diff --git a/openssh-5.1p1-log-in-chroot.patch b/openssh-5.1p1-log-in-chroot.patch
deleted file mode 100644
index 197fdb9..0000000
--- a/openssh-5.1p1-log-in-chroot.patch
+++ /dev/null
@@ -1,116 +0,0 @@
-diff -up openssh-5.1p1/sshd.c.log-chroot openssh-5.1p1/sshd.c
---- openssh-5.1p1/sshd.c.log-chroot 2008-07-23 15:18:52.000000000 +0200
-+++ openssh-5.1p1/sshd.c 2008-07-23 15:18:52.000000000 +0200
-@@ -591,6 +591,10 @@ privsep_preauth_child(void)
- /* Demote the private keys to public keys. */
- demote_sensitive_data();
- 
-+ /* Open the syslog permanently so the chrooted process still
-+ can write to syslog. */
-+ open_log();
-+
- /* Change our root directory */
- if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
- fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
-diff -up openssh-5.1p1/log.c.log-chroot openssh-5.1p1/log.c
---- openssh-5.1p1/log.c.log-chroot 2008-06-10 15:01:51.000000000 +0200
-+++ openssh-5.1p1/log.c 2008-07-23 15:18:52.000000000 +0200
-@@ -45,6 +45,7 @@
- #include
- #include
- #include
-+#include
- #if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H)
- # include
- #endif
-@@ -56,6 +57,7 @@
- static int log_on_stderr = 1;
- static int log_facility = LOG_AUTH;
- static char *argv0;
-+int log_fd_keep = 0;
- 
- extern char *__progname;
- 
-@@ -310,6 +312,8 @@
- exit(1);
- }
- 
-+ if (log_fd_keep != 0)
-+ return;
- /*
- * If an external library (eg libwrap) attempts to use syslog
- * immediately after reexec, syslog may be pointing to the wrong
-@@ -392,10 +396,33 @@
- syslog_r(pri, &sdata, "%.500s", fmtbuf);
- closelog_r(&sdata);
- #else
-+ if (!log_fd_keep) {
- openlog(argv0 ?argv0 : __progname, LOG_PID, log_facility);
-+ }
- syslog(pri, "%.500s", fmtbuf);
-+ if (!log_fd_keep) {
- closelog();
-+ }
- #endif
- }
- errno = saved_errno;
- }
-+
-+void
-+open_log(void)
-+{
-+ int temp1, temp2;
-+
-+ temp1 = open("/dev/null", O_RDONLY);
-+ openlog(argv0 ? argv0 : __progname, LOG_PID|LOG_NDELAY, log_facility);
-+ temp2 = open("/dev/null", O_RDONLY);
-+ if (temp1 + 2 == temp2)
-+ log_fd_keep = temp1 + 1;
-+ else
-+ log_fd_keep = -1;
-+
-+ if (temp1 != -1)
-+ close(temp1);
-+ if (temp2 != -1)
-+ close(temp2);
-+}
-diff -up openssh-5.1p1/log.h.log-chroot openssh-5.1p1/log.h
---- openssh-5.1p1/log.h.log-chroot 2008-06-13 02:22:54.000000000 +0200
-+++ openssh-5.1p1/log.h 2008-07-23 15:20:11.000000000 +0200
-@@ -46,6 +46,9 @@
- SYSLOG_LEVEL_NOT_SET = -1
- } LogLevel;
- 
-+
-+extern int log_fd_keep;
-+
- void log_init(char *, LogLevel, SyslogFacility, int);
- 
- SyslogFacility log_facility_number(char *);
-@@ -66,4 +69,6 @@
- 
- void do_log(LogLevel, const char *, va_list);
- void cleanup_exit(int) __attribute__((noreturn));
-+
-+void open_log(void);
- #endif
---- openssh-5.2p1/session.c. 2009-03-20 18:32:01.004151364 +0100
-+++ openssh-5.2p1/session.c 2009-03-20 19:00:28.328742384 +0100
-@@ -1445,6 +1456,7 @@
- if (chdir(path) == -1)
- fatal("Unable to chdir to chroot path \"%s\": "
- "%s", path, strerror(errno));
-+ open_log ();
- if (chroot(path) == -1)
- fatal("chroot(\"%s\"): %s", path, strerror(errno));
- if (chdir("/") == -1)
-@@ -1632,7 +1644,8 @@
- * descriptors open.
- */
- for (i = 3; i < 64; i++)
-- close(i);
-+ if (i != log_fd_keep)
-+ close(i);
- }
- 
- /*
diff --git a/openssh-5.6p1-redhat.patch b/openssh-5.6p1-redhat.patch
deleted file mode 100644
index d1df8c1..0000000
--- a/openssh-5.6p1-redhat.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-diff -up openssh-5.6p1/ssh_config.redhat openssh-5.6p1/ssh_config
---- openssh-5.6p1/ssh_config.redhat 2010-01-12 09:40:27.000000000 +0100
-+++ openssh-5.6p1/ssh_config 2010-09-03 15:21:17.000000000 +0200
-@@ -45,3 +45,16 @@
- # PermitLocalCommand no
- # VisualHostKey no
- # ProxyCommand ssh -q -W %h:%p gateway.example.com
-+Host *
-+ GSSAPIAuthentication yes
-+# If this option is set to yes then remote X11 clients will have full access
-+# to the original X11 display. As virtually no X11 client supports the untrusted
-+# mode correctly we set this to yes.
-+ ForwardX11Trusted yes
-+# Look up the host key SSHFP records
-+ VerifyHostKeyDNS ask
-+# Send locale-related environment variables
-+ SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+ SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-+ SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-+ SendEnv XMODIFIERS
-diff -up openssh-5.6p1/sshd_config.0.redhat openssh-5.6p1/sshd_config.0
---- openssh-5.6p1/sshd_config.0.redhat 2010-08-23 05:24:16.000000000 +0200
-+++ openssh-5.6p1/sshd_config.0 2010-09-03 15:23:20.000000000 +0200
-@@ -537,9 +537,9 @@ DESCRIPTION
- 
- SyslogFacility
- Gives the facility code that is used when logging messages from
-- sshd(8). The possible values are: DAEMON, USER, AUTH, LOCAL0,
-- LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7. The
-- default is AUTH.
-+ sshd(8). The possible values are: DAEMON, USER, AUTH, AUTHPRIV,
-+ LOCAL0, LOCAL1, LOCAL2, LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
-+ The default is AUTH.
- 
- TCPKeepAlive
- Specifies whether the system should send TCP keepalive messages
-diff -up openssh-5.6p1/sshd_config.5.redhat openssh-5.6p1/sshd_config.5
---- openssh-5.6p1/sshd_config.5.redhat 2010-07-02 05:37:17.000000000 +0200
-+++ openssh-5.6p1/sshd_config.5 2010-09-03 15:21:17.000000000 +0200
-@@ -919,7 +919,7 @@ Note that this option applies to protoco
- .It Cm SyslogFacility
- Gives the facility code that is used when logging messages from
- .Xr sshd 8 .
