From f36ffc1042ecbadeeaf05a1488209a4dbded5630 Mon Sep 17 00:00:00 2001
From: mitr
Date: Sep 02 2004 21:59:34 +0000
Subject: Remove the separate SELinux patch now
---
diff --git a/Makefile.am b/Makefile.am
index bbd38fa..287685e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1,5 +1,5 @@
 SUBDIRS = po docs lib apps samples python modules
-EXTRA_DIST = libuser.spec libuser-selinux.patch
+EXTRA_DIST = libuser.spec
 sysconf_DATA = libuser.conf
 pkgconfigdir = $(libdir)/pkgconfig
diff --git a/libuser-selinux.patch b/libuser-selinux.patch
deleted file mode 100644
index 9588565..0000000
--- a/libuser-selinux.patch
+++ /dev/null
@@ -1,663 +0,0 @@ -diff -urN libuser/apps/apputil.c libuser-0.51.9/apps/apputil.c ---- libuser/apps/apputil.c 2004-08-30 22:21:00.000000000 +0200 -+++ libuser-0.51.9/apps/apputil.c 2004-08-31 17:32:50.944059120 +0200 -@@ -46,6 +46,59 @@ - #include "../lib/error.h" - #include "apputil.h" - -+#ifdef WITH_SELINUX -+#include -+#include -+#include -+#include -+int checkAccess(const char *chuser, int access) { -+ int status=-1; -+ security_context_t user_context; -+ char *user=NULL; -+ if( getprevcon(&user_context)==0 ) { -+ context_t c=context_new(user_context); -+ user=context_user_get(c); -+ if (strcmp(chuser, user) == 0) { -+ status=0; -+ } else { -+ struct av_decision avd; -+ int retval = security_compute_av(user_context, -+ user_context, -+ SECCLASS_PASSWD, -+ access, -+ &avd); -+ -+ if ((retval == 0) && -+ ((access & avd.allowed) == access)) { -+ status=0; -+ } -+ } -+ context_free(c); -+ freecon(user_context); -+ } -+ return status; -+} -+ -+int setupDefaultContext(char *orig_file) { -+ if (is_selinux_enabled()>0) { -+ security_context_t scontext; -+ -+ if (getfilecon(orig_file,&scontext)<0) { -+ return 1; -+ } -+ -+ if (setfscreatecon(scontext) < 0) -+ { -+ freecon(scontext); -+ return 1; -+ } -+ freecon(scontext); -+ } -+ return 0; -+} -+#endif -+ -+ - /* Populate a user's home directory, copying data from a named skeleton - * directory, setting all ownerships as given, and setting the mode of - * the top-level directory as given. 
*/ -@@ -433,6 +486,26 @@ - conv.conv = misc_conv; - conv.appdata_ptr = NULL; - -+#ifdef WITH_SELINUX -+ if (is_selinux_enabled()>0) { -+ if(getuid() == 0) { -+ if (checkAccess(user,(int) PASSWD__CHFN)!=0) { -+ security_context_t user_context; -+ if (getprevcon(&user_context) < 0) -+ user_context=(security_context_t) strdup(_("Unknown user context")); -+ fprintf(stderr, _("%s is not authorized to change the finger info of %s\n"), -+ user_context, user); -+ freecon(user_context); -+ exit(1); -+ } -+ } -+ if (setupDefaultContext("/etc/passwd") != 0) { -+ fprintf(stderr,_("Can't set default context for /etc/passwd")); -+ exit(1); -+ } -+ } -+#endif -+ - /* Start up PAM. */ - if (pam_start(appname, user, &conv, &pamh) != PAM_SUCCESS) { - fprintf(stderr, _("Error initializing PAM.