Diffstat (limited to 'modules/pam_selinux')
-rw-r--r-- | modules/pam_selinux/Makefile.am | 11 | ||||
-rw-r--r-- | modules/pam_selinux/Makefile.in | 305 | ||||
-rw-r--r-- | modules/pam_selinux/README | 68 | ||||
-rw-r--r-- | modules/pam_selinux/pam_selinux.8 | 242 | ||||
-rw-r--r-- | modules/pam_selinux/pam_selinux.8.xml | 113 | ||||
-rw-r--r-- | modules/pam_selinux/pam_selinux.c | 716 | ||||
-rw-r--r-- | modules/pam_selinux/pam_selinux_check.8 | 2 |
7 files changed, 717 insertions, 740 deletions
diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am index 5c83acb..28c60d8 100644 --- a/modules/pam_selinux/Makefile.am +++ b/modules/pam_selinux/Makefile.am @@ -10,7 +10,7 @@ EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ if HAVE_LIBSELINUX TESTS = tst-pam_selinux - man_MANS = pam_selinux.8 + man_MANS = pam_selinux.8 endif XMLS = README.xml pam_selinux.8.xml @@ -21,12 +21,8 @@ secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(top_srcdir)/libpam_misc/include -pam_selinux_check_LDFLAGS = $(AM_LDFLAGS) \ - -L$(top_builddir)/libpam -lpam \ - -L$(top_builddir)/libpam_misc -lpam_misc - -pam_selinux_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ @LIBAUDIT@ pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module +pam_selinux_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ if HAVE_VERSIONING pam_selinux_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif @@ -34,10 +30,11 @@ endif if HAVE_LIBSELINUX securelib_LTLIBRARIES = pam_selinux.la noinst_PROGRAMS = pam_selinux_check + pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ + $(top_builddir)/libpam_misc/libpam_misc.la endif if ENABLE_REGENERATE_MAN noinst_DATA = README pam_selinux.8 README: pam_selinux.8.xml -include $(top_srcdir)/Make.xml.rules endif - diff --git a/modules/pam_selinux/Makefile.in b/modules/pam_selinux/Makefile.in index 369fc14..d4899a6 100644 --- a/modules/pam_selinux/Makefile.in +++ b/modules/pam_selinux/Makefile.in 
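Review bot: The new `pam_selinux_la_LIBADD` and `pam_selinux_check_LDADD` lines in the second and third Makefile.am hunks give no hint why the libtool archives replaced the `-L$(top_builddir)/libpam -lpam` form being removed, and the difference is not cosmetic: a `-L dir -l name` pair still lets the linker search its default paths, so the link can quietly resolve to an already-installed libpam when the in-tree one has not been built, whereas naming `libpam.la` makes automake record the in-tree library as a real prerequisite (the generated `pam_selinux_la_DEPENDENCIES` and `pam_selinux_check_DEPENDENCIES` in the Makefile.in hunks reflect this). A one-line comment above `pam_selinux_la_LIBADD` would keep the next maintainer from "simplifying" it back, for example `# Link the in-tree libtool archives rather than -L/-l: the build then depends on them and cannot pick up an installed libpam.` The same comment covers `pam_selinux_check_LDADD` in the third hunk, so it need not be repeated there. `pam_selinux_la_LIBADD` now lives outside the `if HAVE_LIBSELINUX` block while `securelib_LTLIBRARIES` is inside it; that is harmless, since unused LIBADD is ignored, but keeping it next to `pam_selinux_la_LDFLAGS` as the hunk does is the right place for it.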
@@ -1,8 +1,9 @@ -# Makefile.in generated by automake 1.10.1 from Makefile.am. +# Makefile.in generated by automake 1.11.1 from Makefile.am. # @configure_input@ # Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, -# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc. +# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation, +# Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, # with or without modifications, as long as this notice is preserved. @@ -22,8 +23,9 @@ VPATH = @srcdir@ pkgdatadir = $(datadir)/@PACKAGE@ -pkglibdir = $(libdir)/@PACKAGE@ pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd install_sh_DATA = $(install_sh) -c -m 644 install_sh_PROGRAM = $(install_sh) -c @@ -44,7 +46,7 @@ subdir = modules/pam_selinux DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ - $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ + $(top_srcdir)/m4/iconv.m4 \ $(top_srcdir)/m4/japhar_grep_cflags.m4 \ $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ 
@@ -53,24 +55,38 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ - $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/pkg.m4 \ - $(top_srcdir)/m4/po.m4 $(top_srcdir)/m4/progtest.m4 \ - $(top_srcdir)/configure.in + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.in am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) -mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs +mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ *) f=$$p;; \ esac; -am__strip_dir = `echo $$p | sed -e 's|^.*/||'`; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" -securelibLTLIBRARIES_INSTALL = $(INSTALL) LTLIBRARIES = $(securelib_LTLIBRARIES) -pam_selinux_la_DEPENDENCIES = +pam_selinux_la_DEPENDENCIES = 
$(top_builddir)/libpam/libpam.la pam_selinux_la_SOURCES = pam_selinux.c pam_selinux_la_OBJECTS = pam_selinux.lo pam_selinux_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ @@ -80,13 +96,13 @@ pam_selinux_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ PROGRAMS = $(noinst_PROGRAMS) pam_selinux_check_SOURCES = pam_selinux_check.c pam_selinux_check_OBJECTS = pam_selinux_check.$(OBJEXT) -pam_selinux_check_LDADD = $(LDADD) -pam_selinux_check_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ - $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ - $(pam_selinux_check_LDFLAGS) $(LDFLAGS) -o $@ +@HAVE_LIBSELINUX_TRUE@pam_selinux_check_DEPENDENCIES = \ +@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam/libpam.la \ +@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam_misc/libpam_misc.la DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) -depcomp = $(SHELL) $(top_srcdir)/depcomp +depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp am__depfiles_maybe = depfiles +am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ @@ -104,6 +120,8 @@ MANS = $(man_MANS) DATA = $(noinst_DATA) ETAGS = etags CTAGS = ctags +am__tty_colors = \ +red=; grn=; lgn=; blu=; std= DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -133,7 +151,6 @@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ FO2PDF = @FO2PDF@ -GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ @@ -191,6 +208,7 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ PACKAGE_NAME = @PACKAGE_NAME@ PACKAGE_STRING = @PACKAGE_STRING@ PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ PACKAGE_VERSION = @PACKAGE_VERSION@ PATH_SEPARATOR = @PATH_SEPARATOR@ PIE_CFLAGS = @PIE_CFLAGS@ 
@@ -208,7 +226,6 @@ USE_NLS = @USE_NLS@ VERSION = @VERSION@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ -XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ XMLCATALOG = @XMLCATALOG@ XMLLINT = @XMLLINT@ XML_CATALOG_FILE = @XML_CATALOG_FILE@ @@ -280,21 +297,20 @@ EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ tst-pam_selinux @HAVE_LIBSELINUX_TRUE@TESTS = tst-pam_selinux -@HAVE_LIBSELINUX_TRUE@man_MANS = pam_selinux.8 +@HAVE_LIBSELINUX_TRUE@man_MANS = pam_selinux.8 XMLS = README.xml pam_selinux.8.xml securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ -I$(top_srcdir)/libpam_misc/include -pam_selinux_check_LDFLAGS = $(AM_LDFLAGS) \ - -L$(top_builddir)/libpam -lpam \ - -L$(top_builddir)/libpam_misc -lpam_misc - -pam_selinux_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ @LIBAUDIT@ pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module \ $(am__append_1) +pam_selinux_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ @HAVE_LIBSELINUX_TRUE@securelib_LTLIBRARIES = pam_selinux.la +@HAVE_LIBSELINUX_TRUE@pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ +@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam_misc/libpam_misc.la + @ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README pam_selinux.8 all: all-am 
@@ -304,14 +320,14 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) @for dep in $?; do \ case '$(am__configure_deps)' in \ *$$dep*) \ - cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ - && exit 0; \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ exit 1;; \ esac; \ done; \ - echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_selinux/Makefile'; \ - cd $(top_srcdir) && \ - $(AUTOMAKE) --gnu modules/pam_selinux/Makefile + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_selinux/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_selinux/Makefile .PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ 
@@ -329,23 +345,28 @@ $(top_srcdir)/configure: $(am__configure_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)" - @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + list2=; for p in $$list; do \ if test -f $$p; then \ - f=$(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \ + list2="$$list2 $$p"; \ else :; fi; \ - done + done; \ + test -z "$$list2" || { \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \ + } uninstall-securelibLTLIBRARIES: @$(NORMAL_UNINSTALL) - @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \ - p=$(am__strip_dir) \ - echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \ - $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \ + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \ done 
clean-securelibLTLIBRARIES: @@ -360,14 +381,16 @@ pam_selinux.la: $(pam_selinux_la_OBJECTS) $(pam_selinux_la_DEPENDENCIES) $(pam_selinux_la_LINK) $(am_pam_selinux_la_rpath) $(pam_selinux_la_OBJECTS) $(pam_selinux_la_LIBADD) $(LIBS) clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; for p in $$list; do \ - f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f $$p $$f"; \ - rm -f $$p $$f ; \ - done + @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list pam_selinux_check$(EXEEXT): $(pam_selinux_check_OBJECTS) $(pam_selinux_check_DEPENDENCIES) @rm -f pam_selinux_check$(EXEEXT) - $(pam_selinux_check_LINK) $(pam_selinux_check_OBJECTS) $(pam_selinux_check_LDADD) $(LIBS) + $(LINK) $(pam_selinux_check_OBJECTS) $(pam_selinux_check_LDADD) $(LIBS) mostlyclean-compile: -rm -f *.$(OBJEXT) 
@@ -380,21 +403,21 @@ distclean-compile: .c.o: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c $< .c.obj: @am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< -@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo @AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $< 
@@ -404,65 +427,58 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man8_MANS) $(man_MANS) +install-man8: $(man_MANS) @$(NORMAL_INSTALL) test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)" - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ + @list=''; test -n "$(man8dir)" || exit 0; \ + { for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ done; \ - for i in $$list; do \ - if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \ - else file=$$i; fi; \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ - $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \ - done + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + uninstall-man8: @$(NORMAL_UNINSTALL) - @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \ - l2='$(man_MANS) $(dist_man_MANS) 
$(nodist_man_MANS)'; \ - for i in $$l2; do \ - case "$$i" in \ - *.8*) list="$$list $$i" ;; \ - esac; \ - done; \ - for i in $$list; do \ - ext=`echo $$i | sed -e 's/^.*\\.//'`; \ - case "$$ext" in \ - 8*) ;; \ - *) ext='8' ;; \ - esac; \ - inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \ - inst=`echo $$inst | sed -e 's/^.*\///'`; \ - inst=`echo $$inst | sed '$(transform)'`.$$ext; \ - echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \ - rm -f "$(DESTDIR)$(man8dir)/$$inst"; \ - done + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + test -z "$$files" || { \ + echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \ + cd "$(DESTDIR)$(man8dir)" && rm -f $$files; } ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ - $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \ + $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ mkid -fID $$unique tags: TAGS TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ + set x; \ here=`pwd`; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ 
@@ -470,37 +486,43 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ - if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ test -n "$$unique" || unique=$$empty_fix; \ - $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ - $$tags $$unique; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ fi ctags: CTAGS CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ $(TAGS_FILES) $(LISP) - tags=; \ list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ unique=`for i in $$list; do \ if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ done | \ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \ END { if (nonempty) { for (i in files) print i; }; }'`; \ - test -z "$(CTAGS_ARGS)$$tags$$unique" \ + test -z "$(CTAGS_ARGS)$$unique" \ || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ - $$tags $$unique + $$unique GTAGS: here=`$(am__cd) $(top_builddir) && pwd` \ - && cd $(top_srcdir) \ - && gtags -i $(GTAGS_ARGS) $$here + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" distclean-tags: -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags check-TESTS: $(TESTS) - @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + @failed=0; all=0; xfail=0; xpass=0; skip=0; \ srcdir=$(srcdir); export srcdir; \ list=' $(TESTS) '; \ + $(am__tty_colors); \ if test -n "$$list"; then \ for tst in $$list; do \ if test -f ./$$tst; then dir=./; \ 
@@ -509,49 +531,63 @@ check-TESTS: $(TESTS) if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ - *$$ws$$tst$$ws*) \ + *[\ \ ]$$tst[\ \ ]*) \ xpass=`expr $$xpass + 1`; \ failed=`expr $$failed + 1`; \ - echo "XPASS: $$tst"; \ + col=$$red; res=XPASS; \ ;; \ *) \ - echo "PASS: $$tst"; \ + col=$$grn; res=PASS; \ ;; \ esac; \ elif test $$? -ne 77; then \ all=`expr $$all + 1`; \ case " $(XFAIL_TESTS) " in \ - *$$ws$$tst$$ws*) \ + *[\ \ ]$$tst[\ \ ]*) \ xfail=`expr $$xfail + 1`; \ - echo "XFAIL: $$tst"; \ + col=$$lgn; res=XFAIL; \ ;; \ *) \ failed=`expr $$failed + 1`; \ - echo "FAIL: $$tst"; \ + col=$$red; res=FAIL; \ ;; \ esac; \ else \ skip=`expr $$skip + 1`; \ - echo "SKIP: $$tst"; \ + col=$$blu; res=SKIP; \ fi; \ + echo "$${col}$$res$${std}: $$tst"; \ done; \ + if test "$$all" -eq 1; then \ + tests="test"; \ + All=""; \ + else \ + tests="tests"; \ + All="All "; \ + fi; \ if test "$$failed" -eq 0; then \ if test "$$xfail" -eq 0; then \ - banner="All $$all tests passed"; \ + banner="$$All$$all $$tests passed"; \ else \ - banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \ + banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \ fi; \ else \ if test "$$xpass" -eq 0; then \ - banner="$$failed of $$all tests failed"; \ + banner="$$failed of $$all $$tests failed"; \ else \ - banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \ + banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \ fi; \ fi; \ dashes="$$banner"; \ skipped=""; \ if test "$$skip" -ne 0; then \ - skipped="($$skip tests were not run)"; \ + if test "$$skip" -eq 1; then \ + skipped="($$skip test was not run)"; \ + else \ + skipped="($$skip tests were not run)"; \ + fi; \ test `echo "$$skipped" 
| wc -c` -le `echo "$$banner" | wc -c` || \ dashes="$$skipped"; \ fi; \ @@ -562,15 +598,32 @@ check-TESTS: $(TESTS) dashes="$$report"; \ fi; \ dashes=`echo "$$dashes" | sed s/./=/g`; \ - echo "$$dashes"; \ + if test "$$failed" -eq 0; then \ + echo "$$grn$$dashes"; \ + else \ + echo "$$red$$dashes"; \ + fi; \ echo "$$banner"; \ test -z "$$skipped" || echo "$$skipped"; \ test -z "$$report" || echo "$$report"; \ - echo "$$dashes"; \ + echo "$$dashes$$std"; \ test "$$failed" -eq 0; \ else :; fi distdir: $(DISTFILES) + @list='$(MANS)'; if test -n "$$list"; then \ + list=`for p in $$list; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \ + if test -n "$$list" && \ + grep 'ab help2man is required to generate this page' $$list >/dev/null; then \ + echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \ + grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \ + echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \ + echo " typically \`make maintainer-clean' will remove them" >&2; \ + exit 1; \ + else :; fi; \ + else :; fi @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ 
@@ -586,13 +639,17 @@ distdir: $(DISTFILES) if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ if test -d $$d/$$file; then \ dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ - cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ fi; \ - cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ else \ - test -f $(distdir)/$$file \ - || cp -p $$d/$$file $(distdir)/$$file \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ || exit 1; \ fi; \ done @@ -625,6 +682,7 @@ clean-generic: distclean-generic: -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) maintainer-clean-generic: @echo "This command is intended for maintainers to use" @@ -647,6 +705,8 @@ dvi-am: html: html-am +html-am: + info: info-am info-am: @@ -655,18 +715,28 @@ install-data-am: install-man install-securelibLTLIBRARIES install-dvi: install-dvi-am +install-dvi-am: + install-exec-am: install-html: install-html-am +install-html-am: + install-info: install-info-am +install-info-am: + install-man: install-man8 install-pdf: install-pdf-am +install-pdf-am: + install-ps: install-ps-am +install-ps-am: + installcheck-am: maintainer-clean: maintainer-clean-am @@ -691,7 +761,7 @@ uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES uninstall-man: uninstall-man8 -.MAKE: install-am install-strip +.MAKE: check-am install-am install-strip .PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \ clean-generic clean-libtool clean-noinstPROGRAMS \ 
@@ -711,6 +781,7 @@ uninstall-man: uninstall-man8 @ENABLE_REGENERATE_MAN_TRUE@README: pam_selinux.8.xml @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/modules/pam_selinux/README b/modules/pam_selinux/README index 6721790..fb4d449 100644 --- a/modules/pam_selinux/README +++ b/modules/pam_selinux/README 
@@ -4,58 +4,66 @@ pam_selinux — PAM module to set the default security context DESCRIPTION -In a nutshell, pam_selinux sets up the default security context for the next -execed shell. - -When an application opens a session using pam_selinux, the shell that gets -executed will be run in the default security context, or if the user chooses -and the pam file allows the selected security context. Also the controlling tty -will have it's security context modified to match the users. - -Adding pam_selinux into a pam file could cause other pam modules to change -their behavior if the exec another application. The close and open option help -mitigate this problem. close option will only cause the close portion of the -pam_selinux to execute, and open will only cause the open portion to run. You -can add pam_selinux to the config file twice. Add the pam_selinux close as the -executes the open pass through the modules, pam_selinux open_session will -happen last. When PAM executes the close pass through the modules pam_selinux -close_session will happen first. +pam_selinux is a PAM module that sets up the default SELinux security context +for the next executed process. + +When a new session is started, the open_session part of the module computes and +sets up the execution security context used for the next execve(2) call, the +file security context for the controlling terminal, and the security context +used for creating a new kernel keyring. + +When the session is ended, the close_session part of the module restores old +security contexts that were in effect before the change made by the +open_session part of the module. + +Adding pam_selinux into the PAM stack might disrupt behavior of other PAM +modules which execute applications. To avoid that, pam_selinux.so open should +be placed after such modules in the PAM stack, and pam_selinux.so close should +be placed before them. 
When such a placement is not feasible, pam_selinux.so +restore could be used to temporary restore original security contexts. OPTIONS -close +open - Only execute the close_session portion of the module. + Only execute the open_session part of the module. -debug +close - Turns on debugging via syslog(3). + Only execute the close_session part of the module. -open +restore - Only execute the open_session portion of the module. + In open_session part of the module, temporarily restore the security + contexts as they were before the previous call of the module. Another call + of this module without the restore option will set up the new security + contexts again. nottys - Do not try to setup the ttys security context. + Do not setup security context of the controlling terminal. + +debug + + Turn on debug messages via syslog(3). verbose - attempt to inform the user when security context is set. + Attempt to inform the user when security context is set. select_context - Attempt to ask the user for a custom security context role. If MLS is on + Attempt to ask the user for a custom security context role. If MLS is on, ask also for sensitivity level. env_params Attempt to obtain a custom security context role from PAM environment. If - MLS is on obtain also sensitivity level. This option and the select_context - option are mutually exclusive. The respective PAM environment variables are - SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, and - SELINUX_USE_CURRENT_RANGE. The first two variables are self describing and - the last one if set to 1 makes the PAM module behave as if the + MLS is on, obtain also sensitivity level. This option and the + select_context option are mutually exclusive. The respective PAM + environment variables are SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, + and SELINUX_USE_CURRENT_RANGE. 
The first two variables are self describing + and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module. use_current_range diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8 index 84d975e..acd4f0d 100644 --- a/modules/pam_selinux/pam_selinux.8 +++ b/modules/pam_selinux/pam_selinux.8 
@@ -1,161 +1,22 @@ +'\" t .\" Title: pam_selinux .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/> -.\" Date: 06/21/2011 +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 06/18/2013 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" -.TH "PAM_SELINUX" "8" "06/21/2011" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SELINUX" "8" "06/18/2013" "Linux-PAM Manual" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- -.\" * (re)Define some macros +.\" * Define some portability stuff .\" ----------------------------------------------------------------- .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" toupper - uppercase a string (locale-aware) +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html .\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de toupper -.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ -\\$* -.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SH-xref - format a cross-reference to an SH section -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de SH-xref -.ie n \{\ -.\} -.toupper \\$* -.el \{\ -\\$* -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SH - level-one heading that works better for non-TTY output -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de1 SH -.\" put an extra blank line of space above the head in non-TTY output -.if t \{\ -.sp 1 -.\} -.sp \\n[PD]u -.nr an-level 1 -.set-an-margin -.nr an-prevailing-indent \\n[IN] -.fi -.in \\n[an-margin]u -.ti 0 -.HTML-TAG ".NH \\n[an-level]" -.it 1 an-trap -.nr an-no-space-flag 1 -.nr an-break-flag 1 -\." 
make the size of the head bigger -.ps +3 -.ft B -.ne (2v + 1u) -.ie n \{\ -.\" if n (TTY output), use uppercase -.toupper \\$* -.\} -.el \{\ -.nr an-break-flag 0 -.\" if not n (not TTY), use normal case (not uppercase) -\\$1 -.in \\n[an-margin]u -.ti 0 -.\" if not n (not TTY), put a border/line under subheading -.sp -.6 -\l'\n(.lu' -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" SS - level-two heading that works better for non-TTY output -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de1 SS -.sp \\n[PD]u -.nr an-level 1 -.set-an-margin -.nr an-prevailing-indent \\n[IN] -.fi -.in \\n[IN]u -.ti \\n[SN]u -.it 1 an-trap -.nr an-no-space-flag 1 -.nr an-break-flag 1 -.ps \\n[PS-SS]u -\." make the size of the head bigger -.ps +2 -.ft B -.ne (2v + 1u) -.if \\n[.$] \&\\$* -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" BB/BE - put background/screen (filled box) around block of text -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de BB -.if t \{\ -.sp -.5 -.br -.in +2n -.ll -2n -.gcolor red -.di BX -.\} -.. -.de EB -.if t \{\ -.if "\\$2"adjust-for-leading-newline" \{\ -.sp -1 -.\} -.br -.di -.in -.ll -.gcolor -.nr BW \\n(.lu-\\n(.i -.nr BH \\n(dn+.5v -.ne \\n(BHu+.5v -.ie "\\$2"adjust-for-leading-newline" \{\ -\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -.\} -.el \{\ -\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[] -.\} -.in 0 -.sp -.5v -.nf -.BX -.in -.sp .5v -.fi -.\} -.. -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.\" BM/EM - put colored marker in margin next to block of text -.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -.de BM -.if t \{\ -.br -.ll -2n -.gcolor red -.di BX -.\} -.. 
-.de EM -.if t \{\ -.br -.di -.ll -.gcolor -.nr BH \\n(dn -.ne \\n(BHu -\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[] -.in 0 -.nf -.BX -.in -.fi -.\} -.. +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' .\" ----------------------------------------------------------------- .\" * set default formatting .\" ----------------------------------------------------------------- 
@@ -166,56 +27,69 @@ .\" ----------------------------------------------------------------- .\" * MAIN CONTENT STARTS HERE * .\" ----------------------------------------------------------------- -.SH "Name" +.SH "NAME" pam_selinux \- PAM module to set the default security context -.SH "Synopsis" -.fam C +.SH "SYNOPSIS" .HP \w'\fBpam_selinux\&.so\fR\ 'u -\fBpam_selinux\&.so\fR [close] [debug] [open] [nottys] [verbose] [select_context] [env_params] [use_current_range] -.fam +\fBpam_selinux\&.so\fR [open] [close] [restore] [nottys] [debug] [verbose] [select_context] [env_params] [use_current_range] .SH "DESCRIPTION" .PP -In a nutshell, pam_selinux sets up the default security context for the next execed shell\&. +pam_selinux is a PAM module that sets up the default SELinux security context for the next executed process\&. .PP -When an application opens a session using pam_selinux, the shell that gets executed will be run in the default security context, or if the user chooses and the pam file allows the selected security context\&. Also the controlling tty will have it\'s security context modified to match the users\&. +When a new session is started, the open_session part of the module computes and sets up the execution security context used for the next +\fBexecve\fR(2) +call, the file security context for the controlling terminal, and the security context used for creating a new kernel keyring\&. .PP -Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application\&. The close and open option help mitigate this problem\&. close option will only cause the close portion of the pam_selinux to execute, and open will only cause the open portion to run\&. You can add pam_selinux to the config file twice\&. Add the pam_selinux close as the executes the open pass through the modules, pam_selinux open_session will happen last\&. 
When PAM executes the close pass through the modules pam_selinux close_session will happen first\&. +When the session is ended, the close_session part of the module restores old security contexts that were in effect before the change made by the open_session part of the module\&. +.PP +Adding pam_selinux into the PAM stack might disrupt behavior of other PAM modules which execute applications\&. To avoid that, +\fIpam_selinux\&.so open\fR +should be placed after such modules in the PAM stack, and +\fIpam_selinux\&.so close\fR +should be placed before them\&. When such a placement is not feasible, +\fIpam_selinux\&.so restore\fR +could be used to temporary restore original security contexts\&. .SH "OPTIONS" .PP -\fBclose\fR +\fBopen\fR .RS 4 -Only execute the close_session portion of the module\&. +Only execute the open_session part of the module\&. .RE .PP -\fBdebug\fR +\fBclose\fR .RS 4 -Turns on debugging via -\fBsyslog\fR(3)\&. +Only execute the close_session part of the module\&. .RE .PP -\fBopen\fR +\fBrestore\fR .RS 4 -Only execute the open_session portion of the module\&. +In open_session part of the module, temporarily restore the security contexts as they were before the previous call of the module\&. Another call of this module without the restore option will set up the new security contexts again\&. .RE .PP \fBnottys\fR .RS 4 -Do not try to setup the ttys security context\&. +Do not setup security context of the controlling terminal\&. +.RE +.PP +\fBdebug\fR +.RS 4 +Turn on debug messages via +\fBsyslog\fR(3)\&. .RE .PP \fBverbose\fR .RS 4 -attempt to inform the user when security context is set\&. +Attempt to inform the user when security context is set\&. .RE .PP \fBselect_context\fR .RS 4 -Attempt to ask the user for a custom security context role\&. If MLS is on ask also for sensitivity level\&. +Attempt to ask the user for a custom security context role\&. If MLS is on, ask also for sensitivity level\&. 
.RE .PP \fBenv_params\fR .RS 4 -Attempt to obtain a custom security context role from PAM environment\&. If MLS is on obtain also sensitivity level\&. This option and the select_context option are mutually exclusive\&. The respective PAM environment variables are +Attempt to obtain a custom security context role from PAM environment\&. If MLS is on, obtain also sensitivity level\&. This option and the select_context option are mutually exclusive\&. The respective PAM environment variables are \fISELINUX_ROLE_REQUESTED\fR, \fISELINUX_LEVEL_REQUESTED\fR, and \fISELINUX_USE_CURRENT_RANGE\fR\&. The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module\&. @@ -232,54 +106,46 @@ Only the module type is provided\&. .SH "RETURN VALUES" .PP -PAM_AUTH_ERR +PAM_SUCCESS .RS 4 -Unable to get or set a valid context\&. +The security context was set successfully\&. .RE .PP -PAM_SUCCESS +PAM_SESSION_ERR .RS 4 -The security context was set successfully\&. +Unable to get or set a valid context\&. .RE .PP PAM_USER_UNKNOWN .RS 4 The user is not known to the system\&. .RE +.PP +PAM_BUF_ERR +.RS 4 +Memory allocation error\&. +.RE .SH "EXAMPLES" .sp .if n \{\ .RS 4 .\} -.fam C -.ps -1 .nf -.if t \{\ -.sp -1 -.\} -.BB lightgray adjust-for-leading-newline -.sp -1 - auth required pam_unix\&.so session required pam_permit\&.so session optional pam_selinux\&.so -.EB lightgray adjust-for-leading-newline -.if t \{\ -.sp 1 -.\} .fi -.fam -.ps +1 .if n \{\ .RE .\} .SH "SEE ALSO" .PP - -\fBpam.conf\fR(5), +\fBexecve\fR(2), +\fBtty\fR(4), \fBpam.d\fR(5), -\fBpam\fR(8) +\fBpam\fR(8), +\fBselinux\fR(8) .SH "AUTHOR" .PP pam_selinux was written by Dan Walsh <dwalsh@redhat\&.com>\&. diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml index 2c1cdb2..28d465f 100644 --- a/modules/pam_selinux/pam_selinux.8.xml +++ b/modules/pam_selinux/pam_selinux.8.xml 
@@ -19,18 +19,21 @@ <cmdsynopsis id="pam_selinux-cmdsynopsis"> <command>pam_selinux.so</command> <arg choice="opt"> - close + open </arg> <arg choice="opt"> - debug + close </arg> <arg choice="opt"> - open + restore </arg> <arg choice="opt"> nottys </arg> <arg choice="opt"> + debug + </arg> + <arg choice="opt"> verbose </arg> <arg choice="opt"> 
@@ -48,26 +51,31 @@ <refsect1 id="pam_selinux-description"> <title>DESCRIPTION</title> <para> - In a nutshell, pam_selinux sets up the default security context for the - next execed shell. + pam_selinux is a PAM module that sets up the default SELinux security + context for the next executed process. + </para> + <para> + When a new session is started, the open_session part of the module + computes and sets up the execution security context used for the next + <citerefentry> + <refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum> + </citerefentry> + call, the file security context for the controlling terminal, and + the security context used for creating a new kernel keyring. </para> <para> - When an application opens a session using pam_selinux, the shell that - gets executed will be run in the default security context, or if the - user chooses and the pam file allows the selected security context. - Also the controlling tty will have it's security context modified to - match the users. + When the session is ended, the close_session part of the module restores + old security contexts that were in effect before the change made + by the open_session part of the module. </para> <para> - Adding pam_selinux into a pam file could cause other pam modules to - change their behavior if the exec another application. The close and - open option help mitigate this problem. close option will only cause - the close portion of the pam_selinux to execute, and open will only - cause the open portion to run. You can add pam_selinux to the config - file twice. Add the pam_selinux close as the executes the open pass - through the modules, pam_selinux open_session will happen last. - When PAM executes the close pass through the modules pam_selinux - close_session will happen first. + Adding pam_selinux into the PAM stack might disrupt behavior of other + PAM modules which execute applications. 
To avoid that, + <emphasis>pam_selinux.so open</emphasis> should be placed after such + modules in the PAM stack, and <emphasis>pam_selinux.so close</emphasis> + should be placed before them. When such a placement is not feasible, + <emphasis>pam_selinux.so restore</emphasis> could be used to temporary + restore original security contexts. </para> </refsect1> @@ -76,34 +84,34 @@ <variablelist> <varlistentry> <term> - <option>close</option> + <option>open</option> </term> <listitem> <para> - Only execute the close_session portion of the module. + Only execute the open_session part of the module. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>debug</option> + <option>close</option> </term> <listitem> <para> - Turns on debugging via - <citerefentry> - <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> - </citerefentry>. + Only execute the close_session part of the module. </para> </listitem> </varlistentry> <varlistentry> <term> - <option>open</option> + <option>restore</option> </term> <listitem> <para> - Only execute the open_session portion of the module. + In open_session part of the module, temporarily restore the + security contexts as they were before the previous call of + the module. Another call of this module without the restore + option will set up the new security contexts again. </para> </listitem> </varlistentry> @@ -113,7 +121,20 @@ </term> <listitem> <para> - Do not try to setup the ttys security context. + Do not setup security context of the controlling terminal. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Turn on debug messages via + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. </para> </listitem> </varlistentry> 
@@ -123,7 +144,7 @@ </term> <listitem> <para> - attempt to inform the user when security context is set. + Attempt to inform the user when security context is set. </para> </listitem> </varlistentry> @@ -134,7 +155,7 @@ <listitem> <para> Attempt to ask the user for a custom security context role. - If MLS is on ask also for sensitivity level. + If MLS is on, ask also for sensitivity level. </para> </listitem> </varlistentry> @@ -145,11 +166,11 @@ <listitem> <para> Attempt to obtain a custom security context role from PAM environment. - If MLS is on obtain also sensitivity level. This option and the - select_context option are mutually exclusive. The respective PAM + If MLS is on, obtain also sensitivity level. This option and the + select_context option are mutually exclusive. The respective PAM environment variables are <emphasis>SELINUX_ROLE_REQUESTED</emphasis>, <emphasis>SELINUX_LEVEL_REQUESTED</emphasis>, and - <emphasis>SELINUX_USE_CURRENT_RANGE</emphasis>. The first two variables + <emphasis>SELINUX_USE_CURRENT_RANGE</emphasis>. The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module. </para> @@ -181,18 +202,18 @@ <title>RETURN VALUES</title> <variablelist> <varlistentry> - <term>PAM_AUTH_ERR</term> + <term>PAM_SUCCESS</term> <listitem> <para> - Unable to get or set a valid context. + The security context was set successfully. </para> </listitem> </varlistentry> <varlistentry> - <term>PAM_SUCCESS</term> + <term>PAM_SESSION_ERR</term> <listitem> <para> - The security context was set successfully. + Unable to get or set a valid context. </para> </listitem> </varlistentry> @@ -204,6 +225,14 @@ </para> </listitem> </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory allocation error. + </para> + </listitem> + </varlistentry> </variablelist> </refsect1> 
@@ -220,13 +249,19 @@ session optional pam_selinux.so <title>SEE ALSO</title> <para> <citerefentry> - <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> + <refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>tty</refentrytitle><manvolnum>4</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum> </citerefentry> </para> </refsect1> diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index f99d433..b96cc23 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -87,6 +87,7 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau int audit_fd = audit_open(); security_context_t default_raw=NULL; security_context_t selected_raw=NULL; + const void *tty = NULL, *rhost = NULL; rc = -1; if (audit_fd < 0) { if (errno == EINVAL || errno == EPROTONOSUPPORT || @@ -95,6 +96,8 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau pam_syslog(pamh, LOG_ERR, "Error connecting to audit system."); return rc; } + (void)pam_get_item(pamh, PAM_TTY, &tty); + (void)pam_get_item(pamh, PAM_RHOST, &rhost); if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { pam_syslog(pamh, LOG_ERR, "Error translating default context."); default_raw = NULL; @@ -110,7 +113,7 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau goto out; } if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, - msg, NULL, NULL, NULL, success) <= 0) { + msg, rhost, NULL, tty, success) <= 0) { pam_syslog(pamh, LOG_ERR, "Error sending audit message."); goto out; } 
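Review bot: In the `@@ -110,7 +113,7 @@` hunk PAM_RHOST is handed to audit_log_user_message() as its `hostname` argument while `addr` stays NULL; as far as I recall, libaudit then tries to resolve that hostname to an address (getaddrinfo) before it writes the record, which puts a blocking name lookup keyed by a string the calling service took from the remote peer into every session open/close. The `@@ -87` and `@@ -95` hunks only stage the two items and share this point. If that resolution is intended, it deserves a comment at the call, e.g. `/* rhost is service-supplied (often a peer address); libaudit may try to resolve it */`; if not, consider whether the value belongs in `addr` instead. It is also worth noting in the same comment that, to my knowledge, libaudit formats hostname= and terminal= into the record unescaped, so audit consumers should not rely on field boundaries in these values. The rest of send_audit_message is outside the hunks.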
@@ -142,7 +145,7 @@ query_response (pam_handle_t *pamh, const char *text, const char *def,
 char **response, int debug)
 {
 int rc;
- if (def) 
+ if (def)
 rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s [%s] ", text, def);
 else
 rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s ", text);
@@ -150,7 +153,7 @@ query_response (pam_handle_t *pamh, const char *text, const char *def,
 if (*response == NULL) {
 rc = PAM_CONV_ERR;
 }
- 
+
 if (rc != PAM_SUCCESS) {
 pam_syslog(pamh, LOG_WARNING, "No response to query: %s", text);
 } else if (debug)
@@ -158,81 +161,6 @@ query_response (pam_handle_t *pamh, const char *text, const char *def, return rc; } -static security_context_t -manual_context (pam_handle_t *pamh, const char *user, int debug) -{ - security_context_t newcon=NULL; - context_t new_context; - int mls_enabled = is_selinux_mls_enabled(); - char *type=NULL; - char *response=NULL; - - while (1) { - if (query_response(pamh, - _("Would you like to enter a security context? [N] "), NULL, - &response, debug) != PAM_SUCCESS) - return NULL; - - if ((response[0] == 'y') || (response[0] == 'Y')) - { - if (mls_enabled) - new_context = context_new ("user:role:type:level"); - else - new_context = context_new ("user:role:type"); - - if (!new_context) - goto fail_set; - - if (context_user_set (new_context, user)) - goto fail_set; - - _pam_drop(response); - /* Allow the user to enter each field of the context individually */ - if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS && - response[0] != '\0') { - if (context_role_set (new_context, response)) - goto fail_set; - if (get_default_type(response, &type)) - goto fail_set; - if (context_type_set (new_context, type)) - goto fail_set; - _pam_drop(type); - } - _pam_drop(response); - - if (mls_enabled) - { - if (query_response(pamh, _("level:"), NULL, &response, debug) == PAM_SUCCESS && - response[0] != '\0') { - if (context_range_set (new_context, response)) - goto fail_set; - } - _pam_drop(response); - } - - /* Get the string value of the context and see if it is valid. 
*/ - if (!security_check_context(context_str(new_context))) { - newcon = strdup(context_str(new_context)); - context_free (new_context); - return newcon; - } - else - send_text(pamh,_("Not a valid security context"),debug); - - context_free (new_context); - } - else { - _pam_drop(response); - return NULL; - } - } /* end while */ - fail_set: - free(type); - _pam_drop(response); - context_free (new_context); - return NULL; -} - static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug) { struct av_decision avd; @@ -283,7 +211,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre while (1) { if (query_response(pamh, - _("Would you like to enter a different role or level?"), "n", + _("Would you like to enter a different role or level?"), "n", &response, debug) == PAM_SUCCESS) { resp_val = response[0]; _pam_drop(response); @@ -293,22 +221,22 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre if ((resp_val == 'y') || (resp_val == 'Y')) { if ((new_context = context_new(defaultcon)) == NULL) - goto fail_set; + goto fail_set; /* Allow the user to enter role and level individually */ - if (query_response(pamh, _("role:"), context_role_get(new_context), + if (query_response(pamh, _("role:"), context_role_get(new_context), &response, debug) == PAM_SUCCESS && response[0]) { if (get_default_type(response, &type)) { pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), response); _pam_drop(response); continue; } else { - if (context_role_set(new_context, response)) + if (context_role_set(new_context, response)) goto fail_set; if (context_type_set (new_context, type)) goto fail_set; _pam_drop(type); - } + } } _pam_drop(response); 
@@ -320,9 +248,9 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre if (getcon(&mycon) != 0) goto fail_set; - my_context = context_new(mycon); + my_context = context_new(mycon); if (my_context == NULL) { - freecon(mycon); + freecon(mycon); goto fail_set; } freecon(mycon); @@ -331,11 +259,11 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre goto fail_set; } context_free(my_context); - } else if (query_response(pamh, _("level:"), context_range_get(new_context), + } else if (query_response(pamh, _("level:"), context_range_get(new_context), &response, debug) == PAM_SUCCESS && response[0]) { if (context_range_set(new_context, response)) goto fail_set; - } + } _pam_drop(response); } @@ -355,7 +283,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); - send_audit_message(pamh, 0, defaultcon, newcon); + send_audit_message(pamh, 0, defaultcon, newcon); free(newcon); goto fail_range; @@ -380,7 +308,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre context_free (new_context); send_audit_message(pamh, 0, defaultcon, NULL); fail_range: - return NULL; + return NULL; } static security_context_t @@ -405,7 +333,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par pam_syslog(pamh, LOG_NOTICE, "No default type for role %s", env); goto fail_set; } else { - if (context_role_set(new_context, env)) + if (context_role_set(new_context, env)) goto fail_set; if (context_type_set(new_context, type)) goto fail_set; 
@@ -449,7 +377,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par if (debug) pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", newcon); - + /* Get the string value of the context and see if it is valid. */ if (security_check_context(newcon)) { pam_syslog(pamh, LOG_NOTICE, "Not a valid security context %s", newcon); 
@@ -480,139 +408,296 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par return newcon; } +#define DATANAME "pam_selinux_context" +typedef struct { + security_context_t exec_context; + security_context_t prev_exec_context; + security_context_t default_user_context; + security_context_t tty_context; + security_context_t prev_tty_context; + char *tty_path; +} module_data_t; + +static void +free_module_data(module_data_t *data) +{ + free(data->tty_path); + freecon(data->prev_tty_context); + freecon(data->tty_context); + freecon(data->default_user_context); + freecon(data->prev_exec_context); + if (data->exec_context != data->default_user_context) + freecon(data->exec_context); + memset(data, 0, sizeof(*data)); + free(data); +} + static void -security_restorelabel_tty(const pam_handle_t *pamh, - const char *tty, security_context_t context) +cleanup(pam_handle_t *pamh UNUSED, void *data, int err UNUSED) +{ + free_module_data(data); +} + +static const module_data_t * +get_module_data(const pam_handle_t *pamh) +{ + const void *data; + + return (pam_get_data(pamh, DATANAME, &data) == PAM_SUCCESS) ? data : NULL; +} + +static const char * +get_item(const pam_handle_t *pamh, int item_type) +{ + const void *item; + + return (pam_get_item(pamh, item_type, &item) == PAM_SUCCESS) ? item : NULL; +} + +static int +set_exec_context(const pam_handle_t *pamh, security_context_t context) +{ + if (setexeccon(context) == 0) + return 0; + pam_syslog(pamh, LOG_ERR, "Setting executable context \"%s\" failed: %m", + context ? context : ""); + return -1; +} + +static int +set_file_context(const pam_handle_t *pamh, security_context_t context, + const char *file) { - char ttybuf[PATH_MAX]; - const char *ptr; + if (!file) + return 0; + if (setfilecon(file, context) == 0 || errno == ENOENT) + return 0; + pam_syslog(pamh, LOG_ERR, "Setting file context \"%s\" failed for %s: %m", + context ? 
context : "", file); + return -1; +} - if (context==NULL) - return; +static int +compute_exec_context(pam_handle_t *pamh, module_data_t *data, + int select_context, int use_current_range, + int env_params, int debug) +{ + const char *username; - if(strncmp("/dev/", tty, 5)) { - snprintf(ttybuf,sizeof(ttybuf),"/dev/%s",tty); - ptr = ttybuf; +#ifdef HAVE_GETSEUSER + const char *service; +#endif + char *seuser = NULL; + char *level = NULL; + security_context_t *contextlist = NULL; + int num_contexts = 0; + + if (!(username = get_item(pamh, PAM_USER))) { + pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name"); + return PAM_USER_UNKNOWN; } - else - ptr = tty; - if (setfilecon(ptr, context) && errno != ENOENT) - { - pam_syslog(pamh, LOG_NOTICE, - "Warning! Could not relabel %s with %s, not relabeling: %m", - ptr, context); + /* compute execute context */ +#ifdef HAVE_GETSEUSER + if (!(service = get_item(pamh, PAM_SERVICE))) { + pam_syslog(pamh, LOG_ERR, "Cannot obtain the service name"); + return PAM_SESSION_ERR; } + if (getseuser(username, service, &seuser, &level) == 0) { +#else + if (getseuserbyname(username, &seuser, &level) == 0) { +#endif + num_contexts = get_ordered_context_list_with_level(seuser, level, NULL, + &contextlist); + if (debug) + pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User= %s Level= %s", + username, seuser, level); + free(level); + } + if (num_contexts > 0) { + free(seuser); + data->default_user_context = strdup(contextlist[0]); + freeconary(contextlist); + if (!data->default_user_context) { + pam_syslog(pamh, LOG_ERR, "Out of memory"); + return PAM_BUF_ERR; + } + + data->exec_context = data->default_user_context; + if (select_context) + data->exec_context = config_context(pamh, data->default_user_context, + use_current_range, debug); + else if (env_params || use_current_range) + data->exec_context = context_from_env(pamh, data->default_user_context, + env_params, use_current_range, + debug); + } + + if (!data->exec_context) { + 
pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s", username); + pam_prompt(pamh, PAM_ERROR_MSG, NULL, + _("Unable to get valid context for %s"), username); + } + + if (getexeccon(&data->prev_exec_context) < 0) + data->prev_exec_context = NULL; + + return PAM_SUCCESS; } -static security_context_t -security_label_tty(pam_handle_t *pamh, char *tty, - security_context_t usercon) +static int +compute_tty_context(const pam_handle_t *pamh, module_data_t *data) { - char ttybuf[PATH_MAX]; - int status=0; - security_context_t newdev_context=NULL; /* The new context of a device */ - security_context_t prev_context=NULL; /* The new context of a device */ - const char *ptr; - - if(strncmp("/dev/", tty, 5)) - { - snprintf(ttybuf,sizeof(ttybuf),"/dev/%s",tty); - ptr = ttybuf; + const char *tty = get_item(pamh, PAM_TTY); + + if (!tty || !*tty || !strcmp(tty, "ssh") || !strncmp(tty, "NODEV", 5)) { + tty = ttyname(STDIN_FILENO); + if (!tty || !*tty) + tty = ttyname(STDOUT_FILENO); + if (!tty || !*tty) + tty = ttyname(STDERR_FILENO); + if (!tty || !*tty) + return PAM_SUCCESS; } - else - ptr = tty; - - if (getfilecon(ptr, &prev_context) < 0) - { - if(errno != ENOENT) - pam_syslog(pamh, LOG_NOTICE, - "Warning! Could not get current context for %s, not relabeling: %m", - ptr); - return NULL; + + if (strncmp("/dev/", tty, 5)) { + if (asprintf(&data->tty_path, "%s%s", "/dev/", tty) < 0) + data->tty_path = NULL; + } else { + data->tty_path = strdup(tty); } - if( security_compute_relabel(usercon,prev_context,SECCLASS_CHR_FILE, - &newdev_context)!=0) - { - pam_syslog(pamh, LOG_NOTICE, - "Warning! Could not get new context for %s, not relabeling: %m", - ptr); - pam_syslog(pamh, LOG_NOTICE, - "usercon=%s, prev_context=%s", usercon, prev_context); - freecon(prev_context); - return NULL; + + if (!data->tty_path) { + pam_syslog(pamh, LOG_ERR, "Out of memory"); + return PAM_BUF_ERR; } - status=setfilecon(ptr,newdev_context); - if (status) - { - pam_syslog(pamh, LOG_NOTICE, - "Warning! 
Could not relabel %s with %s, not relabeling: %m", - ptr,newdev_context); - freecon(prev_context); - prev_context=NULL; + + if (getfilecon(data->tty_path, &data->prev_tty_context) < 0) { + data->prev_tty_context = NULL; + if (errno == ENOENT) { + free(data->tty_path); + data->tty_path = NULL; + return PAM_SUCCESS; + } + pam_syslog(pamh, LOG_ERR, "Failed to get current context for %s: %m", + data->tty_path); + return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; } - freecon(newdev_context); - return prev_context; -} -static security_context_t user_context=NULL; -static security_context_t prev_user_context=NULL; -static security_context_t ttyn_context=NULL; /* The current context of ttyn device */ -static int selinux_enabled=0; -static char *ttyn=NULL; + if (security_compute_relabel(data->exec_context, data->prev_tty_context, + SECCLASS_CHR_FILE, &data->tty_context)) { + data->tty_context = NULL; + pam_syslog(pamh, LOG_ERR, "Failed to compute new context for %s: %m", + data->tty_path); + freecon(data->prev_tty_context); + data->prev_tty_context = NULL; + free(data->tty_path); + data->tty_path = NULL; + return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; + } -PAM_EXTERN int -pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) + return PAM_SUCCESS; +} + +static int +restore_context(const pam_handle_t *pamh, const module_data_t *data, int debug) { - /* Fail by default. */ - return PAM_AUTH_ERR; + int err; + + if (!data) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "No context to restore"); + return PAM_SUCCESS; + } + + if (debug && data->tty_path) + pam_syslog(pamh, LOG_NOTICE, + "Restore file context of tty %s: [%s] -> [%s]", + data->tty_path, + data->tty_context ? data->tty_context : "", + data->prev_tty_context ? 
data->prev_tty_context : ""); + err = set_file_context(pamh, data->prev_tty_context, data->tty_path); + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Restore executable context: [%s] -> [%s]", + data->exec_context, + data->prev_exec_context ? data->prev_exec_context : ""); + err |= set_exec_context(pamh, data->prev_exec_context); + + if (err && security_getenforce() == 1) + return PAM_SESSION_ERR; + + return PAM_SUCCESS; } -PAM_EXTERN int -pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, - int argc UNUSED, const char **argv UNUSED) +static int +set_context(pam_handle_t *pamh, const module_data_t *data, + int debug, int verbose) { - return PAM_SUCCESS; + int rc, err; + + if (debug && data->tty_path) + pam_syslog(pamh, LOG_NOTICE, "Set file context of tty %s: [%s] -> [%s]", + data->tty_path, + data->prev_tty_context ? data->prev_tty_context : "", + data->tty_context ? data->tty_context : ""); + err = set_file_context(pamh, data->tty_context, data->tty_path); + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Set executable context: [%s] -> [%s]", + data->prev_exec_context ? data->prev_exec_context : "", + data->exec_context); + rc = set_exec_context(pamh, data->exec_context); + err |= rc; + + send_audit_message(pamh, !rc, data->default_user_context, data->exec_context); + if (verbose && !rc) { + char msg[PATH_MAX]; + + snprintf(msg, sizeof(msg), + _("Security Context %s Assigned"), data->exec_context); + send_text(pamh, msg, debug); + } +#ifdef HAVE_SETKEYCREATECON + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Set key creation context to %s", + data->exec_context ? data->exec_context : ""); + rc = setkeycreatecon(data->exec_context); + err |= rc; + if (rc) + pam_syslog(pamh, LOG_ERR, "Setting key creation context %s failed: %m", + data->exec_context ? 
data->exec_context : ""); + if (verbose && !rc) { + char msg[PATH_MAX]; + + snprintf(msg, sizeof(msg), + _("Key Creation Context %s Assigned"), data->exec_context); + send_text(pamh, msg, debug); + } +#endif + + if (err && security_getenforce() == 1) + return PAM_SESSION_ERR; + + return PAM_SUCCESS; } -PAM_EXTERN int -pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, - int argc, const char **argv) +static int +create_context(pam_handle_t *pamh, int argc, const char **argv, + int debug, int verbose) { - int i, debug = 0, ttys=1; - int verbose=0, close_session=0; + int i; + int ttys = 1; int select_context = 0; int use_current_range = 0; - int ret = 0; - security_context_t* contextlist = NULL; - int num_contexts = 0; int env_params = 0; - const char *username; - const void *void_username; - const void *tty = NULL; - char *seuser=NULL; - char *level=NULL; - security_context_t default_user_context=NULL; -#ifdef HAVE_GETSEUSER - const void *void_service; - const char *service; -#endif + module_data_t *data; /* Parse arguments. */ for (i = 0; i < argc; i++) { - if (strcmp(argv[i], "debug") == 0) { - debug = 1; - } if (strcmp(argv[i], "nottys") == 0) { ttys = 0; } - if (strcmp(argv[i], "verbose") == 0) { - verbose = 1; - } - if (strcmp(argv[i], "close") == 0) { - close_session = 1; - } if (strcmp(argv[i], "select_context") == 0) { select_context = 1; } 
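Review bot: `seuser` leaks in compute_exec_context whenever getseuser()/getseuserbyname() succeeds but get_ordered_context_list_with_level() returns no contexts, because `free(seuser)` only runs inside the `if (num_contexts > 0)` block, whereas the removed code freed it on that path as well. Move the free next to the existing `free(level);` in the success branch, i.e. `free(level); free(seuser);`, and drop the `free(seuser);` from the `num_contexts > 0` block (seuser is not used after that point). A second issue is in compute_tty_context: when getfilecon() fails with an error other than ENOENT in permissive mode, the function returns PAM_SUCCESS with `tty_path` still set but `prev_tty_context` and `tty_context` NULL, so set_context() and later restore_context() call set_file_context() with a NULL context, while the security_compute_relabel() failure branch just below does clear `tty_path`. Unless libselinux's setfilecon() tolerates a NULL context (I believe it does not, it takes strlen of it), that branch should free and clear `tty_path` the same way before returning. Independently, `if (!file || !context) return 0;` at the top of set_file_context would make the helper safe regardless of which caller path reaches it.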
@@ -623,172 +708,111 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, env_params = 1; } } - - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Open Session"); + + if (is_selinux_enabled() <= 0) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "SELinux is not enabled"); + return PAM_SUCCESS; + } if (select_context && env_params) { - pam_syslog(pamh, LOG_ERR, "select_context cannot be used with env_params"); + pam_syslog(pamh, LOG_ERR, + "select_context cannot be used with env_params"); select_context = 0; } - /* this module is only supposed to execute close_session */ - if (close_session) - return PAM_SUCCESS; + if (!(data = calloc(1, sizeof(*data)))) { + pam_syslog(pamh, LOG_ERR, "Out of memory"); + return PAM_BUF_ERR; + } - if (!(selinux_enabled = is_selinux_enabled()>0) ) - return PAM_SUCCESS; + i = compute_exec_context(pamh, data, select_context, use_current_range, + env_params, debug); + if (i != PAM_SUCCESS) { + free_module_data(data); + return i; + } - if (pam_get_item(pamh, PAM_USER, &void_username) != PAM_SUCCESS || - void_username == NULL) { - return PAM_USER_UNKNOWN; + if (!data->exec_context) { + free_module_data(data); + return (security_getenforce() == 1) ? 
PAM_SESSION_ERR : PAM_SUCCESS; } - username = void_username; -#ifdef HAVE_GETSEUSER - if (pam_get_item(pamh, PAM_SERVICE, (void *) &void_service) != PAM_SUCCESS || - void_service == NULL) { - return PAM_SESSION_ERR; + if (ttys && (i = compute_tty_context(pamh, data)) != PAM_SUCCESS) { + free_module_data(data); + return i; } - service = void_service; - if (getseuser(username, service, &seuser, &level) == 0) { -#else - if (getseuserbyname(username, &seuser, &level) == 0) { -#endif - num_contexts = get_ordered_context_list_with_level(seuser, - level, - NULL, - &contextlist); - if (debug) - pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", - username, seuser, level); - free(level); + if ((i = pam_set_data(pamh, DATANAME, data, cleanup)) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "Error saving context: %m"); + free_module_data(data); + return i; } - if (num_contexts > 0) { - free(seuser); - default_user_context=strdup(contextlist[0]); - freeconary(contextlist); - if (default_user_context == NULL) { - pam_syslog(pamh, LOG_ERR, "Out of memory"); - return PAM_BUF_ERR; - } - user_context = default_user_context; - if (select_context) { - user_context = config_context(pamh, default_user_context, use_current_range, debug); - } else if (env_params || use_current_range) { - user_context = context_from_env(pamh, default_user_context, env_params, use_current_range, debug); - } + return set_context(pamh, data, debug, verbose); +} - if (user_context == NULL) { - freecon(default_user_context); - pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s", - username); - pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username); - if (security_getenforce() == 1) - return PAM_AUTH_ERR; - else - return PAM_SUCCESS; - } - } - else { - if (seuser != NULL) { - user_context = manual_context(pamh,seuser,debug); - free(seuser); - } - if (user_context == NULL) { - pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s", - 
username); - if (security_getenforce() == 1) - return PAM_AUTH_ERR; - else - return PAM_SUCCESS; - } - } +PAM_EXTERN int +pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + /* Fail by default. */ + return PAM_AUTH_ERR; +} - if (getexeccon(&prev_user_context)<0) { - prev_user_context=NULL; - } - if (ttys) { - /* Get the name of the terminal. */ - if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS) { - tty = NULL; - } +PAM_EXTERN int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} - if ((tty == NULL) || (strlen(tty) == 0) || - strcmp(tty, "ssh") == 0 || strncmp(tty, "NODEV", 5) == 0) { - tty = ttyname(STDIN_FILENO); - if ((tty == NULL) || (strlen(tty) == 0)) { - tty = ttyname(STDOUT_FILENO); - } - if ((tty == NULL) || (strlen(tty) == 0)) { - tty = ttyname(STDERR_FILENO); - } +PAM_EXTERN int +pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + const module_data_t *data; + int i, debug = 0, verbose = 0, close_session = 0, restore = 0; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; } - } - if (ttys && tty) { - ttyn=strdup(tty); - ttyn_context=security_label_tty(pamh,ttyn,user_context); - } - send_audit_message(pamh, 1, default_user_context, user_context); - if (default_user_context != user_context) { - freecon(default_user_context); - } - ret = setexeccon(user_context); - if (ret==0 && verbose) { - char msg[PATH_MAX]; - snprintf(msg, sizeof(msg), - _("Security Context %s Assigned"), user_context); - send_text(pamh, msg, debug); - } - if (ret) { - pam_syslog(pamh, LOG_ERR, - "Error! 
Unable to set %s executable context %s.", - username, user_context); - if (security_getenforce() == 1) { - freecon(user_context); - return PAM_AUTH_ERR; + if (strcmp(argv[i], "verbose") == 0) { + verbose = 1; } - } else { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", - username, user_context); - } -#ifdef HAVE_SETKEYCREATECON - ret = setkeycreatecon(user_context); - if (ret==0 && verbose) { - char msg[PATH_MAX]; - snprintf(msg, sizeof(msg), - _("Key Creation Context %s Assigned"), user_context); - send_text(pamh, msg, debug); - } - if (ret) { - pam_syslog(pamh, LOG_ERR, - "Error! Unable to set %s key creation context %s.", - username, user_context); - if (security_getenforce() == 1) { - freecon(user_context); - return PAM_AUTH_ERR; + if (strcmp(argv[i], "close") == 0) { + close_session = 1; + } + if (strcmp(argv[i], "restore") == 0) { + restore = 1; } - } else { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s", - username, user_context); } -#endif - freecon(user_context); - return PAM_SUCCESS; + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Open Session"); + + /* Is this module supposed to execute close_session only? */ + if (close_session) + return PAM_SUCCESS; + + data = get_module_data(pamh); + + /* Is this module supposed only to restore original context? */ + if (restore) + return restore_context(pamh, data, debug); + + /* If there is a saved context, this module is supposed to set it again. */ + return data ? set_context(pamh, data, debug, verbose) : + create_context(pamh, argc, argv, debug, verbose); } PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { - int i, debug = 0, status = PAM_SUCCESS, open_session = 0; - if (! (selinux_enabled )) - return PAM_SUCCESS; + int i, debug = 0, open_session = 0; /* Parse arguments. */ for (i = 0; i < argc; i++) { 
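Review bot: The `pam_set_data()` failure path in create_context logs `"Error saving context: %m"`, but pam_set_data() reports failure through its return value, not errno, so `%m` prints whatever errno was left over by an earlier call (typically "Success"); log the PAM code instead: `pam_syslog(pamh, LOG_ERR, "Error saving context: %s", pam_strerror(pamh, i));`. Separately, the `!data->exec_context` branch returns PAM_SESSION_ERR in enforcing mode without any diagnostic, whereas the removed code logged "Unable to get valid context for %s" and prompted the user; unless compute_exec_context (outside this hunk) already logs, a `pam_syslog(pamh, LOG_ERR, ...)` before that return would keep the failure visible to an administrator. create_context's head, and pam_sm_close_session's body, lie outside this hunk.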
@@ -803,34 +827,10 @@ pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, if (debug) pam_syslog(pamh, LOG_NOTICE, "Close Session"); + /* Is this module supposed to execute open_session only? */ if (open_session) return PAM_SUCCESS; - if (ttyn) { - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Restore tty %s -> %s", - ttyn,ttyn_context); - - security_restorelabel_tty(pamh,ttyn,ttyn_context); - freecon(ttyn_context); - free(ttyn); - ttyn=NULL; - } - - if (setexeccon(prev_user_context)) { - pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.", - prev_user_context ? prev_user_context : ""); - if (security_getenforce() == 1) - status = PAM_AUTH_ERR; - else - status = PAM_SUCCESS; - } else if (debug) - pam_syslog(pamh, LOG_NOTICE, "Executable context back to original"); - - if (prev_user_context) { - freecon(prev_user_context); - prev_user_context = NULL; - } - - return status; + /* Restore original context. */ + return restore_context(pamh, get_module_data(pamh), debug); } diff --git a/modules/pam_selinux/pam_selinux_check.8 b/modules/pam_selinux/pam_selinux_check.8 index d6fcdff..34f578d 100644 --- a/modules/pam_selinux/pam_selinux_check.8 +++ b/modules/pam_selinux/pam_selinux_check.8 @@ -29,7 +29,7 @@ returns an exit code of 0 for success and > 0 on error: pam_selinux(8) .SH BUGS -Let's hope not, but if you find any, please email the author. +Let's hope not, but if you find any, please email the author. .SH AUTHOR Dan Walsh <dwalsh@redhat.com> |
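Review bot: pam_sm_close_session now calls `restore_context(pamh, get_module_data(pamh), debug)` unconditionally, having dropped the old `if (!selinux_enabled) return PAM_SUCCESS;` guard, so whenever no context was saved (SELinux disabled, or a stack whose only pam_selinux instance carries `close` or `restore`) data is NULL. restore_context's head is outside this chunk, but its visible body dereferences `data->prev_tty_context` and `data->tty_path`, so if it does not already begin with a NULL check it should get `if (!data) return PAM_SUCCESS;` before the first dereference, which restores the no-op behaviour the old guard provided. The same consideration applies to the `restore` path in pam_sm_open_session, which passes get_module_data()'s result straight through.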