diff options
Diffstat (limited to 'modules/pam_selinux')
-rw-r--r-- | modules/pam_selinux/Makefile.am | 40 | ||||
-rw-r--r-- | modules/pam_selinux/Makefile.in | 1150 | ||||
-rw-r--r-- | modules/pam_selinux/README | 85 | ||||
-rw-r--r-- | modules/pam_selinux/README.xml | 41 | ||||
-rw-r--r-- | modules/pam_selinux/pam_selinux.8 | 151 | ||||
-rw-r--r-- | modules/pam_selinux/pam_selinux.8.xml | 276 | ||||
-rw-r--r-- | modules/pam_selinux/pam_selinux.c | 841 | ||||
-rw-r--r-- | modules/pam_selinux/pam_selinux_check.8 | 35 | ||||
-rw-r--r-- | modules/pam_selinux/pam_selinux_check.c | 161 | ||||
-rwxr-xr-x | modules/pam_selinux/tst-pam_selinux | 2 |
10 files changed, 2782 insertions, 0 deletions
diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am new file mode 100644 index 0000000..28c60d8 --- /dev/null +++ b/modules/pam_selinux/Makefile.am @@ -0,0 +1,40 @@ +# +# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de> +# + +CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README + +EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ + tst-pam_selinux + +if HAVE_LIBSELINUX + TESTS = tst-pam_selinux + man_MANS = pam_selinux.8 +endif + +XMLS = README.xml pam_selinux.8.xml + +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) + +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -I$(top_srcdir)/libpam_misc/include + +pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module +pam_selinux_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ +if HAVE_VERSIONING + pam_selinux_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map +endif + +if HAVE_LIBSELINUX + securelib_LTLIBRARIES = pam_selinux.la + noinst_PROGRAMS = pam_selinux_check + pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ + $(top_builddir)/libpam_misc/libpam_misc.la +endif +if ENABLE_REGENERATE_MAN +noinst_DATA = README pam_selinux.8 +README: pam_selinux.8.xml +-include $(top_srcdir)/Make.xml.rules +endif diff --git a/modules/pam_selinux/Makefile.in b/modules/pam_selinux/Makefile.in new file mode 100644 index 0000000..6c39eef --- /dev/null +++ b/modules/pam_selinux/Makefile.in @@ -0,0 +1,1150 @@ +# Makefile.in generated by automake 1.13.4 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994-2013 Free Software Foundation, Inc. + +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# +# Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de> +# + + + +VPATH = @srcdir@ +am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__make_running_with_option = \ + case $${target_option-} in \ + ?) ;; \ + *) echo "am__make_running_with_option: internal error: invalid" \ + "target option '$${target_option-}' specified" >&2; \ + exit 1;; \ + esac; \ + has_opt=no; \ + sane_makeflags=$$MAKEFLAGS; \ + if $(am__is_gnu_make); then \ + sane_makeflags=$$MFLAGS; \ + else \ + case $$MAKEFLAGS in \ + *\\[\ \ ]*) \ + bs=\\; \ + sane_makeflags=`printf '%s\n' "$$MAKEFLAGS" \ + | sed "s/$$bs$$bs[$$bs $$bs ]*//g"`;; \ + esac; \ + fi; \ + skip_next=no; \ + strip_trailopt () \ + { \ + flg=`printf '%s\n' "$$flg" | sed "s/$$1.*$$//"`; \ + }; \ + for flg in $$sane_makeflags; do \ + test $$skip_next = yes && { skip_next=no; continue; }; \ + case $$flg in \ + *=*|--*) continue;; \ + -*I) strip_trailopt 'I'; skip_next=yes;; \ + -*I?*) strip_trailopt 'I';; \ + -*O) strip_trailopt 'O'; skip_next=yes;; \ + -*O?*) strip_trailopt 'O';; \ + -*l) strip_trailopt 'l'; skip_next=yes;; \ + -*l?*) strip_trailopt 'l';; \ + -[dEDm]) skip_next=yes;; \ + -[JT]) skip_next=yes;; \ + esac; \ + case $$flg in \ + *$$target_option*) has_opt=yes; break;; \ + esac; \ + done; \ + test $$has_opt = yes +am__make_dryrun = (target_option=n; $(am__make_running_with_option)) +am__make_keepgoing = (target_option=k; $(am__make_running_with_option)) +pkgdatadir = $(datadir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkglibexecdir = $(libexecdir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +@HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map +@HAVE_LIBSELINUX_TRUE@noinst_PROGRAMS = pam_selinux_check$(EXEEXT) +subdir = modules/pam_selinux +DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver README +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ + $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ + $(top_srcdir)/m4/japhar_grep_cflags.m4 \ + $(top_srcdir)/m4/jh_path_xml_catalog.m4 \ + $(top_srcdir)/m4/ld-O1.m4 $(top_srcdir)/m4/ld-as-needed.m4 \ + $(top_srcdir)/m4/ld-no-undefined.m4 $(top_srcdir)/m4/lib-ld.m4 \ + $(top_srcdir)/m4/lib-link.m4 $(top_srcdir)/m4/lib-prefix.m4 \ + $(top_srcdir)/m4/libprelude.m4 $(top_srcdir)/m4/libtool.m4 \ + $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ + $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ + $(top_srcdir)/m4/nls.m4 $(top_srcdir)/m4/po.m4 \ + $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/config.h +CONFIG_CLEAN_FILES = +CONFIG_CLEAN_VPATH_FILES = +am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; +am__vpath_adj = case $$p in \ + $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ + *) f=$$p;; \ + esac; +am__strip_dir = f=`echo $$p | sed -e 's|^.*/||'`; +am__install_max = 40 +am__nobase_strip_setup = \ + srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*|]/\\\\&/g'` +am__nobase_strip = \ + for p in $$list; do echo "$$p"; done | sed -e "s|$$srcdirstrip/||" +am__nobase_list = $(am__nobase_strip_setup); \ + for p in $$list; do echo "$$p $$p"; done | \ + sed "s| $$srcdirstrip/| |;"' / .*\//!s/ .*/ ./; s,\( .*\)/[^/]*$$,\1,' | \ + $(AWK) 'BEGIN { files["."] = "" } { files[$$2] = files[$$2] " " $$1; \ + if (++n[$$2] == $(am__install_max)) \ + { print $$2, files[$$2]; n[$$2] = 0; files[$$2] = "" } } \ + END { for (dir in files) print dir, files[dir] }' +am__base_list = \ + sed '$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;$$!N;s/\n/ /g' | \ + sed '$$!N;$$!N;$$!N;$$!N;s/\n/ /g' +am__uninstall_files_from_dir = { \ + test -z "$$files" \ + || { test ! -d "$$dir" && test ! -f "$$dir" && test ! -r "$$dir"; } \ + || { echo " ( cd '$$dir' && rm -f" $$files ")"; \ + $(am__cd) "$$dir" && rm -f $$files; }; \ + } +am__installdirs = "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)" +LTLIBRARIES = $(securelib_LTLIBRARIES) +pam_selinux_la_DEPENDENCIES = $(top_builddir)/libpam/libpam.la +pam_selinux_la_SOURCES = pam_selinux.c +pam_selinux_la_OBJECTS = pam_selinux.lo +AM_V_lt = $(am__v_lt_@AM_V@) +am__v_lt_ = $(am__v_lt_@AM_DEFAULT_V@) +am__v_lt_0 = --silent +am__v_lt_1 = +pam_selinux_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ + $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ + $(AM_CFLAGS) $(CFLAGS) $(pam_selinux_la_LDFLAGS) $(LDFLAGS) -o \ + $@ +@HAVE_LIBSELINUX_TRUE@am_pam_selinux_la_rpath = -rpath $(securelibdir) +PROGRAMS = $(noinst_PROGRAMS) +pam_selinux_check_SOURCES = pam_selinux_check.c +pam_selinux_check_OBJECTS = pam_selinux_check.$(OBJEXT) +@HAVE_LIBSELINUX_TRUE@pam_selinux_check_DEPENDENCIES = \ +@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam/libpam.la \ +@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam_misc/libpam_misc.la +AM_V_P = $(am__v_P_@AM_V@) +am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) +am__v_P_0 = false +am__v_P_1 = : +AM_V_GEN = $(am__v_GEN_@AM_V@) +am__v_GEN_ = $(am__v_GEN_@AM_DEFAULT_V@) +am__v_GEN_0 = @echo " GEN " $@; +am__v_GEN_1 = +AM_V_at = $(am__v_at_@AM_V@) +am__v_at_ = $(am__v_at_@AM_DEFAULT_V@) +am__v_at_0 = @ +am__v_at_1 = +DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) +depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp +am__depfiles_maybe = depfiles +am__mv = mv -f +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) \ + $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \ + $(AM_CFLAGS) $(CFLAGS) +AM_V_CC = $(am__v_CC_@AM_V@) +am__v_CC_ = $(am__v_CC_@AM_DEFAULT_V@) +am__v_CC_0 = @echo " CC " $@; +am__v_CC_1 = +CCLD = $(CC) +LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \ + $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ + $(AM_LDFLAGS) $(LDFLAGS) -o $@ +AM_V_CCLD = $(am__v_CCLD_@AM_V@) +am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@) +am__v_CCLD_0 = @echo " CCLD " $@; +am__v_CCLD_1 = +SOURCES = pam_selinux.c pam_selinux_check.c +DIST_SOURCES = pam_selinux.c pam_selinux_check.c +am__can_run_installinfo = \ + case $$AM_UPDATE_INFO_DIR in \ + n|no|NO) false;; \ + *) (install-info --version) >/dev/null 2>&1;; \ + esac +man8dir = $(mandir)/man8 +NROFF = nroff +MANS = $(man_MANS) +DATA = $(noinst_DATA) +am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) +# Read a list of newline-separated strings from the standard input, +# and print each of them once, without duplicates. Input order is +# *not* preserved. +am__uniquify_input = $(AWK) '\ + BEGIN { nonempty = 0; } \ + { items[$$0] = 1; nonempty = 1; } \ + END { if (nonempty) { for (i in items) print i; }; } \ +' +# Make sure the list of sources is unique. This is necessary because, +# e.g., the same source file might be shared among _SOURCES variables +# for different programs/libraries. +am__define_uniq_tagged_files = \ + list='$(am__tagged_files)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | $(am__uniquify_input)` +ETAGS = etags +CTAGS = ctags +am__tty_colors_dummy = \ + mgn= red= grn= lgn= blu= brg= std=; \ + am__color_tests=no +am__tty_colors = { \ + $(am__tty_colors_dummy); \ + if test "X$(AM_COLOR_TESTS)" = Xno; then \ + am__color_tests=no; \ + elif test "X$(AM_COLOR_TESTS)" = Xalways; then \ + am__color_tests=yes; \ + elif test "X$$TERM" != Xdumb && { test -t 1; } 2>/dev/null; then \ + am__color_tests=yes; \ + fi; \ + if test $$am__color_tests = yes; then \ + red='[0;31m'; \ + grn='[0;32m'; \ + lgn='[1;32m'; \ + blu='[1;34m'; \ + mgn='[0;35m'; \ + brg='[1m'; \ + std='[m'; \ + fi; \ +} +am__recheck_rx = ^[ ]*:recheck:[ ]* +am__global_test_result_rx = ^[ ]*:global-test-result:[ ]* +am__copy_in_global_log_rx = ^[ ]*:copy-in-global-log:[ ]* +# A command that, given a newline-separated list of test names on the +# standard input, print the name of the tests that are to be re-run +# upon "make recheck". +am__list_recheck_tests = $(AWK) '{ \ + recheck = 1; \ + while ((rc = (getline line < ($$0 ".trs"))) != 0) \ + { \ + if (rc < 0) \ + { \ + if ((getline line2 < ($$0 ".log")) < 0) \ + recheck = 0; \ + break; \ + } \ + else if (line ~ /$(am__recheck_rx)[nN][Oo]/) \ + { \ + recheck = 0; \ + break; \ + } \ + else if (line ~ /$(am__recheck_rx)[yY][eE][sS]/) \ + { \ + break; \ + } \ + }; \ + if (recheck) \ + print $$0; \ + close ($$0 ".trs"); \ + close ($$0 ".log"); \ +}' +# A command that, given a newline-separated list of test names on the +# standard input, create the global log from their .trs and .log files. +am__create_global_log = $(AWK) ' \ +function fatal(msg) \ +{ \ + print "fatal: making $@: " msg | "cat >&2"; \ + exit 1; \ +} \ +function rst_section(header) \ +{ \ + print header; \ + len = length(header); \ + for (i = 1; i <= len; i = i + 1) \ + printf "="; \ + printf "\n\n"; \ +} \ +{ \ + copy_in_global_log = 1; \ + global_test_result = "RUN"; \ + while ((rc = (getline line < ($$0 ".trs"))) != 0) \ + { \ + if (rc < 0) \ + fatal("failed to read from " $$0 ".trs"); \ + if (line ~ /$(am__global_test_result_rx)/) \ + { \ + sub("$(am__global_test_result_rx)", "", line); \ + sub("[ ]*$$", "", line); \ + global_test_result = line; \ + } \ + else if (line ~ /$(am__copy_in_global_log_rx)[nN][oO]/) \ + copy_in_global_log = 0; \ + }; \ + if (copy_in_global_log) \ + { \ + rst_section(global_test_result ": " $$0); \ + while ((rc = (getline line < ($$0 ".log"))) != 0) \ + { \ + if (rc < 0) \ + fatal("failed to read from " $$0 ".log"); \ + print line; \ + }; \ + printf "\n"; \ + }; \ + close ($$0 ".trs"); \ + close ($$0 ".log"); \ +}' +# Restructured Text title. +am__rst_title = { sed 's/.*/ & /;h;s/./=/g;p;x;s/ *$$//;p;g' && echo; } +# Solaris 10 'make', and several other traditional 'make' implementations, +# pass "-e" to $(SHELL), and POSIX 2008 even requires this. Work around it +# by disabling -e (using the XSI extension "set +e") if it's set. +am__sh_e_setup = case $$- in *e*) set +e;; esac +# Default flags passed to test drivers. +am__common_driver_flags = \ + --color-tests "$$am__color_tests" \ + --enable-hard-errors "$$am__enable_hard_errors" \ + --expect-failure "$$am__expect_failure" +# To be inserted before the command running the test. Creates the +# directory for the log if needed. Stores in $dir the directory +# containing $f, in $tst the test, in $log the log. Executes the +# developer- defined test setup AM_TESTS_ENVIRONMENT (if any), and +# passes TESTS_ENVIRONMENT. Set up options for the wrapper that +# will run the test scripts (or their associated LOG_COMPILER, if +# thy have one). +am__check_pre = \ +$(am__sh_e_setup); \ +$(am__vpath_adj_setup) $(am__vpath_adj) \ +$(am__tty_colors); \ +srcdir=$(srcdir); export srcdir; \ +case "$@" in \ + */*) am__odir=`echo "./$@" | sed 's|/[^/]*$$||'`;; \ + *) am__odir=.;; \ +esac; \ +test "x$$am__odir" = x"." || test -d "$$am__odir" \ + || $(MKDIR_P) "$$am__odir" || exit $$?; \ +if test -f "./$$f"; then dir=./; \ +elif test -f "$$f"; then dir=; \ +else dir="$(srcdir)/"; fi; \ +tst=$$dir$$f; log='$@'; \ +if test -n '$(DISABLE_HARD_ERRORS)'; then \ + am__enable_hard_errors=no; \ +else \ + am__enable_hard_errors=yes; \ +fi; \ +case " $(XFAIL_TESTS) " in \ + *[\ \ ]$$f[\ \ ]* | *[\ \ ]$$dir$$f[\ \ ]*) \ + am__expect_failure=yes;; \ + *) \ + am__expect_failure=no;; \ +esac; \ +$(AM_TESTS_ENVIRONMENT) $(TESTS_ENVIRONMENT) +# A shell command to get the names of the tests scripts with any registered +# extension removed (i.e., equivalently, the names of the test logs, with +# the '.log' extension removed). The result is saved in the shell variable +# '$bases'. This honors runtime overriding of TESTS and TEST_LOGS. Sadly, +# we cannot use something simpler, involving e.g., "$(TEST_LOGS:.log=)", +# since that might cause problem with VPATH rewrites for suffix-less tests. +# See also 'test-harness-vpath-rewrite.sh' and 'test-trs-basic.sh'. +am__set_TESTS_bases = \ + bases='$(TEST_LOGS)'; \ + bases=`for i in $$bases; do echo $$i; done | sed 's/\.log$$//'`; \ + bases=`echo $$bases` +RECHECK_LOGS = $(TEST_LOGS) +AM_RECURSIVE_TARGETS = check recheck +TEST_SUITE_LOG = test-suite.log +TEST_EXTENSIONS = @EXEEXT@ .test +LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver +LOG_COMPILE = $(LOG_COMPILER) $(AM_LOG_FLAGS) $(LOG_FLAGS) +am__set_b = \ + case '$@' in \ + */*) \ + case '$*' in \ + */*) b='$*';; \ + *) b=`echo '$@' | sed 's/\.log$$//'`; \ + esac;; \ + *) \ + b='$*';; \ + esac +am__test_logs1 = $(TESTS:=.log) +am__test_logs2 = $(am__test_logs1:@EXEEXT@.log=.log) +TEST_LOGS = $(am__test_logs2:.test.log=.log) +TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver +TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ + $(TEST_LOG_FLAGS) +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AMTAR = @AMTAR@ +AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +BROWSER = @BROWSER@ +BUILD_CFLAGS = @BUILD_CFLAGS@ +BUILD_CPPFLAGS = @BUILD_CPPFLAGS@ +BUILD_LDFLAGS = @BUILD_LDFLAGS@ +CC = @CC@ +CCDEPMODE = @CCDEPMODE@ +CC_FOR_BUILD = @CC_FOR_BUILD@ +CFLAGS = @CFLAGS@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DEFS = @DEFS@ +DEPDIR = @DEPDIR@ +DLLTOOL = @DLLTOOL@ +DSYMUTIL = @DSYMUTIL@ +DUMPBIN = @DUMPBIN@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +FGREP = @FGREP@ +FO2PDF = @FO2PDF@ +GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ +GMSGFMT = @GMSGFMT@ +GMSGFMT_015 = @GMSGFMT_015@ +GREP = @GREP@ +HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +INTLLIBS = @INTLLIBS@ +INTL_MACOSX_LIBS = @INTL_MACOSX_LIBS@ +LD = @LD@ +LDFLAGS = @LDFLAGS@ +LEX = @LEX@ +LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBAUDIT = @LIBAUDIT@ +LIBCRACK = @LIBCRACK@ +LIBCRYPT = @LIBCRYPT@ +LIBDB = @LIBDB@ +LIBDL = @LIBDL@ +LIBICONV = @LIBICONV@ +LIBINTL = @LIBINTL@ +LIBOBJS = @LIBOBJS@ +LIBPRELUDE_CFLAGS = @LIBPRELUDE_CFLAGS@ +LIBPRELUDE_CONFIG = @LIBPRELUDE_CONFIG@ +LIBPRELUDE_CONFIG_PREFIX = @LIBPRELUDE_CONFIG_PREFIX@ +LIBPRELUDE_LDFLAGS = @LIBPRELUDE_LDFLAGS@ +LIBPRELUDE_LIBS = @LIBPRELUDE_LIBS@ +LIBPRELUDE_PREFIX = @LIBPRELUDE_PREFIX@ +LIBPRELUDE_PTHREAD_CFLAGS = @LIBPRELUDE_PTHREAD_CFLAGS@ +LIBS = @LIBS@ +LIBSELINUX = @LIBSELINUX@ +LIBTOOL = @LIBTOOL@ +LIPO = @LIPO@ +LN_S = @LN_S@ +LTLIBICONV = @LTLIBICONV@ +LTLIBINTL = @LTLIBINTL@ +LTLIBOBJS = @LTLIBOBJS@ +MAKEINFO = @MAKEINFO@ +MANIFEST_TOOL = @MANIFEST_TOOL@ +MKDIR_P = @MKDIR_P@ +MSGFMT = @MSGFMT@ +MSGFMT_015 = @MSGFMT_015@ +MSGMERGE = @MSGMERGE@ +NIS_CFLAGS = @NIS_CFLAGS@ +NIS_LIBS = @NIS_LIBS@ +NM = @NM@ +NMEDIT = @NMEDIT@ +NSL_CFLAGS = @NSL_CFLAGS@ +NSL_LIBS = @NSL_LIBS@ +OBJDUMP = @OBJDUMP@ +OBJEXT = @OBJEXT@ +OTOOL = @OTOOL@ +OTOOL64 = @OTOOL64@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = @PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_URL = @PACKAGE_URL@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PIE_CFLAGS = @PIE_CFLAGS@ +PIE_LDFLAGS = @PIE_LDFLAGS@ +PKG_CONFIG = @PKG_CONFIG@ +PKG_CONFIG_LIBDIR = @PKG_CONFIG_LIBDIR@ +PKG_CONFIG_PATH = @PKG_CONFIG_PATH@ +POSUB = @POSUB@ +RANLIB = @RANLIB@ +SCONFIGDIR = @SCONFIGDIR@ +SECUREDIR = @SECUREDIR@ +SED = @SED@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +TIRPC_CFLAGS = @TIRPC_CFLAGS@ +TIRPC_LIBS = @TIRPC_LIBS@ +USE_NLS = @USE_NLS@ +VERSION = @VERSION@ +XGETTEXT = @XGETTEXT@ +XGETTEXT_015 = @XGETTEXT_015@ +XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ +XMLCATALOG = @XMLCATALOG@ +XMLLINT = @XMLLINT@ +XML_CATALOG_FILE = @XML_CATALOG_FILE@ +XSLTPROC = @XSLTPROC@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_AR = @ac_ct_AR@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_DUMPBIN = @ac_ct_DUMPBIN@ +am__include = @am__include@ +am__leading_dot = @am__leading_dot@ +am__quote = @am__quote@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libc_cv_fpie = @libc_cv_fpie@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pam_cv_ld_O1 = @pam_cv_ld_O1@ +pam_cv_ld_as_needed = @pam_cv_ld_as_needed@ +pam_cv_ld_no_undefined = @pam_cv_ld_no_undefined@ +pam_xauth_path = @pam_xauth_path@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_build_prefix = @top_build_prefix@ +top_builddir = @top_builddir@ +top_srcdir = @top_srcdir@ +CLEANFILES = *~ +MAINTAINERCLEANFILES = $(MANS) README +EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ + tst-pam_selinux + +@HAVE_LIBSELINUX_TRUE@TESTS = tst-pam_selinux +@HAVE_LIBSELINUX_TRUE@man_MANS = pam_selinux.8 +XMLS = README.xml pam_selinux.8.xml +securelibdir = $(SECUREDIR) +secureconfdir = $(SCONFIGDIR) +AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ + -I$(top_srcdir)/libpam_misc/include + +pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module \ + $(am__append_1) +pam_selinux_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ +@HAVE_LIBSELINUX_TRUE@securelib_LTLIBRARIES = pam_selinux.la +@HAVE_LIBSELINUX_TRUE@pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ +@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam_misc/libpam_misc.la + +@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README