--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c.level 2007-01-19 08:33:11.000000000 -0500
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.c 2007-01-19 08:33:11.000000000 -0500
@@ -244,23 +244,29 @@
 }
 strcpy(poly.dir, dir);
 strcpy(poly.instance_prefix, instance_prefix);
- if (strcmp(method, "user") == 0)
- poly.method = USER;
+
+ poly.method = NONE;
+ if (strcmp(method, "user") == 0)
+ poly.method = USER;
+
 #ifdef WITH_SELINUX
- else if (strcmp(method, "context") == 0) {
+ if (strcmp(method, "level") == 0) {
 if (idata->flags & PAMNS_CTXT_BASED_INST)
- poly.method = CONTEXT;
+ poly.method = LEVEL;
 else
 poly.method = USER;
- } else if (strcmp(method, "both") == 0) {
+ }
+
+ if (strcmp(method, "context") == 0) {
 if (idata->flags & PAMNS_CTXT_BASED_INST)
- poly.method = BOTH;
+ poly.method = CONTEXT;
 else
 poly.method = USER;
 }
 #endif
- else {
+
+ if ( poly.method == NONE) {
 pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method");
 goto skipping;
 }
@@ -448,19 +454,23 @@
 return PAM_SESSION_ERR;
 }
+ if (polyptr->method == USER) return PAM_SUCCESS;
+
+ rc = getexeccon(&scon);
+ if (rc < 0 || scon == NULL) {
+ pam_syslog(idata->pamh, LOG_ERR,
+ "Error getting exec context, %m");
+ return PAM_SESSION_ERR;
+ }
+
 /*
 * If polyinstantiating based on security context, get current
 * process security context, get security class for directories,
 * and ask the policy to provide security context of the
 * polyinstantiated instance directory.
 */
- if ((polyptr->method == CONTEXT) || (polyptr->method == BOTH)) {
- rc = getexeccon(&scon);
- if (rc < 0 || scon == NULL) {
- pam_syslog(idata->pamh, LOG_ERR,
- "Error getting exec context, %m");
- return PAM_SESSION_ERR;
- }
+
+ if (polyptr->method == CONTEXT) {
 tclass = string_to_security_class("dir");
 if (security_compute_member(scon, *origcon, tclass,
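Review bot: The rejection at `if ( poly.method == NONE)` logs only `"Illegal method"`, which gives the administrator no way to tell which token in namespace.conf was rejected, and on a build without WITH_SELINUX the `level` and `context` checks are compiled out so those valid-looking methods hit the same anonymous message; logging the value, `pam_syslog(idata->pamh, LOG_NOTICE, "Illegal method %s", method);`, would make both cases diagnosable. The silent downgrade to USER when PAMNS_CTXT_BASED_INST is unset is pre-existing, but it now applies to `level` as well and is still not logged; a LOG_DEBUG line in each `else` arm would help when an instance directory unexpectedly shares a user-only name. The stray space in `if ( poly.method == NONE)` does not match the surrounding style. The enclosing function starts and ends outside this hunk.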
@@ -473,7 +483,48 @@
 pam_syslog(idata->pamh, LOG_DEBUG,
 "member context returned by policy %s", *i_context);
 freecon(scon);
+ return PAM_SUCCESS;
 }
+
+ /*
+ * If polyinstantiating based on security level, get current
+ * process security context, get security class for directories,
+ * and change the directories MLS Level to match process.
+ */
+
+ if (polyptr->method == LEVEL) {
+ context_t scontext = NULL;
+ context_t fcontext = NULL;
+ rc = PAM_SESSION_ERR;
+
+ scontext = context_new(scon);
+ if (! scontext) {
+ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
+ goto fail;
+ }
+ fcontext = context_new(*origcon);
+ if (! fcontext) {
+ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
+ goto fail;
+ }
+ if (context_range_set(fcontext, context_range_get(scontext)) != 0) {
+ pam_syslog(idata->pamh, LOG_ERR, "Unable to set MLS Componant of context");
+ goto fail;
+ }
+ *i_context=strdup(context_str(fcontext));
+ if (! *i_context) {
+ pam_syslog(idata->pamh, LOG_ERR, "out of memory");
+ goto fail;
+ }
+
+ rc = PAM_SUCCESS;
+ fail:
+ context_free(scontext);
+ context_free(fcontext);
+ freecon(scon);
+ return rc;
+ }
+ /* Should never get here */
 return PAM_SUCCESS;
 }
 #endif
@@ -514,19 +565,14 @@
 break;
 #ifdef WITH_SELINUX
+ case LEVEL:
 case CONTEXT:
- if (asprintf(i_name, "%s", *i_context) < 0) {
- *i_name = NULL;
- rc = PAM_SESSION_ERR;
- }
- break;
-
- case BOTH:
 if (asprintf(i_name, "%s_%s", *i_context, idata->user) < 0) {
 *i_name = NULL;
 rc = PAM_SESSION_ERR;
 }
 break;
+
 #endif /* WITH_SELINUX */
 default:
@@ -1158,7 +1204,7 @@
 #ifdef WITH_SELINUX
 if (is_selinux_enabled())
 idata.flags |= PAMNS_SELINUX_ENABLED;
- if (ctxt_based_inst_needed())
+ if (ctxt_based_inst_needed())
 idata.flags |= PAMNS_CTXT_BASED_INST;
 #endif
--- Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.level 2006-06-27 09:07:43.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf 2007-01-19 08:33:11.000000000 -0500
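Review bot: The `/* Should never get here */` fallthrough at the end of this hunk returns PAM_SUCCESS with `*i_context` left unset and without releasing `scon`, which the preceding (-448) hunk now obtains for every non-USER method; since the `case CONTEXT:` arm in the -514 hunk passes `*i_context` to asprintf as `%s`, this path should be `freecon(scon); return PAM_SESSION_ERR;`. In the LEVEL branch, `context_str(fcontext)` allocates the string it returns and can return NULL, so `*i_context=strdup(context_str(fcontext));` should store that result and test it for NULL before calling strdup, otherwise strdup(NULL) is undefined behaviour. `context_range_get(scontext)` is presumably NULL when the process context carries no MLS range (non-MLS policy), and as written that silently produces an instance context without a range rather than an error; an explicit NULL check with a LOG_ERR line would be safer — confirm against the libselinux behaviour. The log string `"Unable to set MLS Componant of context"` misspells "Component". The enclosing function starts before this hunk.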
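Review bot: Folding `case LEVEL:` into the `case CONTEXT:` arm changes the CONTEXT instance name from the bare context to `<context>_<user>` (the removed arm formatted `"%s"`), so instance directories created by earlier versions with method `context` will no longer match and fresh ones will be created on upgrade; if that is intended it deserves a comment on the arm, e.g. `/* LEVEL and CONTEXT both append the user name; older releases named "context" instances by the bare context. */`. The enclosing switch starts and ends outside this hunk.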
@@ -4,12 +4,10 @@
 #
 # Uncommenting the following three lines will polyinstantiate
 # /tmp, /var/tmp and user's home directories. /tmp and /var/tmp will
-# be polyinstantiated based on both security context as well as user
-# name, whereas home directory will be polyinstantiated based on
-# security context only. Polyinstantion will not be performed for
-# user root and adm for directories /tmp and /var/tmp, whereas home
-# directories will be polyinstantiated for all users. The user name
-# and/or context is appended to the instance prefix.
+# be polyinstantiated based on the MLS level part of the security context as well as user
+# name, Polyinstantion will not be performed for user root and adm for directories
+# /tmp and /var/tmp, whereas home directories will be polyinstantiated for all users.
+# The user name and context is appended to the instance prefix.
 #
 # Note that instance directories do not have to reside inside the
 # polyinstantiated directory. In the examples below, instances of /tmp
@@ -25,6 +23,6 @@
 # caution, as it will reduce security and isolation achieved by
 # polyinstantiation.
 #
-#/tmp /tmp-inst/ both root,adm
-#/var/tmp /var/tmp/tmp-inst/ both root,adm
-#$HOME $HOME/$USER.inst/inst- context
+#/tmp /tmp-inst/ level root,adm
+#/var/tmp /var/tmp/tmp-inst/ level root,adm
+#$HOME $HOME/$USER.inst/ level
--- Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h.level 2007-01-19 08:33:11.000000000 -0500
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/pam_namespace.h 2007-01-19 08:33:11.000000000 -0500
@@ -63,6 +63,7 @@
 #ifdef WITH_SELINUX
 #include
+#include
 #endif
 #ifndef CLONE_NEWNS
@@ -93,9 +94,10 @@
 * or both */
 enum polymethod {
+ NONE,
 USER,
 CONTEXT,
- BOTH,
+ LEVEL,
 };
 /*
--- Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.5.xml.level 2006-06-27 09:07:43.000000000 -0400
+++ Linux-PAM-0.99.7.0/modules/pam_namespace/namespace.conf.5.xml 2007-01-19 08:33:11.000000000 -0500
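Review bot: The new example `#$HOME $HOME/$USER.inst/ level` drops the `inst-` instance prefix and switches the home directory to `level`, while the man-page example in the namespace.conf.5.xml hunk at -112 still ships `$HOME $HOME/$USER.inst/inst- context` and its prose says home directories use the full security context; the two shipped examples should agree. The reworded comment in the -4 hunk now describes only /tmp and /var/tmp and no longer says how the home directory is polyinstantiated, so a reader of the sample cannot tell that the third line differs in meaning from the first two. A sentence such as `# The home directory is polyinstantiated by MLS level as well; the instance is named after the resulting context and the user name.` would close that gap.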
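Review bot: The comment that closes with `* or both */` immediately above `enum polymethod` still describes the removed `both` method and says nothing about `NONE` or `LEVEL`; it should list the three accepted methods and note that `NONE` is the parser's "not recognised" value that pam_namespace.c rejects with "Illegal method", e.g. `/* Polyinstantiation method: by user name, by full security context, or by the MLS level of the security context; NONE marks an unrecognised method. */`. Inserting `NONE` first shifts every enumerator value, which is harmless only if nothing stores or compares the raw integer — worth confirming. The added `#include` line shows no header name in this rendering, presumably lost in extraction.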
@@ -22,7 +22,7 @@ This module allows setup of private namespaces with polyinstantiated directories. Directories can be polyinstantiated based on user name - or, in the case of SELinux, user name, security context or both. If an + or, in the case of SELinux, user name, sensitivity level or complete security context. If an executable script /etc/security/namespace.init exists, it is used to initialize the namespace every time a new instance directory is setup. The script receives the polyinstantiated @@ -72,10 +72,10 @@ The third field, method, is the method used for polyinstantiation. It can take 3 different values; "user" - for polyinstantiation based on user name, "context" for - polyinstantiation based on process security context, and "both" - for polyinstantiation based on both user name and security context. - Methods "context" and "both" are only available with SELinux. This + for polyinstantiation based on user name, "level" for + polyinstantiation based on process MLS level and user name, and "context" for + polyinstantiation based on process security context and user name + Methods "context" and "level" are only available with SELinux. This field cannot be blank. @@ -98,9 +98,9 @@ # The following three lines will polyinstantiate /tmp, # /var/tmp and user's home directories. /tmp and /var/tmp - # will be polyinstantiated based on both security context + # will be polyinstantiated based on the security level # as well as user name, whereas home directory will be - # polyinstantiated based on security context only. + # polyinstantiated based on the full security context and user name. # Polyinstantiation will not be performed for user root # and adm for directories /tmp and /var/tmp, whereas home # directories will be polyinstantiated for all users. 
@@ -112,8 +112,8 @@
 # will reside within the directories that are being
 # polyinstantiated.
 #
- /tmp /tmp-inst/ both root,adm
- /var/tmp /var/tmp/tmp-inst/ both root,adm
+ /tmp /tmp-inst/ level root,adm
+ /var/tmp /var/tmp/tmp-inst/ level root,adm
 $HOME $HOME/$USER.inst/inst- context