--- util-linux-2.11b/login-utils/login.c Thu Mar 15 11:09:58 2001
+++ selinux/util-linux-2.11b/login-utils/login.c Mon Oct 15 17:08:03 2001
@@ -137,6 +137,14 @@
 # include
 #endif
+#ifdef CONFIG_FLASK
+#include
+#include
+#include
+#include
+#include
+#endif
+
 #ifdef USE_PAM
 # include
 # include
@@ -336,6 +344,17 @@
 int ioctlval;
 #endif
+#ifdef CONFIG_FLASK
+ security_context_t user_context;
+ security_id_t user_sid;
+ security_id_t ttyn_sid; /* The current sid of ttyn device */
+ security_id_t vcsn_sid; /* The current sid of vcsn device */
+ security_id_t vcsan_sid; /* The current sid of vcsan device */
+ security_id_t newdev_sid; /* The new sid of a device */
+ struct stat statbuf;
+ int FLASK_flag;
+#endif
+
 signal(SIGALRM, timedout);
 alarm((unsigned int)timeout);
 signal(SIGQUIT, SIG_IGN);
@@ -751,6 +770,21 @@
 }
 #endif /* !USE_PAM */
+#ifdef CONFIG_FLASK
+
+ /* Make sure FLASK is really installed on this system */
+ if ( (FLASK_flag = is_flask_enabled()) )
+ {
+ /* Get security context and SID for user */
+ if (!get_user_sid (username, strlen (username), &user_context, &user_sid))
+ {
+ syslog (LOG_ERR, "UNABLE TO GET VALID SID FOR %s", username);
+ exit(0);
+ }
+ }
+
+#endif
+
 /* committed to login -- turn off timeout */
 alarm((unsigned int)0);
@@ -911,6 +945,23 @@
 (gr = getgrnam(TTYGRPNAME)) ? gr->gr_gid : pwd->pw_gid);
 chmod(ttyn, TTY_MODE);
+#ifdef CONFIG_FLASK
+ if (FLASK_flag) {
+ if (stat_secure(ttyn, &statbuf, &ttyn_sid) != 0) {
+ perror("stat_secure");
+ exit (0);
+ }
+ if (security_change_sid (user_sid, ttyn_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0) {
+ perror("security_change_sid");
+ exit (0);
+ }
+ if (chsid (ttyn, newdev_sid) != 0) {
+ perror("chsid");
+ exit (0);
+ }
+ }
+#endif
+
 #ifdef CHOWNVCS
 /* if tty is one of the VC's then change owner and mode of the special /dev/vcs devices as well */
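Review bot: In the `@@ -751` hunk the `get_user_sid` failure branch calls `exit(0)` straight after the syslog, while the parent-side cleanup later in this patch does `PAM_END;` before its `exit(0)`; if the PAM handle is already established at this point (the hunk sits right after `#endif /* !USE_PAM */` but does not show the PAM state), the same `PAM_END; exit(0);` sequence belongs here too. The message is also the only added syslog string not wrapped in `_()`, unlike the `USING %s` strings in the logging hunk. `exit(0)` on a fatal error follows the rest of login.c as far as the context lines show, so keep it but say so: `/* exit(0) on fatal error: login.c convention */`. The enclosing function starts and ends outside the hunk.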
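Review bot: The stat_secure / security_change_sid / chsid sequence added after `chmod(ttyn, TTY_MODE);` in the `@@ -911` hunk is repeated verbatim for vcsn and vcsan in the `@@ -919` hunk, so the same exit-on-failure logic exists three times with only the device name and the saved-SID variable changing. Each failure branch runs after the context lines have already `chown`ed and `chmod`ed the device to the user, so an exit here leaves the device user-owned but still carrying its old label; whether that is acceptable depends on the policy, which the hunk does not show, but the `perror` output does not even name the device that failed. A small static helper collapses the three sites to one call each and gives one place to log the device path through syslog as the rest of the file does. The enclosing function starts and ends outside the hunk.
```c
/* Relabel the device at `dev` for `user_sid`, saving its current SID in
 * *old_sid so the parent can restore it when the session ends.
 * Exits on failure, as the inline sequences did. */
static void relabel_dev(const char *dev, security_id_t user_sid,
                        security_id_t *old_sid)
{
	struct stat st;
	security_id_t new_sid;

	if (stat_secure(dev, &st, old_sid) != 0) {
		syslog(LOG_ERR, "stat_secure failed for %s", dev);
		perror("stat_secure");
		exit(0);
	}
	if (security_change_sid(user_sid, *old_sid, SECCLASS_CHR_FILE, &new_sid) != 0) {
		syslog(LOG_ERR, "security_change_sid failed for %s", dev);
		perror("security_change_sid");
		exit(0);
	}
	if (chsid(dev, new_sid) != 0) {
		syslog(LOG_ERR, "chsid failed for %s", dev);
		perror("chsid");
		exit(0);
	}
}

/* … at the call site, replacing the inline sequence after chmod(ttyn, TTY_MODE); … */
	if (FLASK_flag)
		relabel_dev(ttyn, user_sid, &ttyn_sid);
```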
@@ -919,6 +970,41 @@
 chown(vcsan, pwd->pw_uid, (gr ? gr->gr_gid : pwd->pw_gid));
 chmod(vcsn, TTY_MODE);
 chmod(vcsan, TTY_MODE);
+#ifdef CONFIG_FLASK
+ if (FLASK_flag)
+ {
+ if (stat_secure(vcsn, &statbuf, &vcsn_sid) != 0)
+ {
+ perror("stat_secure");
+ exit (0);
+ }
+ if (security_change_sid (user_sid, vcsn_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0)
+ {
+ perror ("security_change_sid");
+ exit (0);
+ }
+ if (chsid (vcsn, newdev_sid) != 0)
+ {
+ perror("chsid");
+ exit (0);
+ }
+ if (stat_secure(vcsan, &statbuf, &vcsan_sid) != 0)
+ {
+ perror("stat_secure");
+ exit (0);
+ }
+ if (security_change_sid (user_sid, vcsan_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0)
+ {
+ perror("security_change_sid");
+ exit (0);
+ }
+ if (chsid (vcsan, newdev_sid) != 0)
+ {
+ perror("chsid");
+ exit (0);
+ }
+ }
+#endif
 }
 #endif
@@ -1003,6 +1089,43 @@
 /* allow tracking of good logins. -steve philp (sphilp@mail.alliance.net) */
+#ifdef CONFIG_FLASK
+ if (FLASK_flag)
+ {
+ if (pwd->pw_uid == 0) {
+ if (hostname)
+ syslog(LOG_NOTICE, _("ROOT LOGIN ON %s FROM %s USING %s"),
+ tty, hostname, user_context);
+ else
+ syslog(LOG_NOTICE, _("ROOT LOGIN ON %s USING %s"), tty, user_context);
+ } else {
+ if (hostname)
+ syslog(LOG_INFO, _("LOGIN ON %s BY %s FROM %s USING %s"), tty,
+ pwd->pw_name, hostname, user_context);
+ else
+ syslog(LOG_INFO, _("LOGIN ON %s BY %s USING %s"), tty,
+ pwd->pw_name, user_context);
+ }
+ free (user_context);
+ }
+ else
+ {
+ if (pwd->pw_uid == 0) {
+ if (hostname)
+ syslog(LOG_NOTICE, _("ROOT LOGIN ON %s FROM %s"),
+ tty, hostname);
+ else
+ syslog(LOG_NOTICE, _("ROOT LOGIN ON %s"), tty);
+ } else {
+ if (hostname)
+ syslog(LOG_INFO, _("LOGIN ON %s BY %s FROM %s"), tty,
+ pwd->pw_name, hostname);
+ else
+ syslog(LOG_INFO, _("LOGIN ON %s BY %s"), tty,
+ pwd->pw_name);
+ }
+ }
+#else
 if (pwd->pw_uid == 0) {
 if (hostname)
 syslog(LOG_NOTICE, _("ROOT LOGIN ON %s FROM %s"),
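Review bot: The FLASK branch of the `@@ -1003` hunk copies the whole root/non-root, hostname/no-hostname syslog ladder, and its `else` branch copies the original ladder a second time, so once the `#else` copy that ends at the `#endif` in the next hunk is counted the non-FLASK logging exists three times. The `else` copy can go if the original ladder is made the `else` body instead: `free (user_context);` / `} else` / `#endif`, followed by the unchanged `if (pwd->pw_uid == 0) { ... } else { ... }`, which leaves only the `USING %s` variants as FLASK-specific code. `free (user_context)` assumes `get_user_sid` handed back heap memory, which nothing on the page shows; a one-line comment there, `/* user_context was allocated by get_user_sid() */`, records the ownership for the next reader. The enclosing function starts and ends outside the hunk.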
@@ -1017,6 +1140,7 @@
 syslog(LOG_INFO, _("LOGIN ON %s BY %s"), tty, pwd->pw_name);
 }
+#endif
 if (!quietlog) {
 struct stat st;
@@ -1057,11 +1181,36 @@
 exit(0);
 } else if (childPid) {
 /* parent - wait for child to finish, then cleanup session */
- signal(SIGHUP, SIG_IGN); /* ignore signal from TIOCNOTTY */
+#if 0
+ signal(SIGHUP, SIG_IGN); /* ignore signal from TIOCNOTTY */
 ioctl(0, TIOCNOTTY, NULL);
 signal(SIGHUP, SIG_DFL);
+#endif
 wait(NULL);
+
+#ifdef CONFIG_FLASK
+ if (FLASK_flag)
+ {
+ /* We need to change the contexts of the terminal devices back to
+ the system when the user's session ends. */
+ if (chsid (ttyn, ttyn_sid) != 0)
+ {
+ perror("chsid");
+ }
+ if (consoletty(0)) {
+ if (chsid (vcsn, vcsn_sid) != 0)
+ {
+ perror("chsid");
+ }
+ if (chsid (vcsan, vcsan_sid) != 0)
+ {
+ perror("chsid");
+ }
+ }
+ }
+#endif
+
 PAM_END;
 exit(0);
 }
@@ -1112,7 +1261,14 @@
 childArgv[childArgc++] = NULL;
+#ifdef CONFIG_FLASK
+ if (FLASK_flag)
+ execvp_secure (childArgv[0], user_sid, childArgv + 1);
+ else
+ execvp(childArgv[0], childArgv + 1);
+#else
 execvp(childArgv[0], childArgv + 1);
+#endif
 errsv = errno;
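Review bot: The `#if 0` in the `@@ -1057` hunk around `signal(SIGHUP, SIG_IGN)`, `ioctl(0, TIOCNOTTY, NULL)` and `signal(SIGHUP, SIG_DFL)` stops the parent detaching from the controlling terminal in every build, not only under `CONFIG_FLASK`, and nothing in the hunk says why. If the detach has to be skipped so the `chsid (ttyn, ttyn_sid)` restore after `wait(NULL)` can run, say so — `/* keep the controlling tty: the FLASK restore below relabels it after the child exits */` — and scope it with `#ifndef CONFIG_FLASK` instead of `#if 0`; otherwise an unrelated behaviour change like this belongs in its own commit. The restore of `vcsn_sid`/`vcsan_sid` runs whenever `consoletty(0)` is true, but those SIDs are only assigned inside the `#ifdef CHOWNVCS` block of the `@@ -919` hunk (its closing `}` / `#endif` is visible as context), so a build without `CHOWNVCS` would — if `vcsn`/`vcsan` are declared there at all, which the page does not show — call `chsid` with uninitialized SIDs; wrapping this restore in the same `#ifdef CHOWNVCS` keeps the two in step. The enclosing function starts and ends outside the hunk.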