authorJan Zeleny <jzeleny@redhat.com>2012-05-31 18:08:30 -0400
committerStephen Gallagher <sgallagh@redhat.com>2012-06-14 15:54:23 -0400
commitd2963e8b9c48800afe965e310dba8b5652b7b15b (patch)
treec785b6509da0d9635a6a6056ad751069db5c8268
parent3cf3c12dd440ea3b9b7994131d713ae69e10d4a6 (diff)
Provide "service filter" for SELinux context
At this moment only an asterisk, designating "all services", is supported. https://fedorahosted.org/sssd/ticket/1360
-rw-r--r--src/sss_client/pam_sss.c28
1 files changed, 28 insertions, 0 deletions
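diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 8778fe19e..74a4efb34 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -56,6 +56,8 @@
 #define FLAGS_USE_AUTHTOK (1 << 2)
 #define PWEXP_FLAG "pam_sss:password_expired_flag"
+#define ALL_SERVICES "*:"
+#define ALL_SERVICES_LEN 2
 #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s"
 #define PW_RESET_MSG_MAX_SIZE 4096
@@ -1089,6 +1091,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
 char *path = NULL;
 char *tmp_path = NULL;
 int pos, len;
+ char *services = NULL;
 int fd;
 mode_t oldmask;
 #endif /* HAVE_SELINUX */
@@ -1206,6 +1209,30 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
 goto done;
 }
+ /* First write filter for all services */
+ services = strdup(ALL_SERVICES);
+ if (services == NULL) {
+ pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+
+ pos = 0;
+ len = ALL_SERVICES_LEN;
+ while (pos < len) {
+ errno = 0;
+ ret = write(fd, services + pos, len-pos);
+ if (ret < 0) {
+ if (errno != EINTR) {
+ logger(pamh, LOG_ERR, "writing to SELinux data file "
+ "failed. %s", tmp_path);
+ pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+ continue;
+ }
+ pos += ret;
+ }
+
 pos = 0;
 len = strlen(pi->selinux_user);
 while (pos < len) {
@@ -1243,6 +1270,7 @@ done:
 #ifdef HAVE_SELINUX
 free(path);
 free(tmp_path);
+ free(services);
 #endif /* HAVE_SELINUX */
 return pam_status;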
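Review bot: ALL_SERVICES_LEN in the first hunk is a hand-maintained duplicate of the literal's length, and the strdup() of a constant string in the third hunk only adds an allocation, a PAM_SYSTEM_ERR failure path and a free() that buy nothing; `#define ALL_SERVICES_LEN (sizeof(ALL_SERVICES) - 1)` keeps the two in step, and `ret = write(fd, ALL_SERVICES + pos, len-pos);` would let the `services` variable, its NULL check and the free() in the last hunk go. The retry loop is a verbatim copy of the selinux_user loop that follows it; a small static helper that writes a whole buffer would let both share one copy and would be the natural place to treat a zero-byte return, which neither loop handles and which leaves `pos` unchanged, as an error rather than spinning. `ret` is declared outside the hunk, so it is worth confirming it is wide enough to hold write()'s ssize_t result. send_and_receive's body starts and ends outside the hunk.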