Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

added selinux support #70

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

added selinux support #70

wants to merge 2 commits into from

Conversation

ensc
Copy link

@ensc ensc commented Nov 11, 2018

Commit adds SELinux support to dropbear by:

  • adding a new '--enable-selinux' option to configure; by default, it
    is disabled. This option defines an ENABLE_SELINUX preprocessor
    macro.

  • mapping the unix username to the SELinux user which is stored in a
    new 'user_sid' attribute in the AuthState object

  • relabeling the controlling pty

  • setting the context for the next execve() call to the user_sid

Operations above will not be done when SELinux is disabled. Failures will
generate LOG_ERR messages and in enforcing SELinux mode, dropbear_exit()
will be called.

Signed-off-by: Enrico Scholz [email protected]

@ensc ensc changed the title added selinu support added selinux support Nov 11, 2018
mkj
mkj requested changes Nov 12, 2018
View reviewed changes
Copy link
Owner

@mkj mkj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks. I've noted a few changes.
Out of interest what platform are you using?

Makefile.in Outdated Show resolved Hide resolved
auth.h Outdated Show resolved Hide resolved
common-session.c Outdated Show resolved Hide resolved
common-session.c Outdated Show resolved Hide resolved
svr-chansession.c Show resolved Hide resolved
@ensc
added selinux support
4a2bcf8 
Commit adds SELinux support to dropbear by:

- adding a new '--enable-selinux' option to configure; by default, it
  is disabled.  This option defines an ENABLE_SELINUX preprocessor
  macro.

- mapping the unix username to the SELinux user which is stored in a
  new 'user_sid' attribute in the AuthState object

- relabeling the controlling pty

- setting the context for the next execve() call to the user_sid

Operations above will not be done when SELinux is disabled.  Failures will
generate LOG_ERR messages and in enforcing SELinux mode, dropbear_exit()
will be called.

Signed-off-by: Enrico Scholz <[email protected]>
@ensc
Copy link
Author

ensc commented Nov 23, 2018

I think, I addressed all the issues.

I am using it in an OpenEmbedded based project:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mkj mkj mkj requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ensc @mkj