From 055b81078c63f8f75d5adedb0734b5a4b66d260e Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Wed, 11 Mar 2020 16:42:15 +0100
Subject: [PATCH] pam_selinux: check unknown object classes or permissions in
 current policy

---
 ....1-pam_selinux-check-unknown-objects.patch | 96 +++++++++++++++++++
 pam.spec                                      |  7 +-
 2 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 pam-1.3.1-pam_selinux-check-unknown-objects.patch

diff --git a/pam-1.3.1-pam_selinux-check-unknown-objects.patch b/pam-1.3.1-pam_selinux-check-unknown-objects.patch
new file mode 100644
index 0000000..4c55c97
--- /dev/null
+++ b/pam-1.3.1-pam_selinux-check-unknown-objects.patch
@@ -0,0 +1,96 @@
+From c6c51832af8e7724cfbd454daa65a6644f5b45c2 Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Fri, 6 Mar 2020 15:04:09 +0100
+Subject: [PATCH] pam_selinux: check unknown object classes or permissions in
+ current policy
+
+Explanation: check whether unknown object classes or permissions are allowed or denied in the current policy
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1680961
+---
+ modules/pam_selinux/pam_selinux.c | 50 +++++--------------------------
+ 1 file changed, 8 insertions(+), 42 deletions(-)
+
+diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
+index 96f9c831..827f5942 100644
+--- a/modules/pam_selinux/pam_selinux.c
++++ b/modules/pam_selinux/pam_selinux.c
+@@ -157,42 +157,6 @@ query_response (pam_handle_t *pamh, const char *text, const char *def,
+   return rc;
+ }
+ 
+-static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug)
+-{
+-  struct av_decision avd;
+-  int retval;
+-  security_class_t class;
+-  access_vector_t bit;
+-  context_t src_context;
+-  context_t dst_context;
+-
+-  class = string_to_security_class("context");
+-  if (!class) {
+-    pam_syslog(pamh, LOG_ERR, "Failed to translate security class context. %m");
+-    return 0;
+-  }
+-
+-  bit = string_to_av_perm(class, "contains");
+-  if (!bit) {
+-    pam_syslog(pamh, LOG_ERR, "Failed to translate av perm contains. %m");
+-    return 0;
+-  }
+-
+-  src_context = context_new (src);
+-  dst_context = context_new (dst);
+-  context_range_set(dst_context, context_range_get(src_context));
+-  if (debug)
+-    pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for  %s", dst, context_str(dst_context));
+-
+-  retval = security_compute_av(context_str(dst_context), dst, class, bit, &avd);
+-  context_free(src_context);
+-  context_free(dst_context);
+-  if (retval || ((bit & avd.allowed) != bit))
+-    return 0;
+-
+-  return 1;
+-}
+-
+ static security_context_t
+ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_current_range, int debug)
+ {
+@@ -274,16 +238,17 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre
+ 	    goto fail_set;
+ 	  context_free(new_context);
+ 
+-          /* we have to check that this user is allowed to go into the
+-             range they have specified ... role is tied to an seuser, so that'll
+-             be checked at setexeccon time */
+-          if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
++    /* we have to check that this user is allowed to go into the
++        range they have specified ... role is tied to an seuser, so that'll
++        be checked at setexeccon time */
++    if (mls_enabled &&
++        selinux_check_access(defaultcon, newcon, "context", "contains", NULL) != 0) {
+ 	    pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon);
+ 
+ 	    send_audit_message(pamh, 0, defaultcon, newcon);
+ 
+ 	    free(newcon);
+-            goto fail_range;
++	    goto fail_range;
+ 	  }
+ 	  return newcon;
+ 	}
+@@ -385,7 +350,8 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
+   /* we have to check that this user is allowed to go into the
+      range they have specified ... role is tied to an seuser, so that'll
+      be checked at setexeccon time */
+-  if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
++  if (mls_enabled &&
++      selinux_check_access(defaultcon, newcon, "context", "contains", NULL) != 0) {
+     pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon);
+ 
+     goto fail_set;
+-- 
+2.24.1
+
diff --git a/pam.spec b/pam.spec
index a05c50d..a5381b8 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 23%{?dist}
+Release: 24%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -62,6 +62,7 @@ Patch50: pam-1.3.1-fds-closing.patch
 Patch51: pam-1.3.1-authtok-verify-fix.patch
 Patch52: pam-1.3.1-add-pam_usertype.patch
 Patch53: pam-1.3.1-add-pam_usertype-fix-backport.patch
+Patch54: pam-1.3.1-pam_selinux-check-unknown-objects.patch
 
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -154,6 +155,7 @@ cp %{SOURCE18} .
 %patch51 -p1 -b .authtok-verify-fix
 %patch52 -p1 -b .add-pam_usertype
 %patch53 -p1 -b .add-pam_usertype-backport
+%patch54 -p1 -b .pam_selinux-check-unknown-objects
 
 autoreconf -i
 
@@ -404,6 +406,9 @@ done
 %doc doc/specs/rfc86.0.txt
 
 %changelog
+* Mon Mar 9 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-24
+- pam_selinux: check unknown object classes or permissions in current policy
+
 * Tue Feb 4 2020 Pavel Březina <pbrezina@redhat.com> - 1.3.1-23
 - Add pam_usertype.so