From: Michael C Thompson <thompsmc@us.ibm.com>
To: Michael C Thompson <thompsmc@us.ibm.com>
Cc: SE Linux <selinux@tycho.nsa.gov>,
Daniel J Walsh <dwalsh@redhat.com>,
Stephen Smalley <sds@tycho.nsa.gov>
Subject: [PATCH 4/4] newrole suid functionality (take 2)
Date: Tue, 17 Oct 2006 13:43:38 -0500 [thread overview]
Message-ID: <4535245A.4010307@us.ibm.com> (raw)
In-Reply-To: <45351FC9.2080204@us.ibm.com>
[-- Attachment #1: Type: text/plain, Size: 914 bytes --]
Michael C Thompson wrote:
> This is the intro to a set of four patches.
>
> These patches are an attempt to make newrole be an acceptably secure
> suid root program, to provide it with the capabilities to generate audit
> records (existing) and handle polyinstatiation (new).
>
> The 4 patches are as follows:
> 1) New functions introduced to newrole.c, new and existing functionality
> 2) Changes to existing functions in newrole.c
> 3) Updates to main in newrole.c to use the aforementioned changes
> 4) Changes to the Makefile to allow building of newrole with the
> changes and introduction of newrole-lspp.pamd
This is the 4th of 4 patches.
This patch applies against policycoreutils-1.30.30-1.
Changes:
* Makefile now has AUDIT_LOG_PRIV and NAMESPACE_PRIV, as well as
LSPP_PRIV (causes both previous to be on)
* Adds newrole-lspp.pamd
Signed-off-by: Michael Thompson <thompsmc@us.ibm.com>
[-- Attachment #2: 04-update_Makefile_add_lspp.patch --]
[-- Type: text/x-diff, Size: 2703 bytes --]
diff -Naur policycoreutils-1.30.30.orig/newrole/Makefile policycoreutils-1.30.30.suid/newrole/Makefile
--- policycoreutils-1.30.30.orig/newrole/Makefile 2006-09-29 10:50:27.000000000 -0500
+++ policycoreutils-1.30.30.suid/newrole/Makefile 2006-10-17 12:58:01.000000000 -0500
@@ -6,10 +6,18 @@
LOCALEDIR = /usr/share/locale
PAMH = $(shell ls /usr/include/security/pam_appl.h 2>/dev/null)
AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
-# If LOG_AUDIT_PRIV is y, then newrole will be made into setuid root program.
-# This is so that we have the CAP_AUDIT_WRITE capability. newrole will
-# shed all privileges and change to the user's uid.
-LOG_AUDIT_PRIV ?= n
+# Enable capabilities to permit newrole to generate audit records.
+# This will make newrole a setuid root program.
+# The capabilities used are: CAP_AUDIT_WRITE.
+AUDIT_LOG_PRIV ?= n
+# Enable capabilities to permit newrole to utilitize the pam_namespace module.
+# This will make newrole a setuid root program.
+# The capabilities used are: CAP_SYS_ADMIN, CAP_CHOWN, CAP_FOWNER and
+# CAP_DAC_OVERRIDE.
+NAMESPACE_PRIV ?= n
+# If LSPP_PRIV is y, then newrole will be made into setuid root program.
+# Enabling this option will force AUDIT_LOG_PRIV and NAMESPACE_PRIV to be y.
+LSPP_PRIV ?= y
VERSION = $(shell cat ../VERSION)
CFLAGS ?= -Werror -Wall -W
@@ -26,10 +34,21 @@
override CFLAGS += -DUSE_AUDIT
LDLIBS += -laudit
endif
-ifeq (${LOG_AUDIT_PRIV},y)
- override CFLAGS += -DLOG_AUDIT_PRIV
- LDLIBS += -lcap
+ifeq (${LSPP_PRIV},y)
+ override AUDIT_LOG_PRIV=y
+ override NAMESPACE_PRIV=y
+endif
+ifeq (${AUDIT_LOG_PRIV},y)
+ override CFLAGS += -DAUDIT_LOG_PRIV
+ IS_SUID=y
+endif
+ifeq (${NAMESPACE_PRIV},y)
+ override CFLAGS += -DNAMESPACE_PRIV
+ IS_SUID=y
+endif
+ifeq (${IS_SUID},y)
MODE := 4555
+ LDLIBS += -lcap
else
MODE := 555
endif
@@ -46,8 +65,12 @@
install -m 644 newrole.1 $(MANDIR)/man1/
ifeq (${PAMH}, /usr/include/security/pam_appl.h)
test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
+ifeq (${LSPP_PRIV},y)
+ install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+else
install -m 644 newrole.pamd $(ETCDIR)/pam.d/newrole
endif
+endif
clean:
rm -f $(TARGETS) *.o
diff -Naur policycoreutils-1.30.30.orig/newrole/newrole-lspp.pamd policycoreutils-1.30.30.suid/newrole/newrole-lspp.pamd
--- policycoreutils-1.30.30.orig/newrole/newrole-lspp.pamd 1969-12-31 18:00:00.000000000 -0600
+++ policycoreutils-1.30.30.suid/newrole/newrole-lspp.pamd 2006-10-17 12:58:01.000000000 -0500
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+password include system-auth
+session required pam_namespace.so unmnt_remnt no_unmount_on_close
next prev parent reply other threads:[~2006-10-17 18:43 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-17 18:24 [PATCH 0/4] newrole suid functionality (take 2) Michael C Thompson
2006-10-17 18:38 ` [PATCH 1/4] " Michael C Thompson
2006-10-17 18:40 ` [PATCH 0/4] " Michael C Thompson
2006-10-17 18:42 ` [PATCH 3/4] " Michael C Thompson
2006-10-23 19:05 ` Stephen Smalley
2006-10-23 19:29 ` Michael C Thompson
2006-11-02 17:22 ` Michael C Thompson
2006-11-02 18:34 ` Stephen Smalley
2006-11-02 20:35 ` Michael C Thompson
2006-11-02 20:54 ` Stephen Smalley
2006-11-02 21:38 ` Michael C Thompson
2006-10-17 18:43 ` Michael C Thompson [this message]
2006-10-23 19:09 ` [PATCH 4/4] " Stephen Smalley
2006-10-23 19:30 ` Michael C Thompson
2006-10-23 18:56 ` [PATCH 0/4] " Stephen Smalley
2006-10-23 19:26 ` Michael C Thompson
2006-11-02 17:18 ` Michael C Thompson
2006-11-02 18:21 ` Stephen Smalley
2006-11-02 18:38 ` Michael C Thompson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4535245A.4010307@us.ibm.com \
--to=thompsmc@us.ibm.com \
--cc=dwalsh@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.