SOURCES: pam-selinux-permit.patch (NEW) - add pam_selinux_permit m...
baggins
baggins at pld-linux.org
Sat Oct 27 17:17:01 CEST 2007
Author: baggins Date: Sat Oct 27 15:17:01 2007 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- add pam_selinux_permit module
---- Files affected:
SOURCES:
pam-selinux-permit.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/pam-selinux-permit.patch
diff -u /dev/null SOURCES/pam-selinux-permit.patch:1.1
--- /dev/null Sat Oct 27 17:17:01 2007
+++ SOURCES/pam-selinux-permit.patch Sat Oct 27 17:16:56 2007
@@ -0,0 +1,473 @@
+Written-by: Tomas Mraz <tmraz at redhat.com>
+Reviewed-by: Karel Zak <kzak at redhat.com>
+
+diff -up /dev/null Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.8.xml
+--- /dev/null 2007-09-17 08:57:19.474470099 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.8.xml 2007-09-19 19:37:26.000000000 +0200
+@@ -0,0 +1,182 @@
++<?xml version="1.0" encoding='UTF-8'?>
++<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
++ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
++
++<refentry id="pam_selinux_permit">
++
++ <refmeta>
++ <refentrytitle>pam_selinux_permit</refentrytitle>
++ <manvolnum>8</manvolnum>
++ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
++ </refmeta>
++
++ <refnamediv id="pam_selinux_permit-name">
++ <refname>pam_selinux_permit</refname>
++ <refpurpose>PAM module to allow/deny login depending on SELinux enforcement state</refpurpose>
++ </refnamediv>
++
++ <refsynopsisdiv>
++ <cmdsynopsis id="pam_selinux_permit-cmdsynopsis">
++ <command>pam_selinux_permit.so</command>
++ <arg choice="opt">
++ debug
++ </arg>
++ <arg choice="opt">
++ conf=<replaceable>/path/to/config/file</replaceable>
++ </arg>
++ </cmdsynopsis>
++ </refsynopsisdiv>
++
++ <refsect1 id="pam_selinux_permit-description">
++ <title>DESCRIPTION</title>
++ <para>
++ The pam_selinux module allows or denies login depending on SELinux enforcement
++ state.
++ </para>
++ <para>
++ When the user which is logging in matches an entry in the config file
++ he is allowed access only when the SELinux is in enforcing mode. Otherwise
++ he is denied access. For users not matching any entry in the config file
++ the pam_selinux_permit module returns PAM_IGNORE return value.
++ </para>
++ <para>
++ The config file contains a simple list of user names one per line. If the
++ <replaceable>name</replaceable> is prefixed with @ character it means that all
++ users in the group <replaceable>name</replaceable> match. If it is prefixed
++ with a % character the SELinux user is used to match against the <replaceable>name</replaceable>
++ instead of the account name. Note that when SELinux is disabled the
++ SELinux user assigned to the account cannot be determined. This means that
++ such entries are never matched when SELinux is disabled and pam_selinux_permit
++ will return PAM_IGNORE.
++ </para>
++ </refsect1>
++
++ <refsect1 id="pam_selinux_permit-options">
++ <title>OPTIONS</title>
++ <variablelist>
++ <varlistentry>
++ <term>
++ <option>debug</option>
++ </term>
++ <listitem>
++ <para>
++ Turns on debugging via
++ <citerefentry>
++ <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
++ </citerefentry>.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>
++ <option>conf=<replaceable>/path/to/config/file</replaceable></option>
++ </term>
++ <listitem>
++ <para>
++ Path to alternative config file overriding the default.
++ </para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
++ </refsect1>
++
++ <refsect1 id="pam_selinux_permit-services">
++ <title>MODULE SERVICES PROVIDED</title>
++ <para>
++ Only the <option>auth</option> and <option>account</option>
++ services are supported.
++ </para>
++ </refsect1>
++
++ <refsect1 id='pam_selinux_permit-return_values'>
++ <title>RETURN VALUES</title>
++ <variablelist>
++ <varlistentry>
++ <term>PAM_AUTH_ERR</term>
++ <listitem>
++ <para>
++ SELinux is disabled or in the permissive mode and the user
++ matches.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>PAM_SUCCESS</term>
++ <listitem>
++ <para>
++ SELinux is in the enforcing mode and the user matches.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>PAM_IGNORE</term>
++ <listitem>
++ <para>
++ The user does not match any entry in the config file.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>PAM_USER_UNKNOWN</term>
++ <listitem>
++ <para>
++ The module was unable to determine the user's name.
++ </para>
++ </listitem>
++ </varlistentry>
++ <varlistentry>
++ <term>PAM_SERVICE_ERR</term>
++ <listitem>
++ <para>
++ Error during reading or parsing the config file.
