Revert "pam_selinux: check unknown object classes or permissions in current policy"
This reverts commit 04993bd30fbf249db9e65db97345f9cc25c61fcd.
This commit is contained in:
ikerexxe
parent
04993bd30f
commit
6fe43fb34e
@ -1,96 +0,0 @@
|
||||
From c6c51832af8e7724cfbd454daa65a6644f5b45c2 Mon Sep 17 00:00:00 2001
|
||||
From: ikerexxe <ipedrosa@redhat.com>
|
||||
Date: Fri, 6 Mar 2020 15:04:09 +0100
|
||||
Subject: [PATCH] pam_selinux: check unknown object classes or permissions in
|
||||
current policy
|
||||
|
||||
Explanation: check whether unknown object classes or permissions are allowed or denied in the current policy
|
||||
|
||||
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1680961
|
||||
---
|
||||
modules/pam_selinux/pam_selinux.c | 50 +++++--------------------------
|
||||
1 file changed, 8 insertions(+), 42 deletions(-)
|
||||
|
||||
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
|
||||
index 96f9c831..827f5942 100644
|
||||
--- a/modules/pam_selinux/pam_selinux.c
|
||||
+++ b/modules/pam_selinux/pam_selinux.c
|
||||
@@ -157,42 +157,6 @@ query_response (pam_handle_t *pamh, const char *text, const char *def,
|
||||
return rc;
|
||||
}
|
||||
|
||||
-static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug)
|
||||
-{
|
||||
- struct av_decision avd;
|
||||
- int retval;
|
||||
- security_class_t class;
|
||||
- access_vector_t bit;
|
||||
- context_t src_context;
|
||||
- context_t dst_context;
|
||||
-
|
||||
- class = string_to_security_class("context");
|
||||
- if (!class) {
|
||||
- pam_syslog(pamh, LOG_ERR, "Failed to translate security class context. %m");
|
||||
- return 0;
|
||||
- }
|
||||
-
|
||||
- bit = string_to_av_perm(class, "contains");
|
||||
- if (!bit) {
|
||||
- pam_syslog(pamh, LOG_ERR, "Failed to translate av perm contains. %m");
|
||||
- return 0;
|
||||
- }
|
||||
-
|
||||
- src_context = context_new (src);
|
||||
- dst_context = context_new (dst);
|
||||
- context_range_set(dst_context, context_range_get(src_context));
|
||||
- if (debug)
|
||||
- pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context));
|
||||
-
|
||||
- retval = security_compute_av(context_str(dst_context), dst, class, bit, &avd);
|
||||
- context_free(src_context);
|
||||
- context_free(dst_context);
|
||||
- if (retval || ((bit & avd.allowed) != bit))
|
||||
- return 0;
|
||||
-
|
||||
- return 1;
|
||||
-}
|
||||
-
|
||||
static security_context_t
|
||||
config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_current_range, int debug)
|
||||
{
|
||||
@@ -274,16 +238,17 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre
|
||||
goto fail_set;
|
||||
context_free(new_context);
|
||||
|
||||
- /* we have to check that this user is allowed to go into the
|
||||
- range they have specified ... role is tied to an seuser, so that'll
|
||||
- be checked at setexeccon time */
|
||||
- if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
|
||||
+ /* we have to check that this user is allowed to go into the
|
||||
+ range they have specified ... role is tied to an seuser, so that'll
|
||||
+ be checked at setexeccon time */
|
||||
+ if (mls_enabled &&
|
||||
+ selinux_check_access(defaultcon, newcon, "context", "contains", NULL) != 0) {
|
||||
pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon);
|
||||
|
||||
send_audit_message(pamh, 0, defaultcon, newcon);
|
||||
|
||||
free(newcon);
|
||||
- goto fail_range;
|
||||
+ goto fail_range;
|
||||
}
|
||||
return newcon;
|
||||
}
|
||||
@@ -385,7 +350,8 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
|
||||
/* we have to check that this user is allowed to go into the
|
||||
range they have specified ... role is tied to an seuser, so that'll
|
||||
be checked at setexeccon time */
|
||||
- if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
|
||||
+ if (mls_enabled &&
|
||||
+ selinux_check_access(defaultcon, newcon, "context", "contains", NULL) != 0) {
|
||||
pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon);
|
||||
|
||||
goto fail_set;
|
||||
--
|
||||
2.24.1
|
||||
|
||||
9
pam.spec
9
pam.spec
@ -3,7 +3,7 @@
|
||||
Summary: An extensible library which provides authentication for applications
|
||||
Name: pam
|
||||
Version: 1.3.1
|
||||
Release: 22%{?dist}
|
||||
Release: 23%{?dist}
|
||||
# The library is BSD licensed with option to relicense as GPLv2+
|
||||
# - this option is redundant as the BSD license allows that anyway.
|
||||
# pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
|
||||
@ -60,7 +60,6 @@ Patch48: pam-1.3.1-unix-improve-logging.patch
|
||||
Patch49: pam-1.3.1-tty-audit-manfix.patch
|
||||
Patch50: pam-1.3.1-fds-closing.patch
|
||||
Patch51: pam-1.3.1-authtok-verify-fix.patch
|
||||
Patch52: pam-1.3.1-pam_selinux-check-unknown-objects.patch
|
||||
|
||||
%global _pamlibdir %{_libdir}
|
||||
%global _moduledir %{_libdir}/security
|
||||
@ -151,7 +150,6 @@ cp %{SOURCE18} .
|
||||
%patch49 -p1 -b .tty-audit-manfix
|
||||
%patch50 -p1 -b .fds-closing
|
||||
%patch51 -p1 -b .authtok-verify-fix
|
||||
%patch52 -p1 -b .pam_selinux-check-unknown-objects
|
||||
|
||||
autoreconf -i
|
||||
|
||||
@ -401,7 +399,10 @@ done
|
||||
%doc doc/specs/rfc86.0.txt
|
||||
|
||||
%changelog
|
||||
* Mon Mar 9 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-24
|
||||
* Fri Mar 13 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-23
|
||||
- revert previous change
|
||||
|
||||
* Mon Mar 9 2020 Iker Pedrosa <ipedrosa@redhat.com> - 1.3.1-22
|
||||
- pam_selinux: check unknown object classes or permissions in current policy
|
||||
|
||||
* Wed Dec 18 2019 Tomáš Mráz <tmraz@redhat.com> 1.3.1-21
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user