--The possible values are: DAEMON, USER, AUTH, LOCAL0, LOCAL1, LOCAL2,
-+The possible values are: DAEMON, USER, AUTH, AUTHPRIV, LOCAL0, LOCAL1, LOCAL2,
- LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
- The default is AUTH.
- .It Cm TCPKeepAlive
-diff -up openssh-5.6p1/sshd_config.redhat openssh-5.6p1/sshd_config
---- openssh-5.6p1/sshd_config.redhat 2009-10-11 12:51:09.000000000 +0200
-+++ openssh-5.6p1/sshd_config 2010-09-03 15:21:17.000000000 +0200
-@@ -31,6 +31,7 @@
- # Logging
- # obsoletes QuietMode and FascistLogging
- #SyslogFacility AUTH
-+SyslogFacility AUTHPRIV
- #LogLevel INFO
- 
- # Authentication:
-@@ -58,9 +59,11 @@
- # To disable tunneled clear text passwords, change to no here!
- #PasswordAuthentication yes
- #PermitEmptyPasswords no
-+PasswordAuthentication yes
- 
- # Change to no to disable s/key passwords
- #ChallengeResponseAuthentication yes
-+ChallengeResponseAuthentication no
- 
- # Kerberos options
- #KerberosAuthentication no
-@@ -70,7 +73,9 @@
- 
- # GSSAPI options
- #GSSAPIAuthentication no
-+GSSAPIAuthentication yes
- #GSSAPICleanupCredentials yes
-+GSSAPICleanupCredentials yes
- 
- # Set this to 'yes' to enable PAM authentication, account processing,
- # and session processing. If this is enabled, PAM authentication will
-@@ -82,11 +87,19 @@
- # PAM authentication, then enable this but set PasswordAuthentication
- # and ChallengeResponseAuthentication to 'no'.
- #UsePAM no
-+UsePAM yes
-+
-+# Accept locale-related environment variables
-+AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
-+AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
-+AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
-+AcceptEnv XMODIFIERS
- 
- #AllowAgentForwarding yes
- #AllowTcpForwarding yes
- #GatewayPorts no
- #X11Forwarding no
-+X11Forwarding yes
- #X11DisplayOffset 10
- #X11UseLocalhost yes
- #PrintMotd yes
diff --git a/openssh-5.6p1-selabel.patch b/openssh-5.6p1-selabel.patch
deleted file mode 100644
index ff5d1f3..0000000
--- a/openssh-5.6p1-selabel.patch
+++ /dev/null
@@ -1,108 +0,0 @@
-diff -up openssh-5.6p1/configure.ac.selabel openssh-5.6p1/configure.ac
---- openssh-5.6p1/configure.ac.selabel 2010-09-13 11:20:47.000000000 +0200
-+++ openssh-5.6p1/configure.ac 2010-09-13 11:20:50.000000000 +0200
-@@ -700,7 +700,6 @@ mips-sony-bsd|mips-sony-newsos4)
- [ AC_DEFINE(USE_SOLARIS_PROCESS_CONTRACTS, 1,
- [Define if you have Solaris process contracts])
- SSHDLIBS="$SSHDLIBS -lcontract"
-- AC_SUBST(SSHDLIBS)
- SPC_MSG="yes" ], )
- ],
- )
-@@ -3500,6 +3499,7 @@ AC_ARG_WITH(selinux,
- ],
- AC_MSG_ERROR(SELinux support requires libselinux library))
- SSHDLIBS="$SSHDLIBS $LIBSELINUX"
-+ SSHLIBS="$SSHLIBS $LIBSELINUX"
- LIBS="$LIBS $LIBSELINUX"
- AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
- AC_CHECK_FUNCS(setkeycreatecon)
-@@ -4269,6 +4269,8 @@ else
- fi
- AC_CHECK_DECL(BROKEN_GETADDRINFO, TEST_SSH_IPV6=no)
- AC_SUBST(TEST_SSH_IPV6, $TEST_SSH_IPV6)
-+AC_SUBST(SSHLIBS)
-+AC_SUBST(SSHDLIBS)
- 
- AC_EXEEXT
- AC_CONFIG_FILES([Makefile buildpkg.sh opensshd.init openssh.xml \
-@@ -4345,6 +4347,9 @@ echo " Libraries: ${LIBS}"
- if test ! -z "${SSHDLIBS}"; then
- echo " +for sshd: ${SSHDLIBS}"
- fi
-+if test ! -z "${SSHLIBS}"; then
-+echo " +for ssh: ${SSHLIBS}"
-+fi
- 
- echo ""
- 
-diff -up openssh-5.6p1/contrib/ssh-copy-id.selabel openssh-5.6p1/contrib/ssh-copy-id
---- openssh-5.6p1/contrib/ssh-copy-id.selabel 2010-08-10 05:36:09.000000000 +0200
-+++ openssh-5.6p1/contrib/ssh-copy-id 2010-09-13 11:20:50.000000000 +0200
-@@ -41,7 +41,7 @@ fi
- # strip any trailing colon
- host=`echo $1 | sed 's/:$//'`
- 
--{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys" || exit 1
-+{ eval "$GET_ID" ; } | ssh $host "umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys; test -x /sbin/restorecon && /sbin/restorecon ~/.ssh ~/.ssh/authorized_keys" || exit 1
- 
- cat <
- int ssh_selinux_enabled(void);
- void ssh_selinux_setup_pty(char *, const char *);
- void ssh_selinux_setup_exec_context(char *);
-diff -up openssh-5.6p1/ssh.c.selabel openssh-5.6p1/ssh.c
---- openssh-5.6p1/ssh.c.selabel 2010-09-13 11:20:50.000000000 +0200
-+++ openssh-5.6p1/ssh.c 2010-09-13 11:23:02.000000000 +0200
-@@ -848,10 +848,21 @@ main(int ac, char **av)
- */
- r = snprintf(buf, sizeof buf, "%s%s%s", pw->pw_dir,
- strcmp(pw->pw_dir, "/") ? "/" : "", _PATH_SSH_USER_DIR);
-- if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0)
-+ if (r > 0 && (size_t)r < sizeof(buf) && stat(buf, &st) < 0) {
-+#ifdef WITH_SELINUX
-+ char *scon;
-+
-+ if (matchpathcon(buf, 0700, &scon) != -1) {
-+ setfscreatecon(scon);
-+ matchpathcon_fini();
-+ }
-+#endif
- if (mkdir(buf, 0700) < 0)
- error("Could not create directory '%.200s'.", buf);
--
-+#ifdef WITH_SELINUX
-+ setfscreatecon(NULL);
-+#endif
-+ }
- /* load options.identity_files */
- load_public_identity_files();
- 
diff --git a/openssh-5.8p1-pam_selinux.patch b/openssh-5.8p1-pam_selinux.patch
deleted file mode 100644
index c8cceea..0000000
--- a/openssh-5.8p1-pam_selinux.patch
+++ /dev/null
@@ -1,156 +0,0 @@
-diff -up openssh-5.8p1/auth-pam.c.pam_selinux openssh-5.8p1/auth-pam.c
---- openssh-5.8p1/auth-pam.c.pam_selinux 2009-07-12 14:07:21.000000000 +0200
-+++ openssh-5.8p1/auth-pam.c 2011-02-12 10:49:57.000000000 +0100
-@@ -1069,7 +1069,7 @@ is_pam_session_open(void)
- * during the ssh authentication process.
