Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 144867 Details for
Bug 220652
LSPP - Role selection at login fails w/ "not a valid security context"
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
The latest version of the select_context patch
pam-0.99.6.2-selinux-select-context.patch (text/plain), 13.71 KB, created by
Tomas Mraz
on 2007-01-04 23:52:16 UTC
(
hide
)
Description:
The latest version of the select_context patch
Filename:
MIME Type:
Creator:
Tomas Mraz
Created:
2007-01-04 23:52:16 UTC
Size:
13.71 KB
patch
obsolete
>--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.select-context 2006-12-27 10:59:06.000000000 -0500 >+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2006-12-27 10:59:06.000000000 -0500 >@@ -33,6 +33,9 @@ > <arg choice="opt"> > verbose > </arg> >+ <arg choice="opt"> >+ select_context >+ </arg> > </cmdsynopsis> > </refsynopsisdiv> > >@@ -118,6 +121,17 @@ > </para> > </listitem> > </varlistentry> >+ <varlistentry> >+ <term> >+ <option>select_context</option> >+ </term> >+ <listitem> >+ <para> >+ Attempt to ask the user for a custom security context role. >+ If MLS is on ask also for sensitivity level. >+ </para> >+ </listitem> >+ </varlistentry> > </variablelist> > </refsect1> > >--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.select-context 2006-12-27 10:59:06.000000000 -0500 >+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c 2007-01-03 16:06:21.000000000 -0500 >@@ -63,9 +63,64 @@ > #include <selinux/selinux.h> > #include <selinux/get_context_list.h> > #include <selinux/flask.h> >+#include <selinux/av_permissions.h> > #include <selinux/selinux.h> > #include <selinux/context.h> >+#include <selinux/get_default_type.h> > >+#ifdef HAVE_LIBAUDIT >+#include <libaudit.h> >+#include <sys/select.h> >+#include <errno.h> >+#endif >+ >+/* Send audit message */ >+static >+ >+int send_audit_message(pam_handle_t *pamh, int success, security_context_t default_context, >+ security_context_t selected_context) >+{ >+ int rc=0; >+#ifdef HAVE_LIBAUDIT >+ char *msg = NULL; >+ int audit_fd = audit_open(); >+ security_context_t default_raw=NULL; >+ security_context_t selected_raw=NULL; >+ rc = -1; >+ if (audit_fd < 0) { >+ pam_syslog(pamh, LOG_ERR, _("Error connecting to audit system.\n")); >+ return rc; >+ } >+ if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { >+ pam_syslog(pamh, LOG_ERR, _("Error translating default context.\n")); >+ goto out; >+ } >+ if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) { >+ pam_syslog(pamh, LOG_ERR, _("Error translating selected context.\n")); >+ goto out; >+ } >+ if (asprintf(&msg, "pam: default-context=%s selected-context=%s", >+ default_context ? default_raw : "?", >+ selected_context ? selected_raw : "?") < 0) { >+ pam_syslog(pamh, LOG_ERR, ("Error allocating memory.\n")); >+ goto out; >+ } >+ if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, >+ msg, NULL, NULL, NULL, success) <= 0) { >+ pam_syslog(pamh, LOG_ERR, _("Error sending audit message.\n")); >+ goto out; >+ } >+ rc = 0; >+ out: >+ free(msg); >+ freecon(default_raw); >+ free(selected_raw); >+ close(audit_fd); >+#else >+ pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success); >+#endif >+ return rc; >+} > static int > send_text (pam_handle_t *pamh, const char *text, int debug) > { >@@ -79,69 +134,64 @@ > * is responsible for freeing the responses. > */ > static int >-query_response (pam_handle_t *pamh, const char *text, >+query_response (pam_handle_t *pamh, const char *text, const char *def, > char **responses, int debug) > { >+ int rc; >+ if (def) >+ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s [%s] ", text, def); >+ else >+ rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s ", text); > if (debug) >- pam_syslog(pamh, LOG_NOTICE, "%s", text); >- >- return pam_prompt (pamh, PAM_PROMPT_ECHO_ON, responses, "%s", text); >+ pam_syslog(pamh, LOG_NOTICE, "%s %s", text, responses[0]); >+ return rc; > } > > static security_context_t > manual_context (pam_handle_t *pamh, const char *user, int debug) > { >- security_context_t newcon; >+ security_context_t newcon=NULL; > context_t new_context; > int mls_enabled = is_selinux_mls_enabled(); >- >- char *responses; >+ char *type=NULL; >+ char *responses=NULL; > > while (1) { > query_response(pamh, >- _("Would you like to enter a security context? [y] "), >+ _("Would you like to enter a security context? [N] "), NULL, > &responses,debug); >- if ((responses[0] == 'y') || (responses[0] == 'Y') || >- (responses[0] == '\0') ) >+ if ((responses[0] == 