chpasswd, chgpasswd: open audit when starting
This commit is contained in:
parent
f884cd4c94
commit
abed79ee4e
@ -1,6 +1,6 @@
|
|||||||
diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
||||||
--- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100
|
--- shadow-4.2.1/src/chgpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100
|
||||||
+++ shadow-4.2.1/src/chgpasswd.c 2016-05-26 20:56:56.723676087 +0200
|
+++ shadow-4.2.1/src/chgpasswd.c 2016-05-30 11:57:53.635841186 +0200
|
||||||
@@ -39,6 +39,13 @@
|
@@ -39,6 +39,13 @@
|
||||||
#include <pwd.h>
|
#include <pwd.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
@ -25,7 +25,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
|||||||
/* local function prototypes */
|
/* local function prototypes */
|
||||||
static void fail_exit (int code);
|
static void fail_exit (int code);
|
||||||
static /*@noreturn@*/void usage (int status);
|
static /*@noreturn@*/void usage (int status);
|
||||||
@@ -300,6 +310,62 @@ static void check_perms (void)
|
@@ -300,6 +310,63 @@ static void check_perms (void)
|
||||||
#endif /* ACCT_TOOLS_SETUID */
|
#endif /* ACCT_TOOLS_SETUID */
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -44,16 +44,17 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
|||||||
+ char *buf;
|
+ char *buf;
|
||||||
+
|
+
|
||||||
+ if (vasprintf (&buf, fmt, ap) < 0)
|
+ if (vasprintf (&buf, fmt, ap) < 0)
|
||||||
+ return 0;
|
+ goto ret;
|
||||||
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
||||||
+ NULL, 0);
|
+ NULL, 0);
|
||||||
+ audit_close(audit_fd);
|
+ audit_close(audit_fd);
|
||||||
+ free(buf);
|
+ free(buf);
|
||||||
+ return 0;
|
+ goto ret;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+#endif
|
+#endif
|
||||||
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
||||||
|
+ret:
|
||||||
+ va_end(ap);
|
+ va_end(ap);
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+}
|
+}
|
||||||
@ -88,7 +89,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
|||||||
/*
|
/*
|
||||||
* open_files - lock and open the group databases
|
* open_files - lock and open the group databases
|
||||||
*/
|
*/
|
||||||
@@ -393,6 +459,7 @@ int main (int argc, char **argv)
|
@@ -393,6 +460,7 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
const struct group *gr;
|
const struct group *gr;
|
||||||
struct group newgr;
|
struct group newgr;
|
||||||
@ -96,10 +97,14 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
|||||||
int errors = 0;
|
int errors = 0;
|
||||||
int line = 0;
|
int line = 0;
|
||||||
|
|
||||||
@@ -408,8 +475,29 @@ int main (int argc, char **argv)
|
@@ -408,8 +476,33 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
OPENLOG ("chgpasswd");
|
OPENLOG ("chgpasswd");
|
||||||
|
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ audit_help_open ();
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
+ /*
|
+ /*
|
||||||
+ * Determine the name of the user that invoked this command. This
|
+ * Determine the name of the user that invoked this command. This
|
||||||
+ * is really hit or miss because there are so many ways that command
|
+ * is really hit or miss because there are so many ways that command
|
||||||
@ -126,7 +131,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
|||||||
#ifdef SHADOWGRP
|
#ifdef SHADOWGRP
|
||||||
is_shadow_grp = sgr_file_present ();
|
is_shadow_grp = sgr_file_present ();
|
||||||
#endif
|
#endif
|
||||||
@@ -536,6 +624,15 @@ int main (int argc, char **argv)
|
@@ -536,6 +629,15 @@ int main (int argc, char **argv)
|
||||||
newgr.gr_passwd = cp;
|
newgr.gr_passwd = cp;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -144,7 +149,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
|
|||||||
* be written to the group file later, after all the
|
* be written to the group file later, after all the
|
||||||
diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
|
diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
|
||||||
--- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100
|
--- shadow-4.2.1/src/chpasswd.c.selinux-perms 2014-03-01 19:59:51.000000000 +0100
|
||||||
+++ shadow-4.2.1/src/chpasswd.c 2016-05-26 20:40:56.190224029 +0200
|
+++ shadow-4.2.1/src/chpasswd.c 2016-05-30 11:58:23.034484807 +0200
|
||||||
@@ -39,6 +39,13 @@
|
@@ -39,6 +39,13 @@
|
||||||
#include <pwd.h>
|
#include <pwd.h>
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
@ -159,7 +164,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
|
|||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
#include "pam_defs.h"
|
#include "pam_defs.h"
|
||||||
#endif /* USE_PAM */
|
#endif /* USE_PAM */
|
||||||
@@ -297,6 +304,62 @@ static void check_perms (void)
|
@@ -297,6 +304,63 @@ static void check_perms (void)
|
||||||
#endif /* USE_PAM */
|
#endif /* USE_PAM */
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -178,16 +183,17 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
