1 Written-by: Tomas Mraz <tmraz@redhat.com>
2 Reviewed-by: Karel Zak <kzak@redhat.com>
4 diff -up /dev/null Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.8.xml
5 --- /dev/null 2007-09-17 08:57:19.474470099 +0200
6 +++ Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.8.xml 2007-09-19 19:37:26.000000000 +0200
8 +<?xml version="1.0" encoding='UTF-8'?>
9 +<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
10 + "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd">
12 +<refentry id="pam_selinux_permit">
15 + <refentrytitle>pam_selinux_permit</refentrytitle>
16 + <manvolnum>8</manvolnum>
17 + <refmiscinfo class="sectdesc">Linux-PAM Manual</refmiscinfo>
20 + <refnamediv id="pam_selinux_permit-name">
21 + <refname>pam_selinux_permit</refname>
22 + <refpurpose>PAM module to allow/deny login depending on SELinux enforcement state</refpurpose>
26 + <cmdsynopsis id="pam_selinux_permit-cmdsynopsis">
27 + <command>pam_selinux_permit.so</command>
32 + conf=<replaceable>/path/to/config/file</replaceable>
37 + <refsect1 id="pam_selinux_permit-description">
38 + <title>DESCRIPTION</title>
40 + The pam_selinux module allows or denies login depending on SELinux enforcement
44 + When the user which is logging in matches an entry in the config file
45 + he is allowed access only when the SELinux is in enforcing mode. Otherwise
46 + he is denied access. For users not matching any entry in the config file
47 + the pam_selinux_permit module returns PAM_IGNORE return value.
50 + The config file contains a simple list of user names one per line. If the
51 + <replaceable>name</replaceable> is prefixed with @ character it means that all
52 + users in the group <replaceable>name</replaceable> match. If it is prefixed
53 + with a % character the SELinux user is used to match against the <replaceable>name</replaceable>
54 + instead of the account name. Note that when SELinux is disabled the
55 + SELinux user assigned to the account cannot be determined. This means that
56 + such entries are never matched when SELinux is disabled and pam_selinux_permit
57 + will return PAM_IGNORE.
61 + <refsect1 id="pam_selinux_permit-options">
62 + <title>OPTIONS</title>
66 + <option>debug</option>
70 + Turns on debugging via
72 + <refentrytitle>syslog</refentrytitle><manvolnum>3</manvolnum>
79 + <option>conf=<replaceable>/path/to/config/file</replaceable></option>
83 + Path to alternative config file overriding the default.
90 + <refsect1 id="pam_selinux_permit-services">
91 + <title>MODULE SERVICES PROVIDED</title>
93 + Only the <option>auth</option> and <option>account</option>
94 + services are supported.
98 + <refsect1 id='pam_selinux_permit-return_values'>
99 + <title>RETURN VALUES</title>
102 + <term>PAM_AUTH_ERR</term>
105 + SELinux is disabled or in the permissive mode and the user
111 + <term>PAM_SUCCESS</term>
114 + SELinux is in the enforcing mode and the user matches.
119 + <term>PAM_IGNORE</term>
122 + The user does not match any entry in the config file.
127 + <term>PAM_USER_UNKNOWN</term>
130 + The module was unable to determine the user's name.
135 + <term>PAM_SERVICE_ERR</term>
138 + Error during reading or parsing the config file.
145 + <refsect1 id="pam_selinux_permit-files">
146 + <title>FILES</title>
149 + <term><filename>/etc/security/sepermit.conf</filename></term>
151 + <para>Default configuration file</para>
157 + <refsect1 id='pam_selinux_permit-examples'>
158 + <title>EXAMPLES</title>
160 +auth [success=done ignore=ignore default=bad] pam_selinux_permit.so
161 +auth required pam_unix.so
162 +account required pam_unix.so
163 +session required pam_permit.so
167 + <refsect1 id='pam_selinux_permit-see_also'>
168 + <title>SEE ALSO</title>
171 + <refentrytitle>pam.conf</refentrytitle><manvolnum>5</manvolnum>
174 + <refentrytitle>pam.d</refentrytitle><manvolnum>8</manvolnum>
177 + <refentrytitle>pam</refentrytitle><manvolnum>8</manvolnum>
182 + <refsect1 id='pam_selinux_permit-author'>
183 + <title>AUTHOR</title>
185 + pam_selinux_permit was written by Tomas Mraz <tmraz@redhat.com>.
