File: avoid-hardcoded-selinux-class.patch

openssh-ssh1 1%3A7.5p1-18
From 9498b3c8ad8661c59b027af45df29c4228518192 Mon Sep 17 00:00:00 2001
From: Damien Miller <djm@mindrot.org>
Date: Mon, 26 Feb 2018 12:17:22 +1100
Subject: avoid inclusion of deprecated selinux/flask.h

Use string_to_security_class() instead.

Bug-Debian: https://bugs.debian.org/950473
Origin: upstream, https://anongit.mindrot.org/openssh.git/commit/?id=bda709b8e13d3eef19e69c2d1684139e3af728f5
Last-Update: 2020-07-25

Patch-Name: avoid-hardcoded-selinux-class.patch
---
 openbsd-compat/port-linux.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index e4c5d1b7c..8c5325cc3 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -33,7 +33,6 @@
 
 #ifdef WITH_SELINUX
 #include <selinux/selinux.h>
-#include <selinux/flask.h>
 #include <selinux/get_context_list.h>
 
 #ifndef SSH_SELINUX_UNCONFINED_TYPE
@@ -139,6 +138,7 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
 	security_context_t new_tty_ctx = NULL;
 	security_context_t user_ctx = NULL;
 	security_context_t old_tty_ctx = NULL;
+	security_class_t chrclass;
 
 	if (!ssh_selinux_enabled())
 		return;
@@ -153,9 +153,12 @@ ssh_selinux_setup_pty(char *pwname, const char *tty)
 		error("%s: getfilecon: %s", __func__, strerror(errno));
 		goto out;
 	}
-
+	if ((chrclass = string_to_security_class("chr_file")) == 0) {
+		error("%s: couldn't get security class for chr_file", __func__);
+		goto out;
+	}
 	if (security_compute_relabel(user_ctx, old_tty_ctx,
-	    SECCLASS_CHR_FILE, &new_tty_ctx) != 0) {
+	    chrclass, &new_tty_ctx) != 0) {
 		error("%s: security_compute_relabel: %s",
 		    __func__, strerror(errno));
 		goto out;
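Review bot: The added `string_to_security_class("chr_file")` check bails out with `goto out` without relabeling, so on this new failure path the pty presumably keeps `old_tty_ctx` while the session carries on; the function appears to return nothing, so the caller cannot notice. That matches the neighbouring error paths, but it is a new way to end up with an unrelabeled tty and deserves a comment above the check, e.g. `/* Lookup fails if the loaded policy lacks chr_file; tty keeps its old label. */`. The new message also drops the errno text that the `getfilecon` and `security_compute_relabel` messages include; libselinux documents errno as set when the class is not recognised, so `error("%s: string_to_security_class(chr_file): %s", __func__, strerror(errno));` would keep the logs consistent and easier to alert on. The `out:` label and the rest of `ssh_selinux_setup_pty` lie outside this hunk, so the cleanup behaviour is inferred rather than visible.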