--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.range 2007-01-04 23:29:04.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-05 13:30:31.000000000 +0100
@@ -435,6 +435,7 @@
int i, debug = 0, ttys=1, has_tty=isatty(0);
int verbose=0, close_session=0;
int select_context = 0;
+ int use_current_range = 0;
int ret = 0;
security_context_t* contextlist = NULL;
int num_contexts = 0;
@@ -461,11 +462,19 @@
if (strcmp(argv[i], "select_context") == 0) {
select_context = 1;
}
+ if (strcmp(argv[i], "use_current_range") == 0) {
+ use_current_range = 1;
+ }
}
-
+
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Open Session");
|
+ if (select_context && use_current_range) {
+ pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range");
+ select_context = 0;
+ }
+
/* this module is only supposed to execute close_session */
if (close_session)
return PAM_SUCCESS;
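Review bot: When both options are configured, the check placed after the "Open Session" debug log keeps use_current_range and drops select_context, but neither the LOG_ERR message nor the man-page text added in the same patch (which only says the two are mutually exclusive) tells the administrator which option wins. Stating the outcome in the message, `pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range; ignoring select_context");`, makes the effective configuration visible in the log, and the same sentence belongs in the use_current_range entry of pam_selinux.8.xml. The enclosing function starts and ends outside this hunk.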
@@ -532,6 +541,51 @@
return PAM_SUCCESS;
}
}
+
+ if (use_current_range && is_selinux_mls_enabled()) {
+ security_context_t process_context=NULL;
+ if (getcon(&process_context) == 0) {
+ context_t pcon, ucon;
+ char *process_level=NULL;
+ security_context_t orig_context;
+
+ if (user_context)
+ orig_context = user_context;
+ else
+ orig_context = default_user_context;
+
+ pcon = context_new(process_context);
+ freecon(process_context);
+ process_level = strdup(context_range_get(pcon));
+ context_free(pcon);
+
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG, "process level=%s", process_level);
+
+ ucon = context_new(orig_context);
+
+ context_range_set(ucon, process_level);
+ free(process_level);
+
+ if (!mls_range_allowed(pamh, orig_context, context_str(ucon), debug)) {
+ send_text(pamh, _("Requested MLS level not in permitted range"), debug);
+ /* even if default_user_context is NULL audit that anyway */
+ send_audit_message(pamh, 0, default_user_context, context_str(ucon));
+ context_free(ucon);
+ return PAM_AUTH_ERR;
+ }
+
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG, "adjusted context=%s", context_str(ucon));
+
+ /* replace the user context with the level adjusted one */
+ freecon(user_context);
+ user_context = strdup(context_str(ucon));
+
+ context_free(ucon);
+ }
+ }
+
if (getexeccon(&prev_user_context)<0) {
prev_user_context=NULL;
}
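Review bot: The new use_current_range block dereferences several libselinux results without checking them: `context_range_get(pcon)` returns NULL when the process context carries no range, so `strdup(NULL)`, the `"process level=%s"` log and `context_range_set(ucon, NULL)` are all reachable before `mls_range_allowed` ever runs, and `context_new()` for both pcon and ucon, the `strdup()` results and the `context_range_set()` return value are likewise unchecked (orig_context itself is NULL when both user_context and default_user_context are NULL, which the comment at the audit call suggests is possible). In particular the final `user_context = strdup(context_str(ucon));` can leave user_context NULL on allocation failure, after which whatever the rest of the function (outside this hunk) does with a NULL user_context would proceed without the range adjustment. The rewrite below checks each step and returns an error instead of continuing with a half-built context; PAM_SESSION_ERR is used for the new failure returns and should be aligned with whatever error code the surrounding function already uses for internal failures. Because the whole block is gated on is_selinux_mls_enabled(), the option is silently a no-op on non-MLS policies; a debug log in that case, or a sentence in the man page, would make that visible. The enclosing function starts and ends outside the hunk.
```c
    if (use_current_range && is_selinux_mls_enabled()) {
        security_context_t process_context = NULL;
        if (getcon(&process_context) == 0) {
            context_t pcon, ucon;
            char *process_level = NULL;
            const char *range;
            security_context_t orig_context = user_context ? user_context : default_user_context;

            pcon = context_new(process_context);
            freecon(process_context);
            if (pcon == NULL)
                return PAM_SESSION_ERR;
            range = context_range_get(pcon);
            if (range != NULL)
                process_level = strdup(range);
            context_free(pcon);
            if (process_level == NULL)
                return PAM_SESSION_ERR; /* no range on the process, or allocation failed */

            /* … unchanged: "process level=%s" debug log … */

            ucon = orig_context ? context_new(orig_context) : NULL;
            if (ucon == NULL || context_range_set(ucon, process_level) != 0) {
                free(process_level);
                if (ucon)
                    context_free(ucon);
                return PAM_SESSION_ERR;
            }
            free(process_level);

            /* … unchanged: mls_range_allowed check, audit message, "adjusted context" debug log … */

            /* replace the user context with the level adjusted one */
            freecon(user_context);
            user_context = strdup(context_str(ucon));
            context_free(ucon);
            if (user_context == NULL)
                return PAM_SESSION_ERR;
        }
    }
```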
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.range 2007-01-04 23:29:04.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-01-04 23:35:03.000000000 +0100
@@ -36,6 +36,9 @@
<arg choice="opt">
select_context
</arg>
+ <arg choice="opt">
+ use_current_range
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
|
@@ -132,6 +135,17 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>use_current_range</option>
+ </term>
+ <listitem>
+ <para>
+ Use the sensitivity range of the process for the user context.
+ This option and the select_context option are mutually exclusive.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
|