[PATCH] default_contexts: introduce PAM stacks

[PATCH] default_contexts: introduce PAM stacks

[Rahul Sandhu]

This allows a default_contexts entry to only be matched for a given PAM
stack. This feature isn't implemented by us in this commit, though it
may be in the future should it prove useful for `pam_selinux`.

Signed-off-by: Rahul Sandhu <nvraxn@gmail.com>
---
 libselinux/man/man5/default_contexts.5 | 8 +++++++-
 libselinux/src/get_context_list.c      | 6 ++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/libselinux/man/man5/default_contexts.5 b/libselinux/man/man5/default_contexts.5
index f63d24a0..49ebbd25 100644
--- a/libselinux/man/man5/default_contexts.5
+++ b/libselinux/man/man5/default_contexts.5
@@ -35,7 +35,7 @@ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIco
 .SH "FILE FORMAT"
 Each line in the default configuration file consists of the following:
 .RS
-.I login_process user_login_process [user_login_process] ...
+.I login_process user_login_process [user_login_process] ... <pam_stack>
 .RE
 .sp
 Where:
@@ -48,6 +48,10 @@ This consists of a \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entry that represents
 .RS
 This consists of one or more \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entries that represent the user login process context defined in the policy.
 .RE
+.I pam_stack
+.RS
+This consists of a name for a PAM stack required for a match.  All PAM stacks must be enclosed in quotes, else they will be treated as a \fIuser_login_process\fR.
+.RE
 .RE
 .
 .SH "EXAMPLE"
@@ -64,6 +68,8 @@ system_r:sshd_t:s0			 user_r:user_t:s0
 system_r:sulogin_t:s0		 sysadm_r:sysadm_t:s0
 .br
 system_r:xdm_t:s0			 user_r:user_t:s0
+.br
+system_r:xdm_t:s0			 user_r:user_t:s0 "login"
 .
 .SH "SEE ALSO"
 .ad l
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index 0f3bdc5c..8e9c5bc2 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -165,6 +165,12 @@ static int get_context_user(FILE * fp,
 		if (line[len - 1] == '\n')
 			line[len - 1] = 0;
 
+		/* This line requires a pam stack to be matched, which we don't handle. */
+		if (strchr(line, '"')) {
+			found = 0;
+			continue;
+		}
+
 		/* Skip leading whitespace. */
 		start = line;
 		while (*start && isspace((unsigned char)*start))
-- 
2.50.1

[PATCH v2] default_contexts: introduce PAM stacks

[Rahul Sandhu]

This allows a default_contexts entry to only be matched for a given PAM
stack. This feature isn't implemented by us in this commit, though it
may be in the future should it prove useful for `pam_selinux`.

Signed-off-by: Rahul Sandhu <nvraxn@gmail.com>
---
 libselinux/man/man5/default_contexts.5 | 8 +++++++-
 libselinux/src/get_context_list.c      | 4 ++++
 2 files changed, 11 insertions(+), 1 deletion(-)

v2: no need to set found to 0, it's already initalised as that. not
    sure what I was thinking...

diff --git a/libselinux/man/man5/default_contexts.5 b/libselinux/man/man5/default_contexts.5
index f63d24a0..49ebbd25 100644
--- a/libselinux/man/man5/default_contexts.5
+++ b/libselinux/man/man5/default_contexts.5
@@ -35,7 +35,7 @@ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIco
 .SH "FILE FORMAT"
 Each line in the default configuration file consists of the following:
 .RS
-.I login_process user_login_process [user_login_process] ...
+.I login_process user_login_process [user_login_process] ... <pam_stack>
 .RE
 .sp
 Where:
@@ -48,6 +48,10 @@ This consists of a \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entry that represents
 .RS
 This consists of one or more \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entries that represent the user login process context defined in the policy.
 .RE
+.I pam_stack
+.RS
+This consists of a name for a PAM stack required for a match.  All PAM stacks must be enclosed in quotes, else they will be treated as a \fIuser_login_process\fR.
+.RE
 .RE
 .
 .SH "EXAMPLE"
@@ -64,6 +68,8 @@ system_r:sshd_t:s0			 user_r:user_t:s0
 system_r:sulogin_t:s0		 sysadm_r:sysadm_t:s0
 .br
 system_r:xdm_t:s0			 user_r:user_t:s0
+.br
+system_r:xdm_t:s0			 user_r:user_t:s0 "login"
 .
 .SH "SEE ALSO"
 .ad l
diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
index 0f3bdc5c..331a26d8 100644
--- a/libselinux/src/get_context_list.c
+++ b/libselinux/src/get_context_list.c
@@ -165,6 +165,10 @@ static int get_context_user(FILE * fp,
 		if (line[len - 1] == '\n')
 			line[len - 1] = 0;
 
+		/* This line requires a pam stack to be matched, which we don't handle. */
+		if (strchr(line, '"'))
+			continue;
+
 		/* Skip leading whitespace. */
 		start = line;
 		while (*start && isspace((unsigned char)*start))
-- 
2.50.1

