authorChris PeBenito <pebenito@gentoo.org>2003-06-29 00:38:20 +0000
committerChris PeBenito <pebenito@gentoo.org>2003-06-29 00:38:20 +0000
commitab5a93d9563d052c34b00a698050cb7524fd78e0 (patch)
treea154e0900309defe6ee69c52d2f5f1068ae0898d
parentnew version (diff)
add selinux patch, and missing IUSE
-rw-r--r--sys-apps/pam-login/ChangeLog6
-rw-r--r--sys-apps/pam-login/Manifest9
-rw-r--r--sys-apps/pam-login/files/pam-login-3.11-selinux.diff278
-rw-r--r--sys-apps/pam-login/pam-login-3.11.ebuild11
4 files changed, 298 insertions, 6 deletions
diff --git a/sys-apps/pam-login/ChangeLog b/sys-apps/pam-login/ChangeLog
index 0a53f3def2cf..1d122c30a4c0 100644
--- a/sys-apps/pam-login/ChangeLog
+++ b/sys-apps/pam-login/ChangeLog
@@ -1,6 +1,10 @@
# ChangeLog for sys-apps/pam-login
# Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/pam-login/ChangeLog,v 1.18 2003/06/24 14:31:13 agriffis Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/pam-login/ChangeLog,v 1.19 2003/06/29 00:38:16 pebenito Exp $
+
+ 28 Jun 2003; Chris PeBenito <pebenito@gentoo.org> pam-login-3.11.ebuild,
+ files/pam-login-3.11-selinux.diff:
+ Added patch for selinux. Added missing IUSE.
24 Jun 2003; Aron Griffis <agriffis@gentoo.org> pam-login-3.11.ebuild:
Mark stable on alpha
diff --git a/sys-apps/pam-login/Manifest b/sys-apps/pam-login/Manifest
index bf98a1588a09..adcffc87922b 100644
--- a/sys-apps/pam-login/Manifest
+++ b/sys-apps/pam-login/Manifest
@@ -1,13 +1,14 @@
-MD5 3445f28fb00ef4a57ce4d5d5a907b73a ChangeLog 2349
+MD5 dee397a9cea8d0a03744544a4913c774 ChangeLog 2510
+MD5 80ca224367493f43b14bdf6a6087ec0c pam-login-3.10.ebuild 1993
MD5 cad011cbd985a979f997fcc4d8bd304c pam-login-3.6-r1.ebuild 1833
MD5 b04418a06d1f88d40e33887a0a19ba82 pam-login-3.6-r2.ebuild 1939
MD5 5739c21cb2f366c515850e7ee5b97eb8 pam-login-3.7.ebuild 1985
-MD5 80ca224367493f43b14bdf6a6087ec0c pam-login-3.10.ebuild 1993
-MD5 5b8a39fd2058f688c3f4b2a0c497b731 pam-login-3.11.ebuild 2130
+MD5 325f34482aa3c3dc2a0cd96709136980 pam-login-3.11.ebuild 2244
+MD5 a5e9be8a38e1b8f784d3cf558cff7a6b files/digest-pam-login-3.10 67
MD5 918ba376dc33a5a1c9f9b0bd048b484b files/digest-pam-login-3.6-r1 66
MD5 918ba376dc33a5a1c9f9b0bd048b484b files/digest-pam-login-3.6-r2 66
MD5 7febd6315d85fcd5196b602732789573 files/digest-pam-login-3.7 66
MD5 21df4caf263fa2ed75e574f9a067b72e files/login.defs 3229
MD5 b3602716045d7154356137da6f5dcbad files/pam-login-3.6-SUPATH.patch 438
-MD5 a5e9be8a38e1b8f784d3cf558cff7a6b files/digest-pam-login-3.10 67
MD5 387e811b73906d5f0e5d4417cccfed0e files/digest-pam-login-3.11 67
+MD5 bcf75778be1a620e99fcaf5d2c55a504 files/pam-login-3.11-selinux.diff 8237
diff --git a/sys-apps/pam-login/files/pam-login-3.11-selinux.diff b/sys-apps/pam-login/files/pam-login-3.11-selinux.diff
new file mode 100644
index 000000000000..342a29b94671
--- /dev/null
+++ b/sys-apps/pam-login/files/pam-login-3.11-selinux.diff
@@ -0,0 +1,278 @@
+diff -urN pam_login-3.11.orig/configure pam_login-3.11/configure
+--- pam_login-3.11.orig/configure 2003-05-12 08:07:51.000000000 -0500
++++ pam_login-3.11/configure 2003-06-19 12:41:13.000000000 -0500
+@@ -1689,7 +1689,7 @@
+ fi
+
+
+-EXTRA_CFLAGS="-W -Wall -Wbad-function-cast -Wcast-align -Wcast-qual -Winline -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wshadow -Wstrict-prototypes -Wundef -Werror"
++EXTRA_CFLAGS="-W -Wall -Wbad-function-cast -Wcast-align -Wcast-qual -Winline -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wshadow -Wstrict-prototypes -Wundef "
+ # -Wpointer-arith
+
+ ac_ext=c
+diff -urN pam_login-3.11.orig/src/Makefile.in pam_login-3.11/src/Makefile.in
+--- pam_login-3.11.orig/src/Makefile.in 2003-05-12 08:08:24.000000000 -0500
++++ pam_login-3.11/src/Makefile.in 2003-06-19 14:11:33.000000000 -0500
+@@ -70,7 +70,7 @@
+ LIBICONV = @LIBICONV@
+ LIBINTL = @LIBINTL@
+ LIBOBJS = @LIBOBJS@
+-LIBS = @LIBS@
++LIBS = @LIBS@ -lsecure
+ LTLIBICONV = @LTLIBICONV@
+ LTLIBINTL = @LTLIBINTL@
+ LTLIBOBJS = @LTLIBOBJS@
+diff -urN pam_login-3.11.orig/src/login.c pam_login-3.11/src/login.c
+--- pam_login-3.11.orig/src/login.c 2003-05-12 08:44:45.000000000 -0500
++++ pam_login-3.11/src/login.c 2003-06-19 14:57:57.000000000 -0500
+@@ -67,6 +67,13 @@
+ #include <sys/sysmacros.h>
+ #include <linux/major.h>
+ #include <utmp.h>
++
++#include <linux/flask/flask_types.h>
++#include <flask_util.h>
++#include <fs_secure.h>
++#include <ss.h>
++#include <get_sid_list.h>
++
+ #include <security/pam_appl.h>
+ #include <security/pam_misc.h>
+
+@@ -470,6 +477,23 @@
+ struct passwd resultbuf;
+ struct passwd *pwd;
+
++#define CONTEXTLEN 255
++ security_context_t user_context = NULL;
++ int user_context_len = CONTEXTLEN;
++ security_id_t user_sid;
++ security_id_t* sidlist;
++#define SIDLISTLEN 10
++ int sidlistlen = SIDLISTLEN;
++ int num_sids = 0;
++ security_id_t ttyn_sid; /* The current sid of ttyn device */
++ security_id_t vcsn_sid; /* The current sid of vcsn device */
++ security_id_t vcsan_sid; /* The current sid of vcsan device */
++ security_id_t newdev_sid; /* The new sid of a device */
++ struct stat statbuf;
++ int flask_enabled;
++ int rc;
++ char vcsn[20], vcsan[20];
++
+ init_sighandler ();
+
+ setlocale (LC_ALL, "");
+@@ -858,6 +882,67 @@
+ retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
+ PAM_FAIL_CHECK;
+
++ /* Make sure SELINUX is really running on this system */
++ if ( (flask_enabled = is_flask_enabled()) )
++ {
++ /* Get security context and SID for user */
++ sidlistlen = SIDLISTLEN;
++ sidlist = malloc (sidlistlen*sizeof(security_id_t));
++ if (sidlist == 0) {
++ fprintf(stderr, "login: no memory for SID list.\n");
++ exit (0);
++ }
++
++ num_sids = get_ordered_sid_list (username, 0, sidlist, &sidlistlen);
++ if (num_sids <= 0 && sidlistlen > SIDLISTLEN) {
++ security_id_t *tmplist;
++ tmplist = realloc (sidlist, sidlistlen*sizeof(security_id_t));
++ if (tmplist) {
++ sidlist = tmplist;
++ num_sids = get_ordered_sid_list (username, 0, sidlist,
++ &sidlistlen);
++ }
++ }
++
++ if (num_sids <= 0) {
++ fprintf(stderr, "login: unable to obtain SIDs for %s.\n", username);
++ if (manual_user_enter_sid (username, &user_sid))
++ {
++ syslog (LOG_ERR, "UNABLE TO GET VALID SID FOR %s", username);
++ exit(0);
++ }
++ }
++ else
++ {
++ query_user_sid (sidlist, num_sids, &user_sid);
++ }
++
++ free (sidlist);
++
++ user_context_len = CONTEXTLEN;
++ user_context = malloc(user_context_len);
++ if (!user_context) {
++ fprintf(stderr, "login: no memory for security context.\n");
++ exit (0);
++ }
++ rc = security_sid_to_context(user_sid,user_context,&user_context_len);
++ if (rc < 0 && user_context_len > CONTEXTLEN)
++ {
++ security_context_t tmpcon;
++ tmpcon = realloc (user_context, user_context_len);
++ if (tmpcon) {
++ user_context = tmpcon;
++ rc = security_sid_to_context (user_sid, user_context,
++ &user_context_len);
++ }
++ }
++ if (rc < 0) {
++ free (user_context);
++ syslog (LOG_ERR, "PROBLEM OBTAINING CONTEXT FOR %s", username);
++ exit (0);
++ }
++ }
++
+ /* committed to login -- turn off timeout */
+ alarm ((unsigned int) 0);
+
+@@ -1013,13 +1098,25 @@
+ chown (ttyn, pwd->pw_uid, gid);
+ chmod (ttyn, getdef_num ("TTYPERM", 0600));
+
++ if (flask_enabled) {
++ if (stat_secure(ttyn, &statbuf, &ttyn_sid) != 0) {
++ perror("stat_secure");
++ exit (0);
++ }
++ if (security_change_sid (user_sid, ttyn_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0) {
++ perror("security_change_sid");
++ exit (0);
++ }
++ if (chsid (ttyn, newdev_sid) != 0) {
++ perror("chsid");
++ exit (0);
++ }
++ }
++
+ /* if tty is one of the VC's then change owner and mode of the
+ special /dev/vcs devices as well */
+ if (consoletty (0))
+ {
+-#if 0
+- char vcsn[20], vcsan[20];
+-
+ /* find names of Virtual Console devices */
+ char *p = ttyn;
+ /* find number of tty */
+@@ -1030,7 +1127,7 @@
+ strcat (vcsn, p);
+ strcpy (vcsan, "/dev/vcsa");
+ strcat (vcsan, p);
+-
++#if 0
+ /*
+ * Please don't add code to chown /dev/vcs* to the user logging in -
+ * it's a potential security hole. I wouldn't like the previous user
+@@ -1043,6 +1140,42 @@
+ chmod (vcsn, getdef_num ("TTYPERM", 0600));
+ chmod (vcsan, getdef_num ("TTYPERM", 0600));
+ #endif
++
++ if (flask_enabled)
++ {
++ if (stat_secure(vcsn, &statbuf, &vcsn_sid) != 0)
++ {
++ perror("stat_secure");
++ exit (0);
++ }
++ if (security_change_sid (user_sid, vcsn_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0)
++ {
++ perror ("security_change_sid");
++ exit (0);
++ }
++ if (chsid (vcsn, newdev_sid) != 0)
++ {
++ perror("chsid");
++ exit (0);
++ }
++ if (stat_secure(vcsan, &statbuf, &vcsan_sid) != 0)
++ {
++ perror("stat_secure");
++ exit (0);
++ }
++ if (security_change_sid (user_sid, vcsan_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0)
++ {
++ perror("security_change_sid");
++ exit (0);
++ }
++ if (chsid (vcsan, newdev_sid) != 0)
++ {
++ perror("chsid");
++ exit (0);
++ }
++
++ }
++
+ }
+
+ setgid (pwd->pw_gid);
+@@ -1123,6 +1256,23 @@
+
+ setproctitle ("login", username);
+
++ if (flask_enabled) {
++ /* note the SELinux login context */
++ if (pwd->pw_uid == 0) {
++ if (hostname)
++ syslog(LOG_NOTICE, _("ROOT LOGIN ON %s FROM %s USING %s"), ttyn, hostname, user_context);
++ else
++ syslog(LOG_NOTICE, _("ROOT LOGIN ON %s USING %s"), ttyn, user_context);
++ } else {
++ if (hostname)
++ syslog(LOG_INFO, _("LOGIN ON %s BY %s FROM %s USING %s"), ttyn, pwd->pw_name, hostname, user_context);
++ else
++ syslog(LOG_INFO, _("LOGIN ON %s BY %s USING %s"), ttyn, pwd->pw_name, user_context);
++ }
++
++ free(user_context);
++ }
++
+ if (!quietlog)
+ motd ();
+
+@@ -1170,6 +1320,27 @@
+ fprintf (stderr, _("login: waitpid (%d, NULL, 0) failed: %s\n"),
+ childPid, strerror (errsv));
+ }
++
++ if (flask_enabled)
++ {
++ /* We need to change the contexts of the terminal devices back to
++ the system when the user's session ends. */
++ if (chsid (ttyn, ttyn_sid) != 0)
++ {
++ perror("chsid");
++ }
++ if (consoletty(0)) {
++ if (chsid (vcsn, vcsn_sid) != 0)
++ {
++ perror("chsid");
++ }
++ if (chsid (vcsan, vcsan_sid) != 0)
++ {
++ perror("chsid");
++ }
++ }
++ }
++
+ PAM_END;
+ exit (0);
+ }
+@@ -1241,7 +1412,10 @@
+
+ childArgv[childArgc++] = NULL;
+
+- execvp (childArgv[0], childArgv + 1);
++ if (flask_enabled)
++ execvp_secure (childArgv[0], user_sid, childArgv + 1);
++ else
++ execvp(childArgv[0], childArgv + 1);
+
+ errsv = errno;
+
diff --git a/sys-apps/pam-login/pam-login-3.11.ebuild b/sys-apps/pam-login/pam-login-3.11.ebuild
index 512a1a285b9e..5a19a66e9d3e 100644
--- a/sys-apps/pam-login/pam-login-3.11.ebuild
+++ b/sys-apps/pam-login/pam-login-3.11.ebuild
@@ -1,10 +1,12 @@
# Copyright 1999-2003 Gentoo Technologies, Inc.
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/pam-login/pam-login-3.11.ebuild,v 1.5 2003/06/24 14:31:13 agriffis Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/pam-login/pam-login-3.11.ebuild,v 1.6 2003/06/29 00:38:16 pebenito Exp $
inherit gnuconfig
+IUSE="nls selinux"
+
# Do we want to backup an old login.defs, and forcefully
# install a new version?
FORCE_LOGIN_DEFS="no"
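Review bot: The new `selinux` USE flag on the `IUSE` line has no matching conditional dependency: the patch it enables links `-lsecure` and includes the flask/`fs_secure.h` headers, but the visible `DEPEND` (glibc, pam, shadow) is unchanged, so a `USE=selinux` build on a system without the SELinux userspace library fails at compile or link time instead of being blocked by portage. Add `selinux? ( <package providing libsecure> )` to DEPEND, naming whichever sys-libs package carries that library in this tree (the diff does not show which). The DEPEND hunk itself runs past the end of this page, so the addition may belong there rather than next to IUSE.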
@@ -23,6 +25,13 @@ DEPEND="virtual/glibc
sys-libs/pam
>=sys-apps/shadow-4.0.2-r5"
+src_unpack() {
+ unpack ${A}
+
+ cd ${S}
+ use selinux && epatch ${FILESDIR}/${P}-selinux.diff
+}
+
src_compile() {
# Fix configure scripts to recognize linux-mips