authorDamien Miller <djm@mindrot.org>2011-08-29 16:09:52 +1000
committerDamien Miller <djm@mindrot.org>2011-08-29 16:09:52 +1000
commit58ac11a2bd0935aee87b8cc60e2b724e71c41207 (patch)
treedc4f2e7cb9990e4efb2f3602da3a2a8c66f6a6c4
parent4438354870aa3bdbf52d9bc7bf20c85aa3fff1f9 (diff)
- (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting
to switch SELinux context away from unconfined_t, based on patch from Jan Chadima; bz#1919 ok dtucker@
-rw-r--r--ChangeLog5
-rw-r--r--openbsd-compat/port-linux.c25
2 files changed, 24 insertions, 6 deletions
diff --git a/ChangeLog b/ChangeLog
index 3c557ed5..9bf90758 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20110829
+ - (djm) [openbsd-compat/port-linux.c] Suppress logging when attempting
+ to switch SELinux context away from unconfined_t, based on patch from
+ Jan Chadima; bz#1919 ok dtucker@
+
20110827
- (dtucker) [auth-skey.c] Add log.h to fix build --with-skey.
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index be763656..ea8dff40 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -1,4 +1,4 @@
-/* $Id: port-linux.c,v 1.15 2011/08/12 00:12:55 dtucker Exp $ */
+/* $Id: port-linux.c,v 1.16 2011/08/29 06:09:57 djm Exp $ */
/*
* Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@@ -38,6 +38,10 @@
#include <selinux/flask.h>
#include <selinux/get_context_list.h>
+#ifndef SSH_SELINUX_UNCONFINED_TYPE
+# define SSH_SELINUX_UNCONFINED_TYPE ":unconfined_t:"
+#endif
+
/* Wrapper around is_selinux_enabled() to log its return value once only */
int
ssh_selinux_enabled(void)
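Review bot: The new SSH_SELINUX_UNCONFINED_TYPE macro carries no comment saying that the surrounding ':' characters are part of what gets matched, or why it is wrapped in #ifndef (presumably so a build can override the type name). A one-line comment above the guard would make both clear: `/* SELinux type, with its ':' field separators, whose failed context switches are logged at debug level only; overridable at build time */`. Without it, a reader is likely to drop the colons when changing the value and silently break the comparison further down.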
@@ -177,12 +181,13 @@ ssh_selinux_change_context(const char *newname)
{
int len, newlen;
char *oldctx, *newctx, *cx;
+ void (*switchlog) (const char *fmt,...) = logit;
if (!ssh_selinux_enabled())
return;
if (getcon((security_context_t *)&oldctx) < 0) {
- logit("%s: getcon failed with %s", __func__, strerror (errno));
+ logit("%s: getcon failed with %s", __func__, strerror(errno));
return;
}
if ((cx = index(oldctx, ':')) == NULL || (cx = index(cx + 1, ':')) ==
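Review bot: The added `switchlog` function pointer loses the printf-style format attribute that logit and debug3 presumably carry in log.h, so the compiler can no longer check the format string against its arguments at the switchlog() call later in this function. If the project's compiler support allows it, declaring the pointer with the same attribute restores that check: `void (*switchlog)(const char *fmt, ...) __attribute__((format(printf, 1, 2))) = logit;`. A short comment on the declaration would also help, e.g. `/* logger for setcon() failures; demoted to debug3 when leaving unconfined_t */`. ssh_selinux_change_context continues beyond the end of this hunk.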
@@ -191,6 +196,14 @@ ssh_selinux_change_context(const char *newname)
return;
}
+ /*
+ * Check whether we are attempting to switch away from an unconfined
+ * security context.
+ */
+ if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE,
+ sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 1) == 0)
+ switchlog = debug3;
+
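Review bot: The strncmp in the new check compares the full ":unconfined_t:" string including the trailing colon, so a context whose type is the last field (no MLS/MCS range, e.g. `unconfined_u:unconfined_r:unconfined_t`) has a NUL where the ':' is expected and does not match, and its setcon failures keep being logged with logit; the strlcat later in this function already tolerates a missing fourth field, so this check is inconsistent with it. If three-field contexts can occur on the policies this runs under, bound the type field explicitly: `len = sizeof(SSH_SELINUX_UNCONFINED_TYPE) - 2; /* without trailing ':' */` followed by `if (strncmp(cx, SSH_SELINUX_UNCONFINED_TYPE, len) == 0 && (cx[len] == ':' || cx[len] == '\0'))`. The `len` local is only assigned later in the function, so reusing it here is safe. ssh_selinux_change_context continues outside this hunk.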
newlen = strlen(oldctx) + strlen(newname) + 1;
newctx = xmalloc(newlen);
len = cx - oldctx + 1;
@@ -198,11 +211,11 @@ ssh_selinux_change_context(const char *newname)
strlcpy(newctx + len, newname, newlen - len);
if ((cx = index(cx + 1, ':')))
strlcat(newctx, cx, newlen);
- debug3("%s: setting context from '%s' to '%s'", __func__, oldctx,
- newctx);
+ debug3("%s: setting context from '%s' to '%s'", __func__,
+ oldctx, newctx);
if (setcon(newctx) < 0)
- logit("%s: setcon %s from %s failed with %s", __func__, newctx,
- oldctx, strerror (errno));
+ switchlog("%s: setcon %s from %s failed with %s", __func__,
+ newctx, oldctx, strerror(errno));
xfree(oldctx);
xfree(newctx);
}