- */
- int
--do_pam_putenv(char *name, char *value)
-+do_pam_putenv(char *name, const char *value)
- {
- int ret = 1;
- #ifdef HAVE_PAM_PUTENV
-diff -up openssh-5.8p1/auth-pam.h.pam_selinux openssh-5.8p1/auth-pam.h
---- openssh-5.8p1/auth-pam.h.pam_selinux 2004-09-11 14:17:26.000000000 +0200
-+++ openssh-5.8p1/auth-pam.h 2011-02-12 10:49:57.000000000 +0100
-@@ -38,7 +38,7 @@ void do_pam_session(void);
- void do_pam_set_tty(const char *);
- void do_pam_setcred(int );
- void do_pam_chauthtok(void);
--int do_pam_putenv(char *, char *);
-+int do_pam_putenv(char *, const char *);
- char ** fetch_pam_environment(void);
- char ** fetch_pam_child_environment(void);
- void free_pam_environment(char **);
-diff -up openssh-5.8p1/openbsd-compat/port-linux.c.pam_selinux openssh-5.8p1/openbsd-compat/port-linux.c
---- openssh-5.8p1/openbsd-compat/port-linux.c.pam_selinux 2011-02-12 10:49:57.000000000 +0100
-+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 10:55:52.000000000 +0100
-@@ -36,6 +36,7 @@
- #include "hostfile.h"
- #include "auth.h"
- #include "xmalloc.h"
-+#include "servconf.h"
- 
- #ifdef WITH_SELINUX
- #include
-@@ -50,6 +51,7 @@
- #include
- #endif
- 
-+extern ServerOptions options;
- extern Authctxt *the_authctxt;
- extern int inetd_flag;
- extern int rexeced_flag;
-@@ -197,29 +199,38 @@ get_user_context(const char *sename, con
- return -1;
- }
- 
-+static void
-+ssh_selinux_get_role_level(char **role, const char **level)
-+{
-+ *role = NULL;
-+ *level = NULL;
-+ if (the_authctxt) {
-+ if (the_authctxt->role != NULL) {
-+ char *slash;
-+ *role = xstrdup(the_authctxt->role);
-+ if ((slash = strchr(*role, '/')) != NULL) {
-+ *slash = '\0';
-+ *level = slash + 1;
-+ }
-+ }
-+ }
-+}
-+
- /* Return the default security context for the given username */
- static int
- ssh_selinux_getctxbyname(char *pwname,
- security_context_t *default_sc, security_context_t *user_sc)
- {
- char *sename, *lvl;
-- const char *reqlvl = NULL;
-- char *role = NULL;
-+ const char *reqlvl;
-+ char *role;
- int r = -1;
- context_t con = NULL;
- 
- *default_sc = NULL;
- *user_sc = NULL;
-- if (the_authctxt) {
-- if (the_authctxt->role != NULL) {
-- char *slash;
-- role = xstrdup(the_authctxt->role);
-- if ((slash = strchr(role, '/')) != NULL) {
-- *slash = '\0';
-- reqlvl = slash + 1;
-- }
-- }
-- }
-+
-+ ssh_selinux_get_role_level(&role, &reqlvl);
- 
- #ifdef HAVE_GETSEUSERBYNAME
- if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
-@@ -300,6 +311,36 @@ ssh_selinux_getctxbyname(char *pwname,
- return (r);
- }
- 
-+/* Setup environment variables for pam_selinux */
-+static int
-+ssh_selinux_setup_pam_variables(void)
-+{
-+ const char *reqlvl;
-+ char *role;
-+ char *use_current;
-+ int rv;
-+
-+ debug3("%s: setting execution context", __func__);
-+
-+ ssh_selinux_get_role_level(&role, &reqlvl);
-+
-+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : "");
-+
-+ if (inetd_flag && !rexeced_flag) {
-+ use_current = "1";
-+ } else {
-+ use_current = "";
-+ rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: "");
-+ }
-+
-+ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
-+
-+ if (role != NULL)
-+ xfree(role);
-+
-+ return rv;
-+}
-+
- /* Set the execution context to the default for the specified user */
- void
- ssh_selinux_setup_exec_context(char *pwname)
-@@ -311,6 +352,24 @@ ssh_selinux_setup_exec_context(char *pwn
- if (!ssh_selinux_enabled())
- return;
- 
-+ if (options.use_pam) {
-+ /* do not compute context, just setup environment for pam_selinux */
-+ if (ssh_selinux_setup_pam_variables()) {
-+ switch (security_getenforce()) {
-+ case -1:
-+ fatal("%s: security_getenforce() failed", __func__);
-+ case 0:
-+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
-+ __func__);
-+ break;
-+ default:
-+ fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
-+ __func__);
-+ }
-+ }
-+ return;
-+ }
-+
- debug3("%s: setting execution context", __func__);
- 
- r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
diff --git a/openssh-5.8p1-selinux.patch b/openssh-5.8p1-selinux.patch
deleted file mode 100644
index 6967cbd..0000000
--- a/openssh-5.8p1-selinux.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssh-5.8p1/openbsd-compat/port-linux.c.selinux openssh-5.8p1/openbsd-compat/port-linux.c
---- openssh-5.8p1/openbsd-compat/port-linux.c.selinux 2011-02-12 09:38:45.000000000 +0100
-+++ openssh-5.8p1/openbsd-compat/port-linux.c 2011-02-12 09:39:10.000000000 +0100
-@@ -213,7 +213,7 @@ ssh_selinux_setfscreatecon(const char *p
- 
- if (!ssh_selinux_enabled())
- return;
-- if (path == NULL)
-+ if (path == NULL) {
- setfscreatecon(NULL);
- return;
- }
diff --git a/openssh-5.9p1-mls.patch b/openssh-5.9p1-mls.patch
deleted file mode 100644
index 1163949..0000000
--- a/openssh-5.9p1-mls.patch
+++ /dev/null
@@ -1,400 +0,0 @@
-diff -up openssh-5.9p0/misc.c.mls openssh-5.9p0/misc.c
---- openssh-5.9p0/misc.c.mls 2011-05-05 06:14:34.000000000 +0200
-+++ openssh-5.9p0/misc.c 2011-08-30 12:29:29.157087474 +0200
-@@ -427,6 +427,7 @@ char *
- colon(char *cp)
- {
- int flag = 0;
-+ int start = 1;
- 
- if (*cp == ':') /* Leading colon is part of file name. */
- return NULL;
-@@ -442,6 +443,13 @@ colon(char *cp)
- return (cp);
- if (*cp == '/')
- return NULL;
-+ if (start) {
-+ /* Slash on beginning or after dots only denotes file name. */
-+ if (*cp == '/')
-+ return (0);
-+ if (*cp != '.')
