[patch] Make pam_namespace working w/o SElinux
Jan Kasprzak
kas at fi.muni.cz
Wed Sep 26 13:25:19 UTC 2007
Hi all,

pam_namespace.so fails when compiled WITH_SELINUX and no SELinux is
present (even when the 'require_selinux' parameter is not set in
/etc/pam.d/*). When the 'debug' parameter is in use, the error message
is:

Sep 26 14:48:19 calypso su: pam_namespace(su-l:session): Error getting poly dir context, Operation not supported

I would expect at least the "user" polyinstantiation method working
even without selinux.

I have opened this problem as a Fedora bug:
https://bugzilla.redhat.com/show_bug.cgi?id=306901

I have written the following patch, which fixes the problem for me.
Please consider including this patch in mainstream sources.

Thanks,
-Yenya

--- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c.nofail-without-selinux 2007-09-26 14:44:02.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c 2007-09-26 15:20:47.000000000 +0200
@@ -592,9 +592,6 @@
#ifdef WITH_SELINUX
*i_context = NULL;
*origcon = NULL;
- if ((rc=form_context(polyptr, i_context, origcon, idata)) != PAM_SUCCESS) {
- return rc;
- }
#endif
rc = PAM_SESSION_ERR;
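Review bot: Dropping the form_context() call outright at the top of this #ifdef block means that on a WITH_SELINUX build every method other than LEVEL and CONTEXT now returns with *i_context and *origcon still NULL, including on hosts where SELinux is active. Please confirm that the callers consuming these two outputs accept NULL, or keep the call here and skip it only when is_selinux_enabled() reports that SELinux is off, so behaviour on SELinux hosts is unchanged.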
@@ -617,6 +614,13 @@
#ifdef WITH_SELINUX
case LEVEL:
case CONTEXT:
+ {
+ int rc1;
+ if ((rc1=form_context(polyptr, i_context, origcon, idata))
+ != PAM_SUCCESS)
+ return rc1;
+ }
+
if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) {
pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context");
goto fail;
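Review bot: `return rc1;` in the new block leaves the function directly, while the selinux_trans_to_raw_context() failure just below it uses `goto fail`, so this error path skips whatever cleanup the fail path performs. Consider assigning rc = rc1 and jumping to fail instead, which keeps a single exit path for errors in this switch; rc1 can then be declared with the other locals and the extra brace scope dropped.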
@@ -666,10 +670,14 @@
#endif
if (rc != PAM_SUCCESS) {
#ifdef WITH_SELINUX
- freecon(*i_context);
- *i_context = NULL;
- freecon(*origcon);
- *origcon = NULL;
+ if (*i_context) {
+ freecon(*i_context);
+ *i_context = NULL;
+ }
+ if (*origcon) {
+ freecon(*origcon);
+ *origcon = NULL;
+ }
#endif
free(*i_name);
*i_name = NULL;
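Review bot: The new `if (*i_context)` and `if (*origcon)` guards are only sound if both pointers are always set to NULL before this cleanup can be reached, which depends on the assignments inside the first #ifdef WITH_SELINUX block of this patch; a one-line comment stating that invariant would help the next reader. Note also that `free(*i_name)` right below is called unguarded, so if freecon() tolerates NULL the way free() does, the guards can be dropped for consistency.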
--
| Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> |
| GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E |
| http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ |
> So at least in some cases, I think we should "default to stupid, <
> but give users rope". --Linus Torvalds <