chpasswd, chgpasswd: open audit when starting

2016-05-30 11:59:54 +02:00 · 2016-05-30 11:59:54 +02:00 · abed79ee4e
commit abed79ee4e
parent f884cd4c94
2 changed files with 33 additions and 18 deletions
--- a/shadow-4.2.1-selinux-perms.patch
+++ b/shadow-4.2.1-selinux-perms.patch
@ -1,6 +1,6 @@
 diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
 --- shadow-4.2.1/src/chgpasswd.c.selinux-perms	2014-03-01 19:59:51.000000000 +0100
-+++ shadow-4.2.1/src/chgpasswd.c	2016-05-26 20:56:56.723676087 +0200
+++ shadow-4.2.1/src/chgpasswd.c	2016-05-30 11:57:53.635841186 +0200
@@ -39,6 +39,13 @@
 #include <pwd.h>
 #include <stdio.h>
@ -25,7 +25,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
 /* local function prototypes */
 static void fail_exit (int code);
 static /*@noreturn@*/void usage (int status);
-@@ -300,6 +310,62 @@ static void check_perms (void)
+@@ -300,6 +310,63 @@ static void check_perms (void)
 #endif				/* ACCT_TOOLS_SETUID */
 }
 
@ -44,16 +44,17 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
 +	char *buf;
 +
 +	if (vasprintf (&buf, fmt, ap) < 0)
-+		return 0;
+		goto ret;
 +	audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
 +				   NULL, 0);
 +	audit_close(audit_fd);
 +	free(buf);
-+	return 0;
+	goto ret;
 +    }
 +
 +#endif
 +    vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+ret:
 +    va_end(ap);
 +    return 0;
 +}
@ -88,7 +89,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
 /*
  * open_files - lock and open the group databases
  */
-@@ -393,6 +459,7 @@ int main (int argc, char **argv)
+@@ -393,6 +460,7 @@ int main (int argc, char **argv)
 
 	const struct group *gr;
 	struct group newgr;
@ -96,10 +97,14 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
 	int errors = 0;
 	int line = 0;
 
-@@ -408,8 +475,29 @@ int main (int argc, char **argv)
+@@ -408,8 +476,33 @@ int main (int argc, char **argv)
 
 	OPENLOG ("chgpasswd");
 
+#ifdef WITH_AUDIT
+	audit_help_open ();
+#endif
+
 +	/*
 +	 * Determine the name of the user that invoked this command. This
 +	 * is really hit or miss because there are so many ways that command
@ -126,7 +131,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
 #ifdef SHADOWGRP
 	is_shadow_grp = sgr_file_present ();
 #endif
-@@ -536,6 +624,15 @@ int main (int argc, char **argv)
+@@ -536,6 +629,15 @@ int main (int argc, char **argv)
 			newgr.gr_passwd = cp;
 		}
 
@ -144,7 +149,7 @@ diff -up shadow-4.2.1/src/chgpasswd.c.selinux-perms shadow-4.2.1/src/chgpasswd.c
 		 * be written to the group file later, after all the
 diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
 --- shadow-4.2.1/src/chpasswd.c.selinux-perms	2014-03-01 19:59:51.000000000 +0100
-+++ shadow-4.2.1/src/chpasswd.c	2016-05-26 20:40:56.190224029 +0200
+++ shadow-4.2.1/src/chpasswd.c	2016-05-30 11:58:23.034484807 +0200
@@ -39,6 +39,13 @@
 #include <pwd.h>
 #include <stdio.h>
@ -159,7 +164,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
 #ifdef USE_PAM
 #include "pam_defs.h"
 #endif				/* USE_PAM */
-@@ -297,6 +304,62 @@ static void check_perms (void)
+@@ -297,6 +304,63 @@ static void check_perms (void)
 #endif				/* USE_PAM */
 }
 
@ -178,16 +183,17 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
 +	char *buf;
 +
 +	if (vasprintf (&buf, fmt, ap) < 0)
-+		return 0;
+		goto ret;
 +	audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
 +				   NULL, 0);
 +	audit_close(audit_fd);
 +	free(buf);
-+	return 0;
+	goto ret;
 +    }
 +
 +#endif
 +    vsyslog (LOG_USER | LOG_INFO, fmt, ap);
+ret:
 +    va_end(ap);
 +    return 0;
 +}
@ -222,8 +228,14 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
 /*
  * open_files - lock and open the password databases
  */
-@@ -407,6 +470,10 @@ int main (int argc, char **argv)
+@@ -405,8 +469,16 @@ int main (int argc, char **argv)
 
+ 	OPENLOG ("chpasswd");
+ 
+#ifdef WITH_AUDIT
+	audit_help_open ();
+#endif
+
 	check_perms ();
 
 +#ifdef WITH_SELINUX
@ -233,7 +245,7 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
 #ifdef USE_PAM
 	if (!use_pam)
 #endif				/* USE_PAM */
-@@ -566,6 +633,11 @@ int main (int argc, char **argv)
+@@ -566,6 +638,11 @@ int main (int argc, char **argv)
 			newpw.pw_passwd = cp;
 		}
 
@ -246,8 +258,8 @@ diff -up shadow-4.2.1/src/chpasswd.c.selinux-perms shadow-4.2.1/src/chpasswd.c
 		 * The updated password file entry is then put back and will
 		 * be written to the password file later, after all the
 diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am
--- shadow-4.2.1/src/Makefile.am.selinux-perms	2016-05-26 19:02:07.000000000 +0200
-+++ shadow-4.2.1/src/Makefile.am	2016-05-26 20:38:52.738468738 +0200
+--- shadow-4.2.1/src/Makefile.am.selinux-perms	2016-05-27 16:04:00.896475284 +0200
+++ shadow-4.2.1/src/Makefile.am	2016-05-27 16:04:00.899475353 +0200
@@ -84,9 +84,9 @@ chage_LDADD    = $(LDADD) $(LIBPAM_SUID)
 newuidmap_LDADD    = $(LDADD) $(LIBSELINUX)
 newgidmap_LDADD    = $(LDADD) $(LIBSELINUX)
@ -261,8 +273,8 @@ diff -up shadow-4.2.1/src/Makefile.am.selinux-perms shadow-4.2.1/src/Makefile.am
 groupadd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
 groupdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX)
 diff -up shadow-4.2.1/src/Makefile.in.selinux-perms shadow-4.2.1/src/Makefile.in
--- shadow-4.2.1/src/Makefile.in.selinux-perms	2016-05-26 19:02:07.000000000 +0200
-+++ shadow-4.2.1/src/Makefile.in	2016-05-26 20:40:03.547049098 +0200
+--- shadow-4.2.1/src/Makefile.in.selinux-perms	2016-05-27 16:04:00.896475284 +0200
+++ shadow-4.2.1/src/Makefile.in	2016-05-27 16:04:00.899475353 +0200
@@ -521,9 +521,9 @@ chage_LDADD = $(LDADD) $(LIBPAM_SUID) $(
 newuidmap_LDADD = $(LDADD) $(LIBSELINUX)
 newgidmap_LDADD = $(LDADD) $(LIBSELINUX)
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.2.1
-Release: 9%{?dist}
+Release: 10%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.xz
@ -257,6 +257,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*

 %changelog
+* Mon May 30 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-10
+- chpasswd, chgpasswd: open audit when starting
+
 * Thu May 26 2016 Tomáš Mráz <tmraz@redhat.com> - 2:4.2.1-9
 - chgpasswd: do not remove it
 - chpasswd, chgpasswd: add selinux_check_access call (#1336902)