From da695db7a453b1e2a5ef63fcca21d59a2ed75dda Mon Sep 17 00:00:00 2001 From: Tomas Mraz Date: Tue, 11 Mar 2014 09:59:12 +0100 Subject: pam_selinux: canonicalize user name SELinux expects canonical user name for example without domain component. * modules/pam_selinux/pam_selinux.c (compute_exec_context): Canonicalize user name with pam_modutil_getpwnam(). --- modules/pam_selinux/pam_selinux.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'modules/pam_selinux/pam_selinux.c')
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index b96cc236..b2a75e02 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -491,12 +491,17 @@ compute_exec_context(pam_handle_t *pamh, module_data_t *data,
 char *level = NULL;
 security_context_t *contextlist = NULL;
 int num_contexts = 0;
+ const struct passwd *pwd;
 if (!(username = get_item(pamh, PAM_USER))) {
 pam_syslog(pamh, LOG_ERR, "Cannot obtain the user name");
 return PAM_USER_UNKNOWN;
 }
+ if ((pwd = pam_modutil_getpwnam(pamh, username)) != NULL) {
+ username = pwd->pw_name;
+ } /* ignore error and keep using original username */
+
 /* compute execute context */
 #ifdef HAVE_GETSEUSER
 if (!(service = get_item(pamh, PAM_SERVICE))) {
-- cgit v1.2.3
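Review bot: The fallback on the added `if ((pwd = pam_modutil_getpwnam(pamh, username)) != NULL)` is silent, so a failed lookup (unknown user, or an NSS or allocation error, which a NULL return does not distinguish) leaves the non-canonical name in use for the SELinux user lookup that follows, with nothing in the log. Since the commit message says SELinux expects the canonical name, the exec context may then be computed from a different mapping than intended; an `else` branch such as `pam_syslog(pamh, LOG_DEBUG, "Cannot canonicalize user name, using it as supplied");` would make that diagnosable, and leaving the name itself out of the message avoids logging whatever was typed at the login prompt. The trailing comment could also say that `username` now points at `pwd->pw_name`, which is storage owned by pam_modutil rather than the PAM_USER item, presumably valid for the life of the handle; that is worth confirming because `username` is used after this point. compute_exec_context starts and ends outside the hunk.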