-+ start = 0;
-+ }
- }
- return NULL;
- }
-diff -up openssh-5.9p0/openbsd-compat/port-linux.c.mls openssh-5.9p0/openbsd-compat/port-linux.c
---- openssh-5.9p0/openbsd-compat/port-linux.c.mls 2011-08-30 12:29:28.873086987 +0200
-+++ openssh-5.9p0/openbsd-compat/port-linux.c 2011-08-30 13:28:12.584149668 +0200
-@@ -40,7 +40,15 @@
- #ifdef WITH_SELINUX
- #include
- #include
-+#include
- #include
-+#include
-+#include
-+
-+#ifdef HAVE_LINUX_AUDIT
-+#include
-+#include
-+#endif
- 
- #ifndef SSH_SELINUX_UNCONFINED_TYPE
- # define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
-@@ -51,6 +59,149 @@ extern Authctxt *the_authctxt;
- extern int inetd_flag;
- extern int rexeced_flag;
- 
-+/* Send audit message */
-+static int
-+send_audit_message(int success, security_context_t default_context,
-+ security_context_t selected_context)
-+{
-+ int rc=0;
-+#ifdef HAVE_LINUX_AUDIT
-+ char *msg = NULL;
-+ int audit_fd = audit_open();
-+ security_context_t default_raw=NULL;
-+ security_context_t selected_raw=NULL;
-+ rc = -1;
-+ if (audit_fd < 0) {
-+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
-+ errno == EAFNOSUPPORT)
-+ return 0; /* No audit support in kernel */
-+ error("Error connecting to audit system.");
-+ return rc;
-+ }
-+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
-+ error("Error translating default context.");
-+ default_raw = NULL;
-+ }
-+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
-+ error("Error translating selected context.");
-+ selected_raw = NULL;
-+ }
-+ if (asprintf(&msg, "sshd: default-context=%s selected-context=%s",
-+ default_raw ? default_raw : (default_context ? default_context: "?"),
-+ selected_context ? selected_raw : (selected_context ? selected_context :"?")) < 0) {
-+ error("Error allocating memory.");
-+ goto out;
-+ }
-+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
-+ msg, NULL, NULL, NULL, success) <= 0) {
-+ error("Error sending audit message.");
-+ goto out;
-+ }
-+ rc = 0;
-+ out:
-+ free(msg);
-+ freecon(default_raw);
-+ freecon(selected_raw);
-+ close(audit_fd);
-+#endif
-+ return rc;
-+}
-+
-+static int
-+mls_range_allowed(security_context_t src, security_context_t dst)
-+{
-+ struct av_decision avd;
-+ int retval;
-+ unsigned int bit = CONTEXT__CONTAINS;
-+
-+ debug("%s: src:%s dst:%s", __func__, src, dst);
-+ retval = security_compute_av(src, dst, SECCLASS_CONTEXT, bit, &avd);
-+ if (retval || ((bit & avd.allowed) != bit))
-+ return 0;
-+
-+ return 1;
-+}
-+
-+static int
-+get_user_context(const char *sename, const char *role, const char *lvl,
-+ security_context_t *sc) {
-+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-+ if (lvl == NULL || lvl[0] == '\0' || get_default_context_with_level(sename, lvl, NULL, sc) != 0) {
-+ /* User may have requested a level completely outside of his
-+ allowed range. We get a context just for auditing as the
-+ range check below will certainly fail for default context. */
-+#endif
-+ if (get_default_context(sename, NULL, sc) != 0) {
-+ *sc = NULL;
-+ return -1;
-+ }
-+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-+ }
-+#endif
-+ if (role != NULL && role[0]) {
-+ context_t con;
-+ char *type=NULL;
-+ if (get_default_type(role, &type) != 0) {
-+ error("get_default_type: failed to get default type for '%s'",
-+ role);
-+ goto out;
-+ }
-+ con = context_new(*sc);
-+ if (!con) {
-+ goto out;
-+ }
-+ context_role_set(con, role);
-+ context_type_set(con, type);
-+ freecon(*sc);
-+ *sc = strdup(context_str(con));
-+ context_free(con);
-+ if (!*sc)
-+ return -1;
-+ }
-+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-+ if (lvl != NULL && lvl[0]) {
-+ /* verify that the requested range is obtained */
-+ context_t con;
-+ security_context_t obtained_raw;
-+ security_context_t requested_raw;
-+ con = context_new(*sc);
-+ if (!con) {
-+ goto out;
-+ }
-+ context_range_set(con, lvl);
-+ if (selinux_trans_to_raw_context(*sc, &obtained_raw) < 0) {
-+ context_free(con);
-+ goto out;
-+ }
-+ if (selinux_trans_to_raw_context(context_str(con), &requested_raw) < 0) {
-+ freecon(obtained_raw);
-+ context_free(con);
-+ goto out;
-+ }
-+
-+ debug("get_user_context: obtained context '%s' requested context '%s'",
-+ obtained_raw, requested_raw);
-+ if (strcmp(obtained_raw, requested_raw)) {
-+ /* set the context to the real requested one but fail */
-+ freecon(requested_raw);
-+ freecon(obtained_raw);
-+ freecon(*sc);
-+ *sc = strdup(context_str(con));
-+ context_free(con);
-+ return -1;
-+ }
-+ freecon(requested_raw);
-+ freecon(obtained_raw);
-+ context_free(con);
-+ }
-+#endif
-+ return 0;
-+ out:
-+ freecon(*sc);
-+ *sc = NULL;
-+ return -1;
-+}
-+
- static void
- ssh_selinux_get_role_level(char **role, const char **level)
- {
-@@ -69,14 +220,15 @@ ssh_selinux_get_role_level(char **role,
- }
- 
- /* Return the default security context for the given username */
--static security_context_t
--ssh_selinux_getctxbyname(char *pwname)
-+static int
-+ssh_selinux_getctxbyname(char *pwname,
-+ security_context_t *default_sc, security_context_t *user_sc)
- {
-- security_context_t sc = NULL;
- char *sename, *lvl;
- char *role;
- const char *reqlvl;
- int r = 0;
-+ context_t con = NULL;
- 
- ssh_selinux_get_role_level(&role, &reqlvl);
- 
-@@ -87,37 +239,62 @@ ssh_selinux_getctxbyname(char *pwname)
- }
- #else
- sename = pwname;
-- lvl = NULL;
-+ lvl = "";
- #endif
- 
- if (r == 0) {
- #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-- if (role != NULL && role[0])
-- r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
-- else
-- r = get_default_context_with_level(sename, lvl, NULL, &sc);
-+ r = get_default_context_with_level(sename, lvl, NULL, default_sc);
- #else
-- if (role != NULL && role[0])
-- r = get_default_context_with_role(sename, role, NULL, &sc);
-- else
-- r = get_default_context(sename, NULL, &sc);
-+ r = get_default_context(sename, NULL, default_sc);
- #endif
- }
- 
-- if (r != 0) {
-- switch (security_getenforce()) {
-- case -1:
-- fatal("%s: ssh_selinux_getctxbyname: "
-- "security_getenforce() failed", __func__);
-- case 0:
-- error("%s: Failed to get default SELinux security "
-- "context for %s", __func__, pwname);
-- break;
-- default:
-- fatal("%s: Failed to get default SELinux security "
-- "context for %s (in enforcing mode)",
-- __func__, pwname);
