authorChristian Göttsche <cgzones@googlemail.com>2023-01-16 20:58:26 +0100
committerChristian Göttsche <cgzones@googlemail.com>2023-01-24 16:55:53 +0100
commitf98a070c8d163b39c1d170166a0d5cb35b74445d (patch)
tree571ae400a969f0da5eb3d597e9d8bbafcacce57d
parent9ae4fb5436eb25771be0330eed996951de96fa79 (diff)
pam_selinux: treat getenforce failures as enforcing
security_getenforce(3) can return -1 on error, either because the selinuxfs is not mounted or because reading from /sys/fs/selinux/enforce failed. Since security_getenforce(3) is called either after an approving call to is_selinux_enabled(3) in create_context(), or with populated module data in restore_context(), which requires a previous pass of create_context(), the selinuxfs should be mounted. Reading from /sys/fs/selinux/enforce should never fail (except when prohibited by the SELinux policy itself), since it is a public interface. In the unlikely case that security_getenforce(3) nevertheless fails, continue execution as if the result was enforcing (as pam_sepermit and pam_rootok already do).
-rw-r--r--modules/pam_selinux/pam_selinux.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/modules/pam_selinux/pam_selinux.c b/modules/pam_selinux/pam_selinux.c
index d8e10d8e..bf605c8b 100644
--- a/modules/pam_selinux/pam_selinux.c
+++ b/modules/pam_selinux/pam_selinux.c
@@ -553,7 +553,7 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data)
}
pam_syslog(pamh, LOG_ERR, "Failed to get current context for %s: %m",
data->tty_path);
- return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS;
+ return (security_getenforce() != 0) ? PAM_SESSION_ERR : PAM_SUCCESS;
}
tclass = string_to_security_class("chr_file");
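Review bot: The new `security_getenforce() != 0` test silently folds the error return (-1) into "enforcing" without any record of the failure, so an administrator whose sessions start being refused has no log line pointing at a getenforce failure; the same expression is repeated on the new side of this hunk and at lines 33, 41, 48, 55 and 62. Since the fail-closed decision is documented only in the commit message, a single static helper would keep the six sites consistent and carry the rationale in the code, for example `static int selinux_enforcing(const pam_handle_t *pamh) { int rc = security_getenforce(); if (rc < 0) pam_syslog(pamh, LOG_ERR, "Failed to get enforcing mode, assuming enforcing: %m"); return rc != 0; }` with the comment `/* treat getenforce failure as enforcing, like pam_sepermit and pam_rootok */`. Whether `%m` is meaningful here depends on libselinux preserving errno from the underlying open/read, which I cannot confirm from this hunk. The enclosing compute_tty_context() starts before and continues after this hunk.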
@@ -563,7 +563,7 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data)
data->prev_tty_context = NULL;
free(data->tty_path);
data->tty_path = NULL;
- return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS;
+ return (security_getenforce() != 0) ? PAM_SESSION_ERR : PAM_SUCCESS;
}
if (security_compute_relabel(data->exec_context, data->prev_tty_context,
@@ -575,7 +575,7 @@ compute_tty_context(const pam_handle_t *pamh, module_data_t *data)
data->prev_tty_context = NULL;
free(data->tty_path);
data->tty_path = NULL;
- return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS;
+ return (security_getenforce() != 0) ? PAM_SESSION_ERR : PAM_SUCCESS;
}
return PAM_SUCCESS;
@@ -606,7 +606,7 @@ restore_context(const pam_handle_t *pamh, const module_data_t *data, int debug)
data->prev_exec_context ? data->prev_exec_context : "");
err |= set_exec_context(pamh, data->prev_exec_context);
- if (err && security_getenforce() == 1)
+ if (err && security_getenforce() != 0)
return PAM_SESSION_ERR;
return PAM_SUCCESS;
@@ -658,7 +658,7 @@ set_context(pam_handle_t *pamh, const module_data_t *data,
}
#endif
- if (err && security_getenforce() == 1)
+ if (err && security_getenforce() != 0)
return PAM_SESSION_ERR;
return PAM_SUCCESS;
@@ -717,7 +717,7 @@ create_context(pam_handle_t *pamh, int argc, const char **argv,
if (!data->exec_context) {
free_module_data(data);
- return (security_getenforce() == 1) ? PAM_SESSION_ERR : PAM_SUCCESS;
+ return (security_getenforce() != 0) ? PAM_SESSION_ERR : PAM_SUCCESS;
}
if (ttys && (i = compute_tty_context(pamh, data)) != PAM_SUCCESS) {