- properly include /var/log/faillog and tallylog as ghosts and create them in post script (#209646)
- update gmo files as we patch some po files (#218271)
- add use_current_range option to pam_selinux (#220487)
- improve the role selection in pam_selinux
- remove shortcut on Password: in ja locale (#218271)
- revert to old euid and not ruid when setting euid in pam_keyinit
    (#219486)
- rename selinux-namespace patch to namespace-level
Tomáš Mráz 2007-01-16 20:14:28 +00:00
parent 7ce306a7c7
commit 8a453fc0be
3 changed files with 233 additions and 29 deletions


@ -29,8 +29,8 @@
</refsect1> </refsect1>
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2006-12-27 10:59:06.000000000 -0500 --- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2006-12-27 10:59:06.000000000 -0500
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-03 13:40:24.000000000 -0500 +++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-03 16:06:21.000000000 -0500
@@ -63,8 +63,10 @@ @@ -63,9 +63,64 @@
#include <selinux/selinux.h> #include <selinux/selinux.h>
#include <selinux/get_context_list.h> #include <selinux/get_context_list.h>
#include <selinux/flask.h> #include <selinux/flask.h>
@ -39,9 +39,63 @@
#include <selinux/context.h> #include <selinux/context.h>
+#include <selinux/get_default_type.h> +#include <selinux/get_default_type.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#include <sys/select.h>
+#include <errno.h>
+#endif
+
+/* Send audit message */
+static
+
+int send_audit_message(pam_handle_t *pamh, int success, security_context_t default_context,
+ security_context_t selected_context)
+{
+ int rc=0;
+#ifdef HAVE_LIBAUDIT
+ char *msg = NULL;
+ int audit_fd = audit_open();
+ security_context_t default_raw=NULL;
+ security_context_t selected_raw=NULL;
+ rc = -1;
+ if (audit_fd < 0) {
+ pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.\n"));
+ return rc;
+ }
+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
+ pam_syslog(pamh, LOG_ERR, _("Error translating default context.\n"));
+ goto out;
+ }
+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
+ pam_syslog(pamh, LOG_ERR, _("Error translating selected context.\n"));
+ goto out;
+ }
+ if (asprintf(&msg, "pam: default-context=%s selected-context=%s",
+ default_context ? default_raw : "?",
+ selected_context ? selected_raw : "?") < 0) {
+ pam_syslog(pamh, LOG_ERR, ("Error allocating memory.\n"));
+ goto out;
+ }
+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
+ msg, NULL, NULL, NULL, success) <= 0) {
+ pam_syslog(pamh, LOG_ERR, _("Error sending audit message.\n"));
+ goto out;
+ }
+ rc = 0;
+ out:
+ free(msg);
+ freecon(default_raw);
+ free(selected_raw);
+ close(audit_fd);
+#else
+ pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success);
+#endif
+ return rc;
+}
static int static int
send_text (pam_handle_t *pamh, const char *text, int debug) send_text (pam_handle_t *pamh, const char *text, int debug)
@@ -79,69 +81,64 @@ {
@@ -79,69 +134,64 @@
* is responsible for freeing the responses. * is responsible for freeing the responses.
*/ */
static int static int
@ -77,7 +131,7 @@
while (1) { while (1) {
query_response(pamh, query_response(pamh,
- _("Would you like to enter a security context? [y] "), - _("Would you like to enter a security context? [y] "),
+ _("Would you like to enter a security context? [n] "), NULL, + _("Would you like to enter a security context? [N] "), NULL,
&responses,debug); &responses,debug);
- if ((responses[0] == 'y') || (responses[0] == 'Y') || - if ((responses[0] == 'y') || (responses[0] == 'Y') ||
- (responses[0] == '\0') ) - (responses[0] == '\0') )
@ -144,7 +198,7 @@
} }
/* Get the string value of the context and see if it is valid. */ /* Get the string value of the context and see if it is valid. */
if (!security_check_context(context_str(new_context))) { if (!security_check_context(context_str(new_context))) {
@@ -151,14 +148,125 @@ @@ -151,14 +201,125 @@
} }
else else
send_text(pamh,_("Not a valid security context"),debug); send_text(pamh,_("Not a valid security context"),debug);
@ -270,7 +324,7 @@
} }
static void static void
@@ -273,10 +381,11 @@ @@ -273,13 +434,15 @@
{ {
int i, debug = 0, ttys=1, has_tty=isatty(0); int i, debug = 0, ttys=1, has_tty=isatty(0);
int verbose=0, close_session=0; int verbose=0, close_session=0;
@ -283,7 +337,11 @@
const void *tty = NULL; const void *tty = NULL;
char *seuser=NULL; char *seuser=NULL;
char *level=NULL; char *level=NULL;
@@ -295,6 +404,9 @@ + security_context_t default_user_context=NULL;
/* Parse arguments. */
for (i = 0; i < argc; i++) {
@@ -295,6 +458,9 @@
if (strcmp(argv[i], "close") == 0) { if (strcmp(argv[i], "close") == 0) {
close_session = 1; close_session = 1;
} }
@ -293,7 +351,7 @@
} }
if (debug) if (debug)
@@ -307,7 +419,7 @@ @@ -307,7 +473,7 @@
if (!(selinux_enabled = is_selinux_enabled()>0) ) if (!(selinux_enabled = is_selinux_enabled()>0) )
return PAM_SUCCESS; return PAM_SUCCESS;
@ -302,7 +360,7 @@
username == NULL) { username == NULL) {
return PAM_USER_UNKNOWN; return PAM_USER_UNKNOWN;
} }
@@ -319,19 +431,38 @@ @@ -319,19 +485,38 @@
&contextlist); &contextlist);
if (debug) if (debug)
pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
@ -313,18 +371,18 @@
} }
if (num_contexts > 0) { if (num_contexts > 0) {
- user_context = (security_context_t) strdup(contextlist[0]); - user_context = (security_context_t) strdup(contextlist[0]);
+ security_context_t puser_context=strdup(contextlist[0]); + default_user_context=strdup(contextlist[0]);
freeconary(contextlist); freeconary(contextlist);
- } else { - } else {
+ if (puser_context == NULL) { + if (default_user_context == NULL) {
+ pam_syslog(pamh, LOG_ERR, _("Out of memory")); + pam_syslog(pamh, LOG_ERR, _("Out of memory"));
+ return PAM_AUTH_ERR; + return PAM_AUTH_ERR;
+ } + }
+ user_context = puser_context;
+ if (select_context && has_tty) { + if (select_context && has_tty) {
+ user_context = config_context(pamh, puser_context, debug); + user_context = config_context(pamh, default_user_context, debug);
+ freecon(puser_context);
+ if (user_context == NULL) { + if (user_context == NULL) {
+ send_audit_message(pamh, 0, default_user_context, default_user_context);
+ freecon(default_user_context);
+ pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"), + pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"),
+ username); + username);
+ pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username); + pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username);
@ -346,7 +404,7 @@
if (security_getenforce() == 1) if (security_getenforce() == 1)
return PAM_AUTH_ERR; return PAM_AUTH_ERR;
else else
@@ -340,7 +471,7 @@ @@ -340,7 +525,7 @@
} else { } else {
pam_syslog (pamh, LOG_ERR, pam_syslog (pamh, LOG_ERR,
"Unable to get valid context for %s, No valid tty", "Unable to get valid context for %s, No valid tty",
@ -355,7 +413,17 @@
if (security_getenforce() == 1) if (security_getenforce() == 1)
return PAM_AUTH_ERR; return PAM_AUTH_ERR;
else else
@@ -381,7 +512,7 @@ @@ -371,6 +556,9 @@
ttyn=strdup(tty);
ttyn_context=security_label_tty(pamh,ttyn,user_context);
}
+ send_audit_message(pamh, 1, default_user_context, user_context);
+ freecon(default_user_context);
+
ret = setexeccon(user_context);
if (ret==0 && verbose) {
char msg[PATH_MAX];
@@ -381,7 +569,7 @@
if (ret) { if (ret) {
pam_syslog(pamh, LOG_ERR, pam_syslog(pamh, LOG_ERR,
"Error! Unable to set %s executable context %s.", "Error! Unable to set %s executable context %s.",
@ -364,7 +432,7 @@
if (security_getenforce() == 1) { if (security_getenforce() == 1) {
freecon(user_context); freecon(user_context);
return PAM_AUTH_ERR; return PAM_AUTH_ERR;
@@ -389,7 +520,7 @@ @@ -389,7 +577,7 @@
} else { } else {
if (debug) if (debug)
pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
@ -373,7 +441,7 @@
} }
#ifdef HAVE_SETKEYCREATECON #ifdef HAVE_SETKEYCREATECON
ret = setkeycreatecon(user_context); ret = setkeycreatecon(user_context);
@@ -402,7 +533,7 @@ @@ -402,7 +590,7 @@
if (ret) { if (ret) {
pam_syslog(pamh, LOG_ERR, pam_syslog(pamh, LOG_ERR,
"Error! Unable to set %s key creation context %s.", "Error! Unable to set %s key creation context %s.",
@ -382,7 +450,7 @@
if (security_getenforce() == 1) { if (security_getenforce() == 1) {
freecon(user_context); freecon(user_context);
return PAM_AUTH_ERR; return PAM_AUTH_ERR;
@@ -410,7 +541,7 @@ @@ -410,7 +598,7 @@
} else { } else {
if (debug) if (debug)
pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s", pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",
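Review bot: In the `send_audit_message` hunk, the cleanup at `out:` releases the two raw contexts differently — `freecon(default_raw)` but `free(selected_raw)` — although both come from `selinux_trans_to_raw_context()`; use `freecon(selected_raw);` for both so the allocator pairing stays with the libselinux API, and likewise release the descriptor from `audit_open()` with `audit_close(audit_fd);` rather than a bare `close()`. The allocation-failure message is the only one in the function not wrapped for translation: `pam_syslog(pamh, LOG_ERR, _("Error allocating memory.\n"));`. The `default_context ? default_raw : "?"` guards in the `asprintf` call come after both contexts have already been handed to `selinux_trans_to_raw_context()` (and the `#else` branch formats them with `%s` unguarded), while the second patch's comment `even if default_user_context is NULL audit that anyway` suggests a NULL context does reach this function — either confirm the translation call accepts NULL or skip it and log `"?"` for a NULL input. The `+static` / blank `+` / `+int send_audit_message(` split reads like a paste artefact; keep the storage class on the signature line.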


@ -0,0 +1,113 @@
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.range 2007-01-04 23:29:04.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-05 13:30:31.000000000 +0100
@@ -435,6 +435,7 @@
int i, debug = 0, ttys=1, has_tty=isatty(0);
int verbose=0, close_session=0;
int select_context = 0;
+ int use_current_range = 0;
int ret = 0;
security_context_t* contextlist = NULL;
int num_contexts = 0;
@@ -461,11 +462,19 @@
if (strcmp(argv[i], "select_context") == 0) {
select_context = 1;
}
+ if (strcmp(argv[i], "use_current_range") == 0) {
+ use_current_range = 1;
+ }
}
-
+
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Open Session");
+ if (select_context && use_current_range) {
+ pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range");
+ select_context = 0;
+ }
+
/* this module is only supposed to execute close_session */
if (close_session)
return PAM_SUCCESS;
@@ -532,6 +541,51 @@
return PAM_SUCCESS;
}
}
+
+ if (use_current_range && is_selinux_mls_enabled()) {
+ security_context_t process_context=NULL;
+ if (getcon(&process_context) == 0) {
+ context_t pcon, ucon;
+ char *process_level=NULL;
+ security_context_t orig_context;
+
+ if (user_context)
+ orig_context = user_context;
+ else
+ orig_context = default_user_context;
+
+ pcon = context_new(process_context);
+ freecon(process_context);
+ process_level = strdup(context_range_get(pcon));
+ context_free(pcon);
+
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG, "process level=%s", process_level);
+
+ ucon = context_new(orig_context);
+
+ context_range_set(ucon, process_level);
+ free(process_level);
+
+ if (!mls_range_allowed(pamh, orig_context, context_str(ucon), debug)) {
+ send_text(pamh, _("Requested MLS level not in permitted range"), debug);
+ /* even if default_user_context is NULL audit that anyway */
+ send_audit_message(pamh, 0, default_user_context, context_str(ucon));
+ context_free(ucon);
+ return PAM_AUTH_ERR;
+ }
+
+ if (debug)
+ pam_syslog (pamh, LOG_DEBUG, "adjusted context=%s", context_str(ucon));
+
+ /* replace the user context with the level adjusted one */
+ freecon(user_context);
+ user_context = strdup(context_str(ucon));
+
+ context_free(ucon);
+ }
+ }
+
if (getexeccon(&prev_user_context)<0) {
prev_user_context=NULL;
}
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.range 2007-01-04 23:29:04.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-01-04 23:35:03.000000000 +0100
@@ -36,6 +36,9 @@
<arg choice="opt">
select_context
</arg>
+ <arg choice="opt">
+ use_current_range
+ </arg>
</cmdsynopsis>
</refsynopsisdiv>
@@ -132,6 +135,17 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>use_current_range</option>
+ </term>
+ <listitem>
+ <para>
+ Use the sensitivity range of the process for the user context.
+ This option and the select_context option are mutually exclusive.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
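Review bot: In the hunk at `@@ -532,6 +541,51 @@`, the results of `context_new()`, `context_range_get()` and both `strdup()` calls are used unchecked: `strdup(context_range_get(pcon))` hands NULL to `strdup` when the process context carries no range or `context_new()` failed, and `context_range_set(ucon, process_level)` gets a NULL `ucon` on allocation failure. The replacement `user_context = strdup(context_str(ucon));` matters most, because on failure `user_context` is NULL after the original was freed and the later `setexeccon(user_context)` call (outside this hunk; the enclosing function starts and ends beyond it) would be asked to clear the exec context instead of setting one — confirm that path fails closed rather than silently dropping the context. A failed `getcon()` also continues silently with the unadjusted context even though `use_current_range` was requested, and the `mls_range_allowed` failure branch returns `PAM_AUTH_ERR` without releasing `user_context` or `default_user_context`. The checks below fail closed on any of these errors, mirroring the existing `mls_range_allowed` branch; the early returns still share its leak of the two contexts, which is worth fixing together.
```c
    if (use_current_range && is_selinux_mls_enabled()) {
        security_context_t process_context=NULL;
        if (getcon(&process_context) == 0) {
            context_t pcon, ucon;
            char *process_level=NULL;
            security_context_t orig_context;

            /* … unchanged: orig_context selection … */

            pcon = context_new(process_context);
            freecon(process_context);
            if (pcon == NULL || context_range_get(pcon) == NULL) {
                pam_syslog(pamh, LOG_ERR, "Unable to get MLS range of the process context");
                if (pcon)
                    context_free(pcon);
                return PAM_AUTH_ERR;
            }
            process_level = strdup(context_range_get(pcon));
            context_free(pcon);
            if (process_level == NULL) {
                pam_syslog(pamh, LOG_ERR, _("Out of memory"));
                return PAM_AUTH_ERR;
            }

            /* … unchanged: debug log of process_level … */

            ucon = context_new(orig_context);
            if (ucon == NULL || context_range_set(ucon, process_level) != 0) {
                pam_syslog(pamh, LOG_ERR, "Unable to set MLS range on the user context");
                free(process_level);
                if (ucon)
                    context_free(ucon);
                return PAM_AUTH_ERR;
            }
            free(process_level);

            /* … unchanged: mls_range_allowed check and debug log … */

            /* replace the user context with the level adjusted one */
            freecon(user_context);
            user_context = strdup(context_str(ucon));
            context_free(ucon);
            if (user_context == NULL) {
                pam_syslog(pamh, LOG_ERR, _("Out of memory"));
                return PAM_AUTH_ERR;
            }
        } else {
            pam_syslog(pamh, LOG_ERR, "Unable to get the current process context");
        }
    }
```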


@ -11,7 +11,7 @@
Summary: A security tool which provides authentication for applications Summary: A security tool which provides authentication for applications
Name: pam Name: pam
Version: 0.99.6.2 Version: 0.99.6.2
Release: 7%{?dist} Release: 8%{?dist}
License: GPL or BSD License: GPL or BSD
Group: System Environment/Base Group: System Environment/Base
Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2 Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2
@ -40,8 +40,10 @@ Patch89: pam-0.99.6.2-namespace-overflow.patch
Patch90: pam-0.99.6.2-keyinit-setgid.patch Patch90: pam-0.99.6.2-keyinit-setgid.patch
Patch91: pam-0.99.6.2-unix-username.patch Patch91: pam-0.99.6.2-unix-username.patch
Patch92: pam-0.99.6.2-selinux-select-context.patch Patch92: pam-0.99.6.2-selinux-select-context.patch
Patch93: pam-0.99.6.2-namespace-level.patch
Patch94: pam-0.99.6.2-ja-no-shortcut.patch
Patch95: pam-0.99.6.2-selinux-use-current-range.patch
Patch100: pam-0.99.6.2-reconf.patch Patch100: pam-0.99.6.2-reconf.patch
Patch101: pam-0.99.6.2-selinux-namespace.patch
BuildRoot: %{_tmppath}/%{name}-root BuildRoot: %{_tmppath}/%{name}-root
Requires: cracklib, cracklib-dicts >= 2.8 Requires: cracklib, cracklib-dicts >= 2.8
@ -50,7 +52,7 @@ Prereq: grep, mktemp, sed, coreutils, /sbin/ldconfig
BuildRequires: autoconf, automake, libtool BuildRequires: autoconf, automake, libtool
BuildRequires: bison, flex, sed BuildRequires: bison, flex, sed
BuildRequires: cracklib-devel, cracklib-dicts >= 2.8 BuildRequires: cracklib-devel, cracklib-dicts >= 2.8
BuildRequires: perl, pkgconfig BuildRequires: perl, pkgconfig, gettext
%if %{WITH_AUDIT} %if %{WITH_AUDIT}
BuildRequires: audit-libs-devel >= 1.0.8 BuildRequires: audit-libs-devel >= 1.0.8
Requires: audit-libs >= 1.0.8 Requires: audit-libs >= 1.0.8
@ -109,9 +111,10 @@ cp %{SOURCE7} .
%patch90 -p1 -b .setgid %patch90 -p1 -b .setgid
%patch91 -p1 -b .username %patch91 -p1 -b .username
%patch92 -p1 -b .select-context %patch92 -p1 -b .select-context
%patch93 -p1 -b .selinux-namespace
%patch94 -p1 -b .no-shortcut
%patch95 -p1 -b .range
%patch100 -p1 -b .reconf %patch100 -p1 -b .reconf
%patch101 -p1 -b .selinux-namespace
#autoreconf #autoreconf
%build %build
@ -150,6 +153,10 @@ LDFLAGS=-L${topdir}/%{_lib} ; export LDFLAGS
--libdir=/%{_lib} \ --libdir=/%{_lib} \
--includedir=%{_includedir}/security \ --includedir=%{_includedir}/security \
--enable-isadir=../../%{_lib}/security --enable-isadir=../../%{_lib}/security
# we must explicitely update-gmo as we patch a po file
pushd po
make update-gmo
popd
make make
%install %install
@ -280,6 +287,12 @@ if [ "$USEMD5" = "no" ] ; then
rm -f $tmp rm -f $tmp
fi fi
fi fi
if [ ! -a /var/log/faillog ] ; then
install -m 600 /dev/null /var/log/faillog
fi
if [ ! -a /var/log/tallylog ] ; then
install -m 600 /dev/null /var/log/tallylog
fi
%postun -p /sbin/ldconfig %postun -p /sbin/ldconfig
@ -372,8 +385,8 @@ fi
%dir %{_sysconfdir}/security/console.perms.d %dir %{_sysconfdir}/security/console.perms.d
%config %{_sysconfdir}/security/console.perms.d/50-default.perms %config %{_sysconfdir}/security/console.perms.d/50-default.perms
%dir /var/run/console %dir /var/run/console
%config(noreplace) %verify(not md5 size mtime) /var/log/faillog %ghost %verify(not md5 size mtime) /var/log/faillog
%config(noreplace) %verify(not md5 size mtime) /var/log/tallylog %ghost %verify(not md5 size mtime) /var/log/tallylog
%{_mandir}/man5/* %{_mandir}/man5/*
%{_mandir}/man8/* %{_mandir}/man8/*
@ -388,12 +401,22 @@ fi
%doc doc/adg/*.txt doc/adg/html %doc doc/adg/*.txt doc/adg/html
%changelog %changelog
* Tue Jan 16 2007 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-8
- properly include /var/log/faillog and tallylog as ghosts
and create them in post script (#209646)
- update gmo files as we patch some po files (#218271)
- add use_current_range option to pam_selinux (#220487)
- improve the role selection in pam_selinux
- remove shortcut on Password: in ja locale (#218271)
- revert to old euid and not ruid when setting euid in pam_keyinit (#219486)
- rename selinux-namespace patch to namespace-level
* Thu Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 0.99.6.2-7 * Thu Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 0.99.6.2-7
- Fix selection of role - fix selection of role
* Thu Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 0.99.6.2-6 * Thu Dec 1 2006 Dan Walsh <dwalsh@redhat.com> 0.99.6.2-6
- Fix pam_namespace to only change MLS componant - add possibility to pam_namespace to only change MLS component
Resolves: Bug #216184 - Resolves: Bug #216184
* Thu Nov 30 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-5 * Thu Nov 30 2006 Tomas Mraz <tmraz@redhat.com> 0.99.6.2-5
- add select-context option to pam_selinux (#213812) - add select-context option to pam_selinux (#213812)