Diffstat (limited to 'modules/pam_selinux')
-rw-r--r-- | modules/pam_selinux/Makefile.am | 27 | ||||
-rw-r--r-- | modules/pam_selinux/Makefile.in | 144 | ||||
-rw-r--r-- | modules/pam_selinux/pam_selinux.8 | 6 | ||||
-rw-r--r-- | modules/pam_selinux/pam_selinux.c | 164 |
4 files changed, 166 insertions, 175 deletions
diff --git a/modules/pam_selinux/Makefile.am b/modules/pam_selinux/Makefile.am index 28c60d84..9476ab33 100644 --- a/modules/pam_selinux/Makefile.am +++ b/modules/pam_selinux/Makefile.am @@ -5,21 +5,20 @@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ - tst-pam_selinux +EXTRA_DIST = $(XMLS) pam_selinux_check.8 -if HAVE_LIBSELINUX - TESTS = tst-pam_selinux - man_MANS = pam_selinux.8 +if HAVE_DOC +dist_man_MANS = pam_selinux.8 endif - XMLS = README.xml pam_selinux.8.xml +dist_check_SCRIPTS = tst-pam_selinux +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -I$(top_srcdir)/libpam_misc/include + -I$(top_srcdir)/libpam_misc/include $(WARN_CFLAGS) pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module pam_selinux_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ @@ -27,14 +26,12 @@ if HAVE_VERSIONING pam_selinux_la_LDFLAGS += -Wl,--version-script=$(srcdir)/../modules.map endif -if HAVE_LIBSELINUX - securelib_LTLIBRARIES = pam_selinux.la - noinst_PROGRAMS = pam_selinux_check - pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ - $(top_builddir)/libpam_misc/libpam_misc.la -endif +securelib_LTLIBRARIES = pam_selinux.la +noinst_PROGRAMS = pam_selinux_check +pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ + $(top_builddir)/libpam_misc/libpam_misc.la + if ENABLE_REGENERATE_MAN -noinst_DATA = README pam_selinux.8 -README: pam_selinux.8.xml +dist_noinst_DATA = README -include $(top_srcdir)/Make.xml.rules endif diff --git a/modules/pam_selinux/Makefile.in b/modules/pam_selinux/Makefile.in index 6c39eefd..8d047146 100644 --- a/modules/pam_selinux/Makefile.in +++ b/modules/pam_selinux/Makefile.in 
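Review bot: With the `if HAVE_LIBSELINUX` guards removed in both hunks, `securelib_LTLIBRARIES`, `noinst_PROGRAMS` and `TESTS` are now set unconditionally, so this directory can only build where libselinux is present. Nothing in this file shows where that condition now lives; presumably the parent directory only descends into `pam_selinux` when libselinux was found, which is worth confirming before merging. A one-line comment above `securelib_LTLIBRARIES` would record the assumption, e.g. `# Built unconditionally here; the libselinux check is expected to gate this subdirectory.`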
@@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.13.4 from Makefile.am. +# Makefile.in generated by automake 1.16.1 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2018 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -21,7 +21,17 @@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -85,11 +95,8 @@ POST_UNINSTALL = : build_triplet = @build@ host_triplet = @host@ @HAVE_VERSIONING_TRUE@am__append_1 = -Wl,--version-script=$(srcdir)/../modules.map -@HAVE_LIBSELINUX_TRUE@noinst_PROGRAMS = pam_selinux_check$(EXEEXT) +noinst_PROGRAMS = pam_selinux_check$(EXEEXT) subdir = modules/pam_selinux -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/build-aux/depcomp \ - $(top_srcdir)/build-aux/test-driver README ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ $(top_srcdir)/m4/iconv.m4 $(top_srcdir)/m4/intlmacosx.m4 \ 
@@ -105,10 +112,13 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/gettext.m4 \ $(top_srcdir)/m4/progtest.m4 $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(dist_check_SCRIPTS) \ + $(am__dist_noinst_DATA_DIST) $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h CONFIG_CLEAN_FILES = CONFIG_CLEAN_VPATH_FILES = +PROGRAMS = $(noinst_PROGRAMS) am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`; am__vpath_adj = case $$p in \ $(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \ @@ -149,13 +159,10 @@ pam_selinux_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC \ $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=link $(CCLD) \ $(AM_CFLAGS) $(CFLAGS) $(pam_selinux_la_LDFLAGS) $(LDFLAGS) -o \ $@ -@HAVE_LIBSELINUX_TRUE@am_pam_selinux_la_rpath = -rpath $(securelibdir) -PROGRAMS = $(noinst_PROGRAMS) pam_selinux_check_SOURCES = pam_selinux_check.c pam_selinux_check_OBJECTS = pam_selinux_check.$(OBJEXT) -@HAVE_LIBSELINUX_TRUE@pam_selinux_check_DEPENDENCIES = \ -@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam/libpam.la \ -@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam_misc/libpam_misc.la +pam_selinux_check_DEPENDENCIES = $(top_builddir)/libpam/libpam.la \ + $(top_builddir)/libpam_misc/libpam_misc.la AM_V_P = $(am__v_P_@AM_V@) am__v_P_ = $(am__v_P_@AM_DEFAULT_V@) am__v_P_0 = false @@ -170,7 +177,9 @@ am__v_at_0 = @ am__v_at_1 = DEFAULT_INCLUDES = -I.@am__isrc@ -I$(top_builddir) depcomp = $(SHELL) $(top_srcdir)/build-aux/depcomp -am__depfiles_maybe = depfiles +am__maybe_remake_depfiles = depfiles +am__depfiles_remade = ./$(DEPDIR)/pam_selinux.Plo \ + ./$(DEPDIR)/pam_selinux_check.Po am__mv = mv -f COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) 
@@ -199,8 +208,9 @@ am__can_run_installinfo = \ esac man8dir = $(mandir)/man8 NROFF = nroff -MANS = $(man_MANS) -DATA = $(noinst_DATA) +MANS = $(dist_man_MANS) +am__dist_noinst_DATA_DIST = README +DATA = $(dist_noinst_DATA) am__tagged_files = $(HEADERS) $(SOURCES) $(TAGS_FILES) $(LISP) # Read a list of newline-separated strings from the standard input, # and print each of them once, without duplicates. Input order is @@ -397,6 +407,9 @@ TEST_LOGS = $(am__test_logs2:.test.log=.log) TEST_LOG_DRIVER = $(SHELL) $(top_srcdir)/build-aux/test-driver TEST_LOG_COMPILE = $(TEST_LOG_COMPILER) $(AM_TEST_LOG_FLAGS) \ $(TEST_LOG_FLAGS) +am__DIST_COMMON = $(dist_man_MANS) $(srcdir)/Makefile.in \ + $(top_srcdir)/build-aux/depcomp \ + $(top_srcdir)/build-aux/test-driver DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ AMTAR = @AMTAR@ @@ -425,6 +438,8 @@ DUMPBIN = @DUMPBIN@ ECHO_C = @ECHO_C@ ECHO_N = @ECHO_N@ ECHO_T = @ECHO_T@ +ECONF_CFLAGS = @ECONF_CFLAGS@ +ECONF_LIBS = @ECONF_LIBS@ EGREP = @EGREP@ EXEEXT = @EXEEXT@ FGREP = @FGREP@ @@ -433,7 +448,6 @@ GETTEXT_MACRO_VERSION = @GETTEXT_MACRO_VERSION@ GMSGFMT = @GMSGFMT@ GMSGFMT_015 = @GMSGFMT_015@ GREP = @GREP@ -HAVE_KEY_MANAGEMENT = @HAVE_KEY_MANAGEMENT@ INSTALL = @INSTALL@ INSTALL_DATA = @INSTALL_DATA@ INSTALL_PROGRAM = @INSTALL_PROGRAM@ @@ -469,6 +483,7 @@ LN_S = @LN_S@ LTLIBICONV = @LTLIBICONV@ LTLIBINTL = @LTLIBINTL@ LTLIBOBJS = @LTLIBOBJS@ +LT_SYS_LIBRARY_PATH = @LT_SYS_LIBRARY_PATH@ MAKEINFO = @MAKEINFO@ MANIFEST_TOOL = @MANIFEST_TOOL@ MKDIR_P = @MKDIR_P@ @@ -505,11 +520,13 @@ SECUREDIR = @SECUREDIR@ SED = @SED@ SET_MAKE = @SET_MAKE@ SHELL = @SHELL@ +STRINGPARAM_VENDORDIR = @STRINGPARAM_VENDORDIR@ STRIP = @STRIP@ TIRPC_CFLAGS = @TIRPC_CFLAGS@ TIRPC_LIBS = @TIRPC_LIBS@ USE_NLS = @USE_NLS@ VERSION = @VERSION@ +WARN_CFLAGS = @WARN_CFLAGS@ XGETTEXT = @XGETTEXT@ XGETTEXT_015 = @XGETTEXT_015@ XGETTEXT_EXTRA_OPTIONS = @XGETTEXT_EXTRA_OPTIONS@ 
@@ -578,25 +595,24 @@ top_builddir = @top_builddir@ top_srcdir = @top_srcdir@ CLEANFILES = *~ MAINTAINERCLEANFILES = $(MANS) README -EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \ - tst-pam_selinux - -@HAVE_LIBSELINUX_TRUE@TESTS = tst-pam_selinux -@HAVE_LIBSELINUX_TRUE@man_MANS = pam_selinux.8 +EXTRA_DIST = $(XMLS) pam_selinux_check.8 +@HAVE_DOC_TRUE@dist_man_MANS = pam_selinux.8 XMLS = README.xml pam_selinux.8.xml +dist_check_SCRIPTS = tst-pam_selinux +TESTS = $(dist_check_SCRIPTS) securelibdir = $(SECUREDIR) secureconfdir = $(SCONFIGDIR) AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \ - -I$(top_srcdir)/libpam_misc/include + -I$(top_srcdir)/libpam_misc/include $(WARN_CFLAGS) pam_selinux_la_LDFLAGS = -no-undefined -avoid-version -module \ $(am__append_1) pam_selinux_la_LIBADD = $(top_builddir)/libpam/libpam.la @LIBSELINUX@ @LIBAUDIT@ -@HAVE_LIBSELINUX_TRUE@securelib_LTLIBRARIES = pam_selinux.la -@HAVE_LIBSELINUX_TRUE@pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ -@HAVE_LIBSELINUX_TRUE@ $(top_builddir)/libpam_misc/libpam_misc.la +securelib_LTLIBRARIES = pam_selinux.la +pam_selinux_check_LDADD = $(top_builddir)/libpam/libpam.la \ + $(top_builddir)/libpam_misc/libpam_misc.la -@ENABLE_REGENERATE_MAN_TRUE@noinst_DATA = README pam_selinux.8 +@ENABLE_REGENERATE_MAN_TRUE@dist_noinst_DATA = README all: all-am .SUFFIXES: 
@@ -613,14 +629,13 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --gnu modules/pam_selinux/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --gnu modules/pam_selinux/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ *) \ - echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ - cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__maybe_remake_depfiles);; \ esac; $(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) @@ -632,6 +647,15 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps) cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh $(am__aclocal_m4_deps): +clean-noinstPROGRAMS: + @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ + echo " rm -f" $$list; \ + rm -f $$list || exit $$?; \ + test -n "$(EXEEXT)" || exit 0; \ + list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f" $$list; \ + rm -f $$list + install-securelibLTLIBRARIES: $(securelib_LTLIBRARIES) @$(NORMAL_INSTALL) @list='$(securelib_LTLIBRARIES)'; test -n "$(securelibdir)" || list=; \ 
@@ -668,16 +692,7 @@ clean-securelibLTLIBRARIES: } pam_selinux.la: $(pam_selinux_la_OBJECTS) $(pam_selinux_la_DEPENDENCIES) $(EXTRA_pam_selinux_la_DEPENDENCIES) - $(AM_V_CCLD)$(pam_selinux_la_LINK) $(am_pam_selinux_la_rpath) $(pam_selinux_la_OBJECTS) $(pam_selinux_la_LIBADD) $(LIBS) - -clean-noinstPROGRAMS: - @list='$(noinst_PROGRAMS)'; test -n "$$list" || exit 0; \ - echo " rm -f" $$list; \ - rm -f $$list || exit $$?; \ - test -n "$(EXEEXT)" || exit 0; \ - list=`for p in $$list; do echo "$$p"; done | sed 's/$(EXEEXT)$$//'`; \ - echo " rm -f" $$list; \ - rm -f $$list + $(AM_V_CCLD)$(pam_selinux_la_LINK) -rpath $(securelibdir) $(pam_selinux_la_OBJECTS) $(pam_selinux_la_LIBADD) $(LIBS) pam_selinux_check$(EXEEXT): $(pam_selinux_check_OBJECTS) $(pam_selinux_check_DEPENDENCIES) $(EXTRA_pam_selinux_check_DEPENDENCIES) @rm -f pam_selinux_check$(EXEEXT) 
@@ -689,22 +704,28 @@ mostlyclean-compile: distclean-compile: -rm -f *.tab.c -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_selinux.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_selinux_check.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_selinux.Plo@am__quote@ # am--include-marker +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pam_selinux_check.Po@am__quote@ # am--include-marker + +$(am__depfiles_remade): + @$(MKDIR_P) $(@D) + @echo '# dummy' >$@-t && $(am__mv) $@-t $@ + +am--depfiles: $(am__depfiles_remade) .c.o: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c $< +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ $< .c.obj: @am__fastdepCC_TRUE@ $(AM_V_CC)$(COMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ `$(CYGPATH_W) '$<'` @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) $(DEPDIR)/$*.Tpo $(DEPDIR)/$*.Po @AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='$<' object='$@' libtool=no @AMDEPBACKSLASH@ @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c `$(CYGPATH_W) '$<'` +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(COMPILE) -c -o $@ `$(CYGPATH_W) '$<'` .c.lo: @am__fastdepCC_TRUE@ $(AM_V_CC)$(LTCOMPILE) -MT $@ -MD -MP -MF $(DEPDIR)/$*.Tpo -c -o $@ $< @@ -718,10 +739,10 @@ mostlyclean-libtool: clean-libtool: -rm -rf .libs _libs -install-man8: $(man_MANS) +install-man8: $(dist_man_MANS) @$(NORMAL_INSTALL) @list1=''; \ - list2='$(man_MANS)'; \ + list2='$(dist_man_MANS)'; \ test -n "$(man8dir)" \ && test -n "`echo $$list1$$list2`" \ || exit 0; \ 
@@ -756,7 +777,7 @@ uninstall-man8: @$(NORMAL_UNINSTALL) @list=''; test -n "$(man8dir)" || exit 0; \ files=`{ for i in $$list; do echo "$$i"; done; \ - l2='$(man_MANS)'; for i in $$l2; do echo "$$i"; done | \ + l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \ sed -n '/\.8[a-z]*$$/p'; \ } | sed -e 's,.*/,,;h;s,.*\.,,;s,^[^8][0-9a-z]*$$,8,;x' \ -e 's,\.[0-9a-z]*$$,,;$(transform);G;s,\n,.,'`; \ @@ -844,7 +865,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) if test -n "$$am__remaking_logs"; then \ echo "fatal: making $(TEST_SUITE_LOG): possible infinite" \ "recursion detected" >&2; \ - else \ + elif test -n "$$redo_logs"; then \ am__remaking_logs=yes $(MAKE) $(AM_MAKEFLAGS) $$redo_logs; \ fi; \ if $(am__make_dryrun); then :; else \ @@ -934,7 +955,7 @@ $(TEST_SUITE_LOG): $(TEST_LOGS) fi; \ $$success || exit 1 -check-TESTS: +check-TESTS: $(dist_check_SCRIPTS) @list='$(RECHECK_LOGS)'; test -z "$$list" || rm -f $$list @list='$(RECHECK_LOGS:.log=.trs)'; test -z "$$list" || rm -f $$list @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @@ -944,7 +965,7 @@ check-TESTS: log_list=`echo $$log_list`; trs_list=`echo $$trs_list`; \ $(MAKE) $(AM_MAKEFLAGS) $(TEST_SUITE_LOG) TEST_LOGS="$$log_list"; \ exit $$?; -recheck: all +recheck: all $(dist_check_SCRIPTS) @test -z "$(TEST_SUITE_LOG)" || rm -f $(TEST_SUITE_LOG) @set +e; $(am__set_TESTS_bases); \ bases=`for i in $$bases; do echo $$i; done \ @@ -977,7 +998,10 @@ tst-pam_selinux.log: tst-pam_selinux @am__EXEEXT_TRUE@ $(am__common_driver_flags) $(AM_TEST_LOG_DRIVER_FLAGS) $(TEST_LOG_DRIVER_FLAGS) -- $(TEST_LOG_COMPILE) \ @am__EXEEXT_TRUE@ "$$tst" $(AM_TESTS_FD_REDIRECT) -distdir: $(DISTFILES) +distdir: $(BUILT_SOURCES) + $(MAKE) $(AM_MAKEFLAGS) distdir-am + +distdir-am: $(DISTFILES) @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ list='$(DISTFILES)'; \ 
@@ -1008,9 +1032,10 @@ distdir: $(DISTFILES) fi; \ done check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(dist_check_SCRIPTS) $(MAKE) $(AM_MAKEFLAGS) check-TESTS check: check-am -all-am: Makefile $(LTLIBRARIES) $(PROGRAMS) $(MANS) $(DATA) +all-am: Makefile $(PROGRAMS) $(LTLIBRARIES) $(MANS) $(DATA) installdirs: for dir in "$(DESTDIR)$(securelibdir)" "$(DESTDIR)$(man8dir)"; do \ test -z "$$dir" || $(MKDIR_P) "$$dir"; \ @@ -1056,7 +1081,8 @@ clean-am: clean-generic clean-libtool clean-noinstPROGRAMS \ clean-securelibLTLIBRARIES mostlyclean-am distclean: distclean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_selinux.Plo + -rm -f ./$(DEPDIR)/pam_selinux_check.Po -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags @@ -1102,7 +1128,8 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-am - -rm -rf ./$(DEPDIR) + -rm -f ./$(DEPDIR)/pam_selinux.Plo + -rm -f ./$(DEPDIR)/pam_selinux_check.Po -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic @@ -1125,10 +1152,10 @@ uninstall-man: uninstall-man8 .MAKE: check-am install-am install-strip -.PHONY: CTAGS GTAGS TAGS all all-am check check-TESTS check-am clean \ - clean-generic clean-libtool clean-noinstPROGRAMS \ - clean-securelibLTLIBRARIES cscopelist-am ctags ctags-am \ - distclean distclean-compile distclean-generic \ +.PHONY: CTAGS GTAGS TAGS all all-am am--depfiles check check-TESTS \ + check-am clean clean-generic clean-libtool \ + clean-noinstPROGRAMS clean-securelibLTLIBRARIES cscopelist-am \ + ctags ctags-am distclean distclean-compile distclean-generic \ distclean-libtool distclean-tags distdir dvi dvi-am html \ html-am info info-am install install-am install-data \ install-data-am install-dvi install-dvi-am install-exec \ 
@@ -1142,7 +1169,8 @@ uninstall-man: uninstall-man8 recheck tags tags-am uninstall uninstall-am uninstall-man \ uninstall-man8 uninstall-securelibLTLIBRARIES -@ENABLE_REGENERATE_MAN_TRUE@README: pam_selinux.8.xml +.PRECIOUS: Makefile + @ENABLE_REGENERATE_MAN_TRUE@-include $(top_srcdir)/Make.xml.rules # Tell versions [3.59,3.63) of GNU make to not export all variables. diff --git a/modules/pam_selinux/pam_selinux.8 b/modules/pam_selinux/pam_selinux.8 index 5822cc13..2745a478 100644 --- a/modules/pam_selinux/pam_selinux.8 +++ b/modules/pam_selinux/pam_selinux.8 @@ -1,13 +1,13 @@ '\" t .\" Title: pam_selinux .\" Author: [see the "AUTHOR" section] -.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/> -.\" Date: 05/18/2017 +.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/> +.\" Date: 06/08/2020 .\" Manual: Linux-PAM Manual .\" Source: Linux-PAM Manual .\" Language: English .\" -.TH "PAM_SELINUX" "8" "05/18/2017" "Linux-PAM Manual" "Linux\-PAM Manual" +.TH "PAM_SELINUX" "8" "06/08/2020" "Linux-PAM Manual" "Linux\-PAM Manual" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index 348cdd40..06c3ce65 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -36,7 +36,6 @@ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED * OF THE POSSIBILITY OF SUCH DAMAGE. - * */ #include "config.h" 
@@ -53,81 +52,80 @@ #include <fcntl.h> #include <syslog.h> -#define PAM_SM_AUTH -#define PAM_SM_SESSION - #include <security/pam_modules.h> #include <security/_pam_macros.h> #include <security/pam_modutil.h> #include <security/pam_ext.h> +#include "pam_inline.h" #include <selinux/selinux.h> #include <selinux/get_context_list.h> -#include <selinux/flask.h> -#include <selinux/av_permissions.h> -#include <selinux/selinux.h> #include <selinux/context.h> #include <selinux/get_default_type.h> #ifdef HAVE_LIBAUDIT #include <libaudit.h> #include <sys/select.h> -#include <errno.h> #endif /* Send audit message */ -static - -int send_audit_message(pam_handle_t *pamh, int success, security_context_t default_context, - security_context_t selected_context) +static void +send_audit_message(const pam_handle_t *pamh, int success, const char *default_context, + const char *selected_context) { - int rc=0; #ifdef HAVE_LIBAUDIT char *msg = NULL; int audit_fd = audit_open(); - security_context_t default_raw=NULL; - security_context_t selected_raw=NULL; + char *default_raw = NULL; + char *selected_raw = NULL; const void *tty = NULL, *rhost = NULL; - rc = -1; if (audit_fd < 0) { if (errno == EINVAL || errno == EPROTONOSUPPORT || - errno == EAFNOSUPPORT) - return 0; /* No audit support in kernel */ - pam_syslog(pamh, LOG_ERR, "Error connecting to audit system."); - return rc; + errno == EAFNOSUPPORT) { + goto fallback; /* No audit support in kernel */ + } + pam_syslog(pamh, LOG_ERR, "Error connecting to audit system: %m"); + goto fallback; } (void)pam_get_item(pamh, PAM_TTY, &tty); (void)pam_get_item(pamh, PAM_RHOST, &rhost); if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) { - pam_syslog(pamh, LOG_ERR, "Error translating default context."); + pam_syslog(pamh, LOG_ERR, "Error translating default context '%s'.", default_context); default_raw = NULL; } if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) { - pam_syslog(pamh, LOG_ERR, "Error translating 
selected context."); + pam_syslog(pamh, LOG_ERR, "Error translating selected context '%s'.", selected_context); selected_raw = NULL; } if (asprintf(&msg, "pam: default-context=%s selected-context=%s", default_raw ? default_raw : (default_context ? default_context : "?"), selected_raw ? selected_raw : (selected_context ? selected_context : "?")) < 0) { + msg = NULL; /* asprintf leaves msg in undefined state on failure */ pam_syslog(pamh, LOG_ERR, "Error allocating memory."); - goto out; + goto fallback; } if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, msg, rhost, NULL, tty, success) <= 0) { - pam_syslog(pamh, LOG_ERR, "Error sending audit message."); - goto out; + pam_syslog(pamh, LOG_ERR, "Error sending audit message: %m"); + goto fallback; } - rc = 0; - out: + goto cleanup; + + fallback: +#endif /* HAVE_LIBAUDIT */ + pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", + default_context, selected_context, success); + +#ifdef HAVE_LIBAUDIT + cleanup: free(msg); freecon(default_raw); freecon(selected_raw); - close(audit_fd); -#else - pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", default_context, selected_context, success); -#endif - return rc; + if (audit_fd >= 0) + close(audit_fd); +#endif /* HAVE_LIBAUDIT */ } + static int send_text (pam_handle_t *pamh, const char *text, int debug) { 
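Review bot: The new fallback `pam_syslog(pamh, LOG_NOTICE, "pam: default-context=%s selected-context=%s success %d", ...)` and the two reworded "Error translating ... context '%s'." messages pass `default_context` and `selected_context` straight to `%s`, while the asprintf call between them still guards both with `? ... : "?"`, which implies either can be NULL. Passing NULL to `%s` is undefined behaviour, and the fallback line is the record of last resort when the audit message could not be sent. Apply the same guard in all three calls, e.g. `default_context ? default_context : "?"` and `selected_context ? selected_context : "?"`. Because send_audit_message now returns void, callers cannot tell that the audit record was lost, so that syslog line is the only trace left.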
@@ -161,53 +159,17 @@ query_response (pam_handle_t *pamh, const char *text, const char *def, return rc; } -static int mls_range_allowed(pam_handle_t *pamh, security_context_t src, security_context_t dst, int debug) -{ - struct av_decision avd; - int retval; - security_class_t class; - access_vector_t bit; - context_t src_context; - context_t dst_context; - - class = string_to_security_class("context"); - if (!class) { - pam_syslog(pamh, LOG_ERR, "Failed to translate security class context. %m"); - return 0; - } - - bit = string_to_av_perm(class, "contains"); - if (!bit) { - pam_syslog(pamh, LOG_ERR, "Failed to translate av perm contains. %m"); - return 0; - } - - src_context = context_new (src); - dst_context = context_new (dst); - context_range_set(dst_context, context_range_get(src_context)); - if (debug) - pam_syslog(pamh, LOG_NOTICE, "Checking if %s mls range valid for %s", dst, context_str(dst_context)); - - retval = security_compute_av(context_str(dst_context), dst, class, bit, &avd); - context_free(src_context); - context_free(dst_context); - if (retval || ((bit & avd.allowed) != bit)) - return 0; - - return 1; -} - -static security_context_t -config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_current_range, int debug) +static char * +config_context (pam_handle_t *pamh, const char *defaultcon, int use_current_range, int debug) { - security_context_t newcon=NULL; + char *newcon = NULL; context_t new_context; int mls_enabled = is_selinux_mls_enabled(); char *response=NULL; char *type=NULL; char resp_val = 0; - pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("Default Security Context %s\n"), defaultcon); + pam_prompt (pamh, PAM_TEXT_INFO, NULL, _("The default security context is %s."), defaultcon); while (1) { if (query_response(pamh, 
@@ -227,7 +189,8 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre if (query_response(pamh, _("role:"), context_role_get(new_context), &response, debug) == PAM_SUCCESS && response[0]) { if (get_default_type(response, &type)) { - pam_prompt (pamh, PAM_ERROR_MSG, NULL, _("No default type for role %s\n"), response); + pam_prompt(pamh, PAM_ERROR_MSG, NULL, + _("There is no default type for role %s."), response); _pam_drop(response); continue; } else { @@ -243,7 +206,7 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre if (mls_enabled) { if (use_current_range) { - security_context_t mycon = NULL; + char *mycon = NULL; context_t my_context; if (getcon(&mycon) != 0) @@ -277,22 +240,23 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre goto fail_set; context_free(new_context); - /* we have to check that this user is allowed to go into the - range they have specified ... role is tied to an seuser, so that'll - be checked at setexeccon time */ - if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { + /* we have to check that this user is allowed to go into the + range they have specified ... role is tied to an seuser, so that'll + be checked at setexeccon time */ + if (mls_enabled && + selinux_check_access(defaultcon, newcon, "context", "contains", NULL) != 0) { pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); send_audit_message(pamh, 0, defaultcon, newcon); free(newcon); - goto fail_range; + goto fail_range; } return newcon; } else { send_audit_message(pamh, 0, defaultcon, context_str(new_context)); - send_text(pamh,_("Not a valid security context"),debug); + send_text(pamh,_("This is not a valid security context."),debug); } context_free(new_context); /* next time around allocates another */ } 
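Review bot: `selinux_check_access(defaultcon, newcon, "context", "contains", NULL) != 0` in the third hunk is not a drop-in replacement for the removed `mls_range_allowed()`. The helper compared `avd.allowed` itself and returned "not allowed" when the class or permission could not be translated, whereas `selinux_check_access()` goes through the userspace AVC and, as far as I know, returns 0 when SELinux is permissive or when the class/permission is unknown and the policy allows unknowns. It also passes `defaultcon` as the source, where the old code used the new context carrying the default context's range. If the range check is meant to hold in those cases as well, that needs an explicit decision; at minimum state it above the call, e.g. `/* selinux_check_access() follows enforcing mode: a permissive system accepts any requested range */`. The same call is added in context_from_env (hunk -388,7 +352,8), and config_context's body extends beyond these hunks.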
@@ -311,10 +275,10 @@ config_context (pam_handle_t *pamh, security_context_t defaultcon, int use_curre return NULL; } -static security_context_t -context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_params, int use_current_range, int debug) +static char * +context_from_env (pam_handle_t *pamh, const char *defaultcon, int env_params, int use_current_range, int debug) { - security_context_t newcon = NULL; + char *newcon = NULL; context_t new_context; context_t my_context = NULL; int mls_enabled = is_selinux_mls_enabled(); @@ -348,7 +312,7 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par } if (use_current_range) { - security_context_t mycon = NULL; + char *mycon = NULL; if (getcon(&mycon) != 0) goto fail_set; @@ -388,7 +352,8 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par /* we have to check that this user is allowed to go into the range they have specified ... role is tied to an seuser, so that'll be checked at setexeccon time */ - if (mls_enabled && !mls_range_allowed(pamh, defaultcon, newcon, debug)) { + if (mls_enabled && + selinux_check_access(defaultcon, newcon, "context", "contains", NULL) != 0) { pam_syslog(pamh, LOG_NOTICE, "Security context %s is not allowed for %s", defaultcon, newcon); goto fail_set; @@ -410,11 +375,11 @@ context_from_env (pam_handle_t *pamh, security_context_t defaultcon, int env_par #define DATANAME "pam_selinux_context" typedef struct { - security_context_t exec_context; - security_context_t prev_exec_context; - security_context_t default_user_context; - security_context_t tty_context; - security_context_t prev_tty_context; + char *exec_context; + char *prev_exec_context; + char *default_user_context; + char *tty_context; + char *prev_tty_context; char *tty_path; } module_data_t; 
@@ -455,7 +420,7 @@ get_item(const pam_handle_t *pamh, int item_type) } static int -set_exec_context(const pam_handle_t *pamh, security_context_t context) +set_exec_context(const pam_handle_t *pamh, const char *context) { if (setexeccon(context) == 0) return 0; @@ -465,7 +430,7 @@ set_exec_context(const pam_handle_t *pamh, security_context_t context) } static int -set_file_context(const pam_handle_t *pamh, security_context_t context, +set_file_context(const pam_handle_t *pamh, const char *context, const char *file) { if (!file) @@ -489,7 +454,7 @@ compute_exec_context(pam_handle_t *pamh, module_data_t *data, #endif char *seuser = NULL; char *level = NULL; - security_context_t *contextlist = NULL; + char **contextlist = NULL; int num_contexts = 0; const struct passwd *pwd; @@ -541,7 +506,7 @@ compute_exec_context(pam_handle_t *pamh, module_data_t *data, if (!data->exec_context) { pam_syslog(pamh, LOG_ERR, "Unable to get valid context for %s", username); pam_prompt(pamh, PAM_ERROR_MSG, NULL, - _("Unable to get valid context for %s"), username); + _("A valid context for %s could not be obtained."), username); } if (getexeccon(&data->prev_exec_context) < 0) @@ -555,7 +520,8 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data) { const char *tty = get_item(pamh, PAM_TTY); - if (!tty || !*tty || !strcmp(tty, "ssh") || !strncmp(tty, "NODEV", 5)) { + if (!tty || !*tty || !strcmp(tty, "ssh") + || pam_str_skip_prefix(tty, "NODEV") != NULL) { tty = ttyname(STDIN_FILENO); if (!tty || !*tty) tty = ttyname(STDOUT_FILENO); @@ -565,7 +531,7 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data) return PAM_SUCCESS; } - if (strncmp("/dev/", tty, 5)) { + if (pam_str_skip_prefix(tty, "/dev/") == NULL) { if (asprintf(&data->tty_path, "%s%s", "/dev/", tty) < 0) data->tty_path = NULL; } else { 
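Review bot: In compute_tty_context a PAM_TTY value that lacks the `/dev/` prefix is still appended to "/dev/" unchanged (`asprintf(&data->tty_path, "%s%s", "/dev/", tty)`), and nothing in the visible lines rejects `..` components, so `tty_path` is not guaranteed to name something under /dev. PAM_TTY is set by the calling service, so whether this matters depends on callers the diff does not show. The path appears to feed the tty relabeling computed further down, so a check before the asprintf such as `if (strstr(tty, "..") != NULL)`, treated as an error, would be cheap hardening. The function starts and ends outside these hunks.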
@@ -590,7 +556,7 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data) } if (security_compute_relabel(data->exec_context, data->prev_tty_context, - SECCLASS_CHR_FILE, &data->tty_context)) { + string_to_security_class("chr_file"), &data->tty_context)) { data->tty_context = NULL; pam_syslog(pamh, LOG_ERR, "Failed to compute new context for %s: %m", data->tty_path); @@ -660,7 +626,7 @@ set_context(pam_handle_t *pamh, const module_data_t *data, char msg[PATH_MAX]; snprintf(msg, sizeof(msg), - _("Security Context %s Assigned"), data->exec_context); + _("Security context %s has been assigned."), data->exec_context); send_text(pamh, msg, debug); } #ifdef HAVE_SETKEYCREATECON @@ -676,7 +642,7 @@ set_context(pam_handle_t *pamh, const module_data_t *data, char msg[PATH_MAX]; snprintf(msg, sizeof(msg), - _("Key Creation Context %s Assigned"), data->exec_context); + _("Key creation context %s has been assigned."), data->exec_context); send_text(pamh, msg, debug); } #endif |
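Review bot: `string_to_security_class("chr_file")` returns 0 when the loaded policy does not define the class, and the first hunk passes that value straight into `security_compute_relabel()`. The call would presumably fail and land in the existing error branch, but "Failed to compute new context for %s: %m" would then point at the tty instead of the missing class. Looking the class up first makes the failure diagnosable: `security_class_t tclass = string_to_security_class("chr_file");` followed by `if (!tclass) pam_syslog(pamh, LOG_ERR, "Failed to translate security class chr_file: %m");`. compute_tty_context's body extends beyond the hunk.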