190 diff -up /dev/null Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.c
191 --- /dev/null 2007-09-17 08:57:19.474470099 +0200
192 +++ Linux-PAM-0.99.8.1/modules/pam_selinux/pam_selinux_permit.c 2007-09-19 20:29:47.000000000 +0200
194 +/******************************************************************************
195 + * A module for Linux-PAM that allows/denies acces based on SELinux state.
197 + * Copyright (c) 2007 Red Hat, Inc.
198 + * Written by Tomas Mraz <tmraz@redhat.com>
200 + * Redistribution and use in source and binary forms, with or without
201 + * modification, are permitted provided that the following conditions
203 + * 1. Redistributions of source code must retain the above copyright
204 + * notice, and the entire permission notice in its entirety,
205 + * including the disclaimer of warranties.
206 + * 2. Redistributions in binary form must reproduce the above copyright
207 + * notice, this list of conditions and the following disclaimer in the
208 + * documentation and/or other materials provided with the distribution.
209 + * 3. The name of the author may not be used to endorse or promote
210 + * products derived from this software without specific prior
211 + * written permission.
213 + * ALTERNATIVELY, this product may be distributed under the terms of
214 + * the GNU Public License, in which case the provisions of the GPL are
215 + * required INSTEAD OF the above restrictions. (This clause is
216 + * necessary due to a potential bad interaction between the GPL and
217 + * the restrictions contained in a BSD-style copyright.)
219 + * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
220 + * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
221 + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
222 + * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
223 + * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
224 + * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
225 + * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
226 + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
227 + * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
228 + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
229 + * OF THE POSSIBILITY OF SUCH DAMAGE.
244 +#define PAM_SM_ACCOUNT
246 +#include <security/pam_modules.h>
247 +#include <security/_pam_macros.h>
248 +#include <security/pam_modutil.h>
249 +#include <security/pam_ext.h>
251 +#include <selinux/selinux.h>
253 +/* return 0 when matched, -1 when unmatched, pam error otherwise */
255 +sepermit_match(pam_handle_t *pamh, const char *cfgfile, const char *user,
256 + const char *seuser, int debug)
264 + f = fopen(cfgfile, "r");
267 + pam_syslog(pamh, LOG_ERR, "Failed to open config file %s: %m", cfgfile);
268 + return PAM_SERVICE_ERR;
271 + while (!matched && getline(&line, &len, f) != -1) {
274 + if (line[0] == '#')
278 + while (isspace(*start))
281 + while (n > 0 && isspace(start[n-1])) {
289 + switch (start[0]) {
293 + pam_syslog(pamh, LOG_NOTICE, "Matching user %s against group %s", user, start);
294 + if (pam_modutil_user_in_group_nam_nam(pamh, user, start)) {
301 + pam_syslog(pamh, LOG_NOTICE, "Matching seuser %s against seuser %s", seuser, start);
302 + if (strcmp(seuser, start) == 0) {
308 + pam_syslog(pamh, LOG_NOTICE, "Matching user %s against user %s", user, start);
309 + if (strcmp(user, start) == 0) {
317 + return matched ? 0 : -1;
321 +pam_sm_authenticate(pam_handle_t *pamh, int flags UNUSED,
322 + int argc, const char **argv)
327 + int sense = PAM_AUTH_ERR;
328 + const char *user = NULL;
329 + char *seuser = NULL;
330 + char *level = NULL;
331 + const char *cfgfile = SEPERMIT_CONF_FILE;
333 + /* Parse arguments. */
334 + for (i = 0; i < argc; i++) {
335 + if (strcmp(argv[i], "debug") == 0) {
338 + if (strcmp(argv[i], "conf=") == 0) {
339 + cfgfile = argv[i] + 5;
344 + pam_syslog(pamh, LOG_NOTICE, "Parsing config file: %s", cfgfile);
346 + if (pam_get_user(pamh, &user, NULL) != PAM_SUCCESS || user == NULL
347 + || *user == '\0') {
348 + pam_syslog(pamh, LOG_ERR, "Cannot determine the user's name");
349 + return PAM_USER_UNKNOWN;
352 + if (is_selinux_enabled() > 0) {
353 + if (security_getenforce() == 1) {
355 + pam_syslog(pamh, LOG_NOTICE, "Enforcing mode, access will be allowed on match");
356 + sense = PAM_SUCCESS;
359 + if (getseuserbyname(user, &seuser, &level) != 0) {
362 + pam_syslog(pamh, LOG_ERR, "getseuserbyname failed: %m");
366 + if (debug && sense != PAM_SUCCESS)
367 + pam_syslog(pamh, LOG_NOTICE, "Access will not be allowed on match");
369 + rv = sepermit_match(pamh, cfgfile, user, seuser, debug);
372 + pam_syslog(pamh, LOG_NOTICE, "sepermit_match returned: %d", rv);
388 +pam_sm_setcred (pam_handle_t *pamh UNUSED, int flags UNUSED,
389 + int argc UNUSED, const char **argv UNUSED)
395 +pam_sm_acct_mgmt(pam_handle_t *pamh, int flags,
396 + int argc, const char **argv)
398 + return pam_sm_authenticate(pamh, flags, argc, argv);
403 +/* static module data */
405 +struct pam_module _pam_access_modstruct = {
407 + pam_sm_authenticate,
416 diff -up /dev/null Linux-PAM-0.99.8.1/modules/pam_selinux/sepermit.conf
417 --- /dev/null 2007-09-17 08:57:19.474470099 +0200
418 +++ Linux-PAM-0.99.8.1/modules/pam_selinux/sepermit.conf 2007-09-19 19:37:26.000000000 +0200
420 +# /etc/security/sepermit.conf
422 +# Each line contains either:
424 +# - a group name, with @group syntax
425 +# - a SELinux user name, with %seuser syntax
426 diff -up Linux-PAM-0.99.8.1/modules/pam_selinux/Makefile.am.permit Linux-PAM-0.99.8.1/modules/pam_selinux/Makefile.am
427 --- Linux-PAM-0.99.8.1/modules/pam_selinux/Makefile.am.permit 2007-01-23 11:09:25.000000000 +0100
428 +++ Linux-PAM-0.99.8.1/modules/pam_selinux/Makefile.am 2007-09-19 19:37:26.000000000 +0200
432 EXTRA_DIST = README $(XMLS) pam_selinux.8 pam_selinux_check.8 \
434 + pam_seliux_permit.8 sepermit.conf tst-pam_selinux
437 TESTS = tst-pam_selinux
438 - man_MANS = pam_selinux.8
439 + man_MANS = pam_selinux.8 pam_selinux_permit.8
442 -XMLS = README.xml pam_selinux.8.xml
443 +XMLS = README.xml pam_selinux.8.xml pam_selinux_permit.8.xml
445 securelibdir = $(SECUREDIR)
446 secureconfdir = $(SCONFIGDIR)
448 AM_CFLAGS = -I$(top_srcdir)/libpam/include -I$(top_srcdir)/libpamc/include \
449 - -I$(top_srcdir)/libpam_misc/include
450 + -I$(top_srcdir)/libpam_misc/include \
451 + -DSEPERMIT_CONF_FILE=\"$(SCONFIGDIR)/sepermit.conf\"
453 pam_selinux_check_LDFLAGS = $(AM_LDFLAGS) \
454 -L$(top_builddir)/libpam -lpam \
455 @@ -30,12 +31,17 @@ if HAVE_VERSIONING
456 -Wl,--version-script=$(srcdir)/../modules.map
459 +pam_selinux_permit_la_LIBADD= $(pam_selinux_la_LIBADD)
460 +pam_selinux_permit_la_LDFLAGS= $(pam_selinux_la_LDFLAGS)
462 +secureconf_DATA = sepermit.conf
465 - securelib_LTLIBRARIES = pam_selinux.la
466 + securelib_LTLIBRARIES = pam_selinux.la pam_selinux_permit.la
467 noinst_PROGRAMS = pam_selinux_check
469 if ENABLE_REGENERATE_MAN
470 -noinst_DATA = README pam_selinux.8
471 +noinst_DATA = README pam_selinux.8 pam_selinux_permit.8
472 README: pam_selinux.8.xml
473 -include $(top_srcdir)/Make.xml.rules