| diff --git a/openbsd-compat/port-linux-sshd.c b/openbsd-compat/port-linux-sshd.c |
| index 8f32464..18a2ca4 100644 |
| |
| |
| @@ -32,6 +32,7 @@ |
| #include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ |
| #include "servconf.h" |
| #include "port-linux.h" |
| +#include "misc.h" |
| #include "sshkey.h" |
| #include "hostfile.h" |
| #include "auth.h" |
| @@ -445,7 +446,7 @@ sshd_selinux_setup_exec_context(char *pwname) |
| void |
| sshd_selinux_copy_context(void) |
| { |
| - security_context_t *ctx; |
| + char *ctx; |
| |
| if (!sshd_selinux_enabled()) |
| return; |
| @@ -461,6 +462,72 @@ sshd_selinux_copy_context(void) |
| } |
| } |
| |
| +void |
| +sshd_selinux_change_privsep_preauth_context(void) |
| +{ |
| + int len; |
| + char line[1024], *preauth_context = NULL, *cp, *arg; |
| + const char *contexts_path; |
| + FILE *contexts_file; |
| + struct stat sb; |
| + |
| + contexts_path = selinux_openssh_contexts_path(); |
| + if (contexts_path == NULL) { |
| + debug3_f("Failed to get the path to SELinux context"); |
| + return; |
| + } |
| + |
| + if ((contexts_file = fopen(contexts_path, "r")) == NULL) { |
| + debug_f("Failed to open SELinux context file"); |
| + return; |
| + } |
| + |
| + if (fstat(fileno(contexts_file), &sb) != 0 || |
| + sb.st_uid != 0 || (sb.st_mode & 022) != 0) { |
| + logit_f("SELinux context file needs to be owned by root" |
| + " and not writable by anyone else"); |
| + fclose(contexts_file); |
| + return; |
| + } |
| + |
| + while (fgets(line, sizeof(line), contexts_file)) { |
| + /* Strip trailing whitespace */ |
| + for (len = strlen(line) - 1; len > 0; len--) { |
| + if (strchr(" \t\r\n", line[len]) == NULL) |
| + break; |
| + line[len] = '\0'; |
| + } |
| + |
| + if (line[0] == '\0') |
| + continue; |
| + |
| + cp = line; |
| + arg = strdelim(&cp); |
| + if (arg && *arg == '\0') |
| + arg = strdelim(&cp); |
| + |
| + if (arg && strcmp(arg, "privsep_preauth") == 0) { |
| + arg = strdelim(&cp); |
| + if (!arg || *arg == '\0') { |
| + debug_f("privsep_preauth is empty"); |
| + fclose(contexts_file); |
| + return; |
| + } |
| + preauth_context = xstrdup(arg); |
| + } |
| + } |
| + fclose(contexts_file); |
| + |
| + if (preauth_context == NULL) { |
| + debug_f("Unable to find 'privsep_preauth' option in" |
| + " SELinux context file"); |
| + return; |
| + } |
| + |
| + ssh_selinux_change_context(preauth_context); |
| + free(preauth_context); |
| +} |
| + |
| #endif |
| #endif |
| |
| diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c |
| index 22ea8ef..1fc963d 100644 |
| |
| |
| @@ -179,7 +179,7 @@ ssh_selinux_change_context(const char *newname) |
| strlcpy(newctx + len, newname, newlen - len); |
| if ((cx = index(cx + 1, ':'))) |
| strlcat(newctx, cx, newlen); |
| - debug3("%s: setting context from '%s' to '%s'", __func__, |
| + debug_f("setting context from '%s' to '%s'", |
| oldctx, newctx); |
| if (setcon(newctx) < 0) |
| do_log2(log_level, "%s: setcon %s from %s failed with %s", |
| __func__, newctx, oldctx, strerror(errno)); |
| diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h |
| index cb51f99..8b7cda2 100644 |
| |
| |
| @@ -29,6 +29,7 @@ int sshd_selinux_enabled(void); |
| void sshd_selinux_copy_context(void); |
| void sshd_selinux_setup_exec_context(char *); |
| int sshd_selinux_setup_env_variables(void); |
| +void sshd_selinux_change_privsep_preauth_context(void); |
| #endif |
| |
| #ifdef LINUX_OOM_ADJUST |
| diff --git a/sshd.c b/sshd.c |
| index 2871fe9..39b9c08 100644 |
| |
| |
| @@ -629,7 +629,7 @@ privsep_preauth_child(void) |
| demote_sensitive_data(); |
| |
| #ifdef WITH_SELINUX |
| - ssh_selinux_change_context("sshd_net_t"); |
| + sshd_selinux_change_privsep_preauth_context(); |
| #endif |
| |
| /* Demote the child */ |