\n")); -diff -urN libuser/apps/Makefile.am libuser-0.51.9/apps/Makefile.am ---- libuser/apps/Makefile.am 2004-08-24 18:01:04.000000000 +0200 -+++ libuser-0.51.9/apps/Makefile.am 2004-08-31 17:32:50.951058056 +0200 -@@ -13,8 +13,8 @@ - luserdel \ - lusermod - --AM_CFLAGS = -I@PYTHON_INC@ @GOBJECT_CFLAGS@ --LDADD = ../lib/libuser.la @GOBJECT_LIBS@ @PAM_MISC_LIBS@ @POPT_LIBS@ @CRYPT_LIBS@ -+AM_CFLAGS = -I@PYTHON_INC@ @GOBJECT_CFLAGS@ -DWITH_SELINUX -+LDADD = ../lib/libuser.la @GOBJECT_LIBS@ @PAM_MISC_LIBS@ @POPT_LIBS@ @CRYPT_LIBS@ -lselinux - - lchsh_SOURCES = \ - apputil.c \ -diff -urN libuser/modules/files.c libuser-0.51.9/modules/files.c ---- libuser/modules/files.c 2004-08-30 23:03:13.000000000 +0200 -+++ libuser-0.51.9/modules/files.c 2004-08-31 17:32:51.027046504 +0200 -@@ -35,6 +35,51 @@ - #include "../lib/user_private.h" - #include "default.-c" - -+#ifdef WITH_SELINUX -+#include -+static security_context_t prev_context=NULL; -+static gboolean setDefaultContext(char *filename, -+ struct lu_error **error) -+{ -+ if (is_selinux_enabled()>0) { -+ security_context_t scontext=NULL; -+ if (getfilecon(filename, &scontext) < 0) { -+ lu_error_new(error, lu_error_stat, -+ _("couldn't get security 
context `%s': %s"), filename, -+ strerror(errno)); -+ return FALSE; -+ } -+ if (getfscreatecon(&prev_context) < 0 ) { -+ freecon(scontext); -+ lu_error_new(error, lu_error_stat, -+ _("couldn't set default security context: %s"), -+ strerror(errno)); -+ return FALSE; -+ } -+ if (setfscreatecon(scontext) < 0 ) { -+ freecon(scontext); -+ lu_error_new(error, lu_error_stat, -+ _("couldn't set default security context to `%s': %s"), scontext, -+ strerror(errno)); -+ return FALSE; -+ } -+ freecon(scontext); -+ } -+ return TRUE; -+} -+static void resetDefaultContext(struct lu_error **error) -+{ -+ if (setfscreatecon(prev_context) < 0 ) { -+ lu_error_new(error, lu_error_stat, -+ _("couldn't reset default security context to `%s': %s"), prev_context, -+ strerror(errno)); -+ } -+ if (prev_context) { -+ freecon(prev_context); -+ prev_context=NULL; -+ } -+} -+#endif - #define CHUNK_SIZE (LINE_MAX * 4) - - LU_MODULE_INIT(libuser_files_init) -@@ -809,10 +854,16 @@ - filename = g_strconcat(dir, "/", base_name, NULL); - g_free(key); - -+#ifdef WITH_SELINUX -+ if (! setDefaultContext(filename,error)) { -+ g_free(filename); -+ return FALSE; -+ } -+#endif - /* Create a backup copy of the file we're about to modify. */ - if (lu_files_create_backup(filename, error) == FALSE) { - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Open the file. */ -@@ -822,14 +873,14 @@ - _("couldn't open `%s': %s"), filename, - strerror(errno)); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Lock the file. */ - if ((lock = lu_util_lock_obtain(fd, error)) == NULL) { - close(fd); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Read the file's size. 
*/ -@@ -840,7 +891,7 @@ - lu_util_lock_free(lock); - close(fd); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Generate a new line with the right data in it, and allocate space -@@ -876,7 +927,7 @@ - g_free(fragment2); - g_free(contents); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Check if the beginning of the file is the same as the beginning -@@ -890,7 +941,7 @@ - g_free(fragment2); - g_free(contents); - g_free(filename); -- return FALSE; -+ goto fail; - } else - /* If not, search for a newline followed by the beginning of - * the entry. */ -@@ -903,7 +954,7 @@ - g_free(fragment2); - g_free(contents); - g_free(filename); -- return FALSE; -+ goto fail; - } - /* Hooray, we can add this entry at the end of the file. */ - offset = lseek(fd, 0, SEEK_END); -@@ -917,7 +968,7 @@ - g_free(fragment2); - g_free(contents); - g_free(filename); -- return FALSE; -+ goto fail; - } - /* If the last byte in the file isn't a newline, add one, and silently - * curse people who use text editors (which shall remain unnamed) which -@@ -942,7 +993,7 @@ - g_free(fragment2); - g_free(contents); - g_free(filename); -- return FALSE; -+ goto fail; - } else { - /* Hey, it succeeded. */ - ret = TRUE; -@@ -953,7 +1004,13 @@ - lu_util_lock_free(lock); - close(fd); - g_free(filename); -- -+ goto done; -+ fail: -+ ret=FALSE; -+ done: -+#ifdef WITH_SELINUX -+ resetDefaultContext(error); -+#endif - return ret; - } - -@@ -1074,7 +1131,7 @@ - char *p, *q, *new_value; - GValueArray *names = NULL, *values = NULL; - GValue *value; -- gboolean ret = FALSE; -+ gboolean ret = TRUE; - - g_assert(module != NULL); - g_assert(base_name != NULL); -@@ -1112,10 +1169,16 @@ - filename = g_strconcat(dir, "/", base_name, NULL); - g_free(key); - -+#ifdef WITH_SELINUX -+ if (! setDefaultContext(filename,error)) { -+ g_free(filename); -+ return FALSE; -+ } -+#endif - /* Create a backup file. 
*/ - if (lu_files_create_backup(filename, error) == FALSE) { - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Open the file to be modified. */ -@@ -1125,14 +1188,14 @@ - _("couldn't open `%s': %s"), filename, - strerror(errno)); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Lock the file. */ - if ((lock = lu_util_lock_obtain(fd, error)) == NULL) { - close(fd); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* We iterate over all of the fields individually. */ -@@ -1192,7 +1255,7 @@ - lu_util_lock_free(lock); - close(fd); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* We may have just renamed the account (we're safe assuming -@@ -1208,7 +1271,7 @@ - lu_util_lock_free(lock); - close(fd); - g_free(filename); -- return FALSE; -+ goto fail; - } - } else - if (ent->type == lu_group) { -@@ -1220,7 +1283,7 @@ - lu_util_lock_free(lock); - close(fd); - g_free(filename); -- return FALSE; -+ goto fail; - } - } else { - g_assert_not_reached(); -@@ -1231,8 +1294,14 @@ - lu_util_lock_free(lock); - close(fd); - g_free(filename); -- -- return TRUE; -+ goto done; -+ fail: -+ ret=FALSE; -+ done: -+#ifdef WITH_SELINUX -+ resetDefaultContext(error); -+#endif -+ return ret; - } - - /* Modify an entry in the passwd file. */ -@@ -1285,6 +1354,7 @@ - generic_del(struct lu_module *module, const char *base_name, - struct lu_ent *ent, struct lu_error **error) - { -+ gboolean ret=TRUE; - GValueArray *name = NULL; - GValue *value; - char *contents = NULL, *filename = NULL, *key = NULL; -@@ -1318,10 +1388,16 @@ - filename = g_strconcat(dir, "/", base_name, NULL); - g_free(key); - -+#ifdef WITH_SELINUX -+ if (! setDefaultContext(filename,error)) { -+ g_free(filename); -+ return FALSE; -+ } -+#endif - /* Create a backup of that file. */ - if (lu_files_create_backup(filename, error) == FALSE) { - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Open the file to be modified. 
