- pam_selinux: restore execcon properly (#443667)

2008-04-22 19:48:10 +00:00 · 2008-04-22 19:48:10 +00:00 · be4deb2d92
commit be4deb2d92
parent 4acfdf0540
2 changed files with 38 additions and 1 deletions
--- a/pam-1.0.1-selinux-restore-execcon.patch
+++ b/pam-1.0.1-selinux-restore-execcon.patch
@ -0,0 +1,32 @@
+diff -up Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c.restore-execcon Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c
+--- Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c.restore-execcon	2008-03-20 18:06:32.000000000 +0100
+++ Linux-PAM-1.0.1/modules/pam_selinux/pam_selinux.c	2008-04-22 21:11:34.000000000 +0200
+@@ -702,21 +702,21 @@ pam_sm_close_session(pam_handle_t *pamh,
+     free(ttyn);
+     ttyn=NULL;
+   }
+-  if (prev_user_context) {
+-    if (setexeccon(prev_user_context)) {
+
+  if (setexeccon(prev_user_context)) {
+       pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.",
+-	       prev_user_context);
+	       prev_user_context ? prev_user_context : "");
+       if (security_getenforce() == 1)
+          status = PAM_AUTH_ERR;
+       else
+          status = PAM_SUCCESS;
+-    }
+  } else if (debug)
+      pam_syslog(pamh, LOG_NOTICE, "Executable context back to original");
+
+  if (prev_user_context) {
+     freecon(prev_user_context);
+     prev_user_context = NULL;
+   }
+ 
+-  if (debug)
+-    pam_syslog(pamh, LOG_NOTICE, "setcontext back to orginal");
+-
+   return status;
+ }
--- a/pam.spec
+++ b/pam.spec
@ -5,7 +5,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 1.0.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@ -26,6 +26,7 @@ Patch1:  pam-0.99.7.0-redhat-modules.patch
 Patch2:  db-4.6.18-glibc.patch
 Patch4:  pam-0.99.8.1-dbpam.patch
 Patch10: pam-1.0.0-sepermit-screensaver.patch
+Patch11: pam-1.0.1-selinux-restore-execcon.patch
 Patch21: pam-0.99.10.0-unix-audit-failed.patch
 Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
 Patch32: pam-0.99.3.0-tally-fail-close.patch
@ -102,6 +103,7 @@ pushd db-%{db_version}
 popd
 %patch4 -p1 -b .dbpam
 %patch10 -p1 -b .screensaver
+%patch11 -p1 -b .restore-execcon
 %patch21 -p1 -b .audit-failed
 %patch31 -p1 -b .try-first-pass
 %patch32 -p1 -b .fail-close
@ -374,6 +376,9 @@ fi
 %doc doc/adg/*.txt doc/adg/html

 %changelog
+* Tue Apr 22 2008 Tomas Mraz <tmraz@redhat.com> 1.0.1-2
+- pam_selinux: restore execcon properly (#443667)
+
 * Fri Apr 18 2008 Tomas Mraz <tmraz@redhat.com> 1.0.1-1
 - upgrade to new upstream release (one bugfix only)
 - fix pam_sepermit use in screensavers