add selinux patch, and missing IUSE

4 files changed, 298 insertions, 6 deletions

diff --git a/sys-apps/pam-login/ChangeLog b/sys-apps/pam-login/ChangeLog
index 0a53f3def2cf..1d122c30a4c0 100644
--- a/sys-apps/pam-login/ChangeLog
+++ b/sys-apps/pam-login/ChangeLog
@@ -1,6 +1,10 @@
 # ChangeLog for sys-apps/pam-login
 # Copyright 2002-2003 Gentoo Technologies, Inc.; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/pam-login/ChangeLog,v 1.18 2003/06/24 14:31:13 agriffis Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/pam-login/ChangeLog,v 1.19 2003/06/29 00:38:16 pebenito Exp $
+
+  28 Jun 2003; Chris PeBenito <pebenito@gentoo.org> pam-login-3.11.ebuild,
+  files/pam-login-3.11-selinux.diff:
+  Added patch for selinux.  Added missing IUSE.
 
   24 Jun 2003; Aron Griffis <agriffis@gentoo.org> pam-login-3.11.ebuild:
   Mark stable on alpha
diff --git a/sys-apps/pam-login/Manifest b/sys-apps/pam-login/Manifest
index bf98a1588a09..adcffc87922b 100644
--- a/sys-apps/pam-login/Manifest
+++ b/sys-apps/pam-login/Manifest
@@ -1,13 +1,14 @@
-MD5 3445f28fb00ef4a57ce4d5d5a907b73a ChangeLog 2349
+MD5 dee397a9cea8d0a03744544a4913c774 ChangeLog 2510
+MD5 80ca224367493f43b14bdf6a6087ec0c pam-login-3.10.ebuild 1993
 MD5 cad011cbd985a979f997fcc4d8bd304c pam-login-3.6-r1.ebuild 1833
 MD5 b04418a06d1f88d40e33887a0a19ba82 pam-login-3.6-r2.ebuild 1939
 MD5 5739c21cb2f366c515850e7ee5b97eb8 pam-login-3.7.ebuild 1985
-MD5 80ca224367493f43b14bdf6a6087ec0c pam-login-3.10.ebuild 1993
-MD5 5b8a39fd2058f688c3f4b2a0c497b731 pam-login-3.11.ebuild 2130
+MD5 325f34482aa3c3dc2a0cd96709136980 pam-login-3.11.ebuild 2244
+MD5 a5e9be8a38e1b8f784d3cf558cff7a6b files/digest-pam-login-3.10 67
 MD5 918ba376dc33a5a1c9f9b0bd048b484b files/digest-pam-login-3.6-r1 66
 MD5 918ba376dc33a5a1c9f9b0bd048b484b files/digest-pam-login-3.6-r2 66
 MD5 7febd6315d85fcd5196b602732789573 files/digest-pam-login-3.7 66
 MD5 21df4caf263fa2ed75e574f9a067b72e files/login.defs 3229
 MD5 b3602716045d7154356137da6f5dcbad files/pam-login-3.6-SUPATH.patch 438
-MD5 a5e9be8a38e1b8f784d3cf558cff7a6b files/digest-pam-login-3.10 67
 MD5 387e811b73906d5f0e5d4417cccfed0e files/digest-pam-login-3.11 67
+MD5 bcf75778be1a620e99fcaf5d2c55a504 files/pam-login-3.11-selinux.diff 8237
diff --git a/sys-apps/pam-login/files/pam-login-3.11-selinux.diff b/sys-apps/pam-login/files/pam-login-3.11-selinux.diff
new file mode 100644
index 000000000000..342a29b94671
--- /dev/null
+++ b/sys-apps/pam-login/files/pam-login-3.11-selinux.diff
@@ -0,0 +1,278 @@
+diff -urN pam_login-3.11.orig/configure pam_login-3.11/configure
+--- pam_login-3.11.orig/configure	2003-05-12 08:07:51.000000000 -0500
++++ pam_login-3.11/configure	2003-06-19 12:41:13.000000000 -0500
+@@ -1689,7 +1689,7 @@
+ fi
+ 
+ 
+-EXTRA_CFLAGS="-W -Wall -Wbad-function-cast -Wcast-align -Wcast-qual -Winline -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wshadow -Wstrict-prototypes -Wundef -Werror"
