author | Jan Zeleny <jzeleny@redhat.com> | 2012-05-31 18:08:30 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-06-14 15:54:23 -0400 |
commit | d2963e8b9c48800afe965e310dba8b5652b7b15b (patch) | |
tree | c785b6509da0d9635a6a6056ad751069db5c8268 | |
parent | 3cf3c12dd440ea3b9b7994131d713ae69e10d4a6 (diff) | |
Provide "service filter" for SELinux context
At the moment only an asterisk is supported, designating "all
services".
https://fedorahosted.org/sssd/ticket/1360
-rw-r--r-- | src/sss_client/pam_sss.c | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 8778fe19e..74a4efb34 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -56,6 +56,8 @@
 #define FLAGS_USE_AUTHTOK (1 << 2)
 #define PWEXP_FLAG "pam_sss:password_expired_flag"
+#define ALL_SERVICES "*:"
+#define ALL_SERVICES_LEN 2
 #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s"
 #define PW_RESET_MSG_MAX_SIZE 4096
@@ -1089,6 +1091,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
 char *path = NULL;
 char *tmp_path = NULL;
 int pos, len;
+ char *services = NULL;
 int fd;
 mode_t oldmask;
 #endif /* HAVE_SELINUX */
@@ -1206,6 +1209,30 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
 goto done;
 }
+ /* First write filter for all services */
+ services = strdup(ALL_SERVICES);
+ if (services == NULL) {
+ pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+
+ pos = 0;
+ len = ALL_SERVICES_LEN;
+ while (pos < len) {
+ errno = 0;
+ ret = write(fd, services + pos, len-pos);
+ if (ret < 0) {
+ if (errno != EINTR) {
+ logger(pamh, LOG_ERR, "writing to SELinux data file "
+ "failed. %s", tmp_path);
+ pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ continue;
+ }
+ pos += ret;
+ }
+
 pos = 0;
 len = strlen(pi->selinux_user);
 while (pos < len) {
@@ -1243,6 +1270,7 @@ done:
 #ifdef HAVE_SELINUX
 free(path);
 free(tmp_path);
+ free(services);
 #endif /* HAVE_SELINUX */
 return pam_status;
|
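Review bot: `ALL_SERVICES_LEN 2` is a hand-maintained duplicate of the literal's length, so `len = ALL_SERVICES_LEN;` in the write loop of the third hunk silently goes stale if `ALL_SERVICES` is ever changed; `len = sizeof(ALL_SERVICES) - 1;` keeps the two in step and makes the `#define ALL_SERVICES_LEN` in the first hunk unnecessary. Because the filter is a compile-time constant, the `strdup()` with its `PAM_SYSTEM_ERR` failure path and the `free(services)` in the last hunk could be avoided by writing from the literal directly, though that would also touch the `char *services` declaration in the second hunk. The comment `/* First write filter for all services */` would say more as `/* Service filter, written ahead of the SELinux user; "*" selects every PAM service and is the only filter supported so far */`. The loop only handles a negative return, so a zero-length `write()` would leave `pos` unchanged and spin; the pre-existing selinux_user loop below has the same shape, so this is presumably a known pattern rather than something introduced here. send_and_receive starts and ends outside the hunk.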