|
|||||||
+ char *buf;
|
+ char *buf;
|
||||||
+
|
+
|
||||||
+ if (vasprintf (&buf, fmt, ap) < 0)
|
+ if (vasprintf (&buf, fmt, ap) < 0)
|
||||||
+ return 0;
|
+ goto ret;
|
||||||
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
|
||||||
+ NULL, 0);
|
+ NULL, 0);
|
||||||
+ audit_close(audit_fd);
|
+ audit_close(audit_fd);
|
||||||
+ free(buf);
|
+ free(buf);
|
||||||
+ return 0;
|
+ goto ret;
|
||||||
+ }
|
+ }
|
||||||
+
|
+
|
||||||
+#endif
|
+#endif
|
||||||
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
+ vsyslog (LOG_USER | LOG_INFO, fmt, ap);
|
||||||
|
+ret:
|
||||||
+ va_end(ap);
|
+ va_end(ap);
|
||||||
+ return 0;
|
+ return 0;
|
||||||
+}
|
+}
|
||||||
@ -222,8 +228,14 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
|
|||||||
/*
|
/*
|
||||||
* open_files - lock and open the password databases
|
* open_files - lock and open the password databases
|
||||||
*/
|
*/
|
||||||
@@ -407,6 +470,10 @@ int main (int argc, char **argv)
|
@@ -405,8 +469,16 @@ int main (int argc, char **argv)
|
||||||
|
|
||||||
|
OPENLOG ("chpasswd");
|
||||||
|
|
||||||
|
+#ifdef WITH_AUDIT
|
||||||
|
+ audit_help_open ();
|
||||||
|
+#endif
|
||||||
|
+
|
||||||
check_perms ();
|
check_perms ();
|
||||||
|
|
||||||
+#ifdef WITH_SELINUX
|
+#ifdef WITH_SELINUX
|
||||||
@ -233,7 +245,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
|
|||||||
#ifdef USE_PAM
|
#ifdef USE_PAM
|
||||||
if (!use_pam)
|
if (!use_pam)
|
||||||
#endif /* USE_PAM */
|
#endif /* USE_PAM */
|
||||||
@@ -566,6 +633,11 @@ int main (int argc, char **argv)
|
@@ -566,6 +638,11 @@ int main (int argc, char **argv)
|
||||||
newpw.pw_passwd = cp;
|
newpw.pw_passwd = cp;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -246,8 +258,8 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
|
|||||||
* The updated password file entry is then put back and will
|
* The updated password file entry is then put back and will
|
||||||
* be written to the password file later, after all the
|
* be written to the password file later, after all the
|
||||||
diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am
|
diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am
|
||||||
--- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-26 19:02:07.000000000 +0200
|
--- shadow-4.2.1/src/Makefile.am.selinux-perms 2016-05-27 16:04:00.896475284 +0200
|
||||||
+++ shadow-4.2.1/src/Makefile.am 2016-05-26 20:38:52.738468738 +0200
|
+++ shadow-4.2.1/src/Makefile.am 2016-05-27 16:04:00.899475353 +0200
|
||||||
@@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID)
|
@@ -84,9 +84,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID)
|
||||||
newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||||
newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||||
@ -261,8 +273,8 @@ diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am
|
|||||||
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
||||||
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
|
||||||
diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in
|
diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in
|
||||||
--- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-26 19:02:07.000000000 +0200
|
--- shadow-4.2.1/src/Makefile.in.selinux-perms 2016-05-27 16:04:00.896475284 +0200
|
||||||
+++ shadow-4.2.1/src/Makefile.in 2016-05-26 20:40:03.547049098 +0200
|
+++ shadow-4.2.1/src/Makefile.in 2016-05-27 16:04:00.899475353 +0200
|
||||||
@@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(
|
@@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(
|
||||||
newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||||
newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
Summary: Utilities for managing accounts and shadow password files
|
Summary: Utilities for managing accounts and shadow password files
|
||||||
Name: shadow-utils
|
Name: shadow-utils
|
||||||
Version: 4.2.1
|
Version: 4.2.1
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
URL: http://pkg-shadow.alioth.debian.org/
|
URL: http://pkg-shadow.alioth.debian.org/
|
||||||
Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
|
Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
|
||||||
@ -257,6 +257,9 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{_mandir}/man8/vigr.8*
|
%{_mandir}/man8/vigr.8*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon May 30 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-10
|
||||||
|
- chpasswd, chgpasswd: open audit when starting
|
||||||
|
|
||||||
* Thu May 26 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-9
|
* Thu May 26 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-9
|
||||||
- chgpasswd: do not remove it
|
- chgpasswd: do not remove it
|
||||||
- chpasswd, chgpasswd: add selinux_check_access call (#1336902)
|
- chpasswd, chgpasswd: add selinux_check_access call (#1336902)
|
||||||
|
Loading…
Reference in New Issue
Block a user