use links instead of w3m to create txt documentation

- recognize login session in pam_sepermit to prevent gdm from locking (#969174)
- add support for disabling password logging in pam_tty_audit

pam-1.1.6-sepermit-user.patch

@@ -0,0 +1,58 @@
+diff -up Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.sepermit Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am
+--- Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am.sepermit	2013-07-24 12:55:08.822987098 -0400
++++ Linux-PAM-1.1.6/modules/pam_sepermit/Makefile.am	2013-07-24 12:55:11.653004214 -0400
+@@ -24,7 +24,7 @@ AM_CFLAGS = -I$(top_srcdir)/libpam/inclu
+ 	-D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\" \
+ 	-D SEPERMIT_LOCKDIR=\"$(sepermitlockdir)\"
+ 
+-pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@
++pam_sepermit_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ -lsystemd-login
+ pam_sepermit_la_LDFLAGS = -no-undefined -avoid-version -module
+ if HAVE_VERSIONING
+   pam_sepermit_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
+diff -up Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c.sepermit Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c
+--- Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c.sepermit	2012-08-15 07:08:43.000000000 -0400
++++ Linux-PAM-1.1.6/modules/pam_sepermit/pam_sepermit.c	2013-07-24 13:17:24.088061506 -0400
+@@ -65,6 +65,7 @@
+ #include <security/pam_ext.h>
+ 
+ #include <selinux/selinux.h>
++#include <systemd/sd-login.h>
+ 
+ #define MODULE "pam_sepermit"
+ #define OPT_DELIM ":"
+@@ -187,6 +188,25 @@ sepermit_unlock(pam_handle_t *pamh, void
+ }
+ 
+ static int
++check_user_session(pam_handle_t *pamh) {
++	char *session = NULL;
++	char *class = NULL;
++	int rc;
++
++	if (sd_pid_get_session(0, &session)) 
++		return -1;
++	rc = sd_session_get_class(session, &class);
++	pam_syslog(pamh, LOG_ERR, "Session %s", session);
++	if (rc == 0) {
++		rc = strcmp(class, "user");
++		pam_syslog(pamh, LOG_ERR, "Class %s", class);
++	}
++	free(session);
++	free(class);
++	return rc;
++}
++
++static int
+ sepermit_lock(pam_handle_t *pamh, const char *user, int debug)
+ {
+ 	char buf[PATH_MAX];
+@@ -319,7 +339,7 @@ sepermit_match(pam_handle_t *pamh, const
+ 		if (*sense == PAM_SUCCESS) {
+ 			if (ignore)
+ 				*sense = PAM_IGNORE;
+-			if (geteuid() == 0 && exclusive)
++			if (geteuid() == 0 && exclusive && check_user_session(pamh) != 0)
+ 				if (sepermit_lock(pamh, user, debug) < 0)
+ 					*sense = PAM_AUTH_ERR;
+ 		}

pam-1.1.6-tty-audit-echo.patch

@@ -0,0 +1,100 @@
+diff -up Linux-PAM-1.1.6/configure.in.tty-audit-echo Linux-PAM-1.1.6/configure.in
+--- Linux-PAM-1.1.6/configure.in.tty-audit-echo	2013-08-07 15:41:08.245745447 +0200
++++ Linux-PAM-1.1.6/configure.in	2013-08-07 18:13:04.358958936 +0200
+@@ -386,6 +386,10 @@ if test x"$WITH_LIBAUDIT" != xno ; then
+         fi
+         if test ! -z "$HAVE_AUDIT_TTY_STATUS" ; then
+             AC_DEFINE([HAVE_AUDIT_TTY_STATUS], 1, [Define to 1 if struct audit_tty_status exists.])
++
++            AC_CHECK_MEMBERS([struct audit_tty_status.log_passwd], [],
++                            AC_MSG_WARN([audit_tty_status.log_passwd is not available.  The log_passwd option is disabled.]),
++                            [[#include <libaudit.h>]])
+         fi
+ else
+ 	LIBAUDIT=""
+diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml
+--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml.tty-audit-echo	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.8.xml	2013-08-07 18:08:55.310028229 +0200
+@@ -77,6 +77,19 @@
+           </para>
+         </listitem>
+       </varlistentry>
++      <varlistentry>
++        <term>
++          <option>log_passwd</option>
++        </term>
++        <listitem>
++          <para>
++	   Log keystrokes when ECHO mode is off but ICANON mode is active.
++	   This is the mode in which the tty is placed during password entry.
++	   By default, passwords are not logged.  This option may not be
++	   available on older kernels (3.9?).
++          </para>
++        </listitem>
++      </varlistentry>
+     </variablelist>
+   </refsect1>
+ 
+@@ -161,6 +174,8 @@ session	required pam_tty_audit.so disabl
+       <para>
+         pam_tty_audit was written by Miloslav Trma&ccaron;
+ 	&lt;mitr@redhat.com&gt;.
++        The log_passwd option was added by Richard Guy Briggs
++        &lt;rgb@redhat.com&gt;.
+       </para>
+   </refsect1>
+ 
+diff -up Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c
+--- Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c.tty-audit-echo	2012-08-15 13:08:43.000000000 +0200
++++ Linux-PAM-1.1.6/modules/pam_tty_audit/pam_tty_audit.c	2013-08-07 18:09:29.428694493 +0200
+@@ -201,6 +201,9 @@ pam_sm_open_session (pam_handle_t *pamh,
+   struct audit_tty_status *old_status, new_status;
+   const char *user;
+   int i, fd, open_only;
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++  int log_passwd;
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+ 
+   (void)flags;
+ 
+@@ -212,6 +215,9 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 
+   command = CMD_NONE;
+   open_only = 0;
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++  log_passwd = 0;
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+   for (i = 0; i < argc; i++)
+     {
+       if (strncmp (argv[i], "enable=", 7) == 0
+@@ -237,6 +243,14 @@ pam_sm_open_session (pam_handle_t *pamh,
+ 	}
+       else if (strcmp (argv[i], "open_only") == 0)
+ 	open_only = 1;
++      else if (strcmp (argv[i], "log_passwd") == 0)
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++        log_passwd = 1;
++#else /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
++        pam_syslog (pamh, LOG_WARNING,
++                    "The log_passwd option was not available at compile time.");
++#warning "pam_tty_audit: The log_passwd option is not available.  Please upgrade your headers/kernel."
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
+       else
+ 	{
+ 	  pam_syslog (pamh, LOG_ERR, "unknown option `%s'", argv[i]);
+@@ -262,7 +276,14 @@ pam_sm_open_session (pam_handle_t *pamh,
+     }
+ 
+   new_status.enabled = (command == CMD_ENABLE ? 1 : 0);
+-  if (old_status->enabled == new_status.enabled)
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++  new_status.log_passwd = log_passwd;
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
++  if (old_status->enabled == new_status.enabled
++#ifdef HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD
++      && old_status->log_passwd == new_status.log_passwd
++#endif /* HAVE_STRUCT_AUDIT_TTY_STATUS_LOG_PASSWD */
++     )
+     {
+       open_only = 1; /* to clean up old_status */
+       goto ok_fd;

