Relevant BUGIDs: 1688777

Purpose of commit: new features

Commit summary:
---------------

2007-06-20  Thorsten Kukuk  <kukuk@thkukuk.de>

        * modules/pam_cracklib/pam_cracklib.8.xml: Document new minclass
        option.
        * modules/pam_cracklib/pam_cracklib.c: Add support for minimum
        character classes [#1688777]. Based on patch from Keith Schincke.

        * xtests/tst-pam_cracklib2.c: New, test case for minclass option.
        * xtests/tst-pam_cracklib2.pamd: New, PAM config file for test case.
        * xtests/Makefile.am: Add new testcase.

        * xtests/pam_cracklib.c: Fix comment what this application tests.

        * configure.in: Use /lib64 on x86-64, ppc64, s390x, sparc64

9 files changed, 507 insertions, 275 deletions

diff --git a/modules/pam_cracklib/README b/modules/pam_cracklib/README
index 89e80318..25ec00b4 100644
--- a/modules/pam_cracklib/README
+++ b/modules/pam_cracklib/README
@@ -152,6 +152,14 @@ ocredit=N
     (N < 0) This is the minimum number of other characters that must be met for
     a new password.
 
+minclass=N
+
+    The minimum number of required classes of characters for the new password.
+    The default number is zero. The four classes are digits, upper and lower
+    letters and other characters. The difference to the credit check is that a
+    specific class if of characters is not required. Instead N out of four of
+    the classes are required.
+
 use_authtok
 
