Good afternoon,
I finally managed to get the util-linux-2.11b/login to work, and attach the diffs against the SuSE 7.2 util-linux-2.11b/login.c source file.
This login program worked after I commented out these three system calls:
signal(SIGHUP, SIG_IGN); /* ignore signal from TIOCNOTTY */
ioctl(0, TIOCNOTTY, NULL);
signal(SIGHUP, SIG_DFL);
These occur in the "else if (childPID)" block after the fork() (see, e.g., lines 1239–1250 in the SELinux util-linux-2.10/login-utils/login.c); they were commented out in the SuSE 7.2 pam_login source file.
Perhaps this is an improvement introduced in the util-linux-2.11b package? It's not really important, but if some kind soul has the time to explain the purpose of these calls, I'd be grateful.
James Bishop
+#ifdef CONFIG_FLASK
+#include <linux/flask/flask_types.h>
+#include <flask_util.h>
+#include <fs_secure.h>
+#include <ss.h>
+#include <get_user_sid.h>
+#endif
+
#ifdef USE_PAM
# include <security/pam_appl.h>
# include <security/pam_misc.h>
@@ -336,6 +344,17 @@
int ioctlval;
+#ifdef CONFIG_FLASK
+ security_context_t user_context;
+ security_id_t user_sid;
+ security_id_t ttyn_sid; /* The current sid of ttyn device */
+ security_id_t vcsn_sid; /* The current sid of vcsn device */
+ security_id_t vcsan_sid; /* The current sid of vcsan device */
+ security_id_t newdev_sid; /* The new sid of a device */
+ struct stat statbuf;
+ int FLASK_flag;
+#endif
+
signal(SIGALRM, timedout);
alarm((unsigned int)timeout);
signal(SIGQUIT, SIG_IGN);
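Review bot: `FLASK_flag`, `ttyn_sid`, `vcsn_sid` and `vcsan_sid` are declared here without initializers, yet they are read in the parent's restore block in the `@@ -1057` hunk, where `vcsn_sid`/`vcsan_sid` are only ever assigned inside the `#ifdef CHOWNVCS` region of the `@@ -919` hunk. A build without CHOWNVCS, or any path that reaches the restore before the assignment, therefore passes indeterminate SIDs to `chsid()`. Initialize at the declaration, `int FLASK_flag = 0;` and `security_id_t ttyn_sid = 0, vcsn_sid = 0, vcsan_sid = 0;` (using whatever the null value of `security_id_t` is, if it is not a plain integer), and have the restore code skip a device whose saved SID is still the null value. The enclosing function's body starts before this hunk.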
@@ -751,6 +770,21 @@
}
#endif /* !USE_PAM */
+#ifdef CONFIG_FLASK
+
+ /* Make sure FLASK is really installed on this system */
+ if ( (FLASK_flag = is_flask_enabled()) )
+ {
+ /* Get security context and SID for user */
+ if (!get_user_sid (username, strlen (username), &user_context, &user_sid))
+ {
+ syslog (LOG_ERR, "UNABLE TO GET VALID SID FOR %s", username);
+ exit(0);
+ }
+ }
+
+#endif
+
/* committed to login -- turn off timeout */
alarm((unsigned int)0);
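Review bot: The failure path after `get_user_sid()` calls `exit(0)` straight after the syslog, so the caller sees a success status for a login that never started, and nothing that was set up above this point is torn down — in particular there is no `PAM_END` here, although the parent's exit path in the `@@ -1057` hunk does call `PAM_END` before its `exit(0)`. The `#endif /* !USE_PAM */` directly above suggests authentication has already completed, so a PAM session may be open at this point; this is inferred, since the surrounding code is outside the hunk. Consider `syslog(LOG_ERR, "UNABLE TO GET VALID SID FOR %s", username); PAM_END; exit(1);` unless the file deliberately uses `exit(0)` on every failure. The enclosing function starts and ends outside this hunk.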
@@ -911,6 +945,23 @@
(gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);
chmod(ttyn, TTY_MODE);
+#ifdef CONFIG_FLASK
+ if (FLASK_flag) {
+ if (stat_secure(ttyn, &statbuf, &ttyn_sid) != 0) {
+ perror("stat_secure");
+ exit (0);
+ }
+ if (security_change_sid (user_sid, ttyn_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0) {
+ perror("security_change_sid");
+ exit (0);
+ }
+ if (chsid (ttyn, newdev_sid) != 0) {
+ perror("chsid");
+ exit (0);
+ }
+ }
+#endif
+
#ifdef CHOWNVCS
/* if tty is one of the VC's then change owner and mode of the
special /dev/vcs devices as well */
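Review bot: The `stat_secure` → `security_change_sid` → `chsid` sequence is written out in full three times — once here for `ttyn` and twice in the `@@ -919` hunk for `vcsn` and `vcsan` — with only the device path and the saved-SID variable changing, so a static helper would make the error handling uniform and leave a single place to fix. Note also that the `perror()` calls print to the terminal the user is logging in on, while the equivalent failure in the `@@ -751` hunk goes to syslog; a helper is the natural place to do both. The call site then shrinks to `if (FLASK_flag && relabel_dev(ttyn, user_sid, &ttyn_sid) != 0) exit(0);` (and the same for `vcsn`/`vcsan`). The helper belongs at file scope above the function; the enclosing function starts and ends outside this hunk.
```c
#ifdef CONFIG_FLASK
/* Relabel dev with the SID that security_change_sid() returns for
 * user_sid, saving the device's previous SID in *old_sid so the parent
 * can restore it when the session ends.  Returns 0 on success, -1 after
 * reporting the failing call to the terminal and to syslog. */
static int relabel_dev(const char *dev, security_id_t user_sid,
		       security_id_t *old_sid)
{
	struct stat sb;
	security_id_t new_sid;

	if (stat_secure(dev, &sb, old_sid) != 0) {
		perror("stat_secure");
		syslog(LOG_ERR, "stat_secure failed for %s", dev);
		return -1;
	}
	if (security_change_sid(user_sid, *old_sid, SECCLASS_CHR_FILE, &new_sid) != 0) {
		perror("security_change_sid");
		syslog(LOG_ERR, "security_change_sid failed for %s", dev);
		return -1;
	}
	if (chsid(dev, new_sid) != 0) {
		perror("chsid");
		syslog(LOG_ERR, "chsid failed for %s", dev);
		return -1;
	}
	return 0;
}
#endif
```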
@@ -919,6 +970,41 @@
chown(vcsan, pwd->pw_uid, (gr ? gr->gr_gid : pwd->pw_gid));
chmod(vcsn, TTY_MODE);
chmod(vcsan, TTY_MODE);
+#ifdef CONFIG_FLASK
+ if (FLASK_flag)
+ {
+ if (stat_secure(vcsn, &statbuf, &vcsn_sid) != 0)
+ {
+ perror("stat_secure");
+ exit (0);
+ }
+ if (security_change_sid (user_sid, vcsn_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0)
+ {
+ perror ("security_change_sid");
+ exit (0);
+ }
+ if (chsid (vcsn, newdev_sid) != 0)
+ {
+ perror("chsid");
+ exit (0);
+ }
+ if (stat_secure(vcsan, &statbuf, &vcsan_sid) != 0)
+ {
+ perror("stat_secure");
+ exit (0);
+ }
+ if (security_change_sid (user_sid, vcsan_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0)
+ {
+ perror("security_change_sid");
+ exit (0);
+ }
+ if (chsid (vcsan, newdev_sid) != 0)
+ {
+ perror("chsid");
+ exit (0);
+ }
+ }
+#endif
}
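Review bot: A failure part-way through this block — for instance `chsid(vcsan, …)` at the end failing after `ttyn` (previous hunk) and `vcsn` have already been relabeled — exits with the devices still carrying the user's SID, because the only code that restores the saved SIDs is the parent's post-`wait()` block in the `@@ -1057` hunk, which is never reached on these `exit (0)` paths. The same applies to the `exit (0)` paths in the `@@ -911` hunk once `chown`/`chmod` have already run on `ttyn`. Before each `exit (0)` here, undo what has been done so far, i.e. `chsid(ttyn, ttyn_sid);` and, once `vcsn` has been relabeled, `chsid(vcsn, vcsn_sid);`, and syslog the failure so the mislabeled device is visible to the administrator rather than only on the user's terminal via `perror`. The enclosing function starts and ends outside this hunk.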
@@ -1003,6 +1089,43 @@
/* allow tracking of good logins.
-steve philp (sphilp@mail.alliance.net) */
+#ifdef CONFIG_FLASK
+ if (FLASK_flag)
+ {
+ if (pwd->pw_uid == 0) {
+ if (hostname)
+ syslog(LOG_NOTICE, _("ROOT LOGIN ON %s FROM %s USING %s"),
+ tty, hostname, user_context);
+ else
+ syslog(LOG_NOTICE, _("ROOT LOGIN ON %s USING %s"), tty, user_context);
+ } else {
+ if (hostname)
+ syslog(LOG_INFO, _("LOGIN ON %s BY %s FROM %s USING %s"), tty,
+ pwd->pw_name, hostname, user_context);
+ else
+ syslog(LOG_INFO, _("LOGIN ON %s BY %s USING %s"), tty,
+ pwd->pw_name, user_context);
+ }
+ free (user_context);
+ }
+ else
+ {
+ if (pwd->pw_uid == 0) {
+ if (hostname)
+ syslog(LOG_NOTICE, _("ROOT LOGIN ON %s FROM %s"),
+ tty, hostname);
+ else
+ syslog(LOG_NOTICE, _("ROOT LOGIN ON %s"), tty);
+ } else {
+ if (hostname)
+ syslog(LOG_INFO, _("LOGIN ON %s BY %s FROM %s"), tty,
+ pwd->pw_name, hostname);
+ else
+ syslog(LOG_INFO, _("LOGIN ON %s BY %s"), tty,
+ pwd->pw_name);
+ }
+ }
+#else
if (pwd->pw_uid == 0) {
if (hostname)
syslog(LOG_NOTICE, _("ROOT LOGIN ON %s FROM %s"),
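Review bot: The `else` branch under `CONFIG_FLASK` (the block starting `if (pwd->pw_uid == 0)` after `free (user_context)`) is a verbatim copy of the original logging that is now in `#else`, so the same four messages exist twice and must be kept in sync by hand, and the FLASK variants add four more translatable strings. A smaller change keeps the original logging unconditional and adds the context as one extra record, e.g. `if (FLASK_flag) { syslog(LOG_INFO, "LOGIN ON %s BY %s USING CONTEXT %s", tty, pwd->pw_name, user_context); free (user_context); }`, which also removes the need for the `#else` duplicate. Passing `user_context` to `%s` assumes `security_context_t` is a NUL-terminated string; that is not visible in this patch, so worth confirming against `get_user_sid()`. The enclosing function starts and ends outside this hunk.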
@@ -1017,6 +1140,7 @@
syslog(LOG_INFO, _("LOGIN ON %s BY %s"), tty,
pwd->pw_name);
}
+#endif
if (!quietlog) {
struct stat st;
@@ -1057,11 +1181,36 @@
exit(0);
} else if (childPid) {
/* parent - wait for child to finish, then cleanup session */
- signal(SIGHUP, SIG_IGN); /* ignore signal from TIOCNOTTY */
+#if 0
+ signal(SIGHUP, SIG_IGN); /* ignore signal from TIOCNOTTY */
ioctl(0, TIOCNOTTY, NULL);
signal(SIGHUP, SIG_DFL);
wait(NULL);
+
+#ifdef CONFIG_FLASK
+ if (FLASK_flag)
+ {
+ /* We need to change the contexts of the terminal devices back to
+ the system when the user's session ends. */
+ if (chsid (ttyn, ttyn_sid) != 0)
+ {
+ perror("chsid");
+ }
+ if (consoletty(0)) {
+ if (chsid (vcsn, vcsn_sid) != 0)
+ {
+ perror("chsid");
+ }
+ if (chsid (vcsan, vcsan_sid) != 0)
+ {
+ perror("chsid");
+ }
+ }
+ }
+#endif
+
PAM_END;
exit(0);
}
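Review bot: The `+#if 0` inserted before `signal(SIGHUP, SIG_IGN)` has no matching `#endif` anywhere in this hunk — the only `#endif` closes the `#ifdef CONFIG_FLASK` nested inside it — so as pasted the preprocessor either swallows `wait(NULL)`, the restore block and everything after, or fails on the unterminated conditional; if the mail dropped a `+#endif` line, it needs to sit right after `signal(SIGHUP, SIG_DFL);` so that `wait(NULL)` is kept, and removing the three lines outright is cleaner than `#if 0`. The original comment on the disabled line says SIGHUP is ignored because `TIOCNOTTY` raises it, i.e. this is where the parent detaches from the controlling tty; disabling it keeps the parent attached, which is presumably why it now "works" but changes how the parent is affected by a hangup on that tty — worth understanding before shipping. In the restore block, a `chsid()` failure is reported only with `perror()` on a terminal that is being torn down, and the device is then left labeled with the departing user's SID for the next login; add `syslog(LOG_ERR, "chsid failed restoring %s", ttyn);` (and likewise for `vcsn`/`vcsan`) so the condition is recorded. The `consoletty(0)` restore also does not check `CHOWNVCS`, although the `vcsn_sid`/`vcsan_sid` values it uses are only assigned inside `#ifdef CHOWNVCS` in the `@@ -919` hunk. The enclosing function starts and ends outside this hunk.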
childArgv[childArgc++] = NULL;
+#ifdef CONFIG_FLASK
+ if (FLASK_flag)
+ execvp_secure (childArgv[0], user_sid, childArgv + 1);
+ else
+ execvp(childArgv[0], childArgv + 1);
+#else
execvp(childArgv[0], childArgv + 1);
+#endif
errsv = errno;
Received on Mon 15 Oct 2001 - 11:54:20 EDT