Red Hat Bugzilla – Attachment 153655 Details for
Bug 237876
pam_namespace behavior in case of SELinux exec context not set
[patch]
patch
pam-0.99.7.0-namespace-method-change.patch (text/plain), 6.60 KB, created by
Ted X Toth
on 2007-04-27 18:22:11 UTC
Description:
patch
Filename:
MIME Type:
Creator:
Ted X Toth
Created:
2007-04-27 18:22:11 UTC
Size:
6.60 KB
patch
obsolete
>--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-04-26 16:00:14.000000000 -0500
>+++ Linux-PAM-0.99.7.0.new/modules/pam_namespace/pam_namespace.c 2007-04-26 15:07:27.000000000 -0500
>@@ -31,6 +31,7 @@
> */
> 
> #include "pam_namespace.h"
>+#include "libpam/pam_private.h"
> 
> /*
> * Copies the contents of ent into pent
>@@ -251,21 +252,15 @@
> 
> poly.method = NONE;
> if (strcmp(method, "user") == 0)
>- poly.method = USER;
>+ poly.method = USER;
> 
> #ifdef WITH_SELINUX
> if (strcmp(method, "level") == 0) {
>- if (idata->flags & PAMNS_CTXT_BASED_INST)
>- poly.method = LEVEL;
>- else
>- poly.method = USER;
>+ poly.method = LEVEL;
> }
> 
> if (strcmp(method, "context") == 0) {
>- if (idata->flags & PAMNS_CTXT_BASED_INST)
>- poly.method = CONTEXT;
>- else
>- poly.method = USER;
>+ poly.method = CONTEXT;
> }
> 
> #endif
>@@ -447,6 +442,7 @@
> int rc = PAM_SUCCESS;
> security_context_t scon = NULL;
> security_class_t tclass;
>+ char *selinuxuser, *level;
> 
> /*
> * Get the security context of the directory to polyinstantiate. 
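Review bot: `#include "libpam/pam_private.h"` pulls Linux-PAM's internal pam_handle layout into a module, and the only consumer visible in this patch is the `idata->pamh->service_name` read in the @@ -460 hunk. The public API exposes the same value through `pam_get_item(idata->pamh, PAM_SERVICE, (const void **)&service)`, which keeps the module buildable against an installed libpam and does not depend on a struct that may change between releases. I would drop this include and replace the member access in the later hunk with the item lookup plus a NULL check on the returned pointer.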
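Review bot: Removing the PAMNS_CTXT_BASED_INST fallback changes the `level` and `context` methods from silently degrading to USER into a hard session failure whenever no exec context is available and neither new option is set (form_context's new error returns, now propagated by the @@ -569 hunk). Failing closed is the safer default for context-based separation, but it is a behaviour change for existing configurations, and the man-page text "no context or level based polyinstantiation will occur" reads as a silent skip rather than PAM_SESSION_ERR; I would say so explicitly in the man page and in a comment here, e.g. `/* no USER fallback: a missing context is an error, see form_context() */`. The `poly.method = USER;` line in this hunk is a whitespace-only change and could be dropped. Whether PAMNS_CTXT_BASED_INST is still set or used elsewhere in the file cannot be told from this hunk.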
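Review bot: `selinuxuser` and `level` are left uninitialised although they are written only on one branch of the @@ -460 hunk (a successful getseuserbyname) and freed on that branch alone; initialising them, `char *selinuxuser = NULL, *level = NULL;`, makes any future cleanup path safe to pass through free() and matches how `scon` is declared just above. The enclosing function starts and ends outside the hunk.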
>@@ -460,11 +456,65 @@
> 
> if (polyptr->method == USER) return PAM_SUCCESS;
> 
>- rc = getexeccon(&scon);
>- if (rc < 0 || scon == NULL) {
>+ /*
>+ If we're running in su and su_getcon was specified
>+ use getcon to get the context
>+ */
>+ if (strcmp(idata->pamh->service_name, "su") == 0) {
>+ if (idata->flags & PAMNS_SU_GETCON) {
>+ rc = getcon(&scon);
>+ if (rc < 0 || scon == NULL) {
>+ pam_syslog(idata->pamh, LOG_ERR,
>+ "Error getting context, %m");
>+ return PAM_SESSION_ERR;
>+ }
>+ }
>+ else {
>+ if (idata->flags & PAMNS_DEBUG)
>+ pam_syslog(idata->pamh, LOG_DEBUG,
>+ "Use su_getcon option if you want to polyinstantiate based on su's context.");
>+ return PAM_SESSION_ERR;
>+ }
>+ }
>+ else {
>+ /*
>+ Check whether setexeccon was called prior to opening the pam session.
>+ */
>+ rc = getexeccon(&scon);
>+ if (rc < 0 || scon == NULL) {
>+ /*
>+ setexeccon wasn't called. If user_default_context_fallback was set
>+ use the users default context.
>+ */
>+ if (idata->flags & PAMNS_USER_DEFAULT_CONTEXT_FALLBACK) {
>+ rc = getseuserbyname(idata->user, &selinuxuser, &level);
>+ if (rc < 0) {
> pam_syslog(idata->pamh, LOG_ERR,
>- "Error getting exec context, %m");
>+ "Error getting selinux user, %m");
> return PAM_SESSION_ERR;
>+ }
>+ if (idata->flags & PAMNS_DEBUG)
>+ pam_syslog(idata->pamh, LOG_DEBUG,
>+ "selinux user %s level %s", selinuxuser, level);
>+ 
>+ rc = get_default_context_with_level(selinuxuser, level, NULL, &scon);
>+ free(selinuxuser);
>+ free(level);
>+ if (rc < 0) {
>+ pam_syslog(idata->pamh, LOG_ERR,
>+ "Error getting selinux user default context, %m");
>+ return PAM_SESSION_ERR;
>+ }
>+ if (idata->flags & PAMNS_DEBUG)
>+ pam_syslog(idata->pamh, LOG_DEBUG,
>+ "selinux user default context %s", scon);
>+ }
>+ else {
>+ pam_syslog(idata->pamh, LOG_ERR,
>+ "Error no available context because setexeccon has not been called.");
>+ return PAM_SESSION_ERR;
>+ }
>+ }
> }
> 
> /* 
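Review bot: In the `su` branch without su_getcon the session is refused with PAM_SESSION_ERR, yet the reason is logged only at LOG_DEBUG and only when PAMNS_DEBUG is set, so an administrator gets a failing login with nothing in syslog; every other failure path in this hunk logs at LOG_ERR unconditionally and this one should too: `pam_syslog(idata->pamh, LOG_ERR, "Use su_getcon option if you want to polyinstantiate based on su's context.");`. The branch is selected by an exact `strcmp(..., "su")` on the service name, so an su configured under a different PAM service name (the login-shell variant is `su-l` on Fedora) silently takes the getexeccon path instead — worth a comment, or a second match if that variant is meant to be covered. In the fallback branch `level` comes straight from getseuserbyname and is handed to `%s` and to get_default_context_with_level; if libselinux can return it as NULL when no level is configured (I believe it can), the debug line needs a guard. The `%m` in the two error messages after the libselinux calls is only meaningful if those calls set errno, which I cannot confirm from here. The enclosing form_context() starts and ends outside the hunk.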
>@@ -515,6 +565,10 @@
> pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Componant of context");
> goto fail;
> }
>+ if (idata->flags & PAMNS_DEBUG)
>+ pam_syslog(idata->pamh, LOG_DEBUG,
>+ "context_range_set %s %s", context_str(fcontext), context_str(scontext));
>+ 
> *i_context=strdup(context_str(fcontext));
> if (! *i_context) {
> pam_syslog(idata->pamh, LOG_ERR, "out of memory");
>@@ -569,6 +623,9 @@
> # ifdef WITH_SELINUX
> char *filename = NULL;
> rc = form_context(polyptr, i_context, origcon, idata);
>+ if (rc != PAM_SUCCESS) {
>+ return rc;
>+ }
> #endif
> rc = PAM_SUCCESS;
> 
>@@ -1242,6 +1299,10 @@
> idata.flags |= PAMNS_IGN_CONFIG_ERR;
> if (strcmp(argv[i], "ignore_instance_parent_mode") == 0)
> idata.flags |= PAMNS_IGN_INST_PARENT_MODE;
>+ if (strcmp(argv[i], "user_default_context_fallback") == 0)
>+ idata.flags |= PAMNS_USER_DEFAULT_CONTEXT_FALLBACK;
>+ if (strcmp(argv[i], "su_getcon") == 0)
>+ idata.flags |= PAMNS_SU_GETCON;
> if (strcmp(argv[i], "unmnt_remnt") == 0)
> unmnt = UNMNT_REMNT;
> if (strcmp(argv[i], "unmnt_only") == 0)
>--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-04-26 16:00:14.000000000 -0500
>+++ Linux-PAM-0.99.7.0.new/modules/pam_namespace/pam_namespace.h 2007-04-25 13:54:52.000000000 -0500 
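Review bot: The early return after form_context() in the @@ -569 hunk is what makes the new error paths in form_context effective at all — the `rc = PAM_SUCCESS;` that follows used to overwrite any failure, which is why a missing context never failed a session before; with the check in place that assignment is only reached on success and is now redundant, and a one-line comment such as `/* a context error must fail the session, not fall back to user-based instantiation */` would record the intent. The return happens before anything is allocated in the visible lines (`filename` is still NULL), but the enclosing function starts and ends outside the hunk, so whether form_context leaves `*i_context` allocated on its own failure paths should be checked by whoever has the full function.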
>@@ -88,6 +88,8 @@
> #define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */
> #define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */
> #define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
>+#define PAMNS_USER_DEFAULT_CONTEXT_FALLBACK 0x00020000 /* if getexeccon fails use user default context */
>+#define PAMNS_SU_GETCON 0x00040000 /* if called from 'su' use getcon for context */
> 
> /*
> * Polyinstantiation method options, based on user, security context
>--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml 2007-04-26 16:00:14.000000000 -0500
>+++ Linux-PAM-0.99.7.0.new/modules/pam_namespace/pam_namespace.8.xml 2007-04-26 09:49:54.000000000 -0500
>@@ -46,6 +46,12 @@
> <arg choice="opt">
> no_unmount_on_close
> </arg>
>+ <arg choice="opt">
>+ su_getcon
>+ </arg>
>+ <arg choice="opt">
>+ user_default_context_fallback
>+ </arg>
> </cmdsynopsis>
> </refsynopsisdiv>
> 
>@@ -198,6 +204,37 @@
> </listitem>
> </varlistentry>
> 
>+ <varlistentry>
>+ <term>
>+ <option>su_getcon</option>
>+ </term>
>+ <listitem>
>+ <para>
>+ When using su enabling this option causes pam to use the parent
>+ processes context for the polyinstantiated directories. This
>+ option only affects the context and level polyinstantiation
>+ methods.
>+ </para>
>+ </listitem>
>+ </varlistentry>
>+ 
>+ <varlistentry>
>+ <term>
>+ <option>user_default_context_fallback</option>
>+ </term>
>+ <listitem>
>+ <para>
>+ If setexeccon has not been called by the calling process
>+ enabling this option causes pam to use the users default
>+ context for the polyinstantiated directories. For example
>+ gdm does not call setexeccon prior to opening the pam session
>+ so without setting this option no context or level based
>+ polyinstantiation will occur. This option only affects the
>+ context and level polyinstantiation methods.
>+ </para>
>+ </listitem>
>+ </varlistentry>
>+ 
> </variablelist>
> </refsect1>
>