pam-1.1.6-use-links.patch

@@ -0,0 +1,15 @@
+diff -up Linux-PAM-1.1.6/configure.in.links Linux-PAM-1.1.6/configure.in
+--- Linux-PAM-1.1.6/configure.in.links	2013-04-24 13:13:36.000000000 +0200
++++ Linux-PAM-1.1.6/configure.in	2013-08-07 14:08:03.818055990 +0200
+@@ -548,9 +548,9 @@ JH_CHECK_XML_CATALOG([-//OASIS//DTD DocB
+ JH_CHECK_XML_CATALOG([http://docbook.sourceforge.net/release/xsl/current/manpages/docbook.xsl],
+                 [DocBook XSL Stylesheets], [], enable_docu=no)
+ 
+-AC_PATH_PROG([BROWSER], [w3m])
++AC_PATH_PROG([BROWSER], [links])
+ if test ! -z "$BROWSER"; then
+-     BROWSER="$BROWSER -T text/html -dump"
++     BROWSER="$BROWSER -no-numbering -no-references -dump"
+ else
+      enable_docu=no
+ fi

pam.spec

@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.1.6
-Release: 13%{?dist}
+Release: 14%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -60,6 +60,9 @@ Patch27: pam-1.1.6-strict-aliasing.patch
 Patch28: pam-1.1.6-selinux-manualctx.patch
 Patch29: pam-1.1.6-pwhistory-helper.patch
 Patch30: pam-1.1.6-rootok-audit.patch
+Patch31: pam-1.1.6-use-links.patch
+Patch32: pam-1.1.6-sepermit-user.patch
+Patch33: pam-1.1.6-tty-audit-echo.patch
 
 %define _pamlibdir %{_libdir}
 %define _moduledir %{_libdir}/security
@@ -91,8 +94,9 @@ Requires: libselinux >= 1.33.2
 %endif
 Requires: glibc >= 2.3.90-37
 BuildRequires: libdb-devel
+BuildRequires: systemd-devel
 # Following deps are necessary only to build the pam library documentation.
-BuildRequires: linuxdoc-tools, w3m, libxslt
+BuildRequires: linuxdoc-tools, elinks, libxslt
 BuildRequires: docbook-style-xsl, docbook-dtds
 
 URL: http://www.linux-pam.org/
@@ -145,6 +149,9 @@ mv pam-redhat-%{pam_redhat_version}/* modules
 %patch28 -p1 -b .manualctx
 %patch29 -p1 -b .pwhhelper
 %patch30 -p1 -b .audit
+%patch31 -p1 -b .links
+%patch32 -p1 -b .sepermit-user
+%patch33 -p1 -b .tty-audit-echo
 
 
 %build
@@ -393,6 +400,11 @@ fi
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Wed Aug  7 2013 Tomáš Mráz <tmraz@redhat.com> 1.1.6-14
+- use links instead of w3m to create txt documentation
+- recognize login session in pam_sepermit to prevent gdm from locking (#969174)
+- add support for disabling password logging in pam_tty_audit
+
 * Sat Aug 03 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 1.1.6-13
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild