fc6/rhel5 fixes

2006-08-21 16:24:02 +00:00 · 2006-08-21 16:24:02 +00:00 · bc3ff95282
commit bc3ff95282
parent 3c367f2f3c
4 changed files with 118 additions and 64 deletions
--- a/util-linux-2.13-mount-context.patch
+++ b/util-linux-2.13-mount-context.patch
@ -1,63 +1,10 @@

 This patch adds to the mount man page docs about context, fscontext and
-defcontext mount options and translate context options from human to raw
-selinux context format.  -- 03/30/2006 Karel Zak <kzak@redhat.com> 
+ defcontext mount options and translate context options from human to raw
+ selinux context format.  -- 03/30/2006 Karel Zak <kzak@redhat.com>

--- util-linux-2.13-pre7/mount/mount.8.cxt	2006-03-30 17:15:06.000000000 +0200
-+++ util-linux-2.13-pre7/mount/mount.8	2006-03-30 17:15:06.000000000 +0200
-@@ -661,6 +661,50 @@
- .BR noexec ", " nosuid ", and " nodev
- (unless overridden by subsequent options, as in the option line
- .BR users,exec,dev,suid ).
-+.TP
-+\fBcontext=\fP\fIcontext\fP, \fBfscontext=\fP\fIcontext\fP and \fBdefcontext=\fP\fIcontext\fP
-+The 
-+.BR context= 
-+option is useful when mounting filesystems that do not support
-+extended attributes, such as a floppy or hard disk formatted with VFAT, or
-+systems that are not normally running under SELinux, such as an ext3 formatted
-+disk from a non-SELinux workstation. You can also use
-+.BR context= 
-+on filesystems you do not trust, such as a floppy. It also helps in compatibility with
-+xattr-supporting filesystems on earlier 2.4.<x> kernel versions. Even where
-+xattrs are supported, you can save time not having to label every file by
-+assigning the entire disk one security context.
-+
-+A commonly used option for removable media is 
-+.BR context=system_u:object_r:removable_t .
-+
-+Two other options are 
-+.BR fscontext= 
-+and 
-+.BR defcontext= ,
-+both of which are mutually exclusive of the context option. This means you
-+can use fscontext and defcontext with each other, but neither can be used with
-+context.
-+
-+The 
-+.BR fscontext= 
-+option works for all filesystems, regardless of their xattr
-+support. The fscontext option sets the overarching filesystem label to a
-+specific security context. This filesystem label is separate from the
-+individual labels on the files. It represents the entire filesystem for
-+certain kinds of permission checks, such as during mount or file creation.
-+Individual file labels are still obtained from the xattrs on the files
-+themselves. The context option actually sets the aggregate context that
-+fscontext provides, in addition to supplying the same label for individual
-+files.
-+
-+You can set the default security context for unlabeled files using 
-+.BR defcontext=
-+option. This overrides the value set for unlabeled files in the policy and requires a
-+file system that supports xattr labeling. 
-+
-+For more details see 
-+.BR selinux (8)
- .RE
- .TP
- .B \-\-bind
--- util-linux-2.13-pre7/mount/mount.c.cxt	2006-03-30 17:15:06.000000000 +0200
-+++ util-linux-2.13-pre7/mount/mount.c	2006-03-30 20:16:57.000000000 +0200
+--- util-linux-2.13-pre6/mount/mount.c.kzak	2006-08-21 11:51:50.000000000 +0200
+++ util-linux-2.13-pre6/mount/mount.c	2006-08-21 11:51:50.000000000 +0200
@@ -21,6 +21,11 @@
 #include <sys/wait.h>
 #include <sys/mount.h>
@ -151,3 +98,68 @@ selinux context format.  -- 03/30/2006 Karel Zak <kzak@redhat.com>
 
