Bug#394795: openssh-server: Updated SELinux patch for openssh
Package: openssh-server
Version: 1:4.3p2-5
Severity: normal
Tags: patch
Hi,
The attached patch brings openssh back into compatibility with
recent SELinux releases, and includes an autoconf macro for
configure.ac. I have tested the patch (after running autoreconf), and
indeed, I am using it now.
manoj
diff -uBbwr ../debian-current/openssh-4.3p2/configure.ac openssh-4.3p2/configure.ac
--- ../debian-current/openssh-4.3p2/configure.ac 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/configure.ac 2006-10-20 15:34:53.000000000 -0500
@@ -2996,6 +2996,28 @@
fi
])
+# Check whether user wants SELinux support
+SELINUX_MSG="no"
+LIBSELINUX=""
+AC_ARG_WITH(selinux,
+ [ --with-selinux[[=LIBSELINUX-PATH]] Enable SELinux support],
+ [ if test "x$withval" != "xno" ; then
+ if test "x$withval" != "xyes"; then
+ CPPFLAGS="$CPPFLAGS -I${withval}/include"
+ if test -n "${need_dash_r}"; then
+ LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+ else
+ LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+ fi
+ fi
+ AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
+ SELINUX_MSG="yes"
+ AC_CHECK_HEADERS(selinux.h)
+ LIBSELINUX="-lselinux"
+ fi
+ ])
+AC_SUBST(LIBSELINUX)
+
# Check whether user wants Kerberos 5 support
KRB5_MSG="no"
AC_ARG_WITH(kerberos5,
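Review bot: `AC_DEFINE(WITH_SELINUX,1,...)` is emitted as soon as `--with-selinux` is given, before `AC_CHECK_HEADERS(selinux.h)` runs and without any test that libselinux links, so a missing header or library only shows up as a compile or link failure of sshd instead of a configure-time error. The header name also looks off: libselinux installs its API as `selinux/selinux.h`, which is presumably what selinux.c includes (its include lines are not part of this patch), so the check as written can fail on a working system and still not stop the build. Consider gating the define on `AC_CHECK_HEADER([selinux/selinux.h], , [AC_MSG_ERROR([SELinux support requested but selinux/selinux.h not found])])` and `AC_CHECK_LIB(selinux, setexeccon, ...)`. Since the new selinux.c code depends on `getseuserbyname` and `get_default_context_with_rolelevel`, which older libselinux lacks, probing for one of those symbols would catch exactly the version mismatch this patch is meant to fix.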
diff -uBbwr ../debian-current/openssh-4.3p2/Makefile.in openssh-4.3p2/Makefile.in
--- ../debian-current/openssh-4.3p2/Makefile.in 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/Makefile.in 2006-10-20 15:34:48.000000000 -0500
@@ -43,6 +43,7 @@
CFLAGS=@CFLAGS@
CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
LIBS=@LIBS@
+LIBSELINUX=@LIBSELINUX@
LIBEDIT=@LIBEDIT@
LIBPAM=@LIBPAM@
LIBWRAP=@LIBWRAP@
@@ -136,7 +137,7 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -uBbwr ../debian-current/openssh-4.3p2/monitor.c openssh-4.3p2/monitor.c
--- ../debian-current/openssh-4.3p2/monitor.c 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor.c 2006-10-20 15:34:48.000000000 -0500
@@ -111,6 +111,7 @@
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
@@ -182,6 +183,7 @@
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -638,6 +640,7 @@
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
@@ -692,6 +695,23 @@
}
int
+mm_answer_authrole(int sock, Buffer *m)
+{
+ monitor_permit_authentications(1);
+
+ authctxt->role = buffer_get_string(m, NULL);
+ debug3("%s: role=%s",
+ __func__, authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
+ xfree(authctxt->role);
+ authctxt->role = NULL;
+ }
+
+ return (0);
+}
+
+int
mm_answer_authpassword(int sock, Buffer *m)
{
static int call_count;
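Review bot: `mm_answer_authrole` stores whatever string the unprivileged child sends into `authctxt->role` with no length or character validation, and the earlier hunk in this file permits `MONITOR_REQ_AUTHROLE` in the pre-authentication phase, so by the time `selinux_get_user_context` hands it to `get_default_context_with_rolelevel` the role is client-influenced input processed in the privileged monitor. That is acceptable only if libselinux restricts the role to those the policy permits for the seuser, which it presumably does, but the monitor should state that reliance rather than leave it implicit; a comment such as `/* role originates in the unprivileged child; the SELinux policy lookup must reject roles not permitted for the seuser */` above the `buffer_get_string` call would do. It would also be cheap to reject roles containing anything outside the identifier characters a policy role can have before storing them, so a malformed value is refused here rather than deep inside libselinux. `MON_ONCE` in the dispatch table prevents a second request from overwriting and leaking the first string, which is worth a one-line comment as well since the handler itself does not free a previous `authctxt->role`.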
diff -uBbwr ../debian-current/openssh-4.3p2/monitor.h openssh-4.3p2/monitor.h
--- ../debian-current/openssh-4.3p2/monitor.h 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor.h 2006-10-20 15:34:48.000000000 -0500
@@ -30,7 +30,7 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
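Review bot: The new enumerator is glued to the previous one without the space the rest of the list uses; it should read `MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, MONITOR_REQ_AUTHROLE,`. Inserting it mid-enum also shifts the numeric value of every later request type, which is harmless only because monitor and child are the same binary; appending a short comment `/* role is client-supplied; see mm_answer_authrole */` next to it would help the next reader find the handler.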
diff -uBbwr ../debian-current/openssh-4.3p2/monitor_wrap.c openssh-4.3p2/monitor_wrap.c
--- ../debian-current/openssh-4.3p2/monitor_wrap.c 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor_wrap.c 2006-10-20 15:34:48.000000000 -0500
@@ -272,6 +272,23 @@
buffer_free(&m);
}
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+ Buffer m;
+
+ debug3("%s entering", __func__);
+
+ buffer_init(&m);
+ buffer_put_cstring(&m, role ? role : "");
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+ buffer_free(&m);
+}
+
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
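Review bot: `mm_inform_authrole(char *role)` only reads `role` (it is passed to `buffer_put_cstring`), so the parameter should be `const char *role`, with the declaration in monitor_wrap.h in the following hunk changed to `void mm_inform_authrole(const char *);` to match. The comment `/* Inform the privileged process about role */` is separated from its function by a blank line, unlike the sibling `/* Do the password authentication */` directly below. For parity with the monitor side, which logs the role it received, the trace line could be `debug3("%s entering: role=%s", __func__, role ? role : "");` so both ends of the request can be correlated in debug output.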
diff -uBbwr ../debian-current/openssh-4.3p2/monitor_wrap.h openssh-4.3p2/monitor_wrap.h
--- ../debian-current/openssh-4.3p2/monitor_wrap.h 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor_wrap.h 2006-10-20 15:39:45.000000000 -0500
@@ -44,6 +44,7 @@
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
void mm_inform_authserv(char *, char *, char *);
+void mm_inform_authrole(char *);
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
diff -uBbwr ../debian-current/openssh-4.3p2/selinux.c openssh-4.3p2/selinux.c
--- ../debian-current/openssh-4.3p2/selinux.c 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/selinux.c 2006-10-20 15:57:51.000000000 -0500
@@ -13,20 +11,24 @@
extern Authctxt *the_authctxt;
-static security_context_t
+static const security_context_t
selinux_get_user_context(const char *name)
{
security_context_t user_context = NULL;
char *role = NULL;
- int ret = 0;
+ int ret = -1;
+ char *seuser=NULL;
+ char *level=NULL;
if (the_authctxt)
role = the_authctxt->role;
+ if (getseuserbyname(name, &seuser, &level)==0) {
if (role != NULL && role[0])
- ret = get_default_context_with_role(name, role, NULL,
+ ret=get_default_context_with_rolelevel(seuser, role, level,NULL,
&user_context);
else
- ret = get_default_context(name, NULL, &user_context);
+ ret=get_default_context_with_level(seuser, level, NULL,&user_context);
+ }
if (ret < 0) {
if (security_getenforce() > 0)
fatal("Failed to get default security context for %s.",
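Review bot: `seuser` and `level`, filled in by `getseuserbyname`, are heap-allocated by libselinux and nothing in this hunk releases them; the function continues past the hunk, so unless a `free(seuser); free(level);` appears there, every user context lookup leaks two allocations in the privileged process. The return type `static const security_context_t` is also wrong in effect: `security_context_t` is a pointer typedef, so the `const` qualifies the pointer value itself, which is meaningless on a return and misleading given the callers pass the result to `freecon`; keep `static security_context_t`. When `getseuserbyname` fails, `ret` stays at the new `-1` initial value and the generic "Failed to get default security context" message hides the real cause, so a separate `error("getseuserbyname failed for %s", name);` in an `else` branch would make the failure diagnosable. Finally, the hunk header `@@ -13,20 +11,24 @@` implies two lines were removed earlier in selinux.c by a hunk that is not in the posted patch, presumably the include changes needed for the new libselinux calls; please confirm the patch is complete.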
@@ -42,12 +44,9 @@
void
setup_selinux_pty(const char *name, const char *tty)
{
- security_context_t new_tty_context, user_context, old_tty_context;
+ if (is_selinux_enabled() > 0) {
+ security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL;
- if (is_selinux_enabled() <= 0)
- return;
-
- new_tty_context = old_tty_context = NULL;
user_context = selinux_get_user_context(name);
if (getfilecon(tty, &old_tty_context) < 0) {
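Review bot: Replacing the `is_selinux_enabled() <= 0` early return with an `if (is_selinux_enabled() > 0) {` wrapper around the whole body deepens the indentation of every following line (which the `-w` diff options hide) without changing behaviour, and the same restructuring is applied to `setup_selinux_exec_context` in the next hunk. The guard-clause form the original used is the more readable one for a function this long; keeping `if (is_selinux_enabled() <= 0) return;` and only adding the `= NULL` initializers would give the same result with a much smaller diff. `setup_selinux_pty` continues beyond this hunk.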
@@ -66,20 +65,18 @@
}
freecon(old_tty_context);
}
- if (user_context)
+ if (user_context) {
freecon(user_context);
}
+ }
+}
void
-setup_selinux_exec_context(const char *name)
+setup_selinux_exec_context(char *name)
{
- security_context_t user_context;
-
- if (is_selinux_enabled() <= 0)
- return;
-
- user_context = selinux_get_user_context(name);
+ if (is_selinux_enabled() > 0) {
+ security_context_t user_context=selinux_get_user_context(name);
if (setexeccon(user_context)) {
if (security_getenforce() > 0)
fatal("Failed to set exec security context %s for %s.",
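Review bot: The definition is changed to `setup_selinux_exec_context(char *name)` while the declaration in selinux.h (later in this patch) stays `extern void setup_selinux_exec_context(const char *);`; `char *` and `const char *` are not compatible parameter types, so any translation unit that sees both, including selinux.c itself if it includes its own header, fails with conflicting types. Nothing in the body writes through `name` (it is only passed to `selinux_get_user_context`, which takes `const char *`, and to `fatal`), so the signature should stay `setup_selinux_exec_context(const char *name)`. The function continues beyond this hunk.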
@@ -89,23 +86,10 @@
"Continuing in permissive mode",
user_context, name);
}
- if (user_context)
+ if (user_context) {
freecon(user_context);
}
-
-#else /* WITH_SELINUX */
-
-void
-setup_selinux_pty(const char *name, const char *tty)
-{
- (void) name;
- (void) tty;
}
-
-void
-setup_selinux_exec_context(const char *name)
-{
- (void) name;
}
#endif /* WITH_SELINUX */
diff -uBbwr ../debian-current/openssh-4.3p2/selinux.h openssh-4.3p2/selinux.h
--- ../debian-current/openssh-4.3p2/selinux.h 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/selinux.h 2006-10-20 15:41:29.000000000 -0500
@@ -1,7 +1,15 @@
#ifndef SELINUX_H
#define SELINUX_H
+# ifdef WITH_SELINUX
+
extern void setup_selinux_pty(const char *, const char *);
extern void setup_selinux_exec_context(const char *);
+# else
+
+static inline void setup_selinux_pty(const char *name, const char *tty) {}
+static inline void setup_selinux_exec_context(const char *name) {}
+
+#endif /* WITH_SELINUX */
#endif /* SELINUX_H */
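Review bot: The inline stubs `static inline void setup_selinux_pty(const char *name, const char *tty) {}` and `static inline void setup_selinux_exec_context(const char *name) {}` drop the `(void) name;` / `(void) tty;` casts the deleted `#else` block in selinux.c had, so every non-SELinux build now gets unused-parameter warnings; either keep the casts in the stub bodies or leave the parameters unnamed. More importantly the header now decides between real functions and no-op stubs by `WITH_SELINUX`, which configure.ac puts into config.h, so a file that includes selinux.h before config.h silently compiles against the stubs and gets no SELinux labelling at all; a comment `/* config.h must be included before this header: WITH_SELINUX selects the real implementation */` at the top, or an `#error` if neither side of the build has been configured, would make that dependency visible. The `# ifdef` / `# else` / `#endif` indentation is also inconsistent within the same conditional.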
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (990, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-mh1-skas3-v9-pre9-fremap
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Versions of packages openssh-server depends on:
ii adduser 3.99 Add and remove users and groups
ii debconf 1.5.6 Debian configuration management sy
ii dpkg 1.13.24 package maintenance system for Deb
ii libc6 2.3.6.ds1-6 GNU C Library: Shared libraries
ii libcomer 1.39+1.40-WIP-2006.10.02+dfsg-1 common error description library
ii libkrb53 1.4.4-3 MIT Kerberos runtime libraries
ii libpam-m 0.79-3.2 Pluggable Authentication Modules f
ii libpam-r 0.79-3.2 Runtime support for the PAM librar
ii libpam0g 0.79-3.2 Pluggable Authentication Modules l
ii libselin 1.32-2 SELinux shared libraries
ii libssl0. 0.9.8c-3 SSL shared libraries
ii libwrap0 7.6.dbs-11 Wietse Venema's TCP wrappers libra
ii openssh- 1:4.3p2-5 Secure shell client, an rlogin/rsh
ii zlib1g 1:1.2.3-13 compression library - runtime
openssh-server recommends no packages.
-- debconf information:
ssh/insecure_rshd:
* ssh/forward_warning:
ssh/encrypted_host_key_but_no_keygen:
ssh/insecure_telnetd:
ssh/new_config: true
* ssh/use_old_init_script: true
ssh/disable_cr_auth: false
* ssh/protocol2_only: false
--
Once, I read that a man be never stronger than when he truly realizes
how weak he is. -- Jim Starlin, "Captain Marvel #31"
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C