
Bug#394795: openssh-server: Updated SELinux patch for openssh



Package: openssh-server
Version: 1:4.3p2-5
Severity: normal
Tags: patch

Hi,

        The attached patch brings openssh back into compatibility with
 recent SELinux releases, and includes an autoconf macro for
 configure.ac. I have tested the patch (after running autoreconf), and
 indeed, I am using it now.

        manoj

diff -uBbwr ../debian-current/openssh-4.3p2/configure.ac openssh-4.3p2/configure.ac
--- ../debian-current/openssh-4.3p2/configure.ac	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/configure.ac	2006-10-20 15:34:53.000000000 -0500
@@ -2996,6 +2996,28 @@
 	fi
 	])
 
+# Check whether user wants SELinux support
+SELINUX_MSG="no"
+LIBSELINUX=""
+AC_ARG_WITH(selinux,
+	[  --with-selinux[[=LIBSELINUX-PATH]]   Enable SELinux support],
+	[ if test "x$withval" != "xno" ; then
+		if test "x$withval" != "xyes"; then
+			CPPFLAGS="$CPPFLAGS -I${withval}/include"
+			if test -n "${need_dash_r}"; then
+				LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
+			else
+				LDFLAGS="-L${withval}/lib ${LDFLAGS}"
+			fi
+               fi 
+		AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.])
+		SELINUX_MSG="yes"
+		AC_CHECK_HEADERS(selinux.h)
+		LIBSELINUX="-lselinux"
+	fi
+	])
+AC_SUBST(LIBSELINUX)
+
 # Check whether user wants Kerberos 5 support
 KRB5_MSG="no"
 AC_ARG_WITH(kerberos5,
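Review bot: The result of `AC_CHECK_HEADERS(selinux.h)` never gates anything in this block: `AC_DEFINE(WITH_SELINUX,1,...)` and `LIBSELINUX="-lselinux"` are set unconditionally once `--with-selinux` is given, so a host without the libselinux development files passes configure and fails only at compile time. The libselinux header is installed as `selinux/selinux.h`, so the check as written looks for the wrong path even on a complete host. Consider `AC_CHECK_HEADER([selinux/selinux.h], [], [AC_MSG_ERROR([SELinux support requested but selinux/selinux.h not found])])` before the AC_DEFINE so the failure is reported at configure time. The `fi` closing the inner test is indented with spaces and carries trailing whitespace, unlike the surrounding tab-indented lines.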
diff -uBbwr ../debian-current/openssh-4.3p2/Makefile.in openssh-4.3p2/Makefile.in
--- ../debian-current/openssh-4.3p2/Makefile.in	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/Makefile.in	2006-10-20 15:34:48.000000000 -0500
@@ -43,6 +43,7 @@
 CFLAGS=@CFLAGS@
 CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
 LIBS=@LIBS@
+LIBSELINUX=@LIBSELINUX@
 LIBEDIT=@LIBEDIT@
 LIBPAM=@LIBPAM@
 LIBWRAP=@LIBWRAP@
@@ -136,7 +137,7 @@
 	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
+	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
 
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -uBbwr ../debian-current/openssh-4.3p2/monitor.c openssh-4.3p2/monitor.c
--- ../debian-current/openssh-4.3p2/monitor.c	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor.c	2006-10-20 15:34:48.000000000 -0500
@@ -111,6 +111,7 @@
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
@@ -182,6 +183,7 @@
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+    {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
@@ -638,6 +640,7 @@
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 
@@ -692,6 +695,23 @@
 }
 
 int
+mm_answer_authrole(int sock, Buffer *m)
+{
+	monitor_permit_authentications(1);
+
+	authctxt->role = buffer_get_string(m, NULL);
+	debug3("%s: role=%s",
+	    __func__, authctxt->role);
+
+	if (strlen(authctxt->role) == 0) {
+		xfree(authctxt->role);
+		authctxt->role = NULL;
+	}
+
+	return (0);
+}
+
+int
 mm_answer_authpassword(int sock, Buffer *m)
 {
 	static int call_count;
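Review bot: `monitor_permit_authentications(1);` at the top of mm_answer_authrole has no purpose in a function that only records a role: if mm_answer_authserv already enables the authentication requests (which the otherwise identical shape of this function suggests), this line additionally lets a lone MONITOR_REQ_AUTHROLE from the unprivileged child enable them without AUTHSERV having been seen, so drop it. The role string is supplied by the unprivileged, pre-authentication child and stored in the privileged monitor with only an empty-string check, so a comment should say where its validity is decided, e.g. `/* role is untrusted input from the child; libselinux decides in selinux_get_user_context() whether it is permitted for the seuser */`. `authctxt->role` is also overwritten without freeing any earlier value; MON_ONCE on the dispatch entry is what makes a second request impossible, and that dependency deserves a word in the same comment.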
diff -uBbwr ../debian-current/openssh-4.3p2/monitor.h openssh-4.3p2/monitor.h
--- ../debian-current/openssh-4.3p2/monitor.h	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor.h	2006-10-20 15:34:48.000000000 -0500
@@ -30,7 +30,7 @@
 
 enum monitor_reqtype {
 	MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
-	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+	MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
 	MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
 	MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
 	MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
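Review bot: `MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,` squeezes a third enumerator onto a line that, like the rest of this enum, otherwise holds one REQ/ANS pair, and drops the space after the comma. Put `MONITOR_REQ_AUTHROLE,` on its own line, with a short `/* no ANS message */` so the missing answer counterpart is visibly intentional. Inserting in the middle renumbers every later constant; that is harmless only because monitor and child come from the same sshd binary, which the commit message could state.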
diff -uBbwr ../debian-current/openssh-4.3p2/monitor_wrap.c openssh-4.3p2/monitor_wrap.c
--- ../debian-current/openssh-4.3p2/monitor_wrap.c	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor_wrap.c	2006-10-20 15:34:48.000000000 -0500
@@ -272,6 +272,23 @@
 	buffer_free(&m);
 }
 
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+	Buffer m;
+
+	debug3("%s entering", __func__);
+
+	buffer_init(&m);
+	buffer_put_cstring(&m, role ? role : "");
+
+	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+	buffer_free(&m);
+}
+
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
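Review bot: The comment `/* Inform the privileged process about role */` is separated from its function by a blank line, unlike the neighbouring `/* Do the password authentication */`, and it does not say how a missing role is conveyed: a NULL `role` is sent as `""` here, and mm_answer_authrole on the monitor side turns the empty string back into NULL. Suggest `/* Inform the privileged process about the SELinux role; NULL is sent as "" and the monitor maps it back to NULL */` directly above `void`. The parameter is only read, so `const char *role` would be the accurate type, with the prototype in monitor_wrap.h following.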
diff -uBbwr ../debian-current/openssh-4.3p2/monitor_wrap.h openssh-4.3p2/monitor_wrap.h
--- ../debian-current/openssh-4.3p2/monitor_wrap.h	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor_wrap.h	2006-10-20 15:39:45.000000000 -0500
@@ -44,6 +44,7 @@
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
 void mm_inform_authserv(char *, char *, char *);
+void mm_inform_authrole(char *);
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
diff -uBbwr ../debian-current/openssh-4.3p2/selinux.c openssh-4.3p2/selinux.c
--- ../debian-current/openssh-4.3p2/selinux.c	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/selinux.c	2006-10-20 15:57:51.000000000 -0500
@@ -13,20 +11,24 @@
 
 extern Authctxt *the_authctxt;
 
-static security_context_t
+static const security_context_t 
 selinux_get_user_context(const char *name)
 {
 	security_context_t user_context = NULL;
 	char *role = NULL;
-	int ret = 0;
+	int ret = -1;
+	char *seuser=NULL;
+	char *level=NULL;
 
 	if (the_authctxt)
 		role = the_authctxt->role;
+        if (getseuserbyname(name, &seuser, &level)==0) {
 	if (role != NULL && role[0])
-		ret = get_default_context_with_role(name, role, NULL,
+            ret=get_default_context_with_rolelevel(seuser, role, level,NULL,
 		    &user_context);
 	else
-		ret = get_default_context(name, NULL, &user_context);
+            ret=get_default_context_with_level(seuser, level, NULL,&user_context);
+        }
 	if (ret < 0) {
 		if (security_getenforce() > 0)
 			fatal("Failed to get default security context for %s.",
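Review bot: `seuser` and `level`, filled in by `getseuserbyname()`, are never freed on any path visible in this hunk; libselinux documents both as caller-owned allocations, so each call leaks them in the privileged sshd. Add `free(seuser); free(level);` right after the closing brace of the getseuserbyname block — the result is already in `user_context` by then, and both start as NULL so the failure path is safe. `static const security_context_t` on the return type qualifies the pointer itself (security_context_t is a `char *` typedef), which is meaningless for a return value and misleading given that both callers pass the result to `freecon()`; revert to `static security_context_t`. The new inner `if` is indented with spaces while the rest of the file uses tabs, and the function continues past the end of the hunk.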
@@ -42,12 +44,9 @@
 void
 setup_selinux_pty(const char *name, const char *tty)
 {
-	security_context_t new_tty_context, user_context, old_tty_context;
+  if (is_selinux_enabled() > 0) {
+    security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL;
 
-	if (is_selinux_enabled() <= 0)
-		return;
-
-	new_tty_context = old_tty_context = NULL;
 	user_context = selinux_get_user_context(name);
 
 	if (getfilecon(tty, &old_tty_context) < 0) {
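Review bot: Replacing the `if (is_selinux_enabled() <= 0) return;` guard with an `if (is_selinux_enabled() > 0) {` that wraps the whole body trades a flat early return for an extra nesting level, and the new lines are indented with two spaces while the retained body keeps tabs (masked here because the diff was produced with -w). Keep the guard clause and the file's tab indentation; the `= NULL` initialisers for the three contexts are a good change and can stay on the declaration line. The function continues past the end of this hunk.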
@@ -66,20 +65,18 @@
 		}
 		freecon(old_tty_context);
 	}
-	if (user_context)
+    if (user_context) {
 		freecon(user_context);
 }
+  }
+}
 
 void
-setup_selinux_exec_context(const char *name)
+setup_selinux_exec_context(char *name)
 {
-	security_context_t user_context;
-
-	if (is_selinux_enabled() <= 0)
-		return;
-
-	user_context = selinux_get_user_context(name);
 
+  if (is_selinux_enabled() > 0) {
+    security_context_t user_context=selinux_get_user_context(name);
 	if (setexeccon(user_context)) {
 		if (security_getenforce() > 0)
 			fatal("Failed to set exec security context %s for %s.",
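Review bot: The definition now reads `setup_selinux_exec_context(char *name)` while the prototype in selinux.h still reads `extern void setup_selinux_exec_context(const char *);`; those are incompatible function types, so any translation unit that sees both (selinux.c itself, if it includes selinux.h) gets a conflicting-types error. `name` is only passed to `selinux_get_user_context(const char *)` and to a format string, so there is no reason to drop the qualifier: restore `setup_selinux_exec_context(const char *name)`. The same nesting-instead-of-guard and two-space indentation remark as for setup_selinux_pty applies to this function. The end of setup_selinux_pty and the body of setup_selinux_exec_context both extend outside this hunk.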
@@ -89,23 +86,10 @@
 			    "Continuing in permissive mode",
 			    user_context, name);
 	}
-	if (user_context)
+    if (user_context) {
 		freecon(user_context);
 }
-
-#else /* WITH_SELINUX */
-
-void
-setup_selinux_pty(const char *name, const char *tty)
-{
-	(void) name;
-	(void) tty;
 }
-
-void
-setup_selinux_exec_context(const char *name)
-{
-	(void) name;
 }
 
 #endif /* WITH_SELINUX */
diff -uBbwr ../debian-current/openssh-4.3p2/selinux.h openssh-4.3p2/selinux.h
--- ../debian-current/openssh-4.3p2/selinux.h	2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/selinux.h	2006-10-20 15:41:29.000000000 -0500
@@ -1,7 +1,15 @@
 #ifndef SELINUX_H
 #define SELINUX_H
 
+#  ifdef WITH_SELINUX
+
 extern void setup_selinux_pty(const char *, const char *);
 extern void setup_selinux_exec_context(const char *);
 
+#  else
+
+static inline void setup_selinux_pty(const char *name, const char *tty) {}
+static inline void setup_selinux_exec_context(const char *name) {} 
+
+#endif /* WITH_SELINUX */
 #endif /* SELINUX_H */
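Review bot: The new stubs `static inline void setup_selinux_pty(const char *name, const char *tty) {}` and `static inline void setup_selinux_exec_context(const char *name) {}` name their parameters but never use them, so every file including this header without WITH_SELINUX warns under -Wunused-parameter; the stubs they replace in selinux.c did `(void) name;` and `(void) tty;` for exactly that reason, and the same casts belong in these bodies. Portable OpenSSH is built with compilers that predate C99 `inline`, so check that `inline` is already used unguarded elsewhere in the tree before relying on it in a public header. The second stub has trailing whitespace, and `#  ifdef`/`#  else` are indented while the matching `#endif /* WITH_SELINUX */` is not.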

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-mh1-skas3-v9-pre9-fremap
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)

Versions of packages openssh-server depends on:
ii  adduser  3.99                            Add and remove users and groups
ii  debconf  1.5.6                           Debian configuration management sy
ii  dpkg     1.13.24                         package maintenance system for Deb
ii  libc6    2.3.6.ds1-6                     GNU C Library: Shared libraries
ii  libcomer 1.39+1.40-WIP-2006.10.02+dfsg-1 common error description library
ii  libkrb53 1.4.4-3                         MIT Kerberos runtime libraries
ii  libpam-m 0.79-3.2                        Pluggable Authentication Modules f
ii  libpam-r 0.79-3.2                        Runtime support for the PAM librar
ii  libpam0g 0.79-3.2                        Pluggable Authentication Modules l
ii  libselin 1.32-2                          SELinux shared libraries
ii  libssl0. 0.9.8c-3                        SSL shared libraries
ii  libwrap0 7.6.dbs-11                      Wietse Venema's TCP wrappers libra
ii  openssh- 1:4.3p2-5                       Secure shell client, an rlogin/rsh
ii  zlib1g   1:1.2.3-13                      compression library - runtime

openssh-server recommends no packages.

-- debconf information:
  ssh/insecure_rshd:
* ssh/forward_warning:
  ssh/encrypted_host_key_but_no_keygen:
  ssh/insecure_telnetd:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/disable_cr_auth: false
* ssh/protocol2_only: false

-- 
Once, I read that a man be never stronger than when he truly realizes
how weak he is.  -- Jim Starlin, "Captain Marvel #31"
Manoj Srivastava <srivasta@acm.org> <http://www.golden-gryphon.com/>
1024D/BF24424C print 4966 F272 D093 B493 410B  924B 21BA DABB BF24 424C
