--- openssh/session.c +++ openssh/session.c @@ -66,6 +66,11 @@ #include "ssh-gss.h" #endif +#ifdef WITH_SELINUX +#include +#include +#endif + /* func */ Session *session_new(void); @@ -1304,6 +1309,19 @@ #endif if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); +#ifdef WITH_SELINUX + if (is_selinux_enabled()) + { + security_context_t scontext; + if (get_default_context(pw->pw_name,NULL,&scontext)) + fatal("Failed to get default security context for %s.", pw->pw_name); + if (setexeccon(scontext)) { + freecon(scontext); + fatal("Failed to set exec security context %s for %s.", scontext, pw->pw_name); + } + freecon(scontext); + } +#endif } static void --- openssh/sshpty.c +++ openssh/sshpty.c @@ -30,6 +30,12 @@ #define O_NOCTTY 0 #endif +#ifdef WITH_SELINUX +#include +#include +#include +#endif + /* * Allocates and opens a pty. Returns 0 if no pty could be allocated, or * nonzero if a pty was successfully allocated. On success, open file @@ -196,6 +202,37 @@ * Warn but continue if filesystem is read-only and the uids match/ * tty is owned by root. */ +#ifdef WITH_SELINUX + if (is_selinux_enabled()) { + security_context_t new_tty_context=NULL, + user_context=NULL, old_tty_context=NULL; + + if (get_default_context(pw->pw_name,NULL,&user_context)) + fatal("Failed to get default security context for %s.", pw->pw_name); + + if (getfilecon(tty, &old_tty_context)<0) { + error("getfilecon(%.100s) failed: %.100s", tty, + strerror(errno)); + } + else + { + if ( security_compute_relabel(user_context,old_tty_context,SECCLASS_CHR_FILE,&new_tty_context)!=0) { + error("security_compute_relabel(%.100s) failed: %.100s", tty, + strerror(errno)); + } + else + { + if (setfilecon (tty, new_tty_context) != 0) { + error("setfilecon(%.100s, %s) failed: %.100s", + tty, new_tty_context, strerror(errno)); + } + freecon(new_tty_context); + } + freecon(old_tty_context); + } + freecon(user_context); + } +#endif if (stat(tty, &st)) fatal("stat(%.100s) failed: %.100s", tty, strerror(errno));