     This argument is used to force the module to not prompt the user for a new
diff --git a/modules/pam_cracklib/pam_cracklib.8 b/modules/pam_cracklib/pam_cracklib.8
index 526817a4..8ccf8059 100644
--- a/modules/pam_cracklib/pam_cracklib.8
+++ b/modules/pam_cracklib/pam_cracklib.8
@@ -1,11 +1,11 @@
 .\"     Title: pam_cracklib
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/02/2006
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: 06/20/2007
 .\"    Manual: Linux\-PAM Manual
 .\"    Source: Linux\-PAM Manual
 .\"
-.TH "PAM_CRACKLIB" "8" "06/02/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_CRACKLIB" "8" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -28,14 +28,19 @@ The first action is to prompt for a single password, check its strength and then
 The strength checks works in the following manner: at first the
 \fBCracklib\fR
 routine is called to check if the password is part of a dictionary; if this is not the case an additional set of strength checks is done. These checks are:
-.TP 3n
+.PP
 Palindrome
+.RS 4
 Is the new password a palindrome of the old one?
-.TP 3n
+.RE
+.PP
 Case Change Only
+.RS 4
 Is the new password the the old one with only a change of case?
-.TP 3n
+.RE
+.PP
 Similar
+.RS 4
 Is the new password too much like the old one? This is primarily controlled by one argument,
 \fBdifok\fR
 which is a number of characters that if different between the old and new are enough to accept the new password, this defaults to 10 or 1/2 the size of the new password whichever is smaller.
@@ -47,52 +52,70 @@ is available. This argument can be used to specify the minimum length a new pass
 value is ignored. The default value for
 \fBdifignore\fR
 is 23.
-.TP 3n
+.RE
+.PP
 Simple
+.RS 4
 Is the new password too small? This is controlled by 5 arguments
 \fBminlen\fR,
 \fBdcredit\fR,
 \fBucredit\fR,
 \fBlcredit\fR, and
 \fBocredit\fR. See the section on the arguments for the details of how these work and there defaults.
-.TP 3n
+.RE
+.PP
 Rotated
+.RS 4
 Is the new password a rotated version of the old password?
-.TP 3n
+.RE
+.PP
 Already used
+.RS 4
 Was the password used in the past? Previously used passwords are to be found in
 \fI/etc/security/opasswd\fR.
+.RE
 .PP
 This module with no arguments will work well for standard unix password encryption. With md5 encryption, passwords can be longer than 8 characters and the default settings for this module can make it hard for the user to choose a satisfactory new password. Notably, the requirement that the new password contain no more than 1/2 of the characters in the old password becomes a non\-trivial constraint. For example, an old password of the form "the quick brown fox jumped over the lazy dogs" would be difficult to change... In addition, the default action is to allow passwords as small as 5 characters in length. For a md5 systems it can be a good idea to increase the required minimum size of a password. One can then allow more credit for different kinds of characters but accept that the new password may share most of these characters with the old password.
 .SH "OPTIONS"
 .PP
-.TP 3n
+.PP
 \fBdebug\fR
+.RS 4
 This option makes the module write information to
 \fBsyslog\fR(3)
 indicating the behavior of the module (this option does not write password information to the log file).
-.TP 3n
+.RE
+.PP
 \fBtype=\fR\fB\fIXXX\fR\fR
+.RS 4
 The default action is for the module to use the following prompts when requesting passwords: "New UNIX password: " and "Retype UNIX password: ". The default word
 \fIUNIX\fR
 can be replaced with this option.
-.TP 3n
+.RE
+.PP
 \fBretry=\fR\fB\fIN\fR\fR
+.RS 4
 Prompt user at most
 \fIN\fR
 times before returning with error. The default is
 \fI1\fR
-.TP 3n
+.RE
+.PP
 \fBdifok=\fR\fB\fIN\fR\fR
+.RS 4
 This argument will change the default of
 \fI5\fR
 for the number of characters in the new password that must not be present in the old password. In addition, if 1/2 of the characters in the new password are different then the new password will be accepted anyway.
-.TP 3n
+.RE
+.PP
 \fBdifignore=\fR\fB\fIN\fR\fR
+.RS 4
 How many characters should the password have before difok will be ignored. The default is
 \fI23\fR.
-.TP 3n
+.RE
+.PP
 \fBminlen=\fR\fB\fIN\fR\fR
+.RS 4
 The minimum acceptable size for the new password (plus one if credits are not disabled which is the default). In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (\fIother\fR,
 \fIupper\fR,
 \fIlower\fR
@@ -103,8 +126,10 @@ which is good for a old style UNIX password all of the same type of character bu
 \fICracklib\fR
 itself, a "way too short" limit of 4 which is hard coded in and a defined limit (6) that will be checked without reference to
 \fBminlen\fR. If you want to allow passwords as short as 5 characters you should not use this module.
-.TP 3n
+.RE
+.PP
 \fBdcredit=\fR\fB\fIN\fR\fR
+.RS 4
 (N >= 0) This is the maximum credit for having digits in the new password. If you have less than or
 \fIN\fR
 digits, each digit will count +1 towards meeting the current
@@ -116,8 +141,10 @@ is 1 which is the recommended value for
 less than 10.
 .sp
 (N < 0) This is the minimum number of digits that must be met for a new password.
-.TP 3n
+.RE
+.PP
 \fBucredit=\fR\fB\fIN\fR\fR
+.RS 4
 (N >= 0) This is the maximum credit for having upper case letters in the new password. If you have less than or
 \fIN\fR
 upper case letters each letter will count +1 towards meeting the current
@@ -131,8 +158,10 @@ which is the recommended value for
 less than 10.
 .sp
 (N > 0) This is the minimum number of upper case letters that must be met for a new password.
-.TP 3n
+.RE
+.PP
 \fBlcredit=\fR\fB\fIN\fR\fR
+.RS 4
 (N >= 0) This is the maximum credit for having lower case letters in the new password. If you have less than or
 \fIN\fR
 lower case letters, each letter will count +1 towards meeting the current
@@ -144,8 +173,10 @@ is 1 which is the recommended value for
 less than 10.
 .sp
 (N < 0) This is the minimum number of lower case letters that must be met for a new password.
-.TP 3n
+.RE
+.PP
 \fBocredit=\fR\fB\fIN\fR\fR
+.RS 4
 (N >= 0) This is the maximum credit for having other characters in the new password. If you have less than or
 \fIN\fR
 other characters, each character will count +1 towards meeting the current
@@ -157,16 +188,30 @@ is 1 which is the recommended value for
 less than 10.
 .sp
 (N < 0) This is the minimum number of other characters that must be met for a new password.
-.TP 3n
+.RE
+.PP
+\fBminclass=\fR\fB\fIN\fR\fR
+.RS 4
+The minimum number of required classes of characters for the new password. The default number is zero. The four classes are digits, upper and lower letters and other characters. The difference to the
+\fBcredit\fR
+check is that a specific class if of characters is not required. Instead
+\fIN\fR
+out of four of the classes are required.
+.RE
+.PP
 \fBuse_authtok\fR
+.RS 4
 This argument is used to
 \fIforce\fR
 the module to not prompt the user for a new password but use the one provided by the previously stacked
 \fIpassword\fR
 module.
-.TP 3n
+.RE
+.PP
 \fBdictpath=\fR\fB\fI/path/to/dict\fR\fR
+.RS 4
 Path to the cracklib dictionaries.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only he
@@ -174,26 +219,34 @@ Only he
 service is supported.
 .SH "RETURN VALUES"
 .PP
-.TP 3n
+.PP
 PAM_SUCCESS
+.RS 4
 The new password passes all checks.
-.TP 3n
+.RE
+.PP
 PAM_AUTHTOK_ERR
+.RS 4
 No new password was entered, the username could not be determined or the new password fails the strength checks.
-.TP 3n
+.RE
+.PP
 PAM_AUTHTOK_RECOVERY_ERR
+.RS 4
 The old password was not supplied by a previous stackked module or got not requested from the user. The first error can happen if
 \fBuse_authtok\fR
 is specified.
-.TP 3n
+.RE
+.PP
 PAM_SERVICE_ERR
+.RS 4
 A internal error occured.
+.RE
 .SH "EXAMPLES"
 .PP
 For an example of the use of this module, we show how it may be stacked with the password component of
 \fBpam_unix\fR(8)
 .sp
-.RS 3n
+.RS 4
 .nf
 #
 # These lines stack two password type modules. In this example the
@@ -213,7 +266,7 @@ Another example (in the
 \fI/etc/pam.d/passwd\fR
 format) is for the case that you want to use md5 password encryption:
 .sp
-.RS 3n
+.RS 4
 .nf
 #%PAM\-1.0
 #
@@ -232,7 +285,7 @@ password  required pam_unix.so use_authtok nullok md5
 .PP
 And here is another example in case you don't want to use credits:
 .sp
-.RS 3n
+.RS 4
 .nf
 #%PAM\-1.0
 #
diff --git a/modules/pam_cracklib/pam_cracklib.8.xml b/modules/pam_cracklib/pam_cracklib.8.xml
index 7edabe0f..f97ad8fb 100644
--- a/modules/pam_cracklib/pam_cracklib.8.xml
+++ b/modules/pam_cracklib/pam_cracklib.8.xml
@@ -331,6 +331,24 @@
 
