Non-PAM Policycoreutils

Non-PAM Policycoreutils

[Timothy]

[-- Attachment #1: Type: text/plain, Size: 440 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

This patch against policycoreutils 1.26 will make it compile and install
correctly based on the presence of PAM.  Please apply.

Timothy,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDTqDBSYq2KfPEK/gRA756AJ9oCl/vMApYBq/OaU3r2f7xDQ/e4wCfUAwq
45D5J2w39LVqofg29jbiAqs=
=jUzT
-----END PGP SIGNATURE-----

[-- Attachment #2: policycoreutils-1.26-nopam.patch --]
[-- Type: text/plain, Size: 3414 bytes --]

--- policycoreutils-1.26/newrole/Makefile	2005-07-18 09:42:21.000000000 -0400
+++ policycoreutils-1.26.slack/newrole/Makefile	2005-10-04 01:03:09.000000000 -0400
@@ -4,10 +4,18 @@
 MANDIR ?= $(PREFIX)/share/man
 ETCDIR ?= $(DESTDIR)/etc
 LOCALEDIR = /usr/share/locale
+PAMH = $(shell ls /usr/include/pam.h 2>/dev/null)
 
 CFLAGS ?= -Werror -Wall -W
-override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DUSE_PAM -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
-LDLIBS += -lselinux -lpam -lpam_misc -L$(PREFIX)/lib
+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+LDLIBS += -lselinux -L$(PREFIX)/lib
+ifeq (${PAMH}, /usr/include/pam.h)
+	override CFLAGS += -DUSE_PAM
+	LDLIBS += -lpam -lpam_misc
+else
+	LDLIBS += -lcrypt
+endif
+
 
 TARGETS=$(patsubst %.c,%,$(wildcard *.c))
 
@@ -19,7 +27,10 @@
 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
 	install -m 555 newrole $(BINDIR)
 	install -m 644 newrole.1 $(MANDIR)/man1/
+ifeq (${PAMH}, /usr/include/pam.h)
+	test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
 	install -m 644 newrole.pamd $(ETCDIR)/pam.d/newrole
+endif
 
 clean:
 	rm -f $(TARGETS) *.o 
--- policycoreutils-1.26/newrole/newrole.c	2005-07-11 15:18:42.000000000 -0400
+++ policycoreutils-1.26.slack/newrole/newrole.c	2005-10-04 00:58:45.000000000 -0400
@@ -215,6 +215,7 @@
  ************************************************************************/
 
 
+#define __USE_XOPEN
 #include <unistd.h>                         /* for getuid(), exit(), crypt() */
 #include <shadow.h>                         /* for shadow passwd functions */
 #include <string.h>                         /* for strlen(), memset() */
--- policycoreutils-1.26/run_init/Makefile	2005-07-18 09:42:21.000000000 -0400
+++ policycoreutils-1.26.slack/run_init/Makefile	2005-10-04 01:02:21.000000000 -0400
@@ -5,10 +5,17 @@
 MANDIR ?= $(PREFIX)/share/man
 ETCDIR ?= $(DESTDIR)/etc
 LOCALEDIR ?= /usr/share/locale
+PAMH = $(shell ls /usr/include/pam.h 2>/dev/null)
 
 CFLAGS ?= -Werror -Wall -W
-override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DUSE_PAM -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
-LDLIBS += -lselinux -lpam -lpam_misc -L$(PREFIX)/lib
+override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+LDLIBS += -lselinux -L$(PREFIX)/lib
+ifeq (${PAMH}, /usr/include/pam.h)
+	override CFLAGS += -DUSE_PAM
+	LDLIBS += -lpam -lpam_misc
+else
+	LDLIBS += -lcrypt
+endif
 
 TARGETS=$(patsubst %.c,%,$(wildcard *.c))
 
@@ -25,7 +32,9 @@
 	install -m 555 open_init_pty $(SBINDIR)
 	install -m 644 run_init.8 $(MANDIR)/man8/
 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
+ifeq (${PAMH}, /usr/include/pam.h)
 	install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
+endif
 
 clean:
 	-rm -f $(TARGETS) *.o 
--- policycoreutils-1.26/run_init/run_init.c	2005-01-21 07:55:20.000000000 -0500
+++ policycoreutils-1.26.slack/run_init/run_init.c	2005-10-04 00:58:20.000000000 -0400
@@ -145,6 +145,7 @@
  *
  ************************************************************************/
 
+#define __USE_XOPEN
 #include <unistd.h>                         /* for getuid(), exit(), crypt() */
 #include <shadow.h>                         /* for shadow passwd functions */
 #include <string.h>                         /* for strlen(), memset() */

Re: Non-PAM Policycoreutils

[Stephen Smalley]

On Thu, 2005-10-13 at 14:00 -0400, Timothy wrote:
> This patch against policycoreutils 1.26 will make it compile and install
> correctly based on the presence of PAM.  Please apply.

