Relevant BUGIDs: none

Purpose of commit: new feature

Commit summary:
---------------

Add SELinux support, based on Patch from Red Hat

2 files changed, 14 insertions, 0 deletions

diff --git a/modules/pam_rootok/Makefile b/modules/pam_rootok/Makefile
index 3460c2a2..0c868c91 100644
--- a/modules/pam_rootok/Makefile
+++ b/modules/pam_rootok/Makefile
@@ -13,3 +13,9 @@ include ../../Make.Rules
 TITLE=pam_rootok
 
 include ../Simple.Rules
+
+ifeq ($(HAVE_LIBSELINUX),yes)
+CFLAGS += -DWITH_SELINUX
+LINK_PAMMODUTILS += -lselinux
+endif
+
diff --git a/modules/pam_rootok/pam_rootok.c b/modules/pam_rootok/pam_rootok.c
index a7342104..93e31691 100644
--- a/modules/pam_rootok/pam_rootok.c
+++ b/modules/pam_rootok/pam_rootok.c
@@ -39,6 +39,11 @@ static void _pam_log(int err, const char *format, ...)
 }
 
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#include <selinux/av_permissions.h>
+#endif
+
 /* argument parsing */
 
 #define PAM_DEBUG_ARG       01
@@ -73,6 +78,9 @@ int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc
 
     ctrl = _pam_parse(argc, argv);
     if (getuid() == 0)
+#ifdef WITH_SELINUX
+      if (is_selinux_enabled()<1 || checkPasswdAccess(PASSWD__ROOTOK)==0)
+#endif
 	retval = PAM_SUCCESS;
 
     if (ctrl & PAM_DEBUG_ARG) {