         <varlistentry>
           <term>
+            <option>minclass=<replaceable>N</replaceable></option>
+          </term>
+          <listitem>
+            <para>
+              The minimum number of required classes of characters for
+              the new password. The default number is zero. The four
+              classes are digits, upper and lower letters and other
+              characters.
+              The difference to the <option>credit</option> check is
+              that a specific class if of characters is not required.
+              Instead <replaceable>N</replaceable> out of four of the
+              classes are required.
+            </para>
+          </listitem>
+        </varlistentry>
+
+        <varlistentry>
+          <term>
             <option>use_authtok</option>
           </term>
           <listitem>
diff --git a/modules/pam_cracklib/pam_cracklib.c b/modules/pam_cracklib/pam_cracklib.c
index d2831345..6decf2bf 100644
--- a/modules/pam_cracklib/pam_cracklib.c
+++ b/modules/pam_cracklib/pam_cracklib.c
@@ -92,6 +92,7 @@ struct cracklib_options {
 	int up_credit;
 	int low_credit;
 	int oth_credit;
+        int min_class;
 	int use_authtok;
 	char prompt_type[BUFSIZ];
         char cracklib_dictpath[PATH_MAX];
@@ -156,6 +157,12 @@ _pam_parse (pam_handle_t *pamh, struct cracklib_options *opt,
 	     opt->oth_credit = strtol(*argv+8,&ep,10);
 	     if (!ep)
 		 opt->oth_credit = 0;
+         } else if (!strncmp(*argv,"minclass=",9)) {
+             opt->min_class = strtol(*argv+9,&ep,10);
+             if (!ep)
+                 opt->min_class = 0;
+                 if (opt->min_class > 4)
+                     opt->min_class = 4 ;
 	 } else if (!strncmp(*argv,"use_authtok",11)) {
 		 opt->use_authtok = 1;
 	 } else if (!strncmp(*argv,"dictpath=",9)) {
@@ -290,6 +297,47 @@ static int similar(struct cracklib_options *opt,
 }
 
 /*
+ * enough classes of charecters
+ */
+
+static int minclass (struct cracklib_options *opt,
+		     const char *new)
+{
+    int digits = 0;
+    int uppers = 0;
+    int lowers = 0;
+    int others = 0;
+    int total_class;
+    int i;
+    int retval;
+
+    D(( "called" ));
+    for (i = 0; new[i]; i++)
+       {
+	 if (isdigit (new[i]))
+             digits = 1;
+	 else if (isupper (new[i]))
+             uppers = 1;
+	 else if (islower (new[i]))
+             lowers = 1;
+	 else
+             others = 1;
+       }
+
+    total_class = digits + uppers + lowers + others;
+
+    D (("total class: %d\tmin_class: %d", total_class, opt->min_class));
+
+    if (total_class >= opt->min_class)
+        retval = 0;
+    else
+      retval = 1;
+
+    return retval;
+}
+
+
+/*
  * a nice mix of characters.
  */
 static int simple(struct cracklib_options *opt, const char *new)
@@ -369,43 +417,51 @@ static char * str_lower(char *string)
 	return string;
 }
 
-static const char * password_check(struct cracklib_options *opt, const char *old, const char *new)
+static const char *password_check(struct cracklib_options *opt,
+				  const char *old, const char *new)
 {
 	const char *msg = NULL;
-	char *oldmono, *newmono, *wrapped;
+	char *oldmono = NULL, *newmono, *wrapped = NULL;
 
-	if (strcmp(new, old) == 0) {
-        msg = _("is the same as the old one");
-        return msg;
-    }
+	if (old && strcmp(new, old) == 0) {
+	    msg = _("is the same as the old one");
+	    return msg;
+	}
 
 	newmono = str_lower(x_strdup(new));
-	oldmono = str_lower(x_strdup(old));
-	wrapped = malloc(strlen(oldmono) * 2 + 1);
-	strcpy (wrapped, oldmono);
-	strcat (wrapped, oldmono);
+	if (old) {
+	  oldmono = str_lower(x_strdup(old));
+	  wrapped = malloc(strlen(oldmono) * 2 + 1);
+	  strcpy (wrapped, oldmono);
+	  strcat (wrapped, oldmono);
+	}
 
 	if (palindrome(newmono))
 		msg = _("is a palindrome");
 
-	if (!msg && strcmp(oldmono, newmono) == 0)
+	if (!msg && oldmono && strcmp(oldmono, newmono) == 0)
 		msg = _("case changes only");
 
-	if (!msg && similar(opt, oldmono, newmono))
+	if (!msg && oldmono && similar(opt, oldmono, newmono))
 		msg = _("is too similar to the old one");
 
 	if (!msg && simple(opt, new))
 		msg = _("is too simple");
 
-	if (!msg && strstr(wrapped, newmono))
+	if (!msg && wrapped && strstr(wrapped, newmono))
 		msg = _("is rotated");
 
+	if (!msg && minclass (opt, new))
+	        msg = _("not enough character classes");
+
 	memset(newmono, 0, strlen(newmono));
-	memset(oldmono, 0, strlen(oldmono));
-	memset(wrapped, 0, strlen(wrapped));
 	free(newmono);
-	free(oldmono);
-	free(wrapped);
+	if (old) {
+	  memset(oldmono, 0, strlen(oldmono));
+	  memset(wrapped, 0, strlen(wrapped));
+	  free(oldmono);
+	  free(wrapped);
+	}
 
 	return msg;
 }
@@ -470,7 +526,7 @@ static int _pam_unix_approve_pass(pam_handle_t *pamh,
      * if one wanted to hardwire authentication token strength
      * checking this would be the place
      */
-    msg = password_check(opt, pass_old,pass_new);
+    msg = password_check(opt, pass_old, pass_new);
     if (!msg) {
 	retval = pam_get_item(pamh, PAM_USER, &user);
 	if (retval != PAM_SUCCESS || user == NULL) {
@@ -621,15 +677,13 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags,
             } else {
                 /* check it for strength too... */
 		D(("for strength"));
-                if (oldtoken) {
-                    retval = _pam_unix_approve_pass(pamh,ctrl,&options,
-                                               oldtoken,token1);
-                    if (retval != PAM_SUCCESS) {
-                        if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
-			    retval = PAM_AUTHTOK_ERR;
-			else
-			    retval = PAM_SUCCESS;
-		    }
+                retval = _pam_unix_approve_pass (pamh, ctrl, &options,
+						 oldtoken, token1);
+		if (retval != PAM_SUCCESS) {
+		    if (getuid() || (flags & PAM_CHANGE_EXPIRED_AUTHTOK))
+		        retval = PAM_AUTHTOK_ERR;
+		    else
+		        retval = PAM_SUCCESS;
                 }
             }
         }
diff --git a/modules/pam_namespace/README b/modules/pam_namespace/README
index c47ba232..cf5814e3 100644
--- a/modules/pam_namespace/README
+++ b/modules/pam_namespace/README
@@ -2,128 +2,167 @@ pam_namespace — PAM module for configuring namespace for a session
 
 ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
 
+DESCRIPTION
 
-pam_namespace module:
-Setup a private namespace with polyinstantiated directories.
-
-THEORY OF OPERATION:
-The pam namespace module consults /etc/security/namespace.conf
-configuration file and sets up a private namespace with polyinstantiated
-directories for a session managed by PAM. A skeleton namespace.conf
-installed by default provides example for polyinstantiating /tmp, /var/tmp
-and users' home directory.
-
-If an executable script /etc/security/namespace.init exists, it
-is used to initialize the namespace every time a new instance directory
-is setup. The script receives the polyinstantiated directory path
-and the instance directory path as its arguments.
-
-Each line in namespace.conf describes a limit for a user in the form:
-
-<polydir>  <instance_prefix>  <method>  <list_of_uids>
-
-Where:
-<polydir> - is the absolute pathname of the directory to polyinstantiate
-      Special entry $HOME is supported to designate user's home directory.
-      This field cannot be blank.
-
-<instance_prefix> - is the string prefix used to build the pathname for the
-        instantiation of <polydir>. The directory security context, or
-        optionally its md5sum string (32 hex characters), is appended to
-        the prefix to generate the final instance directory path.
-        This directory is created if it did not exist already, and is then
-        bind mounted on the <polydir> to provide an instance of <polydir>
-        based on the <method> column. The special string $HOME is replaced with
-        the user's home directory, and $USER with the username.
-        This field cannot be blank.
-
-<method> - is the method used for polyinstantiation. It can take 3 different
-        values; "user" for polyinstantiation based on user name, "context"
-        for polyinstantiation based on process security context, and "both"
-        for polyinstantiation based on both user name and security context.
-        Methods "context" and "both" are only available with SELinux. This
-        field cannot be blank.
-
-<list_of_uids> - is a comma separated list of user names for whom the
-        polyinstantiation is not performed. If left blank, polyinstantiation
-        will be performed for all users.
-
-EXAMPLE /etc/security/namespace.conf configuration file:
-=======================================================
-# Following three lines will polyinstantiate /tmp, /var/tmp and user's home
-# directories. /tmp and /var/tmp will be polyinstantiated based on both
-# security context as well as user name, whereas home directory will
-# be polyinstantiated based on security context only. Polyinstantiation
-# will not be performed for user root and adm for directories /tmp and
-# /var/tmp, whereas home directories will be polyinstantiated for all
-# users. The user name and/or context is appended to the instance prefix.
-#
-# Note that instance directories do not have to reside inside the
-# polyinstantiated directory. In the examples below, instances of /tmp
-# will be created in /tmp-inst directory, where as instances of /var/tmp
-# and users home directories will reside within the directories that
-# are being polyinstantiated.
-#
-# Instance parent directories must exist for the polyinstantiation
-# mechanism to work. By default, they should be created with the mode
-# of 000. pam_namespace module will enforce this mode unless it
-# is explicitly called with an argument to ignore the mode of the
-# instance parent. System administrators should use this argument with
-# caution, as it will reduce security and isolation achieved by
-# polyinstantiation.
-#
-/tmp     /tmp-inst/             both      root,adm
-/var/tmp /var/tmp/tmp-inst/     both      root,adm
-$HOME    $HOME/$USER.inst/inst- context
-
-ARGUMENTS RECOGNIZED:
-    debug
-        Verbose logging by syslog
-
-    unmnt_remnt
-        For programs such as su and newrole, the login session has
-        already setup a polyinstantiated namespace. For these programs,
-        polyinstantiation is performed based on new user id or security
-        context, however the command first needs to undo the
-        polyinstantiation performed by login. This argument instructs
-        the command to first undo previous polyinstantiation before
-        proceeding with new polyinstantiation based on new id/context.
-
-    unmnt_only
-        For trusted programs that want to undo any existing bind mounts
-        and process instance directories on their own, this argument
-        allows them to unmount currently mounted instance directories.
-
-    require_selinux
-        If selinux is not enabled, return failure.
-
-    gen_hash
-        Instead of using the security context string for the instance
-        name, generate and use its md5 hash.
-
-    ignore_config_error
-        If a line in the configuration file corresponding to a
-        polyinstantiated directory contains format error, skip that
-        line process the next line. Without this option, pam will return
-        an error to the calling program resulting in termination
-        of the session.
-
-    ignore_instance_parent_mode
-        Instance parent directories by default are expected to have
-        the restrictive mode of 000. Using this option, an administrator
-        can choose to ignore the mode of the instance parent.
-
-MODULE SERVICES PROVIDED:
-        session            open_session and close_session
-
-USAGE:
-        For the <service>s you need polyinstantiation (login for example)
-        put the following line in /etc/pam.d/<service> as the last line for
-        session group:
-
-        session  required  pam_namespace.so [arguments]
-
-        This module also depends on pam_selinux.so setting the context.
+The pam_namespace PAM module sets up a private namespace for a session with
+polyinstantiated directories. A polyinstantiated directory provides a different
+instance of itself based on user name, or when using SELinux, user name,
+security context or both. If an executable script /etc/security/namespace.init
+exists, it is used to initialize the namespace every time a new instance
+directory is setup. The script receives the polyinstantiated directory path and
+the instance directory path as its arguments.
 
+The pam_namespace module disassociates the session namespace from the parent
+namespace. Any mounts/unmounts performed in the parent namespace, such as
+mounting of devices, are not reflected in the session namespace. To propagate
+selected mount/unmount events from the parent namespace into the disassociated
+session namespace, an administrator may use the special shared-subtree feature.
+For additional information on shared-subtree feature, please refer to the mount
+(8) man page and the shared-subtree description at http://lwn.net/Articles/
+159077 and http://lwn.net/Articles/159092.
 
+OPTIONS
+
+debug
+
+    A lot of debug information is logged using syslog
+
+unmnt_remnt
+
+    For programs such as su and newrole, the login session has already setup a
+    polyinstantiated namespace. For these programs, polyinstantiation is
+    performed based on new user id or security context, however the command
+    first needs to undo the polyinstantiation performed by login. This argument
+    instructs the command to first undo previous polyinstantiation before
+    proceeding with new polyinstantiation based on new id/context
+
+unmnt_only
+
+    For trusted programs that want to undo any existing bind mounts and process
+    instance directories on their own, this argument allows them to unmount
+    currently mounted instance directories
+
+require_selinux
+
+    If selinux is not enabled, return failure
+
+gen_hash
+
+    Instead of using the security context string for the instance name,
+    generate and use its md5 hash.
+
+ignore_config_error
+
+    If a line in the configuration file corresponding to a polyinstantiated
+    directory contains format error, skip that line process the next line.
+    Without this option, pam will return an error to the calling program
+    resulting in termination of the session.
+
+ignore_instance_parent_mode
+
+    Instance parent directories by default are expected to have the restrictive
+    mode of 000. Using this option, an administrator can choose to ignore the
+    mode of the instance parent. This option should be used with caution as it
+    will reduce security and isolation goals of the polyinstantiation
+    mechanism.
+
+no_unmount_on_close
+
+    For certain trusted programs such as newrole, open session is called from a
+    child process while the parent perfoms close session and pam end functions.
+    For these commands use this option to instruct pam_close_session to not
+    unmount the bind mounted polyinstantiated directory in the parent.
+
+DESCRIPTION
+
+This module allows setup of private namespaces with polyinstantiated
+directories. Directories can be polyinstantiated based on user name or, in the
+case of SELinux, user name, sensitivity level or complete security context. If
+an executable script /etc/security/namespace.init exists, it is used to
+initialize the namespace every time a new instance directory is setup. The
+script receives the polyinstantiated directory path and the instance directory
+path as its arguments.
+
+The /etc/security/namespace.conf file specifies which directories are
+polyinstantiated, how they are polyinstantiated, how instance directories would
+be named, and any users for whom polyinstantiation would not be performed.
+
+When someone logs in, the file namespace.conf is scanned where each non comment
+line represents one polyinstantiated directory with space separated fields as
+follows:
+
+polydir instance_prefix method list_of_uids
+
+The first field, polydir, is the absolute pathname of the directory to
+polyinstantiate. Special entry $HOME is supported to designate user's home
+directory. This field cannot be blank.
+
+The second field, instance_prefix is the string prefix used to build the
+pathname for the instantiation of <polydir>. Depending on the polyinstantiation
+method it is then appended with "instance differentiation string" to generate
+the final instance directory path. This directory is created if it did not
+exist already, and is then bind mounted on the <polydir> to provide an instance
+of <polydir> based on the <method> column. The special string $HOME is replaced
+with the user's home directory, and $USER with the username. This field cannot
+be blank. The directory where polyinstantiated instances are to be created,
+must exist and must have, by default, the mode of 000. The requirement that the
+instance parent be of mode 000 can be overridden with the command line option
+ignore_instance_parent_mode
+
+The third field, method, is the method used for polyinstantiation. It can take
+3 different values; "user" for polyinstantiation based on user name, "level"
+for polyinstantiation based on process MLS level and user name, and "context"
+for polyinstantiation based on process security context and user name Methods
+"context" and "level" are only available with SELinux. This field cannot be
+blank.
+
+The fourth field, list_of_uids, is a comma separated list of user names for
+whom the polyinstantiation is not performed. If left blank, polyinstantiation
+will be performed for all users.
+
+In case of context or level polyinstantiation the SELinux context which is used
+for polyinstantiation is the context used for executing a new process as
+obtained by getexeccon. This context must be set by the calling application or
+pam_selinux.so module. If this context is not set the polyinstatiation will be
+based just on user name.
+
+The "instance differentiation string" is <user name> for "user" method and
+<user name>_<raw directory context> for "context" and "level" methods. If the
+whole string is too long the end of it is replaced with md5sum of itself. Also
+when command line option gen_hash is used the whole string is replaced with
+md5sum of itself.
+
+EXAMPLES
+
+These are some example lines which might be specified in /etc/security/
+namespace.conf.
+
+
+      # The following three lines will polyinstantiate /tmp,
+      # /var/tmp and user's home directories. /tmp and /var/tmp
+      # will be polyinstantiated based on the security level
+      # as well as user name, whereas home directory will be
+      # polyinstantiated based on the full security context and user name.
+      # Polyinstantiation will not be performed for user root
+      # and adm for directories /tmp and /var/tmp, whereas home
+      # directories will be polyinstantiated for all users.
+      #
+      # Note that instance directories do not have to reside inside
+      # the polyinstantiated directory. In the examples below,
+      # instances of /tmp will be created in /tmp-inst directory,
+      # where as instances of /var/tmp and users home directories
+      # will reside within the directories that are being
+      # polyinstantiated.
+      #
+      /tmp     /tmp-inst/               level      root,adm
+      /var/tmp /var/tmp/tmp-inst/    level      root,adm
+      $HOME    $HOME/$USER.inst/inst- context
+    
+
+For the <service>s you need polyinstantiation (login for example) put the
+following line in /etc/pam.d/<service> as the last line for session group:
+
+session required pam_namespace.so [arguments]
+
+This module also depends on pam_selinux.so setting the context.
 
