Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package google-authenticator-libpam for 
openSUSE:Factory checked in at 2025-11-11 19:21:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/google-authenticator-libpam (Old)
 and      /work/SRC/openSUSE:Factory/.google-authenticator-libpam.new.1980 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "google-authenticator-libpam"

Tue Nov 11 19:21:16 2025 rev:9 rq:1317055 version:1.10

Changes:
--------
--- 
/work/SRC/openSUSE:Factory/google-authenticator-libpam/google-authenticator-libpam.changes
  2024-08-01 22:04:58.605821161 +0200
+++ 
/work/SRC/openSUSE:Factory/.google-authenticator-libpam.new.1980/google-authenticator-libpam.changes
        2025-11-11 19:21:52.940844112 +0100
@@ -1,0 +2,15 @@
+Tue Nov 11 09:26:21 UTC 2025 - Johannes Segitz <[email protected]>
+
+- Added
+  * 267cbfa31bc17805c4850afd39788d97a7b5374c.patch
+  * 2a1f725e83d3ffc11d229543c4c2980dffd637b9.patch
+  * 6313ae4c2b475e1b73fd272434089cfc4631e14d.patch
+  * 665012cf90acadac882db4738b21b7246965ee2a.patch
+  * 75151df21a19e7182c09ae0118379fae890bdf5b.patch
+  * a0b6cf1f022f987d21d3d9c597e9f7f9759968ba.patch
+  to get proper SELinux type on secrets file (bsc#1252092)
+  Already upstream via
+  https://github.com/google/google-authenticator-libpam/pull/280
+  can be dropped with the next release
+
+-------------------------------------------------------------------

New:
----
  267cbfa31bc17805c4850afd39788d97a7b5374c.patch
  2a1f725e83d3ffc11d229543c4c2980dffd637b9.patch
  6313ae4c2b475e1b73fd272434089cfc4631e14d.patch
  665012cf90acadac882db4738b21b7246965ee2a.patch
  75151df21a19e7182c09ae0118379fae890bdf5b.patch
  a0b6cf1f022f987d21d3d9c597e9f7f9759968ba.patch

----------(New B)----------
  New:- Added
  * 267cbfa31bc17805c4850afd39788d97a7b5374c.patch
  * 2a1f725e83d3ffc11d229543c4c2980dffd637b9.patch
  New:  * 267cbfa31bc17805c4850afd39788d97a7b5374c.patch
  * 2a1f725e83d3ffc11d229543c4c2980dffd637b9.patch
  * 6313ae4c2b475e1b73fd272434089cfc4631e14d.patch
  New:  * 2a1f725e83d3ffc11d229543c4c2980dffd637b9.patch
  * 6313ae4c2b475e1b73fd272434089cfc4631e14d.patch
  * 665012cf90acadac882db4738b21b7246965ee2a.patch
  New:  * 6313ae4c2b475e1b73fd272434089cfc4631e14d.patch
  * 665012cf90acadac882db4738b21b7246965ee2a.patch
  * 75151df21a19e7182c09ae0118379fae890bdf5b.patch
  New:  * 665012cf90acadac882db4738b21b7246965ee2a.patch
  * 75151df21a19e7182c09ae0118379fae890bdf5b.patch
  * a0b6cf1f022f987d21d3d9c597e9f7f9759968ba.patch
  New:  * 75151df21a19e7182c09ae0118379fae890bdf5b.patch
  * a0b6cf1f022f987d21d3d9c597e9f7f9759968ba.patch
  to get proper SELinux type on secrets file (bsc#1252092)
----------(New E)----------

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ google-authenticator-libpam.spec ++++++
--- /var/tmp/diff_new_pack.4JsMsi/_old  2025-11-11 19:21:53.560870080 +0100
+++ /var/tmp/diff_new_pack.4JsMsi/_new  2025-11-11 19:21:53.564870249 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package google-authenticator-libpam
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -25,6 +25,13 @@
 URL:            https://github.com/google/google-authenticator-libpam
 Source:         %{name}-%{version}.tar.xz
 Source99:       baselibs.conf
+Patch0:         a0b6cf1f022f987d21d3d9c597e9f7f9759968ba.patch
+Patch1:         2a1f725e83d3ffc11d229543c4c2980dffd637b9.patch
+Patch2:         75151df21a19e7182c09ae0118379fae890bdf5b.patch
+Patch3:         267cbfa31bc17805c4850afd39788d97a7b5374c.patch
+Patch4:         6313ae4c2b475e1b73fd272434089cfc4631e14d.patch
+Patch5:         665012cf90acadac882db4738b21b7246965ee2a.patch
+BuildRequires:  libselinux-devel
 BuildRequires:  libtool
 BuildRequires:  pam-devel
 # libqrencode.so.[234] are dynamically loaded if present in order to show a QR 
code
@@ -41,6 +48,12 @@
 
 %prep
 %setup -q
+%patch -P0 -p1
+%patch -P1 -p1
+%patch -P2 -p1
+%patch -P3 -p1
+%patch -P4 -p1
+%patch -P5 -p1
 
 %build
 ./bootstrap.sh

++++++ 267cbfa31bc17805c4850afd39788d97a7b5374c.patch ++++++
commit 267cbfa31bc17805c4850afd39788d97a7b5374c
Author: Thomas Habets <[email protected]>
Date:   Mon Nov 10 18:09:12 2025 +0000

    SELinux: conditionally link demo to SELinux

diff --git a/Makefile.am b/Makefile.am
index db3412e..cd49517 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -43,7 +43,7 @@ EXTRA_DIST        = tests/base32_test.sh
 libpam_google_authenticator_testing_la_SOURCES = \
        src/pam_google_authenticator.c \
        $(CORE_SRC)
-libpam_google_authenticator_testing_la_CFLAGS  = $(AM_CFLAGS) -DTESTING=1
+libpam_google_authenticator_testing_la_CFLAGS  = $(AM_CFLAGS) -DTESTING=1 
$(SELINUX_CFLAGS)
 libpam_google_authenticator_testing_la_LDFLAGS = $(AM_LDFLAGS) 
$(MODULES_LDFLAGS) -rpath $(abs_top_builddir) -lpam
 
 tests_pam_google_authenticator_unittest_SOURCES = \
@@ -59,7 +59,7 @@ examples_demo_SOURCES = \
        src/pam_google_authenticator.c \
        $(CORE_SRC) \
        examples/demo.c
-examples_demo_LDADD  = -lpam -lselinux
+examples_demo_LDADD  = -lpam $(SELINUX_LIBS)
 examples_demo_CFLAGS = $(AM_CFLAGS) -DDEMO=1
 
 
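Review bot: `examples_demo_CFLAGS` stays at `$(AM_CFLAGS) -DDEMO=1`, while the testing library in the first hunk of this patch now gets `$(SELINUX_CFLAGS)`, although both targets compile `src/pam_google_authenticator.c`. If pkg-config ever reports include flags for libselinux (for example a non-default prefix), the demo would be compiled without them. `examples_demo_CFLAGS = $(AM_CFLAGS) -DDEMO=1 $(SELINUX_CFLAGS)` keeps the targets consistent and changes nothing when the variable is empty.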

++++++ 2a1f725e83d3ffc11d229543c4c2980dffd637b9.patch ++++++
commit 2a1f725e83d3ffc11d229543c4c2980dffd637b9
Author: Johannes Segitz <[email protected]>
Date:   Mon Nov 10 17:09:42 2025 +0100

    Log filure to set SELinux type on secret file at LOG_DEBUG

diff --git a/src/pam_google_authenticator.c b/src/pam_google_authenticator.c
index ee65e66..c9fa68a 100644
--- a/src/pam_google_authenticator.c
+++ b/src/pam_google_authenticator.c
@@ -698,10 +698,9 @@ static int write_file_contents(pam_handle_t *pamh,
     log_message(LOG_ERR, pamh, "write(): %s", strerror(err));
     goto cleanup;
   }
-  // adjust SELinux context. No error handling here as this can fail if SELinux
-  // is not enable, which is fine in this case. If it fails when SELinux is
-  // available this will result in AVCs that can be debugged
-  set_selinux_context(fd);
+  if (set_selinux_context(fd)) {
+    log_message(LOG_DEBUG, pamh, "setting SELinux type \"%s\" on file \"%s\" 
failed. Okay if SELinux is disabled", SECRET_SELINUX_TYPE, secret_filename);
+  }
 
   if (fsync(fd)) {
     err = errno;
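Review bot: The result of `set_selinux_context(fd)` is tested and then discarded, so the message cannot say why labelling failed, and on an SELinux-enabled host a secrets file left with the wrong type is reported only at LOG_DEBUG. Keeping the code, e.g. `int sel_err = set_selinux_context(fd);`, would let this branch log real failures at LOG_WARNING with `strerror(sel_err)` and reserve LOG_DEBUG for the disabled case. As the helper stands on this page it returns 1 for "SELinux disabled" and an errno value otherwise, so those two cases need distinguishable codes first. write_file_contents starts and ends outside this hunk.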

++++++ 6313ae4c2b475e1b73fd272434089cfc4631e14d.patch ++++++
commit 6313ae4c2b475e1b73fd272434089cfc4631e14d
Author: Thomas Habets <[email protected]>
Date:   Mon Nov 10 17:57:39 2025 +0000

    SELinux: fix build when SELinux is not present

diff --git a/Makefile.am b/Makefile.am
index 911d146..db3412e 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -31,7 +31,7 @@ pam_google_authenticator_la_SOURCES = \
        src/pam_google_authenticator.c \
        $(CORE_SRC)
 pam_google_authenticator_la_LIBADD  = -lpam
-pam_google_authenticator_la_CFLAGS  = $(AM_CFLAGS)
+pam_google_authenticator_la_CFLAGS  = $(AM_CFLAGS) $(SELINUX_CFLAGS)
 pam_google_authenticator_la_LDFLAGS = $(AM_LDFLAGS) $(MODULES_LDFLAGS) 
-export-symbols-regex "pam_sm_(setcred|open_session|authenticate)"
 
 
diff --git a/configure.ac b/configure.ac
index e4b2839..e3bce7b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -17,7 +17,11 @@ LT_INIT
 AC_PROG_CC
 AC_PROG_CC_STDC
 
-AC_CHECK_HEADERS([sys/fsuid.h])
+AC_CHECK_HEADERS([
+        sys/fsuid.h
+        selinux/selinux.h
+        selinux/context.h
+])
 AC_CHECK_FUNCS([ \
        explicit_bzero \
        setfsuid \
@@ -84,7 +88,6 @@ have_selinux=no
 if test "x$enable_selinux" != "xno"; then
     PKG_CHECK_MODULES([SELINUX], [libselinux], [
         have_selinux=yes
-        SELINUX_LIBS="-lselinux"
         AC_DEFINE([HAVE_SELINUX], [1], [Define if SELinux is available])
     ], [
         if test "x$enable_selinux" = "xyes"; then
@@ -94,6 +97,7 @@ if test "x$enable_selinux" != "xno"; then
     ])
 fi
 
+AC_SUBST([SELINUX_CFLAGS])
 AC_SUBST([SELINUX_LIBS])
 AM_CONDITIONAL([HAVE_SELINUX], [test "x$have_selinux" = "xyes"])
 
@@ -110,4 +114,6 @@ echo "
   Debug Build....: $debug
   C Compiler.....: $CC $CFLAGS $CPPFLAGS
   Linker.........: $LD $LDFLAGS $LIBS
+  SELinux CFlags.: $SELINUX_CFLAGS
+  SELinux libs...: $SELINUX_LIBS
 "
diff --git a/src/pam_google_authenticator.c b/src/pam_google_authenticator.c
index c9fa68a..d37374b 100644
--- a/src/pam_google_authenticator.c
+++ b/src/pam_google_authenticator.c
@@ -30,8 +30,14 @@
 #include <time.h>
 #include <unistd.h>
 
+#ifdef HAVE_SELINUX
+#ifdef HAVE_SELINUX_SELINUX_H
 #include <selinux/selinux.h>
+#endif
+#ifdef HAVE_SELINUX_CONTEXT_H
 #include <selinux/context.h>
+#endif
+#endif
 
 #ifdef HAVE_SYS_FSUID_H
 // We much rather prefer to use setfsuid(), but this function is unfortunately
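Review bot: The two includes are now skipped when `HAVE_SELINUX_SELINUX_H` or `HAVE_SELINUX_CONTEXT_H` is undefined, but the body of set_selinux_context() in the next hunk is guarded by `HAVE_SELINUX` alone. If pkg-config finds libselinux while a header check fails (AC_CHECK_HEADERS appears to run before PKG_CHECK_MODULES and without its include flags), the SELinux calls would be compiled without declarations. Including both headers unconditionally inside `#ifdef HAVE_SELINUX`, or adding `#error "libselinux headers not found"` for the missing-header case, makes that failure explicit at build time.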
@@ -579,8 +585,9 @@ full_write(int fd, const char* buf, size_t len) {
 }
 
 static int set_selinux_context(int fd) {
-  char *old_context = NULL;
   int err = 0;
+#ifdef HAVE_SELINUX
+  char *old_context = NULL;
 
   // skip if SELinux is not enabled
   if (!is_selinux_enabled()) {
@@ -624,7 +631,7 @@ cleanup:
   if (old_context) {
     freecon(old_context);
   }
-
+#endif
   return err;
 }
 

++++++ 665012cf90acadac882db4738b21b7246965ee2a.patch ++++++
commit 665012cf90acadac882db4738b21b7246965ee2a
Author: Thomas Habets <[email protected]>
Date:   Mon Nov 10 18:05:22 2025 +0000

    SELinux: don't jump past variable initialization

diff --git a/src/pam_google_authenticator.c b/src/pam_google_authenticator.c
index d37374b..d991839 100644
--- a/src/pam_google_authenticator.c
+++ b/src/pam_google_authenticator.c
@@ -588,17 +588,16 @@ static int set_selinux_context(int fd) {
   int err = 0;
 #ifdef HAVE_SELINUX
   char *old_context = NULL;
+  const char *new_context = NULL;
 
   // skip if SELinux is not enabled
   if (!is_selinux_enabled()) {
-    err = 1;
-    goto cleanup;
+    return 1;
   }
 
   // Get the current context
   if (fgetfilecon(fd, &old_context) < 0) {
-    err = errno;
-    goto cleanup;
+    return errno;
   }
 
   // Create a new context with the type changed
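Review bot: `return 1;` for the disabled case shares its value with an errno code (EPERM is 1 on Linux), and the very next exit is `return errno;`, so a caller cannot tell "SELinux is off" from a permission error on fgetfilecon(). A value outside the errno range, e.g. `return -1;`, keeps the existing `if (set_selinux_context(fd))` caller working and removes the ambiguity. A short comment above the function stating the contract (0 on success, the sentinel when SELinux is disabled, errno otherwise) would also help. The function continues past the end of this hunk.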
@@ -613,7 +612,7 @@ static int set_selinux_context(int fd) {
   }
 
   // Get the SC as string
-  const char *new_context = context_str(ctx);
+  new_context = context_str(ctx);
   if (!new_context) {
     err = errno;
     goto cleanup;

++++++ 75151df21a19e7182c09ae0118379fae890bdf5b.patch ++++++
commit 75151df21a19e7182c09ae0118379fae890bdf5b
Author: Johannes Segitz <[email protected]>
Date:   Mon Nov 10 17:34:57 2025 +0100

    Detect and use libselinux if available

diff --git a/Makefile.am b/Makefile.am
index 18359f7..911d146 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -12,7 +12,7 @@ pam_LTLIBRARIES   = pam_google_authenticator.la
 dist_doc_DATA  = FILEFORMAT README.md
 dist_html_DATA = totp.html
 
-MODULES_LDFLAGS = -avoid-version -module -shared -export-dynamic -lselinux
+MODULES_LDFLAGS = -avoid-version -module -shared -export-dynamic 
$(SELINUX_LIBS)
 
 CORE_SRC  = src/util.h   src/util.c
 CORE_SRC += src/base32.h src/base32.c
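Review bot: `$(SELINUX_LIBS)` is appended to `MODULES_LDFLAGS`, which puts a library into a linker-flags variable; the Automake convention is to list libraries in `_LIBADD`/`_LDADD`. The module's `pam_google_authenticator_la_LIBADD = -lpam` further down in Makefile.am could become `pam_google_authenticator_la_LIBADD = -lpam $(SELINUX_LIBS)`. Libtool probably orders `-l` options correctly either way, so this is about keeping flags and libraries separate rather than a known link failure.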
diff --git a/configure.ac b/configure.ac
index 881b00b..e4b2839 100644
--- a/configure.ac
+++ b/configure.ac
@@ -72,6 +72,30 @@ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
 
 AC_LANG_POP(C)
 
+# SELinux support (optional)
+AC_ARG_ENABLE([selinux],
+    AS_HELP_STRING([--disable-selinux], [Disable SELinux support]),
+    [enable_selinux=$enableval],
+    [enable_selinux=auto])
+
+SELINUX_LIBS=""
+have_selinux=no
+
+if test "x$enable_selinux" != "xno"; then
+    PKG_CHECK_MODULES([SELINUX], [libselinux], [
+        have_selinux=yes
+        SELINUX_LIBS="-lselinux"
+        AC_DEFINE([HAVE_SELINUX], [1], [Define if SELinux is available])
+    ], [
+        if test "x$enable_selinux" = "xyes"; then
+            AC_MSG_ERROR([SELinux support requested but libselinux not found])
+        fi
+        have_selinux=no
+    ])
+fi
+
+AC_SUBST([SELINUX_LIBS])
+AM_CONDITIONAL([HAVE_SELINUX], [test "x$have_selinux" = "xyes"])
 
 
 AC_SEARCH_LIBS([dlopen], [dl])
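Review bot: With the default `enable_selinux=auto`, a build root without libselinux yields a module that skips the relabelling, and the not-found branch prints nothing, so the fix for the secrets file can vanish silently in a rebuild. A distribution build that relies on it should pass `--enable-selinux`, which this block turns into a hard error. Adding `AC_MSG_NOTICE([building without SELinux support])` to the not-found branch would make the auto case visible. The help string advertises only `--disable-selinux`; stating that the default is auto-detection would help packagers.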

++++++ a0b6cf1f022f987d21d3d9c597e9f7f9759968ba.patch ++++++
commit a0b6cf1f022f987d21d3d9c597e9f7f9759968ba
Author: Johannes Segitz <[email protected]>
Date:   Mon Nov 3 13:20:54 2025 +0100

    Set SELinux type for secret file explicitly
    
    Since the file is changed by creating a temporary file and then
    atomically renaming it, the normal file handling rules of SELinux
    don't work properly. Therefore, set the SELinux type explicitly on
    the temporary file.
    
    See https://bugzilla.suse.com/show_bug.cgi?id=1252092 for more details

diff --git a/Makefile.am b/Makefile.am
index 6be2379..18359f7 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -12,7 +12,7 @@ pam_LTLIBRARIES   = pam_google_authenticator.la
 dist_doc_DATA  = FILEFORMAT README.md
 dist_html_DATA = totp.html
 
-MODULES_LDFLAGS = -avoid-version -module -shared -export-dynamic
+MODULES_LDFLAGS = -avoid-version -module -shared -export-dynamic -lselinux
 
 CORE_SRC  = src/util.h   src/util.c
 CORE_SRC += src/base32.h src/base32.c
@@ -59,7 +59,7 @@ examples_demo_SOURCES = \
        src/pam_google_authenticator.c \
        $(CORE_SRC) \
        examples/demo.c
-examples_demo_LDADD  = -lpam
+examples_demo_LDADD  = -lpam -lselinux
 examples_demo_CFLAGS = $(AM_CFLAGS) -DDEMO=1
 
 
diff --git a/src/pam_google_authenticator.c b/src/pam_google_authenticator.c
index b6fdef0..ee65e66 100644
--- a/src/pam_google_authenticator.c
+++ b/src/pam_google_authenticator.c
@@ -30,6 +30,9 @@
 #include <time.h>
 #include <unistd.h>
 
+#include <selinux/selinux.h>
+#include <selinux/context.h>
+
 #ifdef HAVE_SYS_FSUID_H
 // We much rather prefer to use setfsuid(), but this function is unfortunately
 // not available on all systems.
@@ -55,11 +58,12 @@
 
 // Module name shortened to work with rsyslog.
 // See https://github.com/google/google-authenticator-libpam/issues/172
-#define MODULE_NAME   "pam_google_auth"
+#define MODULE_NAME          "pam_google_auth"
 
-#define SECRET        "~/.google_authenticator"
-#define CODE_PROMPT   "Verification code: "
-#define PWCODE_PROMPT "Password & verification code: "
+#define SECRET               "~/.google_authenticator"
+#define SECRET_SELINUX_TYPE  "auth_home_t"
+#define CODE_PROMPT          "Verification code: "
+#define PWCODE_PROMPT        "Password & verification code: "
 
 typedef struct Params {
   const char *secret_filename_spec;
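Review bot: `SECRET_SELINUX_TYPE` is added without a comment, and it is the one constant in this group whose validity depends on the loaded SELinux policy rather than on the module itself. I would add `// SELinux type applied to the secret file; must be a type the loaded policy defines` above it. Since the path is configurable through `secret_filename_spec`, the comment should also say whether the same type is intended for non-default secret locations.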
@@ -574,6 +578,56 @@ full_write(int fd, const char* buf, size_t len) {
   }
 }
 
+static int set_selinux_context(int fd) {
+  char *old_context = NULL;
+  int err = 0;
+
+  // skip if SELinux is not enabled
+  if (!is_selinux_enabled()) {
+    err = 1;
+    goto cleanup;
+  }
+
+  // Get the current context
+  if (fgetfilecon(fd, &old_context) < 0) {
+    err = errno;
+    goto cleanup;
+  }
+
+  // Create a new context with the type changed
+  context_t ctx = context_new(old_context);
+  if (!ctx) {
+    err = errno;
+    goto cleanup;
+  }
+  if (context_type_set(ctx, SECRET_SELINUX_TYPE) < 0) {
+    err = errno;
+    goto cleanup;
+  }
+
+  // Get the SC as string
+  const char *new_context = context_str(ctx);
+  if (!new_context) {
+    err = errno;
+    goto cleanup;
+  }
+
+  if (fsetfilecon(fd, new_context) < 0) {
+    err = errno;
+    goto cleanup;
+  }
+
+cleanup:
+  if (ctx) {
+    context_free(ctx);
+  }
+  if (old_context) {
+    freecon(old_context);
+  }
+
+  return err;
+}
+
 // Safely overwrite the old secret file.
 // Return 0 on success, errno otherwise.
 static int write_file_contents(pam_handle_t *pamh,
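Review bot: The first two `goto cleanup` statements jump over the declaration `context_t ctx = context_new(old_context);`, so `if (ctx)` under `cleanup:` reads an indeterminate value when SELinux is disabled or fgetfilecon() fails, and `context_free()` may then be called on garbage inside the PAM authentication path. Declaring `context_t ctx = NULL;` next to `old_context` at the top of the function fixes this locally. In this package the early exits become plain returns through 665012cf90acadac882db4738b21b7246965ee2a.patch, so this patch should never be carried or backported without that one.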
@@ -644,6 +698,11 @@ static int write_file_contents(pam_handle_t *pamh,
     log_message(LOG_ERR, pamh, "write(): %s", strerror(err));
     goto cleanup;
   }
+  // adjust SELinux context. No error handling here as this can fail if SELinux
+  // is not enable, which is fine in this case. If it fails when SELinux is
+  // available this will result in AVCs that can be debugged
+  set_selinux_context(fd);
+
   if (fsync(fd)) {
     err = errno;
     log_message(LOG_ERR, pamh, "fsync(): %s", strerror(err));
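Review bot: `set_selinux_context(fd)` runs only after the secret has been written, so the temporary file holds the key material under its inherited type until the relabel succeeds. Calling it directly after the temporary file is opened, before the write, would close that window. The open and the write call sit above this hunk, so the order is inferred from the `write():` error path shown here and should be confirmed against the full function.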
