Fix obsolete usage of SELinux constants (#1261496)

2015-09-18 15:31:51 +02:00 · 2015-09-18 15:31:51 +02:00 · a01bd486f0
parent bf69b47630
commit a01bd486f0
2 changed files with 49 additions and 5 deletions
--- a/openssh-6.6.1p1-selinux-contexts.patch
+++ b/openssh-6.6.1p1-selinux-contexts.patch
@ -116,3 +116,38 @@ index 2871fe9..39b9c08 100644
 #endif
 
 	/* Change our root directory */
+diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
+index 12c014e..c5ef2ff 100644
+--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
+@@ -35,7 +35,6 @@
+ 
+ #ifdef WITH_SELINUX
+ #include <selinux/selinux.h>
+-#include <selinux/flask.h>
+ #include <selinux/get_context_list.h>
+ 
+ #ifndef SSH_SELINUX_UNCONFINED_TYPE
+@@ -110,6 +109,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
+ 	security_context_t new_tty_ctx = NULL;
+ 	security_context_t user_ctx = NULL;
+ 	security_context_t old_tty_ctx = NULL;
+	security_class_t class;
+ 
+ 	if (!ssh_selinux_enabled())
+ 		return;
+@@ -129,8 +129,13 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
+ 		goto out;
+ 	}
+ 
+	class = string_to_security_class("chr_file");
+	if (!class) {
+		error("string_to_security_class failed to translate security class context");
+		goto out;
+	}
+ 	if (security_compute_relabel(user_ctx, old_tty_ctx,
+-	    SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
+	    class, &new_tty_ctx) != 0) {
+ 		error("%s: security_compute_relabel: %s",
+ 		    __func__, strerror(errno));
+ 		goto out;
--- a/openssh-6.6p1-role-mls.patch
+++ b/openssh-6.6p1-role-mls.patch
@ -378,7 +378,7 @@ diff -up openssh-6.8p1/openbsd-compat/Makefile.in.role-mls openssh-6.8p1/openbsd
 diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/openbsd-compat/port-linux-sshd.c
 --- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls	2015-03-18 11:04:21.048817114 +0100
 +++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c	2015-03-18 11:04:21.048817114 +0100
-@@ -0,0 +1,415 @@
+@@ -0,0 +1,424 @@
 +/*
 + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
 + * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
@ -419,11 +419,9 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/o
 +
 +#ifdef WITH_SELINUX
 +#include <selinux/selinux.h>
-+#include <selinux/flask.h>
 +#include <selinux/context.h>
 +#include <selinux/get_context_list.h>
 +#include <selinux/get_default_type.h>
-+#include <selinux/av_permissions.h>
 +
 +#ifdef HAVE_LINUX_AUDIT
 +#include <libaudit.h>
@ -488,10 +486,21 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/o
 +{
 +	struct av_decision avd;
 +	int retval;
-+	unsigned int bit = CONTEXT__CONTAINS;
+	access_vector_t bit;
+	security_class_t class;
 +
 +	debug("%s: src:%s dst:%s", __func__, src, dst);
-+	retval = security_compute_av(src, dst, SECCLASS_CONTEXT, bit, &avd);
+	class = string_to_security_class("context");
+	if (!class) {
+		error("string_to_security_class failed to translate security class context");
+		return 1;
+	}
+	bit = string_to_av_perm(class, "contains");
+	if (!bit) {
+		error("string_to_av_perm failed to translate av perm contains");
+		return 1;
+	}
+	retval = security_compute_av(src, dst, class, bit, &avd);
 +	if (retval || ((bit & avd.allowed) != bit))
 +		return 0;
 +