++ </para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
++ </refsect1>
++
++ <refsect1 id="pam_selinux_permit-files">
++ <title>FILES</title>
++ <variablelist>
++ <varlistentry>
++ <term><filename>/etc/security/sepermit.conf</filename></term>
++ <listitem>
++ <para>Default configuration file</para>
++ </listitem>
++ </varlistentry>
++ </variablelist>
++ </refsect1>
++
++ <refsect1 id='pam_selinux_permit-examples'>
++ <title>EXAMPLES</title>
++ <programlisting>
++auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
++auth required pam_unix.so
++account required pam_unix.so
++session required pam_permit.so
++ </programlisting>
++ </refsect1>
++
++ <refsect1 id='pam_selinux_permit-see_also'>
++ <title>SEE ALSO</title>
++ <para>
++ <citerefentry>
++ <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
++ </citerefentry>,
++ <citerefentry>
++ <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
++ </citerefentry>,
++ <citerefentry>
++ <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
++ </citerefentry>
++ </para>
++ </refsect1>
++
++ <refsect1 id='pam_selinux_permit-author'>
++ <title>AUTHOR</title>
++ <para>
++ pam_selinux_permit was written by Tomas Mraz <tmraz at redhat.com>.
++ </para>
++ </refsect1>
++
++</refentry>
+diff -up /dev/null Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.c
+--- /dev/null 2007-09-17 08:57:19.474470099 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.c 2007-09-19 20:29:47.000000000 +0200
+@@ -0,0 +1,222 @@
++/******************************************************************************
++ * A module for Linux-PAM that allows/denies acces based on SELinux state.
++ *
++ * Copyright (c) 2007 Red Hat, Inc.
++ * Written by Tomas Mraz <tmraz at redhat.com>
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, and the entire permission notice in its entirety,
++ * including the disclaimer of warranties.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * 3. The name of the author may not be used to endorse or promote
++ * products derived from this software without specific prior
++ * written permission.
++ *
++ * ALTERNATIVELY, this product may be distributed under the terms of
++ * the GNU Public License, in which case the provisions of the GPL are
++ * required INSTEAD OF the above restrictions. (This clause is
++ * necessary due to a potential bad interaction between the GPL and
++ * the restrictions contained in a BSD-style copyright.)
++ *
++ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
++ * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
++ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
++ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
++ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
++ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
++ * OF THE POSSIBILITY OF SUCH DAMAGE.
++ *
++ */
++
++#include "config.h"
++
++#include <errno.h>
++#include <pwd.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <syslog.h>
++#include <ctype.h>
++
++#define PAM_SM_AUTH
++#define PAM_SM_ACCOUNT
++
++#include <security/pam_modules.h>
++#include <security/_pam_macros.h>
++#include <security/pam_modutil.h>
++#include <security/pam_ext.h>
++
++#include <selinux/selinux.h>
++
++/* return 0 when matched, -1 when unmatched, pam error otherwise */
++static int
++sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
++ const char *seuser, int debug)
++{
++ FILE *f;
++ char *line = NULL;
++ char *start;
++ size_t len = 0;
++ int matched = 0;
++
++ f = fopen(cfgfile, "r");
++
++ if (!f) {
++ pam_syslog(pamh, LOG_ERR, "Failed to open config file %s: %m", cfgfile);
++ return PAM_SERVICE_ERR;
++ }
++
++ while (!matched && getline(&line, &len, f) != -1) {
++ size_t n;
++
++ if (line[0] == '#')
++ continue;
++
++ start = line;
++ while (isspace(*start))
++ ++start;
++ n = strlen(start);
++ while (n > 0 && isspace(start[n-1])) {
++ --n;
++ }
++ if (n == 0)
++ continue;
++
++ start[n] = '\0';
++
++ switch (start[0]) {
++ case '@':
++ ++start;
++ if (debug)
++ pam_syslog(pamh, LOG_NOTICE, "Matching user %s against group %s", user, start);
++ if (pam_modutil_user_in_group_nam_nam(pamh, user, start)) {
++ matched = 1;
++ }
++ break;
++ case '%':
++ ++start;
++ if (debug)
++ pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start);
++ if (strcmp(seuser, start) == 0) {
++ matched = 1;
++ }
++ break;
++ default:
++ if (debug)