-+ if (r == 0) {
-+ /* If launched from xinetd, we must use current level */
-+ if (inetd_flag && !rexeced_flag) {
-+ security_context_t sshdsc=NULL;
-+
-+ if (getcon_raw(&sshdsc) < 0)
-+ fatal("failed to allocate security context");
-+
-+ if ((con=context_new(sshdsc)) == NULL)
-+ fatal("failed to allocate selinux context");
-+ reqlvl = context_range_get(con);
-+ freecon(sshdsc);
-+ if (reqlvl !=NULL && lvl != NULL && strcmp(reqlvl, lvl) == 0)
-+ /* we actually don't change level */
-+ reqlvl = "";
-+
-+ debug("%s: current connection level '%s'", __func__, reqlvl);
- }
-+
-+ if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
-+ r = get_user_context(sename, role, reqlvl, user_sc); -+ -+ if (r == 0 && reqlvl != NULL && reqlvl[0]) { -+ security_context_t default_level_sc = *default_sc; -+ if (role != NULL && role[0]) { -+ if (get_user_context(sename, role, lvl, &default_level_sc) < 0) -+ default_level_sc = *default_sc; -+ } -+ /* verify that the requested range is contained in the user range */ -+ if (mls_range_allowed(default_level_sc, *user_sc)) { -+ logit("permit MLS level %s (user range %s)", reqlvl, lvl); -+ } else { -+ r = -1; -+ error("deny MLS level %s (user range %s)", reqlvl, lvl); -+ } -+ if (default_level_sc != *default_sc) -+ freecon(default_level_sc); -+ } -+ } else { -+ *user_sc = *default_sc; -+ } -+ } -+ if (r != 0) { -+ error("%s: Failed to get default SELinux security " -+ "context for %s", __func__, pwname); - } - - #ifdef HAVE_GETSEUSERBYNAME -@@ -126,8 +303,12 @@ ssh_selinux_getctxbyname(char *pwname) - if (lvl != NULL) - xfree(lvl); - #endif -- -- return (sc); -+ if (role != NULL) -+ xfree(role); -+ if (con) -+ context_free(con); -+ -+ return (r); - } - - /* Setup environment variables for pam_selinux */ -@@ -165,6 +346,8 @@ void - ssh_selinux_setup_exec_context(char *pwname) - { - security_context_t user_ctx = NULL; -+ int r = 0; -+ security_context_t default_ctx = NULL; - - if (!ssh_selinux_enabled()) - return; -@@ -189,22 +372,45 @@ ssh_selinux_setup_exec_context(char *pwn - - debug3("%s: setting execution context", __func__); - -- user_ctx = ssh_selinux_getctxbyname(pwname); -- if (setexeccon(user_ctx) != 0) { -+ r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx); -+ if (r >= 0) { -+ r = setexeccon(user_ctx); -+ if (r < 0) { -+ error("%s: Failed to set SELinux execution context %s for %s", -+ __func__, user_ctx, pwname); -+ } -+#ifdef HAVE_SETKEYCREATECON -+ else if (setkeycreatecon(user_ctx) < 0) { -+ error("%s: Failed to set SELinux keyring creation context %s for %s", -+ __func__, user_ctx, pwname); -+ } -+#endif -+ } -+ if (user_ctx == NULL) { -+ 
user_ctx = default_ctx; -+ } -+ if (r < 0 || user_ctx != default_ctx) { -+ /* audit just the case when user changed a role or there was -+ a failure */ -+ send_audit_message(r >= 0, default_ctx, user_ctx); -+ } -+ if (r < 0) { - switch (security_getenforce()) { - case -1: - fatal("%s: security_getenforce() failed", __func__); - case 0: -- error("%s: Failed to set SELinux execution " -- "context for %s", __func__, pwname); -+ error("%s: SELinux failure. Continuing in permissive mode.", -+ __func__); - break; - default: -- fatal("%s: Failed to set SELinux execution context " -- "for %s (in enforcing mode)", __func__, pwname); -+ fatal("%s: SELinux failure. Aborting connection.", -+ __func__); - } - } -- if (user_ctx != NULL) -+ if (user_ctx != NULL && user_ctx != default_ctx) - freecon(user_ctx); -+ if (default_ctx != NULL) -+ freecon(default_ctx); - - debug3("%s: done", __func__); - } -@@ -222,7 +428,10 @@ ssh_selinux_setup_pty(char *pwname, cons - - debug3("%s: setting TTY context on %s", __func__, tty); - -- user_ctx = ssh_selinux_getctxbyname(pwname); -+ if (getexeccon(&user_ctx) < 0) { -+ error("%s: getexeccon: %s", __func__, strerror(errno)); -+ goto out; -+ } - - /* XXX: should these calls fatal() upon failure in enforcing mode? */ - -diff -up openssh-5.9p0/sshd.c.mls openssh-5.9p0/sshd.c ---- openssh-5.9p0/sshd.c.mls 2011-08-30 12:29:22.663149706 +0200 -+++ openssh-5.9p0/sshd.c 2011-08-30 12:29:29.524024777 +0200 -@@ -2082,6 +2082,9 @@ main(int ac, char **av) - restore_uid(); - } - #endif -+#ifdef WITH_SELINUX -+ ssh_selinux_setup_exec_context(authctxt->pw->pw_name); -+#endif - #ifdef USE_PAM - if (options.use_pam) { - do_pam_setcred(1); diff --git a/openssh-5.9p1-role.patch b/openssh-5.9p1-role.patch deleted file mode 100644 index e090f38..0000000 --- a/openssh-5.9p1-role.patch +++ /dev/null 
@@ -1,613 +0,0 @@ -diff -up openssh-5.9p1/auth.h.role openssh-5.9p1/auth.h ---- openssh-5.9p1/auth.h.role 2012-02-06 17:21:26.038970656 +0100 -+++ openssh-5.9p1/auth.h 2012-02-06 17:21:59.477033401 +0100 -@@ -59,6 +59,9 @@ struct Authctxt { - char *service; - struct passwd *pw; /* set if 'valid' */ - char *style; -+#ifdef WITH_SELINUX -+ char *role; -+#endif - void *kbdintctxt; - void *jpake_ctx; - #ifdef BSD_AUTH -diff -up openssh-5.9p1/auth-pam.c.role openssh-5.9p1/auth-pam.c ---- openssh-5.9p1/auth-pam.c.role 2012-02-06 17:21:25.983793983 +0100 -+++ openssh-5.9p1/auth-pam.c 2012-02-06 17:21:59.476038868 +0100 -@@ -1074,7 +1074,7 @@ is_pam_session_open(void) - * during the ssh authentication process. - */ - int --do_pam_putenv(char *name, char *value) -+do_pam_putenv(char *name, const char *value) - { - int ret = 1; - #ifdef HAVE_PAM_PUTENV -diff -up openssh-5.9p1/auth-pam.h.role openssh-5.9p1/auth-pam.h ---- openssh-5.9p1/auth-pam.h.role 2004-09-11 14:17:26.000000000 +0200 -+++ openssh-5.9p1/auth-pam.h 2012-02-06 17:21:59.477033401 +0100 -@@ -38,7 +38,7 @@ void do_pam_session(void); - void do_pam_set_tty(const char *); - void do_pam_setcred(int ); - void do_pam_chauthtok(void); --int do_pam_putenv(char *, char *); -+int do_pam_putenv(char *, const char *); - char ** fetch_pam_environment(void); - char ** fetch_pam_child_environment(void); - void free_pam_environment(char **); -diff -up openssh-5.9p1/auth1.c.role openssh-5.9p1/auth1.c ---- openssh-5.9p1/auth1.c.role 2012-02-06 17:21:26.016845827 +0100 -+++ openssh-5.9p1/auth1.c 2012-02-06 17:21:59.478033396 +0100 -@@ -468,6 +468,9 @@ do_authentication(Authctxt *authctxt) - { - u_int ulen; - char *user, *style = NULL; -+#ifdef WITH_SELINUX -+ char *role=NULL; -+#endif - - /* Get the name of the user that we wish to log in as. 
