author | Jan Zeleny <jzeleny@redhat.com> | 2012-05-31 18:08:30 -0400 |
---|---|---|
committer | Stephen Gallagher <sgallagh@redhat.com> | 2012-06-14 15:54:14 -0400 |
commit | 1268a628a26a21efabeb97d2619933d1c1b2d979 (patch) | |
tree | 09c043dacab309caa7c0b683134f22ed89c830a3 /src | |
parent | bc9235cfb80bd64a3bfa959e8d26d5ad1be0bdf4 (diff) | |
Provide "service filter" for SELinux context
At this moment we will support only asterisk, designating "all
services".
https://fedorahosted.org/sssd/ticket/1360
Diffstat (limited to 'src')
-rw-r--r-- | src/sss_client/pam_sss.c | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 9dca7e3c..3cffbb2e 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -57,6 +57,8 @@
 #define FLAGS_USE_AUTHTOK (1 << 2)
 #define PWEXP_FLAG "pam_sss:password_expired_flag"
+#define ALL_SERVICES "*:"
+#define ALL_SERVICES_LEN 2
 #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s"
 #define PW_RESET_MSG_MAX_SIZE 4096
@@ -1084,6 +1086,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
 #ifdef HAVE_SELINUX
 char *path = NULL;
 char *tmp_path = NULL;
+ char *services;
 ssize_t written;
 int len;
 int fd;
@@ -1203,6 +1206,22 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
 goto done;
 }
+ /* First write filter for all services */
+ services = strdup(ALL_SERVICES);
+ if (services == NULL) {
+ pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
+
+ errno = 0;
+ written = sss_atomic_write_s(fd, (void *)services, ALL_SERVICES_LEN);
+ if (written == -1) {
+ ret = errno;
+ logger(pamh, LOG_ERR, "writing to SELinux data file %s"
+ "failed [%d]: %s", tmp_path, ret, strerror(ret));
+ pam_status = PAM_SYSTEM_ERR;
+ goto done;
+ }
 len = strlen(pi->selinux_user);
 errno = 0;
@@ -1243,6 +1262,7 @@ done:
 #ifdef HAVE_SELINUX
 free(path);
 free(tmp_path);
+ free(services);
 #endif /* HAVE_SELINUX */
 return pam_status; |
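Review bot: `ALL_SERVICES_LEN` in the first hunk is a hand-counted literal that has to be kept in step with `ALL_SERVICES`, and it is later used as the byte count for a write. Deriving it from the string removes the chance of the two drifting apart if the filter text changes: `#define ALL_SERVICES_LEN (sizeof(ALL_SERVICES) - 1)`. A short comment saying that `"*:"` is the "all services" filter prefix written ahead of the SELinux user would also help readers of the data file format.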
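Review bot: `services` is declared without an initializer in the second hunk, unlike `path` and `tmp_path` beside it, yet the last hunk adds `free(services)` under `done:`. Any `goto done` taken before the `strdup()` assignment (the context of the third hunk shows one directly above the new code) would hand an indeterminate pointer to `free()`. That is undefined behaviour inside a PAM module, which is loaded into the processes that perform authentication. Declare it as `char *services = NULL;` so every early exit is safe. The body of `send_and_receive` starts and ends outside these hunks, so the remaining exit paths could not be checked from here.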
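Review bot: The `strdup(ALL_SERVICES)` copy in the third hunk looks unnecessary, because the buffer is only read by the write call. Passing the constant directly, `written = sss_atomic_write_s(fd, (void *)ALL_SERVICES, ALL_SERVICES_LEN);`, would drop the allocation, its failure branch and the matching `free()` at `done:`. This assumes `sss_atomic_write_s` does not modify its buffer, which is not visible here. Separately, the two adjacent string literals in the `logger()` call concatenate to `%sfailed`, so the first should end with a space: `"writing to SELinux data file %s "`.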