pam/pam-0.99.2.1-selinux-nofail.patch

79 lines
2.4 KiB
Diff
Raw Normal View History

--- Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c.nofail 2005-11-29 10:22:05.000000000 +0100
+++ Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c 2005-12-15 14:12:54.000000000 +0100
@@ -327,6 +327,8 @@
int num_contexts = 0;
const void *username = NULL;
const void *tty = NULL;
+ char *seuser=NULL;
+ char *level=NULL;
/* Parse arguments. */
for (i = 0; i < argc; i++) {
@@ -361,7 +363,18 @@
username == NULL) {
return PAM_AUTH_ERR;
}
- num_contexts = get_ordered_context_list(username, 0, &contextlist);
+
+ if (getseuserbyname(username, &seuser, &level)==0) {
+ num_contexts = get_ordered_context_list_with_level(seuser,
+ level,
+ NULL,
+ &contextlist);
+ if (debug)
+ pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
+ (const char *)username, seuser, level);
+ free(seuser);
+ free(level);
+ }
if (num_contexts > 0) {
if (multiple && (num_contexts > 1) && has_tty) {
user_context = select_context(pamh,contextlist, debug);
@@ -376,13 +389,19 @@
if (user_context == NULL) {
pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s",
(const char *)username);
- return PAM_AUTH_ERR;
+ if (security_getenforce() == 1)
+ return PAM_AUTH_ERR;
+ else
+ return PAM_SUCCESS;
}
} else {
pam_syslog (pamh, LOG_ERR,
"Unable to get valid context for %s, No valid tty",
(const char *)username);
- return PAM_AUTH_ERR;
+ if (security_getenforce() == 1)
+ return PAM_AUTH_ERR;
+ else
+ return PAM_SUCCESS;
}
}
if (getexeccon(&prev_user_context)<0) {
@@ -420,8 +439,10 @@
pam_syslog(pamh, LOG_ERR,
"Error! Unable to set %s executable context %s.",
(const char *)username, user_context);
- freecon(user_context);
- return PAM_AUTH_ERR;
+ if (security_getenforce() == 1) {
+ freecon(user_context);
+ return PAM_AUTH_ERR;
+ }
} else {
if (debug)
pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
@@ -471,7 +492,10 @@
if (status) {
pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.",
prev_user_context);
- return PAM_AUTH_ERR;
+ if (security_getenforce() == 1)
+ return PAM_AUTH_ERR;
+ else
+ return PAM_SUCCESS;
}
if (debug)