rpms/pam
7
0
Fork 0
Code Issues Pull Requests Releases Activity

- properly include /var/log/faillog and tallylog as ghosts and create them

Browse Source 
in post script (#209646)
- update gmo files as we patch some po files (#218271)
- add use_current_range option to pam_selinux (#220487)
- improve the role selection in pam_selinux
- remove shortcut on Password: in ja locale (#218271)
- revert to old euid and not ruid when setting euid in pam_keyinit
    (#219486)
- rename selinux-namespace patch to namespace-level
This commit is contained in:
Tomáš Mráz 2007-01-16 20:14:28 +00:00
parent 7ce306a7c7
commit 8a453fc0be
3 changed files with 233 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

106
pam-0.99.6.2-selinux-select-context.patch
View File

@ -29,8 +29,8 @@
</refsect1>
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2006-12-27 10:59:06.000000000 -0500
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-03 13:40:24.000000000 -0500
@@ -63,8 +63,10 @@
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-03 16:06:21.000000000 -0500
@@ -63,9 +63,64 @@
#include <selinux/selinux.h>
#include <selinux/get_context_list.h>
#include <selinux/flask.h>
@ -39,9 +39,63 @@
#include <selinux/context.h>
+#include <selinux/get_default_type.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#include <sys/select.h>
+#include <errno.h>
+#endif
+
+/* Send audit message */
+static
+
+int send_audit_message(pam_handle_t *pamh, int success, security_context_t default_context,
+ security_context_t selected_context)
+{
+ int rc=0;
+#ifdef HAVE_LIBAUDIT
+ char *msg = NULL;
+ int audit_fd = audit_open();
+ security_context_t default_raw=NULL;
+ security_context_t selected_raw=NULL;
+ rc = -1;
+ if (audit_fd < 0) {
+ pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.\n"));
+ return rc;
+ }
+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+ pam_syslog(pamh, LOG_ERR, _("Error translating default context.\n"));
+ goto out;
+ }
+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
+ pam_syslog(pamh, LOG_ERR, _("Error translating selected context.\n"));
+ goto out;
+ }
+ if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
+ default_context ? default_raw : "?",
+ selected_context ? selected_raw : "?") < 0) {
+ pam_syslog(pamh, LOG_ERR, ("Error allocating memory.\n"));
+ goto out;
+ }
+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+ msg, NULL, NULL, NULL, success) <= 0) {
+ pam_syslog(pamh, LOG_ERR, _("Error sending audit message.\n"));
+ goto out;
+ }
+ rc = 0;
+ out:
+ free(msg);
+ freecon(default_raw);
+ free(selected_raw);
+ close(audit_fd);
+#else
+ pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success);
+#endif
+ return rc;
+}
static int
send_text (pam_handle_t *pamh, const char *text, int debug)
@@ -79,69 +81,64 @@
{
@@ -79,69 +134,64 @@
* is responsible for freeing the responses.
*/
static int
@ -77,7 +131,7 @@
while (1) {
query_response(pamh,
- _("Would you like to enter a security context? [y] "),
+ _("Would you like to enter a security context? [n] "), NULL,
+ _("Would you like to enter a security context? [N] "), NULL,
&responses,debug);
- if ((responses[0] == 'y') || (responses[0] == 'Y') ||
- (responses[0] == '\0') )
@ -144,7 +198,7 @@
}
/* Get the string value of the context and see if it is valid. */
if (!security_check_context(context_str(new_context))) {
@@ -151,14 +148,125 @@
@@ -151,14 +201,125 @@
}
else
send_text(pamh,_("Not a valid security context"),debug);
@ -270,7 +324,7 @@
}
static void
@@ -273,10 +381,11 @@
@@ -273,13 +434,15 @@
{
int i, debug = 0, ttys=1, has_tty=isatty(0);
int verbose=0, close_session=0;
@ -283,7 +337,11 @@
const void *tty = NULL;
char *seuser=NULL;
char *level=NULL;
@@ -295,6 +404,9 @@
+ security_context_t default_user_context=NULL;
/* Parse arguments. */
for (i = 0; i < argc; i++) {
@@ -295,6 +458,9 @@
if (strcmp(argv[i], "close") == 0) {
close_session = 1;
}
@ -293,7 +351,7 @@
}
if (debug)
@@ -307,7 +419,7 @@
@@ -307,7 +473,7 @@
if (!(selinux_enabled = is_selinux_enabled()>0) )
return PAM_SUCCESS;
@ -302,7 +360,7 @@
username == NULL) {
return PAM_USER_UNKNOWN;
}
@@ -319,19 +431,38 @@
@@ -319,19 +485,38 @@
&contextlist);
if (debug)
pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
@ -313,18 +371,18 @@
}
if (num_contexts > 0) {
- user_context = (security_context_t) strdup(contextlist[0]);
+ security_context_t puser_context=strdup(contextlist[0]);
+ default_user_context=strdup(contextlist[0]);
freeconary(contextlist);
- } else {
+ if (puser_context == NULL) {
+ if (default_user_context == NULL) {
+ pam_syslog(pamh, LOG_ERR, _("Out of memory"));
+ return PAM_AUTH_ERR;
+ }
+ user_context = puser_context;
+ if (select_context && has_tty) {
+ user_context = config_context(pamh, puser_context, debug);
+ freecon(puser_context);
+ user_context = config_context(pamh, default_user_context, debug);
+ if (user_context == NULL) {
+ send_audit_message(pamh, 0, default_user_context, default_user_context);
+ freecon(default_user_context);
+ pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"),
+ username);
+ pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username);
@ -346,7 +404,7 @@
if (security_getenforce() == 1)
return PAM_AUTH_ERR;
else
@@ -340,7 +471,7 @@
@@ -340,7 +525,7 @@
} else {
pam_syslog (pamh, LOG_ERR,
"Unable to get valid context for %s, No valid tty",
@ -355,7 +413,17 @@
if (security_getenforce() == 1)
return PAM_AUTH_ERR;
else
@@ -381,7 +512,7 @@
@@ -371,6 +556,9 @@
ttyn=strdup(tty);
ttyn_context=security_label_tty(pamh,ttyn,user_context);
}
+ send_audit_message(pamh, 1, default_user_context, user_context);
+ freecon(default_user_context);
+
ret = setexeccon(user_context);
if (ret==0 && verbose) {
char msg[PATH_MAX];
@@ -381,7 +569,7 @@
if (ret) {
pam_syslog(pamh, LOG_ERR,
"Error! Unable to set %s executable context %s.",
@ -364,7 +432,7 @@
if (security_getenforce() == 1) {
freecon(user_context);
return PAM_AUTH_ERR;
@@ -389,7 +520,7 @@
@@ -389,7 +577,7 @@
} else {
if (debug)
pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
@ -373,7 +441,7 @@
}
#ifdef HAVE_SETKEYCREATECON
ret = setkeycreatecon(user_context);
@@ -402,7 +533,7 @@
@@ -402,7 +590,7 @@
if (ret) {
pam_syslog(pamh, LOG_ERR,
"Error! Unable to set %s key creation context %s.",
@ -382,7 +450,7 @@
if (security_getenforce() == 1) {
freecon(user_context);
return PAM_AUTH_ERR;
@@ -410,7 +541,7 @@
@@ -410,7 +598,7 @@
} else {
if (debug)
pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",