Thanks.   However:

> +PAMH = $(shell ls /usr/include/pam.h 2>/dev/null)

/usr/include/pam.h is unrelated to PAM on my systems.  It is a header
provided by the netpbm library containing a Portable Arbitrary Map image
format definition.   PAM headers are under /usr/include/security, e.g.
see the #include's in newrole.c or run_init.c.

Also, while not strictly necessary, it is preferable to submit patches
generated against the sourceforge CVS tree - less likely to end up with
rejects that way.  Anonymous pserver access is available, see
http://sourceforge.net/cvs/?group_id=21266

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Non-PAM Policycoreutils

[Timothy]

[-- Attachment #1: Type: text/plain, Size: 1188 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Stephen Smalley wrote:

> On Thu, 2005-10-13 at 14:00 -0400, Timothy wrote:
> 
>>This patch against policycoreutils 1.26 will make it compile and install
>>correctly based on the presence of PAM.  Please apply.
> 
> 
> Thanks.   However:
> 
> 
>>+PAMH = $(shell ls /usr/include/pam.h 2>/dev/null)
> 
> 
> /usr/include/pam.h is unrelated to PAM on my systems.  It is a header
> provided by the netpbm library containing a Portable Arbitrary Map image
> format definition.   PAM headers are under /usr/include/security, e.g.
> see the #include's in newrole.c or run_init.c.
> 
> Also, while not strictly necessary, it is preferable to submit patches
> generated against the sourceforge CVS tree - less likely to end up with
> rejects that way.  Anonymous pserver access is available, see
> http://sourceforge.net/cvs/?group_id=21266
> 

Fixed and tested against CVS.  New patch attached.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDTrMLSYq2KfPEK/gRA55mAJ9EfxCirzaive/if2r+EivpiogycwCeI287
DQ1d5IQQ+ErvwEaiRe31R+4=
=NWCk
-----END PGP SIGNATURE-----

[-- Attachment #2: policycoreutils-nopam.patch --]
[-- Type: text/plain, Size: 3498 bytes --]

--- policycoreutils-1.26/newrole/Makefile	2005-07-18 09:42:21.000000000 -0400
+++ policycoreutils-1.26.slack/newrole/Makefile	2005-10-04 01:03:09.000000000 -0400
@@ -4,10 +4,18 @@
 MANDIR ?= $(PREFIX)/share/man
 ETCDIR ?= $(DESTDIR)/etc
 LOCALEDIR = /usr/share/locale
+PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
 
 CFLAGS ?= -Werror -Wall -W
-override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DUSE_PAM -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
-LDLIBS += -lselinux -lpam -lpam_misc -L$(PREFIX)/lib
+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+LDLIBS += -lselinux -L$(PREFIX)/lib
+ifeq (${PAMH}, /usr/include/security/pam_appl.h)
+	override CFLAGS += -DUSE_PAM
+	LDLIBS += -lpam -lpam_misc
+else
+	LDLIBS += -lcrypt
+endif
+
 
 TARGETS=$(patsubst %.c,%,$(wildcard *.c))
 
@@ -19,7 +27,10 @@
 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
 	install -m 555 newrole $(BINDIR)
 	install -m 644 newrole.1 $(MANDIR)/man1/
+ifeq (${PAMH}, /usr/include/security/pam_appl.h)
+	test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
 	install -m 644 newrole.pamd $(ETCDIR)/pam.d/newrole
+endif
 
 clean:
 	rm -f $(TARGETS) *.o 
--- policycoreutils-1.26/newrole/newrole.c	2005-07-11 15:18:42.000000000 -0400
+++ policycoreutils-1.26.slack/newrole/newrole.c	2005-10-04 00:58:45.000000000 -0400
@@ -215,6 +215,7 @@
  ************************************************************************/
 
 
+#define __USE_XOPEN
 #include <unistd.h>                         /* for getuid(), exit(), crypt() */
 #include <shadow.h>                         /* for shadow passwd functions */
 #include <string.h>                         /* for strlen(), memset() */
--- policycoreutils-1.26/run_init/Makefile	2005-07-18 09:42:21.000000000 -0400
+++ policycoreutils-1.26.slack/run_init/Makefile	2005-10-04 01:02:21.000000000 -0400
@@ -5,10 +5,17 @@
 MANDIR ?= $(PREFIX)/share/man
 ETCDIR ?= $(DESTDIR)/etc
 LOCALEDIR ?= /usr/share/locale
+PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
 
 CFLAGS ?= -Werror -Wall -W
-override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DUSE_PAM -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
-LDLIBS += -lselinux -lpam -lpam_misc -L$(PREFIX)/lib
+override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+LDLIBS += -lselinux -L$(PREFIX)/lib
+ifeq (${PAMH}, /usr/include/security/pam_appl.h)
+	override CFLAGS += -DUSE_PAM
+	LDLIBS += -lpam -lpam_misc
+else
+	LDLIBS += -lcrypt
+endif
 
 TARGETS=$(patsubst %.c,%,$(wildcard *.c))
 
@@ -25,7 +32,9 @@
 	install -m 555 open_init_pty $(SBINDIR)
 	install -m 644 run_init.8 $(MANDIR)/man8/
 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
+ifeq (${PAMH}, /usr/include/security/pam_appl.h)
 	install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
+endif
 
 clean:
 	-rm -f $(TARGETS) *.o 
--- policycoreutils-1.26/run_init/run_init.c	2005-01-21 07:55:20.000000000 -0500
+++ policycoreutils-1.26.slack/run_init/run_init.c	2005-10-04 00:58:20.000000000 -0400
@@ -145,6 +145,7 @@
  *
  ************************************************************************/
 
+#define __USE_XOPEN
 #include <unistd.h>                         /* for getuid(), exit(), crypt() */
 #include <shadow.h>                         /* for shadow passwd functions */
 #include <string.h>                         /* for strlen(), memset() */

Re: Non-PAM Policycoreutils

[Stephen Smalley]

On Thu, 2005-10-13 at 15:18 -0400, Timothy wrote:
> Fixed and tested against CVS.  New patch attached.

Thanks.  Why do you need to define __USE_XOPEN?  And should that always
be done or just in the non-PAM case, i.e. CFLAGS+=-D__USE_XOPEN in the
else clause of the Makefiles?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Non-PAM Policycoreutils

[Timothy]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Stephen Smalley wrote:

> On Thu, 2005-10-13 at 15:18 -0400, Timothy wrote:
> 
>>Fixed and tested against CVS.  New patch attached.
> 
> 
> Thanks.  Why do you need to define __USE_XOPEN?  And should that always
> be done or just in the non-PAM case, i.e. CFLAGS+=-D__USE_XOPEN in the
> else clause of the Makefiles?
> 

The crypt defined in unistd.h is only read if __USE_XOPEN is defined so
it's required or make will fail for non-pam builds because the function
authenticate_via_shadow_passwd uses crypt.  I tried to add that define
to the CFLAGS in the makefile but it does not see that it is defined for
some reason and still errors out.

Timothy,
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDTrvdSYq2KfPEK/gRA6YCAJ9lpOdS7vXxcSmLUefj0rw23ii9+gCePSfA
NKVY75SH5vCRdPQBoGRUP30=
=Y+Gp
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Non-PAM Policycoreutils

[Stephen Smalley]

On Thu, 2005-10-13 at 15:56 -0400, Timothy wrote:
> The crypt defined in unistd.h is only read if __USE_XOPEN is defined so
> it's required or make will fail for non-pam builds because the function
> authenticate_via_shadow_passwd uses crypt.  I tried to add that define
> to the CFLAGS in the makefile but it does not see that it is defined for
> some reason and still errors out.

Hmm...actually, since it is wrapped by the #else for USE_PAM, it isn't a
problem to have it in the .c file, but I noticed that the man page for
crypt(3) on my system says to define _XOPEN_SOURCE instead of directly
defining __USE_XOPEN (features.h enables the latter when the former is
enabled).  Note that the former only has a single leading underscore,
unlike the latter.  Does #define'ing _XOPEN_SOURCE work for you there
instead of __USE_XOPEN?

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Non-PAM Policycoreutils

[Timothy]

[-- Attachment #1: Type: text/plain, Size: 1295 bytes --]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Stephen Smalley wrote:
> On Thu, 2005-10-13 at 15:56 -0400, Timothy wrote:
> 
>>The crypt defined in unistd.h is only read if __USE_XOPEN is defined so
>>it's required or make will fail for non-pam builds because the function
>>authenticate_via_shadow_passwd uses crypt.  I tried to add that define
>>to the CFLAGS in the makefile but it does not see that it is defined for
>>some reason and still errors out.
> 
> 
> Hmm...actually, since it is wrapped by the #else for USE_PAM, it isn't a
> problem to have it in the .c file, but I noticed that the man page for
> crypt(3) on my system says to define _XOPEN_SOURCE instead of directly
> defining __USE_XOPEN (features.h enables the latter when the former is
> enabled).  Note that the former only has a single leading underscore,
> unlike the latter.  Does #define'ing _XOPEN_SOURCE work for you there
> instead of __USE_XOPEN?
> 

Just _XOPEN_SOURCE caused new errors but _XOPEN_SOURCE defined to 500
works.  New patch attached.

