From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <4526D6F3.5010009@us.ibm.com> Date: Fri, 06 Oct 2006 17:21:39 -0500 From: Michael C Thompson MIME-Version: 1.0 To: SE Linux , Stephen Smalley Subject: [PATCH 4/4] make newrole suid Content-Type: multipart/mixed; boundary="------------030007090805050607000003" Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov This is a multi-part message in MIME format. --------------030007090805050607000003 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit This is the 4th of 4 patches. This patch applies against policycoreutils-1.30.30-1. Changes: * Makefile now has AUDIT_LOG_PRIV and NAMESPACE_PRIV, as well as LSPP_PRIV (causes both previous to be on) * Adds newrole-lspp.pamd Signed-off-by: Michael Thompson --------------030007090805050607000003 Content-Type: text/x-diff; name="03-update_support_files.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="03-update_support_files.patch"
diff -Naur policycoreutils-1.30.30.suid/newrole/Makefile policycoreutils-1.30.30.dev/newrole/Makefile
--- policycoreutils-1.30.30.suid/newrole/Makefile 2006-09-29 10:50:27.000000000 -0500
+++ policycoreutils-1.30.30.dev/newrole/Makefile 2006-10-06 16:25:13.000000000 -0500
@@ -6,10 +6,18 @@
 LOCALEDIR = /usr/share/locale
 PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
 AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
-# If LOG_AUDIT_PRIV is y, then newrole will be made into setuid root program.
-# This is so that we have the CAP_AUDIT_WRITE capability. newrole will
-# shed all privileges and change to the user's uid.
-LOG_AUDIT_PRIV ?= n
+# Enable capabilities to permit newrole to generate audit records.
+# This will make newrole a setuid root program.
+# The capabilities used are: CAP_AUDIT_WRITE.
+AUDIT_LOG_PRIV ?= n
+# Enable capabilities to permit newrole to utilitize the pam_namespace module.
+# This will make newrole a setuid root program.
+# The capabilities used are: CAP_SYS_ADMIN, CAP_CHOWN, CAP_FOWNER and
+# CAP_DAC_OVERRIDE.
+NAMESPACE_PRIV ?= n
+# If LSPP_PRIV is y, then newrole will be made into setuid root program.
+# Enabling this option will force AUDIT_LOG_PRIV and NAMESPACE_PRIV to be y.
+LSPP_PRIV ?= n
 VERSION = $(shell cat ../VERSION)
 CFLAGS ?= -Werror -Wall -W
@@ -26,10 +34,21 @@
 override CFLAGS += -DUSE_AUDIT
 LDLIBS += -laudit
 endif
-ifeq (${LOG_AUDIT_PRIV},y)
- override CFLAGS += -DLOG_AUDIT_PRIV
- LDLIBS += -lcap
+ifeq (${LSPP_PRIV},y)
+ override AUDIT_LOG_PRIV=y
+ override NAMESPACE_PRIV=y
+endif
+ifeq (${AUDIT_LOG_PRIV},y)
+ override CFLAGS += -DAUDIT_LOG_PRIV
+ IS_SUID=y
+endif
+ifeq (${NAMESPACE_PRIV},y)
+ override CFLAGS += -DNAMESPACE_PRIV
+ IS_SUID=y
+endif
+ifeq (${IS_SUID},y)
 MODE := 4555
+ LDLIBS += -lcap
 else
 MODE := 555
 endif
@@ -37,6 +56,7 @@
 TARGETS=$(patsubst %.c,%,$(wildcard *.c))
 all: $(TARGETS)
+ chmod 4555 newrole; chcon -u system_u -t newrole_exec_t newrole
 install: all
 test -d $(BINDIR) || install -m 755 -d $(BINDIR)
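Review bot: Renaming `LOG_AUDIT_PRIV` to `AUDIT_LOG_PRIV` silently breaks existing builds: anyone still passing `LOG_AUDIT_PRIV=y` now gets a non-setuid newrole with no audit support, and nothing reports it. A guard placed after the new defaults, `ifeq (${LOG_AUDIT_PRIV},y)` / `$(error LOG_AUDIT_PRIV has been renamed to AUDIT_LOG_PRIV)` / `endif`, turns that into a parse-time failure instead of a quietly weaker binary. The NAMESPACE_PRIV comment also has a typo, `utilitize` for `utilize`.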
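Review bot: `IS_SUID` is only ever assigned inside the two `ifeq` branches and has no default before the `ifeq (${IS_SUID},y)` test, so when both options are `n` the comparison reads whatever `IS_SUID` happens to be in make's environment; a stray exported `IS_SUID=y` would select `MODE := 4555` and `-lcap` without either `-D` define. A file-level default, `IS_SUID := n`, placed just before `ifeq (${LSPP_PRIV},y)` makes the mode decision depend only on the documented knobs, since file assignments take precedence over the environment unless `-e` is given. It also keeps `--warn-undefined-variables` quiet.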
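Review bot: The `chmod 4555 newrole` added to the `all` recipe hard-codes the setuid bit regardless of `IS_SUID`, so a build with both AUDIT_LOG_PRIV and NAMESPACE_PRIV left at `n` still leaves a setuid-root binary in the build tree even though the Makefile computes `MODE := 555` for that case. Chaining with `;` also means a chmod failure is masked, while a `chcon` failure (a build host without a loaded policy that defines `newrole_exec_t`) aborts the whole build. Using the computed mode, `chmod $(MODE) newrole`, keeps the build-tree file consistent with what the install rule presumably applies; the labeling is better left to the install or relabel step, or at least made best-effort with a `-` prefix. The `install` rule's recipe continues outside this hunk.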
@@ -46,8 +66,12 @@
 install -m 644 newrole.1 $(MANDIR)/man1/
 ifeq (${PAMH}, /usr/include/security/pam_appl.h)
 test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
+ifeq (${LSPP_PRIV},y)
+ install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+else
 install -m 644 newrole.pamd $(ETCDIR)/pam.d/newrole
 endif
+endif
 clean:
 rm -f $(TARGETS) *.o
diff -Naur policycoreutils-1.30.30.suid/newrole/newrole-lspp.pamd policycoreutils-1.30.30.dev/newrole/newrole-lspp.pamd
--- policycoreutils-1.30.30.suid/newrole/newrole-lspp.pamd 1969-12-31 18:00:00.000000000 -0600
+++ policycoreutils-1.30.30.dev/newrole/newrole-lspp.pamd 2006-10-04 16:11:21.000000000 -0500
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+password include system-auth
+session required pam_namespace.so unmnt_remnt no_unmount_on_close
--------------030007090805050607000003-- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
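Review bot: The pam.d file selection keys on `LSPP_PRIV` rather than `NAMESPACE_PRIV`, so a build with `NAMESPACE_PRIV=y` alone grants newrole the namespace capabilities yet installs `newrole.pamd`, which presumably lacks the pam_namespace session line, leaving the extra privilege granted but unused. Because the earlier `ifeq (${LSPP_PRIV},y)` block already forces `NAMESPACE_PRIV=y`, testing `ifeq (${NAMESPACE_PRIV},y)` here covers both configurations and ties the PAM file to the capability that actually needs it. The `install` rule this hunk modifies begins outside the hunk.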