From: "James Bishop" <james.bishop@jrc.it>
To: Stephen Smalley <sds@tislabs.com>, selinux@tycho.nsa.gov
Subject: Re: Compiling for SuSE 7.2
Date: Mon, 15 Oct 2001 17:33:06 +0200	[thread overview]
Message-ID: <3BCB01B2.4060203@jrc.it> (raw)
In-Reply-To: Pine.GSO.4.33.0110111248230.18477-100000@raven

[-- Attachment #1: Type: text/plain, Size: 778 bytes --]

Good afternoon,

I finally managed to get the util-linux-2.11b login to work, and attach 
the diffs against the SuSE 7.2 util-linux-2.11b/login.c source file.

This login program worked after I commented out these three calls:

    signal(SIGHUP, SIG_IGN);    /* ignore signal from TIOCNOTTY */
    ioctl(0, TIOCNOTTY, NULL);
    signal(SIGHUP, SIG_DFL);

These occur in the "else if (childPID)" block after the fork() (see e.g. 
lines 1239 - 1250 in the SELinux util-linux-2.10/login-utils/login.c); 
they were also commented out in the SuSE 7.2 pam_login source file.

Perhaps this is an improvement introduced in the util-linux-2.11b 
package? It's not really important, but if some kind soul has the time 
to explain the purpose of these calls, I'd be grateful.

James Bishop

[-- Attachment #2: login.c.diffs --]
[-- Type: text/plain, Size: 6470 bytes --]

--- util-linux-2.11b/login-utils/login.c	Thu Mar 15 11:09:58 2001
+++ selinux/util-linux-2.11b/login-utils/login.c	Mon Oct 15 17:08:03 2001
@@ -137,6 +137,14 @@
 #  include <shadow.h>
 #endif
 
+#ifdef CONFIG_FLASK
+#include <linux/flask/flask_types.h>
+#include <flask_util.h>
+#include <fs_secure.h>
+#include <ss.h>
+#include <get_user_sid.h>
+#endif
+
 #ifdef USE_PAM
 #  include <security/pam_appl.h>
 #  include <security/pam_misc.h>
@@ -336,6 +344,17 @@
     int ioctlval;
 #endif
 
+#ifdef CONFIG_FLASK
+    security_context_t user_context;
+    security_id_t user_sid;
+    security_id_t ttyn_sid;  /* The current sid of ttyn device */
+    security_id_t vcsn_sid;  /* The current sid of vcsn device */
+    security_id_t vcsan_sid;  /* The current sid of vcsan device */
+    security_id_t newdev_sid;   /* The new sid of a device */
+    struct stat statbuf;
+    int FLASK_flag;
+#endif
+
     signal(SIGALRM, timedout);
     alarm((unsigned int)timeout);
     signal(SIGQUIT, SIG_IGN);
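Review bot: `FLASK_flag` and the three saved SIDs are declared without initialisers, yet every later FLASK block is guarded by `if (FLASK_flag)` and the parent restores `ttyn_sid`/`vcsn_sid`/`vcsan_sid` after `wait()`, so as written they are only safe because the `is_flask_enabled()` assignment happens to be reached before the first guard. `int FLASK_flag = 0;` at the declaration makes the guards correct whichever path reaches them. `statbuf` is filled by `stat_secure()` in the later hunks but never read, so a comment such as `/* only to satisfy stat_secure(); the SID out-parameter is what we use */` would explain why it exists. The enclosing main() starts and ends outside this hunk.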
@@ -751,6 +770,21 @@
     }
 #endif /* !USE_PAM */
     
+#ifdef CONFIG_FLASK
+
+    /* Make sure FLASK is really installed on this system */
+    if ( (FLASK_flag = is_flask_enabled()) )
+    {
+        /* Get security context and SID for user */
+        if (!get_user_sid (username, strlen (username), &user_context, &user_sid))
+        {
+            syslog (LOG_ERR, "UNABLE TO GET VALID SID FOR %s", username);
+            exit(0);
+        }
+    }
+
+#endif
+
     /* committed to login -- turn off timeout */
     alarm((unsigned int)0);
     
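Review bot: a failed `get_user_sid()` ends the login with `exit(0)`, so whatever spawned login sees a successful exit even though no session was started; `exit(1);` would report the failure, unless this file deliberately uses status 0 on every fatal path, which is worth checking against the other exits in login.c. The message also goes to syslog only, so the user at the terminal gets no hint that the login was refused by policy after a correct password; a short `fprintf(stderr, _("Login refused by security policy\n"));` before exiting would help. The enclosing function continues outside the hunk.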
@@ -911,6 +945,23 @@
 	  (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);
     chmod(ttyn, TTY_MODE);
 
+#ifdef CONFIG_FLASK
+    if (FLASK_flag) {
+            if (stat_secure(ttyn, &statbuf, &ttyn_sid) != 0) {
+                    perror("stat_secure");
+                    exit (0);
+            }
+            if (security_change_sid (user_sid, ttyn_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0) {
+                    perror("security_change_sid");
+                    exit (0);
+            }
+            if (chsid (ttyn, newdev_sid) != 0) {
+                    perror("chsid");
+                    exit (0);
+            }
+    }
+#endif
+
 #ifdef CHOWNVCS
     /* if tty is one of the VC's then change owner and mode of the 
        special /dev/vcs devices as well */
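Review bot: the relabel runs after the `chown()`/`chmod()` on the two context lines above it, so when `stat_secure()`, `security_change_sid()` or `chsid()` fails the process exits having already handed the tty to the user while it still carries the system label; moving the `#ifdef CONFIG_FLASK` block above `chown(ttyn, ...)` makes a relabel failure leave the device untouched. Note also that `ttyn_sid` saved here is whatever label the device carries at login time and is what the parent later restores, so if a previous session's parent died before its own restore the stale user label is captured and later "restored" as if it were the system one; if the flask library can compute the default label for the device, restoring that would be more robust. The `exit(0)` on these failures reports success to the caller, the same issue as in the get_user_sid() hunk.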
@@ -919,6 +970,41 @@
 	chown(vcsan, pwd->pw_uid, (gr ? gr->gr_gid : pwd->pw_gid));
 	chmod(vcsn, TTY_MODE);
 	chmod(vcsan, TTY_MODE);
+#ifdef CONFIG_FLASK
+        if (FLASK_flag)
+        {
+            if (stat_secure(vcsn, &statbuf, &vcsn_sid) != 0)
+            {
+                perror("stat_secure");
+                exit (0);
+            }
+            if (security_change_sid (user_sid, vcsn_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0)
+            {
+                perror ("security_change_sid");
+                exit (0);
+            }
+            if (chsid (vcsn, newdev_sid) != 0)
+            {
+                perror("chsid");
+                exit (0);
+            }
+            if (stat_secure(vcsan, &statbuf, &vcsan_sid) != 0)
+            {
+                perror("stat_secure");
+                exit (0);
+            }
+            if (security_change_sid (user_sid, vcsan_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0)
+            {
+                perror("security_change_sid");
+                exit (0);
+            }
+            if (chsid (vcsan, newdev_sid) != 0)
+            {
+                perror("chsid");
+                exit (0);
+            }
+         }
+#endif
     }
 #endif
 
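Review bot: the two relabel sequences here repeat the ttyn sequence from the previous hunk verbatim, and a failure partway (for example `chsid(vcsan, ...)`) exits with the tty and vcsn already relabelled and owned by the user, with no attempt to put them back. A small static helper removes the triplication and gives one place to decide what to do on failure; the call sites then collapse to a single condition. Whether the earlier devices should be restored before exiting is a policy question the patch should at least record in a comment.
```c
#ifdef CONFIG_FLASK
/* Save the current SID of `path` in *old_sid and relabel the device for
   `user_sid`.  Returns 0 on success, -1 after perror() on failure; the
   caller decides whether to exit and whether to undo earlier relabels. */
static int
flask_relabel_dev(const char *path, security_id_t user_sid,
                  security_id_t *old_sid)
{
    struct stat sb;           /* required by stat_secure(), otherwise unused */
    security_id_t new_sid;

    if (stat_secure(path, &sb, old_sid) != 0) {
        perror("stat_secure");
        return -1;
    }
    if (security_change_sid(user_sid, *old_sid, SECCLASS_CHR_FILE,
                            &new_sid) != 0) {
        perror("security_change_sid");
        return -1;
    }
    if (chsid(path, new_sid) != 0) {
        perror("chsid");
        return -1;
    }
    return 0;
}
#endif

/* … unchanged: chown()/chmod() of vcsn and vcsan … */
#ifdef CONFIG_FLASK
        if (FLASK_flag) {
            if (flask_relabel_dev(vcsn, user_sid, &vcsn_sid) != 0 ||
                flask_relabel_dev(vcsan, user_sid, &vcsan_sid) != 0)
                exit(0);
        }
#endif
```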
@@ -1003,6 +1089,43 @@
     /* allow tracking of good logins.
        -steve philp (sphilp@mail.alliance.net) */
     
+#ifdef CONFIG_FLASK
+    if (FLASK_flag)
+    {
+        if (pwd->pw_uid == 0) {
+            if (hostname)
+              syslog(LOG_NOTICE, _("ROOT LOGIN ON %s FROM %s USING %s"),
+                     tty, hostname, user_context);
+            else
+              syslog(LOG_NOTICE, _("ROOT LOGIN ON %s USING %s"), tty, user_context);
+        } else {
+            if (hostname)
+              syslog(LOG_INFO, _("LOGIN ON %s BY %s FROM %s USING %s"), tty,
+                     pwd->pw_name, hostname, user_context);
+            else
+              syslog(LOG_INFO, _("LOGIN ON %s BY %s USING %s"), tty,
+                     pwd->pw_name, user_context);
+        }
+        free (user_context);
+    }
+    else
+    {
+        if (pwd->pw_uid == 0) {
+            if (hostname)
+              syslog(LOG_NOTICE, _("ROOT LOGIN ON %s FROM %s"),
+                     tty, hostname);
+            else
+              syslog(LOG_NOTICE, _("ROOT LOGIN ON %s"), tty);
+        } else {
+            if (hostname)
+              syslog(LOG_INFO, _("LOGIN ON %s BY %s FROM %s"), tty,
+                     pwd->pw_name, hostname);
+            else
+              syslog(LOG_INFO, _("LOGIN ON %s BY %s"), tty,
+                     pwd->pw_name);
+        }
+    }
+#else
     if (pwd->pw_uid == 0) {
 	if (hostname)
 	  syslog(LOG_NOTICE, _("ROOT LOGIN ON %s FROM %s"),
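Review bot: the `else` branch at the bottom of the new block is a verbatim copy of the pre-existing syslog code that the `#else` keeps for non-FLASK builds, so the same four messages now live in two places and any later edit has to be made twice. The duplication goes away if the original block stays unconditional and the FLASK build only adds the context, for example by logging it as a separate line; `free(user_context)` should then be followed by `user_context = NULL;` so any later accidental use fails cleanly rather than reading freed memory (the free implies `get_user_sid()` allocates it — confirm). The enclosing function continues outside the hunk.
```c
#ifdef CONFIG_FLASK
    /* Record the security context the session will run in; the ordinary
       ROOT LOGIN / LOGIN ON line below is logged regardless of FLASK. */
    if (FLASK_flag) {
        syslog(pwd->pw_uid == 0 ? LOG_NOTICE : LOG_INFO,
               _("LOGIN ON %s BY %s USING %s"), tty, pwd->pw_name,
               user_context);
        free(user_context);
        user_context = NULL;
    }
#endif
    /* … unchanged: existing ROOT LOGIN / LOGIN ON syslog block, no longer under #else … */
```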
@@ -1017,6 +1140,7 @@
 	  syslog(LOG_INFO, _("LOGIN ON %s BY %s"), tty, 
 		 pwd->pw_name);
     }
+#endif
     
     if (!quietlog) {
 	struct stat st;
@@ -1057,11 +1181,36 @@
        exit(0);
     } else if (childPid) {
        /* parent - wait for child to finish, then cleanup session */
-       signal(SIGHUP, SIG_IGN);		/* ignore signal from TIOCNOTTY */
+#if 0
+       signal(SIGHUP, SIG_IGN);   /* ignore signal from TIOCNOTTY */
        ioctl(0, TIOCNOTTY, NULL);
        signal(SIGHUP, SIG_DFL);
+#endif
 
        wait(NULL);
+
+#ifdef CONFIG_FLASK
+    if (FLASK_flag)
+    {
+       /* We need to change the contexts of the terminal devices back to
+          the system when the user's session ends.  */
+       if (chsid (ttyn, ttyn_sid) != 0)
+       {
+            perror("chsid");
+       }
+       if (consoletty(0)) {
+         if (chsid (vcsn, vcsn_sid) != 0)
+         {
+            perror("chsid");
+         }
+         if (chsid (vcsan, vcsan_sid) != 0)
+         {
+            perror("chsid");
+         }
+       }
+    }
+#endif
+
        PAM_END;
        exit(0);
     }
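Review bot: disabling the `TIOCNOTTY` block with `#if 0` leaves the parent attached to the terminal with SIGHUP at its default disposition, so if login is still the session leader (it normally is when started by getty) a line hangup kills the parent before `wait()` returns and the `chsid()` restores below and `PAM_END` never run. The mail says SuSE's pam_login drops these calls but not why; a comment recording the reason belongs here instead of a bare `#if 0`, and `signal(SIGHUP, SIG_IGN);` before `wait(NULL);` keeps the cleanup reachable whatever the answer turns out to be. The restore itself is best-effort (`perror()` only), which is reasonable once the session has ended, but those messages go to the terminal the user just left; `syslog(LOG_ERR, "chsid %s: %m", ttyn);` would reach an administrator. The FLASK block is also indented to 4 columns inside a 7-column body.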
@@ -1112,7 +1261,14 @@
 
     childArgv[childArgc++] = NULL;
 
+#ifdef CONFIG_FLASK
+    if (FLASK_flag)
+        execvp_secure (childArgv[0], user_sid, childArgv + 1);
+    else
+        execvp(childArgv[0], childArgv + 1);
+#else
     execvp(childArgv[0], childArgv + 1);
+#endif
 
     errsv = errno;
 
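Review bot: the FLASK branch deserves a comment saying what differs from the plain `execvp()`, since a reader who does not know the flask API cannot tell from the call that `user_sid` selects the security context the shell runs in, nor that a policy refusal presumably surfaces through the same `errsv = errno` path as any other exec failure; something like `/* FLASK: exec the shell in the user's security context (user_sid); on failure fall through to the errno report below. */` above the `if (FLASK_flag)`. Both branches leave the error handling that follows untouched, which is the right shape. The enclosing function continues outside the hunk.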
