From d2963e8b9c48800afe965e310dba8b5652b7b15b Mon Sep 17 00:00:00 2001 From: Jan Zeleny Date: Thu, 31 May 2012 18:08:30 -0400 Subject: Provide "service filter" for SELinux context At this moment we will support only asterisk, designating "all services". https://fedorahosted.org/sssd/ticket/1360 --- src/sss_client/pam_sss.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 8778fe19e..74a4efb34 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -56,6 +56,8 @@ #define FLAGS_USE_AUTHTOK (1 << 2) #define PWEXP_FLAG "pam_sss:password_expired_flag" +#define ALL_SERVICES "*:" +#define ALL_SERVICES_LEN 2 #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s" #define PW_RESET_MSG_MAX_SIZE 4096 @@ -1089,6 +1091,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, char *path = NULL; char *tmp_path = NULL; int pos, len; + char *services = NULL; int fd; mode_t oldmask; #endif /* HAVE_SELINUX */ @@ -1206,6 +1209,30 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi, goto done; } + /* First write filter for all services */ + services = strdup(ALL_SERVICES); + if (services == NULL) { + pam_status = PAM_SYSTEM_ERR; + goto done; + } + + pos = 0; + len = ALL_SERVICES_LEN; + while (pos < len) { + errno = 0; + ret = write(fd, services + pos, len-pos); + if (ret < 0) { + if (errno != EINTR) { + logger(pamh, LOG_ERR, "writing to SELinux data file " + "failed. %s", tmp_path); + pam_status = PAM_SYSTEM_ERR; + goto done; + } + continue; + } + pos += ret; + } + pos = 0; len = strlen(pi->selinux_user); while (pos < len) { @@ -1243,6 +1270,7 @@ done: #ifdef HAVE_SELINUX free(path); free(tmp_path); + free(services); #endif /* HAVE_SELINUX */ return pam_status; -- cgit