commit da695db7a453b1e2a5ef63fcca21d59a2ed75dda
Author: Tomas Mraz <tmraz(a)fedoraproject.org>
Date: Tue Mar 11 09:59:12 2014 +0100
pam_selinux: canonicalize user name
SELinux expects a canonical user name, for example one without a domain component.
* modules/pam_selinux/pam_selinux.c (compute_exec_context): Canonicalize user name
with pam_modutil_getpwnam().
modules/pam_selinux/pam_selinux.c | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
---
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index b96cc23..b2a75e0 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -491,12 +491,17 @@ compute_exec_context(pam_handle_t *pamh, module_data_t *data,
char *level = NULL;
security_context_t *contextlist = NULL;
int num_contexts = 0;
+ const struct passwd *pwd;
if (!(username = get_item(pamh, PAM_USER))) {
pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name");
return PAM_USER_UNKNOWN;
}
+ if ((pwd = pam_modutil_getpwnam(pamh, username)) != NULL) {
+ username = pwd->pw_name;
+ } /* ignore error and keep using original username */
+
/* compute execute context */
#ifdef HAVE_GETSEUSER
if (!(service = get_item(pamh, PAM_SERVICE))) {
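Review bot: The fallback in the added block is silent: when `pam_modutil_getpwnam()` returns NULL, `compute_exec_context` carries on with the name exactly as PAM supplied it and nothing is logged. A failed lookup can mean an unknown account, but it can also be a transient directory-service failure, and in both cases the SELinux user mapping that follows (outside this hunk, so inferred) is computed from a non-canonical name, which may select a different context than the account's intended one. I would keep the best-effort behaviour but make it visible, e.g. `} else { pam_syslog(pamh, LOG_NOTICE, "Cannot canonicalize user name, using it as given"); }`, so an unexpected context can be traced back to the failed lookup. It would also help to extend the trailing comment to say why ignoring the error is acceptable here, for instance `/* lookup failure is not fatal: the name may still have an SELinux mapping */`, if that is the intent.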