[redhat-lspp] Re: [PATCH 2/3] Re: MLS enforcing PTYs, sshd, and newrole
Daniel J Walsh
dwalsh at redhat.com
Fri Jan 5 16:24:02 UTC 2007
newrole patch for checking securetty.
diff --exclude-from=exclude --exclude POTFILES.in --exclude='*.po'
--exclude='*.pot' -N -u -r nsapolicycoreutils/newrole/newrole.c
policycoreutils-1.33.8/newrole/newrole.c
--- nsapolicycoreutils/newrole/newrole.c 2007-01-04
17:01:41.000000000 -0500
+++ policycoreutils-1.33.8/newrole/newrole.c 2007-01-05
11:17:36.000000000 -0500
@@ -733,6 +734,7 @@
security_context_t *new_context,
int *preserve_environment)
{
+ int i; /* index for open file descriptors */
int flag_index; /* flag index in argv[] */
int clflag; /* holds codes for command line flags */
char *role_s = NULL; /* role spec'd by user in argv[] */
@@ -741,6 +743,8 @@
char *level_s = NULL; /* level spec'd by user in argv[] */
char *range_ptr = NULL;
security_context_t new_con = NULL;
+ security_context_t tty_con = NULL;
+ int securetty=0;
context_t context = NULL; /* manipulatable form of new_context */
const struct option long_options[] = {
{"role", 1, 0, 'r'},
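Review bot: The two new declarations are the only ones in this block without the trailing comment the neighbouring locals carry, and their purpose (labels of fds 0-2 and the result of the securetty check) is not obvious from the names; suggest `security_context_t tty_con = NULL; /* label of stdin/stdout/stderr, checked against securetty types */` and `int securetty = 0; /* nonzero if the current fd's label is a securetty type */`. As a point of style, both variables are only used inside the `-l` handling in a later hunk of this patch, so they could be declared at that scope instead of the top of the function. The enclosing function's signature is outside this hunk.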
@@ -793,6 +797,18 @@
"specified\n"));
return -1;
}
+ for (i=0; i < 3; i++) {
+ securetty=0;
+ if (fgetfilecon(i,&tty_con) >= 0) {
+ securetty =
(selinux_check_securetty_context(tty_con) == 1);
+ freecon(tty_con);
+ }
+ if (!securetty) {
+ fprintf(stderr, "Error: you are
not allowed to change levels on a non secure terminal\n");
+ return -1;
+ }
+ }
+
level_s = optarg;
break;
default:
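Review bot: The result of `selinux_check_securetty_context(tty_con)` is compared with 1, but libselinux documents that function as returning 0 when the context is a securetty type and -1 otherwise; if the library this patch targets follows that convention the check can never succeed and every `-l` request is refused, so please confirm the return convention and, if it is 0-on-success, use `securetty = (selinux_check_securetty_context(tty_con) == 0);`. A failed `fgetfilecon()` (closed fd, or one with no retrievable label) also ends in the "non secure terminal" message, so a misconfiguration is reported as a policy refusal; reporting errno or using a distinct message in that branch would make it diagnosable. The `securetty =` statement and the `fprintf` string literal are each split across two lines here, which looks like mail-client wrapping rather than the submitted text, but as shown the string literal would not compile. The enclosing function starts and ends outside this hunk.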