diff -Naur policycoreutils-1.30.30/newrole/Makefile policycoreutils-1.30.30.suid/newrole/Makefile --- policycoreutils-1.30.30/newrole/Makefile 2006-09-29 10:50:27.000000000 -0500 +++ policycoreutils-1.30.30.suid/newrole/Makefile 2006-11-02 12:13:15.000000000 -0600 @@ -10,6 +10,19 @@ # This is so that we have the CAP_AUDIT_WRITE capability. newrole will # shed all privileges and change to the user's uid. LOG_AUDIT_PRIV ?= n + +# Enable capabilities to permit newrole to generate audit records. +# This will make newrole a setuid root program. +# The capabilities used are: CAP_AUDIT_WRITE. +AUDIT_LOG_PRIV ?= n +# Enable capabilities to permit newrole to utilitize the pam_namespace module. +# This will make newrole a setuid root program. +# The capabilities used are: CAP_SYS_ADMIN, CAP_CHOWN, CAP_FOWNER and +# CAP_DAC_OVERRIDE. +NAMESPACE_PRIV ?= n +# If LSPP_PRIV is y, then newrole will be made into setuid root program. +# Enabling this option will force AUDIT_LOG_PRIV and NAMESPACE_PRIV to be y. +LSPP_PRIV ?= n VERSION = $(shell cat ../VERSION) CFLAGS ?= -Werror -Wall -W @@ -26,6 +39,26 @@ override CFLAGS += -DUSE_AUDIT LDLIBS += -laudit endif + +ifeq (${LSPP_PRIV},y) + override AUDIT_LOG_PRIV=y + override NAMESPACE_PRIV=y +endif +ifeq (${AUDIT_LOG_PRIV},y) + override CFLAGS += -DAUDIT_LOG_PRIV + IS_SUID=y +endif +ifeq (${NAMESPACE_PRIV},y) + override CFLAGS += -DNAMESPACE_PRIV + IS_SUID=y +endif +ifeq (${IS_SUID},y) + MODE := 4555 + LDLIBS += -lcap +else + MODE := 0555 +endif + ifeq (${LOG_AUDIT_PRIV},y) override CFLAGS += -DLOG_AUDIT_PRIV LDLIBS += -lcap @@ -46,8 +79,12 @@ install -m 644 newrole.1 $(MANDIR)/man1/ ifeq (${PAMH}, /usr/include/security/pam_appl.h) test -d $(ETCDIR)/pam.d || install -m 755 -d $(ETCDIR)/pam.d +ifeq (${LSPP_PRIV},y) + install -m 644 newrole-lspp.pamd $(ETCDIR)/pam.d/newrole +else install -m 644 newrole.pamd $(ETCDIR)/pam.d/newrole endif +endif clean: rm -f $(TARGETS) *.o diff -Naur policycoreutils-1.30.30/newrole/newrole-lspp.pamd policycoreutils-1.30.30.suid/newrole/newrole-lspp.pamd --- policycoreutils-1.30.30/newrole/newrole-lspp.pamd 1969-12-31 18:00:00.000000000 -0600 +++ policycoreutils-1.30.30.suid/newrole/newrole-lspp.pamd 2006-11-02 12:11:19.000000000 -0600 @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session required pam_namespace.so unmnt_remnt no_unmount_on_close