rpms/pam/devel pam-0.99.10.0-namespace-level.patch, NONE, 1.1 pam-0.99.10.0-namespace-umount.patch, NONE, 1.1 pam-0.99.10.0-selinux-prev-context.patch, NONE, 1.1 pam.spec, 1.173, 1.174

Tomáš Mráz (tmraz) fedora-extras-commits at redhat.com
Thu Mar 20 16:50:49 UTC 2008


Author: tmraz

Update of /cvs/pkgs/rpms/pam/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv21790

Modified Files:
	pam.spec 
Added Files:
	pam-0.99.10.0-namespace-level.patch 
	pam-0.99.10.0-namespace-umount.patch 
	pam-0.99.10.0-selinux-prev-context.patch 
Log Message:
* Thu Mar 20 2008 Tomas Mraz <tmraz at redhat.com> 0.99.10.0-4
- pam_namespace: fix problem with level polyinst (#438264)
- pam_namespace: improve override checking for umount
- pam_selinux: fix syslogging a context after free() (#438338)


pam-0.99.10.0-namespace-level.patch:

--- NEW FILE pam-0.99.10.0-namespace-level.patch ---
diff -up Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c.umount Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c
--- Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c.umount	2008-02-13 14:52:13.000000000 +0100
+++ Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c	2008-03-20 15:29:11.000000000 +0100
@@ -822,10 +822,11 @@ static int poly_name(const struct polydi
      */
 
     pm = polyptr->method;
-    if (pm == LEVEL || pm == USER) {
+    if (pm == LEVEL || pm == CONTEXT)
 #ifdef WITH_SELINUX
-        if (!(idata->flags & PAMNS_CTXT_BASED_INST))
+        if (!(idata->flags & PAMNS_CTXT_BASED_INST)) {
 #else
+    {
 	pam_syslog(idata->pamh, LOG_NOTICE,
 		"Context and level methods not available, using user method");
 #endif
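Review bot: In a WITH_SELINUX build the `pam_syslog` notice is compiled out, because it sits between `#else` and `#endif`, so the block opened by `if (!(idata->flags & PAMNS_CTXT_BASED_INST)) {` runs without logging anything. Judging by the message text, the code after `#endif` falls back to the user method; if so, a configured level or context polyinstantiation is weakened with no trace for the administrator. Moving the `#endif` up to just before the `pam_syslog` call would log the fallback in both builds. The brace opened in each preprocessor branch is closed outside the hunk, so the rest of the block is not visible here.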

pam-0.99.10.0-namespace-umount.patch:

--- NEW FILE pam-0.99.10.0-namespace-umount.patch ---
diff -up Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c.umount Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c
--- Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c.umount	2008-02-13 14:52:13.000000000 +0100
+++ Linux-PAM-0.99.10.0/modules/pam_namespace/pam_namespace.c	2008-03-17 11:40:02.000000000 +0100
@@ -1528,8 +1528,11 @@ static int setup_namespace(struct instan
      */
     for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
 	enum unmnt_op dir_unmnt = unmnt;
+	if (ns_override(pptr, idata, idata->ruid)) {
+	    dir_unmnt = NO_UNMNT;
+	}
         if (ns_override(pptr, idata, idata->uid)) {
-    	    if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) {
+    	    if (dir_unmnt == NO_UNMNT) {
     		continue;
 	    } else {
 		dir_unmnt = UNMNT_ONLY;
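Review bot: The new `ns_override(pptr, idata, idata->ruid)` check at the top of the loop body has no comment saying why an override for the real uid must suppress unmounting. It also changes one case beyond the old logic: a directory overridden for `ruid` but not for `uid` now proceeds with `dir_unmnt = NO_UNMNT` even when the caller asked for an unmount. If that is intended, a comment above the check such as `/* real uid is exempt from polyinstantiation, so never unmount this directory */` would record it; the wording is a guess at the intent and should be confirmed. The loop body continues outside the hunk, so how `NO_UNMNT` is consumed there is not visible here.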

pam-0.99.10.0-selinux-prev-context.patch:

--- NEW FILE pam-0.99.10.0-selinux-prev-context.patch ---
diff -up Linux-PAM-0.99.10.0/modules/pam_selinux/pam_selinux.c.prev-context Linux-PAM-0.99.10.0/modules/pam_selinux/pam_selinux.c
--- Linux-PAM-0.99.10.0/modules/pam_selinux/pam_selinux.c.prev-context	2007-06-18 12:46:48.000000000 +0200
+++ Linux-PAM-0.99.10.0/modules/pam_selinux/pam_selinux.c	2008-03-20 17:38:41.000000000 +0100
@@ -672,7 +672,7 @@ PAM_EXTERN int
 pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
 		     int argc, const char **argv)
 {
-  int i, debug = 0,status=0, open_session=0;
+  int i, debug = 0, status = PAM_SUCCESS, open_session = 0;
   if (! (selinux_enabled ))
       return PAM_SUCCESS;
 
@@ -702,19 +702,21 @@ pam_sm_close_session(pam_handle_t *pamh,
     free(ttyn);
     ttyn=NULL;
   }
-  status=setexeccon(prev_user_context);
-  freecon(prev_user_context);
-  if (status) {
-    pam_syslog(pamh, LOG_ERR, "Error!  Unable to set executable context %s.",
+  if (prev_user_context) {
+    if (setexeccon(prev_user_context)) {
+      pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.",
 	       prev_user_context);
-    if (security_getenforce() == 1)
-       return PAM_AUTH_ERR;
-    else
-       return PAM_SUCCESS;
+      if (security_getenforce() == 1)
+         status = PAM_AUTH_ERR;
+      else
+         status = PAM_SUCCESS;
+    }
+    freecon(prev_user_context);
+    prev_user_context = NULL;
   }
 
   if (debug)
     pam_syslog(pamh, LOG_NOTICE, "setcontext back to orginal");
 
-  return PAM_SUCCESS;
+  return status;
 }
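Review bot: The new `if (prev_user_context)` guard skips `setexeccon()` entirely when no previous context was saved, whereas the old code called `setexeccon(NULL)`, which in libselinux resets the exec context to the policy default. If the session-open code (outside this page) set an exec context while `prev_user_context` was NULL, that context now stays in force in the calling process after the session closes. The use-after-free fix only needs the `freecon()` moved after the log call, so the restore can stay unconditional, with the NULL guard kept for the `%s` argument and the free.
```c
  /* setexeccon(NULL) resets the exec context to the policy default */
  if (setexeccon(prev_user_context)) {
    pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.",
	       prev_user_context ? prev_user_context : "(default)");
    /* … unchanged: status chosen from security_getenforce() … */
  }
  if (prev_user_context) {
    freecon(prev_user_context);
    prev_user_context = NULL;
  }
```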


Index: pam.spec
===================================================================
RCS file: /cvs/pkgs/rpms/pam/devel/pam.spec,v
retrieving revision 1.173
retrieving revision 1.174
diff -u -r1.173 -r1.174
--- pam.spec	28 Feb 2008 22:44:06 -0000	1.173
+++ pam.spec	20 Mar 2008 16:50:13 -0000	1.174
@@ -5,7 +5,7 @@
 Summary: A security tool which provides authentication for applications
 Name: pam
 Version: 0.99.10.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 # The library is BSD licensed with option to relicense as GPLv2+ - this option is redundant
 # as the BSD license allows that anyway. pam_timestamp and pam_console modules are GPLv2+,
 # pam_rhosts_auth module is BSD with advertising
@@ -30,6 +30,9 @@
 Patch21: pam-0.99.10.0-unix-audit-failed.patch
 Patch31: pam-0.99.3.0-cracklib-try-first-pass.patch
 Patch32: pam-0.99.3.0-tally-fail-close.patch
+Patch33: pam-0.99.10.0-namespace-umount.patch
+Patch34: pam-0.99.10.0-namespace-level.patch
+Patch35: pam-0.99.10.0-selinux-prev-context.patch
 
 %define _sbindir /sbin
 %define _moduledir /%{_lib}/security
@@ -107,6 +110,9 @@
 %patch21 -p1 -b .audit-failed
 %patch31 -p1 -b .try-first-pass
 %patch32 -p1 -b .fail-close
+%patch33 -p1 -b .umount
+%patch34 -p1 -b .level
+%patch35 -p1 -b .prev-context
 
 autoreconf
 
@@ -376,6 +382,11 @@
 %doc doc/adg/*.txt doc/adg/html
 
 %changelog
+* Thu Mar 20 2008 Tomas Mraz <tmraz at redhat.com> 0.99.10.0-4
+- pam_namespace: fix problem with level polyinst (#438264)
+- pam_namespace: improve override checking for umount
+- pam_selinux: fix syslogging a context after free() (#438338)
+
 * Thu Feb 28 2008 Tomas Mraz <tmraz at redhat.com> 0.99.10.0-3
 - update pam-redhat module tarball
 - update internal db4



