[packages/pam.git] / pam-selinux-nofail.patch

--- Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c.nofail	2005-11-29 10:22:05.000000000 +0100
+++ Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c	2005-12-15 14:12:54.000000000 +0100
@@ -327,6 +327,8 @@
   int num_contexts = 0;
   const void *username = NULL;
   const void *tty = NULL;
+  char *seuser=NULL;
+  char *level=NULL;
 
   /* Parse arguments. */
   for (i = 0; i < argc; i++) {
@@ -361,7 +363,18 @@
                    username == NULL) {
     return PAM_AUTH_ERR;
   }
-  num_contexts = get_ordered_context_list(username, 0, &contextlist);
+
+  if (getseuserbyname(username, &seuser, &level)==0) {
+	  num_contexts = get_ordered_context_list_with_level(seuser, 
+							     level,
+							     NULL, 
+							     &contextlist);
+	  if (debug)
+		  pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
+			 (const char *)username, seuser, level);
+	  free(seuser);
+	  free(level);
+  }
   if (num_contexts > 0) {
     if (multiple && (num_contexts > 1) && has_tty) {
       user_context = select_context(pamh,contextlist, debug);
@@ -376,13 +389,19 @@
       if (user_context == NULL) {
 	pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s",
 		    (const char *)username);
-	return PAM_AUTH_ERR;
+        if (security_getenforce() == 1)
+          return PAM_AUTH_ERR;
+        else
+          return PAM_SUCCESS;
       }
     } else {
         pam_syslog (pamh, LOG_ERR,
 		    "Unable to get valid context for %s, No valid tty",
 		    (const char *)username);
-	return PAM_AUTH_ERR;
+        if (security_getenforce() == 1)
+          return PAM_AUTH_ERR;
+        else
+          return PAM_SUCCESS;
     }
   }
   if (getexeccon(&prev_user_context)<0) {
@@ -420,8 +439,10 @@
     pam_syslog(pamh, LOG_ERR,
 	       "Error!  Unable to set %s executable context %s.",
 	       (const char *)username, user_context);
-    freecon(user_context);
-    return PAM_AUTH_ERR;
+    if (security_getenforce() == 1) {
+       freecon(user_context);
+       return PAM_AUTH_ERR;
+    }
   } else {
     if (debug)
       pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
@@ -471,7 +492,10 @@
   if (status) {
     pam_syslog(pamh, LOG_ERR, "Error!  Unable to set executable context %s.",
 	       prev_user_context);
-    return PAM_AUTH_ERR;
+    if (security_getenforce() == 1)
+       return PAM_AUTH_ERR;
+    else
+       return PAM_SUCCESS;
   }
 
   if (debug)
Commit	Line	Data
83f626c2 JR	1	--- Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c.nofail 2005-11-29 10:22:05.000000000 +0100
	2	+++ Linux-PAM-0.99.2.1/modules/pam_selinux/pam_selinux.c 2005-12-15 14:12:54.000000000 +0100
	3	@@ -327,6 +327,8 @@
	4	int num_contexts = 0;
	5	const void *username = NULL;
	6	const void *tty = NULL;
	7	+ char *seuser=NULL;
	8	+ char *level=NULL;
	9
	10	/* Parse arguments. */
	11	for (i = 0; i < argc; i++) {
	12	@@ -361,7 +363,18 @@
	13	username == NULL) {
	14	return PAM_AUTH_ERR;
	15	}
	16	- num_contexts = get_ordered_context_list(username, 0, &contextlist);
	17	+
	18	+ if (getseuserbyname(username, &seuser, &level)==0) {
	19	+ num_contexts = get_ordered_context_list_with_level(seuser,
	20	+ level,
	21	+ NULL,
	22	+ &contextlist);
	23	+ if (debug)
	24	+ pam_syslog(pamh, LOG_DEBUG, "Username= %s SELinux User = %s Level= %s",
	25	+ (const char *)username, seuser, level);
	26	+ free(seuser);
	27	+ free(level);
	28	+ }
	29	if (num_contexts > 0) {
	30	if (multiple && (num_contexts > 1) && has_tty) {
	31	user_context = select_context(pamh,contextlist, debug);
	32	@@ -376,13 +389,19 @@
	33	if (user_context == NULL) {
	34	pam_syslog (pamh, LOG_ERR, "Unable to get valid context for %s",
	35	(const char *)username);
	36	- return PAM_AUTH_ERR;
	37	+ if (security_getenforce() == 1)
	38	+ return PAM_AUTH_ERR;
	39	+ else
	40	+ return PAM_SUCCESS;
	41	}
	42	} else {
	43	pam_syslog (pamh, LOG_ERR,
	44	"Unable to get valid context for %s, No valid tty",
	45	(const char *)username);
	46	- return PAM_AUTH_ERR;
	47	+ if (security_getenforce() == 1)
	48	+ return PAM_AUTH_ERR;
	49	+ else
	50	+ return PAM_SUCCESS;
	51	}
	52	}
	53	if (getexeccon(&prev_user_context)<0) {
	54	@@ -420,8 +439,10 @@
	55	pam_syslog(pamh, LOG_ERR,
	56	"Error! Unable to set %s executable context %s.",
	57	(const char *)username, user_context);
	58	- freecon(user_context);
	59	- return PAM_AUTH_ERR;
	60	+ if (security_getenforce() == 1) {
	61	+ freecon(user_context);
	62	+ return PAM_AUTH_ERR;
	63	+ }
	64	} else {
65	if (debug)
66	pam_syslog(pamh, LOG_NOTICE, "set %s security context to %s",
67	@@ -471,7 +492,10 @@
68	if (status) {
69	pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.",
70	prev_user_context);
71	- return PAM_AUTH_ERR;
72	+ if (security_getenforce() == 1)
73	+ return PAM_AUTH_ERR;
74	+ else
75	+ return PAM_SUCCESS;
76	}
77
78	if (debug)