author | Tomas Mraz <tm@t8m.info> | 2008-03-20 17:06:32 +0000 |
---|---|---|
committer | Tomas Mraz <tm@t8m.info> | 2008-03-20 17:06:32 +0000 |
commit | ffe3830f997b26538dabbac0c7cbc359e71a3c34 (patch) | |
tree | 6127f3df609fbd0e4c8c367231bc35904ead8251 /modules | |
parent | 50ae95ca4091b682fdb154e5aaa63879ba1c6cdc (diff) | |
Relevant BUGIDs: rhbz#438338, rhbz#438264
Purpose of commit: bugfix
Commit summary:
---------------
2008-03-20 Tomas Mraz <t8m@centrum.cz>
* modules/pam_namespace/pam_namespace.c(poly_name): Switch to USER
method only when appropriate.
(setup_namespace): Do not umount when not mounted with RUSER.
* modules/pam_selinux/pam_selinux.c(pam_sm_close_session): Call
freecontext() after the context is logged not before.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/pam_namespace/pam_namespace.c | 16 | ||||
-rw-r--r-- | modules/pam_selinux/pam_selinux.c | 22 |
2 files changed, 23 insertions, 15 deletions
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c index d0741fd2..80c51443 100644 --- a/modules/pam_namespace/pam_namespace.c +++ b/modules/pam_namespace/pam_namespace.c @@ -822,10 +822,11 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name, */ pm = polyptr->method; - if (pm == LEVEL || pm == USER) { + if (pm == LEVEL || pm == CONTEXT) #ifdef WITH_SELINUX - if (!(idata->flags & PAMNS_CTXT_BASED_INST)) + if (!(idata->flags & PAMNS_CTXT_BASED_INST)) { #else + { pam_syslog(idata->pamh, LOG_NOTICE, "Context and level methods not available, using user method"); #endif @@ -1528,13 +1529,18 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt) */ for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) { enum unmnt_op dir_unmnt = unmnt; - if (ns_override(pptr, idata, idata->uid)) { - if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) { - continue; + + if (ns_override(pptr, idata, idata->ruid)) { + dir_unmnt = NO_UNMNT; + } + if (ns_override(pptr, idata, idata->uid)) { + if (dir_unmnt == NO_UNMNT) { + continue; } else { dir_unmnt = UNMNT_ONLY; } } + if (idata->flags & PAMNS_DEBUG) pam_syslog(idata->pamh, LOG_DEBUG, "Setting poly ns for user %d for dir %s", diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c index 8959c8cf..f679e33d 100644 --- a/modules/pam_selinux/pam_selinux.c +++ b/modules/pam_selinux/pam_selinux.c @@ -672,7 +672,7 @@ PAM_EXTERN int pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, int argc, const char **argv) { - int i, debug = 0,status=0, open_session=0; + int i, debug = 0, status = PAM_SUCCESS, open_session = 0; if (! (selinux_enabled )) return PAM_SUCCESS; 
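Review bot: In the `WITH_SELINUX` build the fallback away from the level/context method is silent in the `poly_name` hunk, because the `pam_syslog(..., "Context and level methods not available, using user method")` call sits between `#else` and `#endif` and is therefore compiled only into the non-SELinux build. An administrator who configured level- or context-based polyinstantiation would, judging by the message text, get user-based instances whenever `PAMNS_CTXT_BASED_INST` is not set, with no log line to detect the downgrade; moving `#endif` above the `pam_syslog` call would log it in both builds. The opening brace now lives in two different preprocessor branches under an unbraced outer `if`, which is easy to break on a later edit, so writing the outer test as `if (pm == LEVEL || pm == CONTEXT) {` with its own closing brace would make the nesting explicit. The rest of the block, including the closing brace and the code that switches the method, is outside the hunk.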
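Review bot: The new uid/ruid decision in the `setup_namespace` hunk has no comment, and its outcomes are hard to read off the two stacked `if`s. A directory overridden for `idata->ruid` is never unmounted, and one overridden for `idata->uid` is skipped when nothing may be unmounted and is otherwise handled as `UNMNT_ONLY`. A comment above the first `ns_override()` call would record the reason given in the commit summary, for example `/* ruid is exempt: the dir was not mounted for it, so never unmount */`, and one above the second call could read `/* uid is exempt: skip, or only undo an existing mount */`. A directory that is exempt for the real uid but not for the effective uid still falls through with `dir_unmnt == NO_UNMNT`, and the comment should say whether that is the intended handling of that case. The loop body continues past the end of the hunk.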
@@ -702,19 +702,21 @@ pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED, free(ttyn); ttyn=NULL; } - status=setexeccon(prev_user_context); - freecon(prev_user_context); - if (status) { - pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.", + if (prev_user_context) { + if (setexeccon(prev_user_context)) { + pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.", prev_user_context); - if (security_getenforce() == 1) - return PAM_AUTH_ERR; - else - return PAM_SUCCESS; + if (security_getenforce() == 1) + status = PAM_AUTH_ERR; + else + status = PAM_SUCCESS; + } + freecon(prev_user_context); + prev_user_context = NULL; } if (debug) pam_syslog(pamh, LOG_NOTICE, "setcontext back to orginal"); - return PAM_SUCCESS; + return status; } |
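Review bot: A failed `security_getenforce()` is treated like permissive mode in the new error path: the call returns -1 on error, and the `== 1` test then leaves `status` at `PAM_SUCCESS`, so a context that could not be restored is reported as a clean session close exactly when the enforcing state is unknown. Testing `if (security_getenforce() != 0)` would fail closed instead. `PAM_SESSION_ERR` is the conventional failure code for a session hook, where this path sets `PAM_AUTH_ERR`. The `"setcontext back to orginal"` debug message is still logged after a failed `setexeccon()`, so with `debug` on the log contradicts the preceding `LOG_ERR` line; it could be limited to the success case. `pam_sm_close_session` begins above the hunk.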