From: Karel Zak Date: Wed, 13 Jan 2021 13:25:12 +0000 (+0100) Subject: chfs-chfn: remove deprecated selinux_check_passwd_access() X-Git-Tag: v2.37-rc1~182 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e1de70b3c3f6b5e26709f02197b406e2ece4ae41;p=thirdparty%2Futil-linux.git chfs-chfn: remove deprecated selinux_check_passwd_access() Signed-off-by: Karel Zak --- diff --git a/include/selinux-utils.h b/include/selinux-utils.h index adb09de3dd..20054f6a52 100644 --- a/include/selinux-utils.h +++ b/include/selinux-utils.h @@ -1,7 +1,7 @@ #ifndef UTIL_LINUX_SELINUX_UTILS_H #define UTIL_LINUX_SELINUX_UTILS_H -extern access_vector_t get_access_vector(const char *tclass, const char *op); extern int ul_setfscreatecon_from_file(char *orig_file); +extern int ul_selinux_has_access(const char *classstr, const char *perm, char **user_cxt); #endif diff --git a/lib/selinux-utils.c b/lib/selinux-utils.c index 8ce1249ad5..bd14d489ac 100644 --- a/lib/selinux-utils.c +++ b/lib/selinux-utils.c @@ -6,13 +6,6 @@ #include "selinux-utils.h" -access_vector_t get_access_vector(const char *tclass, const char *op) -{ - security_class_t tc = string_to_security_class(tclass); - - return tc ? string_to_av_perm(tc, op) : 0; -} - int ul_setfscreatecon_from_file(char *orig_file) { if (is_selinux_enabled() > 0) { @@ -28,3 +21,28 @@ int ul_setfscreatecon_from_file(char *orig_file) } return 0; } + +/* returns 1 if user has access to @class and @perm ("passwd", "chfn") + * or 0 on error, + * or 0 if has no access -- in this case sets @user_cxt to user-context + */ +int ul_selinux_has_access(const char *classstr, const char *perm, char **user_cxt) +{ + char *user; + int rc; + + if (user_cxt) + *user_cxt = NULL; + + if (getprevcon(&user) != 0) + return 0; + + rc = selinux_check_access(user, user, classstr, perm, NULL); + if (rc != 0 && user_cxt) + *user_cxt = user; + else + freecon(user); + + return rc == 0 ? 1 : 0; +} + 
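Review bot: The `*user_cxt` that `ul_selinux_has_access()` hands back on denial is the buffer allocated by `getprevcon()`, so the caller must release it with `freecon()`, but the comment above the function never says who owns it; the two callers in this commit exit through `errx()` so nothing leaks today, while a future caller that carries on would. The same comment should also say that a failed `selinux_check_access()` call (rc < 0 with errno set, e.g. an unknown class or permission string) is reported exactly like a policy denial, so callers cannot tell misconfiguration from a deny — fail-closed is the right default for a setuid tool, but it is worth stating. Suggested wording to add to the header comment: `/* On 0 with a non-NULL *user_cxt the caller owns the context and must freecon() it; any libselinux error is reported as "no access" (fail closed). */`. Minor style: `return rc == 0 ? 1 : 0;` can simply be `return rc == 0;`.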
diff --git a/login-utils/chfn.c b/login-utils/chfn.c index f094cdeb7e..80ee7f9eb9 100644 --- a/login-utils/chfn.c +++ b/login-utils/chfn.c @@ -438,22 +438,15 @@ int main(int argc, char **argv) #ifdef HAVE_LIBSELINUX if (is_selinux_enabled() > 0) { - if (uid == 0) { - access_vector_t av = get_access_vector("passwd", "chfn"); + char *user_cxt = NULL; - if (selinux_check_passwd_access(av) != 0) { - char *user_context; - - if (getprevcon(&user_context) < 0) - user_context = NULL; + if (uid == 0 && !ul_selinux_has_access("passwd", "chfn", &user_cxt)) + errx(EXIT_FAILURE, + _("%s is not authorized to change " + "the finger info of %s"), + user_cxt ? : _("Unknown user context"), + ctl.username); - errx(EXIT_FAILURE, - _("%s is not authorized to change " - "the finger info of %s"), - user_context ? : _("Unknown user context"), - ctl.username); - } - } if (ul_setfscreatecon_from_file(_PATH_PASSWD)) errx(EXIT_FAILURE, _("can't set default context for %s"), _PATH_PASSWD); diff --git a/login-utils/chsh.c b/login-utils/chsh.c index 2c1efb1175..3497120725 100644 --- a/login-utils/chsh.c +++ b/login-utils/chsh.c @@ -287,21 +287,14 @@ int main(int argc, char **argv) #ifdef HAVE_LIBSELINUX if (is_selinux_enabled() > 0) { - if (uid == 0) { - access_vector_t av = get_access_vector("passwd", "chsh"); + char *user_cxt = NULL; - if (selinux_check_passwd_access(av) != 0) { - char *user_context; - - if (getprevcon(&user_context) < 0) - user_context = NULL; + if (uid == 0 && !ul_selinux_has_access("passwd", "chsh", &user_cxt)) + errx(EXIT_FAILURE, + _("%s is not authorized to change the shell of %s"), + user_cxt ? : _("Unknown user context"), + pw->pw_name); - errx(EXIT_FAILURE, - _("%s is not authorized to change the shell of %s"), - user_context ? : _("Unknown user context"), - pw->pw_name); - } - } if (ul_setfscreatecon_from_file(_PATH_PASSWD) != 0) errx(EXIT_FAILURE, _("can't set default context for %s"), _PATH_PASSWD);
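Review bot: `user_cxt` in the new `errx()` call holds a context allocated by libselinux and is never passed to `freecon()`; that is harmless only because `errx()` terminates the process, and nothing in the hunk says so. A one-line comment above the `errx()` would keep a later refactor (one that reports the denial and continues) from turning this into a leak: `/* user_cxt (if set) is intentionally not freed: errx() does not return */`. Note that the check still runs only for `uid == 0`, as before; non-root callers are presumably gated elsewhere in `main()`, which continues outside the hunk.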
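Review bot: The new chsh block is a line-for-line copy of the chfn block in this same commit — declare `user_cxt`, test `uid == 0 && !ul_selinux_has_access("passwd", <perm>, &user_cxt)`, `errx()` with the context, then `ul_setfscreatecon_from_file(_PATH_PASSWD)` — with only the permission name and the message text differing. Since `ul_selinux_has_access()` was just introduced in lib/selinux-utils.c, the denial-and-exit sequence could live beside it as one helper taking the permission name and the target user name, so the two setuid tools cannot drift apart in how a denied or failed check is handled. This is a style point, not a defect: the new chsh code behaves as the removed code did. `main()` continues outside the hunk.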