++ pam_syslog(pamh, LOG_NOTICE, "Matching user %s against user %s", user, start);
++ if (strcmp(user, start) == 0) {
++ matched = 1;
++ }
++ }
++ }
++
++ free(line);
++ fclose(f);
++ return matched ? 0 : -1;
++}
++
++PAM_EXTERN int
++pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
++ int argc, const char **argv)
++{
++ int i;
++ int rv;
++ int debug = 0;
++ int sense = PAM_AUTH_ERR;
++ const char *user = NULL;
++ char *seuser = NULL;
++ char *level = NULL;
++ const char *cfgfile = SEPERMIT_CONF_FILE;
++
++ /* Parse arguments. */
++ for (i = 0; i < argc; i++) {
++ if (strcmp(argv[i], "debug") == 0) {
++ debug = 1;
++ }
++ if (strcmp(argv[i], "conf=") == 0) {
++ cfgfile = argv[i] + 5;
++ }
++ }
++
++ if (debug)
++ pam_syslog(pamh, LOG_NOTICE, "Parsing config file: %s", cfgfile);
++
++ if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
++ || *user == '\0') {
++ pam_syslog(pamh, LOG_ERR, "Cannot determine the user's name");
++ return PAM_USER_UNKNOWN;
++ }
++
++ if (is_selinux_enabled() > 0) {
++ if (security_getenforce() == 1) {
++ if (debug)
++ pam_syslog(pamh, LOG_NOTICE, "Enforcing mode, access will be allowed on match");
++ sense = PAM_SUCCESS;
++ }
++
++ if (getseuserbyname(user, &seuser, &level) != 0) {
++ seuser = NULL;
++ level = NULL;
++ pam_syslog(pamh, LOG_ERR, "getseuserbyname failed: %m");
++ }
++ }
++
++ if (debug && sense != PAM_SUCCESS)
++ pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match");
++
++ rv = sepermit_match(pamh, cfgfile, user, seuser, debug);
++
++ if (debug)
++ pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv);
++
++ free(seuser);
++ free(level);
++
++ switch (rv) {
++ case -1:
++ return PAM_IGNORE;
++ case 0:
++ return sense;
++ }
++
++ return rv;
++}
++
++PAM_EXTERN int
++pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
++ int argc UNUSED, const char **argv UNUSED)
++{
++ return PAM_IGNORE;
++}
++
++PAM_EXTERN int
++pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
++ int argc, const char **argv)
++{
++ return pam_sm_authenticate(pamh, flags, argc, argv);
++}
++
++#ifdef PAM_STATIC
++
++/* static module data */
++
++struct pam_module _pam_access_modstruct = {
++ "pam_access",
++ pam_sm_authenticate,
++ pam_sm_setcred,
++ pam_sm_acct_mgmt,
++ NULL,
++ NULL,
++ NULL
++};
++#endif
++
+diff -up /dev/null Linux-PAM-0.99.8.1/modules/pam_selinux/sepermit.conf
+--- /dev/null 2007-09-17 08:57:19.474470099 +0200
++++ Linux-PAM-0.99.8.1/modules/pam_selinux/sepermit.conf 2007-09-19 19:37:26.000000000 +0200
+@@ -0,0 +1,6 @@
++# /etc/security/sepermit.conf
++#
++# Each line contains either:
++# - an user name
++# - a group name, with @group syntax
++# - a SELinux user name, with %seuser syntax
+diff -up Linux-PAM-0.99.8.1/modules/pam_selinux/Makefile.am.permit Linux-PAM-0.99.8.1/modules/pam_selinux/Makefile.am
+--- Linux-PAM-0.99.8.1/modules/pam_selinux/Makefile.am.permit 2007-01-23 11:09:25.000000000 +0100
++++ Linux-PAM-0.99.8.1/modules/pam_selinux/Makefile.am 2007-09-19 19:37:26.000000000 +0200
+@@ -5,20 +5,21 @@
+ CLEANFILES = *~
+
+ EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \
+- tst-pam_selinux
++ pam_seliux_permit.8 sepermit.conf tst-pam_selinux
+
+ if HAVE_LIBSELINUX
+ TESTS = tst-pam_selinux
+- man_MANS = pam_selinux.8
++ man_MANS = pam_selinux.8 pam_selinux_permit.8
+ endif
+
+-XMLS = README.xml pam_selinux.8.xml
++XMLS = README.xml pam_selinux.8.xml pam_selinux_permit.8.xml
+
+ securelibdir = $(SECUREDIR)
+ secureconfdir = $(SCONFIGDIR)
+
+ AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
+- -I$(top_srcdir)/libpam_misc/include
++ -I$(top_srcdir)/libpam_misc/include \
++ -D SEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\"
+ AM_LDFLAGS = -no-undefined \
+ -L$(top_builddir)/libpam -lpam @LIBSELINUX@
+
+@@ -30,12 +31,16 @@ if HAVE_VERSIONING
+ -Wl,--version-script=$(srcdir)/../modules.map
+ endif
+
++pam_selinux_permit_la_LDFLAGS= $(pam_selinux_la_LDFLAGS)
++
++secureconf_DATA = sepermit.conf
++
+ if HAVE_LIBSELINUX
+- securelib_LTLIBRARIES = pam_selinux.la
++ securelib_LTLIBRARIES = pam_selinux.la pam_selinux_permit.la
+ noinst_PROGRAMS = pam_selinux_check
+ endif
+ if ENABLE_REGENERATE_MAN
+-noinst_DATA = README pam_selinux.8
++noinst_DATA = README pam_selinux.8 pam_selinux_permit.8
+ README: pam_selinux.8.xml
+ -include $(top_srcdir)/Make.xml.rules
+ endif
================================================================
More information about the pld-cvs-commit
mailing list