* [PATCH 4/4] make newrole suid
@ 2006-10-06 22:21 Michael C Thompson
2006-10-06 22:28 ` Michael C Thompson
0 siblings, 1 reply; 2+ messages in thread
From: Michael C Thompson @ 2006-10-06 22:21 UTC (permalink / raw)
To: SE Linux, Stephen Smalley
[-- Attachment #1: Type: text/plain, Size: 290 bytes --]
This is the 4th of 4 patches.
This patch applies against policycoreutils-1.30.30-1.
Changes:
* Makefile now has AUDIT_LOG_PRIV and NAMESPACE_PRIV, as well as
LSPP_PRIV (causes both previous to be on)
* Adds newrole-lspp.pamd
Signed-off-by: Michael Thompson <thompsmc@us.ibm.com>
[-- Attachment #2: 03-update_support_files.patch --]
[-- Type: text/x-diff, Size: 2917 bytes --]
diff -Naur policycoreutils-1.30.30.suid/newrole/Makefile policycoreutils-1.30.30.dev/newrole/Makefile
--- policycoreutils-1.30.30.suid/newrole/Makefile 2006-09-29 10:50:27.000000000 -0500
+++ policycoreutils-1.30.30.dev/newrole/Makefile 2006-10-06 16:25:13.000000000 -0500
@@ -6,10 +6,18 @@
LOCALEDIR = /usr/share/locale
PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
-# If LOG_AUDIT_PRIV is y, then newrole will be made into setuid root program.
-# This is so that we have the CAP_AUDIT_WRITE capability. newrole will
-# shed all privileges and change to the user's uid.
-LOG_AUDIT_PRIV ?= n
+# Enable capabilities to permit newrole to generate audit records.
+# This will make newrole a setuid root program.
+# The capabilities used are: CAP_AUDIT_WRITE.
+AUDIT_LOG_PRIV ?= n
+# Enable capabilities to permit newrole to utilitize the pam_namespace module.
+# This will make newrole a setuid root program.
+# The capabilities used are: CAP_SYS_ADMIN, CAP_CHOWN, CAP_FOWNER and
+# CAP_DAC_OVERRIDE.
+NAMESPACE_PRIV ?= n
+# If LSPP_PRIV is y, then newrole will be made into setuid root program.
+# Enabling this option will force AUDIT_LOG_PRIV and NAMESPACE_PRIV to be y.
+LSPP_PRIV ?= n
VERSION = $(shell cat ../VERSION)
CFLAGS ?= -Werror -Wall -W
@@ -26,10 +34,21 @@
override CFLAGS += -DUSE_AUDIT
LDLIBS += -laudit
endif
-ifeq (${LOG_AUDIT_PRIV},y)
- override CFLAGS += -DLOG_AUDIT_PRIV
- LDLIBS += -lcap
+ifeq (${LSPP_PRIV},y)
+ override AUDIT_LOG_PRIV=y
+ override NAMESPACE_PRIV=y
+endif
+ifeq (${AUDIT_LOG_PRIV},y)
+ override CFLAGS += -DAUDIT_LOG_PRIV
+ IS_SUID=y
+endif
+ifeq (${NAMESPACE_PRIV},y)
+ override CFLAGS += -DNAMESPACE_PRIV
+ IS_SUID=y
+endif
+ifeq (${IS_SUID},y)
MODE := 4555
+ LDLIBS += -lcap
else
MODE := 555
endif
@@ -37,6 +56,7 @@
TARGETS=$(patsubst %.c,%,$(wildcard *.c))
all: $(TARGETS)
+ chmod 4555 newrole; chcon -u system_u -t newrole_exec_t newrole
install: all
test -d $(BINDIR) || install -m 755 -d $(BINDIR)
@@ -46,8 +66,12 @@
install -m 644 newrole.1 $(MANDIR)/man1/
ifeq (${PAMH}, /usr/include/security/pam_appl.h)
test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
+ifeq (${LSPP_PRIV},y)
+ install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+else
install -m 644 newrole.pamd $(ETCDIR)/pam.d/newrole
endif
+endif
clean:
rm -f $(TARGETS) *.o
diff -Naur policycoreutils-1.30.30.suid/newrole/newrole-lspp.pamd policycoreutils-1.30.30.dev/newrole/newrole-lspp.pamd
--- policycoreutils-1.30.30.suid/newrole/newrole-lspp.pamd 1969-12-31 18:00:00.000000000 -0600
+++ policycoreutils-1.30.30.dev/newrole/newrole-lspp.pamd 2006-10-04 16:11:21.000000000 -0500
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+password include system-auth
+session required pam_namespace.so unmnt_remnt no_unmount_on_close
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: [PATCH 4/4] make newrole suid
2006-10-06 22:21 [PATCH 4/4] make newrole suid Michael C Thompson
@ 2006-10-06 22:28 ` Michael C Thompson
0 siblings, 0 replies; 2+ messages in thread
From: Michael C Thompson @ 2006-10-06 22:28 UTC (permalink / raw)
To: Michael C Thompson; +Cc: SE Linux, Stephen Smalley
[-- Attachment #1: Type: text/plain, Size: 560 bytes --]
Michael C Thompson wrote:
> This is the 4th of 4 patches.
