pam: use /proc/self/sessionid only if CAP_AUDIT_CONTROL is set

src/pam-module.c

@@ -221,6 +221,7 @@ static uint64_t get_session_id(int *mode) {
 
         /* First attempt: let's use the session ID of the audit
          * system, if it is available. */
+        if (have_effective_cap(CAP_AUDIT_CONTROL) > 0)
                 if (read_one_line_file("/proc/self/sessionid", &s) >= 0) {
                         uint32_t u;
                         int r;
@@ -289,7 +290,7 @@ static int get_user_data(
         assert(ret_username);
         assert(ret_pw);
 
-        if (have_effective_cap(CAP_AUDIT_CONTROL)) {
+        if (have_effective_cap(CAP_AUDIT_CONTROL) > 0) {
                 /* Only use audit login uid if we are executed with
                  * sufficient capabilities so that pam_loginuid could
                  * do its job. If we are lacking the CAP_AUDIT_CONTROL