author | Tomas Mraz <tm@t8m.info> | 2009-11-02 16:09:07 +0000 |
---|---|---|
committer | Tomas Mraz <tm@t8m.info> | 2009-11-02 16:09:07 +0000 |
commit | 2d79d6172837d6d458f08e19169b97677593c772 (patch) | |
tree | 539c9d55355687cb6b7f8002593415f6561d29e2 /modules/pam_sepermit | |
parent | 2abb3dfa9a3ec4934217c594b7d3edcb43716a16 (diff) | |
Relevant BUGIDs:
Purpose of commit: new feature
Commit summary:
---------------
2009-11-02 Tomas Mraz <t8m@centrum.cz>
* modules/pam_sepermit/Makefile.am: Add sepermit.conf(5) manual page.
* modules/pam_sepermit/pam_sepermit.8.xml: Add reference to
sepermit.conf(5). Drop some redundant text.
* modules/pam_sepermit/sepermit.conf.5.xml: New file.
* modules/pam_sepermit/pam_sepermit.c(sepermit_match): Implement the ignore
option in sepermit.conf.
Diffstat (limited to 'modules/pam_sepermit')
-rw-r--r-- | modules/pam_sepermit/Makefile.am | 10 | ||||
-rw-r--r-- | modules/pam_sepermit/pam_sepermit.8.xml | 19 | ||||
-rw-r--r-- | modules/pam_sepermit/pam_sepermit.c | 22 | ||||
-rw-r--r-- | modules/pam_sepermit/sepermit.conf.5.xml | 110 |
4 files changed, 141 insertions, 20 deletions
diff --git a/modules/pam_sepermit/Makefile.am b/modules/pam_sepermit/Makefile.am index 579e142f..9211a938 100644 --- a/modules/pam_sepermit/Makefile.am +++ b/modules/pam_sepermit/Makefile.am @@ -1,19 +1,19 @@ # # Copyright (c) 2005, 2006, 2007 Thorsten Kukuk <kukuk@thkukuk.de> -# Copyright (c) 2008 Red Hat, Inc. +# Copyright (c) 2008, 2009 Red Hat, Inc. # CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf tst-pam_sepermit +EXTRA_DIST = README $(XMLS) pam_sepermit.8 sepermit.conf sepermit.conf.5 tst-pam_sepermit if HAVE_LIBSELINUX TESTS = tst-pam_sepermit - man_MANS = pam_sepermit.8 + man_MANS = pam_sepermit.8 sepermit.conf.5 endif -XMLS = README.xml pam_sepermit.8.xml +XMLS = README.xml pam_sepermit.8.xml sepermit.conf.5.xml securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) @@ -37,7 +37,7 @@ if HAVE_LIBSELINUX securelib_LTLIBRARIES = pam_sepermit.la endif if ENABLE_REGENERATE_MAN -noinst_DATA = README pam_sepermit.8 +noinst_DATA = README pam_sepermit.8 sepermit.conf.5 README: pam_sepermit.8.xml -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_sepermit/pam_sepermit.8.xml b/modules/pam_sepermit/pam_sepermit.8.xml index 36730721..30d9cc54 100644 --- a/modules/pam_sepermit/pam_sepermit.8.xml +++ b/modules/pam_sepermit/pam_sepermit.8.xml @@ -40,7 +40,7 @@ the pam_sepermit module returns PAM_IGNORE return value. </para> <para> - The config file contains a simple list of user names one per line. If the + The config file contains a list of user names one per line with optional arguments. If the <replaceable>name</replaceable> is prefixed with <emphasis>@</emphasis> character it means that all users in the group <replaceable>name</replaceable> match. If it is prefixed with a <emphasis>%</emphasis> character the SELinux user is used to match against the <replaceable>name</replaceable> 
@@ -50,12 +50,11 @@ will return PAM_IGNORE. </para> <para> - Each user name in the configuration file can have optional arguments separated - by <emphasis>:</emphasis> character. The only currently recognized argument is <emphasis>exclusive</emphasis>. - The pam_sepermit module will allow only single concurrent user session for - the user with this argument specified and it will attempt to kill all processes - of the user after logout. + See <citerefentry> + <refentrytitle>sepermit.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry> for details. </para> + </refsect1> <refsect1 id="pam_sepermit-options"> @@ -168,6 +167,9 @@ session required pam_permit.so <title>SEE ALSO</title> <para> <citerefentry> + <refentrytitle>sepermit.conf</refentrytitle><manvolnum>5</manvolnum> + </citerefentry>, + <citerefentry> <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum> </citerefentry>, <citerefentry> @@ -176,13 +178,16 @@ session required pam_permit.so <citerefentry> <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum> </citerefentry> + <citerefentry> + <refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum> + </citerefentry> </para> </refsect1> <refsect1 id='pam_sepermit-author'> <title>AUTHOR</title> <para> - pam_sepermit was written by Tomas Mraz <tmraz@redhat.com>. + pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com>. </para> </refsect1> diff --git a/modules/pam_sepermit/pam_sepermit.c b/modules/pam_sepermit/pam_sepermit.c index 0fd95619..df0a2b1c 100644 --- a/modules/pam_sepermit/pam_sepermit.c +++ b/modules/pam_sepermit/pam_sepermit.c @@ -1,7 +1,7 @@ /****************************************************************************** * A module for Linux-PAM that allows/denies acces based on SELinux state. * - * Copyright (c) 2007, 2008 Red Hat, Inc. + * Copyright (c) 2007, 2008, 2009 Red Hat, Inc. * Originally written by Tomas Mraz <tmraz@redhat.com> * Contributions by Dan Walsh <dwalsh@redhat.com> * 
@@ -231,7 +231,7 @@ sepermit_lock(pam_handle_t *pamh, const char *user, int debug)
 /* return 0 when matched, -1 when unmatched, pam error otherwise */
 static int
 sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
- const char *seuser, int debug, int sense)
+ const char *seuser, int debug, int *sense)
 {
 FILE *f;
 char *line = NULL;
@@ -239,6 +239,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 size_t len = 0;
 int matched = 0;
 int exclusive = 0;
+ int ignore = 0;
 
 f = fopen(cfgfile, "r");
 
@@ -284,7 +285,7 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 if (debug)
 pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start);
 if (strcmp(seuser, start) == 0) {
- matched = 1;
+ matched = 1;
 }
 break;
 default:
@@ -298,6 +299,8 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 while ((opt=strtok_r(NULL, OPT_DELIM, &sptr)) != NULL) {
 if (strcmp(opt, "exclusive") == 0)
 exclusive = 1;
+ else if (strcmp(opt, "ignore") == 0)
+ ignore = 1;
 else if (debug) {
 pam_syslog(pamh, LOG_NOTICE, "Unknown user option: %s", opt);
 }
@@ -307,10 +310,13 @@ sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
 free(line);
 fclose(f);
 if (matched) {
- if (sense == PAM_SUCCESS && geteuid() == 0 && exclusive)
- return sepermit_lock(pamh, user, debug);
- else
- return 0;
+ if (*sense == PAM_SUCCESS) {
+ if (ignore)
+ *sense = PAM_IGNORE;
+ if (geteuid() == 0 && exclusive)
+ return sepermit_lock(pamh, user, debug);
+ }
+ return 0;
 }
 else
 return -1;
@@ -365,7 +371,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
 if (debug && sense != PAM_SUCCESS)
 pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match");
 
- rv = sepermit_match(pamh, cfgfile, user, seuser, debug, sense);
+ rv = sepermit_match(pamh, cfgfile, user, seuser, debug, &sense);
 
 if (debug)
 pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv);
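Review bot: The contract comment at the top of the first hunk, `/* return 0 when matched, -1 when unmatched, pam error otherwise */`, no longer describes sepermit_match: `sense` became an in/out parameter, and in the `if (matched)` hunk a match carrying the `ignore` option rewrites it from PAM_SUCCESS to PAM_IGNORE, an authorization-relevant side effect that pam_sm_authenticate now relies on through `&sense`. Suggest extending it to `/* return 0 when matched, -1 when unmatched, pam error otherwise; on a match with the "ignore" option *sense is downgraded from PAM_SUCCESS to PAM_IGNORE */`. Note also that an entry with both `ignore` and `exclusive` still takes the exclusive session lock via sepermit_lock() even though the result is downgraded to PAM_IGNORE; if that combination is not meant to be supported, `if (!ignore && geteuid() == 0 && exclusive)` would make it explicit, otherwise sepermit.conf(5) should state that the two options combine. The body of sepermit_match runs between and beyond these hunks, so whether `ignore` (declared once alongside `matched` and `exclusive`) is reset between config lines, or could carry over from a non-matching earlier entry, cannot be confirmed from here and is worth checking.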
diff --git a/modules/pam_sepermit/sepermit.conf.5.xml b/modules/pam_sepermit/sepermit.conf.5.xml
new file mode 100644
index 00000000..511480f6
--- /dev/null
+++ b/modules/pam_sepermit/sepermit.conf.5.xml
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding='UTF-8'?>
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+ "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
+
+<refentry id="sepermit.conf">
+
+ <refmeta>
+ <refentrytitle>sepermit.conf</refentrytitle>
+ <manvolnum>5</manvolnum>
+ <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname>sepermit.conf</refname>
+ <refpurpose>configuration file for the pam_sepermit module</refpurpose>
+ </refnamediv>
+
+ <refsect1 id='sepermit.conf-description'>
+ <title>DESCRIPTION</title>
+ <para>
+ The lines of the configuration file have the following syntax:
+ </para>
+ <para>
+ <replaceable><user></replaceable>[:<replaceable><option></replaceable>:<replaceable><option></replaceable>...]
+ </para>
+ <para>
+ The <emphasis remap='B'>user</emphasis> can be specified in the following manner:
+ </para>
+ <itemizedlist>
+ <listitem>
+ <para>
+ a username
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ a groupname, with <emphasis remap='B'>@group</emphasis> syntax.
+ This should not be confused with netgroups.
+ </para>
+ </listitem>
+ <listitem>
+ <para>
+ a SELinux user name with <emphasis remap='B'>%seuser</emphasis> syntax.
+ </para>
+ </listitem>
+ </itemizedlist>
+
+ <para>
+ The recognized options are:
+ </para>
+
+ <variablelist>
+ <varlistentry>
+ <term><option>exclusive</option></term>
+ <listitem>
+ <para>
+ Only single login session will be allowed for the user
+ and the user's processes will be killed on logout.
+ </para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
+ <term><option>ignore</option></term>
+ <listitem>
+ <para>
+ The module will never return PAM_SUCCESS status for the user.
+ It will return PAM_IGNORE if SELinux is in the enforcing mode,
+ and PAM_AUTH_ERR otherwise. It is useful if you want to support
+ passwordless guest users and other confined users with passwords
+ simultaneously.
+ </para>
+ </listitem>
+ </varlistentry>
+ </variablelist>
+
+ <para>
+ The lines which start with # character are comments and are ignored.
+ </para>
+ </refsect1>
+
+ <refsect1 id="sepermit.conf-examples">
+ <title>EXAMPLES</title>
+ <para>
+ These are some example lines which might be specified in
+ <filename>/etc/security/sepermit.conf</filename>.
+ </para>
+ <programlisting>
+%guest_u:exclusive
+%staff_u:ignore
+%user_u:ignore
+ </programlisting>
+ </refsect1>
+
+ <refsect1 id="sepermit.conf-see_also">
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry><refentrytitle>pam_sepermit</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam.d</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>selinux</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+ </para>
+ </refsect1>
+
+ <refsect1 id="sepermit.conf-author">
+ <title>AUTHOR</title>
+ <para>
+ pam_sepermit and this manual page were written by Tomas Mraz <tmraz@redhat.com>
+ </para>
+ </refsect1>
+</refentry>