author: Christian Göttsche <cgzones@googlemail.com>, 2023-01-16 20:58:26 +0100
committer: Christian Göttsche <cgzones@googlemail.com>, 2023-01-24 16:55:53 +0100
commit: f98a070c8d163b39c1d170166a0d5cb35b74445d
tree: 571ae400a969f0da5eb3d597e9d8bbafcacce57d /examples
parent: 9ae4fb5436eb25771be0330eed996951de96fa79
pam_selinux: treat getenforce failures as enforcing
security_getenforce(3) can return -1 on error; either because the selinuxfs is not mounted or reading from /sys/fs/selinux/enforce failed. Since security_getenforce(3) is either called after an approving call to is_selinux_enabled(3) in create_context() or with populated module data in restore_context(), which requires a previous pass of create_context(), the selinuxfs should be mounted. Reading from /sys/fs/selinux/enforce should never fail (except being prohibited by the SELinux policy itself) since it is a public interface. In the unlikely case of security_getenforce(3) nevertheless failing, continue execution as if the result was enforcing (likewise to pam_sepermit and pam_rootok).
Diffstat (limited to 'examples')
0 files changed, 0 insertions, 0 deletions
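The fail-closed handling the commit message describes, as an added example that is not code from this commit or from pam_selinux. `getenforce_from()` is a hypothetical stand-in for security_getenforce(3) with the same 1/0/-1 return convention, and `context_failed`, the `decide_*` functions and the `DECISION_*` constants are assumed names that contrast a check treating -1 as permissive with one treating it as enforcing.

```c
#include <stdio.h>

#define DECISION_ALLOW 0
#define DECISION_DENY  1

/* Hypothetical stand-in for security_getenforce(3):
 * 1 = enforcing, 0 = permissive, -1 = error. */
static int getenforce_from(const char *path)
{
    FILE *f = fopen(path, "r");
    int value;

    if (f == NULL)
        return -1;                      /* e.g. selinuxfs not mounted */
    if (fscanf(f, "%d", &value) != 1) {
        fclose(f);
        return -1;                      /* read or parse failure */
    }
    fclose(f);
    return value ? 1 : 0;
}

/* Fail-open: only a literal 1 counts as enforcing, so -1 acts like permissive. */
static int decide_fail_open(int context_failed, int enforce_rc)
{
    if (!context_failed)
        return DECISION_ALLOW;
    return enforce_rc == 1 ? DECISION_DENY : DECISION_ALLOW;
}

/* Fail-closed: only a literal 0 counts as permissive, so -1 acts like enforcing. */
static int decide_fail_closed(int context_failed, int enforce_rc)
{
    if (!context_failed)
        return DECISION_ALLOW;
    return enforce_rc == 0 ? DECISION_ALLOW : DECISION_DENY;
}

int main(void)
{
    /* Constructed path that does not exist, to force the error return. */
    int rc = getenforce_from("/nonexistent/selinux/enforce");

    printf("getenforce rc=%d\n", rc);
    printf("fail-open   : %s\n", decide_fail_open(1, rc) ? "deny" : "allow");
    printf("fail-closed : %s\n", decide_fail_closed(1, rc) ? "deny" : "allow");
    return 0;
}
```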