Avoiding getpwnam() by default

Aleksander Morgado aleksander at aleksander.es
Tue Dec 30 01:08:39 PST 2014

Hey Roshan,

The recently introduced check for MBIM username ends up using
getpwnam() by default always (same in libqmi). This method triggers a
read in the /etc/passwd file, which gets detected by SELinux enabled

SELinux is preventing /usr/bin/bash from read access on the file /etc/passwd.

                                           *****  Plugin catchall
(100. confidence) suggests   **************************

                                           If you believe that bash
should be allowed read access on the passwd file by default.
                                           Then you should report this as a bug.
                                           You can generate a local
policy module to allow this access.
                                           allow this access for now
by executing:
                                           # grep mbim-proxy
/var/log/audit/audit.log | audit2allow -M mypol
                                           # semodule -i mypol.pp

What do you think of updating the logic in the __mbim_user_allowed()
method to not call getpwnam() if the user didn't use the
--enable-mbim-username option?

Instead of defining MBIM_USERNAME to "root" when the
--enable-mbim-username isn't used, I would leave it undefined
completely, so that we can do #ifndef MBIM_USERNAME in the code, and
just check for uid==0 in that case.

Most distributions will not use the new option, so we shouldn't add
unnecessary stuff like the getpwnam() call.


More information about the libmbim-devel mailing list