--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c.range	2007-01-04 23:29:04.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.c	2007-01-05 13:30:31.000000000 +0100
@@ -435,6 +435,7 @@
   int i, debug = 0, ttys=1, has_tty=isatty(0);
   int verbose=0, close_session=0;
   int select_context = 0;
+  int use_current_range = 0;
   int ret = 0;
   security_context_t* contextlist = NULL;
   int num_contexts = 0;
@@ -461,11 +462,19 @@
     if (strcmp(argv[i], "select_context") == 0) {
       select_context = 1;
     }
+    if (strcmp(argv[i], "use_current_range") == 0) {
+      use_current_range = 1;
+    }
   }
-
+  
   if (debug)
     pam_syslog(pamh, LOG_NOTICE, "Open Session");
 
+  if (select_context && use_current_range) {
+    pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range");
+    select_context = 0;
+  }
+
   /* this module is only supposed to execute close_session */
   if (close_session)
       return PAM_SUCCESS;
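Review bot: When both options are given, the new `select_context && use_current_range` check logs an error but then carries on with use_current_range silently in effect, so a misconfigured pam.d line quietly changes which context the session is given instead of failing. Consider returning the module's session-error code there, or at least making the precedence explicit in the log text, e.g. `pam_syslog(pamh, LOG_ERR, "select_context cannot be used with use_current_range, ignoring select_context");`, and stating the same in the man page. The hunk also replaces an empty line with one carrying trailing spaces (the `-`/`+` pair just before `if (debug)`), which should be dropped. The enclosing function begins before this hunk.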
@@ -532,6 +541,51 @@
           return PAM_SUCCESS;
     }
   }
+
+  if (use_current_range && is_selinux_mls_enabled()) {
+    security_context_t process_context=NULL;    
+    if (getcon(&process_context) == 0) {
+      context_t pcon, ucon;
+      char *process_level=NULL;
+      security_context_t orig_context;
+      
+      if (user_context)
+        orig_context = user_context;
+      else
+        orig_context = default_user_context;
+
+      pcon = context_new(process_context);
+      freecon(process_context);
+      process_level = strdup(context_range_get(pcon));
+      context_free(pcon);
+
+      if (debug)
+        pam_syslog (pamh, LOG_DEBUG, "process level=%s", process_level);
+
+      ucon = context_new(orig_context);
+
+      context_range_set(ucon, process_level);
+      free(process_level);
+
+      if (!mls_range_allowed(pamh, orig_context, context_str(ucon), debug)) {
+	send_text(pamh, _("Requested MLS level not in permitted range"), debug);
+	/* even if default_user_context is NULL audit that anyway */
+	send_audit_message(pamh, 0, default_user_context, context_str(ucon));
+	context_free(ucon);
+	return PAM_AUTH_ERR;
+      }
+
+      if (debug)
+        pam_syslog (pamh, LOG_DEBUG, "adjusted context=%s", context_str(ucon));
+
+      /* replace the user context with the level adjusted one */
+      freecon(user_context);
+      user_context = strdup(context_str(ucon));
+
+      context_free(ucon);
+    }
+  }
+
   if (getexeccon(&prev_user_context)<0) {
     prev_user_context=NULL;
   }
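Review bot: The new use_current_range block dereferences several libselinux results without checking them: `context_new(process_context)` and `context_new(orig_context)` may return NULL, `context_range_get(pcon)` returns NULL when the process context has no range component (passing that to `strdup` is undefined behaviour), `strdup` itself can fail, and the return of `context_range_set` is ignored, so a malformed or rangeless context turns into a NULL dereference or an empty/wrong level rather than a clean failure in a setuid-facing PAM path. The same applies to the `strdup(context_str(ucon))` that replaces `user_context`, which can leave `user_context` NULL for the code that follows. The sketch below adds the checks; it uses PAM_SESSION_ERR as the failure code, but it should match whatever open_session returns for other libselinux failures, which lie outside this hunk, and any cleanup of `contextlist`/`default_user_context` that the function's existing error paths perform (also outside the hunk) should be done on the `PAM_AUTH_ERR` return here too.
```c
      pcon = context_new(process_context);
      freecon(process_context);
      if (pcon == NULL)
        return PAM_SESSION_ERR;
      range = context_range_get(pcon);
      if (range != NULL)
        process_level = strdup(range);
      context_free(pcon);
      if (process_level == NULL)
        return PAM_SESSION_ERR;   /* no range on the process context, or OOM */

      /* … unchanged: debug log of process_level … */

      ucon = context_new(orig_context);
      if (ucon == NULL) {
        free(process_level);
        return PAM_SESSION_ERR;
      }
      if (context_range_set(ucon, process_level) != 0) {
        free(process_level);
        context_free(ucon);
        return PAM_SESSION_ERR;
      }
      free(process_level);

      /* … unchanged: mls_range_allowed check and audit message … */

      freecon(user_context);
      user_context = strdup(context_str(ucon));
      context_free(ucon);
      if (user_context == NULL)
        return PAM_SESSION_ERR;
```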
--- Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml.range	2007-01-04 23:29:04.000000000 +0100
+++ Linux-PAM-0.99.6.2/modules/pam_selinux/pam_selinux.8.xml	2007-01-04 23:35:03.000000000 +0100
@@ -36,6 +36,9 @@
       <arg choice="opt">
 	select_context
       </arg>
+      <arg choice="opt">
+	use_current_range
+      </arg>
     </cmdsynopsis>
   </refsynopsisdiv>
 
@@ -132,6 +135,17 @@
           </para>
         </listitem>
       </varlistentry>
+      <varlistentry>
+        <term>
+          <option>use_current_range</option>
+        </term>
+        <listitem>
+          <para>
+            Use the sensitivity range of the process for the user context.
+            This option and the select_context option are mutually exclusive.
+          </para>
+        </listitem>
+      </varlistentry>
     </variablelist>
   </refsect1>