diff options
Diffstat (limited to 'modules/pam_selinux/pam_selinux.c')
| -rw-r--r-- | modules/pam_selinux/pam_selinux.c | 52 |
1 files changed, 38 insertions, 14 deletions
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index 64fabafd..f99d433a 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -196,6 +196,7 @@ manual_context (pam_handle_t *pamh, const char *user, int debug) goto fail_set; if (context_type_set (new_context, type)) goto fail_set; + _pam_drop(type); } _pam_drop(response); @@ -236,19 +237,35 @@ static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, securit { struct av_decision avd; int retval; - unsigned int bit = CONTEXT__CONTAINS; - context_t src_context = context_new (src); - context_t dst_context = context_new (dst); + security_class_t class; + access_vector_t bit; + context_t src_context; + context_t dst_context; + + class = string_to_security_class("context"); + if (!class) { + pam_syslog(pamh, LOG_ERR, "Failed to translate security class context. %m"); + return 0; + } + + bit = string_to_av_perm(class, "contains"); + if (!bit) { + pam_syslog(pamh, LOG_ERR, "Failed to translate av perm contains. %m"); + return 0; + } + + src_context = context_new (src); + dst_context = context_new (dst); context_range_set(dst_context, context_range_get(src_context)); if (debug) pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context)); - retval = security_compute_av(context_str(dst_context), dst, SECCLASS_CONTEXT, bit, &avd); + retval = security_compute_av(context_str(dst_context), dst, class, bit, &avd); context_free(src_context); context_free(dst_context); if (retval || ((bit & avd.allowed) != bit)) return 0; - + return 1; } @@ -290,6 +307,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre goto fail_set; if (context_type_set (new_context, type)) goto fail_set; + _pam_drop(type); } } _pam_drop(response); @@ -374,6 +392,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par int mls_enabled = is_selinux_mls_enabled(); const char *env = NULL; char *type = NULL; + int fail = 1; if ((new_context = context_new(defaultcon)) == NULL) goto fail_set; @@ -434,9 +453,6 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par /* Get the string value of the context and see if it is valid. */ if (security_check_context(newcon)) { pam_syslog(pamh, LOG_NOTICE, "Not a valid security context %s", newcon); - send_audit_message(pamh, 0, defaultcon, newcon); - freecon(newcon); - newcon = NULL; goto fail_set; } @@ -446,16 +462,21 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par be checked at setexeccon time */ if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); - send_audit_message(pamh, 0, defaultcon, newcon); - freecon(newcon); - newcon = NULL; + + goto fail_set; } + fail = 0; + fail_set: free(type); context_free(my_context); context_free(new_context); - send_audit_message(pamh, 0, defaultcon, NULL); + if (fail) { + send_audit_message(pamh, 0, defaultcon, newcon); + freecon(newcon); + newcon = NULL; + } return newcon; } @@ -642,10 +663,10 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, if (debug) pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s", username, seuser, level); - free(seuser); free(level); } if (num_contexts > 0) { + free(seuser); default_user_context=strdup(contextlist[0]); freeconary(contextlist); if (default_user_context == NULL) { @@ -672,7 +693,10 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, } } else { - user_context = manual_context(pamh,seuser,debug); + if (seuser != NULL) { + user_context = manual_context(pamh,seuser,debug); + free(seuser); + } if (user_context == NULL) { pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s", username); |