113
pam-0.99.6.2-selinux-use-current-range.patch Normal file
View File

@ -0,0 +1,113 @@
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.range 2007-01-04 23:29:04.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-05 13:30:31.000000000 +0100
@@ -435,6 +435,7 @@
int i, debug = 0, ttys=1, has_tty=isatty(0);
int verbose=0, close_session=0;
int select_context = 0;
+ int use_current_range = 0;
int ret = 0;
security_context_t* contextlist = NULL;
int num_contexts = 0;
@@ -461,11 +462,19 @@
if (strcmp(argv[i], "select_context") == 0) {
select_context = 1;
}
+ if (strcmp(argv[i], "use_current_range") == 0) {
+ use_current_range = 1;
+ }
}
-
+
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Open Session");
+ if (select_context && use_current_range) {
+ pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range");
+ select_context = 0;
+ }
+
/* this module is only supposed to execute close_session */
if (close_session)
return PAM_SUCCESS;
@@ -532,6 +541,51 @@
return PAM_SUCCESS;
}
}
+
+ if (use_current_range && is_selinux_mls_enabled()) {
+ security_context_t process_context=NULL;
+ if (getcon(&process_context) == 0) {
+ context_t pcon, ucon;
+ char *process_level=NULL;
+ security_context_t orig_context;
+
+ if (user_context)
+ orig_context = user_context;
+ else
+ orig_context = default_user_context;
+
+ pcon = context_new(process_context);
+ freecon(process_context);
+ process_level = strdup(context_range_get(pcon));
+ context_free(pcon);
+
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG, "process level=%s", process_level);
+
+ ucon = context_new(orig_context);
+
+ context_range_set(ucon, process_level);
+ free(process_level);
+
+ if (!mls_range_allowed(pamh, orig_context, context_str(ucon), debug)) {
+ send_text(pamh, _("Requested MLS level not in permitted range"), debug);
+ /* even if default_user_context is NULL audit that anyway */
+ send_audit_message(pamh, 0, default_user_context, context_str(ucon));
+ context_free(ucon);
+ return PAM_AUTH_ERR;
+ }
+
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG, "adjusted context=%s", context_str(ucon));
+
+ /* replace the user context with the level adjusted one */
+ freecon(user_context);
+ user_context = strdup(context_str(ucon));
+
+ context_free(ucon);
+ }
+ }
+
if (getexeccon(&prev_user_context)<0) {
prev_user_context=NULL;
}
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.range 2007-01-04 23:29:04.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-01-04 23:35:03.000000000 +0100
@@ -36,6 +36,9 @@
<arg choice="opt">
select_context
</arg>
+ <arg choice="opt">
+ use_current_range
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -132,6 +135,17 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>use_current_range</option>
+ </term>
+ <listitem>
+ <para>
+ Use the sensitivity range of the process for the user context.
+ This option and the select_context option are mutually exclusive.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>

