From 5bd6274e97f14bb531e04d581c6169bc94afaa43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Mon, 3 Aug 2020 20:25:23 +0200
Subject: pam_namespace: skip context translation
These retrieved contexts are just passed to libselinux functions and not printed or otherwise made available to the outside, so a context translation to human readable MCS/MLS labels is not needed. (see man:setrans.conf(5))
---
 modules/pam_namespace/pam_namespace.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/modules/pam_namespace/pam_namespace.c b/modules/pam_namespace/pam_namespace.c
index 94a2223a..f8ced1c3 100644
--- a/modules/pam_namespace/pam_namespace.c
+++ b/modules/pam_namespace/pam_namespace.c
@@ -1318,7 +1318,7 @@ static int create_polydir(struct polydir_s *polyptr,
 mode_t mode;
 int rc;
 #ifdef WITH_SELINUX
- char *dircon, *oldcon = NULL;
+ char *dircon_raw, *oldcon_raw = NULL;
 struct selabel_handle *label_handle;
 #endif
 const char *dir = polyptr->dir;
@@ -1332,25 +1332,25 @@ static int create_polydir(struct polydir_s *polyptr,
 #ifdef WITH_SELINUX
 if (idata->flags & PAMNS_SELINUX_ENABLED) {
- getfscreatecon(&oldcon);
+ getfscreatecon_raw(&oldcon_raw);
 label_handle = selabel_open(SELABEL_CTX_FILE, NULL, 0);
 if (!label_handle) {
 pam_syslog(idata->pamh, LOG_NOTICE,
 "Unable to initialize SELinux labeling handle: %m");
 } else {
- rc = selabel_lookup_raw(label_handle, &dircon, dir, S_IFDIR);
+ rc = selabel_lookup_raw(label_handle, &dircon_raw, dir, S_IFDIR);
 if (rc) {
 pam_syslog(idata->pamh, LOG_NOTICE,
 "Unable to get default context for directory %s, check your policy: %m", dir);
 } else {
 if (idata->flags & PAMNS_DEBUG)
 pam_syslog(idata->pamh, LOG_DEBUG,
- "Polydir %s context: %s", dir, dircon);
+ "Polydir %s context: %s", dir, dircon_raw);
- if (setfscreatecon_raw(dircon) != 0)
+ if (setfscreatecon_raw(dircon_raw) != 0)
 pam_syslog(idata->pamh, LOG_NOTICE,
 "Error setting context for directory %s: %m", dir);
- freecon(dircon);
+ freecon(dircon_raw);
 }
 selabel_close(label_handle);
 }
@@ -1366,10 +1366,10 @@ static int create_polydir(struct polydir_s *polyptr,
 #ifdef WITH_SELINUX
 if (idata->flags & PAMNS_SELINUX_ENABLED) {
- if (setfscreatecon(oldcon) != 0)
+ if (setfscreatecon_raw(oldcon_raw) != 0)
 pam_syslog(idata->pamh, LOG_NOTICE,
 "Error resetting fs create context: %m");
- freecon(oldcon);
+ freecon(oldcon_raw);
 }
 #endif
-- cgit v1.2.3
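Review bot: The return value of `getfscreatecon_raw(&oldcon_raw)` in the second hunk is ignored, so a failed lookup leaves `oldcon_raw` at its initial NULL and nothing is logged. The third hunk then calls `setfscreatecon_raw(oldcon_raw)` with NULL, which resets the fs create context to the policy default instead of restoring what the calling process had set, so objects it creates afterwards may be labelled differently from what it expects. Checking the call, for example `if (getfscreatecon_raw(&oldcon_raw) != 0) pam_syslog(idata->pamh, LOG_NOTICE, "Error retrieving fs create context: %m");`, would at least make that visible in the log. create_polydir starts and ends outside these hunks, so whether the function goes on to create the directory after a failed `setfscreatecon_raw(dircon_raw)` cannot be judged from here and is worth confirming.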