At this moment we will support only asterisk, designating "all
services".

https://fedorahosted.org/sssd/ticket/1360

Thanks
Jan
From 8448d3336ad18f5f16d234b31f6fa73787f16701 Mon Sep 17 00:00:00 2001
From: Jan Zeleny <[email protected]>
Date: Thu, 31 May 2012 18:08:30 -0400
Subject: [PATCH] Provide "service filter" for SELinux context

At this moment we will support only asterisk, designating "all
services".

https://fedorahosted.org/sssd/ticket/1360
---
 src/sss_client/pam_sss.c |   20 ++++++++++++++++++++
 1 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 9dca7e3c7b2f773abf08d5127d63b0bfc52ed06e..f7acb0191be915c3a671e42b80720faacc74f10d 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -57,6 +57,8 @@
 #define FLAGS_USE_AUTHTOK    (1 << 2)
 
 #define PWEXP_FLAG "pam_sss:password_expired_flag"
+#define ALL_SERVICES "*:"
+#define ALL_SERVICES_LEN 2
 
 #define PW_RESET_MSG_FILENAME_TEMPLATE SSSD_CONF_DIR"/customize/%s/pam_sss_pw_reset_message.%s"
 #define PW_RESET_MSG_MAX_SIZE 4096
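Review bot: `ALL_SERVICES_LEN` is a hand-maintained copy of the length of `ALL_SERVICES`, so the two can drift apart if the filter string is ever extended beyond the asterisk. The write added in send_and_receive would then emit a truncated prefix or read past the end of the string. Deriving the length keeps them in step: `#define ALL_SERVICES_LEN (sizeof(ALL_SERVICES) - 1)`. A one-line comment on the define saying that the part before the colon is (presumably) the service filter field of the SELinux data file would also help.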
@@ -1084,6 +1086,7 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
 #ifdef HAVE_SELINUX
     char *path = NULL;
     char *tmp_path = NULL;
+    char *services;
     ssize_t written;
     int len;
     int fd;
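Review bot: `char *services;` is declared without an initializer, unlike `path` and `tmp_path` just above it, yet the last hunk adds `free(services)` under the `done:` label. Any `goto done` taken before the `strdup()` assignment (one is visible at the top of the third hunk) then passes an indeterminate pointer to free(). That is undefined behaviour in a PAM module, which typically runs inside a privileged process. Declare it as `char *services = NULL;`. The body of send_and_receive extends beyond this hunk, so other early exits are likely affected as well.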
@@ -1203,6 +1206,22 @@ static int send_and_receive(pam_handle_t *pamh, struct pam_items *pi,
                 goto done;
             }
 
+            /* First write filter for all services */
+            errno = 0;
+            services = strdup(ALL_SERVICES);
+            if (services == NULL) {
+                pam_status = PAM_SYSTEM_ERR;
+                goto done;
+            }
+
+            written = sss_atomic_write_s(fd, (void *)services, ALL_SERVICES_LEN);
+            if (written == -1) {
+                ret = errno;
+                logger(pamh, LOG_ERR, "writing to SELinux data file %s"
+                        "failed [%d]: %s", tmp_path, ret, strerror(ret));
+                pam_status = PAM_SYSTEM_ERR;
+                goto done;
+            }
             len = strlen(pi->selinux_user);
 
             errno = 0;
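Review bot: The error message joins `"writing to SELinux data file %s"` and `"failed [%d]: %s"` with no space between them, so the log reads `<path>failed`; add a trailing space to the first literal. The `strdup()` copy is not needed to write a constant: passing `ALL_SERVICES` directly to `sss_atomic_write_s` (with whatever cast its prototype requires) removes the allocation, its failure path and the `free()` in the cleanup. Only `written == -1` is treated as failure; if sss_atomic_write_s can return a short count, compare against `ALL_SERVICES_LEN` so a partially written filter is not left in the file. The enclosing block begins and ends outside this hunk.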
@@ -1243,6 +1262,7 @@ done:
 #ifdef HAVE_SELINUX
     free(path);
     free(tmp_path);
+    free(services);
 #endif /* HAVE_SELINUX */
 
     return pam_status;
-- 
1.7.7.6
