Avoiding getpwnam() by default
aleksander at aleksander.es
Tue Dec 30 04:53:22 PST 2014
On Tue, Dec 30, 2014 at 10:08 AM, Aleksander Morgado <aleksander at aleksander.es> wrote:
> The recently introduced check for MBIM username ends up using
> getpwnam() by default always (same in libqmi). This method triggers a
> read in the /etc/passwd file, which gets detected by SELinux enabled
> SELinux is preventing /usr/bin/bash from read access on the file /etc/passwd.
> ***** Plugin catchall (100. confidence) suggests **************************
> If you believe that bash should be allowed read access on the passwd file by default.
> Then you should report this as a bug.
> You can generate a local policy module to allow this access.
> allow this access for now by executing:
> # grep mbim-proxy /var/log/audit/audit.log | audit2allow -M mypol
> # semodule -i mypol.pp
> What do you think of updating the logic in the __mbim_user_allowed()
> method to not call getpwnam() if the user didn't use the
> --enable-mbim-username option?
> Instead of defining MBIM_USERNAME to "root" when the
> --enable-mbim-username isn't used, I would leave it undefined
> completely, so that we can do #ifndef MBIM_USERNAME in the code, and
> just check for uid==0 in that case.
> Most distributions will not use the new option, so we shouldn't add
> unnecessary stuff like the getpwnam() call.
Roshan, this is what I mean:
If --enable-mbim-username is not used we just don't install the udev
rules and the proxy will only check for UID == 0 to allow the incoming
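The shape of the check being proposed, as an added example that is not libmbim's own code: MBIM_USERNAME is assumed to be defined only by --enable-mbim-username, root is assumed to stay allowed in both builds, and peer_uid() (SO_PEERCRED on a connected AF_UNIX socket) is an assumed way for the proxy to learn the caller's uid.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef MBIM_USERNAME
#include <pwd.h>      /* needed only by the --enable-mbim-username build */
#endif

/* Root is always allowed. Only when MBIM_USERNAME is defined (assumed here to be
 * what --enable-mbim-username does) is the extra user looked up with getpwnam(),
 * the /etc/passwd read that SELinux flagged above; the default build never does it. */
static bool mbim_user_allowed (uid_t uid)
{
    if (uid == 0)
        return true;
#ifdef MBIM_USERNAME
    struct passwd *pw = getpwnam (MBIM_USERNAME);
    if (pw == NULL)
        return false;  /* unknown configured user: fail closed */
    return pw->pw_uid == uid;
#else
    return false;      /* default build: uid 0 only, no passwd lookup at all */
#endif
}

/* Real uid of the process at the other end of a connected AF_UNIX socket (how a
 * proxy learns who is connecting); (uid_t) -1 where SO_PEERCRED does not exist. */
static uid_t peer_uid (int fd)
{
#ifdef SO_PEERCRED
    struct { pid_t pid; uid_t uid; gid_t gid; } cred;  /* layout of Linux struct ucred */
    socklen_t len = sizeof (cred);
    if (getsockopt (fd, SOL_SOCKET, SO_PEERCRED, &cred, &len) == 0)
        return cred.uid;
#endif
    return (uid_t) -1;
}

int main (void)
{
    int sv[2];
    if (socketpair (AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 1;
    uid_t uid = peer_uid (sv[0]);  /* both ends are this process, so our own uid */
    printf ("peer uid %u: %s\n", (unsigned) uid,
            mbim_user_allowed (uid) ? "allowed" : "rejected");
    close (sv[0]);
    close (sv[1]);
    return 0;
}
```

Build with -DMBIM_USERNAME='"someuser"' to get the getpwnam() path; without it the binary never touches /etc/passwd.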