-rw-r--r--ChangeLog9
-rw-r--r--modules/pam_namespace/pam_namespace.c16
-rw-r--r--modules/pam_selinux/pam_selinux.c22
3 files changed, 32 insertions, 15 deletions
diff --git a/ChangeLog b/ChangeLog
index 90259b9a..65e7ab1d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2008-03-20 Tomas Mraz <t8m@centrum.cz>
+
+ * modules/pam_namespace/pam_namespace.c(poly_name): Switch to USER
+ method only when appropriate.
+ (setup_namespace): Do not umount when not mounted with RUSER.
+
+ * modules/pam_selinux/pam_selinux.c(pam_sm_close_session): Call
+ freecontext() after the context is logged not before.
+
2008-03-18 Canniot Thomas <thomas.canniot@mrtomlinux.org>
* po/fr.po: Updated translation.
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index d0741fd2..80c51443 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -822,10 +822,11 @@ static int poly_name(const struct polydir_s *polyptr, char **i_name,
*/
pm = polyptr->method;
- if (pm == LEVEL || pm == USER) {
+ if (pm == LEVEL || pm == CONTEXT)
#ifdef WITH_SELINUX
- if (!(idata->flags & PAMNS_CTXT_BASED_INST))
+ if (!(idata->flags & PAMNS_CTXT_BASED_INST)) {
#else
+ {
pam_syslog(idata->pamh, LOG_NOTICE,
"Context and level methods not available, using user method");
#endif
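Review bot: The opening brace of the `if (pm == LEVEL || pm == CONTEXT)` body is now supplied separately by each preprocessor branch (the `{` on the `#ifdef WITH_SELINUX` line and the bare `{` under `#else`), which compiles but is easy to break when either branch is later edited, and the hunk does not show where the block closes because poly_name continues past it. Hoisting the build-dependent condition into a local keeps one `if` with one brace, as below, without changing which build emits the notice. In the WITH_SELINUX build the fall-back (presumably to the USER method, per the ChangeLog entry) is silent; a `LOG_DEBUG` line guarded by `idata->flags & PAMNS_DEBUG` would make that decision visible when diagnosing polyinstantiation problems.
```c
	pm = polyptr->method;
	if (pm == LEVEL || pm == CONTEXT) {
		int use_user_method;
#ifdef WITH_SELINUX
		use_user_method = !(idata->flags & PAMNS_CTXT_BASED_INST);
#else
		use_user_method = 1;
		pam_syslog(idata->pamh, LOG_NOTICE,
		    "Context and level methods not available, using user method");
#endif
		if (use_user_method) {
			/* … unchanged: switch to the user method (continues past the hunk) … */
```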
@@ -1528,13 +1529,18 @@ static int setup_namespace(struct instance_data *idata, enum unmnt_op unmnt)
*/
for (pptr = idata->polydirs_ptr; pptr; pptr = pptr->next) {
enum unmnt_op dir_unmnt = unmnt;
- if (ns_override(pptr, idata, idata->uid)) {
- if (unmnt == NO_UNMNT || ns_override(pptr, idata, idata->ruid)) {
- continue;
+
+ if (ns_override(pptr, idata, idata->ruid)) {
+ dir_unmnt = NO_UNMNT;
+ }
+ if (ns_override(pptr, idata, idata->uid)) {
+ if (dir_unmnt == NO_UNMNT) {
+ continue;
} else {
dir_unmnt = UNMNT_ONLY;
}
}
+
if (idata->flags & PAMNS_DEBUG)
pam_syslog(idata->pamh, LOG_DEBUG,
"Setting poly ns for user %d for dir %s",
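Review bot: The new ruid/uid override sequence at the top of the loop body encodes a non-obvious rule — an override for the real user downgrades the operation to `NO_UNMNT`, and an override for the effective user then either skips the directory or reduces it to `UNMNT_ONLY` — but nothing in the source says why, and the rationale ("do not umount when not mounted with RUSER") lives only in the ChangeLog. A comment before the first check would carry it into the code: `/* An override for the real user means nothing was mounted for it, so there is nothing to unmount; an override for the effective user means unmount only, or skip the dir entirely when no unmount is due. */`. Both `ns_override()` calls are now made for every polydir even when the first already forces `NO_UNMNT`; that is harmless if ns_override is cheap, which I cannot tell from here. setup_namespace's body continues on both sides of the hunk.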
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index 8959c8cf..f679e33d 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -672,7 +672,7 @@ PAM_EXTERN int
pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
int argc, const char **argv)
{
- int i, debug = 0,status=0, open_session=0;
+ int i, debug = 0, status = PAM_SUCCESS, open_session = 0;
if (! (selinux_enabled ))
return PAM_SUCCESS;
@@ -702,19 +702,21 @@ pam_sm_close_session(pam_handle_t *pamh, int flags UNUSED,
free(ttyn);
ttyn=NULL;
}
- status=setexeccon(prev_user_context);
- freecon(prev_user_context);
- if (status) {
- pam_syslog(pamh, LOG_ERR, "Error! Unable to set executable context %s.",
+ if (prev_user_context) {
+ if (setexeccon(prev_user_context)) {
+ pam_syslog(pamh, LOG_ERR, "Unable to restore executable context %s.",
prev_user_context);
- if (security_getenforce() == 1)
- return PAM_AUTH_ERR;
- else
- return PAM_SUCCESS;
+ if (security_getenforce() == 1)
+ status = PAM_AUTH_ERR;
+ else
+ status = PAM_SUCCESS;
+ }
+ freecon(prev_user_context);
+ prev_user_context = NULL;
}
if (debug)
pam_syslog(pamh, LOG_NOTICE, "setcontext back to orginal");
- return PAM_SUCCESS;
+ return status;
}
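Review bot: In the failure branch after `setexeccon()`, the `else status = PAM_SUCCESS;` is redundant because `status` is already initialised to `PAM_SUCCESS` in the earlier hunk of this file; `if (security_getenforce() == 1) status = PAM_AUTH_ERR;` alone expresses the intent. More relevant to the security outcome, `security_getenforce()` returns -1 when the enforcing state cannot be determined, and the `== 1` comparison treats that error the same as permissive mode, so a failed restore of the exec context is then reported as `PAM_SUCCESS`; comparing with `!= 0` would fail closed, if that matches the module's policy. The unconditional debug line `"setcontext back to orginal"` is also emitted after a failed restore; gating it on `status == PAM_SUCCESS` would keep the log truthful.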