Diffstat (limited to 'modules/pam_selinux')
-rw-r--r--modules/pam_selinux/Makefile.am11
-rw-r--r--modules/pam_selinux/Makefile.in306
-rw-r--r--modules/pam_selinux/README68
-rw-r--r--modules/pam_selinux/pam_selinux.8242
-rw-r--r--modules/pam_selinux/pam_selinux.8.xml113
-rw-r--r--modules/pam_selinux/pam_selinux.c716
-rw-r--r--modules/pam_selinux/pam_selinux_check.82
7 files changed, 720 insertions, 738 deletions
diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am
index 5c83acb4..28c60d84 100644
--- a/modules/pam_selinux/Makefile.am
+++ b/modules/pam_selinux/Makefile.am
@@ -10,7 +10,7 @@ EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \
if HAVE_LIBSELINUX
TESTS = tst-pam_selinux
- man_MANS = pam_selinux.8
+ man_MANS = pam_selinux.8
endif
XMLS = README.xml pam_selinux.8.xml
@@ -21,12 +21,8 @@ secureconfdir = $(SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
-I$(top_srcdir)/libpam_misc/include
-pam_selinux_check_LDFLAGS = $(AM_LDFLAGS) \
- -L$(top_builddir)/libpam -lpam \
- -L$(top_builddir)/libpam_misc -lpam_misc
-
-pam_selinux_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ @LIBAUDIT@
pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module
+pam_selinux_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@
if HAVE_VERSIONING
pam_selinux_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
endif
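Review bot: The new `pam_selinux_la_LIBADD` line carries no comment explaining why the libtool archive is linked instead of the previous `-L$(top_builddir)/libpam -lpam`, so a later cleanup could easily put the `-L/-l` form back. The practical difference is visible in the regenerated Makefile.in below: `pam_selinux_la_DEPENDENCIES` goes from empty to `$(top_builddir)/libpam/libpam.la`, so the module is relinked when the in-tree libpam changes, and libtool presumably resolves that uninstalled library rather than whatever `-lpam` finds on the link path. I would put `# Link libpam.la, not -L/-lpam: automake then tracks libpam as a dependency and libtool links the in-tree library rather than an installed one.` directly above the `pam_selinux_la_LIBADD` line. Whether the old form could actually pick up an installed libpam depends on the linker search order and is not shown here.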
@@ -34,10 +30,11 @@ endif
if HAVE_LIBSELINUX
securelib_LTLIBRARIES = pam_selinux.la
noinst_PROGRAMS = pam_selinux_check
+ pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \
+ $(top_builddir)/libpam_misc/libpam_misc.la
endif
if ENABLE_REGENERATE_MAN
noinst_DATA = README pam_selinux.8
README: pam_selinux.8.xml
-include $(top_srcdir)/Make.xml.rules
endif
-
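Review bot: `pam_selinux_check_LDADD` is placed inside the `if HAVE_LIBSELINUX` block next to `noinst_PROGRAMS`, while the `pam_selinux_la_LIBADD` added by the same commit sits unconditionally at file scope, so the two link lists for this module now live in different places and styles. Both targets are only built under HAVE_LIBSELINUX, so either moving `pam_selinux_la_LIBADD` into the same conditional or keeping `pam_selinux_check_LDADD` unconditional, as the removed `pam_selinux_check_LDFLAGS` was, would keep them together. This is a readability point only; the old unconditional `_LDFLAGS` with a conditional `noinst_PROGRAMS` evidently generated a working Makefile.in.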
diff --git a/modules/pam_selinux/Makefile.in b/modules/pam_selinux/Makefile.in
index 8ceefd00..d4899a6d 100644
--- a/modules/pam_selinux/Makefile.in
+++ b/modules/pam_selinux/Makefile.in
@@ -1,8 +1,9 @@
-# Makefile.in generated by automake 1.10.1 from Makefile.am.
+# Makefile.in generated by automake 1.11.1 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
-# 2003, 2004, 2005, 2006, 2007, 2008 Free Software Foundation, Inc.
+# 2003, 2004, 2005, 2006, 2007, 2008, 2009 Free Software Foundation,
+# Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
# with or without modifications, as long as this notice is preserved.
@@ -22,8 +23,9 @@
VPATH = @srcdir@
pkgdatadir = $(datadir)/@PACKAGE@
-pkglibdir = $(libdir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
+pkglibdir = $(libdir)/@PACKAGE@
+pkglibexecdir = $(libexecdir)/@PACKAGE@
am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd
install_sh_DATA = $(install_sh) -c -m 644
install_sh_PROGRAM = $(install_sh) -c
@@ -44,7 +46,7 @@ subdir = modules/pam_selinux
DIST_COMMON = README $(srcdir)/Makefile.am $(srcdir)/Makefile.in
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
- $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \
+ $(top_srcdir)/m4/iconv.m4 \
$(top_srcdir)/m4/japhar_grep_cflags.m4 \
$(top_srcdir)/m4/jh_path_xml_catalog.m4 \
$(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \
@@ -57,19 +59,34 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \
$(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.in
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
-mkinstalldirs = $(SHELL) $(top_srcdir)/mkinstalldirs
+mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h
CONFIG_CLEAN_FILES =
+CONFIG_CLEAN_VPATH_FILES =
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
*) f=$$p;; \
esac;
-am__strip_dir = `echo $$p | sed -e 's|^.*/||'`;
+am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`;
+am__install_max = 40
+am__nobase_strip_setup = \
+ srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'`
+am__nobase_strip = \
+ for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||"
+am__nobase_list = $(am__nobase_strip_setup); \
+ for p in $$list; do echo "$$p $$p"; done | \
+ sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \
+ $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \
+ if (++n[$$2] == $(am__install_max)) \
+ { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \
+ END { for (dir in files) print dir, files[dir] }'
+am__base_list = \
+ sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \
+ sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g'
am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"
-securelibLTLIBRARIES_INSTALL = $(INSTALL)
LTLIBRARIES = $(securelib_LTLIBRARIES)
-pam_selinux_la_DEPENDENCIES =
+pam_selinux_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la
pam_selinux_la_SOURCES = pam_selinux.c
pam_selinux_la_OBJECTS = pam_selinux.lo
pam_selinux_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -79,13 +96,13 @@ pam_selinux_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
PROGRAMS = $(noinst_PROGRAMS)
pam_selinux_check_SOURCES = pam_selinux_check.c
pam_selinux_check_OBJECTS = pam_selinux_check.$(OBJEXT)
-pam_selinux_check_LDADD = $(LDADD)
-pam_selinux_check_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \
- $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
- $(pam_selinux_check_LDFLAGS) $(LDFLAGS) -o $@
+@HAVE_LIBSELINUX_TRUE@pam_selinux_check_DEPENDENCIES = \
+@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam/libpam.la \
+@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam_misc/libpam_misc.la
DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir)
-depcomp = $(SHELL) $(top_srcdir)/depcomp
+depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp
am__depfiles_maybe = depfiles
+am__mv = mv -f
COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \
$(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS)
LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
@@ -103,6 +120,8 @@ MANS = $(man_MANS)
DATA = $(noinst_DATA)
ETAGS = etags
CTAGS = ctags
+am__tty_colors = \
+red=; grn=; lgn=; blu=; std=
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
AMTAR = @AMTAR@
@@ -132,7 +151,6 @@ EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
FO2PDF = @FO2PDF@
-GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@
GMSGFMT = @GMSGFMT@
GMSGFMT_015 = @GMSGFMT_015@
GREP = @GREP@
@@ -156,7 +174,6 @@ LIBDB = @LIBDB@
LIBDL = @LIBDL@
LIBICONV = @LIBICONV@
LIBINTL = @LIBINTL@
-LIBNSL = @LIBNSL@
LIBOBJS = @LIBOBJS@
LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@
LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@
@@ -178,6 +195,8 @@ MKDIR_P = @MKDIR_P@
MSGFMT = @MSGFMT@
MSGFMT_015 = @MSGFMT_015@
MSGMERGE = @MSGMERGE@
+NIS_CFLAGS = @NIS_CFLAGS@
+NIS_LIBS = @NIS_LIBS@
NM = @NM@
NMEDIT = @NMEDIT@
OBJDUMP = @OBJDUMP@
@@ -189,10 +208,12 @@ PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@
PACKAGE_NAME = @PACKAGE_NAME@
PACKAGE_STRING = @PACKAGE_STRING@
PACKAGE_TARNAME = @PACKAGE_TARNAME@
+PACKAGE_URL = @PACKAGE_URL@
PACKAGE_VERSION = @PACKAGE_VERSION@
PATH_SEPARATOR = @PATH_SEPARATOR@
PIE_CFLAGS = @PIE_CFLAGS@
PIE_LDFLAGS = @PIE_LDFLAGS@
+PKG_CONFIG = @PKG_CONFIG@
POSUB = @POSUB@
RANLIB = @RANLIB@
SCONFIGDIR = @SCONFIGDIR@
@@ -205,7 +226,6 @@ USE_NLS = @USE_NLS@
VERSION = @VERSION@
XGETTEXT = @XGETTEXT@
XGETTEXT_015 = @XGETTEXT_015@
-XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@
XMLCATALOG = @XMLCATALOG@
XMLLINT = @XMLLINT@
XML_CATALOG_FILE = @XML_CATALOG_FILE@
@@ -247,6 +267,8 @@ install_sh = @install_sh@
libc_cv_fpie = @libc_cv_fpie@
libdir = @libdir@
libexecdir = @libexecdir@
+libtirpc_CFLAGS = @libtirpc_CFLAGS@
+libtirpc_LIBS = @libtirpc_LIBS@
localedir = @localedir@
localstatedir = @localstatedir@
lt_ECHO = @lt_ECHO@
@@ -275,21 +297,20 @@ EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \
tst-pam_selinux
@HAVE_LIBSELINUX_TRUE@TESTS = tst-pam_selinux
-@HAVE_LIBSELINUX_TRUE@man_MANS = pam_selinux.8
+@HAVE_LIBSELINUX_TRUE@man_MANS = pam_selinux.8
XMLS = README.xml pam_selinux.8.xml
securelibdir = $(SECUREDIR)
secureconfdir = $(SCONFIGDIR)
AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
-I$(top_srcdir)/libpam_misc/include
-pam_selinux_check_LDFLAGS = $(AM_LDFLAGS) \
- -L$(top_builddir)/libpam -lpam \
- -L$(top_builddir)/libpam_misc -lpam_misc
-
-pam_selinux_la_LIBADD = -L$(top_builddir)/libpam -lpam @LIBSELINUX@ @LIBAUDIT@
pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module \
$(am__append_1)
+pam_selinux_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@
@HAVE_LIBSELINUX_TRUE@securelib_LTLIBRARIES = pam_selinux.la
+@HAVE_LIBSELINUX_TRUE@pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \
+@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam_misc/libpam_misc.la
+
@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README pam_selinux.8
all: all-am
@@ -299,14 +320,14 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
@for dep in $?; do \
case '$(am__configure_deps)' in \
*$$dep*) \
- cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \
- && exit 0; \
+ ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \
+ && { if test -f $@; then exit 0; else break; fi; }; \
exit 1;; \
esac; \
done; \
- echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_selinux/Makefile'; \
- cd $(top_srcdir) && \
- $(AUTOMAKE) --gnu modules/pam_selinux/Makefile
+ echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_selinux/Makefile'; \
+ $(am__cd) $(top_srcdir) && \
+ $(AUTOMAKE) --gnu modules/pam_selinux/Makefile
.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
@@ -324,23 +345,28 @@ $(top_srcdir)/configure: $(am__configure_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
$(ACLOCAL_M4): $(am__aclocal_m4_deps)
cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh
+$(am__aclocal_m4_deps):
install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES)
@$(NORMAL_INSTALL)
test -z "$(securelibdir)" || $(MKDIR_P) "$(DESTDIR)$(securelibdir)"
- @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \
+ @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \
+ list2=; for p in $$list; do \
if test -f $$p; then \
- f=$(am__strip_dir) \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) '$$p' '$(DESTDIR)$(securelibdir)/$$f'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(securelibLTLIBRARIES_INSTALL) $(INSTALL_STRIP_FLAG) "$$p" "$(DESTDIR)$(securelibdir)/$$f"; \
+ list2="$$list2 $$p"; \
else :; fi; \
- done
+ done; \
+ test -z "$$list2" || { \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \
+ }
uninstall-securelibLTLIBRARIES:
@$(NORMAL_UNINSTALL)
- @list='$(securelib_LTLIBRARIES)'; for p in $$list; do \
- p=$(am__strip_dir) \
- echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$p'"; \
- $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$p"; \
+ @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \
+ for p in $$list; do \
+ $(am__strip_dir) \
+ echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \
+ $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \
done
clean-securelibLTLIBRARIES:
@@ -355,14 +381,16 @@ pam_selinux.la: $(pam_selinux_la_OBJECTS) $(pam_selinux_la_DEPENDENCIES)
$(pam_selinux_la_LINK) $(am_pam_selinux_la_rpath) $(pam_selinux_la_OBJECTS) $(pam_selinux_la_LIBADD) $(LIBS)
clean-noinstPROGRAMS:
- @list='$(noinst_PROGRAMS)'; for p in $$list; do \
- f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \
- echo " rm -f $$p $$f"; \
- rm -f $$p $$f ; \
- done
+ @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \
+ echo " rm -f" $$list; \
+ rm -f $$list || exit $$?; \
+ test -n "$(EXEEXT)" || exit 0; \
+ list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \
+ echo " rm -f" $$list; \
+ rm -f $$list
pam_selinux_check$(EXEEXT): $(pam_selinux_check_OBJECTS) $(pam_selinux_check_DEPENDENCIES)
@rm -f pam_selinux_check$(EXEEXT)
- $(pam_selinux_check_LINK) $(pam_selinux_check_OBJECTS) $(pam_selinux_check_LDADD) $(LIBS)
+ $(LINK) $(pam_selinux_check_OBJECTS) $(pam_selinux_check_LDADD) $(LIBS)
mostlyclean-compile:
-rm -f *.$(OBJEXT)
@@ -375,21 +403,21 @@ distclean-compile:
.c.o:
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(COMPILE) -c $<
.c.obj:
@am__fastdepCC_TRUE@ $(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'`
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=no @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(COMPILE) -c `$(CYGPATH_W) '$<'`
.c.lo:
@am__fastdepCC_TRUE@ $(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $<
-@am__fastdepCC_TRUE@ mv -f $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo
@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@
@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
@am__fastdepCC_FALSE@ $(LTCOMPILE) -c -o $@ $<
@@ -399,65 +427,58 @@ mostlyclean-libtool:
clean-libtool:
-rm -rf .libs _libs
-install-man8: $(man8_MANS) $(man_MANS)
+install-man8: $(man_MANS)
@$(NORMAL_INSTALL)
test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
- @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.8*) list="$$list $$i" ;; \
- esac; \
+ @list=''; test -n "$(man8dir)" || exit 0; \
+ { for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.8[a-z]*$$/p'; \
+ } | while read p; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ echo "$$d$$p"; echo "$$p"; \
+ done | \
+ sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \
+ sed 'N;N;s,\n, ,g' | { \
+ list=; while read file base inst; do \
+ if test "$$base" = "$$inst"; then list="$$list $$file"; else \
+ echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
+ $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \
+ fi; \
done; \
- for i in $$list; do \
- if test -f $(srcdir)/$$i; then file=$(srcdir)/$$i; \
- else file=$$i; fi; \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 8*) ;; \
- *) ext='8' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \
- $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst"; \
- done
+ for i in $$list; do echo "$$i"; done | $(am__base_list) | \
+ while read files; do \
+ test -z "$$files" || { \
+ echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \
+ $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \
+ done; }
+
uninstall-man8:
@$(NORMAL_UNINSTALL)
- @list='$(man8_MANS) $(dist_man8_MANS) $(nodist_man8_MANS)'; \
- l2='$(man_MANS) $(dist_man_MANS) $(nodist_man_MANS)'; \
- for i in $$l2; do \
- case "$$i" in \
- *.8*) list="$$list $$i" ;; \
- esac; \
- done; \
- for i in $$list; do \
- ext=`echo $$i | sed -e 's/^.*\\.//'`; \
- case "$$ext" in \
- 8*) ;; \
- *) ext='8' ;; \
- esac; \
- inst=`echo $$i | sed -e 's/\\.[0-9a-z]*$$//'`; \
- inst=`echo $$inst | sed -e 's/^.*\///'`; \
- inst=`echo $$inst | sed '$(transform)'`.$$ext; \
- echo " rm -f '$(DESTDIR)$(man8dir)/$$inst'"; \
- rm -f "$(DESTDIR)$(man8dir)/$$inst"; \
- done
+ @list=''; test -n "$(man8dir)" || exit 0; \
+ files=`{ for i in $$list; do echo "$$i"; done; \
+ l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \
+ sed -n '/\.8[a-z]*$$/p'; \
+ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \
+ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \
+ test -z "$$files" || { \
+ echo " ( cd '$(DESTDIR)$(man8dir)' && rm -f" $$files ")"; \
+ cd "$(DESTDIR)$(man8dir)" && rm -f $$files; }
ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES)
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
- $(AWK) '{ files[$$0] = 1; nonemtpy = 1; } \
+ $(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
mkid -fID $$unique
tags: TAGS
TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
- tags=; \
+ set x; \
here=`pwd`; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
@@ -465,37 +486,43 @@ TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
- if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \
+ shift; \
+ if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \
test -n "$$unique" || unique=$$empty_fix; \
- $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
- $$tags $$unique; \
+ if test $$# -gt 0; then \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ "$$@" $$unique; \
+ else \
+ $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \
+ $$unique; \
+ fi; \
fi
ctags: CTAGS
CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \
$(TAGS_FILES) $(LISP)
- tags=; \
list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \
unique=`for i in $$list; do \
if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \
done | \
$(AWK) '{ files[$$0] = 1; nonempty = 1; } \
END { if (nonempty) { for (i in files) print i; }; }'`; \
- test -z "$(CTAGS_ARGS)$$tags$$unique" \
+ test -z "$(CTAGS_ARGS)$$unique" \
|| $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \
- $$tags $$unique
+ $$unique
GTAGS:
here=`$(am__cd) $(top_builddir) && pwd` \
- && cd $(top_srcdir) \
- && gtags -i $(GTAGS_ARGS) $$here
+ && $(am__cd) $(top_srcdir) \
+ && gtags -i $(GTAGS_ARGS) "$$here"
distclean-tags:
-rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags
check-TESTS: $(TESTS)
- @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \
+ @failed=0; all=0; xfail=0; xpass=0; skip=0; \
srcdir=$(srcdir); export srcdir; \
list=' $(TESTS) '; \
+ $(am__tty_colors); \
if test -n "$$list"; then \
for tst in $$list; do \
if test -f ./$$tst; then dir=./; \
@@ -504,49 +531,63 @@ check-TESTS: $(TESTS)
if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \
all=`expr $$all + 1`; \
case " $(XFAIL_TESTS) " in \
- *$$ws$$tst$$ws*) \
+ *[\ \ ]$$tst[\ \ ]*) \
xpass=`expr $$xpass + 1`; \
failed=`expr $$failed + 1`; \
- echo "XPASS: $$tst"; \
+ col=$$red; res=XPASS; \
;; \
*) \
- echo "PASS: $$tst"; \
+ col=$$grn; res=PASS; \
;; \
esac; \
elif test $$? -ne 77; then \
all=`expr $$all + 1`; \
case " $(XFAIL_TESTS) " in \
- *$$ws$$tst$$ws*) \
+ *[\ \ ]$$tst[\ \ ]*) \
xfail=`expr $$xfail + 1`; \
- echo "XFAIL: $$tst"; \
+ col=$$lgn; res=XFAIL; \
;; \
*) \
failed=`expr $$failed + 1`; \
- echo "FAIL: $$tst"; \
+ col=$$red; res=FAIL; \
;; \
esac; \
else \
skip=`expr $$skip + 1`; \
- echo "SKIP: $$tst"; \
+ col=$$blu; res=SKIP; \
fi; \
+ echo "$${col}$$res$${std}: $$tst"; \
done; \
+ if test "$$all" -eq 1; then \
+ tests="test"; \
+ All=""; \
+ else \
+ tests="tests"; \
+ All="All "; \
+ fi; \
if test "$$failed" -eq 0; then \
if test "$$xfail" -eq 0; then \
- banner="All $$all tests passed"; \
+ banner="$$All$$all $$tests passed"; \
else \
- banner="All $$all tests behaved as expected ($$xfail expected failures)"; \
+ if test "$$xfail" -eq 1; then failures=failure; else failures=failures; fi; \
+ banner="$$All$$all $$tests behaved as expected ($$xfail expected $$failures)"; \
fi; \
else \
if test "$$xpass" -eq 0; then \
- banner="$$failed of $$all tests failed"; \
+ banner="$$failed of $$all $$tests failed"; \
else \
- banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \
+ if test "$$xpass" -eq 1; then passes=pass; else passes=passes; fi; \
+ banner="$$failed of $$all $$tests did not behave as expected ($$xpass unexpected $$passes)"; \
fi; \
fi; \
dashes="$$banner"; \
skipped=""; \
if test "$$skip" -ne 0; then \
- skipped="($$skip tests were not run)"; \
+ if test "$$skip" -eq 1; then \
+ skipped="($$skip test was not run)"; \
+ else \
+ skipped="($$skip tests were not run)"; \
+ fi; \
test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \
dashes="$$skipped"; \
fi; \
@@ -557,15 +598,32 @@ check-TESTS: $(TESTS)
dashes="$$report"; \
fi; \
dashes=`echo "$$dashes" | sed s/./=/g`; \
- echo "$$dashes"; \
+ if test "$$failed" -eq 0; then \
+ echo "$$grn$$dashes"; \
+ else \
+ echo "$$red$$dashes"; \
+ fi; \
echo "$$banner"; \
test -z "$$skipped" || echo "$$skipped"; \
test -z "$$report" || echo "$$report"; \
- echo "$$dashes"; \
+ echo "$$dashes$$std"; \
test "$$failed" -eq 0; \
else :; fi
distdir: $(DISTFILES)
+ @list='$(MANS)'; if test -n "$$list"; then \
+ list=`for p in $$list; do \
+ if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
+ if test -f "$$d$$p"; then echo "$$d$$p"; else :; fi; done`; \
+ if test -n "$$list" && \
+ grep 'ab help2man is required to generate this page' $$list >/dev/null; then \
+ echo "error: found man pages containing the \`missing help2man' replacement text:" >&2; \
+ grep -l 'ab help2man is required to generate this page' $$list | sed 's/^/ /' >&2; \
+ echo " to fix them, install help2man, remove and regenerate the man pages;" >&2; \
+ echo " typically \`make maintainer-clean' will remove them" >&2; \
+ exit 1; \
+ else :; fi; \
+ else :; fi
@srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \
list='$(DISTFILES)'; \
@@ -581,13 +639,17 @@ distdir: $(DISTFILES)
if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \
if test -d $$d/$$file; then \
dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \
+ if test -d "$(distdir)/$$file"; then \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
+ fi; \
if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \
- cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \
+ cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \
+ find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \
fi; \
- cp -pR $$d/$$file $(distdir)$$dir || exit 1; \
+ cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \
else \
- test -f $(distdir)/$$file \
- || cp -p $$d/$$file $(distdir)/$$file \
+ test -f "$(distdir)/$$file" \
+ || cp -p $$d/$$file "$(distdir)/$$file" \
|| exit 1; \
fi; \
done
@@ -620,6 +682,7 @@ clean-generic:
distclean-generic:
-test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES)
+ -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES)
maintainer-clean-generic:
@echo "This command is intended for maintainers to use"
@@ -642,6 +705,8 @@ dvi-am:
html: html-am
+html-am:
+
info: info-am
info-am:
@@ -650,18 +715,28 @@ install-data-am: install-man install-securelibLTLIBRARIES
install-dvi: install-dvi-am
+install-dvi-am:
+
install-exec-am:
install-html: install-html-am
+install-html-am:
+
install-info: install-info-am
+install-info-am:
+
install-man: install-man8
install-pdf: install-pdf-am
+install-pdf-am:
+
install-ps: install-ps-am
+install-ps-am:
+
installcheck-am:
maintainer-clean: maintainer-clean-am
@@ -686,7 +761,7 @@ uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES
uninstall-man: uninstall-man8
-.MAKE: install-am install-strip
+.MAKE: check-am install-am install-strip
.PHONY: CTAGS GTAGS all all-am check check-TESTS check-am clean \
clean-generic clean-libtool clean-noinstPROGRAMS \
@@ -706,6 +781,7 @@ uninstall-man: uninstall-man8
@ENABLE_REGENERATE_MAN_TRUE@README: pam_selinux.8.xml
@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules
+
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
.NOEXPORT:
diff --git a/modules/pam_selinux/README b/modules/pam_selinux/README
index 67217905..fb4d4499 100644
--- a/modules/pam_selinux/README
+++ b/modules/pam_selinux/README
@@ -4,58 +4,66 @@ pam_selinux — PAM module to set the default security context
DESCRIPTION
-In a nutshell, pam_selinux sets up the default security context for the next
-execed shell.
-
-When an application opens a session using pam_selinux, the shell that gets
-executed will be run in the default security context, or if the user chooses
-and the pam file allows the selected security context. Also the controlling tty
-will have it's security context modified to match the users.
-
-Adding pam_selinux into a pam file could cause other pam modules to change
-their behavior if the exec another application. The close and open option help
-mitigate this problem. close option will only cause the close portion of the
-pam_selinux to execute, and open will only cause the open portion to run. You
-can add pam_selinux to the config file twice. Add the pam_selinux close as the
-executes the open pass through the modules, pam_selinux open_session will
-happen last. When PAM executes the close pass through the modules pam_selinux
-close_session will happen first.
+pam_selinux is a PAM module that sets up the default SELinux security context
+for the next executed process.
+
+When a new session is started, the open_session part of the module computes and
+sets up the execution security context used for the next execve(2) call, the
+file security context for the controlling terminal, and the security context
+used for creating a new kernel keyring.
+
+When the session is ended, the close_session part of the module restores old
+security contexts that were in effect before the change made by the
+open_session part of the module.
+
+Adding pam_selinux into the PAM stack might disrupt behavior of other PAM
+modules which execute applications. To avoid that, pam_selinux.so open should
+be placed after such modules in the PAM stack, and pam_selinux.so close should
+be placed before them. When such a placement is not feasible, pam_selinux.so
+restore could be used to temporary restore original security contexts.
OPTIONS
-close
+open
- Only execute the close_session portion of the module.
+ Only execute the open_session part of the module.
-debug
+close
- Turns on debugging via syslog(3).
+ Only execute the close_session part of the module.
-open
+restore
- Only execute the open_session portion of the module.
+ In open_session part of the module, temporarily restore the security
+ contexts as they were before the previous call of the module. Another call
+ of this module without the restore option will set up the new security
+ contexts again.
nottys
- Do not try to setup the ttys security context.
+ Do not setup security context of the controlling terminal.
+
+debug
+
+ Turn on debug messages via syslog(3).
verbose
- attempt to inform the user when security context is set.
+ Attempt to inform the user when security context is set.
select_context
- Attempt to ask the user for a custom security context role. If MLS is on
+ Attempt to ask the user for a custom security context role. If MLS is on,
ask also for sensitivity level.
env_params
Attempt to obtain a custom security context role from PAM environment. If
- MLS is on obtain also sensitivity level. This option and the select_context
- option are mutually exclusive. The respective PAM environment variables are
- SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, and
- SELINUX_USE_CURRENT_RANGE. The first two variables are self describing and
- the last one if set to 1 makes the PAM module behave as if the
+ MLS is on, obtain also sensitivity level. This option and the
+ select_context option are mutually exclusive. The respective PAM
+ environment variables are SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED,
+ and SELINUX_USE_CURRENT_RANGE. The first two variables are self describing
+ and the last one if set to 1 makes the PAM module behave as if the
use_current_range was specified on the command line of the module.
use_current_range
diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8
index c7f744b8..acd4f0d2 100644
--- a/modules/pam_selinux/pam_selinux.8
+++ b/modules/pam_selinux/pam_selinux.8
@@ -1,161 +1,22 @@
+'\" t
.\" Title: pam_selinux
.\" Author: [see the "AUTHOR" section]
-.\" Generator: DocBook XSL Stylesheets v1.74.0 <http://docbook.sf.net/>
-.\" Date: 07/08/2010
+.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
+.\" Date: 06/18/2013
.\" Manual: Linux-PAM Manual
.\" Source: Linux-PAM Manual
.\" Language: English
.\"
-.TH "PAM_SELINUX" "8" "07/08/2010" "Linux-PAM Manual" "Linux\-PAM Manual"
+.TH "PAM_SELINUX" "8" "06/18/2013" "Linux-PAM Manual" "Linux\-PAM Manual"
.\" -----------------------------------------------------------------
-.\" * (re)Define some macros
+.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" toupper - uppercase a string (locale-aware)
+.\" http://bugs.debian.org/507673
+.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.de toupper
-.tr aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ
-\\$*
-.tr aabbccddeeffgghhiijjkkllmmnnooppqqrrssttuuvvwwxxyyzz
-..
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" SH-xref - format a cross-reference to an SH section
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.de SH-xref
-.ie n \{\
-.\}
-.toupper \\$*
-.el \{\
-\\$*
-.\}
-..
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" SH - level-one heading that works better for non-TTY output
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.de1 SH
-.\" put an extra blank line of space above the head in non-TTY output
-.if t \{\
-.sp 1
-.\}
-.sp \\n[PD]u
-.nr an-level 1
-.set-an-margin
-.nr an-prevailing-indent \\n[IN]
-.fi
-.in \\n[an-margin]u
-.ti 0
-.HTML-TAG ".NH \\n[an-level]"
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-\." make the size of the head bigger
-.ps +3
-.ft B
-.ne (2v + 1u)
-.ie n \{\
-.\" if n (TTY output), use uppercase
-.toupper \\$*
-.\}
-.el \{\
-.nr an-break-flag 0
-.\" if not n (not TTY), use normal case (not uppercase)
-\\$1
-.in \\n[an-margin]u
-.ti 0
-.\" if not n (not TTY), put a border/line under subheading
-.sp -.6
-\l'\n(.lu'
-.\}
-..
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" SS - level-two heading that works better for non-TTY output
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.de1 SS
-.sp \\n[PD]u
-.nr an-level 1
-.set-an-margin
-.nr an-prevailing-indent \\n[IN]
-.fi
-.in \\n[IN]u
-.ti \\n[SN]u
-.it 1 an-trap
-.nr an-no-space-flag 1
-.nr an-break-flag 1
-.ps \\n[PS-SS]u
-\." make the size of the head bigger
-.ps +2
-.ft B
-.ne (2v + 1u)
-.if \\n[.$] \&\\$*
-..
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" BB/BE - put background/screen (filled box) around block of text
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.de BB
-.if t \{\
-.sp -.5
-.br
-.in +2n
-.ll -2n
-.gcolor red
-.di BX
-.\}
-..
-.de EB
-.if t \{\
-.if "\\$2"adjust-for-leading-newline" \{\
-.sp -1
-.\}
-.br
-.di
-.in
-.ll
-.gcolor
-.nr BW \\n(.lu-\\n(.i
-.nr BH \\n(dn+.5v
-.ne \\n(BHu+.5v
-.ie "\\$2"adjust-for-leading-newline" \{\
-\M[\\$1]\h'1n'\v'+.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
-.\}
-.el \{\
-\M[\\$1]\h'1n'\v'-.5v'\D'P \\n(BWu 0 0 \\n(BHu -\\n(BWu 0 0 -\\n(BHu'\M[]
-.\}
-.in 0
-.sp -.5v
-.nf
-.BX
-.in
-.sp .5v
-.fi
-.\}
-..
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.\" BM/EM - put colored marker in margin next to block of text
-.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-.de BM
-.if t \{\
-.br
-.ll -2n
-.gcolor red
-.di BX
-.\}
-..
-.de EM
-.if t \{\
-.br
-.di
-.ll
-.gcolor
-.nr BH \\n(dn
-.ne \\n(BHu
-\M[\\$1]\D'P -.75n 0 0 \\n(BHu -(\\n[.i]u - \\n(INu - .75n) 0 0 -\\n(BHu'\M[]
-.in 0
-.nf
-.BX
-.in
-.fi
-.\}
-..
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
@@ -166,56 +27,69 @@
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
-.SH "Name"
+.SH "NAME"
pam_selinux \- PAM module to set the default security context
-.SH "Synopsis"
-.fam C
+.SH "SYNOPSIS"
.HP \w'\fBpam_selinux\&.so\fR\ 'u
-\fBpam_selinux\&.so\fR [close] [debug] [open] [nottys] [verbose] [select_context] [env_params] [use_current_range]
-.fam
+\fBpam_selinux\&.so\fR [open] [close] [restore] [nottys] [debug] [verbose] [select_context] [env_params] [use_current_range]
.SH "DESCRIPTION"
.PP
-In a nutshell, pam_selinux sets up the default security context for the next execed shell\&.
+pam_selinux is a PAM module that sets up the default SELinux security context for the next executed process\&.
.PP
-When an application opens a session using pam_selinux, the shell that gets executed will be run in the default security context, or if the user chooses and the pam file allows the selected security context\&. Also the controlling tty will have it\'s security context modified to match the users\&.
+When a new session is started, the open_session part of the module computes and sets up the execution security context used for the next
+\fBexecve\fR(2)
+call, the file security context for the controlling terminal, and the security context used for creating a new kernel keyring\&.
.PP
-Adding pam_selinux into a pam file could cause other pam modules to change their behavior if the exec another application\&. The close and open option help mitigate this problem\&. close option will only cause the close portion of the pam_selinux to execute, and open will only cause the open portion to run\&. You can add pam_selinux to the config file twice\&. Add the pam_selinux close as the executes the open pass through the modules, pam_selinux open_session will happen last\&. When PAM executes the close pass through the modules pam_selinux close_session will happen first\&.
+When the session is ended, the close_session part of the module restores old security contexts that were in effect before the change made by the open_session part of the module\&.
+.PP
+Adding pam_selinux into the PAM stack might disrupt behavior of other PAM modules which execute applications\&. To avoid that,
+\fIpam_selinux\&.so open\fR
+should be placed after such modules in the PAM stack, and
+\fIpam_selinux\&.so close\fR
+should be placed before them\&. When such a placement is not feasible,
+\fIpam_selinux\&.so restore\fR
+could be used to temporary restore original security contexts\&.
.SH "OPTIONS"
.PP
-\fBclose\fR
+\fBopen\fR
.RS 4
-Only execute the close_session portion of the module\&.
+Only execute the open_session part of the module\&.
.RE
.PP
-\fBdebug\fR
+\fBclose\fR
.RS 4
-Turns on debugging via
-\fBsyslog\fR(3)\&.
+Only execute the close_session part of the module\&.
.RE
.PP
-\fBopen\fR
+\fBrestore\fR
.RS 4
-Only execute the open_session portion of the module\&.
+In open_session part of the module, temporarily restore the security contexts as they were before the previous call of the module\&. Another call of this module without the restore option will set up the new security contexts again\&.
.RE
.PP
\fBnottys\fR
.RS 4
-Do not try to setup the ttys security context\&.
+Do not setup security context of the controlling terminal\&.
+.RE
+.PP
+\fBdebug\fR
+.RS 4
+Turn on debug messages via
+\fBsyslog\fR(3)\&.
.RE
.PP
\fBverbose\fR
.RS 4
-attempt to inform the user when security context is set\&.
+Attempt to inform the user when security context is set\&.
.RE
.PP
\fBselect_context\fR
.RS 4
-Attempt to ask the user for a custom security context role\&. If MLS is on ask also for sensitivity level\&.
+Attempt to ask the user for a custom security context role\&. If MLS is on, ask also for sensitivity level\&.
.RE
.PP
\fBenv_params\fR
.RS 4
-Attempt to obtain a custom security context role from PAM environment\&. If MLS is on obtain also sensitivity level\&. This option and the select_context option are mutually exclusive\&. The respective PAM environment variables are
+Attempt to obtain a custom security context role from PAM environment\&. If MLS is on, obtain also sensitivity level\&. This option and the select_context option are mutually exclusive\&. The respective PAM environment variables are
\fISELINUX_ROLE_REQUESTED\fR,
\fISELINUX_LEVEL_REQUESTED\fR, and
\fISELINUX_USE_CURRENT_RANGE\fR\&. The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module\&.
@@ -232,54 +106,46 @@ Only the
module type is provided\&.
.SH "RETURN VALUES"
.PP
-PAM_AUTH_ERR
+PAM_SUCCESS
.RS 4
-Unable to get or set a valid context\&.
+The security context was set successfully\&.
.RE
.PP
-PAM_SUCCESS
+PAM_SESSION_ERR
.RS 4
-The security context was set successfully\&.
+Unable to get or set a valid context\&.
.RE
.PP
PAM_USER_UNKNOWN
.RS 4
The user is not known to the system\&.
.RE
+.PP
+PAM_BUF_ERR
+.RS 4
+Memory allocation error\&.
+.RE
.SH "EXAMPLES"
.sp
.if n \{\
.RS 4
.\}
-.fam C
-.ps -1
.nf
-.if t \{\
-.sp -1
-.\}
-.BB lightgray adjust-for-leading-newline
-.sp -1
-
auth required pam_unix\&.so
session required pam_permit\&.so
session optional pam_selinux\&.so
-.EB lightgray adjust-for-leading-newline
-.if t \{\
-.sp 1
-.\}
.fi
-.fam
-.ps +1
.if n \{\
.RE
.\}
.SH "SEE ALSO"
.PP
-
-\fBpam.conf\fR(5),
+\fBexecve\fR(2),
+\fBtty\fR(4),
\fBpam.d\fR(5),
-\fBpam\fR(8)
+\fBpam\fR(8),
+\fBselinux\fR(8)
.SH "AUTHOR"
.PP
pam_selinux was written by Dan Walsh <dwalsh@redhat\&.com>\&.
diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml
index 2c1cdb24..28d465f5 100644
--- a/modules/pam_selinux/pam_selinux.8.xml
+++ b/modules/pam_selinux/pam_selinux.8.xml
@@ -19,18 +19,21 @@
<cmdsynopsis id="pam_selinux-cmdsynopsis">
<command>pam_selinux.so</command>
<arg choice="opt">
- close
+ open
</arg>
<arg choice="opt">
- debug
+ close
</arg>
<arg choice="opt">
- open
+ restore
</arg>
<arg choice="opt">
nottys
</arg>
<arg choice="opt">
+ debug
+ </arg>
+ <arg choice="opt">
verbose
</arg>
<arg choice="opt">
@@ -48,26 +51,31 @@
<refsect1 id="pam_selinux-description">
<title>DESCRIPTION</title>
<para>
- In a nutshell, pam_selinux sets up the default security context for the
- next execed shell.
+ pam_selinux is a PAM module that sets up the default SELinux security
+ context for the next executed process.
+ </para>
+ <para>
+ When a new session is started, the open_session part of the module
+ computes and sets up the execution security context used for the next
+ <citerefentry>
+ <refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>
+ </citerefentry>
+ call, the file security context for the controlling terminal, and
+ the security context used for creating a new kernel keyring.
</para>
<para>
- When an application opens a session using pam_selinux, the shell that
- gets executed will be run in the default security context, or if the
- user chooses and the pam file allows the selected security context.
- Also the controlling tty will have it's security context modified to
- match the users.
+ When the session is ended, the close_session part of the module restores
+ old security contexts that were in effect before the change made
+ by the open_session part of the module.
</para>
<para>
- Adding pam_selinux into a pam file could cause other pam modules to
- change their behavior if the exec another application. The close and
- open option help mitigate this problem. close option will only cause
- the close portion of the pam_selinux to execute, and open will only
- cause the open portion to run. You can add pam_selinux to the config
- file twice. Add the pam_selinux close as the executes the open pass
- through the modules, pam_selinux open_session will happen last.
- When PAM executes the close pass through the modules pam_selinux
- close_session will happen first.
+ Adding pam_selinux into the PAM stack might disrupt behavior of other
+ PAM modules which execute applications. To avoid that,
+ <emphasis>pam_selinux.so open</emphasis> should be placed after such
+ modules in the PAM stack, and <emphasis>pam_selinux.so close</emphasis>
+ should be placed before them. When such a placement is not feasible,
+ <emphasis>pam_selinux.so restore</emphasis> could be used to temporary
+ restore original security contexts.
</para>
</refsect1>
@@ -76,34 +84,34 @@
<variablelist>
<varlistentry>
<term>
- <option>close</option>
+ <option>open</option>
</term>
<listitem>
<para>
- Only execute the close_session portion of the module.
+ Only execute the open_session part of the module.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
- <option>debug</option>
+ <option>close</option>
</term>
<listitem>
<para>
- Turns on debugging via
- <citerefentry>
- <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
- </citerefentry>.
+ Only execute the close_session part of the module.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
- <option>open</option>
+ <option>restore</option>
</term>
<listitem>
<para>
- Only execute the open_session portion of the module.
+ In open_session part of the module, temporarily restore the
+ security contexts as they were before the previous call of
+ the module. Another call of this module without the restore
+ option will set up the new security contexts again.
</para>
</listitem>
</varlistentry>
@@ -113,7 +121,20 @@
</term>
<listitem>
<para>
- Do not try to setup the ttys security context.
+ Do not setup security context of the controlling terminal.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term>
+ <option>debug</option>
+ </term>
+ <listitem>
+ <para>
+ Turn on debug messages via
+ <citerefentry>
+ <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
+ </citerefentry>.
</para>
</listitem>
</varlistentry>
@@ -123,7 +144,7 @@
</term>
<listitem>
<para>
- attempt to inform the user when security context is set.
+ Attempt to inform the user when security context is set.
</para>
</listitem>
</varlistentry>
@@ -134,7 +155,7 @@
<listitem>
<para>
Attempt to ask the user for a custom security context role.
- If MLS is on ask also for sensitivity level.
+ If MLS is on, ask also for sensitivity level.
</para>
</listitem>
</varlistentry>
@@ -145,11 +166,11 @@
<listitem>
<para>
Attempt to obtain a custom security context role from PAM environment.
- If MLS is on obtain also sensitivity level. This option and the
- select_context option are mutually exclusive. The respective PAM
+ If MLS is on, obtain also sensitivity level. This option and the
+ select_context option are mutually exclusive. The respective PAM
environment variables are <emphasis>SELINUX_ROLE_REQUESTED</emphasis>,
<emphasis>SELINUX_LEVEL_REQUESTED</emphasis>, and
- <emphasis>SELINUX_USE_CURRENT_RANGE</emphasis>. The first two variables
+ <emphasis>SELINUX_USE_CURRENT_RANGE</emphasis>. The first two variables
are self describing and the last one if set to 1 makes the PAM module behave as
if the use_current_range was specified on the command line of the module.
</para>
@@ -181,18 +202,18 @@
<title>RETURN VALUES</title>
<variablelist>
<varlistentry>
- <term>PAM_AUTH_ERR</term>
+ <term>PAM_SUCCESS</term>
<listitem>
<para>
- Unable to get or set a valid context.
+ The security context was set successfully.
</para>
</listitem>
</varlistentry>
<varlistentry>
- <term>PAM_SUCCESS</term>
+ <term>PAM_SESSION_ERR</term>
<listitem>
<para>
- The security context was set successfully.
+ Unable to get or set a valid context.
</para>
</listitem>
</varlistentry>
@@ -204,6 +225,14 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>PAM_BUF_ERR</term>
+ <listitem>
+ <para>
+ Memory allocation error.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
@@ -220,13 +249,19 @@ session optional pam_selinux.so
<title>SEE ALSO</title>
<para>
<citerefentry>
- <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
+ <refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>tty</refentrytitle><manvolnum>4</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>
</para>
</refsect1>
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index f99d433a..b96cc236 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -87,6 +87,7 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau
int audit_fd = audit_open();
security_context_t default_raw=NULL;
security_context_t selected_raw=NULL;
+ const void *tty = NULL, *rhost = NULL;
rc = -1;
if (audit_fd < 0) {
if (errno == EINVAL || errno == EPROTONOSUPPORT ||
@@ -95,6 +96,8 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau
pam_syslog(pamh, LOG_ERR, "Error connecting to audit system.");
return rc;
}
+ (void)pam_get_item(pamh, PAM_TTY, &tty);
+ (void)pam_get_item(pamh, PAM_RHOST, &rhost);
if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
pam_syslog(pamh, LOG_ERR, "Error translating default context.");
default_raw = NULL;
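Review bot: The two pam_get_item calls discard their status, which is only safe because `tty` and `rhost` start out NULL and the audit_log_user_message call in the following hunk already tolerated NULL for both fields; that intent deserves a one-line comment above them, e.g. `/* best effort: a failed lookup leaves the field NULL, as before */`. Note also that PAM_TTY is handed to the audit record verbatim, so the placeholder values this module elsewhere treats as "no terminal" ("ssh", "NODEV" in compute_tty_context) will show up in the terminal field of AUDIT_USER_ROLE_CHANGE events; this is probably the usual audit convention, but it is worth confirming that consumers of these records expect it. PAM_RHOST is likewise application-supplied and only recorded here, not acted upon, which is the right posture. send_audit_message starts outside the hunk.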
@@ -110,7 +113,7 @@ int send_audit_message(pam_handle_t *pamh, int success, security_context_t defau
goto out;
}
if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
- msg, NULL, NULL, NULL, success) <= 0) {
+ msg, rhost, NULL, tty, success) <= 0) {
pam_syslog(pamh, LOG_ERR, "Error sending audit message.");
goto out;
}
@@ -142,7 +145,7 @@ query_response (pam_handle_t *pamh, const char *text, const char *def,
char **response, int debug)
{
int rc;
- if (def)
+ if (def)
rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s [%s] ", text, def);
else
rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s ", text);
@@ -150,7 +153,7 @@ query_response (pam_handle_t *pamh, const char *text, const char *def,
if (*response == NULL) {
rc = PAM_CONV_ERR;
}
-
+
if (rc != PAM_SUCCESS) {
pam_syslog(pamh, LOG_WARNING, "No response to query: %s", text);
} else if (debug)
@@ -158,81 +161,6 @@ query_response (pam_handle_t *pamh, const char *text, const char *def,
return rc;
}
-static security_context_t
-manual_context (pam_handle_t *pamh, const char *user, int debug)
-{
- security_context_t newcon=NULL;
- context_t new_context;
- int mls_enabled = is_selinux_mls_enabled();
- char *type=NULL;
- char *response=NULL;
-
- while (1) {
- if (query_response(pamh,
- _("Would you like to enter a security context? [N] "), NULL,
- &response, debug) != PAM_SUCCESS)
- return NULL;
-
- if ((response[0] == 'y') || (response[0] == 'Y'))
- {
- if (mls_enabled)
- new_context = context_new ("user:role:type:level");
- else
- new_context = context_new ("user:role:type");
-
- if (!new_context)
- goto fail_set;
-
- if (context_user_set (new_context, user))
- goto fail_set;
-
- _pam_drop(response);
- /* Allow the user to enter each field of the context individually */
- if (query_response(pamh, _("role:"), NULL, &response, debug) == PAM_SUCCESS &&
- response[0] != '\0') {
- if (context_role_set (new_context, response))
- goto fail_set;
- if (get_default_type(response, &type))
- goto fail_set;
- if (context_type_set (new_context, type))
- goto fail_set;
- _pam_drop(type);
- }
- _pam_drop(response);
-
- if (mls_enabled)
- {
- if (query_response(pamh, _("level:"), NULL, &response, debug) == PAM_SUCCESS &&
- response[0] != '\0') {
- if (context_range_set (new_context, response))
- goto fail_set;
- }
- _pam_drop(response);
- }
-
- /* Get the string value of the context and see if it is valid. */
- if (!security_check_context(context_str(new_context))) {
- newcon = strdup(context_str(new_context));
- context_free (new_context);
- return newcon;
- }
- else
- send_text(pamh,_("Not a valid security context"),debug);
-
- context_free (new_context);
- }
- else {
- _pam_drop(response);
- return NULL;
- }
- } /* end while */
- fail_set:
- free(type);
- _pam_drop(response);
- context_free (new_context);
- return NULL;
-}
-
static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug)
{
struct av_decision avd;
@@ -283,7 +211,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre
while (1) {
if (query_response(pamh,
- _("Would you like to enter a different role or level?"), "n",
+ _("Would you like to enter a different role or level?"), "n",
&response, debug) == PAM_SUCCESS) {
resp_val = response[0];
_pam_drop(response);
@@ -293,22 +221,22 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre
if ((resp_val == 'y') || (resp_val == 'Y'))
{
if ((new_context = context_new(defaultcon)) == NULL)
- goto fail_set;
+ goto fail_set;
/* Allow the user to enter role and level individually */
- if (query_response(pamh, _("role:"), context_role_get(new_context),
+ if (query_response(pamh, _("role:"), context_role_get(new_context),
&response, debug) == PAM_SUCCESS && response[0]) {
if (get_default_type(response, &type)) {
pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), response);
_pam_drop(response);
continue;
} else {
- if (context_role_set(new_context, response))
+ if (context_role_set(new_context, response))
goto fail_set;
if (context_type_set (new_context, type))
goto fail_set;
_pam_drop(type);
- }
+ }
}
_pam_drop(response);
@@ -320,9 +248,9 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre
if (getcon(&mycon) != 0)
goto fail_set;
- my_context = context_new(mycon);
+ my_context = context_new(mycon);
if (my_context == NULL) {
- freecon(mycon);
+ freecon(mycon);
goto fail_set;
}
freecon(mycon);
@@ -331,11 +259,11 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre
goto fail_set;
}
context_free(my_context);
- } else if (query_response(pamh, _("level:"), context_range_get(new_context),
+ } else if (query_response(pamh, _("level:"), context_range_get(new_context),
&response, debug) == PAM_SUCCESS && response[0]) {
if (context_range_set(new_context, response))
goto fail_set;
- }
+ }
_pam_drop(response);
}
@@ -355,7 +283,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre
if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon);
- send_audit_message(pamh, 0, defaultcon, newcon);
+ send_audit_message(pamh, 0, defaultcon, newcon);
free(newcon);
goto fail_range;
@@ -380,7 +308,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre
context_free (new_context);
send_audit_message(pamh, 0, defaultcon, NULL);
fail_range:
- return NULL;
+ return NULL;
}
static security_context_t
@@ -405,7 +333,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
pam_syslog(pamh, LOG_NOTICE, "No default type for role %s", env);
goto fail_set;
} else {
- if (context_role_set(new_context, env))
+ if (context_role_set(new_context, env))
goto fail_set;
if (context_type_set(new_context, type))
goto fail_set;
@@ -449,7 +377,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", newcon);
-
+
/* Get the string value of the context and see if it is valid. */
if (security_check_context(newcon)) {
pam_syslog(pamh, LOG_NOTICE, "Not a valid security context %s", newcon);
@@ -480,139 +408,296 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
return newcon;
}
+#define DATANAME "pam_selinux_context"
+typedef struct {
+ security_context_t exec_context;
+ security_context_t prev_exec_context;
+ security_context_t default_user_context;
+ security_context_t tty_context;
+ security_context_t prev_tty_context;
+ char *tty_path;
+} module_data_t;
+
+static void
+free_module_data(module_data_t *data)
+{
+ free(data->tty_path);
+ freecon(data->prev_tty_context);
+ freecon(data->tty_context);
+ freecon(data->default_user_context);
+ freecon(data->prev_exec_context);
+ if (data->exec_context != data->default_user_context)
+ freecon(data->exec_context);
+ memset(data, 0, sizeof(*data));
+ free(data);
+}
+
static void
-security_restorelabel_tty(const pam_handle_t *pamh,
- const char *tty, security_context_t context)
+cleanup(pam_handle_t *pamh UNUSED, void *data, int err UNUSED)
+{
+ free_module_data(data);
+}
+
+static const module_data_t *
+get_module_data(const pam_handle_t *pamh)
+{
+ const void *data;
+
+ return (pam_get_data(pamh, DATANAME, &data) == PAM_SUCCESS) ? data : NULL;
+}
+
+static const char *
+get_item(const pam_handle_t *pamh, int item_type)
+{
+ const void *item;
+
+ return (pam_get_item(pamh, item_type, &item) == PAM_SUCCESS) ? item : NULL;
+}
+
+static int
+set_exec_context(const pam_handle_t *pamh, security_context_t context)
+{
+ if (setexeccon(context) == 0)
+ return 0;
+ pam_syslog(pamh, LOG_ERR, "Setting executable context \"%s\" failed: %m",
+ context ? context : "");
+ return -1;
+}
+
+static int
+set_file_context(const pam_handle_t *pamh, security_context_t context,
+ const char *file)
{
- char ttybuf[PATH_MAX];
- const char *ptr;
+ if (!file)
+ return 0;
+ if (setfilecon(file, context) == 0 || errno == ENOENT)
+ return 0;
+ pam_syslog(pamh, LOG_ERR, "Setting file context \"%s\" failed for %s: %m",
+ context ? context : "", file);
+ return -1;
+}
- if (context==NULL)
- return;
+static int
+compute_exec_context(pam_handle_t *pamh, module_data_t *data,
+ int select_context, int use_current_range,
+ int env_params, int debug)
+{
+ const char *username;
- if(strncmp("/dev/", tty, 5)) {
- snprintf(ttybuf,sizeof(ttybuf),"/dev/%s",tty);
- ptr = ttybuf;
+#ifdef HAVE_GETSEUSER
+ const char *service;
+#endif
+ char *seuser = NULL;
+ char *level = NULL;
+ security_context_t *contextlist = NULL;
+ int num_contexts = 0;
+
+ if (!(username = get_item(pamh, PAM_USER))) {
+ pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name");
+ return PAM_USER_UNKNOWN;
}
- else
- ptr = tty;
- if (setfilecon(ptr, context) && errno != ENOENT)
- {
- pam_syslog(pamh, LOG_NOTICE,
- "Warning! Could not relabel %s with %s, not relabeling: %m",
- ptr, context);
+ /* compute execute context */
+#ifdef HAVE_GETSEUSER
+ if (!(service = get_item(pamh, PAM_SERVICE))) {
+ pam_syslog(pamh, LOG_ERR, "Cannot obtain the service name");
+ return PAM_SESSION_ERR;
}
+ if (getseuser(username, service, &seuser, &level) == 0) {
+#else
+ if (getseuserbyname(username, &seuser, &level) == 0) {
+#endif
+ num_contexts = get_ordered_context_list_with_level(seuser, level, NULL,
+ &contextlist);
+ if (debug)
+ pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User= %s Level= %s",
+ username, seuser, level);
+ free(level);
+ }
+ if (num_contexts > 0) {
+ free(seuser);
+ data->default_user_context = strdup(contextlist[0]);
+ freeconary(contextlist);
+ if (!data->default_user_context) {
+ pam_syslog(pamh, LOG_ERR, "Out of memory");
+ return PAM_BUF_ERR;
+ }
+
+ data->exec_context = data->default_user_context;
+ if (select_context)
+ data->exec_context = config_context(pamh, data->default_user_context,
+ use_current_range, debug);
+ else if (env_params || use_current_range)
+ data->exec_context = context_from_env(pamh, data->default_user_context,
+ env_params, use_current_range,
+ debug);
+ }
+
+ if (!data->exec_context) {
+ pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s", username);
+ pam_prompt(pamh, PAM_ERROR_MSG, NULL,
+ _("Unable to get valid context for %s"), username);
+ }
+
+ if (getexeccon(&data->prev_exec_context) < 0)
+ data->prev_exec_context = NULL;
+
+ return PAM_SUCCESS;
}
-static security_context_t
-security_label_tty(pam_handle_t *pamh, char *tty,
- security_context_t usercon)
+static int
+compute_tty_context(const pam_handle_t *pamh, module_data_t *data)
{
- char ttybuf[PATH_MAX];
- int status=0;
- security_context_t newdev_context=NULL; /* The new context of a device */
- security_context_t prev_context=NULL; /* The new context of a device */
- const char *ptr;
-
- if(strncmp("/dev/", tty, 5))
- {
- snprintf(ttybuf,sizeof(ttybuf),"/dev/%s",tty);
- ptr = ttybuf;
+ const char *tty = get_item(pamh, PAM_TTY);
+
+ if (!tty || !*tty || !strcmp(tty, "ssh") || !strncmp(tty, "NODEV", 5)) {
+ tty = ttyname(STDIN_FILENO);
+ if (!tty || !*tty)
+ tty = ttyname(STDOUT_FILENO);
+ if (!tty || !*tty)
+ tty = ttyname(STDERR_FILENO);
+ if (!tty || !*tty)
+ return PAM_SUCCESS;
}
- else
- ptr = tty;
-
- if (getfilecon(ptr, &prev_context) < 0)
- {
- if(errno != ENOENT)
- pam_syslog(pamh, LOG_NOTICE,
- "Warning! Could not get current context for %s, not relabeling: %m",
- ptr);
- return NULL;
+
+ if (strncmp("/dev/", tty, 5)) {
+ if (asprintf(&data->tty_path, "%s%s", "/dev/", tty) < 0)
+ data->tty_path = NULL;
+ } else {
+ data->tty_path = strdup(tty);
}
- if( security_compute_relabel(usercon,prev_context,SECCLASS_CHR_FILE,
- &newdev_context)!=0)
- {
- pam_syslog(pamh, LOG_NOTICE,
- "Warning! Could not get new context for %s, not relabeling: %m",
- ptr);
- pam_syslog(pamh, LOG_NOTICE,
- "usercon=%s, prev_context=%s", usercon, prev_context);
- freecon(prev_context);
- return NULL;
+
+ if (!data->tty_path) {
+ pam_syslog(pamh, LOG_ERR, "Out of memory");
+ return PAM_BUF_ERR;
}
- status=setfilecon(ptr,newdev_context);
- if (status)
- {
- pam_syslog(pamh, LOG_NOTICE,
- "Warning! Could not relabel %s with %s, not relabeling: %m",
- ptr,newdev_context);
- freecon(prev_context);
- prev_context=NULL;
+
+ if (getfilecon(data->tty_path, &data->prev_tty_context) < 0) {
+ data->prev_tty_context = NULL;
+ if (errno == ENOENT) {
+ free(data->tty_path);
+ data->tty_path = NULL;
+ return PAM_SUCCESS;
+ }
+ pam_syslog(pamh, LOG_ERR, "Failed to get current context for %s: %m",
+ data->tty_path);
+ return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS;
}
- freecon(newdev_context);
- return prev_context;
-}
-static security_context_t user_context=NULL;
-static security_context_t prev_user_context=NULL;
-static security_context_t ttyn_context=NULL; /* The current context of ttyn device */
-static int selinux_enabled=0;
-static char *ttyn=NULL;
+ if (security_compute_relabel(data->exec_context, data->prev_tty_context,
+ SECCLASS_CHR_FILE, &data->tty_context)) {
+ data->tty_context = NULL;
+ pam_syslog(pamh, LOG_ERR, "Failed to compute new context for %s: %m",
+ data->tty_path);
+ freecon(data->prev_tty_context);
+ data->prev_tty_context = NULL;
+ free(data->tty_path);
+ data->tty_path = NULL;
+ return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS;
+ }
-PAM_EXTERN int
-pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
+ return PAM_SUCCESS;
+}
+
+static int
+restore_context(const pam_handle_t *pamh, const module_data_t *data, int debug)
{
- /* Fail by default. */
- return PAM_AUTH_ERR;
+ int err;
+
+ if (!data) {
+ if (debug)
+ pam_syslog(pamh, LOG_NOTICE, "No context to restore");
+ return PAM_SUCCESS;
+ }
+
+ if (debug && data->tty_path)
+ pam_syslog(pamh, LOG_NOTICE,
+ "Restore file context of tty %s: [%s] -> [%s]",
+ data->tty_path,
+ data->tty_context ? data->tty_context : "",
+ data->prev_tty_context ? data->prev_tty_context : "");
+ err = set_file_context(pamh, data->prev_tty_context, data->tty_path);
+
+ if (debug)
+ pam_syslog(pamh, LOG_NOTICE, "Restore executable context: [%s] -> [%s]",
+ data->exec_context,
+ data->prev_exec_context ? data->prev_exec_context : "");
+ err |= set_exec_context(pamh, data->prev_exec_context);
+
+ if (err && security_getenforce() == 1)
+ return PAM_SESSION_ERR;
+
+ return PAM_SUCCESS;
}
-PAM_EXTERN int
-pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
- int argc UNUSED, const char **argv UNUSED)
+static int
+set_context(pam_handle_t *pamh, const module_data_t *data,
+ int debug, int verbose)
{
- return PAM_SUCCESS;
+ int rc, err;
+
+ if (debug && data->tty_path)
+ pam_syslog(pamh, LOG_NOTICE, "Set file context of tty %s: [%s] -> [%s]",
+ data->tty_path,
+ data->prev_tty_context ? data->prev_tty_context : "",
+ data->tty_context ? data->tty_context : "");
+ err = set_file_context(pamh, data->tty_context, data->tty_path);
+
+ if (debug)
+ pam_syslog(pamh, LOG_NOTICE, "Set executable context: [%s] -> [%s]",
+ data->prev_exec_context ? data->prev_exec_context : "",
+ data->exec_context);
+ rc = set_exec_context(pamh, data->exec_context);
+ err |= rc;
+
+ send_audit_message(pamh, !rc, data->default_user_context, data->exec_context);
+ if (verbose && !rc) {
+ char msg[PATH_MAX];
+
+ snprintf(msg, sizeof(msg),
+ _("Security Context %s Assigned"), data->exec_context);
+ send_text(pamh, msg, debug);
+ }
+#ifdef HAVE_SETKEYCREATECON
+ if (debug)
+ pam_syslog(pamh, LOG_NOTICE, "Set key creation context to %s",
+ data->exec_context ? data->exec_context : "");
+ rc = setkeycreatecon(data->exec_context);
+ err |= rc;
+ if (rc)
+ pam_syslog(pamh, LOG_ERR, "Setting key creation context %s failed: %m",
+ data->exec_context ? data->exec_context : "");
+ if (verbose && !rc) {
+ char msg[PATH_MAX];
+
+ snprintf(msg, sizeof(msg),
+ _("Key Creation Context %s Assigned"), data->exec_context);
+ send_text(pamh, msg, debug);
+ }
+#endif
+
+ if (err && security_getenforce() == 1)
+ return PAM_SESSION_ERR;
+
+ return PAM_SUCCESS;
}
-PAM_EXTERN int
-pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
- int argc, const char **argv)
+static int
+create_context(pam_handle_t *pamh, int argc, const char **argv,
+ int debug, int verbose)
{
- int i, debug = 0, ttys=1;
- int verbose=0, close_session=0;
+ int i;
+ int ttys = 1;
int select_context = 0;
int use_current_range = 0;
- int ret = 0;
- security_context_t* contextlist = NULL;
- int num_contexts = 0;
int env_params = 0;
- const char *username;
- const void *void_username;
- const void *tty = NULL;
- char *seuser=NULL;
- char *level=NULL;
- security_context_t default_user_context=NULL;
-#ifdef HAVE_GETSEUSER
- const void *void_service;
- const char *service;
-#endif
+ module_data_t *data;
/* Parse arguments. */
for (i = 0; i < argc; i++) {
- if (strcmp(argv[i], "debug") == 0) {
- debug = 1;
- }
if (strcmp(argv[i], "nottys") == 0) {
ttys = 0;
}
- if (strcmp(argv[i], "verbose") == 0) {
- verbose = 1;
- }
- if (strcmp(argv[i], "close") == 0) {
- close_session = 1;
- }
if (strcmp(argv[i], "select_context") == 0) {
select_context = 1;
}
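Review bot: `seuser` leaks in compute_exec_context whenever getseuser/getseuserbyname succeeds but get_ordered_context_list_with_level returns no contexts, because the only `free(seuser)` sits inside the `if (num_contexts > 0)` block (a shape carried over from the old code); since seuser is not used after the debug message, free it next to level, i.e. `free(level); free(seuser);`, and drop the `free(seuser)` from the num_contexts block. Separately, the non-ENOENT getfilecon failure branch in compute_tty_context returns PAM_SUCCESS in permissive mode while leaving `data->tty_path` set and both tty contexts NULL, unlike the ENOENT branch and the security_compute_relabel failure branch, which both clear it. set_context and restore_context then reach `set_file_context(pamh, NULL, data->tty_path)`, which at best logs a spurious `Setting file context "" failed` error and, if setfilecon does not accept a NULL context, dereferences it. Adding `free(data->tty_path); data->tty_path = NULL;` after that pam_syslog (or guarding set_file_context with `if (!file || !context) return 0;`) closes the gap. create_context, which begins at the end of this hunk, continues into the next one.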
@@ -623,172 +708,111 @@ pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
env_params = 1;
}
}
-
- if (debug)
- pam_syslog(pamh, LOG_NOTICE, "Open Session");
+
+ if (is_selinux_enabled() <= 0) {
+ if (debug)
+ pam_syslog(pamh, LOG_NOTICE, "SELinux is not enabled");
+ return PAM_SUCCESS;
+ }
if (select_context && env_params) {
- pam_syslog(pamh, LOG_ERR, "select_context cannot be used with env_params");
+ pam_syslog(pamh, LOG_ERR,
+ "select_context cannot be used with env_params");
select_context = 0;
}
- /* this module is only supposed to execute close_session */
- if (close_session)
- return PAM_SUCCESS;
+ if (!(data = calloc(1, sizeof(*data)))) {
+ pam_syslog(pamh, LOG_ERR, "Out of memory");
+ return PAM_BUF_ERR;
+ }
- if (!(selinux_enabled = is_selinux_enabled()>0) )
- return PAM_SUCCESS;
+ i = compute_exec_context(pamh, data, select_context, use_current_range,
+ env_params, debug);
+ if (i != PAM_SUCCESS) {
+ free_module_data(data);
+ return i;
+ }
- if (pam_get_item(pamh, PAM_USER, &void_username) != PAM_SUCCESS ||
- void_username == NULL) {
- return PAM_USER_UNKNOWN;
+ if (!data->exec_context) {
+ free_module_data(data);
+ return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS;
}
- username = void_username;
-#ifdef HAVE_GETSEUSER
- if (pam_get_item(pamh, PAM_SERVICE, (void *) &void_service) != PAM_SUCCESS ||
- void_service == NULL) {
- return PAM_SESSION_ERR;
+ if (ttys && (i = compute_tty_context(pamh, data)) != PAM_SUCCESS) {
+ free_module_data(data);
+ return i;
}
- service = void_service;
- if (getseuser(username, service, &seuser, &level) == 0) {
-#else
- if (getseuserbyname(username, &seuser, &level) == 0) {
-#endif
- num_contexts = get_ordered_context_list_with_level(seuser,
- level,
- NULL,
- &contextlist);
- if (debug)
- pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
- username, seuser, level);
- free(level);
+ if ((i = pam_set_data(pamh, DATANAME, data, cleanup)) != PAM_SUCCESS) {
+ pam_syslog(pamh, LOG_ERR, "Error saving context: %m");
+ free_module_data(data);
+ return i;
}
- if (num_contexts > 0) {
- free(seuser);
- default_user_context=strdup(contextlist[0]);
- freeconary(contextlist);
- if (default_user_context == NULL) {
- pam_syslog(pamh, LOG_ERR, "Out of memory");
- return PAM_BUF_ERR;
- }
- user_context = default_user_context;
- if (select_context) {
- user_context = config_context(pamh, default_user_context, use_current_range, debug);
- } else if (env_params || use_current_range) {
- user_context = context_from_env(pamh, default_user_context, env_params, use_current_range, debug);
- }
+ return set_context(pamh, data, debug, verbose);
+}
- if (user_context == NULL) {
- freecon(default_user_context);
- pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s",
- username);
- pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("Unable to get valid context for %s"), username);
- if (security_getenforce() == 1)
- return PAM_AUTH_ERR;
- else
- return PAM_SUCCESS;
- }
- }
- else {
- if (seuser != NULL) {
- user_context = manual_context(pamh,seuser,debug);
- free(seuser);
- }
- if (user_context == NULL) {
- pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s",
- username);
- if (security_getenforce() == 1)
- return PAM_AUTH_ERR;
- else
- return PAM_SUCCESS;
- }
- }
+PAM_EXTERN int
+pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED,
+ int argc UNUSED, const char **argv UNUSED)
+{
+ /* Fail by default. */
+ return PAM_AUTH_ERR;
+}
- if (getexeccon(&prev_user_context)<0) {
- prev_user_context=NULL;
- }
- if (ttys) {
- /* Get the name of the terminal. */
- if (pam_get_item(pamh, PAM_TTY, &tty) != PAM_SUCCESS) {
- tty = NULL;
- }
+PAM_EXTERN int
+pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED,
+ int argc UNUSED, const char **argv UNUSED)
+{
+ return PAM_SUCCESS;
+}
- if ((tty == NULL) || (strlen(tty) == 0) ||
- strcmp(tty, "ssh") == 0 || strncmp(tty, "NODEV", 5) == 0) {
- tty = ttyname(STDIN_FILENO);
- if ((tty == NULL) || (strlen(tty) == 0)) {
- tty = ttyname(STDOUT_FILENO);
- }
- if ((tty == NULL) || (strlen(tty) == 0)) {
- tty = ttyname(STDERR_FILENO);
- }
+PAM_EXTERN int
+pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED,
+ int argc, const char **argv)
+{
+ const module_data_t *data;
+ int i, debug = 0, verbose = 0, close_session = 0, restore = 0;
+
+ /* Parse arguments. */
+ for (i = 0; i < argc; i++) {
+ if (strcmp(argv[i], "debug") == 0) {
+ debug = 1;
}
- }
- if (ttys && tty) {
- ttyn=strdup(tty);
- ttyn_context=security_label_tty(pamh,ttyn,user_context);
- }
- send_audit_message(pamh, 1, default_user_context, user_context);
- if (default_user_context != user_context) {
- freecon(default_user_context);
- }
- ret = setexeccon(user_context);
- if (ret==0 && verbose) {
- char msg[PATH_MAX];
- snprintf(msg, sizeof(msg),
- _("Security Context %s Assigned"), user_context);
- send_text(pamh, msg, debug);
- }
- if (ret) {
- pam_syslog(pamh, LOG_ERR,
- "Error! Unable to set %s executable context %s.",
- username, user_context);
- if (security_getenforce() == 1) {
- freecon(user_context);
- return PAM_AUTH_ERR;
+ if (strcmp(argv[i], "verbose") == 0) {
+ verbose = 1;
}
- } else {
- if (debug)
- pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
- username, user_context);
- }
-#ifdef HAVE_SETKEYCREATECON
- ret = setkeycreatecon(user_context);
- if (ret==0 && verbose) {
- char msg[PATH_MAX];
- snprintf(msg, sizeof(msg),
- _("Key Creation Context %s Assigned"), user_context);
- send_text(pamh, msg, debug);
- }
- if (ret) {
- pam_syslog(pamh, LOG_ERR,
- "Error! Unable to set %s key creation context %s.",
- username, user_context);
- if (security_getenforce() == 1) {
- freecon(user_context);
- return PAM_AUTH_ERR;
+ if (strcmp(argv[i], "close") == 0) {
+ close_session = 1;
+ }
+ if (strcmp(argv[i], "restore") == 0) {
+ restore = 1;
}
- } else {
- if (debug)
- pam_syslog(pamh, LOG_NOTICE, "set %s key creation context to %s",
- username, user_context);
}
-#endif
- freecon(user_context);
- return PAM_SUCCESS;
+ if (debug)
+ pam_syslog(pamh, LOG_NOTICE, "Open Session");
+
+ /* Is this module supposed to execute close_session only? */
+ if (close_session)
+ return PAM_SUCCESS;
+
+ data = get_module_data(pamh);
+
+ /* Is this module supposed only to restore original context? */
+ if (restore)
+ return restore_context(pamh, data, debug);
+
+ /* If there is a saved context, this module is supposed to set it again. */
+ return data ? set_context(pamh, data, debug, verbose) :
+ create_context(pamh, argc, argv, debug, verbose);
}
PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
int argc, const char **argv)
{
- int i, debug = 0, status = PAM_SUCCESS, open_session = 0;
- if (! (selinux_enabled ))
- return PAM_SUCCESS;
+ int i, debug = 0, open_session = 0;
/* Parse arguments. */
for (i = 0; i < argc; i++) {
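Review bot: create_context returns PAM_SESSION_ERR (enforcing) or PAM_SUCCESS (permissive) at `if (!data->exec_context)` without logging anything, whereas the removed lines reported "Unable to get valid context for %s" at LOG_ERR and through pam_prompt; unless compute_exec_context already emits that diagnostic, a login refused in enforcing mode leaves no trace in the log. Adding `pam_syslog(pamh, LOG_ERR, "Unable to get valid context");` before the free_module_data() call keeps the old diagnostic. The `restore` branch of pam_sm_open_session passes `data` straight to restore_context even when get_module_data() presumably returns NULL (no earlier open_session saved state, SELinux disabled, or create_context failed before pam_set_data), and pam_sm_close_session in the next hunk does the same, so restore_context must treat a NULL argument as a no-op; a comment at the call such as `/* data may be NULL when nothing was saved; restore_context must then be a no-op */` would make that contract visible. create_context's signature is in the previous hunk and pam_sm_close_session's body continues past this one.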
@@ -803,34 +827,10 @@ pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
if (debug)
pam_syslog(pamh, LOG_NOTICE, "Close Session");
+ /* Is this module supposed to execute open_session only? */
if (open_session)
return PAM_SUCCESS;
- if (ttyn) {
- if (debug)
- pam_syslog(pamh, LOG_NOTICE, "Restore tty %s -> %s",
- ttyn,ttyn_context);
-
- security_restorelabel_tty(pamh,ttyn,ttyn_context);
- freecon(ttyn_context);
- free(ttyn);
- ttyn=NULL;
- }
-
- if (setexeccon(prev_user_context)) {
- pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.",
- prev_user_context ? prev_user_context : "");
- if (security_getenforce() == 1)
- status = PAM_AUTH_ERR;
- else
- status = PAM_SUCCESS;
- } else if (debug)
- pam_syslog(pamh, LOG_NOTICE, "Executable context back to original");
-
- if (prev_user_context) {
- freecon(prev_user_context);
- prev_user_context = NULL;
- }
-
- return status;
+ /* Restore original context. */
+ return restore_context(pamh, get_module_data(pamh), debug);
}
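Review bot: The enforcing/permissive distinction the removed lines made for a failed setexeccon() (PAM_AUTH_ERR only when security_getenforce() == 1, PAM_SUCCESS otherwise) now has to live inside restore_context, which is outside this hunk, so close_session's return value on a failed restore cannot be verified here; the debug messages "Restore tty" and "Executable context back to original" are likewise gone from this path unless restore_context reproduces them. Since pam_sm_close_session no longer checks whether SELinux is enabled before delegating, the comment `/* Restore original context (no-op when open_session saved nothing). */` would document the intended behaviour, provided restore_context really returns early on NULL data. The function begins in the previous hunk.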
diff --git a/modules/pam_selinux/pam_selinux_check.8 b/modules/pam_selinux/pam_selinux_check.8
index d6fcdff1..34f578d7 100644
--- a/modules/pam_selinux/pam_selinux_check.8
+++ b/modules/pam_selinux/pam_selinux_check.8
@@ -29,7 +29,7 @@ returns an exit code of 0 for success and > 0 on error:
pam_selinux(8)
.SH BUGS
-Let's hope not, but if you find any, please email the author.
+Let's hope not, but if you find any, please email the author.
.SH AUTHOR
Dan Walsh <dwalsh@redhat.com>