 		*extra_opts = xmalloc(len); 
 		**extra_opts = '\0';
+--- util-linux-2.13-pre6/mount/mount.8.kzak	2006-08-21 11:51:50.000000000 +0200
+++ util-linux-2.13-pre6/mount/mount.8	2006-08-21 11:51:50.000000000 +0200
+@@ -660,6 +660,50 @@
+ .BR noexec ", " nosuid ", and " nodev
+ (unless overridden by subsequent options, as in the option line
+ .BR users,exec,dev,suid ).
+.TP
+\fBcontext=\fP\fIcontext\fP, \fBfscontext=\fP\fIcontext\fP and \fBdefcontext=\fP\fIcontext\fP
+The 
+.BR context= 
+option is useful when mounting filesystems that do not support
+extended attributes, such as a floppy or hard disk formatted with VFAT, or
+systems that are not normally running under SELinux, such as an ext3 formatted
+disk from a non-SELinux workstation. You can also use
+.BR context= 
+on filesystems you do not trust, such as a floppy. It also helps in compatibility with
+xattr-supporting filesystems on earlier 2.4.<x> kernel versions. Even where
+xattrs are supported, you can save time not having to label every file by
+assigning the entire disk one security context.
+
+A commonly used option for removable media is 
+.BR context=system_u:object_r:removable_t .
+
+Two other options are 
+.BR fscontext= 
+and 
+.BR defcontext= ,
+both of which are mutually exclusive of the context option. This means you
+can use fscontext and defcontext with each other, but neither can be used with
+context.
+
+The 
+.BR fscontext= 
+option works for all filesystems, regardless of their xattr
+support. The fscontext option sets the overarching filesystem label to a
+specific security context. This filesystem label is separate from the
+individual labels on the files. It represents the entire filesystem for
+certain kinds of permission checks, such as during mount or file creation.
+Individual file labels are still obtained from the xattrs on the files
+themselves. The context option actually sets the aggregate context that
+fscontext provides, in addition to supplying the same label for individual
+files.
+
+You can set the default security context for unlabeled files using 
+.BR defcontext=
+option. This overrides the value set for unlabeled files in the policy and requires a
+file system that supports xattr labeling. 
+
+For more details see 
+.BR selinux (8)
+ .RE
+ .TP
+ .B \-\-bind
+--- util-linux-2.13-pre6/mount/Makefile.am.kzak	2006-08-21 12:13:10.000000000 +0200
+++ util-linux-2.13-pre6/mount/Makefile.am	2006-08-21 12:13:03.000000000 +0200
+@@ -37,6 +37,9 @@
+ man_MANS += pivot_root.8
+ endif
+ 
+if HAVE_SELINUX
+mount_LDADD += -lselinux
+endif
+ 
+ swapon.c: swapargs.h
+ 
--- a/util-linux-login.pamd
+++ b/util-linux-login.pamd
@ -0,0 +1,14 @@
+#%PAM-1.0
+auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
+auth       include      system-auth
+account    required     pam_nologin.so
+account    include      system-auth
+password   include      system-auth
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    include      system-auth
+session    required     pam_loginuid.so
+session    optional     pam_console.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open
+session    optional     pam_keyinit.so force revoke
--- a/util-linux-remote.pamd
+++ b/util-linux-remote.pamd
@ -0,0 +1,14 @@
+#%PAM-1.0
+auth       required     pam_securetty.so
+auth       include      system-auth
+account    required     pam_nologin.so
+account    include      system-auth
+password   include      system-auth
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    include      system-auth
+session    required     pam_loginuid.so
+session    optional     pam_console.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open
+session    optional     pam_keyinit.so force revoke
--- a/util-linux.spec
+++ b/util-linux.spec
@ -9,7 +9,7 @@
 Summary: A collection of basic system utilities.
 Name: util-linux
 Version: 2.13
-Release: 0.39
+Release: 0.40
 License: distributable
 Group: System Environment/Base

@ -47,8 +47,9 @@ BuildRequires: zlib-devel
 ### Sources
 # TODO [stable]: s/2.13-pre6/%{version}/
 Source0: ftp://ftp.win.tue.nl/pub/linux-local/utils/util-linux/util-linux-2.13-pre6.tar.bz2
-Source1: util-linux-selinux.pamd
-Source2: util-linux-chsh-chfn.pamd
+Source1: util-linux-login.pamd
+Source2: util-linux-remote.pamd
+Source3: util-linux-chsh-chfn.pamd
 Source8: nologin.c
 Source9: nologin.8
 Source11: http://download.sourceforge.net/floppyutil/floppy-%{floppyver}.tar.gz
@ -441,9 +442,9 @@ gzip -9nf ${RPM_BUILD_ROOT}%{_infodir}/ipc.info
 { 
  pushd ${RPM_BUILD_ROOT}%{_sysconfdir}/pam.d
  install -m 644 %{SOURCE1} ./login
-  install -m 644 %{SOURCE1} ./remote
-  install -m 644 %{SOURCE2} ./chsh
-  install -m 644 %{SOURCE2} ./chfn
+  install -m 644 %{SOURCE2} ./remote
+  install -m 644 %{SOURCE3} ./chsh
+  install -m 644 %{SOURCE3} ./chfn
  popd
 }

@ -502,6 +503,13 @@ for I in addpart delpart partx; do
 	fi
 done

+# /usr/bin -> /bin
+for I in taskset; do
+	if [ -e $RPM_BUILD_ROOT/usr/bin/$I ]; then
+		mv $RPM_BUILD_ROOT/usr/bin/$I $RPM_BUILD_ROOT/bin/$I
+	fi
+done
+
 # omit info/dir file
 rm -f ${RPM_BUILD_ROOT}%{_infodir}/dir

@ -545,6 +553,7 @@ exit 0
 %attr(755,root,root)	/bin/login
 /bin/more
 /bin/kill
+/bin/taskset

 %config %{_sysconfdir}/pam.d/chfn
 %config %{_sysconfdir}/pam.d/chsh
@ -580,7 +589,6 @@ exit 0

 %{_bindir}/chrt
 %{_bindir}/ionice
-%{_bindir}/taskset

 %{_bindir}/cal
 %attr(4711,root,root)	%{_bindir}/chfn
@ -722,6 +730,12 @@ exit 0
 /sbin/losetup

 %changelog
+* Mon Aug 21 2006 Karel Zak <kzak@redhat.com> 2.13-0.40
+- fix Makefile.am in util-linux-2.13-mount-context.patch
+- fix #201343 - pam_securetty requires known user to work
+                (split PAM login configuration to two files)
+- fix #203358 - change location of taskset binary to allow for early affinity work
+
 * Fri Aug 11 2006 Karel Zak <kzak@redhat.com> 2.13-0.39
 - fix #199745 - non-existant simpleinit(8) mentioned in ctrlaltdel(8)