pam_selinux.8 +all: all-am + +.SUFFIXES: +.SUFFIXES: .c .lo .log .o .obj .test .test$(EXEEXT) .trs +$(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + ( cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh ) \ + && { if test -f $@; then exit 0; else break; fi; }; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_selinux/Makefile'; \ + $(am__cd) $(top_srcdir) && \ + $(AUTOMAKE) --gnu modules/pam_selinux/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(am__aclocal_m4_deps): + +install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) + @$(NORMAL_INSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + list2=; for p in $$list; do \ + if test -f $$p; then \ + list2="$$list2 $$p"; \ + else :; fi; \ + done; \ + test -z "$$list2" || { \ + echo " $(MKDIR_P) '$(DESTDIR)$(securelibdir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(securelibdir)" || exit 1; \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 '$(DESTDIR)$(securelibdir)'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=install $(INSTALL) $(INSTALL_STRIP_FLAG) $$list2 "$(DESTDIR)$(securelibdir)"; \ + } + +uninstall-securelibLTLIBRARIES: + @$(NORMAL_UNINSTALL) + @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ + for p in $$list; do \ + $(am__strip_dir) \ + echo " $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f '$(DESTDIR)$(securelibdir)/$$f'"; \ + $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=uninstall rm -f "$(DESTDIR)$(securelibdir)/$$f"; \ + done + +clean-securelibLTLIBRARIES: + -test -z "$(securelib_LTLIBRARIES)" || rm -f $(securelib_LTLIBRARIES) + @list='$(securelib_LTLIBRARIES)'; \ + locs=`for p in $$list; do echo $$p; done | \ + sed 's|^[^/]*$$|.|; s|/[^/]*$$||; s|$$|/so_locations|' | \ + sort -u`; \ + test -z "$$locs" || { \ + echo rm -f $${locs}; \ + rm -f $${locs}; \ + } + +pam_selinux.la: $(pam_selinux_la_OBJECTS) $(pam_selinux_la_DEPENDENCIES) $(EXTRA_pam_selinux_la_DEPENDENCIES) + $(AM_V_CCLD)$(pam_selinux_la_LINK) $(am_pam_selinux_la_rpath) $(pam_selinux_la_OBJECTS) $(pam_selinux_la_LIBADD) $(LIBS) + +clean-noinstPROGRAMS: + @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + +pam_selinux_check$(EXEEXT): $(pam_selinux_check_OBJECTS) $(pam_selinux_check_DEPENDENCIES) $(EXTRA_pam_selinux_check_DEPENDENCIES) + @rm -f pam_selinux_check$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(pam_selinux_check_OBJECTS) $(pam_selinux_check_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_selinux.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_selinux_check.Po@am__quote@ + +.c.o: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< + +.c.obj: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs +install-man8: $(man_MANS) + @$(NORMAL_INSTALL) + @list1=''; \ + list2='$(man_MANS)'; \ + test -n "$(man8dir)" \ + && test -n "`echo $$list1$$list2`" \ + || exit 0; \ + echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \ + $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \ + { for i in $$list1; do echo "$$i"; done; \ + if test -n "$$list2"; then \ + for i in $$list2; do echo "$$i"; done \ + | sed -n '/\.8[a-z]*$$/p'; \ + fi; \ + } | while read p; do \ + if test -f $$p; then d=; else d="$(srcdir)/"; fi; \ + echo "$$d$$p"; echo "$$p"; \ + done | \ + sed -e 'n;s,.*/,,;p;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,' | \ + sed 'N;N;s,\n, ,g' | { \ + list=; while read file base inst; do \ + if test "$$base" = "$$inst"; then list="$$list $$file"; else \ + echo " $(INSTALL_DATA) '$$file' '$(DESTDIR)$(man8dir)/$$inst'"; \ + $(INSTALL_DATA) "$$file" "$(DESTDIR)$(man8dir)/$$inst" || exit $$?; \ + fi; \ + done; \ + for i in $$list; do echo "$$i"; done | $(am__base_list) | \ + while read files; do \ + test -z "$$files" || { \ + echo " $(INSTALL_DATA) $$files '$(DESTDIR)$(man8dir)'"; \ + $(INSTALL_DATA) $$files "$(DESTDIR)$(man8dir)" || exit $$?; }; \ + done; } + +uninstall-man8: + @$(NORMAL_UNINSTALL) + @list=''; test -n "$(man8dir)" || exit 0; \ + files=`{ for i in $$list; do echo "$$i"; done; \ + l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + sed -n '/\.8[a-z]*$$/p'; \ + } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ + -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ + dir='$(DESTDIR)$(man8dir)'; $(am__uninstall_files_from_dir) + +ID: $(am__tagged_files) + $(am__define_uniq_tagged_files); mkid -fID $$unique +tags: tags-am +TAGS: tags + +tags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + set x; \ + here=`pwd`; \ + $(am__define_uniq_tagged_files); \ + shift; \ + if test -z "$(ETAGS_ARGS)$$*$$unique"; then :; else \ + test -n "$$unique" || unique=$$empty_fix; \ + if test $$# -gt 0; then \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + "$$@" $$unique; \ + else \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$unique; \ + fi; \ + fi +ctags: ctags-am + +CTAGS: ctags +ctags-am: $(TAGS_DEPENDENCIES) $(am__tagged_files) + $(am__define_uniq_tagged_files); \ + test -z "$(CTAGS_ARGS)$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && $(am__cd) $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) "$$here" +cscopelist: cscopelist-am + +cscopelist-am: $(am__tagged_files) + list='$(am__tagged_files)'; \ + case "$(srcdir)" in \ + [\\/]* | ?:[\\/]*) sdir="$(srcdir)" ;; \ + *) sdir=$(subdir)/$(srcdir) ;; \ + esac; \ + for i in $$list; do \ + if test -f "$$i"; then \ + echo "$(subdir)/$$i"; \ + else \ + echo "$$sdir/$$i"; \ + fi; \ + done >> $(top_builddir)/cscope.files + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +# Recover from deleted '.trs' file; this should ensure that +# "rm -f foo.log; make foo.trs" re-run 'foo.test', and re-create +# both 'foo.log' and 'foo.trs'. Break the recipe in two subshells +# to avoid problems with "make -n". +.log.trs: + rm -f $< $@ + $(MAKE) $(AM_MAKEFLAGS) $< + +# Leading 'am--fnord' is there to ensure the list of targets does not +# expand to empty, as could happen e.g. with make check TESTS=''. +am--fnord $(TEST_LOGS) $(TEST_LOGS:.log=.trs): $(am__force_recheck) +am--force-recheck: + @: + +$(TEST_SUITE_LOG): $(TEST_LOGS) + @$(am__set_TESTS_bases); \ + am__f_ok () { test -f "$$1" && test -r "$$1"; }; \ + redo_bases=`for i in $$bases; do \ + am__f_ok $$i.trs && am__f_ok $$i.log || echo $$i; \ + done`; \ + if test -n "$$redo_bases"; then \ + redo_logs=`for i in $$redo_bases; do echo $$i.log; done`; \ + redo_results=`for i in $$redo_bases; do echo $$i.trs; done`; \ + if $(am__make_dryrun); then :; else \ + rm -f $$redo_logs && rm -f $$redo_results || exit 1; \ + fi; \ + fi; \ + if test -n "$$am__remaking_logs"; then \ + echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ + "recursion detected" >&2; \ + else \ + am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ + fi; \ + if $(am__make_dryrun); then :; else \ + st=0; \ + errmsg="fatal: making $(TEST_SUITE_LOG): failed to create"; \ + for i in $$redo_bases; do \ + test -f $$i.trs && test -r $$i.trs \ + || { echo "$$errmsg $$i.trs" >&2; st=1; }; \ + test -f $$i.log && test -r $$i.log \ + || { echo "$$errmsg $$i.log" >&2; st=1; }; \ + done; \ + test $$st -eq 0 || exit 1; \ + fi + @$(am__sh_e_setup); $(am__tty_colors); $(am__set_TESTS_bases); \ + ws='[ ]'; \ + results=`for b in $$bases; do echo $$b.trs; done`; \ + test -n "$$results" || results=/dev/null; \ + all=` grep "^$$ws*:test-result:" $$results | wc -l`; \ + pass=` grep "^$$ws*:test-result:$$ws*PASS" $$results | wc -l`; \ + fail=` grep "^$$ws*:test-result:$$ws*FAIL" $$results | wc -l`; \ + skip=` grep "^$$ws*:test-result:$$ws*SKIP" $$results | wc -l`; \ + xfail=`grep "^$$ws*:test-result:$$ws*XFAIL" $$results | wc -l`; \ + xpass=`grep "^$$ws*:test-result:$$ws*XPASS" $$results | wc -l`; \ + error=`grep "^$$ws*:test-result:$$ws*ERROR" $$results | wc -l`; \ + if test `expr $$fail + $$xpass + $$error` -eq 0; then \ + success=true; \ + else \ + success=false; \ + fi; \ + br='==================='; br=$$br$$br$$br$$br; \ + result_count () \ + { \ + if test x"$$1" = x"--maybe-color"; then \ + maybe_colorize=yes; \ + elif test x"$$1" = x"--no-color"; then \ + maybe_colorize=no; \ + else \ + echo "$@: invalid 'result_count' usage" >&2; exit 4; \ + fi; \ + shift; \ + desc=$$1 count=$$2; \ + if test $$maybe_colorize = yes && test $$count -gt 0; then \ + color_start=$$3 color_end=$$std; \ + else \ + color_start= color_end=; \ + fi; \ + echo "$${color_start}# $$desc $$count$${color_end}"; \ + }; \ + create_testsuite_report () \ + { \ + result_count $$1 "TOTAL:" $$all "$$brg"; \ + result_count $$1 "PASS: " $$pass "$$grn"; \ + result_count $$1 "SKIP: " $$skip "$$blu"; \ + result_count $$1 "XFAIL:" $$xfail "$$lgn"; \ + result_count $$1 "FAIL: " $$fail "$$red"; \ + result_count $$1 "XPASS:" $$xpass "$$red"; \ + result_count $$1 "ERROR:" $$error "$$mgn"; \ + }; \ + { \ + echo "$(PACKAGE_STRING): $(subdir)/$(TEST_SUITE_LOG)" | \ + $(am__rst_title); \ + create_testsuite_report --no-color; \ + echo; \ + echo ".. contents:: :depth: 2"; \ + echo; \ + for b in $$bases; do echo $$b; done \ + | $(am__create_global_log); \ + } >$(TEST_SUITE_LOG).tmp || exit 1; \ + mv $(TEST_SUITE_LOG).tmp $(TEST_SUITE_LOG); \ + if $$success; then \ + col="$$grn"; \ + else \ + col="$$red"; \ + test x"$$VERBOSE" = x || cat $(TEST_SUITE_LOG); \ + fi; \ + echo "$${col}$$br$${std}"; \ + echo "$${col}Testsuite summary for $(PACKAGE_STRING)$${std}"; \ + echo "$${col}$$br$${std}"; \ + create_testsuite_report --maybe-color; \ + echo "$$col$$br$$std"; \ + if $$success; then :; else \ + echo "$${col}See $(subdir)/$(TEST_SUITE_LOG)$${std}"; \ + if test -n "$(PACKAGE_BUGREPORT)"; then \ + echo "$${col}Please report to $(PACKAGE_BUGREPORT)$${std}"; \ + fi; \ + echo "$$col$$br$$std"; \ + fi; \ + $$success || exit 1 + +check-TESTS: + @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list + @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list + @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + @set +e; $(am__set_TESTS_bases); \ + log_list=`for i in $$bases; do echo $$i.log; done`; \ + trs_list=`for i in $$bases; do echo $$i.trs; done`; \ + log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ + $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ + exit $$?; +recheck: all + @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + @set +e; $(am__set_TESTS_bases); \ + bases=`for i in $$bases; do echo $$i; done \ + | $(am__list_recheck_tests)` || exit 1; \ + log_list=`for i in $$bases; do echo $$i.log; done`; \ + log_list=`echo $$log_list`; \ + $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) \ + am__force_recheck=am--force-recheck \ + TEST_LOGS="$$log_list"; \ + exit $$? +tst-pam_selinux.log: tst-pam_selinux + @p='tst-pam_selinux'; \ + b='tst-pam_selinux'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +.test.log: + @p='$<'; \ + $(am__set_b); \ + $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) +@am__EXEEXT_TRUE@.test$(EXEEXT).log: +@am__EXEEXT_TRUE@ @p='$<'; \ +@am__EXEEXT_TRUE@ $(am__set_b); \ +@am__EXEEXT_TRUE@ $(am__check_pre) $(TEST_LOG_DRIVER) --test-name "$$f" \ +@am__EXEEXT_TRUE@ --log-file $$b.log --trs-file $$b.trs \ +@am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ +@am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d "$(distdir)/$$file"; then \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -fpR $(srcdir)/$$file "$(distdir)$$dir" || exit 1; \ + find "$(distdir)/$$file" -type d ! -perm -700 -exec chmod u+rwx {} \;; \ + fi; \ + cp -fpR $$d/$$file "$(distdir)$$dir" || exit 1; \ + else \ + test -f "$(distdir)/$$file" \ + || cp -p $$d/$$file "$(distdir)/$$file" \ + || exit 1; \ + fi; \ + done +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) check-TESTS +check: check-am +all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) +installdirs: + for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ + test -z "$$dir" || $(MKDIR_P) "$$dir"; \ + done +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + if test -z '$(STRIP)'; then \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + install; \ + else \ + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'" install; \ + fi +mostlyclean-generic: + -test -z "$(TEST_LOGS)" || rm -f $(TEST_LOGS) + -test -z "$(TEST_LOGS:.log=.trs)" || rm -f $(TEST_LOGS:.log=.trs) + -test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + -test . = "$(srcdir)" || test -z "$(CONFIG_CLEAN_VPATH_FILES)" || rm -f $(CONFIG_CLEAN_VPATH_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." + -test -z "$(MAINTAINERCLEANFILES)" || rm -f $(MAINTAINERCLEANFILES) +clean: clean-am + +clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ + clean-securelibLTLIBRARIES mostlyclean-am + +distclean: distclean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +html-am: + +info: info-am + +info-am: + +install-data-am: install-man install-securelibLTLIBRARIES + +install-dvi: install-dvi-am + +install-dvi-am: + +install-exec-am: + +install-html: install-html-am + +install-html-am: + +install-info: install-info-am + +install-info-am: + +install-man: install-man8 + +install-pdf: install-pdf-am + +install-pdf-am: + +install-ps: install-ps-am + +install-ps-am: + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -rf ./$(DEPDIR) + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: uninstall-man uninstall-securelibLTLIBRARIES + +uninstall-man: uninstall-man8 + +.MAKE: check-am install-am install-strip + +.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ + clean-generic clean-libtool clean-noinstPROGRAMS \ + clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ + distclean distclean-compile distclean-generic \ + distclean-libtool distclean-tags distdir dvi dvi-am html \ + html-am info info-am install install-am install-data \ + install-data-am install-dvi install-dvi-am install-exec \ + install-exec-am install-html install-html-am install-info \ + install-info-am install-man install-man8 install-pdf \ + install-pdf-am install-ps install-ps-am \ + install-securelibLTLIBRARIES install-strip installcheck \ + installcheck-am installdirs maintainer-clean \ + maintainer-clean-generic mostlyclean mostlyclean-compile \ + mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ + recheck tags tags-am uninstall uninstall-am uninstall-man \ + uninstall-man8 uninstall-securelibLTLIBRARIES + +@ENABLE_REGENERATE_MAN_TRUE@README: pam_selinux.8.xml +@ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules + +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/modules/pam_selinux/README b/modules/pam_selinux/README new file mode 100644 index 0000000..fb4d449 --- /dev/null +++ b/modules/pam_selinux/README @@ -0,0 +1,85 @@ +pam_selinux — PAM module to set the default security context + +━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +DESCRIPTION + +pam_selinux is a PAM module that sets up the default SELinux security context +for the next executed process. + +When a new session is started, the open_session part of the module computes and +sets up the execution security context used for the next execve(2) call, the +file security context for the controlling terminal, and the security context +used for creating a new kernel keyring. + +When the session is ended, the close_session part of the module restores old +security contexts that were in effect before the change made by the +open_session part of the module. + +Adding pam_selinux into the PAM stack might disrupt behavior of other PAM +modules which execute applications. To avoid that, pam_selinux.so open should +be placed after such modules in the PAM stack, and pam_selinux.so close should +be placed before them. When such a placement is not feasible, pam_selinux.so +restore could be used to temporary restore original security contexts. + +OPTIONS + +open + + Only execute the open_session part of the module. + +close + + Only execute the close_session part of the module. + +restore + + In open_session part of the module, temporarily restore the security + contexts as they were before the previous call of the module. Another call + of this module without the restore option will set up the new security + contexts again. + +nottys + + Do not setup security context of the controlling terminal. + +debug + + Turn on debug messages via syslog(3). + +verbose + + Attempt to inform the user when security context is set. + +select_context + + Attempt to ask the user for a custom security context role. If MLS is on, + ask also for sensitivity level. + +env_params + + Attempt to obtain a custom security context role from PAM environment. If + MLS is on, obtain also sensitivity level. This option and the + select_context option are mutually exclusive. The respective PAM + environment variables are SELINUX_ROLE_REQUESTED, SELINUX_LEVEL_REQUESTED, + and SELINUX_USE_CURRENT_RANGE. The first two variables are self describing + and the last one if set to 1 makes the PAM module behave as if the + use_current_range was specified on the command line of the module. + +use_current_range + + Use the sensitivity level of the current process for the user context + instead of the default level. Also suppresses asking of the sensitivity + level from the user or obtaining it from PAM environment. + +EXAMPLES + +auth required pam_unix.so +session required pam_permit.so +session optional pam_selinux.so + + +AUTHOR + +pam_selinux was written by Dan Walsh <dwalsh@redhat.com>. + diff --git a/modules/pam_selinux/README.xml b/modules/pam_selinux/README.xml new file mode 100644 index 0000000..7e1baf5 --- /dev/null +++ b/modules/pam_selinux/README.xml @@ -0,0 +1,41 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" +"http://www.docbook.org/xml/4.3/docbookx.dtd" +[ +<!-- +<!ENTITY pamaccess SYSTEM "pam_selinux.8.xml"> +--> +]> + +<article> + + <articleinfo> + + <title> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_selinux.8.xml" xpointer='xpointer(//refnamediv[@id = "pam_selinux-name"]/*)'/> + </title> + + </articleinfo> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-description"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-options"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-examples"]/*)'/> + </section> + + <section> + <xi:include xmlns:xi="http://www.w3.org/2001/XInclude" + href="pam_selinux.8.xml" xpointer='xpointer(//refsect1[@id = "pam_selinux-author"]/*)'/> + </section> + +</article> diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8 new file mode 100644 index 0000000..5822cc1 --- /dev/null +++ b/modules/pam_selinux/pam_selinux.8 @@ -0,0 +1,151 @@ +'\" t +.\" Title: pam_selinux +.\" Author: [see the "AUTHOR" section] +.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> +.\" Date: 05/18/2017 +.\" Manual: Linux-PAM Manual +.\" Source: Linux-PAM Manual +.\" Language: English +.\" +.TH "PAM_SELINUX" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.\" ----------------------------------------------------------------- +.\" * Define some portability stuff +.\" ----------------------------------------------------------------- +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.\" http://bugs.debian.org/507673 +.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html +.