*/ - packet_read_expect(SSH_CMSG_USER); -@@ -476,11 +479,24 @@ do_authentication(Authctxt *authctxt) - user = packet_get_cstring(&ulen); - packet_check_eom(); - -+#ifdef WITH_SELINUX -+ if ((role = strchr(user, '/')) != NULL) -+ *role++ = '\0'; -+#endif -+ - if ((style = strchr(user, ':')) != NULL) - *style++ = '\0'; -+#ifdef WITH_SELINUX -+ else -+ if (role && (style = strchr(role, ':')) != NULL) -+ *style++ = '\0'; -+#endif - - authctxt->user = user; - authctxt->style = style; -+#ifdef WITH_SELINUX -+ authctxt->role = role; -+#endif - - /* Verify that the user is a valid user. */ - if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL) -diff -up openssh-5.9p1/auth2.c.role openssh-5.9p1/auth2.c ---- openssh-5.9p1/auth2.c.role 2012-02-06 17:21:26.024976386 +0100 -+++ openssh-5.9p1/auth2.c 2012-02-06 17:23:14.127811737 +0100 -@@ -216,6 +216,9 @@ input_userauth_request(int type, u_int32 - Authctxt *authctxt = ctxt; - Authmethod *m = NULL; - char *user, *service, *method, *active_methods, *style = NULL; -+#ifdef WITH_SELINUX -+ char *role = NULL; -+#endif - int authenticated = 0; - - if (authctxt == NULL) -@@ -227,6 +230,11 @@ input_userauth_request(int type, u_int32 - debug("userauth-request for user %s service %s method %s", user, service, method); - debug("attempt %d failures %d", authctxt->attempt, authctxt->failures); - -+#ifdef WITH_SELINUX -+ if ((role = strchr(user, '/')) != NULL) -+ *role++ = 0; -+#endif -+ - if ((style = strchr(user, ':')) != NULL) - *style++ = 0; - -@@ -249,8 +257,15 @@ input_userauth_request(int type, u_int32 - use_privsep ? " [net]" : ""); - authctxt->service = xstrdup(service); - authctxt->style = style ? xstrdup(style) : NULL; -- if (use_privsep) -+#ifdef WITH_SELINUX -+ authctxt->role = role ? 
xstrdup(role) : NULL; -+#endif -+ if (use_privsep) { - mm_inform_authserv(service, style); -+#ifdef WITH_SELINUX -+ mm_inform_authrole(role); -+#endif -+ } - userauth_banner(); - } else if (strcmp(user, authctxt->user) != 0 || - strcmp(service, authctxt->service) != 0) { -diff -up openssh-5.9p1/auth2-gss.c.role openssh-5.9p1/auth2-gss.c ---- openssh-5.9p1/auth2-gss.c.role 2012-02-06 17:21:26.017853239 +0100 -+++ openssh-5.9p1/auth2-gss.c 2012-02-06 17:21:59.479096211 +0100 -@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple - Authctxt *authctxt = ctxt; - Gssctxt *gssctxt; - int authenticated = 0; -+ char *micuser; - Buffer b; - gss_buffer_desc mic, gssbuf; - u_int len; -@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple - mic.value = packet_get_string(&len); - mic.length = len; - -- ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service, -+#ifdef WITH_SELINUX -+ if (authctxt->role && (strlen(authctxt->role) > 0)) -+ xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role); -+ else -+#endif -+ micuser = authctxt->user; -+ ssh_gssapi_buildmic(&b, micuser, authctxt->service, - "gssapi-with-mic"); - - gssbuf.value = buffer_ptr(&b); -@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple - logit("GSSAPI MIC check failed"); - - buffer_free(&b); -+ if (micuser != authctxt->user) -+ xfree(micuser); - xfree(mic.value); - - authctxt->postponed = 0; -diff -up openssh-5.9p1/auth2-hostbased.c.role openssh-5.9p1/auth2-hostbased.c ---- openssh-5.9p1/auth2-hostbased.c.role 2012-02-06 17:21:26.038970656 +0100 -+++ openssh-5.9p1/auth2-hostbased.c 2012-02-06 17:21:59.479096211 +0100 -@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt) - buffer_put_string(&b, session_id2, session_id2_len); - /* reconstruct packet */ - buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); -- buffer_put_cstring(&b, authctxt->user); -+#ifdef WITH_SELINUX -+ if (authctxt->role) { -+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1); -+ 
buffer_append(&b, authctxt->user, strlen(authctxt->user)); -+ buffer_put_char(&b, '/'); -+ buffer_append(&b, authctxt->role, strlen(authctxt->role)); -+ } else -+#endif -+ buffer_put_cstring(&b, authctxt->user); - buffer_put_cstring(&b, service); - buffer_put_cstring(&b, "hostbased"); - buffer_put_string(&b, pkalg, alen); -diff -up openssh-5.9p1/auth2-pubkey.c.role openssh-5.9p1/auth2-pubkey.c ---- openssh-5.9p1/auth2-pubkey.c.role 2012-02-06 17:21:26.039787441 +0100 -+++ openssh-5.9p1/auth2-pubkey.c 2012-02-06 17:21:59.480096032 +0100 -@@ -121,7 +121,15 @@ userauth_pubkey(Authctxt *authctxt) - } - /* reconstruct packet */ - buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST); -- buffer_put_cstring(&b, authctxt->user); -+#ifdef WITH_SELINUX -+ if (authctxt->role) { -+ buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1); -+ buffer_append(&b, authctxt->user, strlen(authctxt->user)); -+ buffer_put_char(&b, '/'); -+ buffer_append(&b, authctxt->role, strlen(authctxt->role)); -+ } else -+#endif -+ buffer_put_cstring(&b, authctxt->user); - buffer_put_cstring(&b, - datafellows & SSH_BUG_PKSERVICE ? 
