diff --git a/pam-0.99.6.2-selinux-audit-context.patch b/pam-0.99.6.2-selinux-audit-context.patch
new file mode 100644
index 0000000..08908f2
--- /dev/null
+++ b/pam-0.99.6.2-selinux-audit-context.patch
@@ -0,0 +1,85 @@
+--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.audit-context 2007-04-03 17:51:29.000000000 +0200
++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-04-03 18:15:06.000000000 +0200
+@@ -88,33 +88,36 @@
+ security_context_t selected_raw=NULL;
+ rc = -1;
+ if (audit_fd < 0) {
+- pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.\n"));
++ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++ errno == EAFNOSUPPORT)
++ return 0; /* No audit support in kernel */
++ pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system."));
+ return rc;
+ }
+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+- pam_syslog(pamh, LOG_ERR, _("Error translating default context.\n"));
+- goto out;
++ pam_syslog(pamh, LOG_ERR, _("Error translating default context."));
++ default_raw = NULL;
+ }
+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
+- pam_syslog(pamh, LOG_ERR, _("Error translating selected context.\n"));
+- goto out;
++ pam_syslog(pamh, LOG_ERR, _("Error translating selected context."));
++ selected_raw = NULL;
+ }
+ if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
+- default_context ? default_raw : "?",
+- selected_context ? selected_raw : "?") < 0) {
+- pam_syslog(pamh, LOG_ERR, ("Error allocating memory.\n"));
++ default_raw ? default_raw : (default_context ? default_context : "?"),
++ selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) {
++ pam_syslog(pamh, LOG_ERR, ("Error allocating memory."));
+ goto out;
+ }
+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+ msg, NULL, NULL, NULL, success) <= 0) {
+- pam_syslog(pamh, LOG_ERR, _("Error sending audit message.\n"));
++ pam_syslog(pamh, LOG_ERR, _("Error sending audit message."));
+ goto out;
+ }
+ rc = 0;
+ out:
+ free(msg);
+ freecon(default_raw);
+- free(selected_raw);
++ freecon(selected_raw);
+ close(audit_fd);
+ #else
+ pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success);
+@@ -298,14 +301,17 @@
+ if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) {
+ pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon);
+ 
++ send_audit_message(pamh, 0, puser_context, newcon);
+ 
++ free(newcon);
+ goto fail_range;
+ }
+ return newcon;
+ }
+- else
++ else {
++ send_audit_message(pamh, 0, puser_context, context_str(new_context));
+ send_text(pamh,_("Not a valid security context"),debug);
+-
++ }
+ context_free(new_context); /* next time around allocates another */
+ }
+ else
+@@ -318,6 +324,7 @@
+ free(type);
+ _pam_drop(responses);
+ context_free (new_context);
++ send_audit_message(pamh, 0, puser_context, NULL);
+ fail_range:
+ return NULL;
+ }
+@@ -509,7 +516,6 @@
+ if (select_context && has_tty) {
+ user_context = config_context(pamh, default_user_context, debug);
+ if (user_context == NULL) {
+- send_audit_message(pamh, 0, default_user_context, default_user_context);
+ freecon(default_user_context);
+ pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"),
+ username);
diff --git a/pam-0.99.7.1-namespace-unknown-user.patch b/pam-0.99.7.1-namespace-unknown-user.patch
new file mode 100644
index 0000000..e659435
--- /dev/null
+++ b/pam-0.99.7.1-namespace-unknown-user.patch
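Review bot: The allocation-failure message on the new line `++ pam_syslog(pamh, LOG_ERR, ("Error allocating memory."));` is the only message in the hunk not wrapped in `_()`, so it stays untranslated while the sibling messages edited alongside it are; `pam_syslog(pamh, LOG_ERR, _("Error allocating memory."));` would make it consistent. The new `errno` test under `if (audit_fd < 0)` only holds if nothing between the call that produced `audit_fd` (presumably audit_open(), above the hunk and not visible) and this check can overwrite errno; the two context lines in between are plain assignments, so that is fine as long as the open call directly precedes them. Returning 0 when the kernel has no audit support means the role-change event is silently dropped, and the callers added in the later hunks do not check the return value anyway, so a one-time debug-level syslog at that `return 0;` would let an operator notice that context changes are not being audited on that host. The enclosing send_audit_message() starts before the hunk, and `free(msg)` at `out:` presumes `msg` was initialised to NULL above it, since asprintf() leaves its output argument unspecified on failure — worth confirming.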
@@ -0,0 +1,20 @@
+--- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c.unknown-user 2007-04-13 17:12:40.000000000 +0200
++++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c 2007-04-13 18:11:57.000000000 +0200
+@@ -302,11 +302,14 @@
+ *tptr = '\0';
+ 
+ pwd = pam_modutil_getpwnam(idata->pamh, ustr);
+- *uidptr = pwd->pw_uid;
+- if (i < count - 1) {
+- ustr = tptr + 1;
++ if (pwd == NULL) {
++ pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr);
++ poly.num_uids--;
++ } else {
++ *uidptr = pwd->pw_uid;
+ uidptr++;
+ }
++ ustr = tptr + 1;
+ }
+ }
+ 
diff --git a/pam.spec b/pam.spec
index 4e50980..aa3c21d 100644
--- a/pam.spec
+++ b/pam.spec
@@ -11,7 +11,7 @@ Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.7.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPL or BSD
 Group: System Environment/Base
 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -43,6 +43,8 @@ Patch93: pam-0.99.7.0-namespace-level.patch
 Patch94: pam-0.99.7.0-namespace-unmnt-override.patch
 Patch95: pam-0.99.6.2-selinux-use-current-range.patch
 Patch96: pam-0.99.6.2-namespace-dirnames.patch
+Patch97: pam-0.99.7.1-namespace-unknown-user.patch
+Patch98: pam-0.99.6.2-selinux-audit-context.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: cracklib, cracklib-dicts >= 2.8
@@ -114,6 +116,8 @@ cp %{SOURCE7} .
 %patch94 -p1 -b .unmnt-override
 %patch95 -p1 -b .range
 %patch96 -p1 -b .dirnames
+%patch97 -p1 -b .unknown-user
+%patch98 -p1 -b .audit-context
 autoreconf
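Review bot: `poly.num_uids--` on an unknown user can drive the count to zero when every user listed on a line is misspelled, and what a zero-length uid list means downstream (entry applies to nobody, or falls back to applying to everybody) is decided outside this hunk; since that decides whether a typo in a user list silently widens a polyinstantiation policy, the decrement deserves a comment such as `/* all listed users unknown -> num_uids == 0; confirm the entry is then skipped, not applied to everyone */` once the downstream check has been verified. The new unconditional `ustr = tptr + 1;` also runs on the last iteration, where it used to be guarded by `i < count - 1`; that is harmless if the loop ends there and `ustr` is not read again, but keeping the guard — `if (i < count - 1) ustr = tptr + 1;` — costs nothing and avoids leaving a past-the-end pointer in a live variable. The enclosing loop starts and ends outside the hunk, so how `tptr` and `count` are derived could not be checked here.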
@@ -402,6 +406,10 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 %changelog
+* Fri Apr 13 2007 Tomas Mraz 0.99.7.1-5
+- pam_selinux: improve context change auditing (#234781)
+- pam_namespace: fix parsing config file with unknown users (#234513)
+
 * Fri Mar 23 2007 Tomas Mraz 0.99.7.1-4
 - pam_console: always decrement use count (#230823)
 - pam_namespace: use raw context for poly dir name (#227345)