On Wed, 2015-08-12 at 09:58 -0400, Christopher J. PeBenito wrote:
> Working an issue here, we uncovered that PAM is checking the wrong
> SELinux permission in the pam_rootok module; it checks the passwd
> permission instead of the rootok permission. This issue was reported
> earlier this year[1] but no action has been taken.
>
> This has been around since early 2013, when the code was changed from
> the old checkPasswdAccess() to selinux_check_access(), but an impact to
> users would be rare since most domains that have the rootok permission
> also have the passwd permission.
>
> [1] https://fedorahosted.org/linux-pam/ticket/37
>
> diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
> index 70579e5..88bed0c 100644
> --- a/modules/pam_rootok/pam_rootok.c
> +++ b/modules/pam_rootok/pam_rootok.c
> @@ -106,7 +106,7 @@ selinux_check_root (void)
>      return status;
>  }
>
> -    status = selinux_check_access(user_context, user_context, "passwd",
> "passwd", NULL);
> +    status = selinux_check_access(user_context, user_context, "passwd",
> "rootok", NULL);
>
>      selinux_set_callback(SELINUX_CB_LOG, old_callback);
>      freecon(user_context);

Thank you for the heads-up. I committed the fix into the upstream git
master branch.

--
Tomas Mraz
No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
(You'll never know whether the road is wrong though.)

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
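Review bot: the hunk changes only the permission string ("passwd" to "rootok") and keeps the object class argument as "passwd", which is the right scope: in SELinux policy, rootok is defined as a permission of the passwd class next to the passwd permission, so narrowing the change to the last string argument is correct, and passing user_context as both source and target preserves the self-access semantics of the old checkPasswdAccess() call the description refers to. The surrounding context lines (the early `return status;`, the `selinux_set_callback(SELINUX_CB_LOG, old_callback);` restore and `freecon(user_context);`) are untouched, so error handling and cleanup are unaffected. Since the description notes the bug was reported earlier in ticket [1], the commit message should cite that ticket so the policy-side expectation (domains granted rootok but not passwd now pass this check) stays traceable.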