From bc3ff95282cef80507e6bfc3c54d1411228d8190 Mon Sep 17 00:00:00 2001
From: kzak
Date: Aug 21 2006 16:24:02 +0000
Subject: fc6/rhel5 fixes
---
diff --git a/util-linux-2.13-mount-context.patch b/util-linux-2.13-mount-context.patch
index 6542b6a..9bf90f7 100644
--- a/util-linux-2.13-mount-context.patch
+++ b/util-linux-2.13-mount-context.patch
@@ -1,63 +1,10 @@
 This patch adds to the mount man page docs about context, fscontext and
-defcontext mount options and translate context options from human to raw
-selinux context format. -- 03/30/2006 Karel Zak
+ defcontext mount options and translate context options from human to raw
+ selinux context format. -- 03/30/2006 Karel Zak
---- util-linux-2.13-pre7/mount/mount.8.cxt 2006-03-30 17:15:06.000000000 +0200
-+++ util-linux-2.13-pre7/mount/mount.8 2006-03-30 17:15:06.000000000 +0200
-@@ -661,6 +661,50 @@
- .BR noexec ", " nosuid ", and " nodev
- (unless overridden by subsequent options, as in the option line
- .BR users,exec,dev,suid ).
-+.TP
-+\fBcontext=\fP\fIcontext\fP, \fBfscontext=\fP\fIcontext\fP and \fBdefcontext=\fP\fIcontext\fP
-+The
-+.BR context=
-+option is useful when mounting filesystems that do not support
-+extended attributes, such as a floppy or hard disk formatted with VFAT, or
-+systems that are not normally running under SELinux, such as an ext3 formatted
-+disk from a non-SELinux workstation. You can also use
-+.BR context=
-+on filesystems you do not trust, such as a floppy. It also helps in compatibility with
-+xattr-supporting filesystems on earlier 2.4. kernel versions. Even where
-+xattrs are supported, you can save time not having to label every file by
-+assigning the entire disk one security context.
-+
-+A commonly used option for removable media is
-+.BR context=system_u:object_r:removable_t .
-+
-+Two other options are
-+.BR fscontext=
-+and
-+.BR defcontext= ,
-+both of which are mutually exclusive of the context option. This means you
-+can use fscontext and defcontext with each other, but neither can be used with
-+context.
-+
-+The
-+.BR fscontext=
-+option works for all filesystems, regardless of their xattr
-+support. The fscontext option sets the overarching filesystem label to a
-+specific security context. This filesystem label is separate from the
-+individual labels on the files.
It represents the entire filesystem for
-+certain kinds of permission checks, such as during mount or file creation.
-+Individual file labels are still obtained from the xattrs on the files
-+themselves. The context option actually sets the aggregate context that
-+fscontext provides, in addition to supplying the same label for individual
-+files.
-+
-+You can set the default security context for unlabeled files using
-+.BR defcontext=
-+option. This overrides the value set for unlabeled files in the policy and requires a
-+file system that supports xattr labeling.
-+
-+For more details see
-+.BR selinux (8)
- .RE
- .TP
- .B \-\-bind
---- util-linux-2.13-pre7/mount/mount.c.cxt 2006-03-30 17:15:06.000000000 +0200
-+++ util-linux-2.13-pre7/mount/mount.c 2006-03-30 20:16:57.000000000 +0200
+--- util-linux-2.13-pre6/mount/mount.c.kzak 2006-08-21 11:51:50.000000000 +0200
++++ util-linux-2.13-pre6/mount/mount.c 2006-08-21 11:51:50.000000000 +0200
 @@ -21,6 +21,11 @@
 #include
 #include
@@ -151,3 +98,68 @@ selinux context format. -- 03/30/2006 Karel Zak
 *extra_opts = xmalloc(len);
 **extra_opts = '\0';
+--- util-linux-2.13-pre6/mount/mount.8.kzak 2006-08-21 11:51:50.000000000 +0200
++++ util-linux-2.13-pre6/mount/mount.8 2006-08-21 11:51:50.000000000 +0200
+@@ -660,6 +660,50 @@
+ .BR noexec ", " nosuid ", and " nodev
+ (unless overridden by subsequent options, as in the option line
+ .BR users,exec,dev,suid ).
++.TP
++\fBcontext=\fP\fIcontext\fP, \fBfscontext=\fP\fIcontext\fP and \fBdefcontext=\fP\fIcontext\fP
++The
++.BR context=
++option is useful when mounting filesystems that do not support
++extended attributes, such as a floppy or hard disk formatted with VFAT, or
++systems that are not normally running under SELinux, such as an ext3 formatted
++disk from a non-SELinux workstation. You can also use
++.BR context=
++on filesystems you do not trust, such as a floppy. It also helps in compatibility with
++xattr-supporting filesystems on earlier 2.4. kernel versions. Even where
++xattrs are supported, you can save time not having to label every file by
++assigning the entire disk one security context.
++
++A commonly used option for removable media is
++.BR context=system_u:object_r:removable_t .
++
++Two other options are
++.BR fscontext=
++and
++.BR defcontext= ,
++both of which are mutually exclusive of the context option. This means you
++can use fscontext and defcontext with each other, but neither can be used with
++context.
++
++The
++.BR fscontext=
++option works for all filesystems, regardless of their xattr
++support. The fscontext option sets the overarching filesystem label to a
++specific security context. This filesystem label is separate from the
++individual labels on the files. It represents the entire filesystem for
++certain kinds of permission checks, such as during mount or file creation.
++Individual file labels are still obtained from the xattrs on the files
++themselves.
The context option actually sets the aggregate context that
++fscontext provides, in addition to supplying the same label for individual
++files.
++
++You can set the default security context for unlabeled files using
++.BR defcontext=
++option. This overrides the value set for unlabeled files in the policy and requires a
++file system that supports xattr labeling.
++
++For more details see
++.BR selinux (8)
+ .RE
+ .TP
+ .B \-\-bind
+--- util-linux-2.13-pre6/mount/Makefile.am.kzak 2006-08-21 12:13:10.000000000 +0200
++++ util-linux-2.13-pre6/mount/Makefile.am 2006-08-21 12:13:03.000000000 +0200
+@@ -37,6 +37,9 @@
+ man_MANS += pivot_root.8
+ endif
+
++if HAVE_SELINUX
++mount_LDADD += -lselinux
++endif
+
+ swapon.c: swapargs.h
+
diff --git a/util-linux-login.pamd b/util-linux-login.pamd
new file mode 100644
index 0000000..1515a27
--- /dev/null
+++ b/util-linux-login.pamd
@@ -0,0 +1,14 @@
+#%PAM-1.0
+auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
+auth include system-auth
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session include system-auth
+session required pam_loginuid.so
+session optional pam_console.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open
+session optional pam_keyinit.so force revoke
diff --git a/util-linux-remote.pamd b/util-linux-remote.pamd
new file mode 100644
index 0000000..4cf49ea
--- /dev/null
+++ b/util-linux-remote.pamd
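Review bot: The Makefile.am hunk at the end of this section wraps `mount_LDADD += -lselinux` in `if HAVE_SELINUX`, but no hunk in this patch defines that automake conditional (there is no configure.ac/configure.in change visible), and automake rejects an undefined conditional outright, so the build depends on something outside the patch providing it. If configure already does `AM_CONDITIONAL([HAVE_SELINUX], ...)`, record that above the block, e.g. `# HAVE_SELINUX comes from AM_CONDITIONAL in configure.ac`; otherwise the patch needs the matching configure hunk. The library is added to mount_LDADD only; if the context-translation code in mount.c (whose hunk is not shown here) is also linked into another binary built from this directory, that binary would need the same addition.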
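Review bot: The `auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so` line is the only thing that distinguishes this file from the `required` form used in util-linux-remote.pamd, and the reason lives only in the spec changelog (#201343), so add a comment above it, e.g. `# pam_securetty presumably returns user_unknown for a nonexistent login name; ignore that so the rest of the stack (pam_unix) still runs and rejects it (#201343)`. The comment should also say why `default=bad` rather than `default=die` is used: the remaining auth modules still run after a securetty refusal, so the password prompt is shown and the tty restriction is not disclosed before authentication, and without that note someone will eventually "tighten" it to die. `ignore=ignore` is not redundant here, because `default=bad` would otherwise turn PAM_IGNORE into a failure; that deserves a word in the same comment.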
@@ -0,0 +1,14 @@
+#%PAM-1.0
+auth required pam_securetty.so
+auth include system-auth
+account required pam_nologin.so
+account include system-auth
+password include system-auth
+# pam_selinux.so close should be the first session rule
+session required pam_selinux.so close
+session include system-auth
+session required pam_loginuid.so
+session optional pam_console.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session required pam_selinux.so open
+session optional pam_keyinit.so force revoke
diff --git a/util-linux.spec b/util-linux.spec
index d05adb3..6074b51 100644
--- a/util-linux.spec
+++ b/util-linux.spec
@@ -9,7 +9,7 @@ Summary: A collection of basic system utilities.
 Name: util-linux
 Version: 2.13
-Release: 0.39
+Release: 0.40
 License: distributable
 Group: System Environment/Base
@@ -47,8 +47,9 @@ BuildRequires: zlib-devel
 ### Sources
 # TODO [stable]: s/2.13-pre6/%{version}/
 Source0: ftp://ftp.win.tue.nl/pub/linux-local/utils/util-linux/util-linux-2.13-pre6.tar.bz2
-Source1: util-linux-selinux.pamd
-Source2: util-linux-chsh-chfn.pamd
+Source1: util-linux-login.pamd
+Source2: util-linux-remote.pamd
+Source3: util-linux-chsh-chfn.pamd
 Source8: nologin.c
 Source9: nologin.8
 Source11: http://download.sourceforge.net/floppyutil/floppy-%{floppyver}.tar.gz
@@ -441,9 +442,9 @@ gzip -9nf ${RPM_BUILD_ROOT}%{_infodir}/ipc.info
 {
 pushd ${RPM_BUILD_ROOT}%{_sysconfdir}/pam.d
 install -m 644 %{SOURCE1} ./login
- install -m 644 %{SOURCE1} ./remote
- install -m 644 %{SOURCE2} ./chsh
- install -m 644 %{SOURCE2} ./chfn
+ install -m 644 %{SOURCE2} ./remote
+ install -m 644 %{SOURCE3} ./chsh
+ install -m 644 %{SOURCE3} ./chfn
 popd
 }
@@ -502,6 +503,13 @@ for I in addpart delpart partx; do
 fi
 done
+# /usr/bin -> /bin
+for I in taskset; do
+ if [ -e $RPM_BUILD_ROOT/usr/bin/$I ]; then
+ mv $RPM_BUILD_ROOT/usr/bin/$I $RPM_BUILD_ROOT/bin/$I
+ fi
+done
+
 # omit info/dir file
 rm -f ${RPM_BUILD_ROOT}%{_infodir}/dir
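Review bot: This file is identical to util-linux-login.pamd except for `auth required pam_securetty.so`, and neither file says so, so the two session stacks (pam_selinux close/open ordering, pam_loginuid, pam_keyinit) will drift apart on the next edit; add at the top `# keep in sync with util-linux-login.pamd; only the pam_securetty line differs (strict form kept for remote logins)`. Because this one stays `required`, a nonexistent user is marked failed by pam_securetty here but ignored in the login file; if that difference is intended for the `login -h` service (presumably what /etc/pam.d/remote serves), the comment should say so rather than leave it looking accidental.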
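Review bot: The taskset loop moves `/usr/bin/taskset` to `/bin` and the %files hunk later in this diff drops `%{_bindir}/taskset`, so nothing is left at the old path and any script calling `/usr/bin/taskset` by absolute path breaks on upgrade, which #203358 (early availability in /bin) does not require. Add a compatibility link in the same loop, `ln -s ../../bin/$I $RPM_BUILD_ROOT/usr/bin/$I`, and keep `%{_bindir}/taskset` in the %files list; if the addpart/delpart/partx loop just above this hunk (cut off at its top) already does this, mirror it. The `# /usr/bin -> /bin` comment could also name the bug so the reason for the move survives: `# /usr/bin -> /bin so taskset is available early in boot (#203358)`.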
@@ -545,6 +553,7 @@ exit 0
 %attr(755,root,root) /bin/login
 /bin/more
 /bin/kill
+/bin/taskset
 %config %{_sysconfdir}/pam.d/chfn
 %config %{_sysconfdir}/pam.d/chsh
@@ -580,7 +589,6 @@ exit 0
 %{_bindir}/chrt
 %{_bindir}/ionice
-%{_bindir}/taskset
 %{_bindir}/cal
 %attr(4711,root,root) %{_bindir}/chfn
@@ -722,6 +730,12 @@ exit 0
 /sbin/losetup
 %changelog
+* Mon Aug 21 2006 Karel Zak 2.13-0.40
+- fix Makefile.am in util-linux-2.13-mount-context.patch
+- fix #201343 - pam_securetty requires known user to work
+ (split PAM login configuration to two files)
+- fix #203358 - change location of taskset binary to allow for early affinity work
+
 * Fri Aug 11 2006 Karel Zak 2.13-0.39
 - fix #199745 - non-existant simpleinit(8) mentioned in ctrlaltdel(8)