diff --git a/modules/pam_namespace/namespace.conf.5 b/modules/pam_namespace/namespace.conf.5
index ff325a21..0a4d98e4 100644
--- a/modules/pam_namespace/namespace.conf.5
+++ b/modules/pam_namespace/namespace.conf.5
@@ -1,96 +1,101 @@
-.\"Generated by db2man.xsl. Don't modify this, modify the source.
-.de Sh \" Subsection
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Ip \" List item
-.br
-.ie \\n(.$>=3 .ne \\$3
-.el .ne 3
-.IP "\\$1" \\$2
-..
-.TH "NAMESPACE.CONF" 5 "" "" ""
-.SH NAME
+.\"     Title: namespace.conf
+.\"    Author: 
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: 06/20/2007
+.\"    Manual: Linux\-PAM Manual
+.\"    Source: Linux\-PAM Manual
+.\"
+.TH "NAMESPACE.CONF" "5" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.\" disable hyphenation
+.nh
+.\" disable justification (adjust text to left margin only)
+.ad l
+.SH "NAME"
 namespace.conf \- the namespace configuration file
 .SH "DESCRIPTION"
-
 .PP
-This module allows setup of private namespaces with polyinstantiated directories\&. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, security context or both\&. If an executable script \fI/etc/security/namespace\&.init\fR exists, it is used to initialize the namespace every time a new instance directory is setup\&. The script receives the polyinstantiated directory path and the instance directory path as its arguments\&.
-
+This module allows setup of private namespaces with polyinstantiated directories. Directories can be polyinstantiated based on user name or, in the case of SELinux, user name, sensitivity level or complete security context. If an executable script
+\fI/etc/security/namespace.init\fR
+exists, it is used to initialize the namespace every time a new instance directory is setup. The script receives the polyinstantiated directory path and the instance directory path as its arguments.
 .PP
-The \fI/etc/security/namespace\&.conf\fR file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed\&.
-
+The
+\fI/etc/security/namespace.conf\fR
+file specifies which directories are polyinstantiated, how they are polyinstantiated, how instance directories would be named, and any users for whom polyinstantiation would not be performed.
 .PP
-When someone logs in, the file \fInamespace\&.conf\fR is scanned where each non comment line represents one polyinstantiated directory with space separated fields as follows:
-
+When someone logs in, the file
+\fInamespace.conf\fR
+is scanned where each non comment line represents one polyinstantiated directory with space separated fields as follows:
 .PP
- \fIpolydir\fR  \fI instance_prefix\fR  \fI method\fR  \fI list_of_uids\fR 
 
+\fIpolydir\fR
+\fI instance_prefix\fR
+\fI method\fR
+\fI list_of_uids\fR
 .PP
-The first field, \fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate\&. Special entry $HOME is supported to designate user's home directory\&. This field cannot be blank\&.
-
+The first field,
+\fIpolydir\fR, is the absolute pathname of the directory to polyinstantiate. Special entry $HOME is supported to designate user's home directory. This field cannot be blank.
 .PP
-The second field, \fIinstance_prefix\fR is the string prefix used to build the pathname for the instantiation of <polydir>\&. The directory security context, or optionally its md5sum string (32 hex characters), is appended to the prefix to generate the final instance directory path\&. This directory is created if it did not exist already, and is then bind mounted on the <polydir> to provide an instance of <polydir> based on the <method> column\&. The special string $HOME is replaced with the user's home directory, and $USER with the username\&. This field cannot be blank\&. The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 000\&. The requirement that the instance parent be of mode 000 can be overridden with the command line option <ignore_instance_parent_mode>
-
+The second field,
+\fIinstance_prefix\fR
+is the string prefix used to build the pathname for the instantiation of <polydir>. Depending on the polyinstantiation
+\fImethod\fR
+it is then appended with "instance differentiation string" to generate the final instance directory path. This directory is created if it did not exist already, and is then bind mounted on the <polydir> to provide an instance of <polydir> based on the <method> column. The special string $HOME is replaced with the user's home directory, and $USER with the username. This field cannot be blank. The directory where polyinstantiated instances are to be created, must exist and must have, by default, the mode of 000. The requirement that the instance parent be of mode 000 can be overridden with the command line option
+\fIignore_instance_parent_mode\fR
 .PP
-The third field, \fImethod\fR, is the method used for polyinstantiation\&. It can take 3 different values; "user" for polyinstantiation based on user name, "context" for polyinstantiation based on process security context, and "both" for polyinstantiation based on both user name and security context\&. Methods "context" and "both" are only available with SELinux\&. This field cannot be blank\&.
-
+The third field,
+\fImethod\fR, is the method used for polyinstantiation. It can take 3 different values; "user" for polyinstantiation based on user name, "level" for polyinstantiation based on process MLS level and user name, and "context" for polyinstantiation based on process security context and user name Methods "context" and "level" are only available with SELinux. This field cannot be blank.
 .PP
-The fourth field, \fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed\&. If left blank, polyinstantiation will be performed for all users\&.
-
+The fourth field,
+\fIlist_of_uids\fR, is a comma separated list of user names for whom the polyinstantiation is not performed. If left blank, polyinstantiation will be performed for all users.
+.PP
+In case of context or level polyinstantiation the SELinux context which is used for polyinstantiation is the context used for executing a new process as obtained by getexeccon. This context must be set by the calling application or
+\fIpam_selinux.so\fR
+module. If this context is not set the polyinstatiation will be based just on user name.
+.PP
+The "instance differentiation string" is <user name> for "user" method and <user name>_<raw directory context> for "context" and "level" methods. If the whole string is too long the end of it is replaced with md5sum of itself. Also when command line option
+\fIgen_hash\fR
+is used the whole string is replaced with md5sum of itself.
 .SH "EXAMPLES"
-
 .PP
-These are some example lines which might be specified in \fI/etc/security/namespace\&.conf\fR\&.
-
+These are some example lines which might be specified in
+\fI/etc/security/namespace.conf\fR.
+.sp
+.RS 4
 .nf
-
       # The following three lines will polyinstantiate /tmp,
-      # /var/tmp and user's home directories\&. /tmp and /var/tmp
-      # will be polyinstantiated based on both security context
+      # /var/tmp and user's home directories. /tmp and /var/tmp
+      # will be polyinstantiated based on the security level
       # as well as user name, whereas home directory will be
-      # polyinstantiated based on security context only\&.
+      # polyinstantiated based on the full security context and user name.
       # Polyinstantiation will not be performed for user root
       # and adm for directories /tmp and /var/tmp, whereas home
-      # directories will be polyinstantiated for all users\&.
+      # directories will be polyinstantiated for all users.
       #
       # Note that instance directories do not have to reside inside
-      # the polyinstantiated directory\&. In the examples below,
+      # the polyinstantiated directory. In the examples below,
       # instances of /tmp will be created in /tmp\-inst directory,
       # where as instances of /var/tmp and users home directories
       # will reside within the directories that are being
-      # polyinstantiated\&.
+      # polyinstantiated.
       #
-      /tmp     /tmp\-inst/       	both      root,adm
-      /var/tmp /var/tmp/tmp\-inst/   	both      root,adm
-      $HOME    $HOME/$USER\&.inst/inst\- context
+      /tmp     /tmp\-inst/               level      root,adm
+      /var/tmp /var/tmp/tmp\-inst/   	level      root,adm
+      $HOME    $HOME/$USER.inst/inst\- context
     
