From 1268a628a26a21efabeb97d2619933d1c1b2d979 Mon Sep 17 00:00:00 2001
From: Jan Zeleny <jzeleny@redhat.com>
Date: Thu, 31 May 2012 18:08:30 -0400
Subject: Provide "service filter" for SELinux context

At this moment we will support only asterisk, designating "all
services".

https://fedorahosted.org/sssd/ticket/1360
---
 src/sss_client/pam_sss.c | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 9dca7e3c7..3cffbb2e7 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -57,6 +57,8 @@
 #define FLAGS_USE_AUTHTOK    (1 << 2)
 
 #define PWEXP_FLAG "pam_sss:password_expired_flag"
+#define ALL_SERVICES "*:"
+#define ALL_SERVICES_LEN 2
 
 #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s"
 #define PW_RESET_MSG_MAX_SIZE 4096
@@ -1084,6 +1086,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
 #ifdef HAVE_SELINUX
     char *path = NULL;
     char *tmp_path = NULL;
+    char *services;
     ssize_t written;
     int len;
     int fd;
@@ -1203,6 +1206,22 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
                 goto done;
             }
 
+            /* First write filter for all services */
+            services = strdup(ALL_SERVICES);
+            if (services == NULL) {
+                pam_status = PAM_SYSTEM_ERR;
+                goto done;
+            }
+
+            errno = 0;
+            written = sss_atomic_write_s(fd, (void *)services, ALL_SERVICES_LEN);
+            if (written == -1) {
+                ret = errno;
+                logger(pamh, LOG_ERR, "writing to SELinux data file %s"
+                        "failed [%d]: %s", tmp_path, ret, strerror(ret));
+                pam_status = PAM_SYSTEM_ERR;
+                goto done;
+            }
             len = strlen(pi->selinux_user);
 
             errno = 0;
@@ -1243,6 +1262,7 @@ done:
 #ifdef HAVE_SELINUX
     free(path);
     free(tmp_path);
+    free(services);
 #endif /* HAVE_SELINUX */
 
     return pam_status;
-- 
cgit