author | Timo Aaltonen <timo.aaltonen@canonical.com> | 2012-08-28 16:14:22 +0300 |
committer | Jakub Hrozek <jhrozek@redhat.com> | 2012-09-07 14:39:23 +0200 |
commit | 24989e604037d780b6f523f1880596ee917c1468 (patch) | |
tree | f17f04cf49d3b8b4a47aaae46cfb1ba7f5a540a9 /src | |
parent | d6721b3d75135cc5444b0a415a1710501630ea2a (diff) | |
download | sssd-24989e604037d780b6f523f1880596ee917c1468.tar.gz sssd-24989e604037d780b6f523f1880596ee917c1468.tar.xz sssd-24989e604037d780b6f523f1880596ee917c1468.zip |
Move SELinux processing from session to account PAM stack
Stops the session stack from returning an error when SELinux is not
used.
Partial backport from commit 7016947229edcaa268a82bf69fde37e521b13233
Diffstat (limited to 'src')
-rw-r--r-- | src/sss_client/pam_sss.c | 132 |
1 files changed, 66 insertions, 66 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 74a4efb34..69a72ca46 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1183,76 +1183,76 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
                        pi->pam_user, pam_status, pam_strerror(pamh,pam_status));
                 }
-            }
-            break;
-        case SSS_PAM_OPEN_SESSION:
-            if (pi->selinux_user == NULL) {
-                pam_status = PAM_SUCCESS;
-                break;
-            }
+            } else {
+                if (pi->selinux_user == NULL) {
+                    pam_status = PAM_SUCCESS;
+                    break;
+                }
 #ifdef HAVE_SELINUX
-            if (asprintf(&path, "%s/logins/%s", selinux_policy_root(),
-                         pi->pam_user) < 0 ||
-                asprintf(&tmp_path, "%sXXXXXX", path) < 0) {
-                pam_status = PAM_SYSTEM_ERR;
-                goto done;
-            }
-
-            oldmask = umask(022);
-            fd = mkstemp(tmp_path);
-            umask(oldmask);
-            if (fd < 0) {
-                logger(pamh, LOG_ERR, "creating the temp file for SELinux "
-                       "data failed. %s", tmp_path);
-                pam_status = PAM_SYSTEM_ERR;
-                goto done;
-            }
-
-            /* First write filter for all services */
-            services = strdup(ALL_SERVICES);
-            if (services == NULL) {
-                pam_status = PAM_SYSTEM_ERR;
-                goto done;
-            }
-
-            pos = 0;
-            len = ALL_SERVICES_LEN;
-            while (pos < len) {
-                errno = 0;
-                ret = write(fd, services + pos, len-pos);
-                if (ret < 0) {
-                    if (errno != EINTR) {
-                        logger(pamh, LOG_ERR, "writing to SELinux data file "
-                               "failed. %s", tmp_path);
-                        pam_status = PAM_SYSTEM_ERR;
-                        goto done;
-                    }
-                    continue;
-                }
-                pos += ret;
-            }
-
-            pos = 0;
-            len = strlen(pi->selinux_user);
-            while (pos < len) {
-                ret = write(fd, pi->selinux_user + pos, len-pos);
-                if (ret < 0) {
-                    if (errno != EINTR) {
-                        logger(pamh, LOG_ERR, "writing to SELinux data file "
-                               "failed. %s", tmp_path);
-                        pam_status = PAM_SYSTEM_ERR;
-                        goto done;
-                    }
-                    continue;
-                }
-                pos += ret;
-            }
-            close(fd);
-
-            rename(tmp_path, path);
+                if (asprintf(&path, "%s/logins/%s", selinux_policy_root(),
+                             pi->pam_user) < 0 ||
+                    asprintf(&tmp_path, "%sXXXXXX", path) < 0) {
+                    pam_status = PAM_SYSTEM_ERR;
+                    goto done;
+                }
+
+                oldmask = umask(022);
+                fd = mkstemp(tmp_path);
+                umask(oldmask);
+                if (fd < 0) {
+                    logger(pamh, LOG_ERR, "creating the temp file for SELinux "
+                           "data failed. %s", tmp_path);
+                    pam_status = PAM_SYSTEM_ERR;
+                    goto done;
+                }
+
+                /* First write filter for all services */
+                services = strdup(ALL_SERVICES);
+                if (services == NULL) {
+                    pam_status = PAM_SYSTEM_ERR;
+                    goto done;
+                }
+
+                pos = 0;
+                len = ALL_SERVICES_LEN;
+                while (pos < len) {
+                    errno = 0;
+                    ret = write(fd, services + pos, len-pos);
+                    if (ret < 0) {
+                        if (errno != EINTR) {
+                            logger(pamh, LOG_ERR, "writing to SELinux data file "
+                                   "failed. %s", tmp_path);
+                            pam_status = PAM_SYSTEM_ERR;
+                            goto done;
+                        }
+                        continue;
+                    }
+                    pos += ret;
+                }
+
+                pos = 0;
+                len = strlen(pi->selinux_user);
+                while (pos < len) {
+                    ret = write(fd, pi->selinux_user + pos, len-pos);
+                    if (ret < 0) {
+                        if (errno != EINTR) {
+                            logger(pamh, LOG_ERR, "writing to SELinux data file "
+                                   "failed. %s", tmp_path);
+                            pam_status = PAM_SYSTEM_ERR;
+                            goto done;
+                        }
+                        continue;
+                    }
+                    pos += ret;
+                }
+                close(fd);
+
+                rename(tmp_path, path);
 #endif /* HAVE_SELINUX */
+            }
             break;
+        case SSS_PAM_OPEN_SESSION:
         case SSS_PAM_SETCRED:
         case SSS_PAM_CLOSE_SESSION:
             break; |
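Review bot: `rename(tmp_path, path);` at the end of the added block is still unchecked, so a failed rename leaves the freshly written temp file next to the target, keeps whatever login mapping was there before, and the function goes on to return the success status it already holds. The earlier `goto done` exits after `mkstemp()` has succeeded (failed `strdup()`, failed `write()`) likewise leave `tmp_path` on disk and `fd` open unless `done:` takes care of them, which cannot be seen here because the enclosing `switch`, the `if` this `else` belongs to and the `done:` label all lie outside the hunk. Since the moved code now runs on the account stack, a failure in this tail should be logged and surfaced like the write errors are; the rewritten lines below check `rename()` and unlink the temp file when it fails. Two smaller points: the second `write()` loop drops the `errno = 0;` the first loop sets, and `pi->pam_user` is spliced straight into the `%s/logins/%s` path, so this branch presumably relies on the responder having already rejected names containing `/` — worth confirming, as the name's origin is not visible in the hunk.
```c
                close(fd);

                if (rename(tmp_path, path) != 0) {
                    logger(pamh, LOG_ERR, "renaming SELinux data file failed. "
                           "%s", tmp_path);
                    unlink(tmp_path);
                    pam_status = PAM_SYSTEM_ERR;
                    goto done;
                }
#endif /* HAVE_SELINUX */
```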