> This patch applies against policycoreutils-1.30.30-1.
>
> Changes:
> * Makefile now has AUDIT_LOG_PRIV and NAMESPACE_PRIV, as well as
> LSPP_PRIV (causes both previous to be on)
> * Adds newrole-lspp.pamd
>
> Signed-off-by: Michael Thompson <thompsmc@us.ibm.com>
Please ignore the previously sent patch. There is an extra, naughty line
in Makefile I was using for testing, but failed to catch.
The correct (I hope) patch is attached.
Signed-off-by: Michael Thompson <thompsmc@us.ibm.com>
[-- Attachment #2: 03-update_support_files.patch --]
[-- Type: text/x-diff, Size: 2683 bytes --]
diff -Naur policycoreutils-1.30.30/newrole/Makefile policycoreutils-1.30.30.suid/newrole/Makefile
--- policycoreutils-1.30.30/newrole/Makefile 2006-09-29 10:50:27.000000000 -0500
+++ policycoreutils-1.30.30.suid/newrole/Makefile 2006-10-06 17:25:33.000000000 -0500
@@ -6,10 +6,18 @@
LOCALEDIR = /usr/share/locale
PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
-# If LOG_AUDIT_PRIV is y, then newrole will be made into setuid root program.
-# This is so that we have the CAP_AUDIT_WRITE capability. newrole will
-# shed all privileges and change to the user's uid.
-LOG_AUDIT_PRIV ?= n
+# Enable capabilities to permit newrole to generate audit records.
+# This will make newrole a setuid root program.
+# The capabilities used are: CAP_AUDIT_WRITE.
+AUDIT_LOG_PRIV ?= n
+# Enable capabilities to permit newrole to utilitize the pam_namespace module.
+# This will make newrole a setuid root program.
+# The capabilities used are: CAP_SYS_ADMIN, CAP_CHOWN, CAP_FOWNER and
+# CAP_DAC_OVERRIDE.
+NAMESPACE_PRIV ?= n
+# If LSPP_PRIV is y, then newrole will be made into setuid root program.
+# Enabling this option will force AUDIT_LOG_PRIV and NAMESPACE_PRIV to be y.
+LSPP_PRIV ?= n
VERSION = $(shell cat ../VERSION)
CFLAGS ?= -Werror -Wall -W
@@ -26,10 +34,21 @@
override CFLAGS += -DUSE_AUDIT
LDLIBS += -laudit
endif
-ifeq (${LOG_AUDIT_PRIV},y)
- override CFLAGS += -DLOG_AUDIT_PRIV
- LDLIBS += -lcap
+ifeq (${LSPP_PRIV},y)
+ override AUDIT_LOG_PRIV=y
+ override NAMESPACE_PRIV=y
+endif
+ifeq (${AUDIT_LOG_PRIV},y)
+ override CFLAGS += -DAUDIT_LOG_PRIV
+ IS_SUID=y
+endif
+ifeq (${NAMESPACE_PRIV},y)
+ override CFLAGS += -DNAMESPACE_PRIV
+ IS_SUID=y
+endif
+ifeq (${IS_SUID},y)
MODE := 4555
+ LDLIBS += -lcap
else
MODE := 555
endif
@@ -46,8 +65,12 @@
install -m 644 newrole.1 $(MANDIR)/man1/
ifeq (${PAMH}, /usr/include/security/pam_appl.h)
test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
+ifeq (${LSPP_PRIV},y)
+ install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+else
install -m 644 newrole.pamd $(ETCDIR)/pam.d/newrole
endif
+endif
clean:
rm -f $(TARGETS) *.o
diff -Naur policycoreutils-1.30.30/newrole/newrole-lspp.pamd policycoreutils-1.30.30.suid/newrole/newrole-lspp.pamd
--- policycoreutils-1.30.30/newrole/newrole-lspp.pamd 1969-12-31 18:00:00.000000000 -0600
+++ policycoreutils-1.30.30.suid/newrole/newrole-lspp.pamd 2006-10-06 17:25:26.000000000 -0500
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+password include system-auth
+session required pam_namespace.so unmnt_remnt no_unmount_on_close
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2006-10-06 22:28 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2006-10-06 22:21 [PATCH 4/4] make newrole suid Michael C Thompson
2006-10-06 22:28 ` Michael C Thompson
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.