'Re: newrole using SELinux user identity for password lookups'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       fedora-selinux-list
Subject:    Re: newrole using SELinux user identity for password lookups
From:       Colin Walters <walters () redhat ! com>
Date:       2004-04-21 20:15:04
Message-ID: 1082578504.4826.76.camel () nexus ! verbum ! private
[Download RAW message or body]

[Attachment #2 (multipart/mixed)]


On Wed, 2004-04-21 at 15:56, Stephen Smalley wrote:

> In the short term, if you want to have it fall back to the Linux uid for
> authentication purposes if the SELinux user identity is
> SELINUX_DEFAULTUSER (defined in include/selinux/get_context_list.h),
> then that is fine.  Just don't use the Linux uid as the user identity
> for the new context.

Ah, I didn't know about SELINUX_DEFAULTUSER.  Cool.  Patch attached
then.  Tested in both the explicit user identity and default cases.


["policycoreutils-1.10-getuid-fallback.patch" (policycoreutils-1.10-getuid-fallback.patch)]

--- /tmp/policycoreutils-1.10/newrole/newrole.c	2003-08-27 12:07:12.000000000 -0400
+++ policycoreutils-1.10/newrole/newrole.c	2004-04-21 16:08:11.200684456 -0400
@@ -62,6 +62,7 @@
 #include <selinux/flask.h>        /* for SECCLASS_CHR_FILE */
 #include <selinux/context.h>      /* for context-mangling functions */
 #include <selinux/get_default_type.h>
+#include <selinux/get_context_list.h> /* for SELINUX_DEFAULTUSER */
 #include <signal.h>
 #include <locale.h>			    /* for setlocale() */
 #include <libintl.h>			    /* for gettext() */
@@ -244,6 +245,7 @@
   context_t context;		 	   /* manipulatable form of new_context */
 
 
+  const char *se_username;  /* SELinux user identity */
   struct passwd *pw;                 /* struct derived from passwd file line */
   struct passwd pw_copy;
 
@@ -360,8 +362,17 @@
 
   freecon(old_context);
   /* Make `pw' point to a structure containing the data              *
-   * from our user's line in the passwd file.                        */
-  if( !(pw=getpwnam(context_user_get(context))) ) {
+   * from our user's line in the passwd file.  If the current user's
+   * SELinux user identity is the default (SELINUX_DEFAULTUSER), then
+   * we authenticate using the user's UID.  Otherwise we use the SELinux
+   * user identity.
+   */
+  se_username = context_user_get(context);
+  if (!strcmp (se_username, SELINUX_DEFAULTUSER))
+    pw = getpwuid(getuid());
+  else
+    pw=getpwnam(se_username);
+  if( !pw ) {
     fprintf(stderr,_("cannot find your entry in the passwd file.\n"));
     exit(-1);
   }

["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic