- pam_namespace: fix problem with level polyinst (#438264)

- pam_namespace: improve override checking for umount - pam_selinux: fix syslogging a context after free() (#438338)
2008-03-20 16:50:13 +00:00 · 2008-03-20 16:50:13 +00:00 · 6aa700f64a
commit 6aa700f64a
parent 1ba40631bf
4 changed files with 88 additions and 1 deletions
--- a/pam-0.99.10.0-namespace-level.patch
+++ b/pam-0.99.10.0-namespace-level.patch
@ -0,0 +1,17 @@
+diff -up Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c.umount Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c
+--- Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c.umount	2008-02-13 14:52:13.000000000 +0100
+++ Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c	2008-03-20 15:29:11.000000000 +0100
+@@ -822,10 +822,11 @@ static int poly_name(const struct polydi
+      */
+ 
+     pm = polyptr->method;
+-    if (pm == LEVEL || pm == USER) {
+    if (pm == LEVEL || pm == CONTEXT)
+ #ifdef WITH_SELINUX
+-        if (!(idata->flags & PAMNS_CTXT_BASED_INST))
+        if (!(idata->flags & PAMNS_CTXT_BASED_INST)) {
+ #else
+    {
+ 	pam_syslog(idata->pamh, LOG_NOTICE,
+ 		"Context and level methods not available, using user method");
+ #endif
--- a/pam-0.99.10.0-namespace-umount.patch
+++ b/pam-0.99.10.0-namespace-umount.patch
@ -0,0 +1,16 @@
+diff -up Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c.umount Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c
+--- Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c.umount	2008-02-13 14:52:13.000000000 +0100
+++ Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c	2008-03-17 11:40:02.000000000 +0100
+@@ -1528,8 +1528,11 @@ static int setup_namespace(struct instan
+      */
+     for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
+ 	enum unmnt_op dir_unmnt = unmnt;
+	if (ns_override(pptr, idata, idata->ruid)) {
+	    dir_unmnt = NO_UNMNT;
+	}
+         if (ns_override(pptr, idata, idata->uid)) {
+-    	    if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) {
+    	    if (dir_unmnt == NO_UNMNT) {
+     		continue;
+ 	    } else {
+ 		dir_unmnt = UNMNT_ONLY;
--- a/pam-0.99.10.0-selinux-prev-context.patch
+++ b/pam-0.99.10.0-selinux-prev-context.patch
@ -0,0 +1,43 @@
+diff -up Linux-PAM-0.99.10.0/modules/pam_selinux/pam_selinux.c.prev-context Linux-PAM-0.99.10.0/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-0.99.10.0/modules/pam_selinux/pam_selinux.c.prev-context	2007-06-18 12:46:48.000000000 +0200
+++ Linux-PAM-0.99.10.0/modules/pam_selinux/pam_selinux.c	2008-03-20 17:38:41.000000000 +0100
+@@ -672,7 +672,7 @@ PAM_EXTERN int
+ pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
+ 		     int argc, const char **argv)
+ {
+-  int i, debug = 0,status=0, open_session=0;
+  int i, debug = 0, status = PAM_SUCCESS, open_session = 0;
+   if (! (selinux_enabled ))
+       return PAM_SUCCESS;
+ 
+@@ -702,19 +702,21 @@ pam_sm_close_session(pam_handle_t *pamh,
+     free(ttyn);
+     ttyn=NULL;
+   }
+-  status=setexeccon(prev_user_context);
+-  freecon(prev_user_context);
+-  if (status) {
+-    pam_syslog(pamh, LOG_ERR, "Error!  Unable to set executable context %s.",
+  if (prev_user_context) {
+    if (setexeccon(prev_user_context)) {
+      pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.",
+ 	       prev_user_context);
+-    if (security_getenforce() == 1)
+-       return PAM_AUTH_ERR;
+-    else
+-       return PAM_SUCCESS;
+      if (security_getenforce() == 1)
+         status = PAM_AUTH_ERR;
+      else
+         status = PAM_SUCCESS;
+    }
+    freecon(prev_user_context);
+    prev_user_context = NULL;
+   }
+ 
+   if (debug)
+     pam_syslog(pamh, LOG_NOTICE, "setcontext back to orginal");
+ 
+-  return PAM_SUCCESS;
+  return status;
+ }
--- a/pam.spec
+++ b/pam.spec
@ -5,7 +5,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.10.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@ -30,6 +30,9 @@ Patch20: pam-0.99.10.0-unix-any-user.patch
 Patch21: pam-0.99.10.0-unix-audit-failed.patch
 Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
 Patch32: pam-0.99.3.0-tally-fail-close.patch
+Patch33: pam-0.99.10.0-namespace-umount.patch
+Patch34: pam-0.99.10.0-namespace-level.patch
+Patch35: pam-0.99.10.0-selinux-prev-context.patch

 %define _sbindir /sbin
 %define _moduledir /%{_lib}/security
@ -107,6 +110,9 @@ popd
 %patch21 -p1 -b .audit-failed
 %patch31 -p1 -b .try-first-pass
 %patch32 -p1 -b .fail-close
+%patch33 -p1 -b .umount
+%patch34 -p1 -b .level
+%patch35 -p1 -b .prev-context

 autoreconf

@ -376,6 +382,11 @@ fi
 %doc doc/adg/*.txt doc/adg/html

 %changelog
+* Thu Mar 20 2008 Tomas Mraz <tmraz@redhat.com> 0.99.10.0-4
+- pam_namespace: fix problem with level polyinst (#438264)
+- pam_namespace: improve override checking for umount
+- pam_selinux: fix syslogging a context after free() (#438338)
+
 * Thu Feb 28 2008 Tomas Mraz <tmraz@redhat.com> 0.99.10.0-3
 - update pam-redhat module tarball
 - update internal db4