author | Chris PeBenito <pebenito@gentoo.org> | 2003-06-29 00:38:20 +0000 |
committer | Chris PeBenito <pebenito@gentoo.org> | 2003-06-29 00:38:20 +0000 |
commit | ab5a93d9563d052c34b00a698050cb7524fd78e0 (patch) | |
tree | a154e0900309defe6ee69c52d2f5f1068ae0898d | |
parent | new version (diff) | |
add selinux patch, and missing IUSE
-rw-r--r-- | sys-apps/pam-login/ChangeLog | 6 | ||||
-rw-r--r-- | sys-apps/pam-login/Manifest | 9 | ||||
-rw-r--r-- | sys-apps/pam-login/files/pam-login-3.11-selinux.diff | 278 | ||||
-rw-r--r-- | sys-apps/pam-login/pam-login-3.11.ebuild | 11 |
4 files changed, 298 insertions, 6 deletions
diff --git a/sys-apps/pam-login/ChangeLog b/sys-apps/pam-login/ChangeLog
index 0a53f3def2cf..1d122c30a4c0 100644
--- a/sys-apps/pam-login/ChangeLog
+++ b/sys-apps/pam-login/ChangeLog
@@ -1,6 +1,10 @@
 # ChangeLog for sys-apps/pam-login
 # Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/pam-login/ChangeLog,v 1.18 2003/06/24 14:31:13 agriffis Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/pam-login/ChangeLog,v 1.19 2003/06/29 00:38:16 pebenito Exp $
+
+ 28 Jun 2003; Chris PeBenito <pebenito@gentoo.org> pam-login-3.11.ebuild,
+ files/pam-login-3.11-selinux.diff:
+ Added patch for selinux. Added missing IUSE.
 
  24 Jun 2003; Aron Griffis <agriffis@gentoo.org> pam-login-3.11.ebuild:
  Mark stable on alpha
diff --git a/sys-apps/pam-login/Manifest b/sys-apps/pam-login/Manifest
index bf98a1588a09..adcffc87922b 100644
--- a/sys-apps/pam-login/Manifest
+++ b/sys-apps/pam-login/Manifest
@@ -1,13 +1,14 @@
-MD5 3445f28fb00ef4a57ce4d5d5a907b73a ChangeLog 2349
+MD5 dee397a9cea8d0a03744544a4913c774 ChangeLog 2510
+MD5 80ca224367493f43b14bdf6a6087ec0c pam-login-3.10.ebuild 1993
 MD5 cad011cbd985a979f997fcc4d8bd304c pam-login-3.6-r1.ebuild 1833
 MD5 b04418a06d1f88d40e33887a0a19ba82 pam-login-3.6-r2.ebuild 1939
 MD5 5739c21cb2f366c515850e7ee5b97eb8 pam-login-3.7.ebuild 1985
-MD5 80ca224367493f43b14bdf6a6087ec0c pam-login-3.10.ebuild 1993
-MD5 5b8a39fd2058f688c3f4b2a0c497b731 pam-login-3.11.ebuild 2130
+MD5 325f34482aa3c3dc2a0cd96709136980 pam-login-3.11.ebuild 2244
+MD5 a5e9be8a38e1b8f784d3cf558cff7a6b files/digest-pam-login-3.10 67
 MD5 918ba376dc33a5a1c9f9b0bd048b484b files/digest-pam-login-3.6-r1 66
 MD5 918ba376dc33a5a1c9f9b0bd048b484b files/digest-pam-login-3.6-r2 66
 MD5 7febd6315d85fcd5196b602732789573 files/digest-pam-login-3.7 66
 MD5 21df4caf263fa2ed75e574f9a067b72e files/login.defs 3229
 MD5 b3602716045d7154356137da6f5dcbad files/pam-login-3.6-SUPATH.patch 438
-MD5 a5e9be8a38e1b8f784d3cf558cff7a6b files/digest-pam-login-3.10 67
 MD5 387e811b73906d5f0e5d4417cccfed0e files/digest-pam-login-3.11 67
+MD5 bcf75778be1a620e99fcaf5d2c55a504 files/pam-login-3.11-selinux.diff 8237
diff --git a/sys-apps/pam-login/files/pam-login-3.11-selinux.diff b/sys-apps/pam-login/files/pam-login-3.11-selinux.diff
new file mode 100644
index 000000000000..342a29b94671
--- /dev/null
+++ b/sys-apps/pam-login/files/pam-login-3.11-selinux.diff
@@ -0,0 +1,278 @@ +diff -urN pam_login-3.11.orig/configure pam_login-3.11/configure +--- pam_login-3.11.orig/configure 2003-05-12 08:07:51.000000000 -0500 ++++ pam_login-3.11/configure 2003-06-19 12:41:13.000000000 -0500 +@@ -1689,7 +1689,7 @@ + fi + + +-EXTRA_CFLAGS="-W -Wall -Wbad-function-cast -Wcast-align -Wcast-qual -Winline -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wshadow -Wstrict-prototypes -Wundef -Werror" ++EXTRA_CFLAGS="-W -Wall -Wbad-function-cast -Wcast-align -Wcast-qual -Winline -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wshadow -Wstrict-prototypes -Wundef " + # -Wpointer-arith + + ac_ext=c +diff -urN pam_login-3.11.orig/src/Makefile.in pam_login-3.11/src/Makefile.in +--- pam_login-3.11.orig/src/Makefile.in 2003-05-12 08:08:24.000000000 -0500 ++++ pam_login-3.11/src/Makefile.in 2003-06-19 14:11:33.000000000 -0500 +@@ -70,7 +70,7 @@ + LIBICONV = @LIBICONV@ + LIBINTL = @LIBINTL@ + LIBOBJS = @LIBOBJS@ +-LIBS = @LIBS@ ++LIBS = @LIBS@ -lsecure + LTLIBICONV = @LTLIBICONV@ + LTLIBINTL = @LTLIBINTL@ + LTLIBOBJS = @LTLIBOBJS@ +diff -urN pam_login-3.11.orig/src/login.c pam_login-3.11/src/login.c +--- pam_login-3.11.orig/src/login.c 2003-05-12 08:44:45.000000000 -0500 ++++ pam_login-3.11/src/login.c 2003-06-19 14:57:57.000000000 -0500 +@@ -67,6 +67,13 @@ + #include <sys/sysmacros.h> + #include <linux/major.h> + #include <utmp.h> ++ ++#include <linux/flask/flask_types.h> ++#include <flask_util.h> ++#include <fs_secure.h> ++#include <ss.h> ++#include <get_sid_list.h> ++ + #include <security/pam_appl.h> + #include <security/pam_misc.h> + +@@ -470,6 +477,23 @@ + struct passwd resultbuf; + struct passwd *pwd; + ++#define CONTEXTLEN 255 ++ security_context_t user_context = NULL; ++ int user_context_len = CONTEXTLEN; ++ security_id_t user_sid; ++ security_id_t* sidlist; ++#define SIDLISTLEN 10 ++ int sidlistlen = SIDLISTLEN; ++ int num_sids = 0; ++ security_id_t ttyn_sid; /* The current sid of ttyn device */ ++ security_id_t 
vcsn_sid; /* The current sid of vcsn device */ ++ security_id_t vcsan_sid; /* The current sid of vcsan device */ ++ security_id_t newdev_sid; /* The new sid of a device */ ++ struct stat statbuf; ++ int flask_enabled; ++ int rc; ++ char vcsn[20], vcsan[20]; ++ + init_sighandler (); + + setlocale (LC_ALL, ""); +@@ -858,6 +882,67 @@ + retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED); + PAM_FAIL_CHECK; + ++ /* Make sure SELINUX is really running on this system */ ++ if ( (flask_enabled = is_flask_enabled()) ) ++ { ++ /* Get security context and SID for user */ ++ sidlistlen = SIDLISTLEN; ++ sidlist = malloc (sidlistlen*sizeof(security_id_t)); ++ if (sidlist == 0) { ++ fprintf(stderr, "login: no memory for SID list.\n"); ++ exit (0); ++ } ++ ++ num_sids = get_ordered_sid_list (username, 0, sidlist, &sidlistlen); ++ if (num_sids <= 0 && sidlistlen > SIDLISTLEN) { ++ security_id_t *tmplist; ++ tmplist = realloc (sidlist, sidlistlen*sizeof(security_id_t)); ++ if (tmplist) { ++ sidlist = tmplist; ++ num_sids = get_ordered_sid_list (username, 0, sidlist, ++ &sidlistlen); ++ } ++ } ++ ++ if (num_sids <= 0) { ++ fprintf(stderr, "login: unable to obtain SIDs for %s.\n", username); ++ if (manual_user_enter_sid (username, &user_sid)) ++ { ++ syslog (LOG_ERR, "UNABLE TO GET VALID SID FOR %s", username); ++ exit(0); ++ } ++ } ++ else ++ { ++ query_user_sid (sidlist, num_sids, &user_sid); ++ } ++ ++ free (sidlist); ++ ++ user_context_len = CONTEXTLEN; ++ user_context = malloc(user_context_len); ++ if (!user_context) { ++ fprintf(stderr, "login: no memory for security context.\n"); ++ exit (0); ++ } ++ rc = security_sid_to_context(user_sid,user_context,&user_context_len); ++ if (rc < 0 && user_context_len > CONTEXTLEN) ++ { ++ security_context_t tmpcon; ++ tmpcon = realloc (user_context, user_context_len); ++ if (tmpcon) { ++ user_context = tmpcon; ++ rc = security_sid_to_context (user_sid, user_context, ++ &user_context_len); ++ } ++ } ++ if (rc < 0) { ++ free (user_context); ++ 
syslog (LOG_ERR, "PROBLEM OBTAINING CONTEXT FOR %s", username); ++ exit (0); ++ } ++ } ++ + /* committed to login -- turn off timeout */ + alarm ((unsigned int) 0); + +@@ -1013,13 +1098,25 @@ + chown (ttyn, pwd->pw_uid, gid); + chmod (ttyn, getdef_num ("TTYPERM", 0600)); + ++ if (flask_enabled) { ++ if (stat_secure(ttyn, &statbuf, &ttyn_sid) != 0) { ++ perror("stat_secure"); ++ exit (0); ++ } ++ if (security_change_sid (user_sid, ttyn_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0) { ++ perror("security_change_sid"); ++ exit (0); ++ } ++ if (chsid (ttyn, newdev_sid) != 0) { ++ perror("chsid"); ++ exit (0); ++ } ++ } ++ + /* if tty is one of the VC's then change owner and mode of the + special /dev/vcs devices as well */ + if (consoletty (0)) + { +-#if 0 +- char vcsn[20], vcsan[20]; +- + /* find names of Virtual Console devices */ + char *p = ttyn; + /* find number of tty */ +@@ -1030,7 +1127,7 @@ + strcat (vcsn, p); + strcpy (vcsan, "/dev/vcsa"); + strcat (vcsan, p); +- ++#if 0 + /* + * Please don't add code to chown /dev/vcs* to the user logging in - + * it's a potential security hole. 
I wouldn't like the previous user +@@ -1043,6 +1140,42 @@ + chmod (vcsn, getdef_num ("TTYPERM", 0600)); + chmod (vcsan, getdef_num ("TTYPERM", 0600)); + #endif ++ ++ if (flask_enabled) ++ { ++ if (stat_secure(vcsn, &statbuf, &vcsn_sid) != 0) ++ { ++ perror("stat_secure"); ++ exit (0); ++ } ++ if (security_change_sid (user_sid, vcsn_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0) ++ { ++ perror ("security_change_sid"); ++ exit (0); ++ } ++ if (chsid (vcsn, newdev_sid) != 0) ++ { ++ perror("chsid"); ++ exit (0); ++ } ++ if (stat_secure(vcsan, &statbuf, &vcsan_sid) != 0) ++ { ++ perror("stat_secure"); ++ exit (0); ++ } ++ if (security_change_sid (user_sid, vcsan_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0) ++ { ++ perror("security_change_sid"); ++ exit (0); ++ } ++ if (chsid (vcsan, newdev_sid) != 0) ++ { ++ perror("chsid"); ++ exit (0); ++ } ++ ++ } ++ + } + + setgid (pwd->pw_gid); +@@ -1123,6 +1256,23 @@ + + setproctitle ("login", username); + ++ if (flask_enabled) { ++ /* note the SELinux login context */ ++ if (pwd->pw_uid == 0) { ++ if (hostname) ++ syslog(LOG_NOTICE, _("ROOT LOGIN ON %s FROM %s USING %s"), ttyn, hostname, user_context); ++ else ++ syslog(LOG_NOTICE, _("ROOT LOGIN ON %s USING %s"), ttyn, user_context); ++ } else { ++ if (hostname) ++ syslog(LOG_INFO, _("LOGIN ON %s BY %s FROM %s USING %s"), ttyn, pwd->pw_name, hostname, user_context); ++ else ++ syslog(LOG_INFO, _("LOGIN ON %s BY %s USING %s"), ttyn, pwd->pw_name, user_context); ++ } ++ ++ free(user_context); ++ } ++ + if (!quietlog) + motd (); + +@@ -1170,6 +1320,27 @@ + fprintf (stderr, _("login: waitpid (%d, NULL, 0) failed: %s\n"), + childPid, strerror (errsv)); + } ++ ++ if (flask_enabled) ++ { ++ /* We need to change the contexts of the terminal devices back to ++ the system when the user's session ends. 
*/ ++ if (chsid (ttyn, ttyn_sid) != 0) ++ { ++ perror("chsid"); ++ } ++ if (consoletty(0)) { ++ if (chsid (vcsn, vcsn_sid) != 0) ++ { ++ perror("chsid"); ++ } ++ if (chsid (vcsan, vcsan_sid) != 0) ++ { ++ perror("chsid"); ++ } ++ } ++ } ++ + PAM_END; + exit (0); + } +@@ -1241,7 +1412,10 @@ + + childArgv[childArgc++] = NULL; + +- execvp (childArgv[0], childArgv + 1); ++ if (flask_enabled) ++ execvp_secure (childArgv[0], user_sid, childArgv + 1); ++ else ++ execvp(childArgv[0], childArgv + 1); + + errsv = errno; + diff --git a/sys-apps/pam-login/pam-login-3.11.ebuild b/sys-apps/pam-login/pam-login-3.11.ebuild index 512a1a285b9e..5a19a66e9d3e 100644 --- a/sys-apps/pam-login/pam-login-3.11.ebuild +++ b/sys-apps/pam-login/pam-login-3.11.ebuild @@ -1,10 +1,12 @@ # Copyright 1999-2003 Gentoo Technologies, Inc. # Distributed under the terms of the GNU General Public License v2 -# $Header: /var/cvsroot/gentoo-x86/sys-apps/pam-login/pam-login-3.11.ebuild,v 1.5 2003/06/24 14:31:13 agriffis Exp $ +# $Header: /var/cvsroot/gentoo-x86/sys-apps/pam-login/pam-login-3.11.ebuild,v 1.6 2003/06/29 00:38:16 pebenito Exp $ inherit gnuconfig +IUSE="nls selinux" + # Do we want to backup an old login.defs, and forcefully # install a new version? FORCE_LOGIN_DEFS="no" @@ -23,6 +25,13 @@ DEPEND="virtual/glibc sys-libs/pam >=sys-apps/shadow-4.0.2-r5" +src_unpack() { + unpack ${A} + + cd ${S} + use selinux && epatch ${FILESDIR}/${P}-selinux.diff +} + src_compile() { # Fix configure scripts to recognize linux-mips |
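Review bot: Every new SELinux failure path in login.c (after get_ordered_sid_list/manual_user_enter_sid, security_sid_to_context, and each stat_secure/security_change_sid/chsid on ttyn, vcsn and vcsan) terminates with `exit (0)`, so a refused or failed relabel of the user's terminal is reported to the parent as a successful exit, and the failures that occur after pam_setcred has established credentials leave main() without the PAM_END teardown the normal path performs; a non-zero status, `exit (1);`, and routing those later failures through whatever cleanup PAM_FAIL_CHECK already provides would be safer. Moving `char vcsn[20], vcsan[20];` out of the `#if 0` block also turns the `strcpy (vcsn, "/dev/vcs"); strcat (vcsn, p);` pair (and the vcsa equivalent) into live code whose bound presumably rests only on p being the short tty number taken from ttyn; `snprintf (vcsn, sizeof vcsn, "/dev/vcs%s", p);` would make that bound explicit in a setuid-root binary. The configure change drops `-Werror` for the whole build rather than for the translation unit that includes the flask headers, which silences future warnings across login; scoping the relaxation to login.c or fixing the offending warnings keeps that signal. The enclosing main() body starts and ends outside the hunk.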
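Review bot: The new src_unpack applies a patch that links login against `-lsecure` when `use selinux` is set, but DEPEND in the surrounding context still lists only virtual/glibc, sys-libs/pam and shadow, so the SELinux build has no declared provider for that library; a conditional entry such as `selinux? ( <package providing libsecure> )` is needed in DEPEND. The function also calls `epatch`, which comes from eutils.eclass, while the only inherit visible in the first hunk is `inherit gnuconfig`; unless gnuconfig pulls eutils in, the line should read `inherit eutils gnuconfig`.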