diff --git a/.cvsignore b/.cvsignore
index 07b5925..357da6c 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,5 +1,5 @@
db-4.5.20.tar.gz
*.src.rpm
*.tar.bz2
-pam-redhat-0.99.7-1.tar.bz2
-Linux-PAM-0.99.7.1.tar.bz2
+pam-redhat-0.99.8-1.tar.bz2
+Linux-PAM-0.99.8.1.tar.bz2
diff --git a/pam-0.99.2.1-selinux-nofail.patch b/pam-0.99.2.1-selinux-nofail.patch
deleted file mode 100644
index 83dcef7..0000000
--- a/pam-0.99.2.1-selinux-nofail.patch
+++ /dev/null
@@ -1,78 +0,0 @@
---- Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c.nofail 2005-11-29 10:22:05.000000000 +0100
-+++ Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c 2005-12-15 14:12:54.000000000 +0100
-@@ -327,6 +327,8 @@
- int num_contexts = 0;
- const void *username = NULL;
- const void *tty = NULL;
-+ char *seuser=NULL;
-+ char *level=NULL;
-
- /* Parse arguments. */
- for (i = 0; i < argc; i++) {
-@@ -361,7 +363,18 @@
- username == NULL) {
- return PAM_AUTH_ERR;
- }
-- num_contexts = get_ordered_context_list(username, 0, &contextlist);
-+
-+ if (getseuserbyname(username, &seuser, &level)==0) {
-+ num_contexts = get_ordered_context_list_with_level(seuser,
-+ level,
-+ NULL,
-+ &contextlist);
-+ if (debug)
-+ pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
-+ (const char *)username, seuser, level);
-+ free(seuser);
-+ free(level);
-+ }
- if (num_contexts > 0) {
- if (multiple && (num_contexts > 1) && has_tty) {
- user_context = select_context(pamh,contextlist, debug);
-@@ -376,13 +389,19 @@
- if (user_context == NULL) {
- pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s",
- (const char *)username);
-- return PAM_AUTH_ERR;
-+ if (security_getenforce() == 1)
-+ return PAM_AUTH_ERR;
-+ else
-+ return PAM_SUCCESS;
- }
- } else {
- pam_syslog (pamh, LOG_ERR,
- "Unable to get valid context for %s, No valid tty",
- (const char *)username);
-- return PAM_AUTH_ERR;
-+ if (security_getenforce() == 1)
-+ return PAM_AUTH_ERR;
-+ else
-+ return PAM_SUCCESS;
- }
- }
- if (getexeccon(&prev_user_context)<0) {
-@@ -420,8 +439,10 @@
- pam_syslog(pamh, LOG_ERR,
- "Error! Unable to set %s executable context %s.",
- (const char *)username, user_context);
-- freecon(user_context);
-- return PAM_AUTH_ERR;
-+ if (security_getenforce() == 1) {
-+ freecon(user_context);
-+ return PAM_AUTH_ERR;
-+ }
- } else {
- if (debug)
- pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
-@@ -471,7 +492,10 @@
- if (status) {
- pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.",
- prev_user_context);
-- return PAM_AUTH_ERR;
-+ if (security_getenforce() == 1)
-+ return PAM_AUTH_ERR;
-+ else
-+ return PAM_SUCCESS;
- }
-
- if (debug)
diff --git a/pam-0.99.6.2-namespace-dirnames.patch b/pam-0.99.6.2-namespace-dirnames.patch
deleted file mode 100644
index 6e224d0..0000000
--- a/pam-0.99.6.2-namespace-dirnames.patch
+++ /dev/null
@@ -1,206 +0,0 @@
---- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h.dirnames 2007-02-26 23:31:26.000000000 +0100
-+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.h 2007-02-27 00:40:04.000000000 +0100
-@@ -89,6 +89,8 @@
- #define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */
- #define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
-
-+#define NAMESPACE_MAX_DIR_LEN 80
-+
- /*
- * Polyinstantiation method options, based on user, security context
- * or both
---- Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c.dirnames 2007-02-26 23:31:26.000000000 +0100
-+++ Linux-PAM-0.99.6.2/modules/pam_namespace/pam_namespace.c 2007-02-27 00:39:51.000000000 +0100
-@@ -436,6 +436,36 @@
- return 0;
- }
-
-+/*
-+ * md5hash generates a hash of the passed in instance directory name.
-+ */
-+static char *md5hash(const char *instname, struct instance_data *idata)
-+{
-+ int i;
-+ char *md5inst = NULL;
-+ char *to;
-+ unsigned char inst_digest[MD5_DIGEST_LENGTH];
-+
-+ /*
-+ * Create MD5 hashes for instance pathname.
-+ */
-+
-+ MD5((const unsigned char *)instname, strlen(instname), inst_digest);
-+
-+ if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) {
-+ pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer");
-+ return NULL;
-+ }
-+
-+ to = md5inst;
-+ for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
-+ snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]);
-+ to += 2;
-+ }
-+
-+ return md5inst;
-+}
-+
- #ifdef WITH_SELINUX
- static int form_context(const struct polydir_s *polyptr,
- security_context_t *i_context, security_context_t *origcon,
-@@ -547,12 +577,21 @@
- #endif
- {
- int rc;
-+ char *hash = NULL;
-+#ifdef WITH_SELINUX
-+ security_context_t rawcon = NULL;
-+#endif
-
--# ifdef WITH_SELINUX
-- rc = form_context(polyptr, i_context, origcon, idata);
-+ *i_name = NULL;
-+#ifdef WITH_SELINUX
-+ *i_context = NULL;
-+ *origcon = NULL;
-+ if ((rc=form_context(polyptr, i_context, origcon, idata)) != PAM_SUCCESS) {
-+ return rc;
-+ }
- #endif
-- rc = PAM_SUCCESS;
-
-+ rc = PAM_SESSION_ERR;
- /*
- * Set the name of the polyinstantiated instance dir based on the
- * polyinstantiation method.
-@@ -561,16 +600,20 @@
- case USER:
- if (asprintf(i_name, "%s", idata->user) < 0) {
- *i_name = NULL;
-- rc = PAM_SESSION_ERR;
-- }
-+ goto fail;
-+ }
- break;
-
- #ifdef WITH_SELINUX
- case LEVEL:
- case CONTEXT:
-- if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) {
-+ if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) {
-+ pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context");
-+ goto fail;
-+ }
-+ if (asprintf(i_name, "%s_%s", rawcon, idata->user) < 0) {
- *i_name = NULL;
-- rc = PAM_SESSION_ERR;
-+ goto fail;
- }
- break;
-
-@@ -579,12 +622,48 @@
- default:
- if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_ERR, "Unknown method");
-- rc = PAM_SESSION_ERR;
-+ goto fail;
- }
-
-- if ((idata->flags & PAMNS_DEBUG) && rc == PAM_SUCCESS)
-+ if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_DEBUG, "poly_name %s", *i_name);
-
-+ if ((idata->flags & PAMNS_GEN_HASH) || strlen(*i_name) > NAMESPACE_MAX_DIR_LEN) {
-+ hash = md5hash(*i_name, idata);
-+ if (hash == NULL) {
-+ goto fail;
-+ }
-+ if (idata->flags & PAMNS_GEN_HASH) {
-+ free(*i_name);
-+ *i_name = hash;
-+ hash = NULL;
-+ } else {
-+ char *newname;
-+ if (asprintf(&newname, "%.*s_%s", NAMESPACE_MAX_DIR_LEN-1-strlen(hash),
-+ *i_name, hash) < 0) {
-+ goto fail;
-+ }
-+ free(*i_name);
-+ *i_name = newname;
-+ }
-+ }
-+ rc = PAM_SUCCESS;
-+
-+fail:
-+ free(hash);
-+#ifdef WITH_SELINUX
-+ freecon(rawcon);
-+#endif
-+ if (rc != PAM_SUCCESS) {
-+#ifdef WITH_SELINUX
-+ freecon(*i_context);
-+ *i_context = NULL;
-+ freecon(*origcon);
-+ *origcon = NULL;
-+#endif
-+ free(*i_name);
-+ *i_name = NULL;
-+ }
- return rc;
- }
-
-@@ -832,39 +911,6 @@
-
-
- /*
-- * md5hash generates a hash of the passed in instance directory name.
-- */
--static int md5hash(char **instname, struct instance_data *idata)
--{
-- int i;
-- char *md5inst = NULL;
-- char *to;
-- unsigned char inst_digest[MD5_DIGEST_LENGTH];
--
-- /*
-- * Create MD5 hashes for instance pathname.
-- */
--
-- MD5((unsigned char *)*instname, strlen(*instname), inst_digest);
--
-- if ((md5inst = malloc(MD5_DIGEST_LENGTH * 2 + 1)) == NULL) {
-- pam_syslog(idata->pamh, LOG_ERR, "Unable to allocate buffer");
-- return PAM_SESSION_ERR;
-- }
--
-- to = md5inst;
-- for (i = 0; i < MD5_DIGEST_LENGTH; i++) {
-- snprintf(to, 3, "%02x", (unsigned int)inst_digest[i]);
-- to += 3;
-- }
--
-- free(*instname);
-- *instname = md5inst;
--
-- return PAM_SUCCESS;
--}
--
--/*
- * This function performs the namespace setup for a particular directory
- * that is being polyinstantiated. It creates an MD5 hash of instance
- * directory, calls create_dirs to create it with appropriate
-@@ -914,14 +960,6 @@
- #endif
- }
-
-- if (idata->flags & PAMNS_GEN_HASH) {
-- retval = md5hash(&instname, idata);
-- if (retval < 0) {
-- pam_syslog(idata->pamh, LOG_ERR, "Error generating md5 hash");
-- goto error_out;
-- }
-- }
--
- if (asprintf(&inst_dir, "%s%s", polyptr->instance_prefix, instname) < 0)
- goto error_out;
-
diff --git a/pam-0.99.6.2-namespace-docfix.patch b/pam-0.99.6.2-namespace-docfix.patch
deleted file mode 100644
index 66620c8..0000000
--- a/pam-0.99.6.2-namespace-docfix.patch
+++ /dev/null
@@ -1,18 +0,0 @@
---- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf.5.xml.docfix 2007-04-03 17:51:29.000000000 +0200
-+++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.conf.5.xml 2007-04-23 19:04:10.000000000 +0200
-@@ -86,6 +86,15 @@
- for all users.
-
-
-+
-+ In case of context or level polyinstantiation the SELinux context
-+ which is used for polyinstantiation is the context used for executing
-+ a new process as obtained by getexeccon. This context must be set
-+ by the calling application or pam_selinux.so
-+ module. If this context is not set the polyinstatiation will be
-+ based just on user name.
-+
-+
-
-
-
diff --git a/pam-0.99.6.2-namespace-preserve-uid.patch b/pam-0.99.6.2-namespace-preserve-uid.patch
deleted file mode 100644
index d4cdf14..0000000
--- a/pam-0.99.6.2-namespace-preserve-uid.patch
+++ /dev/null
@@ -1,8 +0,0 @@
---- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init.preserve-uid 2006-06-27 15:07:43.000000000 +0200
-+++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init 2006-10-13 10:51:03.000000000 +0200
-@@ -1,4 +1,4 @@
--#!/bin/sh
-+#!/bin/sh -p
- # This is only a boilerplate for the instance initialization script.
- # It receives polydir path as $1 and the instance path as $2.
- #
diff --git a/pam-0.99.6.2-selinux-audit-context.patch b/pam-0.99.6.2-selinux-audit-context.patch
deleted file mode 100644
index 08908f2..0000000
--- a/pam-0.99.6.2-selinux-audit-context.patch
+++ /dev/null
@@ -1,85 +0,0 @@
---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.audit-context 2007-04-03 17:51:29.000000000 +0200
-+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-04-03 18:15:06.000000000 +0200
-@@ -88,33 +88,36 @@
- security_context_t selected_raw=NULL;
- rc = -1;
- if (audit_fd < 0) {
-- pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.\n"));
-+ if (errno == EINVAL || errno == EPROTONOSUPPORT ||
-+ errno == EAFNOSUPPORT)
-+ return 0; /* No audit support in kernel */
-+ pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system."));
- return rc;
- }
- if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
-- pam_syslog(pamh, LOG_ERR, _("Error translating default context.\n"));
-- goto out;
-+ pam_syslog(pamh, LOG_ERR, _("Error translating default context."));
-+ default_raw = NULL;
- }
- if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
-- pam_syslog(pamh, LOG_ERR, _("Error translating selected context.\n"));
-- goto out;
-+ pam_syslog(pamh, LOG_ERR, _("Error translating selected context."));
-+ selected_raw = NULL;
- }
- if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
-- default_context ? default_raw : "?",
-- selected_context ? selected_raw : "?") < 0) {
-- pam_syslog(pamh, LOG_ERR, ("Error allocating memory.\n"));
-+ default_raw ? default_raw : (default_context ? default_context : "?"),
-+ selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) {
-+ pam_syslog(pamh, LOG_ERR, ("Error allocating memory."));
- goto out;
- }
- if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
- msg, NULL, NULL, NULL, success) <= 0) {
-- pam_syslog(pamh, LOG_ERR, _("Error sending audit message.\n"));
-+ pam_syslog(pamh, LOG_ERR, _("Error sending audit message."));
- goto out;
- }
- rc = 0;
- out:
- free(msg);
- freecon(default_raw);
-- free(selected_raw);
-+ freecon(selected_raw);
- close(audit_fd);
- #else
- pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success);
-@@ -298,14 +301,17 @@
- if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) {
- pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon);
-
-+ send_audit_message(pamh, 0, puser_context, newcon);
-
-+ free(newcon);
- goto fail_range;
- }
- return newcon;
- }
-- else
-+ else {
-+ send_audit_message(pamh, 0, puser_context, context_str(new_context));
- send_text(pamh,_("Not a valid security context"),debug);
--
-+ }
- context_free(new_context); /* next time around allocates another */
- }
- else
-@@ -318,6 +324,7 @@
- free(type);
- _pam_drop(responses);
- context_free (new_context);
-+ send_audit_message(pamh, 0, puser_context, NULL);
- fail_range:
- return NULL;
- }
-@@ -509,7 +516,6 @@
- if (select_context && has_tty) {
- user_context = config_context(pamh, default_user_context, debug);
- if (user_context == NULL) {
-- send_audit_message(pamh, 0, default_user_context, default_user_context);
- freecon(default_user_context);
- pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"),
- username);
diff --git a/pam-0.99.6.2-selinux-drop-multiple.patch b/pam-0.99.6.2-selinux-drop-multiple.patch
deleted file mode 100644
index 6b7d88a..0000000
--- a/pam-0.99.6.2-selinux-drop-multiple.patch
+++ /dev/null
@@ -1,125 +0,0 @@
---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.drop-multiple 2006-06-18 10:26:59.000000000 +0200
-+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2006-11-10 17:47:16.000000000 +0100
-@@ -25,9 +25,6 @@
- debug
-
-
-- multiple
--
--
- open
-
-
-@@ -93,18 +90,6 @@
-
-
-
--
--
--
--
-- Tells pam_selinux.so to allow the user to select the
-- security context they will login with, if the user has
-- more than one role.
--
--
--
--
--
-
-
-
---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.drop-multiple 2006-11-10 17:44:33.000000000 +0100
-+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2006-11-10 17:44:33.000000000 +0100
-@@ -89,56 +89,6 @@
- }
-
- static security_context_t
--select_context (pam_handle_t *pamh, security_context_t* contextlist,
-- int debug)
--{
-- char *responses;
-- char *text=calloc(PATH_MAX,1);
--
-- if (text == NULL)
-- return (security_context_t) strdup(contextlist[0]);
--
-- snprintf(text, PATH_MAX,
-- _("Your default context is %s. \n"), contextlist[0]);
-- send_text(pamh,text,debug);
-- free(text);
-- query_response(pamh,_("Do you want to choose a different one? [n]"),
-- &responses,debug);
-- if (responses && ((responses[0] == 'y') ||
-- (responses[0] == 'Y')))
-- {
-- int choice=0;
-- int i;
-- const char *prompt=_("Enter number of choice: ");
-- int len=strlen(prompt);
-- char buf[PATH_MAX];
--
-- _pam_drop(responses);
-- for (i = 0; contextlist[i]; i++) {
-- len+=strlen(contextlist[i]) + 10;
-- }
-- text=calloc(len,1);
-- for (i = 0; contextlist[i]; i++) {
-- snprintf(buf, PATH_MAX,
-- "[%d] %s\n", i+1, contextlist[i]);
-- strncat(text,buf,len);
-- }
-- strcat(text,prompt);
-- while ((choice < 1) || (choice > i)) {
-- query_response(pamh,text,&responses,debug);
-- choice = strtol (responses, NULL, 10);
-- _pam_drop(responses);
-- }
-- free(text);
-- return (security_context_t) strdup(contextlist[choice-1]);
-- }
-- else if (responses)
-- _pam_drop(responses);
--
-- return (security_context_t) strdup(contextlist[0]);
--}
--
--static security_context_t
- manual_context (pam_handle_t *pamh, const char *user, int debug)
- {
- security_context_t newcon;
-@@ -322,7 +272,7 @@
- int argc, const char **argv)
- {
- int i, debug = 0, ttys=1, has_tty=isatty(0);
-- int verbose=0, multiple=0, close_session=0;
-+ int verbose=0, close_session=0;
- int ret = 0;
- security_context_t* contextlist = NULL;
- int num_contexts = 0;
-@@ -342,9 +292,6 @@
- if (strcmp(argv[i], "verbose") == 0) {
- verbose = 1;
- }
-- if (strcmp(argv[i], "multiple") == 0) {
-- multiple = 1;
-- }
- if (strcmp(argv[i], "close") == 0) {
- close_session = 1;
- }
-@@ -377,13 +324,8 @@
- free(level);
- }
- if (num_contexts > 0) {
-- if (multiple && (num_contexts > 1) && has_tty) {
-- user_context = select_context(pamh,contextlist, debug);
-- freeconary(contextlist);
-- } else {
-- user_context = (security_context_t) strdup(contextlist[0]);
-- freeconary(contextlist);
-- }
-+ user_context = (security_context_t) strdup(contextlist[0]);
-+ freeconary(contextlist);
- } else {
- if (has_tty) {
- user_context = manual_context(pamh,username,debug);
diff --git a/pam-0.99.6.2-selinux-keycreate.patch b/pam-0.99.6.2-selinux-keycreate.patch
deleted file mode 100644
index 9747b0b..0000000
--- a/pam-0.99.6.2-selinux-keycreate.patch
+++ /dev/null
@@ -1,42 +0,0 @@
---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.keycreate 2006-08-31 17:26:46.000000000 +0200
-+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2006-08-31 19:01:05.000000000 +0200
-@@ -391,6 +391,28 @@
- pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
- (const char *)username, user_context);
- }
-+#ifdef HAVE_SETKEYCREATECON
-+ ret = setkeycreatecon(user_context);
-+ if (ret==0 && verbose) {
-+ char msg[PATH_MAX];
-+ snprintf(msg, sizeof(msg),
-+ _("Key Creation Context %s Assigned"), user_context);
-+ verbose_message(pamh, msg, debug);
-+ }
-+ if (ret) {
-+ pam_syslog(pamh, LOG_ERR,
-+ "Error! Unable to set %s key creation context %s.",
-+ (const char *)username, user_context);
-+ if (security_getenforce() == 1) {
-+ freecon(user_context);
-+ return PAM_AUTH_ERR;
-+ }
-+ } else {
-+ if (debug)
-+ pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",
-+ (const char *)username, user_context);
-+ }
-+#endif
- freecon(user_context);
-
- return PAM_SUCCESS;
---- Linux-PAM-0.99.6.2/configure.in.keycreate 2006-08-31 17:26:46.000000000 +0200
-+++ Linux-PAM-0.99.6.2/configure.in 2006-08-31 18:59:52.000000000 +0200
-@@ -397,7 +397,7 @@
- AC_CHECK_FUNCS(strcspn strdup strspn strstr strtol uname)
- AC_CHECK_FUNCS(getpwnam_r getpwuid_r getgrnam_r getgrgid_r getspnam_r)
- AC_CHECK_FUNCS(getgrouplist getline getdelim)
--AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af)
-+AC_CHECK_FUNCS(inet_ntop inet_pton ruserok_af setkeycreatecon)
-
- AC_CHECK_FUNCS(unshare, [UNSHARE=yes], [UNSHARE=no])
- AM_CONDITIONAL([HAVE_UNSHARE], [test "$UNSHARE" = yes])
diff --git a/pam-0.99.6.2-selinux-select-context.patch b/pam-0.99.6.2-selinux-select-context.patch
deleted file mode 100644
index 475369c..0000000
--- a/pam-0.99.6.2-selinux-select-context.patch
+++ /dev/null
@@ -1,463 +0,0 @@
---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context 2007-02-21 20:38:10.000000000 +0100
-+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-02-21 20:38:11.000000000 +0100
-@@ -33,6 +33,9 @@
-
- verbose
-
-+
-+ select_context
-+
-
-
-
-@@ -118,6 +121,17 @@
-
-
-
-+
-+
-+
-+
-+
-+
-+ Attempt to ask the user for a custom security context role.
-+ If MLS is on ask also for sensitivity level.
-+
-+
-+
-
-
-
---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2007-02-21 20:38:10.000000000 +0100
-+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-02-21 20:44:01.000000000 +0100
-@@ -63,9 +63,64 @@
- #include
- #include
- #include
-+#include
- #include
- #include
-+#include
-
-+#ifdef HAVE_LIBAUDIT
-+#include
-+#include
-+#include
-+#endif
-+
-+/* Send audit message */
-+static
-+
-+int send_audit_message(pam_handle_t *pamh, int success, security_context_t default_context,
-+ security_context_t selected_context)
-+{
-+ int rc=0;
-+#ifdef HAVE_LIBAUDIT
-+ char *msg = NULL;
-+ int audit_fd = audit_open();
-+ security_context_t default_raw=NULL;
-+ security_context_t selected_raw=NULL;
-+ rc = -1;
-+ if (audit_fd < 0) {
-+ pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.\n"));
-+ return rc;
-+ }
-+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
-+ pam_syslog(pamh, LOG_ERR, _("Error translating default context.\n"));
-+ goto out;
-+ }
-+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
-+ pam_syslog(pamh, LOG_ERR, _("Error translating selected context.\n"));
-+ goto out;
-+ }
-+ if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
-+ default_context ? default_raw : "?",
-+ selected_context ? selected_raw : "?") < 0) {
-+ pam_syslog(pamh, LOG_ERR, ("Error allocating memory.\n"));
-+ goto out;
-+ }
-+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
-+ msg, NULL, NULL, NULL, success) <= 0) {
-+ pam_syslog(pamh, LOG_ERR, _("Error sending audit message.\n"));
-+ goto out;
-+ }
-+ rc = 0;
-+ out:
-+ free(msg);
-+ freecon(default_raw);
-+ free(selected_raw);
-+ close(audit_fd);
-+#else
-+ pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success);
-+#endif
-+ return rc;
-+}
- static int
- send_text (pam_handle_t *pamh, const char *text, int debug)
- {
-@@ -79,69 +134,64 @@
- * is responsible for freeing the responses.
- */
- static int
--query_response (pam_handle_t *pamh, const char *text,
-+query_response (pam_handle_t *pamh, const char *text, const char *def,
- char **responses, int debug)
- {
-+ int rc;
-+ if (def)
-+ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s [%s] ", text, def);
-+ else
-+ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s ", text);
- if (debug)
-- pam_syslog(pamh, LOG_NOTICE, "%s", text);
--
-- return pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s", text);
-+ pam_syslog(pamh, LOG_NOTICE, "%s %s", text, responses[0]);
-+ return rc;
- }
-
- static security_context_t
- manual_context (pam_handle_t *pamh, const char *user, int debug)
- {
-- security_context_t newcon;
-+ security_context_t newcon=NULL;
- context_t new_context;
- int mls_enabled = is_selinux_mls_enabled();
--
-- char *responses;
-+ char *type=NULL;
-+ char *responses=NULL;
-
- while (1) {
- query_response(pamh,
-- _("Would you like to enter a security context? [y] "),
-+ _("Would you like to enter a security context? [N] "), NULL,
- &responses,debug);
-- if ((responses[0] == 'y') || (responses[0] == 'Y') ||
-- (responses[0] == '\0') )
-+ if ((responses[0] == 'y') || (responses[0] == 'Y'))
- {
- if (mls_enabled)
- new_context = context_new ("user:role:type:level");
- else
- new_context = context_new ("user:role:type");
-- _pam_drop(responses);
-
-- /* Allow the user to enter each field of the context individually */
-+ if (!new_context)
-+ goto fail_set;
-+
- if (context_user_set (new_context, user))
-- {
-- context_free (new_context);
-- return NULL;
-- }
-- query_response(pamh,_("role: "),&responses,debug);
-- if (context_role_set (new_context, responses))
-- {
-- _pam_drop(responses);
-- context_free (new_context);
-- return NULL;
-- }
-+ goto fail_set;
-+
- _pam_drop(responses);
-- query_response(pamh,_("type: "),&responses,debug);
-- if (context_type_set (new_context, responses))
-- {
-- _pam_drop(responses);
-- context_free (new_context);
-- return NULL;
-- }
-+ /* Allow the user to enter each field of the context individually */
-+ query_response(pamh,_("role:"), NULL, &responses,debug);
-+ if (responses[0] != '\0') {
-+ if (context_role_set (new_context, responses))
-+ goto fail_set;
-+ if (get_default_type(responses, &type))
-+ goto fail_set;
-+ if (context_type_set (new_context, type))
-+ goto fail_set;
-+ }
- _pam_drop(responses);
- if (mls_enabled)
- {
-- query_response(pamh,_("level: "),&responses,debug);
-- if (context_range_set (new_context, responses))
-- {
-- _pam_drop(responses);
-- context_free (new_context);
-- return NULL;
-- }
-- _pam_drop(responses);
-+ query_response(pamh,_("level:"), NULL, &responses,debug);
-+ if (responses[0] != '\0') {
-+ if (context_range_set (new_context, responses))
-+ goto fail_set;
-+ }
- }
- /* Get the string value of the context and see if it is valid. */
- if (!security_check_context(context_str(new_context))) {
-@@ -151,14 +201,125 @@
- }
- else
- send_text(pamh,_("Not a valid security context"),debug);
-+ context_free (new_context);
- }
- else {
- _pam_drop(responses);
- return NULL;
- }
- } /* end while */
-+ fail_set:
-+ free(type);
-+ _pam_drop(responses);
-+ context_free (new_context);
-+ return NULL;
-+}
-+
-+static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug)
-+{
-+ struct av_decision avd;
-+ int retval;
-+ unsigned int bit = CONTEXT__CONTAINS;
-+ context_t src_context = context_new (src);
-+ context_t dst_context = context_new (dst);
-+ context_range_set(dst_context, context_range_get(src_context));
-+ if (debug)
-+ pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context));
-+
-+ retval = security_compute_av(context_str(dst_context), dst, SECCLASS_CONTEXT, bit, &avd);
-+ context_free(src_context);
-+ context_free(dst_context);
-+ if (retval || ((bit & avd.allowed) != bit))
-+ return 0;
-+
-+ return 1;
-+}
-+
-+static security_context_t
-+config_context (pam_handle_t *pamh, security_context_t puser_context, int debug)
-+{
-+ security_context_t newcon=NULL;
-+ context_t new_context;
-+ int mls_enabled = is_selinux_mls_enabled();
-+ char *responses=NULL;
-+ char *type=NULL;
-+ char resp_val = 0;
-+
-+ pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("Default Security Context %s\n"), puser_context);
-+
-+ while (1) {
-+ query_response(pamh,
-+ _("Would you like to enter a different role or level?"), "n",
-+ &responses,debug);
-+
-+ resp_val = responses[0];
-+ _pam_drop(responses);
-+ if ((resp_val == 'y') || (resp_val == 'Y'))
-+ {
-+ new_context = context_new(puser_context);
-+
-+ /* Allow the user to enter role and level individually */
-+ query_response(pamh,_("role:"), context_role_get(new_context),
-+ &responses, debug);
-+ if (responses[0]) {
-+ if (get_default_type(responses, &type)) {
-+ pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), responses);
-+ _pam_drop(responses);
-+ continue;
-+ } else {
-+ if (context_role_set(new_context, responses))
-+ goto fail_set;
-+ if (context_type_set (new_context, type))
-+ goto fail_set;
-+ }
-+ }
-+ _pam_drop(responses);
-+ if (mls_enabled)
-+ {
-+ query_response(pamh,_("level:"), context_range_get(new_context),
-+ &responses, debug);
-+ if (responses[0]) {
-+ if (context_range_set(new_context, responses))
-+ goto fail_set;
-+ }
-+ _pam_drop(responses);
-+ }
-+ if (debug)
-+ pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", context_str(new_context));
-+
-+ /* Get the string value of the context and see if it is valid. */
-+ if (!security_check_context(context_str(new_context))) {
-+ newcon = strdup(context_str(new_context));
-+ context_free (new_context);
-+
-+ /* we have to check that this user is allowed to go into the
-+ range they have specified ... role is tied to an seuser, so that'll
-+ be checked at setexeccon time */
-+ if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) {
-+ pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon);
-+
-+
-+ goto fail_range;
-+ }
-+ return newcon;
-+ }
-+ else
-+ send_text(pamh,_("Not a valid security context"),debug);
-+
-+ context_free(new_context); /* next time around allocates another */
-+ }
-+ else
-+ return strdup(puser_context);
-+ } /* end while */
-
- return NULL;
-+
-+ fail_set:
-+ free(type);
-+ _pam_drop(responses);
-+ context_free (new_context);
-+ fail_range:
-+ return NULL;
- }
-
- static void
-@@ -273,13 +434,15 @@
- {
- int i, debug = 0, ttys=1, has_tty=isatty(0);
- int verbose=0, close_session=0;
-+ int select_context = 0;
- int ret = 0;
- security_context_t* contextlist = NULL;
- int num_contexts = 0;
-- const void *username = NULL;
-+ const char *username = NULL;
- const void *tty = NULL;
- char *seuser=NULL;
- char *level=NULL;
-+ security_context_t default_user_context=NULL;
-
- /* Parse arguments. */
- for (i = 0; i < argc; i++) {
-@@ -295,6 +458,9 @@
- if (strcmp(argv[i], "close") == 0) {
- close_session = 1;
- }
-+ if (strcmp(argv[i], "select_context") == 0) {
-+ select_context = 1;
-+ }
- }
-
- if (debug)
-@@ -307,7 +473,7 @@
- if (!(selinux_enabled = is_selinux_enabled()>0) )
- return PAM_SUCCESS;
-
-- if (pam_get_item(pamh, PAM_USER, &username) != PAM_SUCCESS ||
-+ if (pam_get_item(pamh, PAM_USER, (void *) &username) != PAM_SUCCESS ||
- username == NULL) {
- return PAM_USER_UNKNOWN;
- }
-@@ -319,19 +485,39 @@
- &contextlist);
- if (debug)
- pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
-- (const char *)username, seuser, level);
-+ username, seuser, level);
- free(seuser);
- free(level);
- }
- if (num_contexts > 0) {
-- user_context = (security_context_t) strdup(contextlist[0]);
-+ default_user_context=strdup(contextlist[0]);
- freeconary(contextlist);
-- } else {
-+ if (default_user_context == NULL) {
-+ pam_syslog(pamh, LOG_ERR, _("Out of memory"));
-+ return PAM_AUTH_ERR;
-+ }
-+ user_context = default_user_context;
-+ if (select_context && has_tty) {
-+ user_context = config_context(pamh, default_user_context, debug);
-+ if (user_context == NULL) {
-+ send_audit_message(pamh, 0, default_user_context, default_user_context);
-+ freecon(default_user_context);
-+ pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"),
-+ username);
-+ pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username);
-+ if (security_getenforce() == 1)
-+ return PAM_AUTH_ERR;
-+ else
-+ return PAM_SUCCESS;
-+ }
-+ }
-+ }
-+ else {
- if (has_tty) {
-- user_context = manual_context(pamh,username,debug);
-+ user_context = manual_context(pamh,seuser,debug);
- if (user_context == NULL) {
- pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s",
-- (const char *)username);
-+ username);
- if (security_getenforce() == 1)
- return PAM_AUTH_ERR;
- else
-@@ -340,7 +526,7 @@
- } else {
- pam_syslog (pamh, LOG_ERR,
- "Unable to get valid context for %s, No valid tty",
-- (const char *)username);
-+ username);
- if (security_getenforce() == 1)
- return PAM_AUTH_ERR;
- else
-@@ -371,6 +557,10 @@
- ttyn=strdup(tty);
- ttyn_context=security_label_tty(pamh,ttyn,user_context);
- }
-+ send_audit_message(pamh, 1, default_user_context, user_context);
-+ if (default_user_context != user_context) {
-+ freecon(default_user_context);
-+ }
- ret = setexeccon(user_context);
- if (ret==0 && verbose) {
- char msg[PATH_MAX];
-@@ -381,7 +571,7 @@
- if (ret) {
- pam_syslog(pamh, LOG_ERR,
- "Error! Unable to set %s executable context %s.",
-- (const char *)username, user_context);
-+ username, user_context);
- if (security_getenforce() == 1) {
- freecon(user_context);
- return PAM_AUTH_ERR;
-@@ -389,7 +579,7 @@
- } else {
- if (debug)
- pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
-- (const char *)username, user_context);
-+ username, user_context);
- }
- #ifdef HAVE_SETKEYCREATECON
- ret = setkeycreatecon(user_context);
-@@ -402,7 +592,7 @@
- if (ret) {
- pam_syslog(pamh, LOG_ERR,
- "Error! Unable to set %s key creation context %s.",
-- (const char *)username, user_context);
-+ username, user_context);
- if (security_getenforce() == 1) {
- freecon(user_context);
- return PAM_AUTH_ERR;
-@@ -410,7 +600,7 @@
- } else {
- if (debug)
- pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",
-- (const char *)username, user_context);
-+ username, user_context);
- }
- #endif
- freecon(user_context);
diff --git a/pam-0.99.6.2-selinux-use-current-range.patch b/pam-0.99.6.2-selinux-use-current-range.patch
deleted file mode 100644
index d2836a7..0000000
--- a/pam-0.99.6.2-selinux-use-current-range.patch
+++ /dev/null
@@ -1,113 +0,0 @@
---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.range 2007-01-04 23:29:04.000000000 +0100
-+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-05 13:30:31.000000000 +0100
-@@ -435,6 +435,7 @@
- int i, debug = 0, ttys=1, has_tty=isatty(0);
- int verbose=0, close_session=0;
- int select_context = 0;
-+ int use_current_range = 0;
- int ret = 0;
- security_context_t* contextlist = NULL;
- int num_contexts = 0;
-@@ -461,11 +462,19 @@
- if (strcmp(argv[i], "select_context") == 0) {
- select_context = 1;
- }
-+ if (strcmp(argv[i], "use_current_range") == 0) {
-+ use_current_range = 1;
-+ }
- }
--
-+
- if (debug)
- pam_syslog(pamh, LOG_NOTICE, "Open Session");
-
-+ if (select_context && use_current_range) {
-+ pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range");
-+ select_context = 0;
-+ }
-+
- /* this module is only supposed to execute close_session */
- if (close_session)
- return PAM_SUCCESS;
-@@ -532,6 +541,51 @@
- return PAM_SUCCESS;
- }
- }
-+
-+ if (use_current_range && is_selinux_mls_enabled()) {
-+ security_context_t process_context=NULL;
-+ if (getcon(&process_context) == 0) {
-+ context_t pcon, ucon;
-+ char *process_level=NULL;
-+ security_context_t orig_context;
-+
-+ if (user_context)
-+ orig_context = user_context;
-+ else
-+ orig_context = default_user_context;
-+
-+ pcon = context_new(process_context);
-+ freecon(process_context);
-+ process_level = strdup(context_range_get(pcon));
-+ context_free(pcon);
-+
-+ if (debug)
-+ pam_syslog (pamh, LOG_DEBUG, "process level=%s", process_level);
-+
-+ ucon = context_new(orig_context);
-+
-+ context_range_set(ucon, process_level);
-+ free(process_level);
-+
-+ if (!mls_range_allowed(pamh, orig_context, context_str(ucon), debug)) {
-+ send_text(pamh, _("Requested MLS level not in permitted range"), debug);
-+ /* even if default_user_context is NULL audit that anyway */
-+ send_audit_message(pamh, 0, default_user_context, context_str(ucon));
-+ context_free(ucon);
-+ return PAM_AUTH_ERR;
-+ }
-+
-+ if (debug)
-+ pam_syslog (pamh, LOG_DEBUG, "adjusted context=%s", context_str(ucon));
-+
-+ /* replace the user context with the level adjusted one */
-+ freecon(user_context);
-+ user_context = strdup(context_str(ucon));
-+
-+ context_free(ucon);
-+ }
-+ }
-+
- if (getexeccon(&prev_user_context)<0) {
- prev_user_context=NULL;
- }
---- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.range 2007-01-04 23:29:04.000000000 +0100
-+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-01-04 23:35:03.000000000 +0100
-@@ -36,6 +36,9 @@
-
- select_context
-
-+
-+ use_current_range
-+
-
-
-
-@@ -132,6 +135,17 @@
-
-
-
-+
-+
-+
-+
-+
-+
-+ Use the sensitivity range of the process for the user context.
-+ This option and the select_context option are mutually exclusive.
-+
-+
-+
-
-
-
diff --git a/pam-0.99.7.0-dbpam.patch b/pam-0.99.7.0-dbpam.patch
deleted file mode 100644
index 2e3387e..0000000
--- a/pam-0.99.7.0-dbpam.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- Linux-PAM-0.99.7.0/configure.in.dbpam 2007-01-19 07:39:09.000000000 -0500
-+++ Linux-PAM-0.99.7.0/configure.in 2007-01-19 07:40:07.000000000 -0500
-@@ -348,7 +348,7 @@
- WITH_DB=$enableval, WITH_DB=yes)
- if test x"$WITH_DB" != xno ; then
- if test x"$WITH_DB" = xyes -o x"$WITH_DB" = xdb ; then
-- AC_CHECK_LIB([db], [db_create], LIBDB="-ldb", LIBDB="")
-+ AC_CHECK_LIB([db], [db_create_pam], LIBDB="-ldb", LIBDB="")
- if test -z "$LIBDB" ; then
- AC_CHECK_LIB([db], [dbm_store], LIBDB="-ldb", LIBDB="")
- fi
diff --git a/pam-0.99.7.0-namespace-level.patch b/pam-0.99.7.0-namespace-level.patch
deleted file mode 100644
index 2c18a90..0000000
--- a/pam-0.99.7.0-namespace-level.patch
+++ /dev/null
@@ -1,250 +0,0 @@
---- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.level 2007-01-19 08:33:11.000000000 -0500
-+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-19 08:33:11.000000000 -0500
-@@ -244,23 +244,29 @@
- }
- strcpy(poly.dir, dir);
- strcpy(poly.instance_prefix, instance_prefix);
-- if (strcmp(method, "user") == 0)
-- poly.method = USER;
-+
-+ poly.method = NONE;
-+ if (strcmp(method, "user") == 0)
-+ poly.method = USER;
-+
- #ifdef WITH_SELINUX
-- else if (strcmp(method, "context") == 0) {
-+ if (strcmp(method, "level") == 0) {
- if (idata->flags & PAMNS_CTXT_BASED_INST)
-- poly.method = CONTEXT;
-+ poly.method = LEVEL;
- else
- poly.method = USER;
-- } else if (strcmp(method, "both") == 0) {
-+ }
-+
-+ if (strcmp(method, "context") == 0) {
- if (idata->flags & PAMNS_CTXT_BASED_INST)
-- poly.method = BOTH;
-+ poly.method = CONTEXT;
- else
- poly.method = USER;
- }
-
- #endif
-- else {
-+
-+ if ( poly.method == NONE) {
- pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method");
- goto skipping;
- }
-@@ -448,19 +454,23 @@
- return PAM_SESSION_ERR;
- }
-
-+ if (polyptr->method == USER) return PAM_SUCCESS;
-+
-+ rc = getexeccon(&scon);
-+ if (rc < 0 || scon == NULL) {
-+ pam_syslog(idata->pamh, LOG_ERR,
-+ "Error getting exec context, %m");
-+ return PAM_SESSION_ERR;
-+ }
-+
- /*
- * If polyinstantiating based on security context, get current
- * process security context, get security class for directories,
- * and ask the policy to provide security context of the
- * polyinstantiated instance directory.
- */
-- if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) {
-- rc = getexeccon(&scon);
-- if (rc < 0 || scon == NULL) {
-- pam_syslog(idata->pamh, LOG_ERR,
-- "Error getting exec context, %m");
-- return PAM_SESSION_ERR;
-- }
-+
-+ if (polyptr->method == CONTEXT) {
- tclass = string_to_security_class("dir");
-
- if (security_compute_member(scon, *origcon, tclass,
-@@ -473,7 +483,48 @@
- pam_syslog(idata->pamh, LOG_DEBUG,
- "member context returned by policy %s", *i_context);
- freecon(scon);
-+ return PAM_SUCCESS;
- }
-+
-+ /*
-+ * If polyinstantiating based on security level, get current
-+ * process security context, get security class for directories,
-+ * and change the directories MLS Level to match process.
-+ */
-+
-+ if (polyptr->method == LEVEL) {
-+ context_t scontext = NULL;
-+ context_t fcontext = NULL;
-+ rc = PAM_SESSION_ERR;
-+
-+ scontext = context_new(scon);
-+ if (! scontext) {
-+ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
-+ goto fail;
-+ }
-+ fcontext = context_new(*origcon);
-+ if (! fcontext) {
-+ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
-+ goto fail;
-+ }
-+ if (context_range_set(fcontext, context_range_get(scontext)) != 0) {
-+ pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Componant of context");
-+ goto fail;
-+ }
-+ *i_context=strdup(context_str(fcontext));
-+ if (! *i_context) {
-+ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
-+ goto fail;
-+ }
-+
-+ rc = PAM_SUCCESS;
-+ fail:
-+ context_free(scontext);
-+ context_free(fcontext);
-+ freecon(scon);
-+ return rc;
-+ }
-+ /* Should never get here */
- return PAM_SUCCESS;
- }
- #endif
-@@ -514,19 +565,14 @@
- break;
-
- #ifdef WITH_SELINUX
-+ case LEVEL:
- case CONTEXT:
-- if (asprintf(i_name, "%s", *i_context) < 0) {
-- *i_name = NULL;
-- rc = PAM_SESSION_ERR;
-- }
-- break;
--
-- case BOTH:
- if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) {
- *i_name = NULL;
- rc = PAM_SESSION_ERR;
- }
- break;
-+
- #endif /* WITH_SELINUX */
-
- default:
-@@ -1158,7 +1204,7 @@
- #ifdef WITH_SELINUX
- if (is_selinux_enabled())
- idata.flags |= PAMNS_SELINUX_ENABLED;
-- if (ctxt_based_inst_needed())
-+ if (ctxt_based_inst_needed())
- idata.flags |= PAMNS_CTXT_BASED_INST;
- #endif
-
---- Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.level 2006-06-27 09:07:43.000000000 -0400
-+++ Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf 2007-01-19 08:33:11.000000000 -0500
-@@ -4,12 +4,10 @@
- #
- # Uncommenting the following three lines will polyinstantiate
- # /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
--# be polyinstantiated based on both security context as well as user
--# name, whereas home directory will be polyinstantiated based on
--# security context only. Polyinstantion will not be performed for
--# user root and adm for directories /tmp and /var/tmp, whereas home
--# directories will be polyinstantiated for all users. The user name
--# and/or context is appended to the instance prefix.
-+# be polyinstantiated based on the MLS level part of the security context as well as user
-+# name, Polyinstantion will not be performed for user root and adm for directories
-+# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
-+# The user name and context is appended to the instance prefix.
- #
- # Note that instance directories do not have to reside inside the
- # polyinstantiated directory. In the examples below, instances of /tmp
-@@ -25,6 +23,6 @@
- # caution, as it will reduce security and isolation achieved by
- # polyinstantiation.
- #
--#/tmp /tmp-inst/ both root,adm
--#/var/tmp /var/tmp/tmp-inst/ both root,adm
--#$HOME $HOME/$USER.inst/inst- context
-+#/tmp /tmp-inst/ level root,adm
-+#/var/tmp /var/tmp/tmp-inst/ level root,adm
-+#$HOME $HOME/$USER.inst/ level
---- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.level 2007-01-19 08:33:11.000000000 -0500
-+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-01-19 08:33:11.000000000 -0500
-@@ -63,6 +63,7 @@
-
- #ifdef WITH_SELINUX
- #include
-+#include
- #endif
-
- #ifndef CLONE_NEWNS
-@@ -93,9 +94,10 @@
- * or both
- */
- enum polymethod {
-+ NONE,
- USER,
- CONTEXT,
-- BOTH,
-+ LEVEL,
- };
-
- /*
---- Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.5.xml.level 2006-06-27 09:07:43.000000000 -0400
-+++ Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.5.xml 2007-01-19 08:33:11.000000000 -0500
-@@ -22,7 +22,7 @@
-
- This module allows setup of private namespaces with polyinstantiated
- directories. Directories can be polyinstantiated based on user name
-- or, in the case of SELinux, user name, security context or both. If an
-+ or, in the case of SELinux, user name, sensitivity level or complete security context. If an
- executable script /etc/security/namespace.init
- exists, it is used to initialize the namespace every time a new instance
- directory is setup. The script receives the polyinstantiated
-@@ -72,10 +72,10 @@
-
- The third field, method, is the method
- used for polyinstantiation. It can take 3 different values; "user"
-- for polyinstantiation based on user name, "context" for
-- polyinstantiation based on process security context, and "both"
-- for polyinstantiation based on both user name and security context.
-- Methods "context" and "both" are only available with SELinux. This
-+ for polyinstantiation based on user name, "level" for
-+ polyinstantiation based on process MLS level and user name, and "context" for
-+ polyinstantiation based on process security context and user name
-+ Methods "context" and "level" are only available with SELinux. This
- field cannot be blank.
-
-
-@@ -98,9 +98,9 @@
-
- # The following three lines will polyinstantiate /tmp,
- # /var/tmp and user's home directories. /tmp and /var/tmp
-- # will be polyinstantiated based on both security context
-+ # will be polyinstantiated based on the security level
- # as well as user name, whereas home directory will be
-- # polyinstantiated based on security context only.
-+ # polyinstantiated based on the full security context and user name.
- # Polyinstantiation will not be performed for user root
- # and adm for directories /tmp and /var/tmp, whereas home
- # directories will be polyinstantiated for all users.
-@@ -112,8 +112,8 @@
- # will reside within the directories that are being
- # polyinstantiated.
- #
-- /tmp /tmp-inst/ both root,adm
-- /var/tmp /var/tmp/tmp-inst/ both root,adm
-+ /tmp /tmp-inst/ level root,adm
-+ /var/tmp /var/tmp/tmp-inst/ level root,adm
- $HOME $HOME/$USER.inst/inst- context
-
-
diff --git a/pam-0.99.7.0-namespace-no-unmount.patch b/pam-0.99.7.0-namespace-no-unmount.patch
deleted file mode 100644
index c5a02b7..0000000
--- a/pam-0.99.7.0-namespace-no-unmount.patch
+++ /dev/null
@@ -1,95 +0,0 @@
---- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.no-unmount 2006-10-24 07:45:36.000000000 -0400
-+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-19 08:08:58.000000000 -0500
-@@ -1266,12 +1266,30 @@
- idata.flags |= PAMNS_DEBUG;
- if (strcmp(argv[i], "ignore_config_error") == 0)
- idata.flags |= PAMNS_IGN_CONFIG_ERR;
-+ if (strcmp(argv[i], "no_unmount_on_close") == 0)
-+ idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE;
- }
-
- if (idata.flags & PAMNS_DEBUG)
- pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start");
-
- /*
-+ * For certain trusted programs such as newrole, open session
-+ * is called from a child process while the parent perfoms
-+ * close session and pam end functions. For these commands
-+ * pam_close_session should not perform the unmount of the
-+ * polyinstantiatied directory because it will result in
-+ * undoing of parents polyinstantiatiaion. These commands
-+ * will invoke pam_namespace with the "no_unmount_on_close"
-+ * argument.
-+ */
-+ if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) {
-+ if (idata.flags & PAMNS_DEBUG)
-+ pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful");
-+ return PAM_SUCCESS;
-+ }
-+
-+ /*
- * Lookup user and fill struct items
- */
- retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name );
---- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml.no-unmount 2006-06-27 09:07:44.000000000 -0400
-+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml 2007-01-19 07:45:02.000000000 -0500
-@@ -43,6 +43,9 @@
-
- ignore_instance_parent_mode
-
-+
-+ no_unmount_on_close
-+
-
-
-
-@@ -179,6 +182,22 @@
-
-
-
-+
-+
-+
-+
-+
-+
-+ For certain trusted programs such as newrole, open session
-+ is called from a child process while the parent perfoms
-+ close session and pam end functions. For these commands
-+ use this option to instruct pam_close_session to not
-+ unmount the bind mounted polyinstantiated directory in the
-+ parent.
-+
-+
-+
-+
-
-
-
---- Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml.no-unmount 2006-06-28 03:22:43.000000000 -0400
-+++ Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml 2007-01-19 07:45:02.000000000 -0500
-@@ -121,6 +121,14 @@
- the restrictive mode of 000. Using this option, an administrator
- can choose to ignore the mode of the instance parent.
-
-+ no_unmount_on_close
-+ For certain trusted programs such as newrole, open session
-+ is called from a child process while the parent perfoms
-+ close session and pam end functions. For these commands
-+ use this option to instruct pam_close_session to not
-+ unmount the bind mounted polyinstantiated directory in the
-+ parent.
-+
- MODULE SERVICES PROVIDED:
- session open_session and close_session
-
---- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.no-unmount 2006-07-28 07:59:28.000000000 -0400
-+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-01-19 07:45:02.000000000 -0500
-@@ -86,6 +86,7 @@
- #define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */
- #define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */
- #define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */
-+#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
-
- /*
- * Polyinstantiation method options, based on user, security context
diff --git a/pam-0.99.7.0-namespace-unmnt-override.patch b/pam-0.99.7.0-namespace-unmnt-override.patch
deleted file mode 100644
index 204c289..0000000
--- a/pam-0.99.7.0-namespace-unmnt-override.patch
+++ /dev/null
@@ -1,125 +0,0 @@
---- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.unmnt-override 2007-01-22 14:06:31.000000000 +0100
-+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-23 16:41:57.000000000 +0100
-@@ -417,17 +417,18 @@
- * uids for the polyinstantiated directory, polyinstantiation is not
- * performed for that user for that directory.
- */
--static int ns_override(struct polydir_s *polyptr, struct instance_data *idata)
-+static int ns_override(struct polydir_s *polyptr, struct instance_data *idata,
-+ uid_t uid)
- {
- unsigned int i;
-
- if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_DEBUG,
- "Checking for ns override in dir %s for uid %d",
-- polyptr->dir, idata->uid);
-+ polyptr->dir, uid);
-
- for (i = 0; i < polyptr->num_uids; i++) {
-- if (idata->uid == polyptr->uid[i]) {
-+ if (uid == polyptr->uid[i]) {
- return 1;
- }
- }
-@@ -1013,21 +1014,46 @@
- int retval = 0, need_poly = 0, changing_dir = 0;
- char *cptr, *fptr, poly_parent[PATH_MAX];
- struct polydir_s *pptr;
-+ uid_t req_uid;
-+ const void *ruser_name;
-+ struct passwd *pwd;
-
- if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_DEBUG, "Set up namespace for pid %d",
- getpid());
-
-+ retval = pam_get_item(idata->pamh, PAM_RUSER, &ruser_name);
-+ if (ruser_name == NULL || retval != PAM_SUCCESS) {
-+ retval = PAM_SUCCESS;
-+ req_uid = getuid();
-+ } else {
-+ pwd = pam_modutil_getpwnam(idata->pamh, ruser_name);
-+ if (pwd != NULL) {
-+ req_uid = pwd->pw_uid;
-+ } else {
-+ req_uid = getuid();
-+ }
-+ }
-+
- /*
- * Cycle through all polyinstantiated directory entries to see if
- * polyinstantiation is needed at all.
- */
- for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
-- if (ns_override(pptr, idata)) {
-- if (idata->flags & PAMNS_DEBUG)
-- pam_syslog(idata->pamh, LOG_DEBUG,
-+ if (ns_override(pptr, idata, idata->uid)) {
-+ if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
-+ if (idata->flags & PAMNS_DEBUG)
-+ pam_syslog(idata->pamh, LOG_DEBUG,
- "Overriding poly for user %d for dir %s",
- idata->uid, pptr->dir);
-+ } else {
-+ if (idata->flags & PAMNS_DEBUG)
-+ pam_syslog(idata->pamh, LOG_DEBUG,
-+ "Need unmount ns for user %d for dir %s",
-+ idata->uid, pptr->dir);
-+ need_poly = 1;
-+ break;
-+ }
- continue;
- } else {
- if (idata->flags & PAMNS_DEBUG)
-@@ -1057,15 +1083,20 @@
- * call ns_setup to setup polyinstantiation for a particular entry.
- */
- for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
-- if (ns_override(pptr, idata))
-- continue;
-- else {
-- if (idata->flags & PAMNS_DEBUG)
-+ enum unmnt_op dir_unmnt = unmnt;
-+ if (ns_override(pptr, idata, idata->uid)) {
-+ if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
-+ continue;
-+ } else {
-+ dir_unmnt = UNMNT_ONLY;
-+ }
-+ }
-+ if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_DEBUG,
- "Setting poly ns for user %d for dir %s",
- idata->uid, pptr->dir);
-
-- if ((unmnt == UNMNT_REMNT) || (unmnt == UNMNT_ONLY)) {
-+ if ((dir_unmnt == UNMNT_REMNT) || (dir_unmnt == UNMNT_ONLY)) {
- /*
- * Check to see if process current directory is in the
- * bind mounted instance_parent directory that we are trying to
-@@ -1105,13 +1136,12 @@
- } else if (idata->flags & PAMNS_DEBUG)
- pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s",
- pptr->dir);
-- }
-+ }
-
-- if (unmnt != UNMNT_ONLY) {
-+ if (dir_unmnt != UNMNT_ONLY) {
- retval = ns_setup(pptr, idata);
- if (retval != PAM_SUCCESS)
- break;
-- }
- }
- }
-
-@@ -1138,7 +1168,7 @@
- * appropriate polyinstantiated instance directories.
- */
- for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
-- if (ns_override(pptr, idata))
-+ if (ns_override(pptr, idata, idata->uid))
- continue;
- else {
- if (idata->flags & PAMNS_DEBUG)
diff --git a/pam-0.99.7.1-namespace-unknown-user.patch b/pam-0.99.7.1-namespace-unknown-user.patch
deleted file mode 100644
index e659435..0000000
--- a/pam-0.99.7.1-namespace-unknown-user.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c.unknown-user 2007-04-13 17:12:40.000000000 +0200
-+++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c 2007-04-13 18:11:57.000000000 +0200
-@@ -302,11 +302,14 @@
- *tptr = '\0';
-
- pwd = pam_modutil_getpwnam(idata->pamh, ustr);
-- *uidptr = pwd->pw_uid;
-- if (i < count - 1) {
-- ustr = tptr + 1;
-+ if (pwd == NULL) {
-+ pam_syslog(idata->pamh, LOG_ERR, "Unknown user %s in configuration", ustr);
-+ poly.num_uids--;
-+ } else {
-+ *uidptr = pwd->pw_uid;
- uidptr++;
- }
-+ ustr = tptr + 1;
- }
- }
-
diff --git a/pam-0.99.7.1-unix-allow-pwmodify.patch b/pam-0.99.7.1-unix-allow-pwmodify.patch
deleted file mode 100644
index 2a0914c..0000000
--- a/pam-0.99.7.1-unix-allow-pwmodify.patch
+++ /dev/null
@@ -1,16 +0,0 @@
---- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c.pwmodify 2006-12-20 12:08:59.000000000 +0100
-+++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c 2007-02-21 21:01:48.000000000 +0100
-@@ -1077,13 +1077,6 @@
- user);
- return PAM_USER_UNKNOWN;
- }
-- if (!_unix_shadowed(pwd) &&
-- (strchr(pwd->pw_passwd, '*') != NULL)) {
-- pam_syslog(pamh, LOG_DEBUG,
-- "user \"%s\" does not have modifiable password",
-- user);
-- return PAM_USER_UNKNOWN;
-- }
- }
-
- /*
diff --git a/pam-0.99.7.1-unix-bigcrypt.patch b/pam-0.99.7.1-unix-bigcrypt.patch
deleted file mode 100644
index f7bdbed..0000000
--- a/pam-0.99.7.1-unix-bigcrypt.patch
+++ /dev/null
@@ -1,126 +0,0 @@
---- Linux-PAM-0.99.7.1/modules/pam_unix/support.c.bigcrypt 2007-01-23 10:41:21.000000000 +0100
-+++ Linux-PAM-0.99.7.1/modules/pam_unix/support.c 2007-06-01 15:11:51.000000000 +0200
-@@ -679,7 +679,7 @@
- }
- }
- } else {
-- int salt_len = strlen(salt);
-+ size_t salt_len = strlen(salt);
- if (!salt_len) {
- /* the stored password is NULL */
- if (off(UNIX__NONULL, ctrl)) {/* this means we've succeeded */
-@@ -689,19 +689,19 @@
- D(("user has empty password - access denied"));
- retval = PAM_AUTH_ERR;
- }
-- } else if (!p || (*salt == '*')) {
-+ } else if (!p || *salt == '*' || *salt == '!') {
- retval = PAM_AUTH_ERR;
- } else {
- if (!strncmp(salt, "$1$", 3)) {
- pp = Goodcrypt_md5(p, salt);
-- if (strcmp(pp, salt) != 0) {
-+ if (pp && strcmp(pp, salt) != 0) {
- _pam_delete(pp);
- pp = Brokencrypt_md5(p, salt);
- }
- } else if (*salt != '$' && salt_len >= 13) {
- pp = bigcrypt(p, salt);
-- if (strlen(pp) > salt_len) {
-- pp[salt_len] = '\0';
-+ if (pp && salt_len == 13 && strlen(pp) > salt_len) {
-+ _pam_overwrite(pp + salt_len);
- }
- } else {
- /*
-@@ -715,7 +715,7 @@
- /* the moment of truth -- do we agree with the password? */
- D(("comparing state of pp[%s] and salt[%s]", pp, salt));
-
-- if (strcmp(pp, salt) == 0) {
-+ if (pp && strcmp(pp, salt) == 0) {
- retval = PAM_SUCCESS;
- } else {
- retval = PAM_AUTH_ERR;
---- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.bigcrypt 2006-10-24 12:01:49.000000000 +0200
-+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-06-01 15:08:46.000000000 +0200
-@@ -144,7 +144,7 @@
- char *salt = NULL;
- char *pp = NULL;
- int retval = PAM_AUTH_ERR;
-- int salt_len;
-+ size_t salt_len;
-
- /* UNIX passwords area */
- setpwent();
-@@ -189,6 +189,8 @@
- return (nullok == 0) ? PAM_AUTH_ERR : PAM_SUCCESS;
- }
- if (p == NULL || strlen(p) == 0) {
-+ _pam_overwrite(salt);
-+ _pam_drop(salt);
- return PAM_AUTHTOK_ERR;
- }
-
-@@ -196,11 +198,13 @@
- retval = PAM_AUTH_ERR;
- if (!strncmp(salt, "$1$", 3)) {
- pp = Goodcrypt_md5(p, salt);
-- if (strcmp(pp, salt) == 0) {
-+ if (pp && strcmp(pp, salt) == 0) {
- retval = PAM_SUCCESS;
- } else {
-+ _pam_overwrite(pp);
-+ _pam_drop(pp);
- pp = Brokencrypt_md5(p, salt);
-- if (strcmp(pp, salt) == 0)
-+ if (pp && strcmp(pp, salt) == 0)
- retval = PAM_SUCCESS;
- }
- } else if (*salt == '$') {
-@@ -209,10 +213,10 @@
- * libcrypt nows about it? We should try it.
- */
- pp = x_strdup (crypt(p, salt));
-- if (strcmp(pp, salt) == 0) {
-+ if (pp && strcmp(pp, salt) == 0) {
- retval = PAM_SUCCESS;
- }
-- } else if ((*salt == '*') || (salt_len < 13)) {
-+ } else if (*salt == '*' || *salt == '!' || salt_len < 13) {
- retval = PAM_AUTH_ERR;
- } else {
- pp = bigcrypt(p, salt);
-@@ -223,24 +227,21 @@
- * have been truncated for storage relative to the output
- * of bigcrypt here. As such we need to compare only the
- * stored string with the subset of bigcrypt's result.
-- * Bug 521314: the strncmp comparison is for legacy support.
-+ * Bug 521314.
- */
-- if (strncmp(pp, salt, salt_len) == 0) {
-+ if (pp && salt_len == 13 && strlen(pp) > salt_len) {
-+ _pam_overwrite(pp+salt_len);
-+ }
-+
-+ if (pp && strcmp(pp, salt) == 0) {
- retval = PAM_SUCCESS;
- }
- }
- p = NULL; /* no longer needed here */
-
- /* clean up */
-- {
-- char *tp = pp;
-- if (pp != NULL) {
-- while (tp && *tp)
-- *tp++ = '\0';
-- free(pp);
-- }
-- pp = tp = NULL;
-- }
-+ _pam_overwrite(pp);
-+ _pam_drop(pp);
-
- return retval;
- }
diff --git a/pam-0.99.8.1-dbpam.patch b/pam-0.99.8.1-dbpam.patch
new file mode 100644
index 0000000..dfb7344
--- /dev/null
+++ b/pam-0.99.8.1-dbpam.patch
@@ -0,0 +1,11 @@
+--- Linux-PAM-0.99.8.1/configure.in.dbpam 2007-07-23 13:59:20.000000000 +0200
++++ Linux-PAM-0.99.8.1/configure.in 2007-07-23 14:06:54.000000000 +0200
+@@ -355,7 +355,7 @@
+ AC_HELP_STRING([--with-db-uniquename=extension],[Unique name for db libraries and functions.]))
+ if test x"$WITH_DB" != xno ; then
+ if test x"$WITH_DB" = xyes -o x"$WITH_DB" = xdb ; then
+- AC_CHECK_LIB([db$with_db_uniquename], [db_create$with_db_uniquename], LIBDB="-ldb$with_db_uniquename", LIBDB="")
++ AC_CHECK_LIB([db], [db_create$with_db_uniquename], LIBDB="-ldb", LIBDB="")
+ if test -z "$LIBDB" ; then
+ AC_CHECK_LIB([db$with_db_uniquename], [dbm_store$with_db_uniquename], LIBDB="-ldb$with_db_uniquename", LIBDB="")
+ fi
diff --git a/pam-0.99.7.1-unix-update-helper.patch b/pam-0.99.8.1-unix-update-helper.patch
similarity index 97%
rename from pam-0.99.7.1-unix-update-helper.patch
rename to pam-0.99.8.1-unix-update-helper.patch
index b8d253c..013b9f4 100644
--- a/pam-0.99.7.1-unix-update-helper.patch
+++ b/pam-0.99.8.1-unix-update-helper.patch
@@ -1,5 +1,5 @@
---- /dev/null 2007-05-28 11:10:34.936447748 +0200
-+++ Linux-PAM-0.99.7.1/modules/pam_unix/passupdate.c 2007-06-01 15:13:57.000000000 +0200
+--- /dev/null 2007-07-08 21:11:04.052436262 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_unix/passupdate.c 2007-07-23 13:40:56.000000000 +0200
@@ -0,0 +1,560 @@
+/*
+ * Main coding by Elliot Lee , Red Hat Software.
@@ -561,8 +561,8 @@
+ return PAM_AUTHTOK_ERR;
+ }
+}
---- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_acct.c.update-helper 2006-06-27 10:38:14.000000000 +0200
-+++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_acct.c 2007-06-01 15:13:57.000000000 +0200
+--- Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_acct.c.update-helper 2006-06-27 10:38:14.000000000 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_acct.c 2007-07-23 13:40:56.000000000 +0200
@@ -124,11 +124,11 @@
}
@@ -621,8 +621,8 @@
} else if (_unix_shadowed (pwent))
spent = pam_modutil_getspnam (pamh, uname);
else
---- Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c.update-helper 2007-06-01 15:13:57.000000000 +0200
-+++ Linux-PAM-0.99.7.1/modules/pam_unix/pam_unix_passwd.c 2007-06-01 15:13:57.000000000 +0200
+--- Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_passwd.c.update-helper 2007-04-30 12:47:30.000000000 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_unix/pam_unix_passwd.c 2007-07-23 13:54:55.000000000 +0200
@@ -2,6 +2,7 @@
* Main coding by Elliot Lee , Red Hat Software.
* Copyright (C) 1996.
@@ -838,7 +838,7 @@
static int check_old_password(const char *forwho, const char *newpass)
{
static char buf[16384];
-@@ -353,392 +335,6 @@
+@@ -354,393 +336,6 @@
return retval;
}
@@ -921,11 +921,12 @@
-
- while (fgets(buf, 16380, opwfile)) {
- if (!strncmp(buf, forwho, strlen(forwho))) {
+- char *sptr;
- buf[strlen(buf) - 1] = '\0';
-- s_luser = strtok(buf, ":");
-- s_uid = strtok(NULL, ":");
-- s_npas = strtok(NULL, ":");
-- s_pas = strtok(NULL, ":");
+- s_luser = strtok_r(buf, ":", &sptr);
+- s_uid = strtok_r(NULL, ":", &sptr);
+- s_npas = strtok_r(NULL, ":", &sptr);
+- s_pas = strtok_r(NULL, ":", &sptr);
- npas = strtol(s_npas, NULL, 10) + 1;
- while (npas > howmany) {
- s_pas = strpbrk(s_pas, ",");
@@ -1231,7 +1232,7 @@
static int _do_setpass(pam_handle_t* pamh, const char *forwho,
const char *fromwhat,
char *towhat, unsigned int ctrl, int remember)
-@@ -767,7 +363,7 @@
+@@ -769,7 +364,7 @@
/* Unlock passwd file to avoid deadlock */
#ifdef USE_LCKPWDF
@@ -1240,7 +1241,7 @@
#endif
unlocked = 1;
-@@ -830,33 +426,22 @@
+@@ -832,33 +427,22 @@
if (_unix_comesfromsource(pamh, forwho, 1, 0)) {
#ifdef USE_LCKPWDF
if(unlocked) {
@@ -1280,7 +1281,7 @@
if (retval == PAM_SUCCESS)
if (!_unix_shadowed(pwd))
retval = _update_passwd(pamh, forwho, "x");
-@@ -868,7 +453,7 @@
+@@ -870,7 +454,7 @@
done:
#ifdef USE_LCKPWDF
@@ -1289,7 +1290,7 @@
#endif
return retval;
-@@ -889,13 +474,17 @@
+@@ -891,13 +475,17 @@
if (_unix_shadowed(pwd)) {
/* ...and shadow password file entry for this user, if shadowing
is enabled */
@@ -1313,7 +1314,7 @@
#endif
if (spwdent == NULL)
return PAM_AUTHINFO_UNAVAIL;
-@@ -1018,7 +607,7 @@
+@@ -1020,7 +608,7 @@
int argc, const char **argv)
{
unsigned int ctrl, lctrl;
@@ -1322,7 +1323,7 @@
int remember = -1;
/* */
-@@ -1238,49 +827,40 @@
+@@ -1240,49 +828,40 @@
return retval;
}
#ifdef USE_LCKPWDF
@@ -1383,7 +1384,7 @@
#endif
return retval;
}
-@@ -1324,7 +904,7 @@
+@@ -1326,7 +905,7 @@
"out of memory for password");
pass_new = pass_old = NULL; /* tidy up */
#ifdef USE_LCKPWDF
@@ -1392,7 +1393,7 @@
#endif
return PAM_BUF_ERR;
}
-@@ -1347,7 +927,7 @@
+@@ -1349,7 +928,7 @@
retval = _do_setpass(pamh, user, pass_old, tpass, ctrl,
remember);
@@ -1401,8 +1402,8 @@
_pam_delete(tpass);
pass_old = pass_new = NULL;
---- /dev/null 2007-05-28 11:10:34.936447748 +0200
-+++ Linux-PAM-0.99.7.1/modules/pam_unix/passverify.h 2007-06-01 15:13:57.000000000 +0200
+--- /dev/null 2007-07-08 21:11:04.052436262 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_unix/passverify.h 2007-07-23 13:40:56.000000000 +0200
@@ -0,0 +1,60 @@
+/*
+ * This program is designed to run setuid(root) or with sufficient
@@ -1464,8 +1465,8 @@
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
---- Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c.update-helper 2007-06-01 15:13:57.000000000 +0200
-+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_chkpwd.c 2007-06-01 15:16:00.000000000 +0200
+--- Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c.update-helper 2007-03-12 15:35:14.000000000 +0100
++++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_chkpwd.c 2007-07-23 13:40:56.000000000 +0200
@@ -41,386 +41,7 @@
#include "md5.h"
@@ -1928,8 +1929,8 @@
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
---- /dev/null 2007-05-28 11:10:34.936447748 +0200
-+++ Linux-PAM-0.99.7.1/modules/pam_unix/unix_update.c 2007-06-01 15:13:57.000000000 +0200
+--- /dev/null 2007-07-08 21:11:04.052436262 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_unix/unix_update.c 2007-07-23 13:40:56.000000000 +0200
@@ -0,0 +1,262 @@
+/*
+ * This program is designed to run setuid(root) or with sufficient
@@ -2193,8 +2194,8 @@
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
---- /dev/null 2007-05-28 11:10:34.936447748 +0200
-+++ Linux-PAM-0.99.7.1/modules/pam_unix/passverify.c 2007-06-01 15:13:57.000000000 +0200
+--- /dev/null 2007-07-08 21:11:04.052436262 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_unix/passverify.c 2007-07-23 13:40:56.000000000 +0200
@@ -0,0 +1,308 @@
+/*
+ * This program is designed to run setuid(root) or with sufficient
@@ -2504,8 +2505,8 @@
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
---- Linux-PAM-0.99.7.1/modules/pam_unix/Makefile.am.update-helper 2006-12-18 19:50:50.000000000 +0100
-+++ Linux-PAM-0.99.7.1/modules/pam_unix/Makefile.am 2007-06-01 15:15:04.000000000 +0200
+--- Linux-PAM-0.99.8.1/modules/pam_unix/Makefile.am.update-helper 2006-12-18 19:50:50.000000000 +0100
++++ Linux-PAM-0.99.8.1/modules/pam_unix/Makefile.am 2007-07-23 13:40:56.000000000 +0200
@@ -16,7 +16,8 @@
secureconfdir = $(SCONFIGDIR)
diff --git a/pam.spec b/pam.spec
index c7caaed..83a0b08 100644
--- a/pam.spec
+++ b/pam.spec
@@ -6,12 +6,12 @@
%define pwdb_version 0.62
%define db_version 4.5.20
%define db_conflicting_version 4.6.0
-%define pam_redhat_version 0.99.7-1
+%define pam_redhat_version 0.99.8-1
Summary: A security tool which provides authentication for applications
Name: pam
-Version: 0.99.7.1
-Release: 6%{?dist}
+Version: 0.99.8.1
+Release: 1%{?dist}
License: GPL or BSD
Group: System Environment/Base
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@@ -27,27 +27,12 @@ Source10: config-util.5
Patch1: pam-0.99.7.0-redhat-modules.patch
Patch2: pam-0.99.7.1-console-more-displays.patch
Patch3: pam-0.99.7.1-console-decrement.patch
-Patch22: pam-0.99.7.1-unix-allow-pwmodify.patch
-Patch23: pam-0.99.7.1-unix-bigcrypt.patch
-Patch24: pam-0.99.7.1-unix-update-helper.patch
+Patch4: pam-0.99.8.1-dbpam.patch
+Patch24: pam-0.99.8.1-unix-update-helper.patch
Patch25: pam-0.99.7.1-unix-hpux-aging.patch
-Patch34: pam-0.99.7.0-dbpam.patch
-Patch70: pam-0.99.2.1-selinux-nofail.patch
-Patch80: pam-0.99.6.2-selinux-drop-multiple.patch
-Patch81: pam-0.99.3.0-cracklib-try-first-pass.patch
-Patch82: pam-0.99.3.0-tally-fail-close.patch
-Patch84: pam-0.99.6.2-selinux-keycreate.patch
-Patch86: pam-0.99.7.0-namespace-no-unmount.patch
-Patch87: pam-0.99.6.2-namespace-preserve-uid.patch
-Patch92: pam-0.99.6.2-selinux-select-context.patch
-Patch93: pam-0.99.7.0-namespace-level.patch
-Patch94: pam-0.99.7.0-namespace-unmnt-override.patch
-Patch95: pam-0.99.6.2-selinux-use-current-range.patch
-Patch96: pam-0.99.6.2-namespace-dirnames.patch
-Patch97: pam-0.99.7.1-namespace-unknown-user.patch
-Patch98: pam-0.99.6.2-selinux-audit-context.patch
-Patch99: pam-0.99.6.2-namespace-docfix.patch
-Patch100: pam-0.99.7.1-namespace-temp-logon.patch
+Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
+Patch32: pam-0.99.3.0-tally-fail-close.patch
+Patch40: pam-0.99.7.1-namespace-temp-logon.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: cracklib, cracklib-dicts >= 2.8
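Review bot: Dropping Patch22, Patch23 and Patch34 through Patch100 leaves no record in the spec of whether each one was merged into Linux-PAM 0.99.8.1 or intentionally abandoned, and the new changelog entry further down only says `upgrade to latest upstream version`; the `%prep` hunk that removes the matching `%patch` lines has the same gap. Several of the dropped patches carry security-relevant behaviour by name (selinux-nofail, selinux-keycreate, selinux-use-current-range, selinux-audit-context, the namespace series, unix-allow-pwmodify, unix-bigcrypt), so a future rebase needs to know they are upstream rather than lost. I'd add a changelog line such as `- drop patches merged upstream (selinux, namespace, unix-pwmodify, unix-bigcrypt)`, assuming that is in fact why they were removed; please confirm against the upstream 0.99.8.1 changes. Renumbering Patch34 to Patch4 also moves `%patch4 -p1 -b .dbpam` ahead of `%patch24` in `%prep`, which is harmless only if the two patches touch disjoint files.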
@@ -103,27 +88,12 @@ cp %{SOURCE7} .
%patch1 -p1 -b .redhat-modules
%patch2 -p1 -b .displays
%patch3 -p1 -b .decrement
-%patch22 -p1 -b .pwmodify
-%patch23 -p1 -b .bigcrypt
+%patch4 -p1 -b .dbpam
%patch24 -p1 -b .update-helper
%patch25 -p1 -b .unix-hpux-aging
-%patch34 -p1 -b .dbpam
-%patch70 -p1 -b .nofail
-%patch80 -p1 -b .drop-multiple
-%patch81 -p1 -b .try-first-pass
-%patch82 -p1 -b .fail-close
-%patch84 -p1 -b .keycreate
-%patch86 -p1 -b .no-unmount
-%patch87 -p1 -b .preserve-uid
-%patch92 -p1 -b .select-context
-%patch93 -p1 -b .level
-%patch94 -p1 -b .unmnt-override
-%patch95 -p1 -b .range
-%patch96 -p1 -b .dirnames
-%patch97 -p1 -b .unknown-user
-%patch98 -p1 -b .audit-context
-%patch99 -p1 -b .docfix
-%patch100 -p1 -b .temp-logon
+%patch31 -p1 -b .try-first-pass
+%patch32 -p1 -b .fail-close
+%patch40 -p1 -b .temp-logon
autoreconf
@@ -162,7 +132,8 @@ LDFLAGS=-L${topdir}/%{_lib} ; export LDFLAGS
%configure \
--libdir=/%{_lib} \
--includedir=%{_includedir}/security \
- --enable-isadir=../../%{_lib}/security
+ --enable-isadir=../../%{_lib}/security \
+ --with-db-uniquename=_pam
make
%install
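Review bot: The new `--with-db-uniquename=_pam` configure option is undocumented in the spec and is not a stock Linux-PAM configure flag, so a reader has to guess that it belongs to the rebased dbpam patch (Patch4) and the bundled db-%{db_version} built under `${topdir}`. I'd add a comment above the `%configure` call, e.g. `# _pam suffix for the bundled Berkeley DB symbols (Patch4, dbpam); see db_conflicting_version above`, and confirm the exact semantics against the patch's configure change, since the value is presumably what keeps the bundled db from clashing with a system libdb.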
@@ -413,6 +384,10 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
+* Mon Jul 23 2007 Tomas Mraz 0.99.8.1-1
+- upgrade to latest upstream version
+- add some firewire devices to default console perms (#240770)
+
* Thu Apr 26 2007 Tomas Mraz 0.99.7.1-6
- pam_namespace: better document behavior on failure (#237249)
- pam_unix: split out passwd change to a new helper binary (#236316)
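Review bot: The changelog line `add some firewire devices to default console perms (#240770)` describes a change that does not appear anywhere in this diff; presumably it arrives through the pam-redhat-0.99.8-1 tarball bump rather than a patch, and the entry should say so, since console.perms changes alter which device nodes console users are granted access to. Something like `- add some firewire devices to default console perms (#240770, via pam-redhat-0.99.8-1)` keeps that permission change traceable to its source.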
diff --git a/sources b/sources
index d583211..02424fc 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
b0f1c777708cb8e9d37fb47e7ed3312d db-4.5.20.tar.gz
-66845048120c71205bd3363264f2bfe7 pam-redhat-0.99.7-1.tar.bz2
-385458dfb4633071594e255a6ebec9da Linux-PAM-0.99.7.1.tar.bz2
+2a23dc703b550223206021ff03b1e434 pam-redhat-0.99.8-1.tar.bz2
+a6472db4afe13850cb401922211bba4e Linux-PAM-0.99.8.1.tar.bz2