List: fedora-selinux-list
Subject: Re: newrole using SELinux user identity for password lookups
From: Colin Walters <walters () redhat ! com>
Date: 2004-04-21 20:15:04
Message-ID: 1082578504.4826.76.camel () nexus ! verbum ! private
On Wed, 2004-04-21 at 15:56, Stephen Smalley wrote:
> In the short term, if you want to have it fall back to the Linux uid for
> authentication purposes if the SELinux user identity is
> SELINUX_DEFAULTUSER (defined in include/selinux/get_context_list.h),
> then that is fine. Just don't use the Linux uid as the user identity
> for the new context.
Ah, I didn't know about SELINUX_DEFAULTUSER. Cool. Patch attached
then. Tested in both the explicit user identity and default cases.
["policycoreutils-1.10-getuid-fallback.patch" (policycoreutils-1.10-getuid-fallback.patch)]
--- /tmp/policycoreutils-1.10/newrole/newrole.c 2003-08-27 12:07:12.000000000 -0400
+++ policycoreutils-1.10/newrole/newrole.c 2004-04-21 16:08:11.200684456 -0400
@@ -62,6 +62,7 @@
#include <selinux/flask.h> /* for SECCLASS_CHR_FILE */
#include <selinux/context.h> /* for context-mangling functions */
#include <selinux/get_default_type.h>
+#include <selinux/get_context_list.h> /* for SELINUX_DEFAULTUSER */
#include <signal.h>
#include <locale.h> /* for setlocale() */
#include <libintl.h> /* for gettext() */
@@ -244,6 +245,7 @@
context_t context; /* manipulatable form of new_context */
+ const char *se_username; /* SELinux user identity */
struct passwd *pw; /* struct derived from passwd file line */
struct passwd pw_copy;
@@ -360,8 +362,17 @@
freecon(old_context);
/* Make `pw' point to a structure containing the data *
- * from our user's line in the passwd file. */
- if( !(pw=getpwnam(context_user_get(context))) ) {
+ * from our user's line in the passwd file. If the current user's
+ * SELinux user identity is the default (SELINUX_DEFAULTUSER), then
+ * we authenticate using the user's UID. Otherwise we use the SELinux
+ * user identity.
+ */
+ se_username = context_user_get(context);
+ if (!strcmp (se_username, SELINUX_DEFAULTUSER))
+ pw = getpwuid(getuid());
+ else
+ pw=getpwnam(se_username);
+ if( !pw ) {
fprintf(stderr,_("cannot find your entry in the passwd file.\n"));
exit(-1);
}
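Review bot: the new lookup passes `se_username` straight into `strcmp` without checking it for NULL; if `context_user_get()` can return NULL for a context it could not parse, the fallback branch is never reached and the comparison dereferences NULL. A guard such as `if (!se_username || !strcmp(se_username, SELINUX_DEFAULTUSER))` before the lookup keeps the default-user fallback while avoiding the crash, and reading the comparison as `== 0` makes the intent clearer than the bare `!strcmp`. On style, `strcmp (se_username, ...)` and `pw=getpwnam(se_username);` do not match the spacing of the neighbouring `pw = getpwuid(getuid());`; making the three lines consistent would help. The authentication side now depends on the real uid only when the SELinux identity is the default, and the new context's identity still comes from `context`, which is the split the thread asked for.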