summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJan Zeleny <jzeleny@redhat.com>2012-05-31 18:08:30 -0400
committerStephen Gallagher <sgallagh@redhat.com>2012-06-14 15:54:14 -0400
commit1268a628a26a21efabeb97d2619933d1c1b2d979 (patch)
tree09c043dacab309caa7c0b683134f22ed89c830a3
parentbc9235cfb80bd64a3bfa959e8d26d5ad1be0bdf4 (diff)
downloadsssd-1268a628a26a21efabeb97d2619933d1c1b2d979.tar.gz
sssd-1268a628a26a21efabeb97d2619933d1c1b2d979.tar.bz2
sssd-1268a628a26a21efabeb97d2619933d1c1b2d979.zip
Provide "service filter" for SELinux context
At this moment we will support only asterisk, designating "all services". https://fedorahosted.org/sssd/ticket/1360
-rw-r--r--src/sss_client/pam_sss.c20
1 files changed, 20 insertions, 0 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 9dca7e3c..3cffbb2e 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -57,6 +57,8 @@
#define FLAGS_USE_AUTHTOK (1 << 2)
#define PWEXP_FLAG "pam_sss:password_expired_flag"
+#define ALL_SERVICES "*:"
+#define ALL_SERVICES_LEN 2
#define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s"
#define PW_RESET_MSG_MAX_SIZE 4096
@@ -1084,6 +1086,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
#ifdef HAVE_SELINUX
char *path = NULL;
char *tmp_path = NULL;
+ char *services;
ssize_t written;
int len;
int fd;
@@ -1203,6 +1206,22 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
goto done;
}
+ /* First write filter for all services */
+ services = strdup(ALL_SERVICES);
+ if (services == NULL) {
+ pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+
+ errno = 0;
+ written = sss_atomic_write_s(fd, (void *)services, ALL_SERVICES_LEN);
+ if (written == -1) {
+ ret = errno;
+ logger(pamh, LOG_ERR, "writing to SELinux data file %s"
+ "failed [%d]: %s", tmp_path, ret, strerror(ret));
+ pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
len = strlen(pi->selinux_user);
errno = 0;
@@ -1243,6 +1262,7 @@ done:
#ifdef HAVE_SELINUX
free(path);
free(tmp_path);
+ free(services);
#endif /* HAVE_SELINUX */
return pam_status;