From 6fc8482e1f59c70ff11cbe2e5ad1101996c41f00 Mon Sep 17 00:00:00 2001
From: Christian Göttsche
Date: Mon, 3 Aug 2020 19:56:37 +0200
Subject: pam_rootok: skip context translation

The retrieved context is just passed to the libselinux function 'selinux_check_access()', so a context translation to human readable MCS/MLS labels is not needed. (see man:setrans.conf(5))
---
 modules/pam_rootok/pam_rootok.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'modules/pam_rootok')
diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
index 97296458..eb9c5eee 100644
--- a/modules/pam_rootok/pam_rootok.c
+++ b/modules/pam_rootok/pam_rootok.c
@@ -87,7 +87,7 @@ static int
 selinux_check_root (void)
 {
 int status = -1;
- char *user_context;
+ char *user_context_raw;
 union selinux_callback old_callback;
 if (is_selinux_enabled() < 1)
@@ -96,15 +96,15 @@ selinux_check_root (void)
 old_callback = selinux_get_callback(SELINUX_CB_LOG);
 /* setup callbacks */
 selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &log_callback);
- if ((status = getprevcon(&user_context)) < 0) {
+ if ((status = getprevcon_raw(&user_context_raw)) < 0) {
 selinux_set_callback(SELINUX_CB_LOG, old_callback);
 return status;
 }
- status = selinux_check_access(user_context, user_context, "passwd", "rootok", NULL);
+ status = selinux_check_access(user_context_raw, user_context_raw, "passwd", "rootok", NULL);
 selinux_set_callback(SELINUX_CB_LOG, old_callback);
- freecon(user_context);
+ freecon(user_context_raw);
 return status;
 }
 #endif
--
cgit v1.2.3
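Review bot: `user_context_raw` is declared uninitialised in the first hunk, and the second hunk treats only a negative return from `getprevcon_raw()` as failure, so a call that reported success without storing a context would hand an indeterminate or NULL pointer to `selinux_check_access()` and `freecon()`. Whether libselinux can actually do that for the previous context is not visible here, but because this check gates the rootok decision it is worth failing closed: declare `char *user_context_raw = NULL;` and widen the guard to `if ((status = getprevcon_raw(&user_context_raw)) < 0 || user_context_raw == NULL) {`. That branch should then return -1 rather than `status`, assuming the caller treats non-zero as denial, which the diff does not show. A short comment above the call, such as `/* raw context: only handed back to libselinux, never displayed */`, would record why the untranslated variant is used. The start of `selinux_check_root` and the lines between the two hunks lie outside the diff.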