From 7016947229edcaa268a82bf69fde37e521b13233 Mon Sep 17 00:00:00 2001
From: Jan Zeleny
Date: Tue, 24 Jul 2012 15:36:10 -0400
Subject: Move SELinux processing from session to account PAM stack
The idea is to rename session provider to selinux provider. Processing of SELinux rules has to be performed in account stack in order to ensure that pam_selinux (which is the first module in PAM session stack) will get the correct input from SSSD. Processing of account PAM stack is bound to access provider. That means we need to have two providers executed when SSS_PAM_ACCT_MGMT message is received from PAM responder. Change in data_provider_be.c ensures just that - after access provider finishes its actions, the control is given to selinux provider and only after this provider finishes is the result returned to PAM responder.
---
 src/responder/pam/pamsrv_cmd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src/responder/pam')
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 006edcd3..9c4c7706 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -582,6 +582,7 @@ static void pam_reply_delay(struct tevent_context *ev, struct tevent_timer *te,
 pam_reply(preq);
 }
+static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd);
 static void pam_cache_auth_done(struct pam_auth_req *preq, int ret,
 time_t expire_date, time_t delayed_until);
@@ -700,7 +701,7 @@ static void pam_reply(struct pam_auth_req *preq)
 return;
 }
- if (pd->cmd == SSS_PAM_OPEN_SESSION &&
+ if (pd->cmd == SSS_PAM_ACCT_MGMT &&
 pd->pam_status == PAM_SUCCESS) {
 /* Try to fetch data from sysdb
 * (auth already passed -> we should have them) */
-- cgit
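Review bot: The forward declaration `static int pam_forwarder(struct cli_ctx *cctx, int pam_cmd);` added in the first hunk has no new caller in the visible hunks of this file, and the diffstat shows only two insertions in pamsrv_cmd.c, so it looks unused by this commit. If nothing in pam_reply() or the functions between the two hunks calls it yet, drop it here and add it with the commit that introduces the call; otherwise add a short comment such as `/* needed by <caller>, defined below */` naming the real caller.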
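Review bot: The comment kept under the changed condition in the second hunk, `(auth already passed -> we should have them)`, no longer obviously holds once the branch runs for `SSS_PAM_ACCT_MGMT`. The account phase can be reached without an SSSD authentication step (key-based SSH logins are one example), so the sysdb entry may be missing or stale when this lookup runs. The rest of the branch lies outside the hunk, so how a failed lookup is handled cannot be seen here. Please confirm that it either fails the account phase or falls back deliberately and logs the fact, rather than silently leaving pam_selinux with a default context. I would also reword the comment to something like `/* Fetch SELinux data from sysdb; the entry may be absent if auth did not go through SSSD */`.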