SOURCES: pam-selinux-nofail.patch (NEW), pam-namespace-level.patch...
baggins
baggins at pld-linux.org
Mon Feb 5 00:29:49 CET 2007
Author: baggins Date: Sun Feb 4 23:29:48 2007 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- selinux fixes and enhancements for pam_selinux and pam_namespace
(patches from Fedora)
---- Files affected:
SOURCES:
pam-selinux-nofail.patch (NONE -> 1.1) (NEW), pam-namespace-level.patch (NONE -> 1.1) (NEW), pam-namespace-no-unmount.patch (NONE -> 1.1) (NEW), pam-namespace-preserve-uid.patch (NONE -> 1.1) (NEW), pam-namespace-unmnt-override.patch (NONE -> 1.1) (NEW), pam-selinux-drop-multiple.patch (NONE -> 1.1) (NEW), pam-selinux-keycreate.patch (NONE -> 1.1) (NEW), pam-selinux-select-context.patch (NONE -> 1.1) (NEW), pam-selinux-use-current-range.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/pam-selinux-nofail.patch
diff -u /dev/null SOURCES/pam-selinux-nofail.patch:1.1
--- /dev/null Mon Feb 5 00:29:48 2007
+++ SOURCES/pam-selinux-nofail.patch Mon Feb 5 00:29:43 2007
@@ -0,0 +1,78 @@
+--- Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c.nofail 2005-11-29 10:22:05.000000000 +0100
++++ Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c 2005-12-15 14:12:54.000000000 +0100
+@@ -327,6 +327,8 @@
+ int num_contexts = 0;
+ const void *username = NULL;
+ const void *tty = NULL;
++ char *seuser=NULL;
++ char *level=NULL;
+
+ /* Parse arguments. */
+ for (i = 0; i < argc; i++) {
+@@ -361,7 +363,18 @@
+ username == NULL) {
+ return PAM_AUTH_ERR;
+ }
+- num_contexts = get_ordered_context_list(username, 0, &contextlist);
++
++ if (getseuserbyname(username, &seuser, &level)==0) {
++ num_contexts = get_ordered_context_list_with_level(seuser,
++ level,
++ NULL,
++ &contextlist);
++ if (debug)
++ pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
++ (const char *)username, seuser, level);
++ free(seuser);
++ free(level);
++ }
+ if (num_contexts > 0) {
+ if (multiple && (num_contexts > 1) && has_tty) {
+ user_context = select_context(pamh,contextlist, debug);
+@@ -376,13 +389,19 @@
+ if (user_context == NULL) {
+ pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s",
+ (const char *)username);
+- return PAM_AUTH_ERR;
++ if (security_getenforce() == 1)
++ return PAM_AUTH_ERR;
++ else
++ return PAM_SUCCESS;
+ }
+ } else {
+ pam_syslog (pamh, LOG_ERR,
+ "Unable to get valid context for %s, No valid tty",
+ (const char *)username);
+- return PAM_AUTH_ERR;
++ if (security_getenforce() == 1)
++ return PAM_AUTH_ERR;
++ else
++ return PAM_SUCCESS;
+ }
+ }
+ if (getexeccon(&prev_user_context)<0) {
+@@ -420,8 +439,10 @@
+ pam_syslog(pamh, LOG_ERR,
+ "Error! Unable to set %s executable context %s.",
+ (const char *)username, user_context);
+- freecon(user_context);
+- return PAM_AUTH_ERR;
++ if (security_getenforce() == 1) {
++ freecon(user_context);
++ return PAM_AUTH_ERR;
++ }
+ } else {
+ if (debug)
+ pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
+@@ -471,7 +492,10 @@
+ if (status) {
+ pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.",
+ prev_user_context);
+- return PAM_AUTH_ERR;
++ if (security_getenforce() == 1)
++ return PAM_AUTH_ERR;
++ else
++ return PAM_SUCCESS;
+ }
+
+ if (debug)
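Review bot: The four new `security_getenforce() == 1` tests (the `user_context == NULL` path, the "No valid tty" path, the setexeccon failure and the context-restore failure) fail open: libselinux's security_getenforce() also returns -1 when the mode cannot be determined (selinuxfs unavailable), and that error case now yields PAM_SUCCESS exactly like permissive mode. Compare against 0 instead, `if (security_getenforce() != 0) return PAM_AUTH_ERR;`, so an unreadable enforcing state is still treated as enforcing. Separately, when `getseuserbyname()` returns non-zero nothing is logged, `num_contexts` stays 0 and the user is refused with the misleading "No valid tty" message; a `pam_syslog(pamh, LOG_ERR, "Unable to get SELinux user for %s", (const char *)username);` on that branch would make the failure diagnosable. The setexeccon-failure site also no longer frees `user_context` in permissive mode, so whatever frees it later on the success path must also run there — confirm, since that code is outside the hunk. The enclosing function begins and ends outside this hunk.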
================================================================
Index: SOURCES/pam-namespace-level.patch
diff -u /dev/null SOURCES/pam-namespace-level.patch:1.1
--- /dev/null Mon Feb 5 00:29:48 2007
+++ SOURCES/pam-namespace-level.patch Mon Feb 5 00:29:43 2007
@@ -0,0 +1,250 @@
+--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.level 2007-01-19 08:33:11.000000000 -0500
++++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-19 08:33:11.000000000 -0500
+@@ -244,23 +244,29 @@
+ }
+ strcpy(poly.dir, dir);
+ strcpy(poly.instance_prefix, instance_prefix);
+- if (strcmp(method, "user") == 0)
+- poly.method = USER;
++
++ poly.method = NONE;
++ if (strcmp(method, "user") == 0)
++ poly.method = USER;
++
+ #ifdef WITH_SELINUX
+- else if (strcmp(method, "context") == 0) {
++ if (strcmp(method, "level") == 0) {
+ if (idata->flags & PAMNS_CTXT_BASED_INST)
+- poly.method = CONTEXT;
++ poly.method = LEVEL;
+ else
+ poly.method = USER;
+- } else if (strcmp(method, "both") == 0) {
++ }
++
++ if (strcmp(method, "context") == 0) {
+ if (idata->flags & PAMNS_CTXT_BASED_INST)
+- poly.method = BOTH;
++ poly.method = CONTEXT;
+ else
+ poly.method = USER;
+ }
+
+ #endif
+- else {
++
++ if ( poly.method == NONE) {
+ pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method");
+ goto skipping;
+ }
+@@ -448,19 +454,23 @@
+ return PAM_SESSION_ERR;
+ }
+
++ if (polyptr->method == USER) return PAM_SUCCESS;
++
++ rc = getexeccon(&scon);
++ if (rc < 0 || scon == NULL) {
++ pam_syslog(idata->pamh, LOG_ERR,
++ "Error getting exec context, %m");
++ return PAM_SESSION_ERR;
++ }
++
+ /*
+ * If polyinstantiating based on security context, get current
+ * process security context, get security class for directories,
+ * and ask the policy to provide security context of the
+ * polyinstantiated instance directory.
+ */
+- if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) {
+- rc = getexeccon(&scon);
+- if (rc < 0 || scon == NULL) {
+- pam_syslog(idata->pamh, LOG_ERR,
+- "Error getting exec context, %m");
+- return PAM_SESSION_ERR;
+- }
++
++ if (polyptr->method == CONTEXT) {
+ tclass = string_to_security_class("dir");
+
+ if (security_compute_member(scon, *origcon, tclass,
+@@ -473,7 +483,48 @@
+ pam_syslog(idata->pamh, LOG_DEBUG,
+ "member context returned by policy %s", *i_context);
+ freecon(scon);
++ return PAM_SUCCESS;
+ }
++
++ /*
++ * If polyinstantiating based on security level, get current
++ * process security context, get security class for directories,
++ * and change the directories MLS Level to match process.
++ */
++
++ if (polyptr->method == LEVEL) {
++ context_t scontext = NULL;
++ context_t fcontext = NULL;
++ rc = PAM_SESSION_ERR;
++
++ scontext = context_new(scon);
++ if (! scontext) {
++ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
++ goto fail;
++ }
++ fcontext = context_new(*origcon);
++ if (! fcontext) {
++ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
++ goto fail;
++ }
++ if (context_range_set(fcontext, context_range_get(scontext)) != 0) {
++ pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Componant of context");
++ goto fail;
++ }
++ *i_context=strdup(context_str(fcontext));
++ if (! *i_context) {
++ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
++ goto fail;
++ }
++
++ rc = PAM_SUCCESS;
++ fail:
++ context_free(scontext);
++ context_free(fcontext);
++ freecon(scon);
++ return rc;
++ }
++ /* Should never get here */
+ return PAM_SUCCESS;
+ }
+ #endif
+@@ -514,19 +565,14 @@
+ break;
+
+ #ifdef WITH_SELINUX
++ case LEVEL:
+ case CONTEXT:
+- if (asprintf(i_name, "%s", *i_context) < 0) {
+- *i_name = NULL;
+- rc = PAM_SESSION_ERR;
+- }
+- break;
+-
+- case BOTH:
+ if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) {
+ *i_name = NULL;
+ rc = PAM_SESSION_ERR;
+ }
+ break;
++
+ #endif /* WITH_SELINUX */
+
+ default:
+@@ -1158,7 +1204,7 @@
+ #ifdef WITH_SELINUX
+ if (is_selinux_enabled())
+ idata.flags |= PAMNS_SELINUX_ENABLED;
+- if (ctxt_based_inst_needed())
++ if (ctxt_based_inst_needed())
+ idata.flags |= PAMNS_CTXT_BASED_INST;
+ #endif
+
+--- Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.level 2006-06-27 09:07:43.000000000 -0400
++++ Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf 2007-01-19 08:33:11.000000000 -0500
+@@ -4,12 +4,10 @@
+ #
+ # Uncommenting the following three lines will polyinstantiate
+ # /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
+-# be polyinstantiated based on both security context as well as user
+-# name, whereas home directory will be polyinstantiated based on
+-# security context only. Polyinstantion will not be performed for
+-# user root and adm for directories /tmp and /var/tmp, whereas home
+-# directories will be polyinstantiated for all users. The user name
+-# and/or context is appended to the instance prefix.
++# be polyinstantiated based on the MLS level part of the security context as well as user
++# name, Polyinstantion will not be performed for user root and adm for directories
++# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
++# The user name and context is appended to the instance prefix.
+ #
+ # Note that instance directories do not have to reside inside the
+ # polyinstantiated directory. In the examples below, instances of /tmp
+@@ -25,6 +23,6 @@
+ # caution, as it will reduce security and isolation achieved by
+ # polyinstantiation.
+ #
+-#/tmp /tmp-inst/ both root,adm
+-#/var/tmp /var/tmp/tmp-inst/ both root,adm
+-#$HOME $HOME/$USER.inst/inst- context
++#/tmp /tmp-inst/ level root,adm
++#/var/tmp /var/tmp/tmp-inst/ level root,adm
++#$HOME $HOME/$USER.inst/ level
+--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.level 2007-01-19 08:33:11.000000000 -0500
++++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-01-19 08:33:11.000000000 -0500
+@@ -63,6 +63,7 @@
+
+ #ifdef WITH_SELINUX
+ #include <selinux/selinux.h>
++#include <selinux/context.h>
+ #endif
+
+ #ifndef CLONE_NEWNS
+@@ -93,9 +94,10 @@
+ * or both
+ */
+ enum polymethod {
++ NONE,
+ USER,
+ CONTEXT,
+- BOTH,
++ LEVEL,
+ };
+
+ /*
+--- Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.5.xml.level 2006-06-27 09:07:43.000000000 -0400
++++ Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.5.xml 2007-01-19 08:33:11.000000000 -0500
+@@ -22,7 +22,7 @@
+ <para>
+ This module allows setup of private namespaces with polyinstantiated
+ directories. Directories can be polyinstantiated based on user name
+- or, in the case of SELinux, user name, security context or both. If an
++ or, in the case of SELinux, user name, sensitivity level or complete security context. If an
+ executable script <filename>/etc/security/namespace.init</filename>
+ exists, it is used to initialize the namespace every time a new instance
+ directory is setup. The script receives the polyinstantiated
+@@ -72,10 +72,10 @@
+ <para>
+ The third field, <replaceable>method</replaceable>, is the method
+ used for polyinstantiation. It can take 3 different values; "user"
+- for polyinstantiation based on user name, "context" for
+- polyinstantiation based on process security context, and "both"
+- for polyinstantiation based on both user name and security context.
+- Methods "context" and "both" are only available with SELinux. This
++ for polyinstantiation based on user name, "level" for
++ polyinstantiation based on process MLS level and user name, and "context" for
++ polyinstantiation based on process security context and user name
++ Methods "context" and "level" are only available with SELinux. This
+ field cannot be blank.
+ </para>
+
+@@ -98,9 +98,9 @@
+ <literallayout>
+ # The following three lines will polyinstantiate /tmp,
+ # /var/tmp and user's home directories. /tmp and /var/tmp
+- # will be polyinstantiated based on both security context
++ # will be polyinstantiated based on the security level
+ # as well as user name, whereas home directory will be
+- # polyinstantiated based on security context only.
++ # polyinstantiated based on the full security context and user name.
+ # Polyinstantiation will not be performed for user root
+ # and adm for directories /tmp and /var/tmp, whereas home
+ # directories will be polyinstantiated for all users.
+@@ -112,8 +112,8 @@
+ # will reside within the directories that are being
+ # polyinstantiated.
+ #
+- /tmp /tmp-inst/ both root,adm
+- /var/tmp /var/tmp/tmp-inst/ both root,adm
++ /tmp /tmp-inst/ level root,adm
++ /var/tmp /var/tmp/tmp-inst/ level root,adm
+ $HOME $HOME/$USER.inst/inst- context
+ </literallayout>
+
================================================================
Index: SOURCES/pam-namespace-no-unmount.patch
diff -u /dev/null SOURCES/pam-namespace-no-unmount.patch:1.1
--- /dev/null Mon Feb 5 00:29:49 2007
+++ SOURCES/pam-namespace-no-unmount.patch Mon Feb 5 00:29:43 2007
@@ -0,0 +1,95 @@
+--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.no-unmount 2006-10-24 07:45:36.000000000 -0400
++++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-19 08:08:58.000000000 -0500
+@@ -1266,12 +1266,30 @@
+ idata.flags |= PAMNS_DEBUG;
+ if (strcmp(argv[i], "ignore_config_error") == 0)
+ idata.flags |= PAMNS_IGN_CONFIG_ERR;
++ if (strcmp(argv[i], "no_unmount_on_close") == 0)
++ idata.flags |= PAMNS_NO_UNMOUNT_ON_CLOSE;
+ }
+
+ if (idata.flags & PAMNS_DEBUG)
+ pam_syslog(idata.pamh, LOG_DEBUG, "close_session - start");
+
+ /*
++ * For certain trusted programs such as newrole, open session
++ * is called from a child process while the parent perfoms
++ * close session and pam end functions. For these commands
++ * pam_close_session should not perform the unmount of the
++ * polyinstantiatied directory because it will result in
++ * undoing of parents polyinstantiatiaion. These commands
++ * will invoke pam_namespace with the "no_unmount_on_close"
++ * argument.
++ */
++ if (idata.flags & PAMNS_NO_UNMOUNT_ON_CLOSE) {
++ if (idata.flags & PAMNS_DEBUG)
++ pam_syslog(idata.pamh, LOG_DEBUG, "close_session - sucessful");
++ return PAM_SUCCESS;
++ }
++
++ /*
+ * Lookup user and fill struct items
+ */
+ retval = pam_get_item(idata.pamh, PAM_USER, (void*) &user_name );
+--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml.no-unmount 2006-06-27 09:07:44.000000000 -0400
++++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.8.xml 2007-01-19 07:45:02.000000000 -0500
+@@ -43,6 +43,9 @@
+ <arg choice="opt">
+ ignore_instance_parent_mode
+ </arg>
++ <arg choice="opt">
++ no_unmount_on_close
++ </arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+@@ -179,6 +182,22 @@
+ </listitem>
+ </varlistentry>
+
++ <varlistentry>
++ <term>
++ <option>no_unmount_on_close</option>
++ </term>
++ <listitem>
++ <para>
++ For certain trusted programs such as newrole, open session
++ is called from a child process while the parent perfoms
++ close session and pam end functions. For these commands
++ use this option to instruct pam_close_session to not
++ unmount the bind mounted polyinstantiated directory in the
++ parent.
++ </para>
++ </listitem>
++ </varlistentry>
++
+ </variablelist>
+ </refsect1>
+
+--- Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml.no-unmount 2006-06-28 03:22:43.000000000 -0400
++++ Linux-PAM-0.99.7.0/modules/pam_namespace/README.xml 2007-01-19 07:45:02.000000000 -0500
+@@ -121,6 +121,14 @@
+ the restrictive mode of 000. Using this option, an administrator
+ can choose to ignore the mode of the instance parent.
+
++ no_unmount_on_close
++ For certain trusted programs such as newrole, open session
++ is called from a child process while the parent perfoms
++ close session and pam end functions. For these commands
++ use this option to instruct pam_close_session to not
++ unmount the bind mounted polyinstantiated directory in the
++ parent.
++
+ MODULE SERVICES PROVIDED:
+ session open_session and close_session
+
+--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.no-unmount 2006-07-28 07:59:28.000000000 -0400
++++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-01-19 07:45:02.000000000 -0500
+@@ -86,6 +86,7 @@
+ #define PAMNS_GEN_HASH 0x00002000 /* Generate md5 hash for inst names */
+ #define PAMNS_IGN_CONFIG_ERR 0x00004000 /* Ignore format error in conf file */
+ #define PAMNS_IGN_INST_PARENT_MODE 0x00008000 /* Ignore instance parent mode */
++#define PAMNS_NO_UNMOUNT_ON_CLOSE 0x00010000 /* no unmount at session close */
+
+ /*
+ * Polyinstantiation method options, based on user, security context
================================================================
Index: SOURCES/pam-namespace-preserve-uid.patch
diff -u /dev/null SOURCES/pam-namespace-preserve-uid.patch:1.1
--- /dev/null Mon Feb 5 00:29:49 2007
+++ SOURCES/pam-namespace-preserve-uid.patch Mon Feb 5 00:29:43 2007
@@ -0,0 +1,8 @@
+--- Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init.preserve-uid 2006-06-27 15:07:43.000000000 +0200
++++ Linux-PAM-0.99.6.2/modules/pam_namespace/namespace.init 2006-10-13 10:51:03.000000000 +0200
+@@ -1,4 +1,4 @@
+-#!/bin/sh
++#!/bin/sh -p
+ # This is only a boilerplate for the instance initialization script.
+ # It receives polydir path as $1 and the instance path as $2.
+ #
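Review bot: `#!/bin/sh -p` relies on a bash/ksh extension; dash and other strict POSIX sh implementations reject `-p` as an illegal option, in which case namespace.init would fail to execute at all on a system where /bin/sh is not bash, and every polyinstantiated session would then fail its instance initialization. If the intent is bash's privileged mode (keep the effective uid and skip `$ENV`/`$BASH_ENV` processing when the script is run with differing real and effective ids), say so explicitly with `#!/bin/bash -p` plus a one-line comment, or document that /bin/sh must be bash for this script. The body the shebang protects is outside the hunk.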
================================================================
Index: SOURCES/pam-namespace-unmnt-override.patch
diff -u /dev/null SOURCES/pam-namespace-unmnt-override.patch:1.1
--- /dev/null Mon Feb 5 00:29:49 2007
+++ SOURCES/pam-namespace-unmnt-override.patch Mon Feb 5 00:29:43 2007
@@ -0,0 +1,125 @@
+--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.unmnt-override 2007-01-22 14:06:31.000000000 +0100
++++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-23 16:41:57.000000000 +0100
+@@ -417,17 +417,18 @@
+ * uids for the polyinstantiated directory, polyinstantiation is not
+ * performed for that user for that directory.
+ */
+-static int ns_override(struct polydir_s *polyptr, struct instance_data *idata)
++static int ns_override(struct polydir_s *polyptr, struct instance_data *idata,
++ uid_t uid)
+ {
+ unsigned int i;
+
+ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG,
+ "Checking for ns override in dir %s for uid %d",
+- polyptr->dir, idata->uid);
++ polyptr->dir, uid);
+
+ for (i = 0; i < polyptr->num_uids; i++) {
+- if (idata->uid == polyptr->uid[i]) {
++ if (uid == polyptr->uid[i]) {
+ return 1;
+ }
+ }
+@@ -1013,21 +1014,46 @@
+ int retval = 0, need_poly = 0, changing_dir = 0;
+ char *cptr, *fptr, poly_parent[PATH_MAX];
+ struct polydir_s *pptr;
++ uid_t req_uid;
++ const void *ruser_name;
++ struct passwd *pwd;
+
+ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG, "Set up namespace for pid %d",
+ getpid());
+
++ retval = pam_get_item(idata->pamh, PAM_RUSER, &ruser_name);
++ if (ruser_name == NULL || retval != PAM_SUCCESS) {
++ retval = PAM_SUCCESS;
++ req_uid = getuid();
++ } else {
++ pwd = pam_modutil_getpwnam(idata->pamh, ruser_name);
++ if (pwd != NULL) {
++ req_uid = pwd->pw_uid;
++ } else {
++ req_uid = getuid();
++ }
++ }
++
+ /*
+ * Cycle through all polyinstantiated directory entries to see if
+ * polyinstantiation is needed at all.
+ */
+ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
+- if (ns_override(pptr, idata)) {
+- if (idata->flags & PAMNS_DEBUG)
+- pam_syslog(idata->pamh, LOG_DEBUG,
++ if (ns_override(pptr, idata, idata->uid)) {
++ if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
++ if (idata->flags & PAMNS_DEBUG)
++ pam_syslog(idata->pamh, LOG_DEBUG,
+ "Overriding poly for user %d for dir %s",
+ idata->uid, pptr->dir);
++ } else {
++ if (idata->flags & PAMNS_DEBUG)
++ pam_syslog(idata->pamh, LOG_DEBUG,
++ "Need unmount ns for user %d for dir %s",
++ idata->uid, pptr->dir);
++ need_poly = 1;
++ break;
++ }
+ continue;
+ } else {
+ if (idata->flags & PAMNS_DEBUG)
+@@ -1057,15 +1083,20 @@
+ * call ns_setup to setup polyinstantiation for a particular entry.
+ */
+ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
+- if (ns_override(pptr, idata))
+- continue;
+- else {
+- if (idata->flags & PAMNS_DEBUG)
++ enum unmnt_op dir_unmnt = unmnt;
++ if (ns_override(pptr, idata, idata->uid)) {
++ if (unmnt == NO_UNMNT || ns_override(pptr, idata, req_uid)) {
++ continue;
++ } else {
++ dir_unmnt = UNMNT_ONLY;
++ }
++ }
++ if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG,
+ "Setting poly ns for user %d for dir %s",
+ idata->uid, pptr->dir);
+
+- if ((unmnt == UNMNT_REMNT) || (unmnt == UNMNT_ONLY)) {
++ if ((dir_unmnt == UNMNT_REMNT) || (dir_unmnt == UNMNT_ONLY)) {
+ /*
+ * Check to see if process current directory is in the
+ * bind mounted instance_parent directory that we are trying to
+@@ -1105,13 +1136,12 @@
+ } else if (idata->flags & PAMNS_DEBUG)
+ pam_syslog(idata->pamh, LOG_DEBUG, "Umount succeeded %s",
+ pptr->dir);
+- }
++ }
+
+- if (unmnt != UNMNT_ONLY) {
++ if (dir_unmnt != UNMNT_ONLY) {
+ retval = ns_setup(pptr, idata);
+ if (retval != PAM_SUCCESS)
+ break;
+- }
+ }
+ }
+
+@@ -1138,7 +1168,7 @@
+ * appropriate polyinstantiated instance directories.
+ */
+ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
+- if (ns_override(pptr, idata))
++ if (ns_override(pptr, idata, idata->uid))
+ continue;
+ else {
+ if (idata->flags & PAMNS_DEBUG)
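Review bot: `ruser_name` is declared without an initializer and is tested before `retval` in `if (ruser_name == NULL || retval != PAM_SUCCESS)`, so if `pam_get_item()` ever fails without writing the item the comparison reads an indeterminate pointer; initialize it and check the status first, `const void *ruser_name = NULL;` and `if (retval != PAM_SUCCESS || ruser_name == NULL)`. The lookup also deserves a comment on its trust model: PAM_RUSER is supplied by the application (su/newrole set it to the calling user) and is not verified by libpam, an unknown or absent name falls back to `getuid()`, and for a root-running service that uid is typically itself in the override list, so the new unmount-only path is only reachable through applications that set PAM_RUSER — e.g. `/* PAM_RUSER is app-supplied and unverified; unknown names fall back to the real uid */`. The enclosing function begins outside the hunk.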
================================================================
Index: SOURCES/pam-selinux-drop-multiple.patch
diff -u /dev/null SOURCES/pam-selinux-drop-multiple.patch:1.1
--- /dev/null Mon Feb 5 00:29:49 2007
+++ SOURCES/pam-selinux-drop-multiple.patch Mon Feb 5 00:29:43 2007
@@ -0,0 +1,125 @@
+--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.drop-multiple 2006-06-18 10:26:59.000000000 +0200
++++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml 2006-11-10 17:47:16.000000000 +0100
+@@ -25,9 +25,6 @@
+ debug
+ </arg>
<<Diff was trimmed, longer than 597 lines>>