* newrole patch
@ 2007-01-09 15:10 Daniel J Walsh
2007-01-11 17:35 ` Stephen Smalley
0 siblings, 1 reply; 2+ messages in thread
From: Daniel J Walsh @ 2007-01-09 15:10 UTC
To: Stephen Smalley, SE Linux
[-- Attachment #1: Type: text/plain, Size: 72 bytes --]
Only uses file descriptor = 0
Reads securetty_context file for matches
[-- Attachment #2: policycoreutils-newrole.patch --]
[-- Type: text/x-patch, Size: 858 bytes --]
--- nsapolicycoreutils/newrole/newrole.c 2007-01-04 17:01:41.000000000 -0500
+++ policycoreutils-1.33.10/newrole/newrole.c 2007-01-09 10:09:19.000000000 -0500
@@ -741,6 +741,7 @@
char *level_s = NULL; /* level spec'd by user in argv[] */
char *range_ptr = NULL;
security_context_t new_con = NULL;
+ security_context_t tty_con = NULL;
context_t context = NULL; /* manipulatable form of new_context */
const struct option long_options[] = {
{"role", 1, 0, 'r'},
@@ -793,6 +794,15 @@
"specified\n"));
return -1;
}
+ if (fgetfilecon(0,&tty_con) >= 0) {
+ if (selinux_check_securetty_context(tty_con) != 1) {
+ fprintf(stderr, "Error: you are not allowed to change levels on a non secure terminal\n");
+ freecon(tty_con);
+ return -1;
+ }
+ freecon(tty_con);
+ }
+
level_s = optarg;
break;
default:
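Review bot: The new check in the level-option case fails open. When fgetfilecon(0, &tty_con) returns a negative value, the whole block is skipped and execution continues to level_s = optarg, so a caller whose stdin has no retrievable context (closed, redirected, or on a filesystem without labels) changes level without the securetty test ever running. Add an else branch that prints an error and returns -1, so the level change is refused unless the terminal context was both read and accepted. Two smaller points in the same block: the != 1 comparison should be confirmed against the return convention selinux_check_securetty_context actually uses, since a mismatch there either rejects every terminal or accepts every terminal; and the new error string is passed to fprintf bare, while the neighbouring "specified\n")) message ends in a double parenthesis that suggests a translation wrapper, so the new message should be wrapped the same way. It would also help to add a comment stating that only descriptor 0 is examined, because stdout and stderr can point at a different terminal.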
* Re: newrole patch
2007-01-09 15:10 newrole patch Daniel J Walsh
@ 2007-01-11 17:35 ` Stephen Smalley
0 siblings, 0 replies; 2+ messages in thread
From: Stephen Smalley @ 2007-01-11 17:35 UTC
To: Daniel J Walsh; +Cc: SE Linux
On Tue, 2007-01-09 at 10:10 -0500, Daniel J Walsh wrote:
> Only uses file descriptor = 0
>
> Reads securetty_context file for matches
Corrected version (to match the return value convention) merged in
policycoreutils 1.33.12.
--
Stephen Smalley
National Security Agency
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.