'y') || (responses[0] == 'Y')) > { > if (mls_enabled) > new_context = context_new ("user:role:type:level"); > else > new_context = context_new ("user:role:type"); >- _pam_drop(responses); > >- /* Allow the user to enter each field of the context individually */ >+ if (!new_context) >+ goto fail_set; >+ > if (context_user_set (new_context, user)) >- { >- context_free (new_context); >- return NULL; >- } >- query_response(pamh,_("role: "),&responses,debug); >- if (context_role_set (new_context, responses)) >- { >- _pam_drop(responses); >- context_free (new_context); >- return NULL; >- } >+ goto fail_set; >+ > _pam_drop(responses); >- query_response(pamh,_("type: "),&responses,debug); >- if (context_type_set (new_context, responses)) >- { >- _pam_drop(responses); >- context_free (new_context); >- return NULL; >- } >+ /* Allow the user to enter each field of the context individually */ >+ query_response(pamh,_("role:"), NULL, &responses,debug); >+ if (responses[0] != '\0') { >+ if (context_role_set (new_context, responses)) >+ goto fail_set; >+ if (get_default_type(responses, &type)) >+ goto fail_set; >+ if (context_type_set (new_context, type)) >+ goto fail_set; >+ } > _pam_drop(responses); > if (mls_enabled) > { >- query_response(pamh,_("level: "),&responses,debug); >- if (context_range_set (new_context, responses)) >- { >- _pam_drop(responses); >- context_free (new_context); >- return NULL; >- } >- _pam_drop(responses); >+ query_response(pamh,_("level:"), NULL, &responses,debug); >+ if (responses[0] != '\0') { >+ if (context_range_set (new_context, responses)) >+ goto fail_set; >+ } > } > /* Get the string value of the context and see if it is valid. */ > if (!security_check_context(context_str(new_context))) { >@@ -151,14 +201,125 @@ > } > else > send_text(pamh,_("Not a valid security context"),debug); >+ context_free (new_context); > } > else { > _pam_drop(responses); > return NULL; > } > } /* end while */ >+ fail_set: >+ free(type); >+ _pam_drop(responses); >+ context_free (new_context); >+ return NULL; >+} >+ >+static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug) >+{ >+ struct av_decision avd; >+ int retval; >+ unsigned int bit = CONTEXT__CONTAINS; >+ context_t src_context = context_new (src); >+ context_t dst_context = context_new (dst); >+ context_range_set(dst_context, context_range_get(src_context)); >+ if (debug) >+ pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context)); >+ >+ retval = security_compute_av(context_str(dst_context), dst, SECCLASS_CONTEXT, bit, &avd); >+ context_free(src_context); >+ context_free(dst_context); >+ if (retval || ((bit & avd.allowed) != bit)) >+ return 0; >+ >+ return 1; >+} >+ >+static security_context_t >+config_context (pam_handle_t *pamh, security_context_t puser_context, int debug) >+{ >+ security_context_t newcon=NULL; >+ context_t new_context; >+ int mls_enabled = is_selinux_mls_enabled(); >+ char *responses=NULL; >+ char *type=NULL; >+ char resp_val = 0; >+ >+ pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("Default Security Context %s\n"), puser_context); >+ >+ while (1) { >+ query_response(pamh, >+ _("Would you like to enter a different role or level?"), "n", >+ &responses,debug); >+ >+ resp_val = responses[0]; >+ _pam_drop(responses); >+ if ((resp_val == 'y') || (resp_val == 'Y')) >+ { >+ new_context = context_new(puser_context); >+ >+ /* Allow the user to enter role and level individually */ >+ query_response(pamh,_("role:"), context_role_get(new_context), >+ &responses, debug); >+ if (responses[0]) { >+ if (get_default_type(responses, &type)) { >+ pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), responses); >+ _pam_drop(responses); >+ continue; >+ } else { >+ if (context_role_set(new_context, responses)) >+ goto fail_set; >+ if (context_type_set (new_context, type)) >+ goto fail_set; >+ } >+ } >+ _pam_drop(responses); >+ if (mls_enabled) >+ { >+ query_response(pamh,_("level:"), context_range_get(new_context), >+ &responses, debug); >+ if (responses[0]) { >+ if (context_range_set(new_context, responses)) >+ goto fail_set; >+ } >+ _pam_drop(responses); >+ } >+ if (debug) >+ pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", context_str(new_context)); >+ >+ /* Get the string value of the context and see if it is valid. */ >+ if (!security_check_context(context_str(new_context))) { >+ newcon = strdup(context_str(new_context)); >+ context_free (new_context); >+ >+ /* we have to check that this user is allowed to go into the >+ range they have specified ... role is tied to an seuser, so