- pam_selinux: improve context change auditing (#234781)
- pam_namespace: fix parsing config file with unknown users (#234513)
This commit is contained in:
parent
a28e30cbc4
commit
33d3c087e3
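--- /dev/null
+++ b/pam-0.99.6.2-selinux-audit-context.patch
@@ -0,0 +1,85 @@
+--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.audit-context 2007-04-03 17:51:29.000000000 +0200
++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-04-03 18:15:06.000000000 +0200
+@@ -88,33 +88,36 @@
+security_context_t selected_raw=NULL;
+rc = -1;
+if (audit_fd < 0) {
+- pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.\n"));
++ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++ errno == EAFNOSUPPORT)
++ return 0; /* No audit support in kernel */
++ pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system."));
+return rc;
+}
+if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+- pam_syslog(pamh, LOG_ERR, _("Error translating default context.\n"));
+- goto out;
++ pam_syslog(pamh, LOG_ERR, _("Error translating default context."));
++ default_raw = NULL;
+}
+if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
+- pam_syslog(pamh, LOG_ERR, _("Error translating selected context.\n"));
+- goto out;
++ pam_syslog(pamh, LOG_ERR, _("Error translating selected context."));
++ selected_raw = NULL;
+}
+if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
+- default_context ? default_raw : "?",
+- selected_context ? selected_raw : "?") < 0) {
+- pam_syslog(pamh, LOG_ERR, ("Error allocating memory.\n"));
++ default_raw ? default_raw : (default_context ? default_context : "?"),
++ selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) {
++ pam_syslog(pamh, LOG_ERR, ("Error allocating memory."));
+goto out;
+}
+if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+msg, NULL, NULL, NULL, success) <= 0) {
+- pam_syslog(pamh, LOG_ERR, _("Error sending audit message.\n"));
++ pam_syslog(pamh, LOG_ERR, _("Error sending audit message."));
+goto out;
+}
+rc = 0;
+out:
+free(msg);
+freecon(default_raw);
+- free(selected_raw);
++ freecon(selected_raw);
+close(audit_fd);
+#else
+pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success);
+@@ -298,14 +301,17 @@
+if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) {
+pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon);
+
++ send_audit_message(pamh, 0, puser_context, newcon);
+
++ free(newcon);
+goto fail_range;
+}
+return newcon;
+}
+- else
++ else {
++ send_audit_message(pamh, 0, puser_context, context_str(new_context));
+send_text(pamh,_("Not a valid security context"),debug);
+-
++ }
+context_free(new_context); /* next time around allocates another */
+}
+else
+@@ -318,6 +324,7 @@
+free(type);
+_pam_drop(responses);
+context_free (new_context);
++ send_audit_message(pamh, 0, puser_context, NULL);
+fail_range:
+return NULL;
+}
+@@ -509,7 +516,6 @@
+if (select_context && has_tty) {
+user_context = config_context(pamh, default_user_context, debug);
+if (user_context == NULL) {
+- send_audit_message(pamh, 0, default_user_context, default_user_context);
+freecon(default_user_context);
+pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"),
+username);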
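Review bot: The `errno` classification added under `if (audit_fd < 0)` is only sound if nothing between the call that produced `audit_fd` (presumably `audit_open()`, outside this hunk) and this test has overwritten errno; should any library call sit in between, a genuine audit failure would be misread as "no audit support" and the function would `return 0` without logging anything. Saving the value right after the open, e.g. `int open_errno = errno;` beside the `audit_open()` call, and testing `open_errno` here removes that dependency. The silent `return 0` also leaves an administrator no trace that context changes are going unaudited on such a kernel; a `pam_syslog(pamh, LOG_DEBUG, "audit not supported by kernel, not auditing context change");` before the return would make that visible at debug level without adding noise on normal kernels. send_audit_message begins and ends outside this hunk.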
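--- /dev/null
+++ b/pam-0.99.7.1-namespace-unknown-user.patch
@@ -0,0 +1,20 @@
+--- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c.unknown-user 2007-04-13 17:12:40.000000000 +0200
++++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c 2007-04-13 18:11:57.000000000 +0200
+@@ -302,11 +302,14 @@
+*tptr = '\0';
+
+pwd = pam_modutil_getpwnam(idata->pamh, ustr);
+- *uidptr = pwd->pw_uid;
+- if (i < count - 1) {
+- ustr = tptr + 1;
++ if (pwd == NULL) {
++ pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr);
++ poly.num_uids--;
++ } else {
++ *uidptr = pwd->pw_uid;
+uidptr++;
+}
++ ustr = tptr + 1;
+}
+}
+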
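Review bot: `poly.num_uids--` on an unknown user keeps the polydir entry active with a shorter uid list, so a line whose listed users are all unknown ends with `num_uids == 0`; if the rest of the module treats an empty uid list as "applies to every user" (not visible in this hunk), a misspelled user name would silently widen the polydir to everyone rather than narrowing it. Rejecting the entry when the count reaches zero, or at least logging that the polydir no longer matches any user, would keep such a misconfiguration fail-closed. The `ustr = tptr + 1` advance is now unconditional where the old code guarded it with `i < count - 1`; on the last element it presumably points one past the terminating NUL, which is harmless only because the loop ends there and deserves a comment such as `/* one past the end on the last element; loop exits before use */`. The enclosing parsing function starts and ends outside this hunk.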
10
pam.spec
10
pam.spec
@ -11,7 +11,7 @@
|
||||
Summary: A security tool which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 0.99.7.1
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
License: GPL or BSD
|
||||
Group: System Environment/Base
|
||||
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
|
||||
@ -43,6 +43,8 @@ Patch93: pam-0.99.7.0-namespace-level.patch
|
||||
Patch94: pam-0.99.7.0-namespace-unmnt-override.patch
|
||||
Patch95: pam-0.99.6.2-selinux-use-current-range.patch
|
||||
Patch96: pam-0.99.6.2-namespace-dirnames.patch
|
||||
Patch97: pam-0.99.7.1-namespace-unknown-user.patch
|
||||
Patch98: pam-0.99.6.2-selinux-audit-context.patch
|
||||
|
||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||
Requires: cracklib, cracklib-dicts >= 2.8
|
||||
@ -114,6 +116,8 @@ cp %{SOURCE7} .
|
||||
%patch94 -p1 -b .unmnt-override
|
||||
%patch95 -p1 -b .range
|
||||
%patch96 -p1 -b .dirnames
|
||||
%patch97 -p1 -b .unknown-user
|
||||
%patch98 -p1 -b .audit-context
|
||||
|
||||
autoreconf
|
||||
|
||||
@ -402,6 +406,10 @@ fi
|
||||
%doc doc/adg/*.txt doc/adg/html
|
||||
|
||||
%changelog
|
||||
* Fri Apr 13 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-5
|
||||
- pam_selinux: improve context change auditing (#234781)
|
||||
- pam_namespace: fix parsing config file with unknown users (#234513)
|
||||
|
||||
* Fri Mar 23 2007 Tomas Mraz <tmraz@redhat.com> 0.99.7.1-4
|
||||
- pam_console: always decrement use count (#230823)
|
||||
- pam_namespace: use raw context for poly dir name (#227345)
|
||||
|