chpasswd, chgpasswd: open audit when starting
This commit is contained in:
parent
f884cd4c94
commit
abed79ee4e
@ -1,6 +1,6 @@
|
||||
diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
||||
--- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100
|
||||
+++ shadow-4.2.1/src/chgpasswd.c 2016-05-26 20:56:56.723676087 +0200
|
||||
+++ shadow-4.2.1/src/chgpasswd.c 2016-05-30 11:57:53.635841186 +0200
|
||||
@@ -39,6 +39,13 @@
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
@ -25,7 +25,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
||||
/* local function prototypes */
|
||||
static void fail_exit (int code);
|
||||
static /*@noreturn@*/void usage (int status);
|
||||
@@ -300,6 +310,62 @@ static void check_perms (void)
|
||||
@@ -300,6 +310,63 @@ static void check_perms (void)
|
||||
#endif /* ACCT_TOOLS_SETUID */
|
||||
}
|
||||
|
||||
@ -44,16 +44,17 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
||||
+ char *buf;
|
||||
+
|
||||
+ if (vasprintf (&buf, fmt, ap) < 0)
|
||||
+ return 0;
|
||||
+ goto ret;
|
||||
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
||||
+ NULL, 0);
|
||||
+ audit_close(audit_fd);
|
||||
+ free(buf);
|
||||
+ return 0;
|
||||
+ goto ret;
|
||||
+ }
|
||||
+
|
||||
+#endif
|
||||
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
||||
+ret:
|
||||
+ va_end(ap);
|
||||
+ return 0;
|
||||
+}
|
||||
@ -88,7 +89,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
||||
/*
|
||||
* open_files - lock and open the group databases
|
||||
*/
|
||||
@@ -393,6 +459,7 @@ int main (int argc, char **argv)
|
||||
@@ -393,6 +460,7 @@ int main (int argc, char **argv)
|
||||
|
||||
const struct group *gr;
|
||||
struct group newgr;
|
||||
@ -96,10 +97,14 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
||||
int errors = 0;
|
||||
int line = 0;
|
||||
|
||||
@@ -408,8 +475,29 @@ int main (int argc, char **argv)
|
||||
@@ -408,8 +476,33 @@ int main (int argc, char **argv)
|
||||
|
||||
OPENLOG ("chgpasswd");
|
||||
|
||||
+#ifdef WITH_AUDIT
|
||||
+ audit_help_open ();
|
||||
+#endif
|
||||
+
|
||||
+ /*
|
||||
+ * Determine the name of the user that invoked this command. This
|
||||
+ * is really hit or miss because there are so many ways that command
|
||||
@ -126,7 +131,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
||||
#ifdef SHADOWGRP
|
||||
is_shadow_grp = sgr_file_present ();
|
||||
#endif
|
||||
@@ -536,6 +624,15 @@ int main (int argc, char **argv)
|
||||
@@ -536,6 +629,15 @@ int main (int argc, char **argv)
|
||||
newgr.gr_passwd = cp;
|
||||
}
|
||||
|
||||
@ -144,7 +149,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
||||
* be written to the group file later, after all the
|
||||
diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
|
||||
--- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100
|
||||
+++ shadow-4.2.1/src/chpasswd.c 2016-05-26 20:40:56.190224029 +0200
|
||||
+++ shadow-4.2.1/src/chpasswd.c 2016-05-30 11:58:23.034484807 +0200
|
||||
@@ -39,6 +39,13 @@
|
||||
#include <pwd.h>
|
||||
#include <stdio.h>
|
||||
@ -159,7 +164,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
|
||||
#ifdef USE_PAM
|
||||
#include "pam_defs.h"
|
||||
#endif /* USE_PAM */
|
||||
@@ -297,6 +304,62 @@ static void check_perms (void)
|
||||
@@ -297,6 +304,63 @@ static void check_perms (void)
|
||||
#endif /* USE_PAM */
|
||||
}
|
||||
|
||||
@ -178,16 +183,17 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
|
||||
+ char *buf;
|
||||
+
|
||||
+ if (vasprintf (&buf, fmt, ap) < 0)
|
||||
+ return 0;
|
||||
+ goto ret;
|
||||
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
||||
+ NULL, 0);
|
||||
+ audit_close(audit_fd);
|
||||
+ free(buf);
|
||||
+ return 0;
|
||||
+ goto ret;
|
||||
+ }
|
||||
+
|
||||
+#endif
|
||||
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
||||
+ret:
|
||||
+ va_end(ap);
|
||||
+ return 0;
|
||||
+}
|
||||
@ -222,8 +228,14 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
|
||||
/*
|
||||
* open_files - lock and open the password databases
|
||||
*/
|
||||
@@ -407,6 +470,10 @@ int main (int argc, char **argv)
|
||||
@@ -405,8 +469,16 @@ int main (int argc, char **argv)
|
||||
|
||||
OPENLOG ("chpasswd");
|
||||
|
||||
+#ifdef WITH_AUDIT
|
||||
+ audit_help_open ();
|
||||
+#endif
|
||||
+
|
||||
check_perms ();
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
@ -233,7 +245,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
|
||||
#ifdef USE_PAM
|
||||
if (!use_pam)
|
||||
#endif /* USE_PAM */
|
||||
@@ -566,6 +633,11 @@ int main (int argc, char **argv)
|
||||
@@ -566,6 +638,11 @@ int main (int argc, char **argv)
|
||||
newpw.pw_passwd = cp;
|
||||
}
|
||||
|
||||
@ -246,8 +258,8 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
|
||||
* The updated password file entry is then put back and will
|
||||
* be written to the password file later, after all the
|
||||
diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am
|
||||
--- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-26 19:02:07.000000000 +0200
|
||||
+++ shadow-4.2.1/src/Makefile.am 2016-05-26 20:38:52.738468738 +0200
|
||||
--- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-27 16:04:00.896475284 +0200
|
||||
+++ shadow-4.2.1/src/Makefile.am 2016-05-27 16:04:00.899475353 +0200
|
||||
@@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID)
|
||||
newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||
newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||
@ -261,8 +273,8 @@ diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am
|
||||
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
||||
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
||||
diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in
|
||||
--- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-26 19:02:07.000000000 +0200
|
||||
+++ shadow-4.2.1/src/Makefile.in 2016-05-26 20:40:03.547049098 +0200
|
||||
--- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-27 16:04:00.896475284 +0200
|
||||
+++ shadow-4.2.1/src/Makefile.in 2016-05-27 16:04:00.899475353 +0200
|
||||
@@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(
|
||||
newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||
newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||
|
@ -1,7 +1,7 @@
|
||||
Summary: Utilities for managing accounts and shadow password files
|
||||
Name: shadow-utils
|
||||
Version: 4.2.1
|
||||
Release: 9%{?dist}
|
||||
Release: 10%{?dist}
|
||||
Epoch: 2
|
||||
URL: http://pkg-shadow.alioth.debian.org/
|
||||
Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
|
||||
@ -257,6 +257,9 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%{_mandir}/man8/vigr.8*
|
||||
|
||||
%changelog
|
||||
* Mon May 30 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-10
|
||||
- chpasswd, chgpasswd: open audit when starting
|
||||
|
||||
* Thu May 26 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-9
|
||||
- chgpasswd: do not remove it
|
||||
- chpasswd, chgpasswd: add selinux_check_access call (#1336902)
|
||||
|
Loading…
Reference in New Issue
Block a user