- "ssh-userauth" : -diff -up openssh-5.9p1/monitor.c.role openssh-5.9p1/monitor.c ---- openssh-5.9p1/monitor.c.role 2012-02-06 17:21:26.071220592 +0100 -+++ openssh-5.9p1/monitor.c 2012-02-06 17:21:59.481783500 +0100 -@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *); - int mm_answer_pwnamallow(int, Buffer *); - int mm_answer_auth2_read_banner(int, Buffer *); - int mm_answer_authserv(int, Buffer *); -+#ifdef WITH_SELINUX -+int mm_answer_authrole(int, Buffer *); -+#endif - int mm_answer_authpassword(int, Buffer *); - int mm_answer_bsdauthquery(int, Buffer *); - int mm_answer_bsdauthrespond(int, Buffer *); -@@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[] - {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign}, - {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow}, - {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv}, -+#ifdef WITH_SELINUX -+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole}, -+#endif - {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner}, - {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword}, - #ifdef USE_PAM -@@ -833,6 +839,9 @@ mm_answer_pwnamallow(int sock, Buffer *m - else { - /* Allow service/style information on the auth context */ - monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1); -+#ifdef WITH_SELINUX -+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1); -+#endif - monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1); - } - #ifdef USE_PAM -@@ -876,6 +885,25 @@ mm_answer_authserv(int sock, Buffer *m) - return (0); - } - -+#ifdef WITH_SELINUX -+int -+mm_answer_authrole(int sock, Buffer *m) -+{ -+ monitor_permit_authentications(1); -+ -+ authctxt->role = buffer_get_string(m, NULL); -+ debug3("%s: role=%s", -+ __func__, authctxt->role); -+ -+ if (strlen(authctxt->role) == 0) { -+ xfree(authctxt->role); -+ authctxt->role = NULL; -+ } -+ -+ return (0); -+} -+#endif -+ - int - mm_answer_authpassword(int sock, Buffer *m) - { -@@ -1252,7 +1280,7 @@ static int - monitor_valid_userblob(u_char 
*data, u_int datalen) - { - Buffer b; -- char *p; -+ char *p, *r; - u_int len; - int fail = 0; - -@@ -1278,6 +1306,8 @@ monitor_valid_userblob(u_char *data, u_i - if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) - fail++; - p = buffer_get_string(&b, NULL); -+ if ((r = strchr(p, '/')) != NULL) -+ *r = '\0'; - if (strcmp(authctxt->user, p) != 0) { - logit("wrong user name passed to monitor: expected %s != %.100s", - authctxt->user, p); -@@ -1309,7 +1339,7 @@ monitor_valid_hostbasedblob(u_char *data - char *chost) - { - Buffer b; -- char *p; -+ char *p, *r; - u_int len; - int fail = 0; - -@@ -1326,6 +1356,8 @@ monitor_valid_hostbasedblob(u_char *data - if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST) - fail++; - p = buffer_get_string(&b, NULL); -+ if ((r = strchr(p, '/')) != NULL) -+ *r = '\0'; - if (strcmp(authctxt->user, p) != 0) { - logit("wrong user name passed to monitor: expected %s != %.100s", - authctxt->user, p); -diff -up openssh-5.9p1/monitor.h.role openssh-5.9p1/monitor.h ---- openssh-5.9p1/monitor.h.role 2012-02-06 17:21:26.071852220 +0100 -+++ openssh-5.9p1/monitor.h 2012-02-06 17:21:59.482846081 +0100 -@@ -31,6 +31,9 @@ - enum monitor_reqtype { - MONITOR_REQ_MODULI, MONITOR_ANS_MODULI, - MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV, -+#ifdef WITH_SELINUX -+ MONITOR_REQ_AUTHROLE, -+#endif - MONITOR_REQ_SIGN, MONITOR_ANS_SIGN, - MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM, - MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER, -diff -up openssh-5.9p1/monitor_wrap.c.role openssh-5.9p1/monitor_wrap.c ---- openssh-5.9p1/monitor_wrap.c.role 2012-02-06 17:21:26.071852220 +0100 -+++ openssh-5.9p1/monitor_wrap.c 2012-02-06 17:21:59.483845610 +0100 -@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char * - buffer_free(&m); - } - -+/* Inform the privileged process about role */ -+ -+#ifdef WITH_SELINUX -+void -+mm_inform_authrole(char *role) -+{ -+ Buffer m; -+ -+ debug3("%s entering", __func__); -+ -+ buffer_init(&m); -+ buffer_put_cstring(&m, role ? 
