On Wed, 2004-04-21 at 15:56, Stephen Smalley wrote:
> In the short term, if you want to have it fall back to the Linux uid for
> authentication purposes if the SELinux user identity is
> SELINUX_DEFAULTUSER (defined in include/selinux/get_context_list.h),
> then that is fine. Just don't use the Linux uid as the user identity
> for the new context.

Ah, I didn't know about SELINUX_DEFAULTUSER. Cool. Patch attached then. Tested in both the explicit user identity and default cases.
--- /tmp/policycoreutils-1.10/newrole/newrole.c 2003-08-27 12:07:12.000000000 -0400 +++ policycoreutils-1.10/newrole/newrole.c 2004-04-21 16:08:11.200684456 -0400 @@ -62,6 +62,7 @@ #include <selinux/flask.h> /* for SECCLASS_CHR_FILE */ #include <selinux/context.h> /* for context-mangling functions */ #include <selinux/get_default_type.h> +#include <selinux/get_context_list.h> /* for SELINUX_DEFAULTUSER */ #include <signal.h> #include <locale.h> /* for setlocale() */ #include <libintl.h> /* for gettext() */ @@ -244,6 +245,7 @@ context_t context; /* manipulatable form of new_context */ + const char *se_username; /* SELinux user identity */ struct passwd *pw; /* struct derived from passwd file line */ struct passwd pw_copy; @@ -360,8 +362,17 @@ freecon(old_context); /* Make `pw' point to a structure containing the data * - * from our user's line in the passwd file. */ - if( !(pw=getpwnam(context_user_get(context))) ) { + * from our user's line in the passwd file. If the current user's + * SELinux user identity is the default (SELINUX_DEFAULTUSER), then + * we authenticate using the user's UID. Otherwise we use the SELinux + * user identity. + */ + se_username = context_user_get(context); + if (!strcmp (se_username, SELINUX_DEFAULTUSER)) + pw = getpwuid(getuid()); + else + pw=getpwnam(se_username); + if( !pw ) { fprintf(stderr,_("cannot find your entry in the passwd file.\n")); exit(-1); }
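Review bot: in the third hunk the single failure path `if( !pw )` now covers two different lookups (getpwuid(getuid()) when the SELinux user is SELINUX_DEFAULTUSER, getpwnam(se_username) otherwise), but the message "cannot find your entry in the passwd file." no longer says which identity was looked up, which makes a misconfigured SELinux user identity hard to tell apart from a missing Linux account; consider including the identity that was searched for (the uid or se_username) in the error, or splitting the message by branch. Also a style point on the same hunk: the new lines mix `strcmp (se_username, ...)` with `pw=getpwnam(se_username)` and `if( !pw )`; keep one spacing convention within the block.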