++EXTRA_CFLAGS="-W -Wall -Wbad-function-cast -Wcast-align -Wcast-qual -Winline -Wmissing-declarations -Wmissing-prototypes -Wnested-externs -Wshadow -Wstrict-prototypes -Wundef "
+ # -Wpointer-arith
+ 
+ ac_ext=c
+diff -urN pam_login-3.11.orig/src/Makefile.in pam_login-3.11/src/Makefile.in
+--- pam_login-3.11.orig/src/Makefile.in	2003-05-12 08:08:24.000000000 -0500
++++ pam_login-3.11/src/Makefile.in	2003-06-19 14:11:33.000000000 -0500
+@@ -70,7 +70,7 @@
+ LIBICONV = @LIBICONV@
+ LIBINTL = @LIBINTL@
+ LIBOBJS = @LIBOBJS@
+-LIBS = @LIBS@
++LIBS = @LIBS@ -lsecure
+ LTLIBICONV = @LTLIBICONV@
+ LTLIBINTL = @LTLIBINTL@
+ LTLIBOBJS = @LTLIBOBJS@
+diff -urN pam_login-3.11.orig/src/login.c pam_login-3.11/src/login.c
+--- pam_login-3.11.orig/src/login.c	2003-05-12 08:44:45.000000000 -0500
++++ pam_login-3.11/src/login.c	2003-06-19 14:57:57.000000000 -0500
+@@ -67,6 +67,13 @@
+ #include <sys/sysmacros.h>
+ #include <linux/major.h>
+ #include <utmp.h>
++
++#include <linux/flask/flask_types.h>
++#include <flask_util.h>
++#include <fs_secure.h>
++#include <ss.h>
++#include <get_sid_list.h>
++
+ #include <security/pam_appl.h>
+ #include <security/pam_misc.h>
+ 
+@@ -470,6 +477,23 @@
+   struct passwd resultbuf;
+   struct passwd *pwd;
+ 
++#define CONTEXTLEN 255
++  security_context_t user_context = NULL;
++  int user_context_len = CONTEXTLEN;
++  security_id_t user_sid;
++  security_id_t* sidlist;
++#define SIDLISTLEN 10
++  int sidlistlen = SIDLISTLEN;
++  int num_sids = 0;
++  security_id_t ttyn_sid;  /* The current sid of ttyn device */
++  security_id_t vcsn_sid;  /* The current sid of vcsn device */
++  security_id_t vcsan_sid;  /* The current sid of vcsan device */
++  security_id_t newdev_sid;   /* The new sid of a device */
++  struct stat statbuf;
++  int flask_enabled;
++  int rc;
++  char vcsn[20], vcsan[20];
++
+   init_sighandler ();
+ 
+   setlocale (LC_ALL, "");
+@@ -858,6 +882,67 @@
+   retcode = pam_setcred (pamh, PAM_ESTABLISH_CRED);
+   PAM_FAIL_CHECK;
+ 
++  /* Make sure SELINUX is really running on this system */
++  if ( (flask_enabled = is_flask_enabled()) )
++  {
++      /* Get security context and SID for user */
++      sidlistlen = SIDLISTLEN;
++      sidlist = malloc (sidlistlen*sizeof(security_id_t));
++      if (sidlist == 0) {
++	 fprintf(stderr, "login: no memory for SID list.\n");
++         exit (0);
++      }
++
++      num_sids = get_ordered_sid_list (username, 0, sidlist, &sidlistlen);
++      if (num_sids <= 0 && sidlistlen > SIDLISTLEN) {
++	security_id_t *tmplist;
++        tmplist = realloc (sidlist, sidlistlen*sizeof(security_id_t));
++        if (tmplist) {
++		sidlist = tmplist;
++		num_sids = get_ordered_sid_list (username, 0, sidlist,
++							 &sidlistlen);
++	}
++      }
++
++      if (num_sids <= 0)  {
++	  fprintf(stderr, "login: unable to obtain SIDs for %s.\n", username);
++          if (manual_user_enter_sid (username, &user_sid))
++          {
++              syslog (LOG_ERR, "UNABLE TO GET VALID SID FOR %s", username);
++              exit(0);
++          }
++      }
++      else
++      {
++          query_user_sid (sidlist, num_sids, &user_sid);
++      }
++
++      free (sidlist);
++
++      user_context_len = CONTEXTLEN;
++      user_context = malloc(user_context_len);
++      if (!user_context) {
++	    fprintf(stderr, "login: no memory for security context.\n");
++            exit (0);
++      }
++      rc = security_sid_to_context(user_sid,user_context,&user_context_len);
++      if (rc < 0 && user_context_len > CONTEXTLEN)
++      {
++		security_context_t tmpcon;
++		tmpcon = realloc (user_context, user_context_len);
++		if (tmpcon) {
++			user_context = tmpcon;
++			rc = security_sid_to_context (user_sid, user_context,
++						      &user_context_len);
++		}
++      }
++      if (rc < 0) {
++                free (user_context);
++                syslog (LOG_ERR, "PROBLEM OBTAINING CONTEXT FOR %s", username);
++                exit (0);
++      }
++  }
++
+   /* committed to login -- turn off timeout */
+   alarm ((unsigned int) 0);
+ 
+@@ -1013,13 +1098,25 @@
+   chown (ttyn, pwd->pw_uid, gid);
+   chmod (ttyn,  getdef_num ("TTYPERM", 0600));
+ 
++  if (flask_enabled) {
++    if (stat_secure(ttyn, &statbuf, &ttyn_sid) != 0) {
++	    perror("stat_secure");
++	    exit (0); 
++    }
++    if (security_change_sid (user_sid, ttyn_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0) {
++	    perror("security_change_sid");
++	    exit (0); 
++    }
++    if (chsid (ttyn, newdev_sid) != 0) {
++	    perror("chsid");
++	    exit (0); 
++    }
++  }
++
+   /* if tty is one of the VC's then change owner and mode of the
+      special /dev/vcs devices as well */
+   if (consoletty (0))
+     {
+-#if 0
+-      char vcsn[20], vcsan[20];
+-
+       /* find names of Virtual Console devices */
+       char *p = ttyn;
+       /* find number of tty */
+@@ -1030,7 +1127,7 @@
+       strcat (vcsn, p);
+       strcpy (vcsan, "/dev/vcsa");
+       strcat (vcsan, p);
+-
++#if 0
+       /*
+        * Please don't add code to chown /dev/vcs* to the user logging in -
+        * it's a potential security hole.  I wouldn't like the previous user
+@@ -1043,6 +1140,42 @@
+       chmod (vcsn, getdef_num ("TTYPERM", 0600));
+       chmod (vcsan, getdef_num ("TTYPERM", 0600));
+ #endif
++
++      if (flask_enabled)
++      {
++            if (stat_secure(vcsn, &statbuf, &vcsn_sid) != 0)
++            {
++                perror("stat_secure");
++                exit (0); 
++            }
++            if (security_change_sid (user_sid, vcsn_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0)
++            {
++                perror ("security_change_sid");
++                exit (0);
++            }
++            if (chsid (vcsn, newdev_sid) != 0)
++            {
++                perror("chsid");
++                exit (0);
++            }
++            if (stat_secure(vcsan, &statbuf, &vcsan_sid) != 0)
++            {
++                perror("stat_secure");
++                exit (0);
++            }
++            if (security_change_sid (user_sid, vcsan_sid, SECCLASS_CHR_FILE, &newdev_sid) != 0)
++            {
++                perror("security_change_sid");
++                exit (0);
++            }
++            if (chsid (vcsan, newdev_sid) != 0)
++            {
++                perror("chsid");
++                exit (0);
++            }
++
++       }
++
+     }
+ 
+   setgid (pwd->pw_gid);
+@@ -1123,6 +1256,23 @@
+ 
+   setproctitle ("login", username);
+ 
++  if (flask_enabled) {
++	/* note the SELinux login context */
++	if (pwd->pw_uid == 0) {
++		if (hostname)
++			syslog(LOG_NOTICE, _("ROOT LOGIN ON %s FROM %s USING %s"), ttyn, hostname, user_context);
++		else
++	  		syslog(LOG_NOTICE, _("ROOT LOGIN ON %s USING %s"), ttyn, user_context);
++	} else {
++		if (hostname) 
++			syslog(LOG_INFO, _("LOGIN ON %s BY %s FROM %s USING %s"), ttyn, pwd->pw_name, hostname, user_context);
++		else 
++			syslog(LOG_INFO, _("LOGIN ON %s BY %s USING %s"), ttyn, pwd->pw_name, user_context);
++	}
++
++	free(user_context);
++  }
++
+   if (!quietlog)
+     motd ();
+ 
+@@ -1170,6 +1320,27 @@
+ 	    fprintf (stderr, _("login: waitpid (%d, NULL, 0) failed: %s\n"),
+ 		     childPid, strerror (errsv));
+ 	}
++
++     if (flask_enabled)
++     {
++        /* We need to change the contexts of the terminal devices back to
++           the system when the user's session ends.  */
++        if (chsid (ttyn, ttyn_sid) != 0)
++        {
++             perror("chsid");
++        }
++        if (consoletty(0)) {
++          if (chsid (vcsn, vcsn_sid) != 0)
++          {
++             perror("chsid");
++          }
++          if (chsid (vcsan, vcsan_sid) != 0)
++          {
++             perror("chsid");
++          }
++        }
++      }
++
+       PAM_END;
+       exit (0);
+     }
+@@ -1241,7 +1412,10 @@
+ 
+   childArgv[childArgc++] = NULL;
+ 
+-  execvp (childArgv[0], childArgv + 1);
++  if (flask_enabled)
++       execvp_secure (childArgv[0], user_sid, childArgv + 1);
++  else
++       execvp(childArgv[0], childArgv + 1);
+ 
+   errsv = errno;
+ 
diff --git a/sys-apps/pam-login/pam-login-3.11.ebuild b/sys-apps/pam-login/pam-login-3.11.ebuild
index 512a1a285b9e..5a19a66e9d3e 100644
--- a/sys-apps/pam-login/pam-login-3.11.ebuild
+++ b/sys-apps/pam-login/pam-login-3.11.ebuild
@@ -1,10 +1,12 @@
 # Copyright 1999-2003 Gentoo Technologies, Inc.
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-apps/pam-login/pam-login-3.11.ebuild,v 1.5 2003/06/24 14:31:13 agriffis Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-apps/pam-login/pam-login-3.11.ebuild,v 1.6 2003/06/29 00:38:16 pebenito Exp $
 
 
 inherit gnuconfig
 
+IUSE="nls selinux"
+
 # Do we want to backup an old login.defs, and forcefully
 # install a new version?
 FORCE_LOGIN_DEFS="no"
@@ -23,6 +25,13 @@ DEPEND="virtual/glibc
 	sys-libs/pam
 	>=sys-apps/shadow-4.0.2-r5"
 
+src_unpack() {
+	unpack ${A}
+
+	cd ${S}
+	use selinux && epatch ${FILESDIR}/${P}-selinux.diff
+}
+
 src_compile() {
 
 	# Fix configure scripts to recognize linux-mips