From 76f4b127d2f34da40aed776819d8772a601bd3fa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Mr=C3=A1z?=
Date: Thu, 29 Oct 2009 15:54:52 +0000
Subject: [PATCH] - pam_xauth: set the approprate context when creating .xauth files (#531530)
---
 pam-1.1.0-xauth-context.patch | 92 +++++++++++++++++++++++++++++++++++
 pam.spec | 7 ++-
 2 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 pam-1.1.0-xauth-context.patch
diff --git a/pam-1.1.0-xauth-context.patch b/pam-1.1.0-xauth-context.patch
new file mode 100644
index 0000000..91c08ba
--- /dev/null
+++ b/pam-1.1.0-xauth-context.patch
@@ -0,0 +1,92 @@
+diff -up Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am.xauth-context Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am
+--- Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am.xauth-context 2006-06-09 18:44:08.000000000 +0200
++++ Linux-PAM-1.1.0/modules/pam_xauth/Makefile.am 2009-10-29 14:34:18.000000000 +0100
+@@ -16,7 +16,7 @@ secureconfdir = $(SCONFIGDIR)
+ 
+ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
+ AM_LDFLAGS = -no-undefined -avoid-version -module \
+- -L$(top_builddir)/libpam -lpam
++ -L$(top_builddir)/libpam -lpam @LIBSELINUX@
+ if HAVE_VERSIONING
+ AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+diff -up Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c.xauth-context Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c
+--- Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c.xauth-context 2009-04-09 10:07:29.000000000 +0200
++++ Linux-PAM-1.1.0/modules/pam_xauth/pam_xauth.c 2009-10-29 16:13:21.000000000 +0100
+@@ -57,6 +57,12 @@
+ #include
+ #include
+ 
++#ifdef WITH_SELINUX
++#include
++#include
++#include
++#endif
++
+ #define DATANAME "pam_xauth_cookie_file"
+ #define XAUTHENV "XAUTHORITY"
+ #define HOMEENV "HOME"
+@@ -461,6 +467,10 @@ pam_sm_open_session (pam_handle_t *pamh,
+ getuid(), getgid(),
+ xauth, "-f", cookiefile, "nlist", display,
+ NULL) == 0) {
++ int save_errno;
++#ifdef WITH_SELINUX
++ security_context_t context = NULL;
++#endif
+ /* Check that we got a cookie. If not, we get creative. */
+ if (((cookie == NULL) || (strlen(cookie) == 0)) &&
+ ((strncmp(display, "localhost:", 10) == 0) ||
+@@ -545,12 +555,41 @@ pam_sm_open_session (pam_handle_t *pamh,
+ /* Generate a new file to hold the data. */
+ euid = geteuid();
+ setfsuid(tpwd->pw_uid);
+- fd = mkstemp(xauthority + strlen(XAUTHENV) + 1);
++
++#ifdef WITH_SELINUX
++ if (is_selinux_enabled() > 0) {
++ struct selabel_handle *ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
++ if (ctx != NULL) {
++ if (selabel_lookup(ctx, &context,
++ xauthority + sizeof(XAUTHENV), S_IFREG) != 0) {
++ pam_syslog(pamh, LOG_WARNING,
++ "could not get SELinux label for '%s'",
++ xauthority + sizeof(XAUTHENV));
++ }
++ selabel_close(ctx);
++ if (setfscreatecon(context)) {
++ pam_syslog(pamh, LOG_WARNING,
++ "setfscreatecon(%s) failed: %m", context);
++ }
++ }
++ }
++ fd = mkstemp(xauthority + sizeof(XAUTHENV));
++ save_errno = errno;
++ if (context != NULL) {
++ free(context);
++ setfscreatecon(NULL);
++ }
++#else
++ fd = mkstemp(xauthority + sizeof(XAUTHENV));
++ save_errno = errno;
++#endif
++
+ setfsuid(euid);
+ if (fd == -1) {
++ errno = save_errno;
+ pam_syslog(pamh, LOG_ERR,
+ "error creating temporary file `%s': %m",
+- xauthority + strlen(XAUTHENV) + 1);
++ xauthority + sizeof(XAUTHENV));
+ retval = PAM_SESSION_ERR;
+ goto cleanup;
+ }
+@@ -563,7 +602,7 @@ pam_sm_open_session (pam_handle_t *pamh,
+ /* Get a copy of the filename to save as a data item for
+ * removal at session-close time. */
+ free(cookiefile);
+- cookiefile = strdup(xauthority + strlen(XAUTHENV) + 1);
++ cookiefile = strdup(xauthority + sizeof(XAUTHENV));
+ 
+ /* Save the filename. */
+ if (pam_set_data(pamh, DATANAME, cookiefile, cleanup) != PAM_SUCCESS) {
diff --git a/pam.spec b/pam.spec
index 1676b5a..738acb2 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.1.0
-Release: 5%{?dist}
+Release: 6%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 License: BSD and GPLv2+
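Review bot: In the `@@ -545,12 +555,41 @@` hunk of pam_xauth.c, `context` is still NULL when `selabel_lookup()` has failed, and the failure branch of `setfscreatecon(context)` then hands that NULL to `%s` in `"setfscreatecon(%s) failed: %m"`; log it as `context != NULL ? context : "(default)"` so a failing `setfscreatecon(NULL)` does not format a null pointer. The same block releases the lookup result with `free(context)`, whereas libselinux documents `freecon(context)` as the release call for a `security_context_t`, so `freecon(context);` is the contract-safe form. Note also that the label is looked up on the `mkstemp()` template (`xauthority + sizeof(XAUTHENV)`, still ending in `XXXXXX`) rather than on the file that is actually created; this presumably matches the usual `\.xauth.*` file_contexts patterns, but a one-line comment such as `/* label is resolved from the template name, not the final name */` would make the assumption explicit. `pam_sm_open_session` begins and ends outside this hunk.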
@@ -26,6 +26,7 @@ Patch2: pam-1.0.91-std-noclose.patch
 Patch3: pam-1.1.0-cracklib-authtok.patch
 Patch4: pam-1.1.0-console-nochmod.patch
 Patch5: pam-1.1.0-notally.patch
+Patch6: pam-1.1.0-xauth-context.patch
 
 %define _sbindir /sbin
 %define _moduledir /%{_lib}/security
@@ -91,6 +92,7 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch3 -p1 -b .authtok
 %patch4 -p1 -b .nochmod
 %patch5 -p1 -b .notally
+%patch6 -p1 -b .xauth-context
 
 libtoolize -f
 autoreconf
@@ -323,6 +325,9 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Thu Oct 29 2009 Tomas Mraz 1.1.0-6
+- pam_xauth: set the approprate context when creating .xauth files (#531530)
+
 * Tue Sep 1 2009 Tomas Mraz 1.1.0-5
 - do not change permissions with pam_console_apply
 - drop obsolete pam_tally module and the faillog file (#461258)