
added selinux support

Open · ensc opened this issue 6 years ago · 1 comment

Commit adds SELinux support to dropbear by:

  • adding a new '--enable-selinux' option to configure; by default, it is disabled. This option defines an ENABLE_SELINUX preprocessor macro.

  • mapping the unix username to the SELinux user which is stored in a new 'user_sid' attribute in the AuthState object

  • relabeling the controlling pty

  • setting the context for the next execve() call to the user_sid

Operations above will not be done when SELinux is disabled. Failures will generate LOG_ERR messages and in enforcing SELinux mode, dropbear_exit() will be called.

Signed-off-by: Enrico Scholz [email protected]

ensc, Nov 11 '18 12:11
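The username-to-context mapping the commit describes (the second and fourth steps above), as an added illustration that is not dropbear's or the PR's code: it re-implements in Python, over constructed seusers and default_contexts samples, the lookup libselinux performs in getseuserbyname() and get_default_context(). The ROLES_FOR_SEUSER table is an assumption standing in for the kernel's security_compute_user() role check.

```python
# Added illustration (not dropbear's or libselinux's code) of the lookup the PR
# describes: Unix login -> SELinux user (seusers) -> execve context (default_contexts),
# over constructed sample files; ROLES_FOR_SEUSER stands in for security_compute_user().
SEUSERS = """\
# constructed seusers: login:seuser:mls_range
root:root:s0-s0:c0.c1023
alice:staff_u:s0-s0:c0.c1023
__default__:user_u:s0
"""
DEFAULT_CONTEXTS = """\
# constructed default_contexts: source role:type:level, then targets by preference
system_r:sshd_t:s0\tsysadm_r:sysadm_t:s0 staff_r:staff_t:s0 user_r:user_t:s0
"""
ROLES_FOR_SEUSER = {  # constructed stand-in for the policy's user/role table
    "root": {"sysadm_r", "staff_r", "user_r"},
    "staff_u": {"staff_r", "user_r"},
    "user_u": {"user_r"},
}

def _entries(text):
    lines = (l.strip() for l in text.splitlines())
    return [l for l in lines if l and not l.startswith("#")]

def seuser_for(login, seusers=SEUSERS):
    """Map a Unix login to (seuser, mls_range); unknown logins get __default__."""
    table = {}
    for line in _entries(seusers):
        name, seuser, mls = line.split(":", 2)
        table[name] = (seuser, mls)
    return table.get(login) or table.get("__default__")

def default_context(source_ctx, seuser, mls, defaults=DEFAULT_CONTEXTS):
    """Like get_default_context(): match the daemon's role:type:level and return
    the first listed target the SELinux user may reach.  None means no valid
    context; the PR then logs LOG_ERR and, when enforcing, calls dropbear_exit()."""
    source_key = source_ctx.split(":", 1)[1]  # drop the user field
    for line in _entries(defaults):
        src, targets = line.split(None, 1)
        if src != source_key:
            continue
        for target in targets.split():
            role, type_ = target.split(":")[:2]
            if role in ROLES_FOR_SEUSER.get(seuser, ()):
                return f"{seuser}:{role}:{type_}:{mls}"
    return None

def user_sid(login, source_ctx="system_u:system_r:sshd_t:s0"):
    """Context the PR keeps in AuthState.user_sid and hands to setexeccon()."""
    seuser, mls = seuser_for(login)
    return default_context(source_ctx, seuser, mls)
```

A None result is the failure path the commit message describes: the session is logged at LOG_ERR and, under enforcing mode, refused rather than started in the daemon's own context.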

I think I addressed all the issues.

I am using it in an OpenEmbedded based project:

  • see https://gitlab.com/ensc-groups/bpi-router for the top-level project
  • the SELinux related changes are in https://gitlab.com/ensc-groups/bpi-router/de.ensc.bpi-router/tree/master/meta-core/recipes-selinux/dropbear
  • the dropbear SELinux policy (based upon recent 'minimum' policy) is in https://gitlab.com/ensc-groups/bpi-router/tools/selinux-policy/tree/master/policy; perhaps labeling dropbear files as sshd_exec_t will work too but I never tried it
  • you will need something like https://gitlab.com/ensc-groups/bpi-router/tools/selinux-policy/blob/master/contexts/default_contexts

ensc, Nov 23 '18 15:11