Avoiding getpwnam() by default
Aleksander Morgado
aleksander at aleksander.es
Tue Dec 30 01:08:39 PST 2014
Hey Roshan,
The recently introduced check for MBIM username ends up using
getpwnam() by default always (same in libqmi). This method triggers a
read in the /etc/passwd file, which gets detected by SELinux enabled
systems:
    SELinux is preventing /usr/bin/bash from read access on the file /etc/passwd.

    ***** Plugin catchall (100. confidence) suggests **************************

    If you believe that bash should be allowed read access on the passwd file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep mbim-proxy /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp
What do you think of updating the logic in the __mbim_user_allowed()
method to not call getpwnam() if the user didn't use the
--enable-mbim-username option?
Instead of defining MBIM_USERNAME to "root" when the
--enable-mbim-username isn't used, I would leave it undefined
completely, so that we can do #ifndef MBIM_USERNAME in the code, and
just check for uid==0 in that case.
Most distributions will not use the new option, so we shouldn't add
unnecessary stuff like the getpwnam() call.
--
Aleksander
https://aleksander.es
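An added example in C, not libmbim's own __mbim_user_allowed() and not code from this thread, sketching the check proposed above: the passwd lookup only happens when a configured username is present, so a default build with MBIM_USERNAME left undefined never calls getpwnam() and therefore never reads /etc/passwd (the access the SELinux denial above complains about). The names user_allowed_with_config, mbim_user_allowed_example and passwd_lookup_count are assumptions made for this example; passing NULL as the configured username models a build without --enable-mbim-username, and the lookup counter exists only so that the "no getpwnam() by default" property can be verified rather than assumed.

```c
#include <pwd.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Counts how many times the passwd database was consulted (example-only
 * instrumentation; a real build would not carry this). */
static int passwd_lookups = 0;

int
passwd_lookup_count (void)
{
    return passwd_lookups;
}

/* Core check. configured_username == NULL models a build where
 * --enable-mbim-username was not given, i.e. MBIM_USERNAME is undefined. */
bool
user_allowed_with_config (uid_t uid, const char *configured_username)
{
    /* root is always allowed and needs no lookup at all */
    if (uid == 0)
        return true;

    /* default build: there is nothing else to compare against, so stop
     * here without ever touching /etc/passwd */
    if (configured_username == NULL)
        return false;

    /* only an opt-in build with a specific username pays for the lookup */
    passwd_lookups++;
    struct passwd *pw = getpwnam (configured_username);
    if (pw == NULL) {
        fprintf (stderr, "configured user '%s' does not exist\n",
                 configured_username);
        return false;
    }
    return pw->pw_uid == uid;
}

/* Build-time wrapper: with MBIM_USERNAME undefined (the default), the
 * getpwnam() path is never reached. */
bool
mbim_user_allowed_example (uid_t uid)
{
#ifdef MBIM_USERNAME
    return user_allowed_with_config (uid, MBIM_USERNAME);
#else
    return user_allowed_with_config (uid, NULL);
#endif
}

int
main (void)
{
    uid_t me = getuid ();

    printf ("uid %u allowed in default build: %s\n",
            (unsigned) me, mbim_user_allowed_example (me) ? "yes" : "no");
    printf ("passwd lookups performed: %d\n", passwd_lookup_count ());
    return 0;
}
```

Compiled without -DMBIM_USERNAME, the program reports zero passwd lookups whatever uid it runs as; compiling with -DMBIM_USERNAME='"someuser"' is the only way to make getpwnam() run, which is exactly the behaviour the proposal asks for.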