role : ""); -+ -+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m); -+ -+ buffer_free(&m); -+} -+#endif -+ - /* Do the password authentication */ - int - mm_auth_password(Authctxt *authctxt, char *password) -diff -up openssh-5.9p1/monitor_wrap.h.role openssh-5.9p1/monitor_wrap.h ---- openssh-5.9p1/monitor_wrap.h.role 2012-02-06 17:21:26.073192915 +0100 -+++ openssh-5.9p1/monitor_wrap.h 2012-02-06 17:21:59.483845610 +0100 -@@ -42,6 +42,9 @@ int mm_is_monitor(void); - DH *mm_choose_dh(int, int, int); - int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int); - void mm_inform_authserv(char *, char *); -+#ifdef WITH_SELINUX -+void mm_inform_authrole(char *); -+#endif - struct passwd *mm_getpwnamallow(const char *); - char *mm_auth2_read_banner(void); - int mm_auth_password(struct Authctxt *, char *); -diff -up openssh-5.9p1/openbsd-compat/Makefile.in.role openssh-5.9p1/openbsd-compat/Makefile.in ---- openssh-5.9p1/openbsd-compat/Makefile.in.role 2010-10-07 13:19:24.000000000 +0200 -+++ openssh-5.9p1/openbsd-compat/Makefile.in 2012-02-06 17:21:59.484846191 +0100 -@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport - - COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o - --PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o -+PORTS=port-aix.o port-irix.o port-linux.o port-linux_part_2.o port-solaris.o port-tun.o port-uw.o - - .c.o: - $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -diff -up openssh-5.9p1/openbsd-compat/port-linux.c.role openssh-5.9p1/openbsd-compat/port-linux.c ---- openssh-5.9p1/openbsd-compat/port-linux.c.role 2011-08-29 08:09:57.000000000 +0200 -+++ openssh-5.9p1/openbsd-compat/port-linux.c 2012-02-06 17:21:59.484846191 +0100 -@@ -31,7 +31,11 @@ - - #include "log.h" - #include "xmalloc.h" -+#include "servconf.h" - #include 
"port-linux.h" -+#include "key.h" -+#include "hostfile.h" -+#include "auth.h" - - #ifdef WITH_SELINUX - #include -@@ -42,41 +46,63 @@ - # define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:" - #endif - --/* Wrapper around is_selinux_enabled() to log its return value once only */ --int --ssh_selinux_enabled(void) --{ -- static int enabled = -1; -+extern ServerOptions options; -+extern Authctxt *the_authctxt; -+extern int inetd_flag; -+extern int rexeced_flag; - -- if (enabled == -1) { -- enabled = (is_selinux_enabled() == 1); -- debug("SELinux support %s", enabled ? "enabled" : "disabled"); -+static void -+ssh_selinux_get_role_level(char **role, const char **level) -+{ -+ *role = NULL; -+ *level = NULL; -+ if (the_authctxt) { -+ if (the_authctxt->role != NULL) { -+ char *slash; -+ *role = xstrdup(the_authctxt->role); -+ if ((slash = strchr(*role, '/')) != NULL) { -+ *slash = '\0'; -+ *level = slash + 1; -+ } -+ } - } -- -- return (enabled); - } - - /* Return the default security context for the given username */ - static security_context_t - ssh_selinux_getctxbyname(char *pwname) - { -- security_context_t sc; -- char *sename = NULL, *lvl = NULL; -- int r; -+ security_context_t sc = NULL; -+ char *sename, *lvl; -+ char *role; -+ const char *reqlvl; -+ int r = 0; -+ -+ ssh_selinux_get_role_level(&role, &reqlvl); - - #ifdef HAVE_GETSEUSERBYNAME -- if (getseuserbyname(pwname, &sename, &lvl) != 0) -- return NULL; -+ if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) { -+ sename = NULL; -+ lvl = NULL; -+ } - #else - sename = pwname; - lvl = NULL; - #endif - -+ if (r == 0) { - #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL -- r = get_default_context_with_level(sename, lvl, NULL, &sc); -+ if (role != NULL && role[0]) -+ r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc); -+ else -+ r = get_default_context_with_level(sename, lvl, NULL, &sc); - #else -- r = get_default_context(sename, NULL, &sc); -+ if (role != NULL && role[0]) -+ r = 
get_default_context_with_role(sename, role, NULL, &sc); -+ else -+ r = get_default_context(sename, NULL, &sc); - #endif -+ } - - if (r != 0) { - switch (security_getenforce()) { -@@ -104,6 +130,36 @@ ssh_selinux_getctxbyname(char *pwname) - return (sc); - } - -+/* Setup environment variables for pam_selinux */ -+static int -+ssh_selinux_setup_pam_variables(void) -+{ -+ const char *reqlvl; -+ char *role; -+ char *use_current; -+ int rv; -+ -+ debug3("%s: setting execution context", __func__); -+ -+ ssh_selinux_get_role_level(&role, &reqlvl); -+ -+ rv = do_pam_putenv("SELINUX_ROLE_REQUESTED", role ? role : ""); -+ -+ if (inetd_flag && !rexeced_flag) { -+ use_current = "1"; -+ } else { -+ use_current = ""; -+ rv = rv || do_pam_putenv("SELINUX_LEVEL_REQUESTED", reqlvl ? reqlvl: ""); -+ } -+ -+ rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current); -+ -+ if (role != NULL) -+ xfree(role); -+ -+ return rv; -+} -+ - /* Set the execution context to the default for the specified user */ - void - ssh_selinux_setup_exec_context(char *pwname) -@@ -113,6 +169,24 @@ ssh_selinux_setup_exec_context(char *pwn - if (!ssh_selinux_enabled()) - return; - -+ if (options.use_pam) { -+ /* do not compute context, just setup environment for pam_selinux */ -+ if (ssh_selinux_setup_pam_variables()) { -+ switch (security_getenforce()) { -+ case -1: -+ fatal("%s: security_getenforce() failed", __func__); -+ case 0: -+ error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.", -+ __func__); -+ break; -+ default: -+ fatal("%s: SELinux PAM variable setup failure. 
Aborting connection.", -+ __func__); -+ } -+ } -+ return; -+ } -+ - debug3("%s: setting execution context", __func__); - - user_ctx = ssh_selinux_getctxbyname(pwname); -@@ -220,21 +294,6 @@ ssh_selinux_change_context(const char *n - xfree(newctx); - } - --void --ssh_selinux_setfscreatecon(const char *path) --{ -- security_context_t context; -- -- if (!ssh_selinux_enabled()) -- return; -- if (path == NULL) { -- setfscreatecon(NULL); -- return; -- } -- if (matchpathcon(path, 0700, &context) == 0) -- setfscreatecon(context); --} -- - #endif /* WITH_SELINUX */ - - #ifdef LINUX_OOM_ADJUST -diff -up openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role openssh-5.9p1/openbsd-compat/port-linux_part_2.c ---- openssh-5.9p1/openbsd-compat/port-linux_part_2.c.role 2012-02-06 17:21:59.485846294 +0100 -+++ openssh-5.9p1/openbsd-compat/port-linux_part_2.c 2012-02-06 17:21:59.485846294 +0100 -@@ -0,0 +1,75 @@ -+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */ -+ -+/* -+ * Copyright (c) 2005 Daniel Walsh -+ * Copyright (c) 2006 Damien Miller -+ * -+ * Permission to use, copy, modify, and distribute this software for any -+ * purpose with or without fee is hereby granted, provided that the above -+ * copyright notice and this permission notice appear in all copies. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
-+ */ -+ -+/* -+ * Linux-specific portability code - just SELinux support at present -+ */ -+ -+#include "includes.h" -+ -+#if defined(WITH_SELINUX) || defined(LINUX_OOM_ADJUST) -+#include -+#include -+#include -+#include -+ -+#include "log.h" -+#include "xmalloc.h" -+#include "port-linux.h" -+#include "key.h" -+#include "hostfile.h" -+#include "auth.h" -+ -+#ifdef WITH_SELINUX -+#include -+#include -+#include -+ -+/* Wrapper around is_selinux_enabled() to log its return value once only */ -+int -+ssh_selinux_enabled(void) -+{ -+ static int enabled = -1; -+ -+ if (enabled == -1) { -+ enabled = (is_selinux_enabled() == 1); -+ debug("SELinux support %s", enabled ? "enabled" : "disabled"); -+ } -+ -+ return (enabled); -+} -+ -+void -+ssh_selinux_setfscreatecon(const char *path) -+{ -+ security_context_t context; -+ -+ if (!ssh_selinux_enabled()) -+ return; -+ if (path == NULL) { -+ setfscreatecon(NULL); -+ return; -+ } -+ if (matchpathcon(path, 0700, &context) == 0) -+ setfscreatecon(context); -+} -+ -+#endif /* WITH_SELINUX */ -+ -+#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */