1 --- util-linux-2.12pre/login-utils/Makefile.selinux 2001-09-29 14:11:24.000000000 -0400
2 +++ util-linux-2.12pre/login-utils/Makefile 2004-01-26 08:07:45.156687235 -0500
7 +ifeq "$(HAVE_SELINUX)" "yes"
8 +CFLAGS += -DWITH_SELINUX=1 -g
10 +SELINUXOBJS=selinux_utils.o
13 ifeq "$(HAVE_SHADOW)" "no"
14 ifeq "$(HAVE_PAM)" "no"
15 ifeq "$(HAVE_PASSWD)" "no"
17 wall.o: ttymsg.h $(LIB)/carefulputc.h
19 agetty: agetty.o $(LIB)/xstrncpy.o
20 -chfn: chfn.o islocal.o setpwnam.o $(LIB)/env.o $(LIB)/xstrncpy.o
21 - $(CC) $(LDFLAGS) -o $@ $^ $(CRYPT) $(PAM)
22 -chsh: chsh.o islocal.o setpwnam.o $(LIB)/env.o
23 - $(CC) $(LDFLAGS) -o $@ $^ $(CRYPT) $(PAM)
24 +chfn: chfn.o islocal.o setpwnam.o $(SELINUXOBJS) $(LIB)/env.o $(LIB)/xstrncpy.o
25 + $(CC) $(LDFLAGS) -o $@ $^ $(CRYPT) $(PAM) $(SELINUXLLIB)
26 +chsh: chsh.o islocal.o setpwnam.o $(SELINUXOBJS) $(LIB)/env.o
27 + $(CC) $(LDFLAGS) -o $@ $^ $(CRYPT) $(PAM) $(SELINUXLLIB)
30 ifeq "$(HAVE_PAM)" "yes"
31 login: login.o $(LIB)/setproctitle.o $(LIB)/xstrncpy.o
32 - $(CC) $(LDFLAGS) -o $@ $^ $(CRYPT) $(PAM)
33 + $(CC) $(LDFLAGS) -o $@ $^ $(CRYPT) $(PAM) $(SELINUXLLIB)
35 login: login.o $(LIB)/xstrncpy.o $(LIB)/setproctitle.o checktty.o
36 - $(CC) $(LDFLAGS) -o $@ $^ $(CRYPT)
37 + $(CC) $(LDFLAGS) -o $@ $^ $(CRYPT) $(SELINUXLLIB)
42 $(CC) $(LDFLAGS) -o $@ $^
44 vipw: vipw.o $(LIB)/xstrncpy.o
45 + $(CC) $(LDFLAGS) -o $@ $^ $(SELINUXLLIB)
47 newgrp.o: $(LIB)/pathnames.h
48 $(CC) -c $(CFLAGS) $(PAMFL) newgrp.c
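Review bot: `CFLAGS += -DWITH_SELINUX=1 -g` couples debug info to the SELinux switch, so every object in login-utils is compiled with `-g` only because HAVE_SELINUX is "yes". I would keep `CFLAGS += -DWITH_SELINUX=1` and leave debug flags to the builder. The library variable is spelled `SELINUXLLIB` in every link line, and its definition is not among the visible lines; if the definition is spelled differently, the reference expands to nothing and the library is silently dropped from the link. A short comment above the `ifeq` noting that `SELINUXOBJS` and `SELINUXLLIB` are empty when SELinux is off would help readers of the chfn, chsh, login and vipw rules.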
49 --- util-linux-2.12pre/login-utils/chfn.c.selinux 2004-01-26 08:07:43.716619491 -0500
50 +++ util-linux-2.12pre/login-utils/chfn.c 2004-01-26 08:08:31.588874751 -0500
56 +#include <selinux/selinux.h>
57 +#include <selinux/av_permissions.h>
58 +#include "selinux_utils.h"
61 #if REQUIRE_PASSWORD && USE_PAM
62 #include <security/pam_appl.h>
63 #include <security/pam_misc.h>
69 + if (is_selinux_enabled()>0) {
71 + if (checkAccess(oldf.username,PASSWD__CHFN)!=0) {
72 + security_context_t user_context;
73 + if (getprevcon(&user_context) < 0)
74 + user_context=(security_context_t) strdup(_("Unknown user context"));
75 + fprintf(stderr, _("%s: %s is not authorized to change the finger info of %s\n"),
76 + whoami, user_context, oldf.username);
77 + freecon(user_context);
81 + if (setupDefaultContext("/etc/passwd") != 0) {
82 + fprintf(stderr,_("%s: Can't set default context for /etc/passwd"),
90 if (uid != 0 && uid != oldf.pw->pw_uid) {
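Review bot: In the denial branch the fallback `user_context=(security_context_t) strdup(_("Unknown user context"));` is never checked for NULL, yet the pointer is passed to the `%s` of the following `fprintf` and then to `freecon()`. On allocation failure that is undefined behaviour in a utility that edits /etc/passwd. Printing a literal when `getprevcon()` fails, and calling `freecon()` only when it succeeded, avoids the NULL case and avoids handing a strdup buffer to the libselinux deallocator. The `Can't set default context for /etc/passwd` format also lacks the trailing `\n` that the message above it has. chsh.c repeats both patterns, and the enclosing function starts and ends outside the lines shown.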
92 --- util-linux-2.12pre/login-utils/vipw.c.selinux 2001-10-20 03:23:57.000000000 -0400
93 +++ util-linux-2.12pre/login-utils/vipw.c 2004-01-26 08:08:46.459576650 -0500
99 +#include <selinux/selinux.h>
102 #define FILENAMELEN 67
106 sprintf(tmp, "%s%s", orig_file, ".OLD");
108 link(orig_file, tmp);
111 + if (is_selinux_enabled()>0) {
112 + security_context_t passwd_context=NULL;
114 + if (getfilecon(orig_file,&passwd_context) < 0) {
115 + (void) fprintf(stderr,_("%s: Can't get context for %s"),progname,orig_file);
116 + pw_error(orig_file, 1, 1);
118 + ret=setfilecon(tmp_file,passwd_context);
119 + freecon(passwd_context);
121 + (void) fprintf(stderr,_("%s: Can't set context for %s"),progname,tmp_file);
122 + pw_error(tmp_file, 1, 1);
127 if (rename(tmp_file, orig_file) == -1) {
132 if (stat(tmp_file, &begin))
133 pw_error(tmp_file, 1, 1);
137 if (stat(tmp_file, &end))
138 pw_error(tmp_file, 1, 1);
139 if (begin.st_mtime == end.st_mtime) {
141 chmod(tmp_file, 0400);
147 int main(int argc, char *argv[]) {
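Review bot: The password file's context is copied onto `tmp_file` only just before `rename()`, so for the whole editing session the temporary copy carries whatever label it was created with. chfn and chsh in this same patch call `setupDefaultContext("/etc/passwd")` before writing; setting the creation context the same way before the temporary file is opened would label it correctly from the start, with the `getfilecon`/`setfilecon` pair kept as a final check. The place where `tmp_file` is created is outside the visible lines, so this needs confirming there. The Makefile links vipw with `$(SELINUXLLIB)` but not `$(SELINUXOBJS)`, so reusing the helper also needs the object added to the vipw rule. Both `Can't get context` and `Can't set context` messages lack a trailing `\n`.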
148 --- util-linux-2.12pre/login-utils/chsh.c.selinux 2004-01-26 08:07:45.016680649 -0500
149 +++ util-linux-2.12pre/login-utils/chsh.c 2004-01-26 08:08:56.480049975 -0500
151 #include <security/pam_misc.h>
155 +#include <selinux/selinux.h>
156 +#include <selinux/av_permissions.h>
157 +#include "selinux_utils.h"
160 typedef unsigned char boolean;
168 + if (is_selinux_enabled()>0) {
170 + if (checkAccess(pw->pw_name,PASSWD__CHSH)!=0) {
171 + security_context_t user_context;
172 + if (getprevcon(&user_context) < 0)
173 + user_context=(security_context_t) strdup(_("Unknown user context"));
174 + fprintf(stderr, _("%s: %s is not authorized to change the shell of %s\n"),
175 + whoami, user_context, pw->pw_name);
176 + freecon(user_context);
180 + if (setupDefaultContext("/etc/passwd") != 0) {
181 + fprintf(stderr,_("%s: Can't set default context for /etc/passwd"),
188 oldshell = pw->pw_shell;
189 if (!oldshell[0]) oldshell = "/bin/sh";
191 --- /dev/null 2004-01-20 06:10:08.000000000 -0500
192 +++ util-linux-2.12pre/login-utils/selinux_utils.h 2004-01-26 08:07:45.156687235 -0500
194 +extern int checkAccess(char *name,int access);
195 +extern int setupDefaultContext(char *orig_file);
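Review bot: Both prototypes take `char *` for strings the callers only pass in (`setupDefaultContext("/etc/passwd")`, `checkAccess(pw->pw_name, ...)`); `const char *` would state that the helpers do not modify them. The lines shown have no include guard and no comment on the return convention. Callers treat a non-zero result from either function as denial or failure, so a comment such as `/* both return 0 on success/allowed, non-zero otherwise */` above the declarations would document the contract that the access check relies on.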
196 --- /dev/null 2004-01-20 06:10:08.000000000 -0500
197 +++ util-linux-2.12pre/login-utils/selinux_utils.c 2004-01-26 08:09:11.190745364 -0500
200 +#include <sys/types.h>
202 +#include <selinux/selinux.h>
203 +#include <selinux/flask.h>
204 +#include <selinux/av_permissions.h>
205 +#include <selinux/context.h>
206 +#include "selinux_utils.h"
208 +int checkAccess(char *chuser, int access) {
210 + security_context_t user_context;
212 + if( getprevcon(&user_context)==0 ) {
213 + context_t c=context_new(user_context);
214 + user=context_user_get(c);
215 + if (strcmp(chuser, user) == 0) {
218 + struct av_decision avd;
219 + int retval = security_compute_av(user_context,
225 + if ((retval == 0) &&
226 + ((access & avd.allowed) == access)) {
231 + freecon(user_context);
236 +int setupDefaultContext(char *orig_file) {
237 + if (is_selinux_enabled()>0) {
238 + security_context_t scontext;
240 + if (getfilecon(orig_file,&scontext)<0) {
244 + if (setfscreatecon(scontext) < 0)
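Review bot: `context_new(user_context)` can return NULL, and the next line passes the result to `context_user_get(c)` with no check. A guard such as `if (c == NULL) { freecon(user_context); return 1; }` (or the function's own failure status) keeps the error on the deny side, since callers treat any non-zero result as "not authorized". No `context_free(c)` appears in the visible lines, so confirm that the context object is released on every path. The `strcmp(chuser, user) == 0` test equates the SELinux user field with the Linux login name and presumably skips the `security_compute_av()` decision when they match. That assumption deserves a comment, because it holds only under policies where the two names coincide. Both function bodies continue outside the lines shown.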
254 --- util-linux-2.12pre/MCONFIG.selinux 2004-01-26 08:07:44.006633133 -0500
255 +++ util-linux-2.12pre/MCONFIG 2004-01-26 08:07:45.156687235 -0500
257 # installed as it is not PAM aware.
260 +# If HAVE_SELINUX is set to "yes", the login will make sure the user is
261 +# logged into an appropriate security context
264 # If HAVE_SHADOW is set to "yes", then login, chfn, chsh, newgrp, passwd,
265 # and vipw will not be built or installed from the login-utils