From 6fe43fb34e16b5da4e41c581e4564249c39a2e4d Mon Sep 17 00:00:00 2001
From: ikerexxe
Date: Fri, 13 Mar 2020 10:54:34 +0100
Subject: [PATCH] Revert "pam_selinux: check unknown object classes or permissions in current policy"

This reverts commit 04993bd30fbf249db9e65db97345f9cc25c61fcd.
---
 ....1-pam_selinux-check-unknown-objects.patch | 96 -------------------
 pam.spec | 9 +-
 2 files changed, 5 insertions(+), 100 deletions(-)
 delete mode 100644 pam-1.3.1-pam_selinux-check-unknown-objects.patch

diff --git a/pam-1.3.1-pam_selinux-check-unknown-objects.patch b/pam-1.3.1-pam_selinux-check-unknown-objects.patch
deleted file mode 100644
index 4c55c97..0000000
--- a/pam-1.3.1-pam_selinux-check-unknown-objects.patch
+++ /dev/null
@@ -1,96 +0,0 @@
-From c6c51832af8e7724cfbd454daa65a6644f5b45c2 Mon Sep 17 00:00:00 2001
-From: ikerexxe
-Date: Fri, 6 Mar 2020 15:04:09 +0100
-Subject: [PATCH] pam_selinux: check unknown object classes or permissions in
- current policy
-
-Explanation: check whether unknown object classes or permissions are allowed or denied in the current policy
-
-Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1680961
----
- modules/pam_selinux/pam_selinux.c | 50 +++++--------------------------
- 1 file changed, 8 insertions(+), 42 deletions(-)
-
-diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
-index 96f9c831..827f5942 100644
---- a/modules/pam_selinux/pam_selinux.c
-+++ b/modules/pam_selinux/pam_selinux.c
-@@ -157,42 +157,6 @@ query_response (pam_handle_t *pamh, const char *text, const char *def,
- return rc;
- }
-
--static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug)
--{
-- struct av_decision avd;
-- int retval;
-- security_class_t class;
-- access_vector_t bit;
-- context_t src_context;
-- context_t dst_context;
--
-- class = string_to_security_class("context");
-- if (!class) {
-- pam_syslog(pamh, LOG_ERR, "Failed to translate security class context. %m");
-- return 0;
-- }
--
-- bit = string_to_av_perm(class, "contains");
-- if (!bit) {
-- pam_syslog(pamh, LOG_ERR, "Failed to translate av perm contains. %m");
-- return 0;
-- }
--
-- src_context = context_new (src);
-- dst_context = context_new (dst);
-- context_range_set(dst_context, context_range_get(src_context));
-- if (debug)
-- pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context));
--
-- retval = security_compute_av(context_str(dst_context), dst, class, bit, &avd);
-- context_free(src_context);
-- context_free(dst_context);
-- if (retval || ((bit & avd.allowed) != bit))
-- return 0;
--
-- return 1;
--}
--
- static security_context_t
- config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_current_range, int debug)
- {
-@@ -274,16 +238,17 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre
- goto fail_set;
- context_free(new_context);
-
-- /* we have to check that this user is allowed to go into the
-- range they have specified ... role is tied to an seuser, so that'll
-- be checked at setexeccon time */
-- if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
-+ /* we have to check that this user is allowed to go into the
-+ range they have specified ... role is tied to an seuser, so that'll
-+ be checked at setexeccon time */
-+ if (mls_enabled &&
-+ selinux_check_access(defaultcon, newcon, "context", "contains", NULL) != 0) {
- pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon);
-
- send_audit_message(pamh, 0, defaultcon, newcon);
-
- free(newcon);
-- goto fail_range;
-+ goto fail_range;
- }
- return newcon;
- }
-@@ -385,7 +350,8 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par
- /* we have to check that this user is allowed to go into the
- range they have specified ... role is tied to an seuser, so that'll
- be checked at setexeccon time */
-- if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) {
-+ if (mls_enabled &&
-+ selinux_check_access(defaultcon, newcon, "context", "contains", NULL) != 0) {
- pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon);
-
- goto fail_set;
---
-2.24.1
-
diff --git a/pam.spec b/pam.spec
index 1b1d134..e2a5590 100644
--- a/pam.spec
+++ b/pam.spec
@@ -3,7 +3,7 @@
 Summary: An extensible library which provides authentication for applications
 Name: pam
 Version: 1.3.1
-Release: 22%{?dist}
+Release: 23%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+
 # - this option is redundant as the BSD license allows that anyway.
 # pam_timestamp, pam_loginuid, and pam_console modules are GPLv2+.
@@ -60,7 +60,6 @@ Patch48: pam-1.3.1-unix-improve-logging.patch
 Patch49: pam-1.3.1-tty-audit-manfix.patch
 Patch50: pam-1.3.1-fds-closing.patch
 Patch51: pam-1.3.1-authtok-verify-fix.patch
-Patch52: pam-1.3.1-pam_selinux-check-unknown-objects.patch
 %global _pamlibdir %{_libdir}
 %global _moduledir %{_libdir}/security
@@ -151,7 +150,6 @@ cp %{SOURCE18} .
 %patch49 -p1 -b .tty-audit-manfix
 %patch50 -p1 -b .fds-closing
 %patch51 -p1 -b .authtok-verify-fix
-%patch52 -p1 -b .pam_selinux-check-unknown-objects
 autoreconf -i
@@ -401,7 +399,10 @@ done
 %doc doc/specs/rfc86.0.txt
 %changelog
-* Mon Mar 9 2020 Iker Pedrosa - 1.3.1-24
+* Fri Mar 13 2020 Iker Pedrosa - 1.3.1-23
+- revert previous change
+
+* Mon Mar 9 2020 Iker Pedrosa - 1.3.1-22
 - pam_selinux: check unknown object classes or permissions in current policy
 * Wed Dec 18 2019 Tomáš Mráz 1.3.1-21
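Review bot: The new changelog entry in the last pam.spec hunk, `+- revert previous change`, names neither what was reverted nor why, and the only reference to the motivating bug (the Resolves link to bugzilla 1680961) leaves the tree with the deleted patch file, so a reader of the spec history cannot tell that pam_selinux goes back to the mls_range_allowed()/security_compute_av() check instead of selinux_check_access(). A self-contained line such as `- revert "pam_selinux: check unknown object classes or permissions in current policy" (rhbz#1680961)`, with the reason for the revert added to the commit description, would keep that trail. The same hunk also silently corrects the earlier entry's release from 1.3.1-24 to 1.3.1-22 to match the Release tag that was actually built; that fix is worth a mention in the description as well. The Release bump and the removal of Patch52 and %patch52 are consistent with the deleted file.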