Relevant BUGIDs:

Purpose of commit: bugfix, new feature

Commit summary:
---------------
2008-02-13  Tomas Mraz  <t8m@centrum.cz>

        * modules/pam_namespace/Makefile.am: Add argv_parse files and namespace.d
        dir.
        * modules/pam_namespace/argv_parse.c: New file.
        * modules/pam_namespace/argv_parse.h: New file.
        * modules/pam_namespace/namespace.conf.5.xml: Document new features.
        * modules/pam_namespace/pam_namespace.8.xml: Likewise.
        * modules/pam_namespace/pam_namespace.h: Use SECURECONF_DIR define.
        Define NAMESPACE_D_DIR and NAMESPACE_D_GLOB. Define new option flags
        and polydir flags.
        (polydir_s): Add rdir, replace exclusive with flags, add init_script,
        owner, group, and mode.
        (instance_data): Add ruser, gid, and ruid.
        * modules/pam_namespace/pam_namespace.c: Remove now unused copy_ent().
        (add_polydir_entry): Add the entry directly, no copy.
        (del_polydir): New function.
        (del_polydir_list): Call del_polydir().
        (expand_variables, parse_create_params, parse_iscript_params,
        parse_method): New functions.
        (process_line): Call expand_variables() on polydir and instance prefix.
        Call argv_parse() instead of strtok_r(). Allocate struct polydir_s on heap.
        (parse_config_file): Parse .conf files from namespace.d dir after
        namespace.conf.
        (form_context): Call getcon() or get_default_context_with_level() when
        appropriate flags are set.
        (poly_name): Handle shared polydir flag.
        (inst_init): Execute non-default init script when specified.
        (create_polydir): New function.
        (create_dirs): Remove the code which checks the polydir. Do not call
        inst_init() when noinit flag is set.
        (ns_setup): Check the polydir and eventually create it if the create flag
        is set.
        (setup_namespace): Use ruser uid from idata. Set the namespace polydir
        pam data only when namespace was set up correctly. Unmount polydir
        based on ruser.
        (get_user_data): New function.
        (pam_sm_open_session): Check for use_current_context and
        use_default_context options. Call get_user_data().
        (pam_sm_close_session): Call get_user_data().

1 files changed, 55 insertions, 3 deletions

diff --git a/modules/pam_namespace/pam_namespace.8.xml b/modules/pam_namespace/pam_namespace.8.xml
index f47bb81b..32c5359d 100644
--- a/modules/pam_namespace/pam_namespace.8.xml
+++ b/modules/pam_namespace/pam_namespace.8.xml
@@ -46,6 +46,12 @@
       <arg choice="opt">
         no_unmount_on_close
       </arg>
+      <arg choice="opt">
+        use_current_context
+      </arg>
+      <arg choice="opt">
+        use_default_context
+      </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -200,13 +206,42 @@
         </listitem>
       </varlistentry>
 
+      <varlistentry>
+        <term>
+          <option>use_current_context</option>
+        </term>
+        <listitem>
+          <para>
+	    Useful for services which do not change the SELinux context
+	    with setexeccon call. The module will use the current SELinux
+	    context of the calling process for the level and context
+	    polyinstantiation.
+          </para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term>
+          <option>use_default_context</option>
+        </term>
+        <listitem>
+          <para>
+	    Useful for services which do not use pam_selinux for changing
+	    the SELinux context with setexeccon call. The module will use
+	    the default SELinux context of the user for the level and context
+	    polyinstantiation.
+          </para>
+        </listitem>
+      </varlistentry>
+
     </variablelist>
   </refsect1>
 
   <refsect1 id="pam_namespace-services">
     <title>MODULE SERVICES PROVIDED</title>
     <para>
-      The <option>session</option> service is supported.
+      The <option>session</option> service is supported. The module must not
+      be called from multithreaded processes.
     </para>
   </refsect1>
 
@@ -246,7 +281,21 @@
       <varlistentry>
         <term><filename>/etc/security/namespace.conf</filename></term>
         <listitem>
-          <para>Configuration file</para>
+          <para>Main configuration file</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><filename>/etc/security/namespace.d</filename></term>
+        <listitem>
+          <para>Directory for additional configuration files</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><filename>/etc/security/namespace.init</filename></term>
+        <listitem>
+          <para>Init script for instance directories</para>
         </listitem>
       </varlistentry>
     </variablelist>
@@ -332,7 +381,10 @@
     <para>
       The namespace setup scheme was designed by Stephen Smalley, Janak Desai
       and Chad Sellers.
-      The pam_namespace PAM module was developed by Janak Desai &lt;janak@us.ibm.com&gt;, Chad Sellers &lt;csellers@tresys.com&gt; and Steve Grubb &lt;sgrubb@redhat.com&gt;.
+      The pam_namespace PAM module was developed by Janak Desai &lt;janak@us.ibm.com&gt;,
+      Chad Sellers &lt;csellers@tresys.com&gt; and Steve Grubb &lt;sgrubb@redhat.com&gt;.
+      Additional improvements by Xavier Toth &lt;txtoth@gmail.com&gt; and Tomas Mraz
+      &lt;tmraz@redhat.com&gt;.
     </para>
   </refsect1>
 </refentry>