 .fi
-
+.RE
 .PP
-For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam\&.d/<service> as the last line for session group:
-
+For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:
 .PP
-session required pam_namespace\&.so [arguments]
-
+session required pam_namespace.so [arguments]
 .PP
-This module also depends on pam_selinux\&.so setting the context\&.
-
+This module also depends on pam_selinux.so setting the context.
 .SH "SEE ALSO"
-
 .PP
- \fBpam_namespace\fR(8), \fBpam\&.d\fR(5), \fBpam\fR(8) 
 
+\fBpam_namespace\fR(8),
+\fBpam.d\fR(5),
+\fBpam\fR(8)
 .SH "AUTHORS"
-
 .PP
-The namespace\&.conf manual page was written by Janak Desai <janak@us\&.ibm\&.com>\&.
-
+The namespace.conf manual page was written by Janak Desai <janak@us.ibm.com>.
diff --git a/modules/pam_namespace/pam_namespace.8 b/modules/pam_namespace/pam_namespace.8
index 126cfc88..8d136c99 100644
--- a/modules/pam_namespace/pam_namespace.8
+++ b/modules/pam_namespace/pam_namespace.8
@@ -1,11 +1,11 @@
 .\"     Title: pam_namespace
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/27/2006
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: 06/20/2007
 .\"    Manual: Linux\-PAM Manual
 .\"    Source: Linux\-PAM Manual
 .\"
-.TH "PAM_NAMESPACE" "8" "06/27/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_NAMESPACE" "8" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -14,7 +14,7 @@
 pam_namespace \- PAM module for configuring namespace for a session
 .SH "SYNOPSIS"
 .HP 17
-\fBpam_namespace.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode]
+\fBpam_namespace.so\fR [debug] [unmnt_remnt] [unmnt_only] [require_selinux] [gen_hash] [ignore_config_error] [ignore_instance_parent_mode] [no_unmount_on_close]
 .SH "DESCRIPTION"
 .PP
 The pam_namespace PAM module sets up a private namespace for a session with polyinstantiated directories. A polyinstantiated directory provides a different instance of itself based on user name, or when using SELinux, user name, security context or both. If an executable script
@@ -23,46 +23,73 @@ exists, it is used to initialize the namespace every time a new instance directo
 .PP
 The pam_namespace module disassociates the session namespace from the parent namespace. Any mounts/unmounts performed in the parent namespace, such as mounting of devices, are not reflected in the session namespace. To propagate selected mount/unmount events from the parent namespace into the disassociated session namespace, an administrator may use the special shared\-subtree feature. For additional information on shared\-subtree feature, please refer to the mount(8) man page and the shared\-subtree description at http://lwn.net/Articles/159077 and http://lwn.net/Articles/159092.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \fBdebug\fR
+.RS 4
 A lot of debug information is logged using syslog
-.TP 3n
+.RE
+.PP
 \fBunmnt_remnt\fR
+.RS 4
 For programs such as su and newrole, the login session has already setup a polyinstantiated namespace. For these programs, polyinstantiation is performed based on new user id or security context, however the command first needs to undo the polyinstantiation performed by login. This argument instructs the command to first undo previous polyinstantiation before proceeding with new polyinstantiation based on new id/context
-.TP 3n
+.RE
+.PP
 \fBunmnt_only\fR
+.RS 4
 For trusted programs that want to undo any existing bind mounts and process instance directories on their own, this argument allows them to unmount currently mounted instance directories
-.TP 3n
+.RE
+.PP
 \fBrequire_selinux\fR
+.RS 4
 If selinux is not enabled, return failure
-.TP 3n
+.RE
+.PP
 \fBgen_hash\fR
+.RS 4
 Instead of using the security context string for the instance name, generate and use its md5 hash.
-.TP 3n
+.RE
+.PP
 \fBignore_config_error\fR
+.RS 4
 If a line in the configuration file corresponding to a polyinstantiated directory contains format error, skip that line process the next line. Without this option, pam will return an error to the calling program resulting in termination of the session.
-.TP 3n
+.RE
+.PP
 \fBignore_instance_parent_mode\fR
+.RS 4
 Instance parent directories by default are expected to have the restrictive mode of 000. Using this option, an administrator can choose to ignore the mode of the instance parent. This option should be used with caution as it will reduce security and isolation goals of the polyinstantiation mechanism.
+.RE
+.PP
+\fBno_unmount_on_close\fR
+.RS 4
+For certain trusted programs such as newrole, open session is called from a child process while the parent perfoms close session and pam end functions. For these commands use this option to instruct pam_close_session to not unmount the bind mounted polyinstantiated directory in the parent.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 The
 \fBsession\fR
 service is supported.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_SUCCESS
+.RS 4
 Namespace setup was successful.
-.TP 3n
+.RE
+.PP
 PAM_SERVICE_ERR
+.RS 4
 Unexpected system error occurred while setting up namespace.
-.TP 3n
+.RE
+.PP
 PAM_SESSION_ERR
+.RS 4
 Unexpected namespace configuration error occurred.
+.RE
 .SH "FILES"
-.TP 3n
+.PP
 \fI/etc/security/namespace.conf\fR
+.RS 4
 Configuration file
+.RE
 .SH "EXAMPLES"
 .PP
 For the <service>s you need polyinstantiation (login for example) put the following line in /etc/pam.d/<service> as the last line for session group:
@@ -80,7 +107,7 @@ to ensure that the X server and its clients can appropriately access the communi
 .PP
 
