diff --git a/pam-1.3.1-pam_selinux-check-unknown-objects.patch b/pam-1.3.1-pam_selinux-check-unknown-objects.patch
new file mode 100644
index 0000000..4c55c97
--- /dev/null
+++ b/pam-1.3.1-pam_selinux-check-unknown-objects.patch
@@ -0,0 +1,96 @@
+From c6c51832af8e7724cfbd454daa65a6644f5b45c2 Mon Sep 17 00:00:00 2001
+From: ikerexxe
+Date: Fri, 6 Mar 2020 15:04:09 +0100
+Subject: [PATCH] pam_selinux: check unknown object classes or permissions in
+ current policy
+
+Explanation: check whether unknown object classes or permissions are allowed or denied in the current policy
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1680961
+---
+ modules/pam_selinux/pam_selinux.c | 50 +++++--------------------
+ 1 file changed, 8 insertions(+), 42 deletions(-)
+
+diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
+index 96f9c831..827f5942 100644
+--- a/modules/pam_selinux/pam_selinux.c
++++ b/modules/pam_selinux/pam_selinux.c
+@@ -157,42 +157,6 @@ query_response (pam_handle_t *pamh, const char *text, const char *def,
+ return rc;
+ }
+
+-static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug)
+-{
+- struct av_decision avd;
+- int retval;
+- security_class_t class;
+- access_vector_t bit;
+- context_t src_context;
+- context_t dst_context;
+-
+- class = string_to_security_class("context");
+- if (!class) {
+- pam_syslog(pamh, LOG_ERR, "Failed to translate security class context. %m");
+- return 0;
+- }
+-
+- bit = string_to_av_perm(class, "contains");
+- if (!bit) {
+- pam_syslog(pamh, LOG_ERR, "Failed to translate av perm contains. %m");
+- return 0;
+- }
+-
+- src_context = context_new (src);
+- dst_context = context_new (dst);
+- context_range_set(dst_context, context_range_get(src_context));
+- if (debug)
+- pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context));
+-
+- retval = security_compute_av(context_str(dst_context), dst, class, bit, &avd);
+- context_free(src_context);
+- context_free(dst_context);
+- if (retval || ((bit & avd.allowed) != bit))
+- return 0;
+-
+- return 1;
+-}
+-
+ static security_context_t
+ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_current_range, int debug)
+ {
+@@ -274,16 +238,17 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre
+ goto fail_set;
+ context_free(new_context);
+
+- /* we have to check that this user is allowed to go into the
+- range they have specified ... role is tied to an seuser, so that'll
+- be checked at setexeccon time */
+- if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
++ /* we have to check that this user is allowed to go into the
++ range they have specified ... role is tied to an seuser, so that'll
++ be checked at setexeccon time */
++ if (mls_enabled &&
++ selinux_check_access(defaultcon, newcon, "context", "contains", NULL) != 0) {
+ pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon);
+
+ send_audit_message(pamh, 0, defaultcon, newcon);
+
+ free(newcon);
+- goto fail_range;
++ goto fail_range;
+ }
+ return newcon;
+ }
+@@ -385,7 +350,8 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
+ /* we have to check that this user is allowed to go into the
+ range they have specified ... role is tied to an seuser, so that'll
+ be checked at setexeccon time */
+- if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
++ if (mls_enabled &&
++ selinux_check_access(defaultcon, newcon, "context", "contains", NULL) != 0) {
+ pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon);
+
+ goto fail_set;
+--
+2.24.1
+
diff --git a/pam.spec b/pam.spec
index a05c50d..a5381b8 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@ Summary: An extensible library which provides authentication for applications Name: pam Version: 1.3.1
-Release: 23%{?dist}
+Release: 24%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -62,6 +62,7 @@ Patch50: pam-1.3.1-fds-closing.patch
 Patch51: pam-1.3.1-authtok-verify-fix.patch
 Patch52: pam-1.3.1-add-pam_usertype.patch
 Patch53: pam-1.3.1-add-pam_usertype-fix-backport.patch
+Patch54: pam-1.3.1-pam_selinux-check-unknown-objects.patch
 
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -154,6 +155,7 @@ cp %{SOURCE18} .
 %patch51 -p1 -b .authtok-verify-fix
 %patch52 -p1 -b .add-pam_usertype
 %patch53 -p1 -b .add-pam_usertype-backport
+%patch54 -p1 -b .pam_selinux-check-unknown-objects
 
 autoreconf -i
 
@@ -404,6 +406,9 @@ done
 %doc doc/specs/rfc86.0.txt
 
 %changelog
+* Mon Mar 9 2020 Iker Pedrosa - 1.3.1-24
+- pam_selinux: check unknown object classes or permissions in current policy
+
 * Tue Feb 4 2020 Pavel Březina - 1.3.1-23
 - Add pam_usertype.so
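Review bot: The new `selinux_check_access(defaultcon, newcon, "context", "contains", NULL)` calls in config_context and context_from_env do not ask the same question the removed mls_range_allowed did: the old code substituted defaultcon's range into newcon and asked whether that context contains newcon, whereas the new call asks whether defaultcon as a whole contains newcon, so defaultcon's user, role and type are now part of the source context the policy evaluates. If I remember libselinux's AVC behaviour correctly, selinux_check_access() also reports success when the system is permissive and applies the policy's handle-unknown setting when the class or permission is not defined, which would mean the `Security context %s is not allowed for %s` syslog and the send_audit_message() branch no longer run in permissive mode; nothing in the inner hunks records that, so a comment such as `/* selinux_check_access() applies the policy's handle_unknown setting and reports allowed in permissive mode, so reaching the denial path means enforcing */` above each call would help the next backporter. The `goto fail_range;` pair in the config_context hunk differs only in whitespace and could be dropped from the backport to keep it minimal. Both inner hunks cut into config_context and context_from_env, whose bodies continue outside them.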