Package: openssh-server Version: 1:4.3p2-5 Severity: normal Tags: patch Hi,
The attached patch brings openssh back into compatibility with recent SELinux releases, and includes an autoconf macro for configure.ac. I have tested the patch (after running autoreconf), and indeed, I am using it now. manoj
diff -uBbwr ../debian-current/openssh-4.3p2/configure.ac openssh-4.3p2/configure.ac --- ../debian-current/openssh-4.3p2/configure.ac 2006-10-20 12:53:04.000000000 -0500 +++ openssh-4.3p2/configure.ac 2006-10-20 15:34:53.000000000 -0500 @@ -2996,6 +2996,28 @@ fi ]) +# Check whether user wants SELinux support +SELINUX_MSG="no" +LIBSELINUX="" +AC_ARG_WITH(selinux, + [ --with-selinux[[=LIBSELINUX-PATH]] Enable SELinux support], + [ if test "x$withval" != "xno" ; then + if test "x$withval" != "xyes"; then + CPPFLAGS="$CPPFLAGS -I${withval}/include" + if test -n "${need_dash_r}"; then + LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}" + else + LDFLAGS="-L${withval}/lib ${LDFLAGS}" + fi + fi + AC_DEFINE(WITH_SELINUX,1,[Define if you want SELinux support.]) + SELINUX_MSG="yes" + AC_CHECK_HEADERS(selinux.h) + LIBSELINUX="-lselinux" + fi + ]) +AC_SUBST(LIBSELINUX) + # Check whether user wants Kerberos 5 support KRB5_MSG="no" AC_ARG_WITH(kerberos5, diff -uBbwr ../debian-current/openssh-4.3p2/Makefile.in openssh-4.3p2/Makefile.in --- ../debian-current/openssh-4.3p2/Makefile.in 2006-10-20 12:53:04.000000000 -0500 +++ openssh-4.3p2/Makefile.in 2006-10-20 15:34:48.000000000 -0500 @@ -43,6 +43,7 @@ [EMAIL PROTECTED]@ CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@ [EMAIL PROTECTED]@ [EMAIL PROTECTED]@ [EMAIL PROTECTED]@ [EMAIL PROTECTED]@ [EMAIL PROTECTED]@ 
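Review bot: The `--with-selinux` branch probes `AC_CHECK_HEADERS(selinux.h)`, but libselinux installs its headers under `selinux/`, and the probe's result is never acted on, so a build configured with `--with-selinux` on a host without the development headers still defines `WITH_SELINUX` and only fails later at compile time. Nothing checks that the library actually provides the newer entry points selinux.c now calls (`getseuserbyname`, `get_default_context_with_rolelevel`), which is exactly the compatibility question this patch is about. I would replace the header probe with `AC_CHECK_HEADERS([selinux/selinux.h selinux/get_context_list.h], , [AC_MSG_ERROR([SELinux headers not found])])` and derive `LIBSELINUX` from `AC_CHECK_LIB(selinux, getseuserbyname, [LIBSELINUX="-lselinux"], [AC_MSG_ERROR([libselinux missing or too old])])` instead of assigning it unconditionally.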
@@ -136,7 +137,7 @@
$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
sshd$(EXEEXT): libssh.a $(LIBCOMPAT) $(SSHDOBJS)
- $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
+ $(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBSELINUX) $(LIBS)
scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
diff -uBbwr ../debian-current/openssh-4.3p2/monitor.c openssh-4.3p2/monitor.c
--- ../debian-current/openssh-4.3p2/monitor.c 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor.c 2006-10-20 15:34:48.000000000 -0500
@@ -111,6 +111,7 @@
int mm_answer_pwnamallow(int, Buffer *);
int mm_answer_auth2_read_banner(int, Buffer *);
int mm_answer_authserv(int, Buffer *);
+int mm_answer_authrole(int, Buffer *);
int mm_answer_authpassword(int, Buffer *);
int mm_answer_bsdauthquery(int, Buffer *);
int mm_answer_bsdauthrespond(int, Buffer *);
@@ -182,6 +183,7 @@
{MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
{MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
{MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
+ {MONITOR_REQ_AUTHROLE, MON_ONCE, mm_answer_authrole},
{MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
{MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
#ifdef USE_PAM
@@ -638,6 +640,7 @@
else {
/* Allow service/style information on the auth context */
monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
+ monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1);
monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
}
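Review bot: The new `monitor_permit(mon_dispatch, MONITOR_REQ_AUTHROLE, 1)` sits inside an `else {` whose `if` counterpart lies outside the hunk; if that branch is the path that permits authentication directly for the other protocol version (it does not go through AUTHSERV), a role can never reach the monitor on that path and will be silently ignored, which should either be handled there or stated in a comment such as `/* AUTHROLE is only available on the AUTHSERV path */`. Likewise the dispatch table receiving the `MONITOR_REQ_AUTHROLE` entry is not named in the hunk; if a second pre-auth table exists for the other protocol version it needs the same entry, otherwise an unexpected request there is fatal for the monitor. The enclosing function of the permit hunk starts and ends outside the hunk.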
@@ -692,6 +695,23 @@
}
int
+mm_answer_authrole(int sock, Buffer *m)
+{
+ monitor_permit_authentications(1);
+
+ authctxt->role = buffer_get_string(m, NULL);
+ debug3("%s: role=%s",
+ __func__, authctxt->role);
+
+ if (strlen(authctxt->role) == 0) {
+ xfree(authctxt->role);
+ authctxt->role = NULL;
+ }
+
+ return (0);
+}
+
+int
mm_answer_authpassword(int sock, Buffer *m)
{
static int call_count;
diff -uBbwr ../debian-current/openssh-4.3p2/monitor.h openssh-4.3p2/monitor.h
--- ../debian-current/openssh-4.3p2/monitor.h 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor.h 2006-10-20 15:34:48.000000000 -0500
@@ -30,7 +30,7 @@
enum monitor_reqtype {
MONITOR_REQ_MODULI, MONITOR_ANS_MODULI,
- MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,
+ MONITOR_REQ_FREE, MONITOR_REQ_AUTHSERV,MONITOR_REQ_AUTHROLE,
MONITOR_REQ_SIGN, MONITOR_ANS_SIGN,
MONITOR_REQ_PWNAM, MONITOR_ANS_PWNAM,
MONITOR_REQ_AUTH2_READ_BANNER, MONITOR_ANS_AUTH2_READ_BANNER,
diff -uBbwr ../debian-current/openssh-4.3p2/monitor_wrap.c openssh-4.3p2/monitor_wrap.c
--- ../debian-current/openssh-4.3p2/monitor_wrap.c 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor_wrap.c 2006-10-20 15:34:48.000000000 -0500
@@ -272,6 +272,23 @@
buffer_free(&m);
}
+/* Inform the privileged process about role */
+
+void
+mm_inform_authrole(char *role)
+{
+ Buffer m;
+
+ debug3("%s entering", __func__);
+
+ buffer_init(&m);
+ buffer_put_cstring(&m, role ? role : "");
+
+ mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, &m);
+
+ buffer_free(&m);
+}
+
/* Do the password authentication */
int
mm_auth_password(Authctxt *authctxt, char *password)
diff -uBbwr ../debian-current/openssh-4.3p2/monitor_wrap.h openssh-4.3p2/monitor_wrap.h
--- ../debian-current/openssh-4.3p2/monitor_wrap.h 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/monitor_wrap.h 2006-10-20 15:39:45.000000000 -0500
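Review bot: `mm_answer_authrole` calls `monitor_permit_authentications(1)` before it has even read the role, so a child that sends `MONITOR_REQ_AUTHROLE` but never `MONITOR_REQ_AUTHSERV` is allowed on to authentication requests with `authctxt->service` and `authctxt->style` still unset; if AUTHSERV is meant to stay the single gate, drop that call here and leave it to the AUTHSERV handler. The role string arrives from the unprivileged child, which is the process the privsep design assumes may be compromised, and the only check applied is for an empty string, so the monitor relies entirely on libselinux and policy to refuse a role the SELinux user may not take — that looks intentional but deserves a comment, e.g. `/* Role is client-supplied and unvalidated here; policy must reject disallowed roles in selinux_get_user_context(). */` above the `buffer_get_string` call. Moving the `debug3` after the empty-string check also avoids logging `role=` for the no-role case.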
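Review bot: No hunk in this patch calls `mm_inform_authrole`, and none adds the `role` member that selinux.c already dereferences, so the wiring from the child's role parsing is either missing from the patch or relied on implicitly from an existing change; the description should say which, because as submitted the monitor-side handler is unreachable. The parameter can be `const char *role`, since the function only reads it through `buffer_put_cstring`. Because the answering handler is registered `MON_ONCE`, a second call from the child is fatal in the monitor, which belongs in the header comment: `/* Inform the privileged process about role; at most once per connection */`.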
@@ -44,6 +44,7 @@
DH *mm_choose_dh(int, int, int);
int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
void mm_inform_authserv(char *, char *, char *);
+void mm_inform_authrole(char *);
struct passwd *mm_getpwnamallow(const char *);
char *mm_auth2_read_banner(void);
int mm_auth_password(struct Authctxt *, char *);
diff -uBbwr ../debian-current/openssh-4.3p2/selinux.c openssh-4.3p2/selinux.c
--- ../debian-current/openssh-4.3p2/selinux.c 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/selinux.c 2006-10-20 15:57:51.000000000 -0500
@@ -13,20 +11,24 @@
extern Authctxt *the_authctxt;
-static security_context_t
+static const security_context_t
selinux_get_user_context(const char *name)
{
security_context_t user_context = NULL;
char *role = NULL;
- int ret = 0;
+ int ret = -1;
+ char *seuser=NULL;
+ char *level=NULL;
if (the_authctxt)
role = the_authctxt->role;
+ if (getseuserbyname(name, &seuser, &level)==0) {
if (role != NULL && role[0])
- ret = get_default_context_with_role(name, role, NULL,
+ ret=get_default_context_with_rolelevel(seuser, role, level,NULL,
&user_context);
else
- ret = get_default_context(name, NULL, &user_context);
+ ret=get_default_context_with_level(seuser, level, NULL,&user_context);
+ }
if (ret < 0) {
if (security_getenforce() > 0)
fatal("Failed to get default security context for %s.",
@@ -42,12 +44,9 @@
void
setup_selinux_pty(const char *name, const char *tty)
{
- security_context_t new_tty_context, user_context, old_tty_context;
+ if (is_selinux_enabled() > 0) {
+ security_context_t new_tty_context=NULL, user_context=NULL, old_tty_context=NULL;
- if (is_selinux_enabled() <= 0)
- return;
-
- new_tty_context = old_tty_context = NULL;
user_context = selinux_get_user_context(name);
if (getfilecon(tty, &old_tty_context) < 0) {
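Review bot: `getseuserbyname` returns malloc'd `seuser` and `level` strings that the caller must free, and the new block in `selinux_get_user_context` never frees them, so every call leaks two allocations inside the privileged sshd. Add `free(seuser);` and `free(level);` right after the closing `}` of the `if (getseuserbyname(...)==0) {` block, before the `if (ret < 0)` check — both start as NULL, so the frees are harmless on the lookup-failure path too. The `const` added to the return type qualifies the pointer value itself (`security_context_t` is a `char *` typedef), is discarded on return and draws `-Wignored-qualifiers`; it should be dropped. Initialising `ret` to `-1` is the right change: a failed seuser lookup now reaches the existing enforcing-mode `fatal` instead of handing back a NULL context as success. The tail of this function and the body of `setup_selinux_pty` continue outside the hunk.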
@@ -66,20 +65,18 @@
}
freecon(old_tty_context);
}
- if (user_context)
+ if (user_context) {
freecon(user_context);
}
+ }
+}
void
-setup_selinux_exec_context(const char *name)
+setup_selinux_exec_context(char *name)
{
- security_context_t user_context;
-
- if (is_selinux_enabled() <= 0)
- return;
-
- user_context = selinux_get_user_context(name);
+ if (is_selinux_enabled() > 0) {
+ security_context_t user_context=selinux_get_user_context(name);
if (setexeccon(user_context)) {
if (security_getenforce() > 0)
fatal("Failed to set exec security context %s for %s.",
@@ -89,23 +86,10 @@
"Continuing in permissive mode", user_context, name);
}
- if (user_context)
+ if (user_context) {
freecon(user_context);
}
-
-#else /* WITH_SELINUX */
-
-void
-setup_selinux_pty(const char *name, const char *tty)
-{
- (void) name;
- (void) tty;
}
-
-void
-setup_selinux_exec_context(const char *name)
-{
- (void) name;
}
#endif /* WITH_SELINUX */
diff -uBbwr ../debian-current/openssh-4.3p2/selinux.h openssh-4.3p2/selinux.h
--- ../debian-current/openssh-4.3p2/selinux.h 2006-10-20 12:53:04.000000000 -0500
+++ openssh-4.3p2/selinux.h 2006-10-20 15:41:29.000000000 -0500
@@ -1,7 +1,15 @@
#ifndef SELINUX_H
#define SELINUX_H
+# ifdef WITH_SELINUX
+
extern void setup_selinux_pty(const char *, const char *);
extern void setup_selinux_exec_context(const char *);
+# else
+
+static inline void setup_selinux_pty(const char *name, const char *tty) {}
+static inline void setup_selinux_exec_context(const char *name) {}
+
+#endif /* WITH_SELINUX */
#endif /* SELINUX_H */
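Review bot: The definition of `setup_selinux_exec_context` changes its parameter to `char *name` while selinux.h (last hunk of this patch) still declares `extern void setup_selinux_exec_context(const char *);`; if selinux.c includes its own header (not visible in this diff) the compiler rejects the conflicting prototypes, and if it does not, callers passing a `const char *` now get a warning for no gain. Keep the original `const char *name`, which the body only reads. Wrapping both functions in `if (is_selinux_enabled() > 0) { ... }` instead of the former early return adds a nesting level and leaves the `+ }` / `+}` closers here and in the following hunk as the only thing separating the two functions, which is easy to get wrong on the next rebase; the early-return form was already correct and I would keep it. `setup_selinux_pty` begins outside this hunk.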
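Review bot: After this change the meaning of selinux.h depends on whether `WITH_SELINUX` is already defined at the point of inclusion, so any translation unit that includes selinux.h before the configuration header (normally pulled in through includes.h) silently gets the no-op stubs and never sets the PTY or exec context, with no compile-time signal. Either include the configuration header at the top of selinux.h, or keep the real prototypes unconditional and select the no-op implementations inside selinux.c as the old `#else` block did. The stub parameters `name` and `tty` are now unused and will warn under `-Wunused-parameter`; the removed `(void) name;` / `(void) tty;` lines belong inside the stubs. `static inline` in a header also assumes C99 or a compiler extension, so confirm it matches the mode the rest of the tree is compiled with.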
-- System Information: Debian Release: testing/unstable APT prefers unstable APT policy: (990, 'unstable'), (500, 'stable'), (1, 'experimental') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.18-mh1-skas3-v9-pre9-fremap Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8) Versions of packages openssh-server depends on: ii adduser 3.99 Add and remove users and groups ii debconf 1.5.6 Debian configuration management sy ii dpkg 1.13.24 package maintenance system for Deb ii libc6 2.3.6.ds1-6 GNU C Library: Shared libraries ii libcomer 1.39+1.40-WIP-2006.10.02+dfsg-1 common error description library ii libkrb53 1.4.4-3 MIT Kerberos runtime libraries ii libpam-m 0.79-3.2 Pluggable Authentication Modules f ii libpam-r 0.79-3.2 Runtime support for the PAM librar ii libpam0g 0.79-3.2 Pluggable Authentication Modules l ii libselin 1.32-2 SELinux shared libraries ii libssl0. 0.9.8c-3 SSL shared libraries ii libwrap0 7.6.dbs-11 Wietse Venema's TCP wrappers libra ii openssh- 1:4.3p2-5 Secure shell client, an rlogin/rsh ii zlib1g 1:1.2.3-13 compression library - runtime openssh-server recommends no packages. -- debconf information: ssh/insecure_rshd: * ssh/forward_warning: ssh/encrypted_host_key_but_no_keygen: ssh/insecure_telnetd: ssh/new_config: true * ssh/use_old_init_script: true ssh/disable_cr_auth: false * ssh/protocol2_only: false -- Once, I read that a man be never stronger than when he truly realizes how weak he is. -- Jim Starlin, "Captain Marvel #31" Manoj Srivastava <[EMAIL PROTECTED]> <http://www.golden-gryphon.com/> 1024D/BF24424C print 4966 F272 D093 B493 410B 924B 21BA DABB BF24 424C