author | Timo Aaltonen <timo.aaltonen@canonical.com> | 2012-08-28 16:14:22 +0300 |
---|---|---|
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-09-07 14:39:23 +0200 |
commit | 24989e604037d780b6f523f1880596ee917c1468 (patch) | |
tree | f17f04cf49d3b8b4a47aaae46cfb1ba7f5a540a9 | |
parent | d6721b3d75135cc5444b0a415a1710501630ea2a (diff) | |
Move SELinux processing from session to account PAM stack
Stops the session stack from returning an error when SELinux is not
used.
Partial backport from commit 7016947229edcaa268a82bf69fde37e521b13233
-rw-r--r-- | src/sss_client/pam_sss.c | 132 |
1 files changed, 66 insertions, 66 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 74a4efb34..69a72ca46 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1183,76 +1183,76 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
 pi->pam_user, pam_status, pam_strerror(pamh,pam_status));
 }
- }
- break;
- case SSS_PAM_OPEN_SESSION:
- if (pi->selinux_user == NULL) {
- pam_status = PAM_SUCCESS;
- break;
- }
+ } else {
+ if (pi->selinux_user == NULL) {
+ pam_status = PAM_SUCCESS;
+ break;
+ }
 #ifdef HAVE_SELINUX
- if (asprintf(&path, "%s/logins/%s", selinux_policy_root(),
- pi->pam_user) < 0 ||
- asprintf(&tmp_path, "%sXXXXXX", path) < 0) {
- pam_status = PAM_SYSTEM_ERR;
- goto done;
- }
-
- oldmask = umask(022);
- fd = mkstemp(tmp_path);
- umask(oldmask);
- if (fd < 0) {
- logger(pamh, LOG_ERR, "creating the temp file for SELinux "
- "data failed. %s", tmp_path);
- pam_status = PAM_SYSTEM_ERR;
- goto done;
- }
-
- /* First write filter for all services */
- services = strdup(ALL_SERVICES);
- if (services == NULL) {
- pam_status = PAM_SYSTEM_ERR;
- goto done;
- }
-
- pos = 0;
- len = ALL_SERVICES_LEN;
- while (pos < len) {
- errno = 0;
- ret = write(fd, services + pos, len-pos);
- if (ret < 0) {
- if (errno != EINTR) {
- logger(pamh, LOG_ERR, "writing to SELinux data file "
- "failed. %s", tmp_path);
- pam_status = PAM_SYSTEM_ERR;
- goto done;
- }
- continue;
- }
- pos += ret;
- }
-
- pos = 0;
- len = strlen(pi->selinux_user);
- while (pos < len) {
- ret = write(fd, pi->selinux_user + pos, len-pos);
- if (ret < 0) {
- if (errno != EINTR) {
- logger(pamh, LOG_ERR, "writing to SELinux data file "
- "failed. %s", tmp_path);
- pam_status = PAM_SYSTEM_ERR;
- goto done;
- }
- continue;
- }
- pos += ret;
- }
- close(fd);
-
- rename(tmp_path, path);
+ if (asprintf(&path, "%s/logins/%s", selinux_policy_root(),
+ pi->pam_user) < 0 ||
+ asprintf(&tmp_path, "%sXXXXXX", path) < 0) {
+ pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+
+ oldmask = umask(022);
+ fd = mkstemp(tmp_path);
+ umask(oldmask);
+ if (fd < 0) {
+ logger(pamh, LOG_ERR, "creating the temp file for SELinux "
+ "data failed. %s", tmp_path);
+ pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+
+ /* First write filter for all services */
+ services = strdup(ALL_SERVICES);
+ if (services == NULL) {
+ pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+
+ pos = 0;
+ len = ALL_SERVICES_LEN;
+ while (pos < len) {
+ errno = 0;
+ ret = write(fd, services + pos, len-pos);
+ if (ret < 0) {
+ if (errno != EINTR) {
+ logger(pamh, LOG_ERR, "writing to SELinux data file "
+ "failed. %s", tmp_path);
+ pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ continue;
+ }
+ pos += ret;
+ }
+
+ pos = 0;
+ len = strlen(pi->selinux_user);
+ while (pos < len) {
+ ret = write(fd, pi->selinux_user + pos, len-pos);
+ if (ret < 0) {
+ if (errno != EINTR) {
+ logger(pamh, LOG_ERR, "writing to SELinux data file "
+ "failed. %s", tmp_path);
+ pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ continue;
+ }
+ pos += ret;
+ }
+ close(fd);
+
+ rename(tmp_path, path);
 #endif /* HAVE_SELINUX */
+ }
 break;
+ case SSS_PAM_OPEN_SESSION:
 case SSS_PAM_SETCRED:
 case SSS_PAM_CLOSE_SESSION:
 break; |
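Review bot: `rename(tmp_path, path);` at the end of the new `else` branch still ignores its return value (as does the `close(fd)` just above it), so when the rename fails the mkstemp file is left behind under the policy root, the per-user login mapping is silently stale, and pam_status is not touched, which on this path means the caller is told the account step succeeded. I would treat a failed rename like the other steps in the block — log it, remove the temp file, set `PAM_SYSTEM_ERR` and jump to `done` — as sketched below. The `done:` label is outside the hunk, so whether the existing `goto done` paths close `fd` and unlink `tmp_path` is not visible here; if they do not, the same cleanup belongs there. Separately, `pi->pam_user` is interpolated into `"%s/logins/%s"` with no check for a `/` in the name; if that string can reach this point without the responder having canonicalised it, a crafted login name would place the file outside `logins/`, which is worth confirming at the caller. send_and_receive() starts and ends outside the hunk.

```c
/* … unchanged: write loops … */
close(fd);

if (rename(tmp_path, path) != 0) {
    logger(pamh, LOG_ERR, "renaming SELinux data file failed. %s", tmp_path);
    unlink(tmp_path);
    pam_status = PAM_SYSTEM_ERR;
    goto done;
}
```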