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +.ie \n(.g .ds Aq \(aq +.el .ds Aq ' +.\" ----------------------------------------------------------------- +.\" * set default formatting +.\" ----------------------------------------------------------------- +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.\" ----------------------------------------------------------------- +.\" * MAIN CONTENT STARTS HERE * +.\" ----------------------------------------------------------------- +.SH "NAME" +pam_selinux \- PAM module to set the default security context +.SH "SYNOPSIS" +.HP \w'\fBpam_selinux\&.so\fR\ 'u +\fBpam_selinux\&.so\fR [open] [close] [restore] [nottys] [debug] [verbose] [select_context] [env_params] [use_current_range] +.SH "DESCRIPTION" +.PP +pam_selinux is a PAM module that sets up the default SELinux security context for the next executed process\&. +.PP +When a new session is started, the open_session part of the module computes and sets up the execution security context used for the next +\fBexecve\fR(2) +call, the file security context for the controlling terminal, and the security context used for creating a new kernel keyring\&. +.PP +When the session is ended, the close_session part of the module restores old security contexts that were in effect before the change made by the open_session part of the module\&. +.PP +Adding pam_selinux into the PAM stack might disrupt behavior of other PAM modules which execute applications\&. To avoid that, +\fIpam_selinux\&.so open\fR +should be placed after such modules in the PAM stack, and +\fIpam_selinux\&.so close\fR +should be placed before them\&. When such a placement is not feasible, +\fIpam_selinux\&.so restore\fR +could be used to temporary restore original security contexts\&. +.SH "OPTIONS" +.PP +\fBopen\fR +.RS 4 +Only execute the open_session part of the module\&. +.RE +.PP +\fBclose\fR +.RS 4 +Only execute the close_session part of the module\&. +.RE +.PP +\fBrestore\fR +.RS 4 +In open_session part of the module, temporarily restore the security contexts as they were before the previous call of the module\&. Another call of this module without the restore option will set up the new security contexts again\&. +.RE +.PP +\fBnottys\fR +.RS 4 +Do not setup security context of the controlling terminal\&. +.RE +.PP +\fBdebug\fR +.RS 4 +Turn on debug messages via +\fBsyslog\fR(3)\&. +.RE +.PP +\fBverbose\fR +.RS 4 +Attempt to inform the user when security context is set\&. +.RE +.PP +\fBselect_context\fR +.RS 4 +Attempt to ask the user for a custom security context role\&. If MLS is on, ask also for sensitivity level\&. +.RE +.PP +\fBenv_params\fR +.RS 4 +Attempt to obtain a custom security context role from PAM environment\&. If MLS is on, obtain also sensitivity level\&. This option and the select_context option are mutually exclusive\&. The respective PAM environment variables are +\fISELINUX_ROLE_REQUESTED\fR, +\fISELINUX_LEVEL_REQUESTED\fR, and +\fISELINUX_USE_CURRENT_RANGE\fR\&. The first two variables are self describing and the last one if set to 1 makes the PAM module behave as if the use_current_range was specified on the command line of the module\&. +.RE +.PP +\fBuse_current_range\fR +.RS 4 +Use the sensitivity level of the current process for the user context instead of the default level\&. Also suppresses asking of the sensitivity level from the user or obtaining it from PAM environment\&. +.RE +.SH "MODULE TYPES PROVIDED" +.PP +Only the +\fBsession\fR +module type is provided\&. +.SH "RETURN VALUES" +.PP +PAM_SUCCESS +.RS 4 +The security context was set successfully\&. +.RE +.PP +PAM_SESSION_ERR +.RS 4 +Unable to get or set a valid context\&. +.RE +.PP +PAM_USER_UNKNOWN +.RS 4 +The user is not known to the system\&. +.RE +.PP +PAM_BUF_ERR +.RS 4 +Memory allocation error\&. +.RE +.SH "EXAMPLES" +.sp +.if n \{\ +.RS 4 +.\} +.nf +auth required pam_unix\&.so +session required pam_permit\&.so +session optional pam_selinux\&.so + +.fi +.if n \{\ +.RE +.\} +.SH "SEE ALSO" +.PP +\fBexecve\fR(2), +\fBtty\fR(4), +\fBpam.d\fR(5), +\fBpam\fR(8), +\fBselinux\fR(8) +.SH "AUTHOR" +.PP +pam_selinux was written by Dan Walsh <dwalsh@redhat\&.com>\&. diff --git a/modules/pam_selinux/pam_selinux.8.xml b/modules/pam_selinux/pam_selinux.8.xml new file mode 100644 index 0000000..28d465f --- /dev/null +++ b/modules/pam_selinux/pam_selinux.8.xml @@ -0,0 +1,276 @@ +<?xml version="1.0" encoding='UTF-8'?> +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN" + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd"> + +<refentry id="pam_selinux"> + + <refmeta> + <refentrytitle>pam_selinux</refentrytitle> + <manvolnum>8</manvolnum> + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo> + </refmeta> + + <refnamediv id="pam_selinux-name"> + <refname>pam_selinux</refname> + <refpurpose>PAM module to set the default security context</refpurpose> + </refnamediv> + + <refsynopsisdiv> + <cmdsynopsis id="pam_selinux-cmdsynopsis"> + <command>pam_selinux.so</command> + <arg choice="opt"> + open + </arg> + <arg choice="opt"> + close + </arg> + <arg choice="opt"> + restore + </arg> + <arg choice="opt"> + nottys + </arg> + <arg choice="opt"> + debug + </arg> + <arg choice="opt"> + verbose + </arg> + <arg choice="opt"> + select_context + </arg> + <arg choice="opt"> + env_params + </arg> + <arg choice="opt"> + use_current_range + </arg> + </cmdsynopsis> + </refsynopsisdiv> + + <refsect1 id="pam_selinux-description"> + <title>DESCRIPTION</title> + <para> + pam_selinux is a PAM module that sets up the default SELinux security + context for the next executed process. + </para> + <para> + When a new session is started, the open_session part of the module + computes and sets up the execution security context used for the next + <citerefentry> + <refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum> + </citerefentry> + call, the file security context for the controlling terminal, and + the security context used for creating a new kernel keyring. + </para> + <para> + When the session is ended, the close_session part of the module restores + old security contexts that were in effect before the change made + by the open_session part of the module. + </para> + <para> + Adding pam_selinux into the PAM stack might disrupt behavior of other + PAM modules which execute applications. To avoid that, + <emphasis>pam_selinux.so open</emphasis> should be placed after such + modules in the PAM stack, and <emphasis>pam_selinux.so close</emphasis> + should be placed before them. When such a placement is not feasible, + <emphasis>pam_selinux.so restore</emphasis> could be used to temporary + restore original security contexts. + </para> + </refsect1> + + <refsect1 id="pam_selinux-options"> + <title>OPTIONS</title> + <variablelist> + <varlistentry> + <term> + <option>open</option> + </term> + <listitem> + <para> + Only execute the open_session part of the module. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>close</option> + </term> + <listitem> + <para> + Only execute the close_session part of the module. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>restore</option> + </term> + <listitem> + <para> + In open_session part of the module, temporarily restore the + security contexts as they were before the previous call of + the module. Another call of this module without the restore + option will set up the new security contexts again. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>nottys</option> + </term> + <listitem> + <para> + Do not setup security context of the controlling terminal. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>debug</option> + </term> + <listitem> + <para> + Turn on debug messages via + <citerefentry> + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum> + </citerefentry>. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>verbose</option> + </term> + <listitem> + <para> + Attempt to inform the user when security context is set. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>select_context</option> + </term> + <listitem> + <para> + Attempt to ask the user for a custom security context role. + If MLS is on, ask also for sensitivity level. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>env_params</option> + </term> + <listitem> + <para> + Attempt to obtain a custom security context role from PAM environment. + If MLS is on, obtain also sensitivity level. This option and the + select_context option are mutually exclusive. The respective PAM + environment variables are <emphasis>SELINUX_ROLE_REQUESTED</emphasis>, + <emphasis>SELINUX_LEVEL_REQUESTED</emphasis>, and + <emphasis>SELINUX_USE_CURRENT_RANGE</emphasis>. The first two variables + are self describing and the last one if set to 1 makes the PAM module behave as + if the use_current_range was specified on the command line of the module. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>use_current_range</option> + </term> + <listitem> + <para> + Use the sensitivity level of the current process for the user context + instead of the default level. Also suppresses asking of the + sensitivity level from the user or obtaining it from PAM environment. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id="pam_selinux-types"> + <title>MODULE TYPES PROVIDED</title> + <para> + Only the <option>session</option> module type is provided. + </para> + </refsect1> + + <refsect1 id='pam_selinux-return_values'> + <title>RETURN VALUES</title> + <variablelist> + <varlistentry> + <term>PAM_SUCCESS</term> + <listitem> + <para> + The security context was set successfully. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_SESSION_ERR</term> + <listitem> + <para> + Unable to get or set a valid context. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_USER_UNKNOWN</term> + <listitem> + <para> + The user is not known to the system. + </para> + </listitem> + </varlistentry> + <varlistentry> + <term>PAM_BUF_ERR</term> + <listitem> + <para> + Memory allocation error. + </para> + </listitem> + </varlistentry> + </variablelist> + </refsect1> + + <refsect1 id='pam_selinux-examples'> + <title>EXAMPLES</title> + <programlisting> +auth required pam_unix.so +session required pam_permit.so +session optional pam_selinux.so + </programlisting> + </refsect1> + + <refsect1 id='pam_selinux-see_also'> + <title>SEE ALSO</title> + <para> + <citerefentry> + <refentrytitle>execve</refentrytitle><manvolnum>2</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>tty</refentrytitle><manvolnum>4</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> + </citerefentry>, + <citerefentry> + <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> + </para> + </refsect1> + + <refsect1 id='pam_selinux-author'> + <title>AUTHOR</title> + <para> + pam_selinux was written by Dan Walsh <dwalsh@redhat.com>. + </para> + </refsect1> + +</refentry> diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c new file mode 100644 index 0000000..348cdd4 --- /dev/null +++ b/modules/pam_selinux/pam_selinux.c @@ -0,0 +1,841 @@ +/****************************************************************************** + * A module for Linux-PAM that will set the default security context after login + * via PAM. + * + * Copyright (c) 2003-2008 Red Hat, Inc. + * Written by Dan Walsh <dwalsh@redhat.com> + * Additional improvements by Tomas Mraz <tmraz@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +#include "config.h" + +#include <errno.h> +#include <limits.h> +#include <pwd.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <unistd.h> +#include <sys/types.h> +#include <sys/stat.h> +#include <fcntl.h> +#include <syslog.h> + +#define PAM_SM_AUTH +#define PAM_SM_SESSION + +#include <security/pam_modules.h> +#include <security/_pam_macros.h> +#include <security/pam_modutil.h> +#include <security/pam_ext.h> + +#include <selinux/selinux.h> +#include <selinux/get_context_list.h> +#include <selinux/flask.h> +#include <selinux/av_permissions.h> +#include <selinux/selinux.h> +#include <selinux/context.h> +#include <selinux/get_default_type.h> + +#ifdef HAVE_LIBAUDIT +#include <libaudit.h> +#include <sys/select.h> +#include <errno.h> +#endif + +/* Send audit message */ +static + +int send_audit_message(pam_handle_t *pamh, int success, security_context_t default_context, + security_context_t selected_context) +{ + int rc=0; +#ifdef HAVE_LIBAUDIT + char *msg = NULL; + int audit_fd = audit_open(); + security_context_t default_raw=NULL; + security_context_t selected_raw=NULL; + const void *tty = NULL, *rhost = NULL; + rc = -1; + if (audit_fd < 0) { + if (errno == EINVAL || errno == EPROTONOSUPPORT || + errno == EAFNOSUPPORT) + return 0; /* No audit support in kernel */ + pam_syslog(pamh, LOG_ERR, "Error connecting to audit system."); + return rc; + } + (void)pam_get_item(pamh, PAM_TTY, &tty); + (void)pam_get_item(pamh, PAM_RHOST, &rhost); + if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { + pam_syslog(pamh, LOG_ERR, "Error translating default context."); + default_raw = NULL; + } + if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) { + pam_syslog(pamh, LOG_ERR, "Error translating selected context."); + selected_raw = NULL; + } + if (asprintf(&msg, "pam: default-context=%s selected-context=%s", + default_raw ? default_raw : (default_context ? default_context : "?"), + selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) { + pam_syslog(pamh, LOG_ERR, "Error allocating memory."); + goto out; + } + if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, + msg, rhost, NULL, tty, success) <= 0) { + pam_syslog(pamh, LOG_ERR, "Error sending audit message."); + goto out; + } + rc = 0; + out: + free(msg); + freecon(default_raw); + freecon(selected_raw); + close(audit_fd); +#else + pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success); +#endif + return rc; +} +static int +send_text (pam_handle_t *pamh, const char *text, int debug) +{ + if (debug) + pam_syslog(pamh, LOG_NOTICE, "%s", text); + return pam_info (pamh, "%s", text); +} + +/* + * This function sends a message to the user and gets the response. The caller + * is responsible for freeing the responses. + */ +static int +query_response (pam_handle_t *pamh, const char *text, const char *def, + char **response, int debug) +{ + int rc; + if (def) + rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s [%s] ", text, def); + else + rc = pam_prompt (pamh, PAM_PROMPT_ECHO_ON, response, "%s ", text); + + if (*response == NULL) { + rc = PAM_CONV_ERR; + } + + if (rc != PAM_SUCCESS) { + pam_syslog(pamh, LOG_WARNING, "No response to query: %s", text); + } else if (debug) + pam_syslog(pamh, LOG_NOTICE, "%s %s", text, *response); + return rc; +} + +static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug) +{ + struct av_decision avd; + int retval; + security_class_t class; + access_vector_t bit; + context_t src_context; + context_t dst_context; + + class = string_to_security_class("context"); + if (!class) { + pam_syslog(pamh, LOG_ERR, "Failed to translate security class context. %m"); + return 0; + } + + bit = string_to_av_perm(class, "contains"); + if (!bit) { + pam_syslog(pamh, LOG_ERR, "Failed to translate av perm contains. %m"); + return 0; + } + + src_context = context_new (src); + dst_context = context_new (dst); + context_range_set(dst_context, context_range_get(src_context)); + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context)); + + retval = security_compute_av(context_str(dst_context), dst, class, bit, &avd); + context_free(src_context); + context_free(dst_context); + if (retval || ((bit & avd.allowed) != bit)) + return 0; + + return 1; +} + +static security_context_t +config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_current_range, int debug) +{ + security_context_t newcon=NULL; + context_t new_context; + int mls_enabled = is_selinux_mls_enabled(); + char *response=NULL; + char *type=NULL; + char resp_val = 0; + + pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("Default Security Context %s\n"), defaultcon); + + while (1) { + if (query_response(pamh, + _("Would you like to enter a different role or level?"), "n", + &response, debug) == PAM_SUCCESS) { + resp_val = response[0]; + _pam_drop(response); + } else { + resp_val = 'N'; + } + if ((resp_val == 'y') || (resp_val == 'Y')) + { + if ((new_context = context_new(defaultcon)) == NULL) + goto fail_set; + + /* Allow the user to enter role and level individually */ + if (query_response(pamh, _("role:"), context_role_get(new_context), + &response, debug) == PAM_SUCCESS && response[0]) { + if (get_default_type(response, &type)) { + pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), response); + _pam_drop(response); + continue; + } else { + if (context_role_set(new_context, response)) + goto fail_set; + if (context_type_set (new_context, type)) + goto fail_set; + _pam_drop(type); + } + } + _pam_drop(response); + + if (mls_enabled) + { + if (use_current_range) { + security_context_t mycon = NULL; + context_t my_context; + + if (getcon(&mycon) != 0) + goto fail_set; + my_context = context_new(mycon); + if (my_context == NULL) { + freecon(mycon); + goto fail_set; + } + freecon(mycon); + if (context_range_set(new_context, context_range_get(my_context))) { + context_free(my_context); + goto fail_set; + } + context_free(my_context); + } else if (query_response(pamh, _("level:"), context_range_get(new_context), + &response, debug) == PAM_SUCCESS && response[0]) { + if (context_range_set(new_context, response)) + goto fail_set; + } + _pam_drop(response); + } + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", context_str(new_context)); + + /* Get the string value of the context and see if it is valid. */ + if (!security_check_context(context_str(new_context))) { + newcon = strdup(context_str(new_context)); + if (newcon == NULL) + goto fail_set; + context_free(new_context); + + /* we have to check that this user is allowed to go into the + range they have specified ... role is tied to an seuser, so that'll + be checked at setexeccon time */ + if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { + pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); + + send_audit_message(pamh, 0, defaultcon, newcon); + + free(newcon); + goto fail_range; + } + return newcon; + } + else { + send_audit_message(pamh, 0, defaultcon, context_str(new_context)); + send_text(pamh,_("Not a valid security context"),debug); + } + context_free(new_context); /* next time around allocates another */ + } + else + return strdup(defaultcon); + } /* end while */ + + return NULL; + + fail_set: + free(type); + _pam_drop(response); + context_free (new_context); + send_audit_message(pamh, 0, defaultcon, NULL); + fail_range: + return NULL; +} + +static security_context_t +context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_params, int use_current_range, int debug) +{ + security_context_t newcon = NULL; + context_t new_context; + context_t my_context = NULL; + int mls_enabled = is_selinux_mls_enabled(); + const char *env = NULL; + char *type = NULL; + int