- (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting
to switch SELinux context away from unconfined_t, based on patch from Jan Chadima; bz#1919 ok dtucker@
This commit is contained in:
parent
4438354870
commit
58ac11a2bd
|
@ -1,3 +1,8 @@
|
||||||
|
20110829
|
||||||
|
- (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting
|
||||||
|
to switch SELinux context away from unconfined_t, based on patch from
|
||||||
|
Jan Chadima; bz#1919 ok dtucker@
|
||||||
|
|
||||||
20110827
|
20110827
|
||||||
- (dtucker) [auth-skey.c] Add log.h to fix build --with-skey.
|
- (dtucker) [auth-skey.c] Add log.h to fix build --with-skey.
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
/* $Id: port-linux.c,v 1.15 2011/08/12 00:12:55 dtucker Exp $ */
|
/* $Id: port-linux.c,v 1.16 2011/08/29 06:09:57 djm Exp $ */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
* Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
|
||||||
|
@ -38,6 +38,10 @@
|
||||||
#include <selinux/flask.h>
|
#include <selinux/flask.h>
|
||||||
#include <selinux/get_context_list.h>
|
#include <selinux/get_context_list.h>
|
||||||
|
|
||||||
|
#ifndef SSH_SELINUX_UNCONFINED_TYPE
|
||||||
|
# define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
|
||||||
|
#endif
|
||||||
|
|
||||||
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
/* Wrapper around is_selinux_enabled() to log its return value once only */
|
||||||
int
|
int
|
||||||
ssh_selinux_enabled(void)
|
ssh_selinux_enabled(void)
|
||||||
|
@ -177,12 +181,13 @@ ssh_selinux_change_context(const char *newname)
|
||||||
{
|
{
|
||||||
int len, newlen;
|
int len, newlen;
|
||||||
char *oldctx, *newctx, *cx;
|
char *oldctx, *newctx, *cx;
|
||||||
|
void (*switchlog) (const char *fmt,...) = logit;
|
||||||
|
|
||||||
if (!ssh_selinux_enabled())
|
if (!ssh_selinux_enabled())
|
||||||
return;
|
return;
|
||||||
|
|
||||||
if (getcon((security_context_t *)&oldctx) < 0) {
|
if (getcon((security_context_t *)&oldctx) < 0) {
|
||||||
logit("%s: getcon failed with %s", __func__, strerror (errno));
|
logit("%s: getcon failed with %s", __func__, strerror(errno));
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) ==
|
if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) ==
|
||||||
|
@ -191,6 +196,14 @@ ssh_selinux_change_context(const char *newname)
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Check whether we are attempting to switch away from an unconfined
|
||||||
|
* security context.
|
||||||
|
*/
|
||||||
|
if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE,
|
||||||
|
sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0)
|
||||||
|
switchlog = debug3;
|
||||||
|
|
||||||
newlen = strlen(oldctx) + strlen(newname) + 1;
|
newlen = strlen(oldctx) + strlen(newname) + 1;
|
||||||
newctx = xmalloc(newlen);
|
newctx = xmalloc(newlen);
|
||||||
len = cx - oldctx + 1;
|
len = cx - oldctx + 1;
|
||||||
|
@ -198,11 +211,11 @@ ssh_selinux_change_context(const char *newname)
|
||||||
strlcpy(newctx + len, newname, newlen - len);
|
strlcpy(newctx + len, newname, newlen - len);
|
||||||
if ((cx = index(cx + 1, ':')))
|
if ((cx = index(cx + 1, ':')))
|
||||||
strlcat(newctx, cx, newlen);
|
strlcat(newctx, cx, newlen);
|
||||||
debug3("%s: setting context from '%s' to '%s'", __func__, oldctx,
|
debug3("%s: setting context from '%s' to '%s'", __func__,
|
||||||
newctx);
|
oldctx, newctx);
|
||||||
if (setcon(newctx) < 0)
|
if (setcon(newctx) < 0)
|
||||||
logit("%s: setcon %s from %s failed with %s", __func__, newctx,
|
switchlog("%s: setcon %s from %s failed with %s", __func__,
|
||||||
oldctx, strerror (errno));
|
newctx, oldctx, strerror(errno));
|
||||||
xfree(oldctx);
|
xfree(oldctx);
|
||||||
xfree(newctx);
|
xfree(newctx);
|
||||||
}
|
}
|
||||||
|
|
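Review bot: The unconfined check added in the `@ -191,6 +196,14` hunk only matches when the type field is followed by another ':', because `SSH_SELINUX_UNCONFINED_TYPE` is `":unconfined_t:"` and the comparison is `strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE, sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1)` with `cx` at the second colon, so a context with no trailing level field (`user:role:unconfined_t`) keeps `switchlog = logit` — the old, noisier behaviour rather than a fault, but the comment above the check should say so, e.g. `/* Only matched when a level field follows the type; other contexts keep the default logit. */`. Separately, `switchlog` is a plain `void (*)(const char *fmt, ...)` pointer, so the format string passed through it on the `setcon` failure path is no longer covered by whatever printf-format checking `logit`/`debug3` presumably carry; if the project's compat headers expose a format attribute macro, applying it to the pointer declaration would restore that check. The setcon failure is still reported at debug3 in the unconfined case, so nothing is lost for diagnosis, but that deliberate downgrade of verbosity is worth one line in the same comment.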