From 8562cb1b951e7bd807af6b43d85c71cedd7b10d7 Mon Sep 17 00:00:00 2001
From: Christian Göttsche <cgzones@googlemail.com>
Date: Fri, 24 May 2024 17:39:21 +0200
Subject: pam_xauth: improve error logging on selabel lookup

Log in case the database could not be initialized.

Include the errno on lookup failure.
---
 modules/pam_xauth/pam_xauth.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

(limited to 'modules')

diff --git a/modules/pam_xauth/pam_xauth.c b/modules/pam_xauth/pam_xauth.c
index 52229968..5e80b312 100644
--- a/modules/pam_xauth/pam_xauth.c
+++ b/modules/pam_xauth/pam_xauth.c
@@ -613,11 +613,14 @@ pam_sm_open_session (pam_handle_t *pamh, int flags UNUSED,
 #ifdef WITH_SELINUX
 		if (is_selinux_enabled() > 0) {
 			struct selabel_handle *ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
-			if (ctx != NULL) {
+			if (!ctx) {
+				pam_syslog(pamh, LOG_WARNING,
+					   "could not initialize SELinux labeling handle: %m");
+			} else {
 				if (selabel_lookup_raw(ctx, &context_raw,
 						       xauthority + sizeof(XAUTHENV), S_IFREG) != 0) {
 					pam_syslog(pamh, LOG_WARNING,
-						   "could not get SELinux label for '%s'",
+						   "could not get SELinux label for '%s': %m",
 						   xauthority + sizeof(XAUTHENV));
 				}
 				selabel_close(ctx);
-- 
cgit v1.2.3