fail = 1; + + if ((new_context = context_new(defaultcon)) == NULL) + goto fail_set; + + if (env_params && (env = pam_getenv(pamh, "SELINUX_ROLE_REQUESTED")) != NULL && env[0] != '\0') { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Requested role: %s", env); + + if (get_default_type(env, &type)) { + pam_syslog(pamh, LOG_NOTICE, "No default type for role %s", env); + goto fail_set; + } else { + if (context_role_set(new_context, env)) + goto fail_set; + if (context_type_set(new_context, type)) + goto fail_set; + } + } + + if (mls_enabled) { + if ((env = pam_getenv(pamh, "SELINUX_USE_CURRENT_RANGE")) != NULL && env[0] == '1') { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "SELINUX_USE_CURRENT_RANGE is set"); + use_current_range = 1; + } + + if (use_current_range) { + security_context_t mycon = NULL; + + if (getcon(&mycon) != 0) + goto fail_set; + my_context = context_new(mycon); + if (my_context == NULL) { + freecon(mycon); + goto fail_set; + } + freecon(mycon); + env = context_range_get(my_context); + } else { + env = pam_getenv(pamh, "SELINUX_LEVEL_REQUESTED"); + } + + if (env != NULL && env[0] != '\0') { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Requested level: %s", env); + if (context_range_set(new_context, env)) + goto fail_set; + } + } + + newcon = strdup(context_str(new_context)); + if (newcon == NULL) + goto fail_set; + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Selected Security Context %s", newcon); + + /* Get the string value of the context and see if it is valid. */ + if (security_check_context(newcon)) { + pam_syslog(pamh, LOG_NOTICE, "Not a valid security context %s", newcon); + + goto fail_set; + } + + /* we have to check that this user is allowed to go into the + range they have specified ... role is tied to an seuser, so that'll + be checked at setexeccon time */ + if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { + pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); + + goto fail_set; + } + + fail = 0; + + fail_set: + free(type); + context_free(my_context); + context_free(new_context); + if (fail) { + send_audit_message(pamh, 0, defaultcon, newcon); + freecon(newcon); + newcon = NULL; + } + return newcon; +} + +#define DATANAME "pam_selinux_context" +typedef struct { + security_context_t exec_context; + security_context_t prev_exec_context; + security_context_t default_user_context; + security_context_t tty_context; + security_context_t prev_tty_context; + char *tty_path; +} module_data_t; + +static void +free_module_data(module_data_t *data) +{ + free(data->tty_path); + freecon(data->prev_tty_context); + freecon(data->tty_context); + freecon(data->default_user_context); + freecon(data->prev_exec_context); + if (data->exec_context != data->default_user_context) + freecon(data->exec_context); + memset(data, 0, sizeof(*data)); + free(data); +} + +static void +cleanup(pam_handle_t *pamh UNUSED, void *data, int err UNUSED) +{ + free_module_data(data); +} + +static const module_data_t * +get_module_data(const pam_handle_t *pamh) +{ + const void *data; + + return (pam_get_data(pamh, DATANAME, &data) == PAM_SUCCESS) ? data : NULL; +} + +static const char * +get_item(const pam_handle_t *pamh, int item_type) +{ + const void *item; + + return (pam_get_item(pamh, item_type, &item) == PAM_SUCCESS) ? item : NULL; +} + +static int +set_exec_context(const pam_handle_t *pamh, security_context_t context) +{ + if (setexeccon(context) == 0) + return 0; + pam_syslog(pamh, LOG_ERR, "Setting executable context \"%s\" failed: %m", + context ? context : ""); + return -1; +} + +static int +set_file_context(const pam_handle_t *pamh, security_context_t context, + const char *file) +{ + if (!file) + return 0; + if (setfilecon(file, context) == 0 || errno == ENOENT) + return 0; + pam_syslog(pamh, LOG_ERR, "Setting file context \"%s\" failed for %s: %m", + context ? context : "", file); + return -1; +} + +static int +compute_exec_context(pam_handle_t *pamh, module_data_t *data, + int select_context, int use_current_range, + int env_params, int debug) +{ + const char *username; + +#ifdef HAVE_GETSEUSER + const char *service; +#endif + char *seuser = NULL; + char *level = NULL; + security_context_t *contextlist = NULL; + int num_contexts = 0; + const struct passwd *pwd; + + if (!(username = get_item(pamh, PAM_USER))) { + pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name"); + return PAM_USER_UNKNOWN; + } + + if ((pwd = pam_modutil_getpwnam(pamh, username)) != NULL) { + username = pwd->pw_name; + } /* ignore error and keep using original username */ + + /* compute execute context */ +#ifdef HAVE_GETSEUSER + if (!(service = get_item(pamh, PAM_SERVICE))) { + pam_syslog(pamh, LOG_ERR, "Cannot obtain the service name"); + return PAM_SESSION_ERR; + } + if (getseuser(username, service, &seuser, &level) == 0) { +#else + if (getseuserbyname(username, &seuser, &level) == 0) { +#endif + num_contexts = get_ordered_context_list_with_level(seuser, level, NULL, + &contextlist); + if (debug) + pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User= %s Level= %s", + username, seuser, level); + free(level); + } + if (num_contexts > 0) { + free(seuser); + data->default_user_context = strdup(contextlist[0]); + freeconary(contextlist); + if (!data->default_user_context) { + pam_syslog(pamh, LOG_CRIT, "Out of memory"); + return PAM_BUF_ERR; + } + + data->exec_context = data->default_user_context; + if (select_context) + data->exec_context = config_context(pamh, data->default_user_context, + use_current_range, debug); + else if (env_params || use_current_range) + data->exec_context = context_from_env(pamh, data->default_user_context, + env_params, use_current_range, + debug); + } + + if (!data->exec_context) { + pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s", username); + pam_prompt(pamh, PAM_ERROR_MSG, NULL, + _("Unable to get valid context for %s"), username); + } + + if (getexeccon(&data->prev_exec_context) < 0) + data->prev_exec_context = NULL; + + return PAM_SUCCESS; +} + +static int +compute_tty_context(const pam_handle_t *pamh, module_data_t *data) +{ + const char *tty = get_item(pamh, PAM_TTY); + + if (!tty || !*tty || !strcmp(tty, "ssh") || !strncmp(tty, "NODEV", 5)) { + tty = ttyname(STDIN_FILENO); + if (!tty || !*tty) + tty = ttyname(STDOUT_FILENO); + if (!tty || !*tty) + tty = ttyname(STDERR_FILENO); + if (!tty || !*tty) + return PAM_SUCCESS; + } + + if (strncmp("/dev/", tty, 5)) { + if (asprintf(&data->tty_path, "%s%s", "/dev/", tty) < 0) + data->tty_path = NULL; + } else { + data->tty_path = strdup(tty); + } + + if (!data->tty_path) { + pam_syslog(pamh, LOG_CRIT, "Out of memory"); + return PAM_BUF_ERR; + } + + if (getfilecon(data->tty_path, &data->prev_tty_context) < 0) { + data->prev_tty_context = NULL; + if (errno == ENOENT) { + free(data->tty_path); + data->tty_path = NULL; + return PAM_SUCCESS; + } + pam_syslog(pamh, LOG_ERR, "Failed to get current context for %s: %m", + data->tty_path); + return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; + } + + if (security_compute_relabel(data->exec_context, data->prev_tty_context, + SECCLASS_CHR_FILE, &data->tty_context)) { + data->tty_context = NULL; + pam_syslog(pamh, LOG_ERR, "Failed to compute new context for %s: %m", + data->tty_path); + freecon(data->prev_tty_context); + data->prev_tty_context = NULL; + free(data->tty_path); + data->tty_path = NULL; + return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; + } + + return PAM_SUCCESS; +} + +static int +restore_context(const pam_handle_t *pamh, const module_data_t *data, int debug) +{ + int err; + + if (!data) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "No context to restore"); + return PAM_SUCCESS; + } + + if (debug && data->tty_path) + pam_syslog(pamh, LOG_NOTICE, + "Restore file context of tty %s: [%s] -> [%s]", + data->tty_path, + data->tty_context ? data->tty_context : "", + data->prev_tty_context ? data->prev_tty_context : ""); + err = set_file_context(pamh, data->prev_tty_context, data->tty_path); + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Restore executable context: [%s] -> [%s]", + data->exec_context, + data->prev_exec_context ? data->prev_exec_context : ""); + err |= set_exec_context(pamh, data->prev_exec_context); + + if (err && security_getenforce() == 1) + return PAM_SESSION_ERR; + + return PAM_SUCCESS; +} + +static int +set_context(pam_handle_t *pamh, const module_data_t *data, + int debug, int verbose) +{ + int rc, err; + + if (debug && data->tty_path) + pam_syslog(pamh, LOG_NOTICE, "Set file context of tty %s: [%s] -> [%s]", + data->tty_path, + data->prev_tty_context ? data->prev_tty_context : "", + data->tty_context ? data->tty_context : ""); + err = set_file_context(pamh, data->tty_context, data->tty_path); + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Set executable context: [%s] -> [%s]", + data->prev_exec_context ? data->prev_exec_context : "", + data->exec_context); + rc = set_exec_context(pamh, data->exec_context); + err |= rc; + + send_audit_message(pamh, !rc, data->default_user_context, data->exec_context); + if (verbose && !rc) { + char msg[PATH_MAX]; + + snprintf(msg, sizeof(msg), + _("Security Context %s Assigned"), data->exec_context); + send_text(pamh, msg, debug); + } +#ifdef HAVE_SETKEYCREATECON + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Set key creation context to %s", + data->exec_context ? data->exec_context : ""); + rc = setkeycreatecon(data->exec_context); + err |= rc; + if (rc) + pam_syslog(pamh, LOG_ERR, "Setting key creation context %s failed: %m", + data->exec_context ? data->exec_context : ""); + if (verbose && !rc) { + char msg[PATH_MAX]; + + snprintf(msg, sizeof(msg), + _("Key Creation Context %s Assigned"), data->exec_context); + send_text(pamh, msg, debug); + } +#endif + + if (err && security_getenforce() == 1) + return PAM_SESSION_ERR; + + return PAM_SUCCESS; +} + +static int +create_context(pam_handle_t *pamh, int argc, const char **argv, + int debug, int verbose) +{ + int i; + int ttys = 1; + int select_context = 0; + int use_current_range = 0; + int env_params = 0; + module_data_t *data; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "nottys") == 0) { + ttys = 0; + } + if (strcmp(argv[i], "select_context") == 0) { + select_context = 1; + } + if (strcmp(argv[i], "use_current_range") == 0) { + use_current_range = 1; + } + if (strcmp(argv[i], "env_params") == 0) { + env_params = 1; + } + } + + if (is_selinux_enabled() <= 0) { + if (debug) + pam_syslog(pamh, LOG_NOTICE, "SELinux is not enabled"); + return PAM_SUCCESS; + } + + if (select_context && env_params) { + pam_syslog(pamh, LOG_ERR, + "select_context cannot be used with env_params"); + select_context = 0; + } + + if (!