that'll >+ be checked at setexeccon time */ >+ if (mls_enabled && !mls_range_allowed(pamh, puser_context, newcon, debug)) { >+ pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", puser_context, newcon); >+ >+ >+ goto fail_range; >+ } >+ return newcon; >+ } >+ else >+ send_text(pamh,_("Not a valid security context"),debug); >+ >+ context_free(new_context); /* next time around allocates another */ >+ } >+ else >+ return strdup(puser_context); >+ } /* end while */ > > return NULL; >+ >+ fail_set: >+ free(type); >+ _pam_drop(responses); >+ context_free (new_context); >+ fail_range: >+ return NULL; > } > > static void >@@ -273,13 +434,15 @@ > { > int i, debug = 0, ttys=1, has_tty=isatty(0); > int verbose=0, close_session=0; >+ int select_context = 0; > int ret = 0; > security_context_t* contextlist = NULL; > int num_contexts = 0; >- const void *username = NULL; >+ const char *username = NULL; > const void *tty = NULL; > char *seuser=NULL; > char *level=NULL; >+ security_context_t default_user_context=NULL; > > /* Parse arguments. */ > for (i = 0; i < argc; i++) { >@@ -295,6 +458,9 @@ > if (strcmp(argv[i], "close") == 0) { > close_session = 1; > } >+ if (strcmp(argv[i], "select_context") == 0) { >+ select_context = 1; >+ } > } > > if (debug) >@@ -307,7 +473,7 @@ > if (!(selinux_enabled = is_selinux_enabled()>0) ) > return PAM_SUCCESS; > >- if (pam_get_item(pamh, PAM_USER, &username) != PAM_SUCCESS || >+ if (pam_get_item(pamh, PAM_USER, (void *) &username) != PAM_SUCCESS || > username == NULL) { > return PAM_USER_UNKNOWN; > } >@@ -319,19 +485,38 @@ > &contextlist); > if (debug) > pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", >- (const char *)username, seuser, level); >+ username, seuser, level); > free(seuser); > free(level); > } > if (num_contexts > 0) { >- user_context = (security_context_t) strdup(contextlist[0]); >+ default_user_context=strdup(contextlist[0]); > freeconary(contextlist); >- } else { >+ if (default_user_context == NULL) { >+ pam_syslog(pamh, LOG_ERR, _("Out of memory")); >+ return PAM_AUTH_ERR; >+ } >+ if (select_context && has_tty) { >+ user_context = config_context(pamh, default_user_context, debug); >+ if (user_context == NULL) { >+ send_audit_message(pamh, 0, default_user_context, default_user_context); >+ freecon(default_user_context); >+ pam_syslog(pamh, LOG_ERR, _("Unable to get valid context for %s"), >+ username); >+ pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username); >+ if (security_getenforce() == 1) >+ return PAM_AUTH_ERR; >+ else >+ return PAM_SUCCESS; >+ } >+ } >+ } >+ else { > if (has_tty) { >- user_context = manual_context(pamh,username,debug); >+ user_context = manual_context(pamh,seuser,debug); > if (user_context == NULL) { > pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s", >- (const char *)username); >+ username); > if (security_getenforce() == 1) > return PAM_AUTH_ERR; > else >@@ -340,7 +525,7 @@ > } else { > pam_syslog (pamh, LOG_ERR, > "Unable to get valid context for %s, No valid tty", >- (const char *)username); >+ username); > if (security_getenforce() == 1) > return PAM_AUTH_ERR; > else >@@ -371,6 +556,9 @@ > ttyn=strdup(tty); > ttyn_context=security_label_tty(pamh,ttyn,user_context); > } >+ send_audit_message(pamh, 1, default_user_context, user_context); >+ freecon(default_user_context); >+ > ret = setexeccon(user_context); > if (ret==0 && verbose) { > char msg[PATH_MAX]; >@@ -381,7 +569,7 @@ > if (ret) { > pam_syslog(pamh, LOG_ERR, > "Error! Unable to set %s executable context %s.", >- (const char *)username, user_context); >+ username, user_context); > if (security_getenforce() == 1) { > freecon(user_context); > return PAM_AUTH_ERR; >@@ -389,7 +577,7 @@ > } else { > if (debug) > pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s", >- (const char *)username, user_context); >+ username, user_context); > } > #ifdef HAVE_SETKEYCREATECON > ret = setkeycreatecon(user_context); >@@ -402,7 +590,7 @@ > if (ret) { > pam_syslog(pamh, LOG_ERR, > "Error! Unable to set %s key creation context %s.", >- (const char *)username, user_context); >+ username, user_context); > if (security_getenforce() == 1) { > freecon(user_context); > return PAM_AUTH_ERR; >@@ -410,7 +598,7 @@ > } else { > if (debug) > pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s", >- (const char *)username, user_context); >+ username, user_context); > } > #endif > freecon(user_context);
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=144867">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 220652
: 144867