 .sp
-.RS 3n
+.RS 4
 .nf
       1. Disable the use of font server by commenting out "FontPath"
          line in /etc/X11/xorg.conf. If you do want to use the font server
diff --git a/modules/pam_selinux/README b/modules/pam_selinux/README
index 4268d3fb..9e841f2e 100644
--- a/modules/pam_selinux/README
+++ b/modules/pam_selinux/README
@@ -31,11 +31,6 @@ debug
 
     Turns on debugging via syslog(3).
 
-multiple
-
-    Tells pam_selinux.so to allow the user to select the security context they
-    will login with, if the user has more than one role.
-
 open
 
     Only execute the open_session portion of the module.
@@ -48,6 +43,16 @@ verbose
 
     attempt to inform the user when security context is set.
 
+select_context
+
+    Attempt to ask the user for a custom security context role. If MLS is on
+    ask also for sensitivity level.
+
+use_current_range
+
+    Use the sensitivity range of the process for the user context. This option
+    and the select_context option are mutually exclusive.
+
 EXAMPLES
 
 auth     required  pam_unix.so
diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8
index f44fc684..6709ac9c 100644
--- a/modules/pam_selinux/pam_selinux.8
+++ b/modules/pam_selinux/pam_selinux.8
@@ -1,11 +1,11 @@
 .\"     Title: pam_selinux
 .\"    Author: 
-.\" Generator: DocBook XSL Stylesheets v1.70.1 <http://docbook.sf.net/>
-.\"      Date: 06/18/2006
+.\" Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
+.\"      Date: 06/20/2007
 .\"    Manual: Linux\-PAM Manual
 .\"    Source: Linux\-PAM Manual
 .\"
-.TH "PAM_SELINUX" "8" "06/18/2006" "Linux\-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SELINUX" "8" "06/20/2007" "Linux\-PAM Manual" "Linux\-PAM Manual"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -14,7 +14,7 @@
 pam_selinux \- PAM module to set the default security context
 .SH "SYNOPSIS"
 .HP 15
-\fBpam_selinux.so\fR [close] [debug] [multiple] [open] [nottys] [verbose]
+\fBpam_selinux.so\fR [close] [debug] [open] [nottys] [verbose] [select_context] [use_current_range]
 .SH "DESCRIPTION"
 .PP
 In a nutshell, pam_selinux sets up the default security context for the next execed shell.
@@ -23,43 +23,66 @@ When an application opens a session using pam_selinux, the shell that gets execu
 .PP
 Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application. The close and open option help mitigate this problem. close option will only cause the close portion of the pam_selinux to execute, and open will only cause the open portion to run. You can add pam_selinux to the config file twice. Add the pam_selinux close as the executes the open pass through the modules, pam_selinux open_session will happen last. When PAM executes the close pass through the modules pam_selinux close_session will happen first.
 .SH "OPTIONS"
-.TP 3n
+.PP
 \fBclose\fR
+.RS 4
 Only execute the close_session portion of the module.
-.TP 3n
+.RE
+.PP
 \fBdebug\fR
+.RS 4
 Turns on debugging via
 \fBsyslog\fR(3).
-.TP 3n
-\fBmultiple\fR
-Tells pam_selinux.so to allow the user to select the security context they will login with, if the user has more than one role.
-.TP 3n
+.RE
+.PP
 \fBopen\fR
+.RS 4
 Only execute the open_session portion of the module.
-.TP 3n
+.RE
+.PP
 \fBnottys\fR
+.RS 4
 Do not try to setup the ttys security context.
-.TP 3n
+.RE
+.PP
 \fBverbose\fR
+.RS 4
 attempt to inform the user when security context is set.
+.RE
+.PP
+\fBselect_context\fR
+.RS 4
+Attempt to ask the user for a custom security context role. If MLS is on ask also for sensitivity level.
+.RE
+.PP
+\fBuse_current_range\fR
+.RS 4
+Use the sensitivity range of the process for the user context. This option and the select_context option are mutually exclusive.
+.RE
 .SH "MODULE SERVICES PROVIDED"
 .PP
 Only the
 \fBsession\fR
 service is supported.
 .SH "RETURN VALUES"
-.TP 3n
+.PP
 PAM_AUTH_ERR
+.RS 4
 Unable to get or set a valid context.
-.TP 3n
+.RE
+.PP
 PAM_SUCCESS
+.RS 4
 The security context was set successfull.
-.TP 3n
+.RE
+.PP
 PAM_USER_UNKNOWN
+.RS 4
 The user is not known to the system.
+.RE
 .SH "EXAMPLES"
 .sp
-.RS 3n
+.RS 4
 .nf
 auth     required  pam_unix.so
 session  required  pam_permit.so