(data = calloc(1, sizeof(*data)))) { + pam_syslog(pamh, LOG_CRIT, "Out of memory"); + return PAM_BUF_ERR; + } + + i = compute_exec_context(pamh, data, select_context, use_current_range, + env_params, debug); + if (i != PAM_SUCCESS) { + free_module_data(data); + return i; + } + + if (!data->exec_context) { + free_module_data(data); + return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS; + } + + if (ttys && (i = compute_tty_context(pamh, data)) != PAM_SUCCESS) { + free_module_data(data); + return i; + } + + if ((i = pam_set_data(pamh, DATANAME, data, cleanup)) != PAM_SUCCESS) { + pam_syslog(pamh, LOG_ERR, "Error saving context: %m"); + free_module_data(data); + return i; + } + + return set_context(pamh, data, debug, verbose); +} + +int +pam_sm_authenticate(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + /* Fail by default. */ + return PAM_AUTH_ERR; +} + +int +pam_sm_setcred(pam_handle_t *pamh UNUSED, int flags UNUSED, + int argc UNUSED, const char **argv UNUSED) +{ + return PAM_SUCCESS; +} + +int +pam_sm_open_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + const module_data_t *data; + int i, debug = 0, verbose = 0, close_session = 0, restore = 0; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; + } + if (strcmp(argv[i], "verbose") == 0) { + verbose = 1; + } + if (strcmp(argv[i], "close") == 0) { + close_session = 1; + } + if (strcmp(argv[i], "restore") == 0) { + restore = 1; + } + } + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Open Session"); + + /* Is this module supposed to execute close_session only? */ + if (close_session) + return PAM_SUCCESS; + + data = get_module_data(pamh); + + /* Is this module supposed only to restore original context? */ + if (restore) + return restore_context(pamh, data, debug); + + /* If there is a saved context, this module is supposed to set it again. */ + return data ? set_context(pamh, data, debug, verbose) : + create_context(pamh, argc, argv, debug, verbose); +} + +int +pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, + int argc, const char **argv) +{ + int i, debug = 0, open_session = 0; + + /* Parse arguments. */ + for (i = 0; i < argc; i++) { + if (strcmp(argv[i], "debug") == 0) { + debug = 1; + } + if (strcmp(argv[i], "open") == 0) { + open_session = 1; + } + } + + if (debug) + pam_syslog(pamh, LOG_NOTICE, "Close Session"); + + /* Is this module supposed to execute open_session only? */ + if (open_session) + return PAM_SUCCESS; + + /* Restore original context. */ + return restore_context(pamh, get_module_data(pamh), debug); +} diff --git a/modules/pam_selinux/pam_selinux_check.8 b/modules/pam_selinux/pam_selinux_check.8 new file mode 100644 index 0000000..34f578d --- /dev/null +++ b/modules/pam_selinux/pam_selinux_check.8 @@ -0,0 +1,35 @@ +.TH pam_selinux_check 8 2002/05/23 "Red Hat Linux" "System Administrator's Manual" +.SH NAME +pam_selinux_check \- login program to test pam_selinux.so +.SH SYNOPSIS +.B pam_selinux_check [user] +.br + +.SH DESCRIPTION +With no arguments, +.B pam_selinux_check +will prompt for user + +.SH OPTIONS +.IP target_user +The user to login as. + +.SH DIAGNOSTICS +You must setup a /etc/pam.d/pam_selinux_check file, in order for the check to work. + +When checking if a selinux is valid, +.B pam_selinux_check +returns an exit code of 0 for success and > 0 on error: + +.nf +1: Authentication failure +.fi + +.SH SEE ALSO +pam_selinux(8) + +.SH BUGS +Let's hope not, but if you find any, please email the author. + +.SH AUTHOR +Dan Walsh <dwalsh@redhat.com> diff --git a/modules/pam_selinux/pam_selinux_check.c b/modules/pam_selinux/pam_selinux_check.c new file mode 100644 index 0000000..30526d3 --- /dev/null +++ b/modules/pam_selinux/pam_selinux_check.c @@ -0,0 +1,161 @@ +/****************************************************************************** + * A module for Linux-PAM that will set the default security context after login + * via PAM. + * + * Copyright (c) 2003 Red Hat, Inc. + * Written by Dan Walsh <dwalsh@redhat.com> + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, and the entire permission notice in its entirety, + * including the disclaimer of warranties. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. The name of the author may not be used to endorse or promote + * products derived from this software without specific prior + * written permission. + * + * ALTERNATIVELY, this product may be distributed under the terms of + * the GNU Public License, in which case the provisions of the GPL are + * required INSTEAD OF the above restrictions. (This clause is + * necessary due to a potential bad interaction between the GPL and + * the restrictions contained in a BSD-style copyright.) + * + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED + * OF THE POSSIBILITY OF SUCH DAMAGE. + * + */ + +/************************************************************************ + * + * All PAM code goes in this section. + * + ************************************************************************/ + +#include "config.h" + +#include <errno.h> +#include <syslog.h> +#include <unistd.h> /* for getuid(), exit(), getopt() */ +#include <signal.h> +#include <sys/wait.h> /* for wait() */ + +#include <security/pam_appl.h> /* for PAM functions */ +#include <security/pam_misc.h> /* for misc_conv PAM utility function */ + +#define SERVICE_NAME "pam_selinux_check" /* the name of this program for PAM */ + /* The file containing the context to run + * the scripts under. */ +int authenticate_via_pam( const char *user , pam_handle_t **pamh); + +/* authenticate_via_pam() + * + * in: user + * out: nothing + * return: value condition + * ----- --------- + * 1 pam thinks that the user authenticated themselves properly + * 0 otherwise + * + * this function uses pam to authenticate the user running this + * program. this is the only function in this program that makes pam + * calls. + * + */ + +int authenticate_via_pam( const char *user , pam_handle_t **pamh) { + + struct pam_conv *conv; + int result = 0; /* our result, set to 0 (not authenticated) by default */ + + /* this is a jump table of functions for pam to use when it wants to * + * communicate with the user. we'll be using misc_conv(), which is * + * provided for us via pam_misc.h. */ + struct pam_conv pam_conversation = { + misc_conv, + NULL + }; + conv = &pam_conversation; + + + /* make `p_pam_handle' a valid pam handle so we can use it when * + * calling pam functions. */ + if( PAM_SUCCESS != pam_start( SERVICE_NAME, + user, + conv, + pamh ) ) { + fprintf( stderr, _("failed to initialize PAM\n") ); + exit( -1 ); + } + + if( PAM_SUCCESS != pam_set_item(*pamh, PAM_RUSER, user)) + { + fprintf( stderr, _("failed to pam_set_item()\n") ); + exit( -1 ); + } + + /* Ask PAM to authenticate the user running this program */ + if( PAM_SUCCESS == pam_authenticate(*pamh,0) ) { + if ( PAM_SUCCESS == pam_open_session(*pamh, 0) ) + result = 1; /* user authenticated OK! */ + } + return( result ); + +} /* authenticate_via_pam() */ + +int +main (int argc, char **argv) +{ + pam_handle_t *pamh; + int childPid; + + if (argc < 1) + exit (-1); + + if (!authenticate_via_pam(argv[1],&pamh)) + exit(-1); + + childPid = fork(); + if (childPid < 0) { + /* error in fork() */ + fprintf(stderr, _("login: failure forking: %m")); + pam_close_session(pamh, 0); + /* We're done with PAM. Free `pam_handle'. */ + pam_end( pamh, PAM_SUCCESS ); + exit(0); + } + if (childPid) { + close(0); close(1); close(2); + struct sigaction sa; + memset(&sa,0,sizeof(sa)); + sa.sa_handler = SIG_IGN; + sigaction(SIGQUIT, &sa, NULL); + sigaction(SIGINT, &sa, NULL); + while(wait(NULL) == -1 && errno == EINTR) /**/ ; + openlog("login", LOG_ODELAY, LOG_AUTHPRIV); + pam_close_session(pamh, 0); + /* We're done with PAM. Free `pam_handle'. */ + pam_end( pamh, PAM_SUCCESS ); + exit(0); + } + argv[0]=strdup ("/bin/sh"); + argv[1]=NULL; + + /* NOTE: The environment has not been sanitized. LD_PRELOAD and other fun + * things could be set. */ + execv("/bin/sh",argv); + fprintf(stderr,"Failure\n"); + return 0; +} diff --git a/modules/pam_selinux/tst-pam_selinux b/modules/pam_selinux/tst-pam_selinux new file mode 100755 index 0000000..14c3d82 --- /dev/null +++ b/modules/pam_selinux/tst-pam_selinux @@ -0,0 +1,2 @@ +#!/bin/sh +../../tests/tst-dlopen .libs/pam_selinux.so |