*/ -@@ -1331,14 +1407,14 @@ - _("couldn't open `%s': %s"), filename, - strerror(errno)); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Lock the file. */ - if ((lock = lu_util_lock_obtain(fd, error)) == NULL) { - close(fd); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Determine the file's size. */ -@@ -1349,7 +1425,7 @@ - lu_util_lock_free(lock); - close(fd); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Allocate space to hold the file and read it all in. */ -@@ -1362,7 +1438,7 @@ - lu_util_lock_free(lock); - close(fd); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Generate string versions of what the beginning of a line might -@@ -1408,7 +1484,7 @@ - lu_util_lock_free(lock); - close(fd); - g_free(filename); -- return TRUE; -+ goto done; - } - - /* Otherwise we need to write the new data to the file. Jump back to -@@ -1421,7 +1497,7 @@ - lu_util_lock_free(lock); - close(fd); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Write the new contents out. */ -@@ -1433,7 +1509,7 @@ - lu_util_lock_free(lock); - close(fd); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Truncate the file to the new (certainly shorter) length. */ -@@ -1444,8 +1520,14 @@ - lu_util_lock_free(lock); - close(fd); - g_free(filename); -- -- return TRUE; -+ goto done; -+ fail: -+ ret=FALSE; -+ done: -+#ifdef WITH_SELINUX -+ resetDefaultContext(error); -+#endif -+ return ret; - } - - /* Remove a user from the passwd file. */ -@@ -1547,10 +1629,16 @@ - filename = g_strconcat(dir, "/", base_name, NULL); - g_free(key); - -+#ifdef WITH_SELINUX -+ if (! setDefaultContext(filename,error)) { -+ g_free(filename); -+ return FALSE; -+ } -+#endif - /* Create a backup of the file. */ - if (lu_files_create_backup(filename, error) == FALSE) { - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Open the file. 
*/ -@@ -1560,14 +1648,14 @@ - _("couldn't open `%s': %s"), filename, - strerror(errno)); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Lock the file. */ - if ((lock = lu_util_lock_obtain(fd, error)) == NULL) { - close(fd); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Generate a string representation of the name. */ -@@ -1588,7 +1676,7 @@ - close(fd); - g_free(namestring); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Check that we actually care about this. If there's a non-empty, -@@ -1600,7 +1688,8 @@ - g_free(value); - g_free(namestring); - g_free(filename); -- return TRUE; -+ ret = TRUE; -+ goto done; - } - - /* Generate a new value for the file. */ -@@ -1614,7 +1703,7 @@ - close(fd); - g_free(namestring); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Clean up. */ -@@ -1623,7 +1712,14 @@ - g_free(namestring); - g_free(filename); - -- return TRUE; -+ goto done; -+ fail: -+ ret=FALSE; -+ done: -+#ifdef WITH_SELINUX -+ resetDefaultContext(error); -+#endif -+ return ret; - } - - /* Check if an account [password] is locked. */ -@@ -1834,7 +1930,7 @@ - const char *dir; - int fd = -1; - gpointer lock; -- gboolean ret = FALSE; -+ gboolean ret = TRUE; - - /* Get the name of this account. */ - g_assert((ent->type == lu_user) || (ent->type == lu_group)); -@@ -1857,10 +1953,16 @@ - filename = g_strconcat(dir, "/", base_name, NULL); - g_free(key); - -+#ifdef WITH_SELINUX -+ if (! setDefaultContext(filename,error)) { -+ g_free(filename); -+ return FALSE; -+ } -+#endif - /* Create a backup of the file. */ - if (lu_files_create_backup(filename, error) == FALSE) { - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Open the file. */ -@@ -1870,14 +1972,14 @@ - _("couldn't open `%s': %s"), filename, - strerror(errno)); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Lock the file. 
