Fix obsolete usage of SELinux constants (#1261496)

Jakub Jelen 2015-09-18 15:31:51 +02:00
parent bf69b47630
commit a01bd486f0
2 changed files with 49 additions and 5 deletions


@ -116,3 +116,38 @@ index 2871fe9..39b9c08 100644
#endif #endif
/* Change our root directory */ /* Change our root directory */
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index 12c014e..c5ef2ff 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -35,7 +35,6 @@
#ifdef WITH_SELINUX
#include <selinux/selinux.h>
-#include <selinux/flask.h>
#include <selinux/get_context_list.h>
#ifndef SSH_SELINUX_UNCONFINED_TYPE
@@ -110,6 +109,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
security_context_t new_tty_ctx = NULL;
security_context_t user_ctx = NULL;
security_context_t old_tty_ctx = NULL;
+ security_class_t class;
if (!ssh_selinux_enabled())
return;
@@ -129,8 +129,13 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
goto out;
}
+ class = string_to_security_class("chr_file");
+ if (!class) {
+ error("string_to_security_class failed to translate security class context");
+ goto out;
+ }
if (security_compute_relabel(user_ctx, old_tty_ctx,
- SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
+ class, &new_tty_ctx) != 0) {
error("%s: security_compute_relabel: %s",
__func__, strerror(errno));
goto out;
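Review bot: The error message in the new failure branch names the wrong class: the lookup is `string_to_security_class("chr_file")`, but the message says "security class context", which looks copied from the port-linux-sshd.c hunk in the second file, where the class being resolved really is "context". The surrounding function reports failures as `error("%s: ...", __func__, ...)` (see the security_compute_relabel branch just below), so I would write `error("%s: string_to_security_class failed to translate security class chr_file", __func__);` to keep the style consistent and the log line accurate. Resolving the class from the loaded policy at runtime instead of the compiled-in SECCLASS_CHR_FILE constant means a policy that lacks the class now skips the pty relabel via `goto out` rather than failing at build time, which deserves a one-line comment above the lookup, e.g. `/* class numbers are policy-defined; resolve at runtime instead of using a compiled-in constant */`. ssh_selinux_setup_pty begins and ends outside this hunk.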


@ -378,7 +378,7 @@ diff -up openssh-6.8p1/openbsd-compat/Makefile.in.role-mls openssh-6.8p1/openbsd
diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/openbsd-compat/port-linux-sshd.c diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/openbsd-compat/port-linux-sshd.c
--- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls 2015-03-18 11:04:21.048817114 +0100 --- openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls 2015-03-18 11:04:21.048817114 +0100
+++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:04:21.048817114 +0100 +++ openssh-6.8p1/openbsd-compat/port-linux-sshd.c 2015-03-18 11:04:21.048817114 +0100
@@ -0,0 +1,415 @@ @@ -0,0 +1,424 @@
+/* +/*
+ * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com> + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
+ * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com> + * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
@ -419,11 +419,9 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/o
+ +
+#ifdef WITH_SELINUX +#ifdef WITH_SELINUX
+#include <selinux/selinux.h> +#include <selinux/selinux.h>
+#include <selinux/flask.h>
+#include <selinux/context.h> +#include <selinux/context.h>
+#include <selinux/get_context_list.h> +#include <selinux/get_context_list.h>
+#include <selinux/get_default_type.h> +#include <selinux/get_default_type.h>
+#include <selinux/av_permissions.h>
+ +
+#ifdef HAVE_LINUX_AUDIT +#ifdef HAVE_LINUX_AUDIT
+#include <libaudit.h> +#include <libaudit.h>
@ -488,10 +486,21 @@ diff -up openssh-6.8p1/openbsd-compat/port-linux-sshd.c.role-mls openssh-6.8p1/o
+{ +{
+ struct av_decision avd; + struct av_decision avd;
+ int retval; + int retval;
+ unsigned int bit = CONTEXT__CONTAINS; + access_vector_t bit;
+ security_class_t class;
+ +
+ debug("%s: src:%s dst:%s", __func__, src, dst); + debug("%s: src:%s dst:%s", __func__, src, dst);
+ retval = security_compute_av(src, dst, SECCLASS_CONTEXT, bit, &avd); + class = string_to_security_class("context");
+ if (!class) {
+ error("string_to_security_class failed to translate security class context");
+ return 1;
+ }
+ bit = string_to_av_perm(class, "contains");
+ if (!bit) {
+ error("string_to_av_perm failed to translate av perm contains");
+ return 1;
+ }
+ retval = security_compute_av(src, dst, class, bit, &avd);
+ if (retval || ((bit & avd.allowed) != bit)) + if (retval || ((bit & avd.allowed) != bit))
+ return 0; + return 0;
+ +