- experimental NSS keys support

- correctly setup context when empty level requested (#234951)
2007-06-20 17:47:18 +00:00 · 2007-06-20 17:47:18 +00:00 · c3274ccb32
parent 7210c0162a
commit c3274ccb32
3 changed files with 1439 additions and 7 deletions
--- a/openssh-4.5p1-mls.patch
+++ b/openssh-4.5p1-mls.patch
@ -49,15 +49,15 @@
 +	}
 +	if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
 +		error("Error translating default context.");
-+		goto out;
+		default_raw = NULL;
 +	}
 +	if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
 +		error("Error translating selected context.");
-+		goto out;
+		selected_raw = NULL;
 +	}
 +	if (asprintf(&msg, "sshd: default-context=%s selected-context=%s",
-+		     default_context ? default_raw : "?",
-+		     selected_context ? selected_raw : "?") < 0) {
+		     default_raw ? default_raw : (default_context ? default_context: "?"),
+		     selected_context ? selected_raw : (selected_context ? selected_context :"?")) < 0) {
 +		error("Error allocating memory.");
 +		goto out;
 +	}
@ -95,7 +95,7 @@
 +get_user_context(const char *sename, const char *role, const char *lvl,
 +	security_context_t *sc) {
 +#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-+	if (get_default_context_with_level(sename, lvl, NULL, sc) != 0) {
+	if (lvl == NULL || lvl[0] == '\0' || get_default_context_with_level(sename, lvl, NULL, sc) != 0) {
 +	        /* User may have requested a level completely outside of his 
 +	           allowed range. We get a context just for auditing as the
 +	           range check below will certainly fail for default context. */
--- a/openssh-4.5p1-nss-keys.patch
+++ b/openssh-4.5p1-nss-keys.patch
--- a/openssh.spec
+++ b/openssh.spec
@ -28,6 +28,9 @@
 # Do we want kerberos5 support (1=yes 0=no)
 %define kerberos5 1

+# Do we want NSS tokens support
+%define nss 1
+
 # Whether or not /sbin/nologin exists.
 %define nologin 1

@ -61,7 +64,7 @@
 Summary: The OpenSSH implementation of SSH protocol versions 1 and 2
 Name: openssh
 Version: 4.5p1
-Release: 6%{?dist}%{?rescue_rel}
+Release: 7%{?dist}%{?rescue_rel}
 URL: http://www.openssh.com/portable.html
 #Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 #Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.sig
@ -90,6 +93,7 @@ Patch44: openssh-4.3p2-allow-ip-opts.patch
 Patch48: openssh-4.3p2-pam-session.patch
 Patch49: openssh-4.3p2-gssapi-canohost.patch
 Patch50: openssh-4.5p1-mls.patch
+Patch51: openssh-4.5p1-nss-keys.patch
 License: BSD
 Group: Applications/Internet
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -115,7 +119,7 @@ BuildRequires: autoconf, automake, openssl-devel, perl, zlib-devel
 BuildRequires: audit-libs-devel
 BuildRequires: util-linux, groff, man
 BuildRequires: pam-devel
-BuildRequires: tcp_wrappers-devel
+#BuildRequires: tcp_wrappers-devel

 %if %{kerberos5}
 BuildRequires: krb5-devel
@ -217,6 +221,7 @@ an X11 passphrase dialog for OpenSSH.
 %patch48 -p1 -b .pam-sesssion
 %patch49 -p1 -b .canohost
 %patch50 -p1 -b .mls
+%patch51 -p1 -b .nss-keys

 autoreconf

@ -259,6 +264,9 @@ fi
 	--enable-vendor-patchlevel="FC-%{version}-%{release}" \
 	--disable-strip \
 	--without-zlib-version-check \
+%if %{nss}
+	--with-nss \
+%endif
 %if %{scard}
 	--with-smartcard \
 %endif
@ -342,6 +350,10 @@ rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*

 perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*

+rm -f README.nss.nss-keys
+%if ! %{nss}
+rm -f README.nss
+%endif
 %clean
 rm -rf $RPM_BUILD_ROOT

@ -460,6 +472,10 @@ fi
 %endif

 %changelog
+* Wed Jun 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-7
+- experimental NSS keys support
+- correctly setup context when empty level requested (#234951)
+
 * Tue Mar 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-6
 - mls level check must be done with default role same as requested