*/ - if ((lock = lu_util_lock_obtain(fd, error)) == NULL) { - close(fd); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* Get the name of the account. */ -@@ -1898,7 +2000,7 @@ - close(fd); - g_free(namestring); - g_free(filename); -- return FALSE; -+ goto fail; - } - - /* If we don't really care, nod our heads and smile. */ -@@ -1907,7 +2009,7 @@ - close(fd); - g_free(namestring); - g_free(filename); -- return TRUE; -+ goto done; - } - - /* The crypt prefix indicates that the password is already hashed. If -@@ -1926,14 +2028,20 @@ - close(fd); - g_free(namestring); - g_free(filename); -- return FALSE; -+ goto fail; - } - - lu_util_lock_free(lock); - close(fd); - g_free(namestring); - g_free(filename); -- -+ goto done; -+ fail: -+ ret=FALSE; -+ done: -+#ifdef WITH_SELINUX -+ resetDefaultContext(error); -+#endif - return ret; - } - -diff -urN libuser/modules/Makefile.am libuser-0.51.9/modules/Makefile.am ---- libuser/modules/Makefile.am 2004-08-31 17:06:52.000000000 +0200 -+++ libuser-0.51.9/modules/Makefile.am 2004-08-31 17:35:40.584269888 +0200 -@@ -1,4 +1,4 @@ --AM_CFLAGS = -I../include -I@PYTHON_INC@ @GOBJECT_CFLAGS@ -D_LIBUSER_MODULE -+AM_CFLAGS = -I../include -I@PYTHON_INC@ @GOBJECT_CFLAGS@ -D_LIBUSER_MODULE -DWITH_SELINUX - - EXTRA_LTLIBRARIES = \ - libuser_files.la \ -@@ -11,7 +11,7 @@ - pkglib_LTLIBRARIES = $(MODULES:.so=.la) - - AM_LDFLAGS = -module -avoid-version -export-dynamic -rpath '$(pkglibdir)' \ -- @GOBJECT_LIBS@ ../lib/libuser.la -+ @GOBJECT_LIBS@ ../lib/libuser.la -lselinux - - libuser_files_la_SOURCES = files.c - libuser_shadow_la_SOURCES = files.c -diff -urN libuser/python/Makefile.am libuser-0.51.9/python/Makefile.am ---- libuser/python/Makefile.am 2004-08-31 17:06:52.000000000 +0200 -+++ libuser-0.51.9/python/Makefile.am 2004-08-31 17:38:03.957473848 +0200 -@@ -11,7 +11,8 @@ - - libusermodule_la_SOURCES = libusermodule.c common.h debug.h ../apps/apputil.c - libusermodule_la_LDFLAGS = -module -avoid-version -export-dynamic \ -- 
-rpath '$(pythonexecdir)' @GOBJECT_LIBS@ @PAM_MISC_LIBS@ @CRYPT_LIBS@ -+ -rpath '$(pythonexecdir)' @GOBJECT_LIBS@ @PAM_MISC_LIBS@ @CRYPT_LIBS@ \ -+ -lselinux - libusermodule_la_LIBADD = ../lib/libuser.la - - libuserquotamodule_la_SOURCES = quotamodule.c debug.h -diff -urN libuser/samples/Makefile.am libuser-0.51.9/samples/Makefile.am ---- libuser/samples/Makefile.am 2004-08-24 18:01:05.000000000 +0200 -+++ libuser-0.51.9/samples/Makefile.am 2004-08-31 17:32:51.043044072 +0200 -@@ -15,7 +15,7 @@ - - homedir_SOURCES = homedir.c - --homedir_LDADD = ../apps/apputil.o ../lib/libuser.la @GOBJECT_LIBS@ @PAM_MISC_LIBS@ @CRYPT_LIBS@ -+homedir_LDADD = ../apps/apputil.o ../lib/libuser.la @GOBJECT_LIBS@ @PAM_MISC_LIBS@ @CRYPT_LIBS@ -lselinux - - lookup_SOURCES = lookup.c -