Re: newrole using SELinux user identity for password lookups

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Wed, 2004-04-21 at 15:56, Stephen Smalley wrote:

> In the short term, if you want to have it fall back to the Linux uid for
> authentication purposes if the SELinux user identity is
> SELINUX_DEFAULTUSER (defined in include/selinux/get_context_list.h),
> then that is fine.  Just don't use the Linux uid as the user identity
> for the new context.

Ah, I didn't know about SELINUX_DEFAULTUSER.  Cool.  Patch attached
then.  Tested in both the explicit user identity and default cases.

--- /tmp/policycoreutils-1.10/newrole/newrole.c	2003-08-27 12:07:12.000000000 -0400
+++ policycoreutils-1.10/newrole/newrole.c	2004-04-21 16:08:11.200684456 -0400
@@ -62,6 +62,7 @@
 #include <selinux/flask.h>        /* for SECCLASS_CHR_FILE */
 #include <selinux/context.h>      /* for context-mangling functions */
 #include <selinux/get_default_type.h>
+#include <selinux/get_context_list.h> /* for SELINUX_DEFAULTUSER */
 #include <signal.h>
 #include <locale.h>			    /* for setlocale() */
 #include <libintl.h>			    /* for gettext() */
@@ -244,6 +245,7 @@
   context_t context;		 	   /* manipulatable form of new_context */
 
 
+  const char *se_username;  /* SELinux user identity */
   struct passwd *pw;                 /* struct derived from passwd file line */
   struct passwd pw_copy;
 
@@ -360,8 +362,17 @@
 
   freecon(old_context);
   /* Make `pw' point to a structure containing the data              *
-   * from our user's line in the passwd file.                        */
-  if( !(pw=getpwnam(context_user_get(context))) ) {
+   * from our user's line in the passwd file.  If the current user's
+   * SELinux user identity is the default (SELINUX_DEFAULTUSER), then
+   * we authenticate using the user's UID.  Otherwise we use the SELinux
+   * user identity.
+   */
+  se_username = context_user_get(context);
+  if (!strcmp (se_username, SELINUX_DEFAULTUSER))
+    pw = getpwuid(getuid());
+  else
+    pw=getpwnam(se_username);
+  if( !pw ) {
     fprintf(stderr,_("cannot find your entry in the passwd file.\n"));
     exit(-1);
   }

Attachment: signature.asc
Description: This is a digitally signed message part


[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux