- pam_selinux: improve context change auditing (#234781)

- pam_namespace: fix parsing config file with unknown users (#234513)

pam-0.99.6.2-selinux-audit-context.patch

@@ -0,0 +1,85 @@
+--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.audit-context	2007-04-03 17:51:29.000000000 +0200
++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c	2007-04-03 18:15:06.000000000 +0200
+@@ -88,33 +88,36 @@
+ 	security_context_t selected_raw=NULL;
+ 	rc = -1;
+ 	if (audit_fd < 0) {
+-		pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.\n"));
++		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++                                        errno == EAFNOSUPPORT)
++                        return 0; /* No audit support in kernel */
++		pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system."));
+ 		return rc;
+ 	}
+ 	if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+-		pam_syslog(pamh, LOG_ERR, _("Error translating default context.\n"));
+-		goto out;
++		pam_syslog(pamh, LOG_ERR, _("Error translating default context."));
++		default_raw = NULL;
+ 	}
+ 	if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
+-		pam_syslog(pamh, LOG_ERR, _("Error translating selected context.\n"));
+-		goto out;
++		pam_syslog(pamh, LOG_ERR, _("Error translating selected context."));
++		selected_raw = NULL;
+ 	}
+ 	if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
+-		     default_context ? default_raw : "?",
+-		     selected_context ? selected_raw : "?") < 0) {
+-		pam_syslog(pamh, LOG_ERR, ("Error allocating memory.\n"));
++		     default_raw ? default_raw : (default_context ? default_context : "?"),
++		     selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) {
++		pam_syslog(pamh, LOG_ERR, ("Error allocating memory."));
+ 		goto out;
+ 	}
+ 	if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+ 				   msg, NULL, NULL, NULL, success) <= 0) {
+-		pam_syslog(pamh, LOG_ERR, _("Error sending audit message.\n"));
++		pam_syslog(pamh, LOG_ERR, _("Error sending audit message."));
+ 		goto out;
+ 	}
+ 	rc = 0;
+       out:
+ 	free(msg);
+ 	freecon(default_raw);
+-	free(selected_raw);
++	freecon(selected_raw);
+ 	close(audit_fd);
+ #else
+ 	pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success);
+@@ -298,14 +301,17 @@
+           if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) {
+ 	    pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon);
+ 
++    	    send_audit_message(pamh, 0, puser_context, newcon);
+ 
++	    free(newcon);
+             goto fail_range;
+ 	  }
+ 	  return newcon;
+ 	}
+-	else
++	else {
++	  send_audit_message(pamh, 0, puser_context, context_str(new_context));
+ 	  send_text(pamh,_("Not a valid security context"),debug);
+-
++	}
+         context_free(new_context); /* next time around allocates another */
+       }
+     else
+@@ -318,6 +324,7 @@
+   free(type);
+   _pam_drop(responses);
+   context_free (new_context);
++  send_audit_message(pamh, 0, puser_context, NULL);
+  fail_range:
+   return NULL;  
+ }
+@@ -509,7 +516,6 @@
+     if (select_context && has_tty) {
+       user_context = config_context(pamh, default_user_context, debug);
+       if (user_context == NULL) {
+-        send_audit_message(pamh, 0, default_user_context, default_user_context);
+ 	freecon(default_user_context);
+ 	pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"),
+ 		    username);

pam-0.99.7.1-namespace-unknown-user.patch

@@ -0,0 +1,20 @@
+--- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c.unknown-user	2007-04-13 17:12:40.000000000 +0200
++++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c	2007-04-13 18:11:57.000000000 +0200
+@@ -302,11 +302,14 @@
+                 *tptr = '\0';
+ 
+             pwd = pam_modutil_getpwnam(idata->pamh, ustr);
+-            *uidptr = pwd->pw_uid;
+-            if (i < count - 1) {
+-                ustr = tptr + 1;
++            if (pwd == NULL) {
++        	pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr);
++        	poly.num_uids--;	
++            } else {
++                *uidptr = pwd->pw_uid;
+                 uidptr++;
+             }
++            ustr = tptr + 1;
+         }
+     }
+ 

pam.spec

@@ -11,7 +11,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.7.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPL or BSD
 Group: System Environment/Base
 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -43,6 +43,8 @@ Patch93: pam-0.99.7.0-namespace-level.patch
 Patch94: pam-0.99.7.0-namespace-unmnt-override.patch
 Patch95: pam-0.99.6.2-selinux-use-current-range.patch
 Patch96: pam-0.99.6.2-namespace-dirnames.patch
+Patch97: pam-0.99.7.1-namespace-unknown-user.patch
+Patch98: pam-0.99.6.2-selinux-audit-context.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: cracklib, cracklib-dicts >= 2.8
@@ -114,6 +116,8 @@ cp %{SOURCE7} .
 %patch94 -p1 -b .unmnt-override
 %patch95 -p1 -b .range
 %patch96 -p1 -b .dirnames
+%patch97 -p1 -b .unknown-user
+%patch98 -p1 -b .audit-context
 
 autoreconf
 
@@ -402,6 +406,10 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Fri Apr 13 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-5
+- pam_selinux: improve context change auditing (#234781)
+- pam_namespace: fix parsing config file with unknown users (#234513)
+
 * Fri Mar 23 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-4
 - pam_console: always decrement use count (#230823)
 - pam_namespace: use raw context for poly dir name (#227345)