Re: [PATCH v2] default_contexts: introduce PAM stacks

[Stephen Smalley]

On Tue, Oct 7, 2025 at 8:06 PM Rahul Sandhu <nvraxn@gmail.com> wrote:
>
> This allows a default_contexts entry to only be matched for a given PAM
> stack. This feature isn't implemented by us in this commit, though it
> may be in the future should it prove useful for `pam_selinux`.
>
> Signed-off-by: Rahul Sandhu <nvraxn@gmail.com>
> ---
>  libselinux/man/man5/default_contexts.5 | 8 +++++++-
>  libselinux/src/get_context_list.c      | 4 ++++
>  2 files changed, 11 insertions(+), 1 deletion(-)
>
> v2: no need to set found to 0, it's already initalised as that. not
>     sure what I was thinking...

I'd like to see an actual implementation of how this will be used
before we add it to libselinux.
Also looking for input from the distro package maintainers.

>
> diff --git a/libselinux/man/man5/default_contexts.5 b/libselinux/man/man5/default_contexts.5
> index f63d24a0..49ebbd25 100644
> --- a/libselinux/man/man5/default_contexts.5
> +++ b/libselinux/man/man5/default_contexts.5
> @@ -35,7 +35,7 @@ Where \fI{SELINUXTYPE}\fR is the entry from the selinux configuration file \fIco
>  .SH "FILE FORMAT"
>  Each line in the default configuration file consists of the following:
>  .RS
> -.I login_process user_login_process [user_login_process] ...
> +.I login_process user_login_process [user_login_process] ... <pam_stack>
>  .RE
>  .sp
>  Where:
> @@ -48,6 +48,10 @@ This consists of a \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entry that represents
>  .RS
>  This consists of one or more \fIrole\fB:\fItype\fR[\fB:\fIrange\fR] entries that represent the user login process context defined in the policy.
>  .RE
> +.I pam_stack
> +.RS
> +This consists of a name for a PAM stack required for a match.  All PAM stacks must be enclosed in quotes, else they will be treated as a \fIuser_login_process\fR.
> +.RE
>  .RE
>  .
>  .SH "EXAMPLE"
> @@ -64,6 +68,8 @@ system_r:sshd_t:s0                     user_r:user_t:s0
>  system_r:sulogin_t:s0           sysadm_r:sysadm_t:s0
>  .br
>  system_r:xdm_t:s0                       user_r:user_t:s0
> +.br
> +system_r:xdm_t:s0                       user_r:user_t:s0 "login"
>  .
>  .SH "SEE ALSO"
>  .ad l
> diff --git a/libselinux/src/get_context_list.c b/libselinux/src/get_context_list.c
> index 0f3bdc5c..331a26d8 100644
> --- a/libselinux/src/get_context_list.c
> +++ b/libselinux/src/get_context_list.c
> @@ -165,6 +165,10 @@ static int get_context_user(FILE * fp,
>                 if (line[len - 1] == '\n')
>                         line[len - 1] = 0;
>
> +               /* This line requires a pam stack to be matched, which we don't handle. */
> +               if (strchr(line, '"'))
> +                       continue;
> +
>                 /* Skip leading whitespace. */
>                 start = line;
>                 while (*start && isspace((unsigned char)*start))
> --
> 2.50.1
>
>

Re: [PATCH v2] default_contexts: introduce PAM stacks

[Rahul Sandhu]

> I'd like to see an actual implementation of how this will be used
> before we add it to libselinux.
> Also looking for input from the distro package maintainers.

Sure, no problem. I'll have a patch for pam_selinux(8) ready soon as
well. This patch goes back to the systemd-run0 discussion we had. I
just realised that if we're adding this to default_contexts, then we
also want to probably add the same functionality to contexts/users, so
I'll send another (RFC?) patch to document that too.

Would you like me to ping your github account (@stephensmalley) on the
PR I send to pam?

Regards,
Rahul

Re: [PATCH v2] default_contexts: introduce PAM stacks

[Stephen Smalley]

On Tue, Oct 14, 2025 at 4:44 AM Rahul Sandhu <nvraxn@gmail.com> wrote:
>
> > I'd like to see an actual implementation of how this will be used
> > before we add it to libselinux.
> > Also looking for input from the distro package maintainers.
>
> Sure, no problem. I'll have a patch for pam_selinux(8) ready soon as
> well. This patch goes back to the systemd-run0 discussion we had. I
> just realised that if we're adding this to default_contexts, then we
> also want to probably add the same functionality to contexts/users, so
> I'll send another (RFC?) patch to document that too.

I think ideally we'd provide an extended libselinux function for
reading these values for use by the pam modules to avoid exposing the
file format directly to the pam modules, unless that has already
happened.

>
> Would you like me to ping your github account (@stephensmalley) on the
> PR I send to pam?

Sure.