Timothy,

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFDTtuGSYq2KfPEK/gRA2etAJ43Z4KRzStnX5Z/CTd2q/VURf9PhgCffkGq
yAzwBdfbzgKWH/3WAm6Kjww=
=5PaU
-----END PGP SIGNATURE-----

[-- Attachment #2: policycoreutils-nopam.patch --]
[-- Type: text/plain, Size: 2526 bytes --]

--- policycoreutils/newrole/Makefile	2005-07-18 10:13:55.000000000 -0400
+++ policycoreutils-1.26.slack/newrole/Makefile	2005-10-04 02:22:03.000000000 -0400
@@ -4,10 +4,19 @@
 MANDIR ?= $(PREFIX)/share/man
 ETCDIR ?= $(DESTDIR)/etc
 LOCALEDIR = /usr/share/locale
+PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
 
 CFLAGS ?= -Werror -Wall -W
-override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DUSE_PAM -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
-LDLIBS += -lselinux -lpam -lpam_misc -L$(PREFIX)/lib
+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+LDLIBS += -lselinux -L$(PREFIX)/lib
+ifeq (${PAMH}, /usr/include/security/pam_appl.h)
+	override CFLAGS += -DUSE_PAM
+	LDLIBS += -lpam -lpam_misc
+else
+	override CFLAGS += -D_XOPEN_SOURCE=500
+	LDLIBS += -lcrypt
+endif
+
 
 TARGETS=$(patsubst %.c,%,$(wildcard *.c))
 
@@ -19,7 +28,10 @@
 	test -d $(MANDIR)/man1 || install -m 755 -d $(MANDIR)/man1
 	install -m 555 newrole $(BINDIR)
 	install -m 644 newrole.1 $(MANDIR)/man1/
+ifeq (${PAMH}, /usr/include/security/pam_appl.h)
+	test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
 	install -m 644 newrole.pamd $(ETCDIR)/pam.d/newrole
+endif
 
 clean:
 	rm -f $(TARGETS) *.o 
--- policycoreutils/run_init/Makefile	2005-07-18 10:13:56.000000000 -0400
+++ policycoreutils-1.26.slack/run_init/Makefile	2005-10-04 02:22:29.000000000 -0400
@@ -5,10 +5,18 @@
 MANDIR ?= $(PREFIX)/share/man
 ETCDIR ?= $(DESTDIR)/etc
 LOCALEDIR ?= /usr/share/locale
+PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
 
 CFLAGS ?= -Werror -Wall -W
-override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DUSE_PAM -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
-LDLIBS += -lselinux -lpam -lpam_misc -L$(PREFIX)/lib
+override CFLAGS += -I$(PREFIX)/include -DUSE_NLS -DLOCALEDIR="\"$(LOCALEDIR)\"" -DPACKAGE="\"policycoreutils\""
+LDLIBS += -lselinux -L$(PREFIX)/lib
+ifeq (${PAMH}, /usr/include/security/pam_appl.h)
+	override CFLAGS += -DUSE_PAM
+	LDLIBS += -lpam -lpam_misc
+else
+	override CFLAGS += -D_XOPEN_SOURCE=500
+	LDLIBS += -lcrypt
+endif
 
 TARGETS=$(patsubst %.c,%,$(wildcard *.c))
 
@@ -25,7 +33,9 @@
 	install -m 555 open_init_pty $(SBINDIR)
 	install -m 644 run_init.8 $(MANDIR)/man8/
 	install -m 644 open_init_pty.8 $(MANDIR)/man8/
+ifeq (${PAMH}, /usr/include/security/pam_appl.h)
 	install -m 644 run_init.pamd $(ETCDIR)/pam.d/run_init
+endif
 
 clean:
 	-rm -f $(TARGETS) *.o 

Re: Non-PAM Policycoreutils

[Stephen Smalley]

On Thu, 2005-10-13 at 18:11 -0400, Timothy wrote:
> Just _XOPEN_SOURCE caused new errors but _XOPEN_SOURCE defined to 500
> works.  New patch attached.

Thanks, merged into policycoreutils 1.27.12.

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.