smack: label /etc/passwd and friends as '_' smack label when --with-smack-run-label... 1481/head
authorSangjung Woo <sangjung.woo@samsung.com>
Tue, 6 Oct 2015 10:08:16 +0000 (19:08 +0900)
committerSangjung Woo <sangjung.woo@samsung.com>
Wed, 7 Oct 2015 07:37:25 +0000 (16:37 +0900)
systemd-sysusers.service unit creates system users and groups and it
could update /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow.
Those files should have '_' smack label because of accessibility.

However, if systemd has its own smack label set via the '--with-smack-run-label'
configuration, the systemd-sysusers process spawned by systemd (pid 1) inherits
its parent's smack label, and consequently the updated files are also set to
that parent smack label.

This patch fixes that bug by labeling updated files as '_' smack label
when --with-smack-run-label' is enabled.

src/basic/smack-util.c
src/basic/smack-util.h
src/sysusers/sysusers.c

index 9e221d6eab3879eb40c07e404a4932141fab6f02..5f570ff02ae11c27fa620f05ab519230d86c6296 100644 (file)
@@ -29,9 +29,6 @@
 #include "fileio.h"
 #include "smack-util.h"
 
-#define SMACK_FLOOR_LABEL "_"
-#define SMACK_STAR_LABEL  "*"
-
 #ifdef HAVE_SMACK
 bool mac_smack_use(void) {
         static int cached_use = -1;
index b3aa55eb8a1fdc0dbef27c3ccb4c436479c2e2bf..e756dc8c2896f7f0bd06453b95f9f52c8289b7ce 100644 (file)
@@ -27,6 +27,9 @@
 
 #include "macro.h"
 
+#define SMACK_FLOOR_LABEL "_"
+#define SMACK_STAR_LABEL  "*"
+
 typedef enum SmackAttr {
         SMACK_ATTR_ACCESS = 0,
         SMACK_ATTR_EXEC = 1,
index 07494e764bd61a1586066e3abf3d2f2037961622..ba09727080ac8cd0e873c67888af6c378dff4e6c 100644 (file)
@@ -38,6 +38,7 @@
 #include "uid-range.h"
 #include "utf8.h"
 #include "util.h"
+#include "smack-util.h"
 
 typedef enum ItemType {
         ADD_USER = 'u',
@@ -352,6 +353,19 @@ static int sync_rights(FILE *from, FILE *to) {
         return 0;
 }
 
+static int rename_and_apply_smack(const char *temp_path, const char *dest_path) {
+        int r = 0;
+        if (rename(temp_path, dest_path) < 0)
+                return -errno;
+
+#ifdef SMACK_RUN_LABEL
+        r = mac_smack_apply(dest_path, SMACK_ATTR_ACCESS, SMACK_FLOOR_LABEL);
+        if (r < 0)
+                return r;
+#endif
+        return r;
+}
+
 static int write_files(void) {
 
         _cleanup_fclose_ FILE *passwd = NULL, *group = NULL, *shadow = NULL, *gshadow = NULL;
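Review bot: rename_and_apply_smack (the new function at the top of this hunk) applies the floor label only after rename() has already published the file, so the new /etc/passwd or /etc/group is briefly visible with the process's run label, and if mac_smack_apply then fails the function reports an error while the mislabeled file already sits at dest_path and the caller's `*_tmp` pointer now names a path that no longer exists. Labeling temp_path before the rename keeps the swap atomic from a labeling standpoint and leaves nothing half-done on failure; it also removes the need for `int r = 0;` and the two separate `return r;` paths. The same ordering applies to all four call sites in write_files in the later hunk of this file, so fixing it here fixes them all. I cannot see mac_smack_apply from this hunk; if it already returns 0 when SMACK is not in use, the `#ifdef SMACK_RUN_LABEL` guard is still a reasonable build-time opt-in, but a one-line comment such as `/* Only relabel when systemd itself runs under a dedicated SMACK label; otherwise the temp file already carries the floor label */` would explain why it gates on the configured run label rather than on runtime SMACK availability. write_files, whose opening lines close this hunk, continues outside it.
```c
static int rename_and_apply_smack(const char *temp_path, const char *dest_path) {
#ifdef SMACK_RUN_LABEL
        int r;

        /* Label the temporary file first so the destination never appears
         * under the run label, and a labeling failure leaves dest_path untouched. */
        r = mac_smack_apply(temp_path, SMACK_ATTR_ACCESS, SMACK_FLOOR_LABEL);
        if (r < 0)
                return r;
#endif
        if (rename(temp_path, dest_path) < 0)
                return -errno;

        return 0;
}
```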
@@ -698,36 +712,32 @@ static int write_files(void) {
         /* And make the new files count */
         if (group_changed) {
                 if (group) {
-                        if (rename(group_tmp, group_path) < 0) {
-                                r = -errno;
+                        r = rename_and_apply_smack(group_tmp, group_path);
+                        if (r < 0)
                                 goto finish;
-                        }
 
                         group_tmp = mfree(group_tmp);
                 }
                 if (gshadow) {
-                        if (rename(gshadow_tmp, gshadow_path) < 0) {
-                                r = -errno;
+                        r = rename_and_apply_smack(gshadow_tmp, gshadow_path);
+                        if (r < 0)
                                 goto finish;
-                        }
 
                         gshadow_tmp = mfree(gshadow_tmp);
                 }
         }
 
         if (passwd) {
-                if (rename(passwd_tmp, passwd_path) < 0) {
-                        r = -errno;
+                r = rename_and_apply_smack(passwd_tmp, passwd_path);
+                if (r < 0)
                         goto finish;
-                }
 
                 passwd_tmp = mfree(passwd_tmp);
         }
         if (shadow) {
-                if (rename(shadow_tmp, shadow_path) < 0) {
-                        r = -errno;
+                r = rename_and_apply_smack(shadow_tmp, shadow_path);
+                if (r < 0)
                         goto finish;
-                }
 
                 shadow_tmp = mfree(shadow_tmp);
         }