git.ipfire.org Git - thirdparty/shadow.git/commit

author	Christian Göttsche <cgzones@googlemail.com>
	Tue, 15 Oct 2019 21:33:54 +0000 (23:33 +0200)
committer	Christian Göttsche <cgzones@googlemail.com>
	Tue, 22 Oct 2019 12:56:31 +0000 (14:56 +0200)
commit	cbd2472b7cfe927b6e74aececcb60f0f9de4925a
tree	22ca80632b6bf487a06da0a8bf8baa48508d0138	tree
parent	a0efca4581b3542ca4ac6311784a886272ea8481	commit \| diff

migrate to new SELinux api

Using hard-coded access vector ids is deprecated and can lead to issues with custom SELinux policies.
Switch to `selinux_check_access()`.

Also use the libselinux log callback and log if available to audit.
This makes it easier for users to catch SELinux denials.

Drop legacy shortcut logic for passwd, which avoided a SELinux check if uid 0 changes a password of a user which username equals the current SELinux user identifier.
Nowadays usernames rarely match SELinux user identifiers and the benefit of skipping a SELinux check is negligible.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

lib/prototypes.h		diff \| blob \| blame \| history
lib/selinux.c		diff \| blob \| blame \| history
src/Makefile.am		diff \| blob \| blame \| history
src/chage.c		diff \| blob \| blame \| history
src/chfn.c		diff \| blob \| blame \| history
src/chsh.c		diff \| blob \| blame \| history
src/passwd.c		diff \| blob \| blame \| history