Hi all, pam_namespace.so fails when compiled WITH_SELINUX and no SELinux is present (even when the 'require_selinux' parameter is not set in /etc/pam.d/*). With 'debug' parameter is in use, the error message is: Sep 26 14:48:19 calypso su: pam_namespace(su-l:session): Error getting poly dir context, Operation not supported I would expect at least the "user" polyinstantiation method working even without selinux. I have opened this problem as a Fedora bug: https://bugzilla.redhat.com/show_bug.cgi?id=306901 I have written the following patch, which fixes the problem for me. Please consider including this patch in mainstream sources. Thanks, -Yenya
--- Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c.nofail-without-selinux 2007-09-26 14:44:02.000000000 +0200
+++ Linux-PAM-0.99.7.1/modules/pam_namespace/pam_namespace.c 2007-09-26 15:20:47.000000000 +0200
@@ -592,9 +592,6 @@
 #ifdef WITH_SELINUX
 *i_context = NULL;
 *origcon = NULL;
- if ((rc=form_context(polyptr, i_context, origcon, idata)) != PAM_SUCCESS) {
- return rc;
- }
 #endif
 rc = PAM_SESSION_ERR;
@@ -617,6 +614,13 @@
 #ifdef WITH_SELINUX
 case LEVEL:
 case CONTEXT:
+ {
+ int rc1;
+ if ((rc1=form_context(polyptr, i_context, origcon, idata))
+ != PAM_SUCCESS)
+ return rc1;
+ }
+
 if (selinux_trans_to_raw_context(*i_context, &rawcon) < 0) {
 pam_syslog(idata->pamh, LOG_ERR, "Error translating directory context");
 goto fail;
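Review bot: With form_context() now called only inside the `case LEVEL: case CONTEXT:` branch, every other method leaves `*i_context` and `*origcon` NULL even on a host where SELinux is enabled; if the callers (not visible here) use those contexts to label the instance directory, user-method directories would silently lose their label. Keeping the call where the first hunk removes it, but gating it on the runtime state, e.g. `if (is_selinux_enabled() > 0 && (rc = form_context(polyptr, i_context, origcon, idata)) != PAM_SUCCESS) return rc;`, would fix the no-SELinux case without changing behaviour on SELinux-enabled systems. Separately, the added `return rc1;` is the only failure in this case that does not `goto fail;`, so anything form_context() set before failing would bypass the cleanup shown in the last hunk, assuming `fail:` leads there. The switch and the function body continue outside these hunks.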
@@ -666,10 +670,14 @@
 #endif
 if (rc != PAM_SUCCESS) {
 #ifdef WITH_SELINUX
- freecon(*i_context);
- *i_context = NULL;
- freecon(*origcon);
- *origcon = NULL;
+ if (*i_context) {
+ freecon(*i_context);
+ *i_context = NULL;
+ }
+ if (*origcon) {
+ freecon(*origcon);
+ *origcon = NULL;
+ }
 #endif
 free(*i_name);
 *i_name = NULL;
-- | Jan "Yenya" Kasprzak <kas at {fi.muni.cz - work | yenya.net - private}> | | GPG: ID 1024/D3498839 Fingerprint 0D99A7FB206605D7 8B35FCDE05B18A5E | | http://www.fi.muni.cz/~kas/ Journal: http://www.fi.muni.cz/~kas/blog/ | > So at least in some cases, I think we should "default to stupid, < > but give users rope". --Linus Torvalds < _______________________________________________ Pam-list mailing list Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
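Review bot: The new NULL guards in the `rc != PAM_SUCCESS` cleanup carry no comment saying why the contexts can be unset at this point; after this patch they can be, because form_context() runs only in the LEVEL/CONTEXT case. A one-line comment above the first guard, such as `/* contexts stay NULL unless form_context() ran for LEVEL/CONTEXT */`, would record that for the next reader. The guards rely on the `*i_context = NULL; *origcon = NULL;` initialisation kept by the first hunk, and the enclosing function starts and ends outside this hunk.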