diff --git a/pam-0.99.6.2-selinux-select-context.patch b/pam-0.99.6.2-selinux-select-context.patch index 831210f..0a0040e 100644 --- a/pam-0.99.6.2-selinux-select-context.patch +++ b/pam-0.99.6.2-selinux-select-context.patch @@ -29,8 +29,8 @@ --- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2006-12-27 10:59:06.000000000 -0500 -+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-03 13:40:24.000000000 -0500 -@@ -63,8 +63,10 @@ ++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-03 16:06:21.000000000 -0500 +@@ -63,9 +63,64 @@ #include #include #include 
@@ -39,9 +39,63 @@ #include +#include ++#ifdef HAVE_LIBAUDIT ++#include ++#include ++#include ++#endif ++ ++/* Send audit message */ ++static ++ ++int send_audit_message(pam_handle_t *pamh, int success, security_context_t default_context, ++ security_context_t selected_context) ++{ ++ int rc=0; ++#ifdef HAVE_LIBAUDIT ++ char *msg = NULL; ++ int audit_fd = audit_open(); ++ security_context_t default_raw=NULL; ++ security_context_t selected_raw=NULL; ++ rc = -1; ++ if (audit_fd < 0) { ++ pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.\n")); ++ return rc; ++ } ++ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { ++ pam_syslog(pamh, LOG_ERR, _("Error translating default context.\n")); ++ goto out; ++ } ++ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) { ++ pam_syslog(pamh, LOG_ERR, _("Error translating selected context.\n")); ++ goto out; ++ } ++ if (asprintf(&msg, "pam: default-context=%s selected-context=%s", ++ default_context ? default_raw : "?", ++ selected_context ? selected_raw : "?") < 0) { ++ pam_syslog(pamh, LOG_ERR, ("Error allocating memory.\n")); ++ goto out; ++ } ++ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, ++ msg, NULL, NULL, NULL, success) <= 0) { ++ pam_syslog(pamh, LOG_ERR, _("Error sending audit message.\n")); ++ goto out; ++ } ++ rc = 0; ++ out: ++ free(msg); ++ freecon(default_raw); ++ free(selected_raw); ++ close(audit_fd); ++#else ++ pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success); ++#endif ++ return rc; ++} static int send_text (pam_handle_t *pamh, const char *text, int debug) -@@ -79,69 +81,64 @@ + { +@@ -79,69 +134,64 @@ * is responsible for freeing the responses. */ static int 
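Review bot: The `#else` branch of send_audit_message passes `default_context` and `selected_context` straight to `%s`, while the libaudit branch guards both with `? … : "?"`; the use-current-range patch in this same commit calls it with a possibly NULL default_user_context (its own comment says so), so a build without HAVE_LIBAUDIT formats a NULL string — use the same guard there: `default_context ? default_context : "?"`, `selected_context ? selected_context : "?"`. Cleanup is also inconsistent: `default_raw` and `selected_raw` both come from selinux_trans_to_raw_context but only one is released with freecon (the other should be `freecon(selected_raw);`), and the descriptor from audit_open is released with close() where libaudit pairs it with `audit_close(audit_fd);`. The allocation-failure message is the only one without the `_()` wrapper, and all of them carry a trailing `\n` that pam_syslog does not need. Finally, rc is computed but every visible caller (the later hunks of this file and the use-current-range patch) discards it, so a failed audit_open or audit_log_user_message only leaves a syslog line — decide whether a context change that cannot be audited should proceed.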
@@ -77,7 +131,7 @@ while (1) { query_response(pamh, - _("Would you like to enter a security context? [y] "), -+ _("Would you like to enter a security context? [n] "), NULL, ++ _("Would you like to enter a security context? [N] "), NULL, &responses,debug); - if ((responses[0] == 'y') || (responses[0] == 'Y') || - (responses[0] == '\0') ) @@ -144,7 +198,7 @@ } /* Get the string value of the context and see if it is valid. */ if (!security_check_context(context_str(new_context))) { -@@ -151,14 +148,125 @@ +@@ -151,14 +201,125 @@ } else send_text(pamh,_("Not a valid security context"),debug); @@ -270,7 +324,7 @@ } static void -@@ -273,10 +381,11 @@ +@@ -273,13 +434,15 @@ { int i, debug = 0, ttys=1, has_tty=isatty(0); int verbose=0, close_session=0; @@ -283,7 +337,11 @@ const void *tty = NULL; char *seuser=NULL; char *level=NULL; -@@ -295,6 +404,9 @@ ++ security_context_t default_user_context=NULL; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { +@@ -295,6 +458,9 @@ if (strcmp(argv[i], "close") == 0) { close_session = 1; } @@ -293,7 +351,7 @@ } if (debug) -@@ -307,7 +419,7 @@ +@@ -307,7 +473,7 @@ if (!(selinux_enabled = is_selinux_enabled()>0) ) return PAM_SUCCESS; @@ -302,7 +360,7 @@ username == NULL) { return PAM_USER_UNKNOWN; } -@@ -319,19 +431,38 @@ +@@ -319,19 +485,38 @@ &contextlist); if (debug) pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", 
@@ -313,18 +371,18 @@ } if (num_contexts > 0) { - user_context = (security_context_t) strdup(contextlist[0]); -+ security_context_t puser_context=strdup(contextlist[0]); ++ default_user_context=strdup(contextlist[0]); freeconary(contextlist); - } else { -+ if (puser_context == NULL) { ++ if (default_user_context == NULL) { + pam_syslog(pamh, LOG_ERR, _("Out of memory")); + return PAM_AUTH_ERR; + } -+ user_context = puser_context; + if (select_context && has_tty) { -+ user_context = config_context(pamh, puser_context, debug); -+ freecon(puser_context); ++ user_context = config_context(pamh, default_user_context, debug); + if (user_context == NULL) { ++ send_audit_message(pamh, 0, default_user_context, default_user_context); ++ freecon(default_user_context); + pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"), + username); + pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username); @@ -346,7 +404,7 @@ if (security_getenforce() == 1) return PAM_AUTH_ERR; else -@@ -340,7 +471,7 @@ +@@ -340,7 +525,7 @@ } else { pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s, No valid tty", @@ -355,7 +413,17 @@ if (security_getenforce() == 1) return PAM_AUTH_ERR; else -@@ -381,7 +512,7 @@ +@@ -371,6 +556,9 @@ + ttyn=strdup(tty); + ttyn_context=security_label_tty(pamh,ttyn,user_context); + } ++ send_audit_message(pamh, 1, default_user_context, user_context); ++ freecon(default_user_context); ++ + ret = setexeccon(user_context); + if (ret==0 && verbose) { + char msg[PATH_MAX]; +@@ -381,7 +569,7 @@ if (ret) { pam_syslog(pamh, LOG_ERR, "Error! Unable to set %s executable context %s.", @@ -364,7 +432,7 @@ if (security_getenforce() == 1) { freecon(user_context); return PAM_AUTH_ERR; -@@ -389,7 +520,7 @@ +@@ -389,7 +577,7 @@ } else { if (debug) pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", 
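Review bot: The new inner patch drops `user_context = puser_context;` without a visible replacement, so in this hunk user_context is only assigned on the `select_context && has_tty` branch; if the unseen remainder of the inner hunk does not assign it, the later `setexeccon(user_context)` in the `@@ -355` hunk runs with NULL, and the use-current-range patch's `if (user_context) … else orig_context = default_user_context` suggests that state is indeed reachable. Please confirm where user_context is set on the non-interactive path; if it is simply aliased to default_user_context, the unconditional `freecon(default_user_context)` that precedes setexeccon becomes a use-after-free, and `user_context = strdup(default_user_context);` with an out-of-memory check keeps the two ownerships separate. The enclosing function starts and ends outside the hunk.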
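Review bot: `send_audit_message(pamh, 1, default_user_context, user_context);` records a successful role change before `setexeccon(user_context)` has run, so when setexeccon fails (the error branch in the `@@ -381` hunk returns PAM_AUTH_ERR under enforcing mode) the audit trail shows a success that never took effect and no failure record. Either move the call to after the setexeccon result is known, keeping default_user_context alive until then, or add a `success = 0` record on that failure path. The return value is discarded here as well, so an unreachable audit daemon only produces a syslog line. The enclosing function starts and ends outside the hunk.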
@@ -373,7 +441,7 @@ } #ifdef HAVE_SETKEYCREATECON ret = setkeycreatecon(user_context); -@@ -402,7 +533,7 @@ +@@ -402,7 +590,7 @@ if (ret) { pam_syslog(pamh, LOG_ERR, "Error! Unable to set %s key creation context %s.", @@ -382,7 +450,7 @@ if (security_getenforce() == 1) { freecon(user_context); return PAM_AUTH_ERR; -@@ -410,7 +541,7 @@ +@@ -410,7 +598,7 @@ } else { if (debug) pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s", diff --git a/pam-0.99.6.2-selinux-use-current-range.patch b/pam-0.99.6.2-selinux-use-current-range.patch new file mode 100644 index 0000000..d2836a7 --- /dev/null +++ b/pam-0.99.6.2-selinux-use-current-range.patch 
@@ -0,0 +1,113 @@ +--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.range 2007-01-04 23:29:04.000000000 +0100 ++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-05 13:30:31.000000000 +0100 +@@ -435,6 +435,7 @@ + int i, debug = 0, ttys=1, has_tty=isatty(0); + int verbose=0, close_session=0; + int select_context = 0; ++ int use_current_range = 0; + int ret = 0; + security_context_t* contextlist = NULL; + int num_contexts = 0; +@@ -461,11 +462,19 @@ + if (strcmp(argv[i], "select_context") == 0) { + select_context = 1; + } ++ if (strcmp(argv[i], "use_current_range") == 0) { ++ use_current_range = 1; ++ } + } +- ++ + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Open Session"); + ++ if (select_context && use_current_range) { ++ pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range"); ++ select_context = 0; ++ } ++ + /* this module is only supposed to execute close_session */ + if (close_session) + return PAM_SUCCESS; +@@ -532,6 +541,51 @@ + return PAM_SUCCESS; + } + } ++ ++ if (use_current_range && is_selinux_mls_enabled()) { ++ security_context_t process_context=NULL; ++ if (getcon(&process_context) == 0) { ++ context_t pcon, ucon; ++ char *process_level=NULL; ++ security_context_t orig_context; ++ ++ if (user_context) ++ orig_context = user_context; ++ else ++ orig_context = default_user_context; ++ ++ pcon = context_new(process_context); ++ freecon(process_context); ++ process_level = strdup(context_range_get(pcon)); ++ context_free(pcon); ++ ++ if (debug) ++ pam_syslog (pamh, LOG_DEBUG, "process level=%s", process_level); ++ ++ ucon = context_new(orig_context); ++ ++ context_range_set(ucon, process_level); ++ free(process_level); ++ ++ if (!mls_range_allowed(pamh, orig_context, context_str(ucon), debug)) { ++ send_text(pamh, _("Requested MLS level not in permitted range"), debug); ++ /* even if default_user_context is NULL audit that anyway */ ++ send_audit_message(pamh, 0, default_user_context, context_str(ucon)); ++ 
context_free(ucon); ++ return PAM_AUTH_ERR; ++ } ++ ++ if (debug) ++ pam_syslog (pamh, LOG_DEBUG, "adjusted context=%s", context_str(ucon)); ++ ++ /* replace the user context with the level adjusted one */ ++ freecon(user_context); ++ user_context = strdup(context_str(ucon)); ++ ++ context_free(ucon); ++ } ++ } ++ + if (getexeccon(&prev_user_context)<0) { + prev_user_context=NULL; + } +--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.range 2007-01-04 23:29:04.000000000 +0100 ++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2007-01-04 23:35:03.000000000 +0100 +@@ -36,6 +36,9 @@ + + select_context + ++ ++ use_current_range ++ + + + +@@ -132,6 +135,17 @@ + + + ++ ++ ++ ++ ++ ++ ++ Use the sensitivity range of the process for the user context. ++ This option and the select_context option are mutually exclusive. ++ ++ ++ + + + diff --git a/pam.spec b/pam.spec index b2f9788..b54c4ad 100644 --- a/pam.spec +++ b/pam.spec @@ -11,7 +11,7 @@ Summary: A security tool which provides authentication for applications Name: pam Version: 0.99.6.2 -Release: 7%{?dist} +Release: 8%{?dist} License: GPL or BSD Group: System Environment/Base Source0: http://ftp.us.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-%{version}.tar.bz2 @@ -40,8 +40,10 @@ Patch89: pam-0.99.6.2-namespace-overflow.patch Patch90: pam-0.99.6.2-keyinit-setgid.patch Patch91: pam-0.99.6.2-unix-username.patch Patch92: pam-0.99.6.2-selinux-select-context.patch +Patch93: pam-0.99.6.2-namespace-level.patch +Patch94: pam-0.99.6.2-ja-no-shortcut.patch +Patch95: pam-0.99.6.2-selinux-use-current-range.patch Patch100: pam-0.99.6.2-reconf.patch -Patch101: pam-0.99.6.2-selinux-namespace.patch BuildRoot: %{_tmppath}/%{name}-root Requires: cracklib, cracklib-dicts >= 2.8 
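Review bot: Several return values in the use_current_range block are unchecked or silently skipped: `context_range_get(pcon)` may be NULL and is passed straight to strdup, `ucon = context_new(orig_context)` is dereferenced by context_range_set without a check, the final `user_context = strdup(context_str(ucon))` is not checked before it reaches setexeccon further down, and a getcon failure falls through to the unadjusted user_context. Because this option exists to confine the session to the caller's sensitivity range, the getcon failure should probably fail closed with PAM_AUTH_ERR rather than proceed with the wider context. The existing `return PAM_AUTH_ERR` on the denied range also leaves user_context and default_user_context unreleased, and any new early return needs the same cleanup. The enclosing function starts and ends outside the hunk, and mls_range_allowed is not visible in this diff; the sketch below adds the missing checks.
```c
      if (use_current_range && is_selinux_mls_enabled()) {
          security_context_t process_context=NULL;
          if (getcon(&process_context) < 0) {
              pam_syslog(pamh, LOG_ERR, "Unable to get process context, refusing to adjust MLS range");
              /* fail closed: continuing would run the session outside the caller's range */
              freecon(user_context);
              freecon(default_user_context);
              return PAM_AUTH_ERR;
          }
          /* … unchanged: orig_context selection … */
          pcon = context_new(process_context);
          freecon(process_context);
          if (pcon == NULL || context_range_get(pcon) == NULL) {
              pam_syslog(pamh, LOG_ERR, "Process context has no usable MLS range");
              if (pcon)
                  context_free(pcon);
              freecon(user_context);
              freecon(default_user_context);
              return PAM_AUTH_ERR;
          }
          process_level = strdup(context_range_get(pcon));
          context_free(pcon);
          if (process_level == NULL) {
              pam_syslog(pamh, LOG_ERR, _("Out of memory"));
              freecon(user_context);
              freecon(default_user_context);
              return PAM_AUTH_ERR;
          }
          /* … unchanged: debug log … */
          ucon = context_new(orig_context);
          if (ucon == NULL) {
              pam_syslog(pamh, LOG_ERR, _("Out of memory"));
              free(process_level);
              freecon(user_context);
              freecon(default_user_context);
              return PAM_AUTH_ERR;
          }
          /* … unchanged: context_range_set, mls_range_allowed check, debug log … */
          freecon(user_context);
          user_context = strdup(context_str(ucon));
          context_free(ucon);
          if (user_context == NULL) {
              pam_syslog(pamh, LOG_ERR, _("Out of memory"));
              freecon(default_user_context);
              return PAM_AUTH_ERR;
          }
```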
@@ -50,7 +52,7 @@ Prereq: grep, mktemp, sed, coreutils, /sbin/ldconfig BuildRequires: autoconf, automake, libtool BuildRequires: bison, flex, sed BuildRequires: cracklib-devel, cracklib-dicts >= 2.8 -BuildRequires: perl, pkgconfig +BuildRequires: perl, pkgconfig, gettext %if %{WITH_AUDIT} BuildRequires: audit-libs-devel >= 1.0.8 Requires: audit-libs >= 1.0.8 @@ -109,9 +111,10 @@ cp %{SOURCE7} . %patch90 -p1 -b .setgid %patch91 -p1 -b .username %patch92 -p1 -b .select-context - +%patch93 -p1 -b .selinux-namespace +%patch94 -p1 -b .no-shortcut +%patch95 -p1 -b .range %patch100 -p1 -b .reconf -%patch101 -p1 -b .selinux-namespace #autoreconf %build @@ -150,6 +153,10 @@ LDFLAGS=-L${topdir}/%{_lib} ; export LDFLAGS --libdir=/%{_lib} \ --includedir=%{_includedir}/security \ --enable-isadir=../../%{_lib}/security +# we must explicitely update-gmo as we patch a po file +pushd po +make update-gmo +popd make %install @@ -280,6 +287,12 @@ if [ "$USEMD5" = "no" ] ; then rm -f $tmp fi fi +if [ ! -a /var/log/faillog ] ; then + install -m 600 /dev/null /var/log/faillog +fi +if [ ! -a /var/log/tallylog ] ; then + install -m 600 /dev/null /var/log/tallylog +fi %postun -p /sbin/ldconfig @@ -372,8 +385,8 @@ fi %dir %{_sysconfdir}/security/console.perms.d %config %{_sysconfdir}/security/console.perms.d/50-default.perms %dir /var/run/console -%config(noreplace) %verify(not md5 size mtime) /var/log/faillog -%config(noreplace) %verify(not md5 size mtime) /var/log/tallylog +%ghost %verify(not md5 size mtime) /var/log/faillog +%ghost %verify(not md5 size mtime) /var/log/tallylog %{_mandir}/man5/* %{_mandir}/man8/* 
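Review bot: In the `@@ -280` hunk, `[ ! -a /var/log/faillog ]` relies on the bash-only unary `-a` file test; under a POSIX `sh` the `-a` operator is the binary AND, so the portable and unambiguous form is `if [ ! -e /var/log/faillog ] ; then`, and likewise for `/var/log/tallylog`. Creating the files with `install -m 600 /dev/null` gives root-owned files with no group or world access, which matches what these per-user failure logs need, and pairing that with the `%ghost` entries in the `@@ -372` hunk keeps them out of the package payload while still tracked. This assumes the hunk sits in the %post scriptlet, as the `if [ "$USEMD5" = "no" ]` header context suggests; the scriptlet starts outside the hunk.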
@@ -388,12 +401,22 @@ fi %doc doc/adg/*.txt doc/adg/html %changelog +* Tue Jan 16 2007 Tomas Mraz 0.99.6.2-8 +- properly include /var/log/faillog and tallylog as ghosts + and create them in post script (#209646) +- update gmo files as we patch some po files (#218271) +- add use_current_range option to pam_selinux (#220487) +- improve the role selection in pam_selinux +- remove shortcut on Password: in ja locale (#218271) +- revert to old euid and not ruid when setting euid in pam_keyinit (#219486) +- rename selinux-namespace patch to namespace-level + * Thu Dec 1 2006 Dan Walsh 0.99.6.2-7 -- Fix selection of role +- fix selection of role * Thu Dec 1 2006 Dan Walsh 0.99.6.2-6 -- Fix pam_namespace to only change MLS componant -Resolves: Bug #216184 +- add possibility to pam_namespace to only change MLS component +- Resolves: Bug #216184 * Thu Nov 30 2006 Tomas Mraz 0.99.6.2-5 - add select-context option to pam_selinux (#213812)