Relevant BUGIDs: rhbz#531530
authorTomas Mraz <tm@t8m.info>
Thu, 29 Oct 2009 15:26:50 +0000 (15:26 +0000)
committerTomas Mraz <tm@t8m.info>
Thu, 29 Oct 2009 15:26:50 +0000 (15:26 +0000)
Purpose of commit: bugfix

Commit summary:
---------------
2009-10-29  Tomas Mraz  <t8m@centrum.cz>

        * modules/pam_xauth/Makefile.am: Link with libselinux.
        * modules/pam_xauth/pam_xauth.c(pam_sm_open_session): Call
        setfscreatecon() if selinux is enabled to create the .xauth file
        with the right label. Original idea by Dan Walsh.

ChangeLog
modules/pam_xauth/Makefile.am
modules/pam_xauth/pam_xauth.c

index 86d033ad7d715513f2dfbecbdec8e6d353ba9ff1..803082601f0c317afe631ce529b9a84202e9648d 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-10-29  Tomas Mraz  <t8m@centrum.cz>
+
+       * modules/pam_xauth/Makefile.am: Link with libselinux.
+       * modules/pam_xauth/pam_xauth.c(pam_sm_open_session): Call
+       setfscreatecon() if selinux is enabled to create the .xauth file
+       with the right label. Original idea by Dan Walsh.
+
 2009-10-08  Tomas Mraz  <t8m@centrum.cz>
 
        * modules/pam_tty_audit/pam_tty_audit.8.xml: Add notice about aureport
index 816d50e9b239e258f548b76508482c4f80d2824f..db089adba6c776dd89b7d6e4e950a4260aeba1f2 100644 (file)
@@ -17,7 +17,7 @@ secureconfdir = $(SCONFIGDIR)
 
 AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
 AM_LDFLAGS = -no-undefined -avoid-version -module \
-       -L$(top_builddir)/libpam -lpam
+       -L$(top_builddir)/libpam -lpam @LIBSELINUX@
 if HAVE_VERSIONING
   AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
 endif
index bc72a8c1c699e7ad99cbef132b95c640bc393609..0a94db4fd5663e975bec1315345f95b6536f2a53 100644 (file)
 #include <security/pam_modutil.h>
 #include <security/pam_ext.h>
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/label.h>
+#include <sys/stat.h>
+#endif
+
 #define DATANAME "pam_xauth_cookie_file"
 #define XAUTHENV "XAUTHORITY"
 #define HOMEENV  "HOME"
@@ -461,6 +467,10 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
                          getuid(), getgid(),
                          xauth, "-f", cookiefile, "nlist", display,
                          NULL) == 0) {
+               int save_errno;
+#ifdef WITH_SELINUX
+               security_context_t context = NULL;
+#endif
                /* Check that we got a cookie.  If not, we get creative. */
                if (((cookie == NULL) || (strlen(cookie) == 0)) &&
                    ((strncmp(display, "localhost:", 10) == 0) ||
@@ -545,12 +555,41 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
                /* Generate a new file to hold the data. */
                euid = geteuid();
                setfsuid(tpwd->pw_uid);
-               fd = mkstemp(xauthority + strlen(XAUTHENV) + 1);
+               
+#ifdef WITH_SELINUX
+               if (is_selinux_enabled() > 0) {
+                       struct selabel_handle *ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+                       if (ctx != NULL) {
+                               if (selabel_lookup(ctx, &context,
+                                                  xauthority + sizeof(XAUTHENV), S_IFREG) != 0) {
+                                       pam_syslog(pamh, LOG_WARNING,
+                                                  "could not get SELinux label for '%s'",
+                                                  xauthority + sizeof(XAUTHENV));
+                               }
+                               selabel_close(ctx);
+                               if (setfscreatecon(context)) {
+                                       pam_syslog(pamh, LOG_WARNING,
+                                                  "setfscreatecon(%s) failed: %m", context);
+                               }
+                       }
+               }
+               fd = mkstemp(xauthority + sizeof(XAUTHENV));
+               save_errno = errno;
+               if (context != NULL) {
+                       free(context);
+                       setfscreatecon(NULL);
+               }
+#else
+               fd = mkstemp(xauthority + sizeof(XAUTHENV));
+               save_errno = errno;
+#endif
+
                setfsuid(euid);
                if (fd == -1) {
+                       errno = save_errno;
                        pam_syslog(pamh, LOG_ERR,
                                   "error creating temporary file `%s': %m",
-                                  xauthority + strlen(XAUTHENV) + 1);
+                                  xauthority + sizeof(XAUTHENV));
                        retval = PAM_SESSION_ERR;
                        goto cleanup;
                }
@@ -563,7 +602,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
                /* Get a copy of the filename to save as a data item for
                 * removal at session-close time. */
                free(cookiefile);
-               cookiefile = strdup(xauthority + strlen(XAUTHENV) + 1);
+               cookiefile = strdup(xauthority + sizeof(XAUTHENV));
 
                /* Save the filename. */
                if (pam_set_data(pamh, DATANAME, cookiefile, cleanup) != PAM_SUCCESS) {
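Review bot: In the mkstemp() hunk (@@ -545,12 +555,41 @@) a failed selabel_lookup() leaves `context` at its initial NULL, yet the code still calls `setfscreatecon(context)` and, if that fails, formats the NULL pointer with `%s` in the warning, which is undefined behaviour (glibc merely happens to print "(null)"); guarding the call with `if (context != NULL && setfscreatecon(context) != 0) {` skips both the pointless reset and the NULL format argument. The restoring call `setfscreatecon(NULL)` after mkstemp() has its return value dropped; if it fails, the calling process keeps creating files with the .xauth label, so it deserves the same treatment as the first call, e.g. `if (setfscreatecon(NULL) != 0) pam_syslog(pamh, LOG_WARNING, "setfscreatecon(NULL) failed: %m");` (errno for the mkstemp() error is already preserved in `save_errno`, so this does not disturb the later `%m`). The selabel_open()/selabel_lookup() pair now runs inside the setfsuid(tpwd->pw_uid) window; if the file_contexts database needs no user-specific access, hoisting the lookup above the setfsuid() call would keep that window limited to mkstemp() itself. The added line after `setfsuid(tpwd->pw_uid);` consists only of trailing whitespace. pam_sm_open_session() begins and ends outside these hunks.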