43
pam.spec
View File

@ -11,7 +11,7 @@
Summary: A security tool which provides authentication for applications
Name: pam
Version: 0.99.6.2
Release: 7%{?dist}
Release: 8%{?dist}
License: GPL or BSD
Group: System Environment/Base
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@ -40,8 +40,10 @@ Patch89: pam-0.99.6.2-namespace-overflow.patch
Patch90: pam-0.99.6.2-keyinit-setgid.patch
Patch91: pam-0.99.6.2-unix-username.patch
Patch92: pam-0.99.6.2-selinux-select-context.patch
Patch93: pam-0.99.6.2-namespace-level.patch
Patch94: pam-0.99.6.2-ja-no-shortcut.patch
Patch95: pam-0.99.6.2-selinux-use-current-range.patch
Patch100: pam-0.99.6.2-reconf.patch
Patch101: pam-0.99.6.2-selinux-namespace.patch
BuildRoot: %{_tmppath}/%{name}-root
Requires: cracklib, cracklib-dicts >= 2.8
@ -50,7 +52,7 @@ Prereq: grep, mktemp, sed, coreutils, /sbin/ldconfig
BuildRequires: autoconf, automake, libtool
BuildRequires: bison, flex, sed
BuildRequires: cracklib-devel, cracklib-dicts >= 2.8
BuildRequires: perl, pkgconfig
BuildRequires: perl, pkgconfig, gettext
%if %{WITH_AUDIT}
BuildRequires: audit-libs-devel >= 1.0.8
Requires: audit-libs >= 1.0.8
@ -109,9 +111,10 @@ cp %{SOURCE7} .
%patch90 -p1 -b .setgid
%patch91 -p1 -b .username
%patch92 -p1 -b .select-context
%patch93 -p1 -b .selinux-namespace
%patch94 -p1 -b .no-shortcut
%patch95 -p1 -b .range
%patch100 -p1 -b .reconf
%patch101 -p1 -b .selinux-namespace
#autoreconf
%build
@ -150,6 +153,10 @@ LDFLAGS=-L${topdir}/%{_lib} ; export LDFLAGS
--libdir=/%{_lib} \
--includedir=%{_includedir}/security \
--enable-isadir=../../%{_lib}/security
# we must explicitely update-gmo as we patch a po file
pushd po
make update-gmo
popd
make
%install
@ -280,6 +287,12 @@ if [ "$USEMD5" = "no" ] ; then
rm -f $tmp
fi
fi
if [ ! -a /var/log/faillog ] ; then
install -m 600 /dev/null /var/log/faillog
fi
if [ ! -a /var/log/tallylog ] ; then
install -m 600 /dev/null /var/log/tallylog
fi
%postun -p /sbin/ldconfig
@ -372,8 +385,8 @@ fi
%dir %{_sysconfdir}/security/console.perms.d
%config %{_sysconfdir}/security/console.perms.d/50-default.perms
%dir /var/run/console
%config(noreplace) %verify(not md5 size mtime) /var/log/faillog
%config(noreplace) %verify(not md5 size mtime) /var/log/tallylog
%ghost %verify(not md5 size mtime) /var/log/faillog
%ghost %verify(not md5 size mtime) /var/log/tallylog
%{_mandir}/man5/*
%{_mandir}/man8/*
@ -388,12 +401,22 @@ fi
%doc doc/adg/*.txt doc/adg/html
%changelog
* Tue Jan 16 2007 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-8
- properly include /var/log/faillog and tallylog as ghosts
and create them in post script (#209646)
- update gmo files as we patch some po files (#218271)
- add use_current_range option to pam_selinux (#220487)
- improve the role selection in pam_selinux
- remove shortcut on Password: in ja locale (#218271)
- revert to old euid and not ruid when setting euid in pam_keyinit (#219486)
- rename selinux-namespace patch to namespace-level
* Thu Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 0.99.6.2-7
- Fix selection of role
- fix selection of role
* Thu Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 0.99.6.2-6
- Fix pam_namespace to only change MLS componant
Resolves: Bug #216184
- add possibility to pam_namespace to only change MLS component
- Resolves: Bug #216184
* Thu Nov 30 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-5
- add select-context option to pam_selinux (#213812)