From 2abb3dfa9a3ec4934217c594b7d3edcb43716a16 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Thu, 29 Oct 2009 15:26:50 +0000
Subject: [PATCH] Relevant BUGIDs: rhbz#531530

Purpose of commit: bugfix

Commit summary:
---------------

2009-10-29 Tomas Mraz

	* modules/pam_xauth/Makefile.am: Link with libselinux.
	* modules/pam_xauth/pam_xauth.c(pam_sm_open_session): Call
	setfscreatecon() if selinux is enabled to create the .xauth file
	with the right label. Original idea by Dan Walsh.
---
 ChangeLog                     |  7 ++++++
 modules/pam_xauth/Makefile.am |  2 +-
 modules/pam_xauth/pam_xauth.c | 45 ++++++++++++++++++++++++++++++++---
 3 files changed, 50 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 86d033ad..80308260 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2009-10-29 Tomas Mraz
+
+	* modules/pam_xauth/Makefile.am: Link with libselinux.
+	* modules/pam_xauth/pam_xauth.c(pam_sm_open_session): Call
+	setfscreatecon() if selinux is enabled to create the .xauth file
+	with the right label. Original idea by Dan Walsh.
+
 2009-10-08 Tomas Mraz
 
 	* modules/pam_tty_audit/pam_tty_audit.8.xml: Add notice about aureport
diff --git a/modules/pam_xauth/Makefile.am b/modules/pam_xauth/Makefile.am
index 816d50e9..db089adb 100644
--- a/modules/pam_xauth/Makefile.am
+++ b/modules/pam_xauth/Makefile.am
@@ -17,7 +17,7 @@ secureconfdir = $(SCONFIGDIR)
 
 AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include
 AM_LDFLAGS = -no-undefined -avoid-version -module \
-	-L$(top_builddir)/libpam -lpam
+	-L$(top_builddir)/libpam -lpam @LIBSELINUX@
 if HAVE_VERSIONING
   AM_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map
 endif
diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index bc72a8c1..0a94db4f 100644
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -57,6 +57,12 @@
 #include
 #include
+#ifdef WITH_SELINUX
+#include
+#include
+#include
+#endif
+
 
 #define DATANAME "pam_xauth_cookie_file"
 #define XAUTHENV "XAUTHORITY"
 #define HOMEENV "HOME"
@@ -461,6 +467,10 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
				  getuid(), getgid(),
				  xauth, "-f", cookiefile, "nlist", display,
				  NULL) == 0) {
+		int save_errno;
+#ifdef WITH_SELINUX
+		security_context_t context = NULL;
+#endif
 		/* Check that we got a cookie. If not, we get creative. */
 		if (((cookie == NULL) || (strlen(cookie) == 0)) &&
 		    ((strncmp(display, "localhost:", 10) == 0) ||
@@ -545,12 +555,41 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 		/* Generate a new file to hold the data. */
 		euid = geteuid();
 		setfsuid(tpwd->pw_uid);
-		fd = mkstemp(xauthority + strlen(XAUTHENV) + 1);
+
+#ifdef WITH_SELINUX
+		if (is_selinux_enabled() > 0) {
+			struct selabel_handle *ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
+			if (ctx != NULL) {
+				if (selabel_lookup(ctx, &context,
+						   xauthority + sizeof(XAUTHENV), S_IFREG) != 0) {
+					pam_syslog(pamh, LOG_WARNING,
+						   "could not get SELinux label for '%s'",
+						   xauthority + sizeof(XAUTHENV));
+				}
+				selabel_close(ctx);
+				if (setfscreatecon(context)) {
+					pam_syslog(pamh, LOG_WARNING,
+						   "setfscreatecon(%s) failed: %m", context);
+				}
+			}
+		}
+		fd = mkstemp(xauthority + sizeof(XAUTHENV));
+		save_errno = errno;
+		if (context != NULL) {
+			free(context);
+			setfscreatecon(NULL);
+		}
+#else
+		fd = mkstemp(xauthority + sizeof(XAUTHENV));
+		save_errno = errno;
+#endif
+
 		setfsuid(euid);
 		if (fd == -1) {
+			errno = save_errno;
 			pam_syslog(pamh, LOG_ERR,
 				   "error creating temporary file `%s': %m",
-				   xauthority + strlen(XAUTHENV) + 1);
+				   xauthority + sizeof(XAUTHENV));
 			retval = PAM_SESSION_ERR;
 			goto cleanup;
 		}
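Review bot: In the `if (context != NULL)` block after mkstemp() in the @@ -545 hunk, the return value of the restoring `setfscreatecon(NULL)` is discarded, so if that reset fails the .xauth creation context stays armed in the calling thread and any file the login program creates afterwards would inherit that label; at minimum log the failure, as the arming call a few lines earlier already does. The lookup result should also be released with libselinux's `freecon(context)` rather than a bare `free()`, which is what selabel_lookup(3) documents for the returned context. When selabel_lookup() fails, `context` is still NULL and the code still reaches `setfscreatecon(context)`, which merely resets the default and, should it fail, hands a NULL pointer to `%s`; guarding that call with `context != NULL` keeps the warning meaningful. A selabel_open() failure is silent while the other two failure points warn, so a matching warning there would make a label fallback diagnosable. pam_sm_open_session begins and ends outside this hunk.
```c
/* … unchanged: is_selinux_enabled() / selabel_open() / selabel_lookup() and its warning … */
				selabel_close(ctx);
				if (context != NULL && setfscreatecon(context)) {
					pam_syslog(pamh, LOG_WARNING,
						   "setfscreatecon(%s) failed: %m", context);
				}
/* … unchanged: mkstemp() and save_errno … */
		if (context != NULL) {
			freecon(context);
			if (setfscreatecon(NULL)) {
				pam_syslog(pamh, LOG_WARNING,
					   "could not reset SELinux file creation context: %m");
			}
		}
```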
@@ -563,7 +602,7 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 		/* Get a copy of the filename to save as a data item for
 		 * removal at session-close time. */
 		free(cookiefile);
-		cookiefile = strdup(xauthority + strlen(XAUTHENV) + 1);
+		cookiefile = strdup(xauthority + sizeof(XAUTHENV));
 
 		/* Save the filename. */
 		if (pam_set_data(pamh, DATANAME, cookiefile, cleanup) != PAM_SUCCESS) {
-- 
2.40.0