From: Michael C Thompson <thompsmc@us.ibm.com>
To: Michael C Thompson <thompsmc@us.ibm.com>
Cc: SE Linux <selinux@tycho.nsa.gov>, Stephen Smalley <sds@tycho.nsa.gov>
Subject: [PATCH 1/8] make newrole suid (take 3)
Date: Thu, 02 Nov 2006 19:02:31 -0600 [thread overview]
Message-ID: <454A9527.2010909@us.ibm.com> (raw)
In-Reply-To: <454A8F35.2020006@us.ibm.com>
[-- Attachment #1: Type: text/plain, Size: 557 bytes --]
Michael C Thompson wrote:
> The 8 patches are as follows:
> 1) Modifications to Makefile to support future patch needs
> Add newrole-lspp.pamd
This is the 1st of 8 patches.
This patch applies against policycoreutils-1.30.30-1.
This patch adds the new lspp pam.d support file for namespaces,
and includes new compile-time options to the Makefile.
Changes:
* Makefile now has AUDIT_LOG_PRIV and NAMESPACE_PRIV, as well as
LSPP_PRIV (causes both previous to be on)
* Adds newrole-lspp.pamd
Signed-off-by: Michael Thompson <thompsmc@us.ibm.com>
[-- Attachment #2: 01-prep_non_source.patch --]
[-- Type: text/x-diff, Size: 2457 bytes --]
diff -Naur policycoreutils-1.30.30/newrole/Makefile policycoreutils-1.30.30.suid/newrole/Makefile
--- policycoreutils-1.30.30/newrole/Makefile 2006-09-29 10:50:27.000000000 -0500
+++ policycoreutils-1.30.30.suid/newrole/Makefile 2006-11-02 12:13:15.000000000 -0600
@@ -10,6 +10,19 @@
# This is so that we have the CAP_AUDIT_WRITE capability. newrole will
# shed all privileges and change to the user's uid.
LOG_AUDIT_PRIV ?= n
+
+# Enable capabilities to permit newrole to generate audit records.
+# This will make newrole a setuid root program.
+# The capabilities used are: CAP_AUDIT_WRITE.
+AUDIT_LOG_PRIV ?= n
+# Enable capabilities to permit newrole to utilitize the pam_namespace module.
+# This will make newrole a setuid root program.
+# The capabilities used are: CAP_SYS_ADMIN, CAP_CHOWN, CAP_FOWNER and
+# CAP_DAC_OVERRIDE.
+NAMESPACE_PRIV ?= n
+# If LSPP_PRIV is y, then newrole will be made into setuid root program.
+# Enabling this option will force AUDIT_LOG_PRIV and NAMESPACE_PRIV to be y.
+LSPP_PRIV ?= n
VERSION = $(shell cat ../VERSION)
CFLAGS ?= -Werror -Wall -W
@@ -26,6 +39,26 @@
override CFLAGS += -DUSE_AUDIT
LDLIBS += -laudit
endif
+
+ifeq (${LSPP_PRIV},y)
+ override AUDIT_LOG_PRIV=y
+ override NAMESPACE_PRIV=y
+endif
+ifeq (${AUDIT_LOG_PRIV},y)
+ override CFLAGS += -DAUDIT_LOG_PRIV
+ IS_SUID=y
+endif
+ifeq (${NAMESPACE_PRIV},y)
+ override CFLAGS += -DNAMESPACE_PRIV
+ IS_SUID=y
+endif
+ifeq (${IS_SUID},y)
+ MODE := 4555
+ LDLIBS += -lcap
+else
+ MODE := 0555
+endif
+
ifeq (${LOG_AUDIT_PRIV},y)
override CFLAGS += -DLOG_AUDIT_PRIV
LDLIBS += -lcap
@@ -46,8 +79,12 @@
install -m 644 newrole.1 $(MANDIR)/man1/
ifeq (${PAMH}, /usr/include/security/pam_appl.h)
test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d
+ifeq (${LSPP_PRIV},y)
+ install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole
+else
install -m 644 newrole.pamd $(ETCDIR)/pam.d/newrole
endif
+endif
clean:
rm -f $(TARGETS) *.o
diff -Naur policycoreutils-1.30.30/newrole/newrole-lspp.pamd policycoreutils-1.30.30.suid/newrole/newrole-lspp.pamd
--- policycoreutils-1.30.30/newrole/newrole-lspp.pamd 1969-12-31 18:00:00.000000000 -0600
+++ policycoreutils-1.30.30.suid/newrole/newrole-lspp.pamd 2006-11-02 12:11:19.000000000 -0600
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+password include system-auth
+session required pam_namespace.so unmnt_remnt no_unmount_on_close
next prev parent reply other threads:[~2006-11-03 1:02 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-11-03 0:37 [PATCH 0/8] make newrole suid (take 3) Michael C Thompson
2006-11-03 1:02 ` Michael C Thompson [this message]
2006-11-03 1:03 ` [PATCH 2/8] " Michael C Thompson
2006-11-07 4:54 ` Serge E. Hallyn
2006-11-07 19:41 ` Michael C Thompson
2006-11-03 1:04 ` [PATCH 3/8] " Michael C Thompson
2006-11-03 1:05 ` [PATCH 4/8] " Michael C Thompson
2006-11-07 5:23 ` Serge E. Hallyn
2006-11-07 20:09 ` Michael C Thompson
2006-11-08 17:32 ` Serge E. Hallyn
2006-11-08 19:35 ` Michael C Thompson
2006-11-09 5:15 ` Serge E. Hallyn
2006-11-09 13:57 ` Stephen Smalley
2006-11-09 16:37 ` Serge E. Hallyn
2006-11-09 20:06 ` Stephen Smalley
2006-11-09 21:21 ` Serge E. Hallyn
2006-11-09 20:22 ` Michael C Thompson
2006-11-09 20:27 ` Stephen Smalley
2006-11-03 1:05 ` [PATCH 5/8] " Michael C Thompson
2006-11-03 1:06 ` [PATCH 6/8] " Michael C Thompson
2006-11-03 1:06 ` [PATCH 7/8] " Michael C Thompson
2006-11-03 1:07 ` [PATCH 8/8] " Michael C Thompson
2006-11-14 0:08 ` [PATCH 0/8] " Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=454A9527.2010909@us.ibm.com \
--to=thompsmc@us.ibm.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.