From 651c1fdee084cbf9a25d5131ebe367d6d1473ca5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 10 May 2021 12:12:38 +0200 Subject: [PATCH] libselinux: selinux_check_passwd_access_internal(): respect deny_unknown MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit `selinux_check_passwd_access_internal()`, and thereby `checkPasswdAccess(3)` and `selinux_check_passwd_access(3)`, does not respect the policy defined setting of `deny_unknown`, like `selinux_check_access(3)` does. This means in case the security class `passwd` is not defined, success is returned instead of failure, i.e. permission denied. Most policies should define the `passwd` class and the two affected public functions are marked deprecated. Align the behavior with `selinux_check_access(3)` and respect the deny_unknown setting in case the security class is not defined. Signed-off-by: Christian Göttsche --- libselinux/src/checkAccess.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c index b337ea64f977..022cd6b5ecab 100644 --- a/libselinux/src/checkAccess.c +++ b/libselinux/src/checkAccess.c @@ -78,7 +78,9 @@ static int selinux_check_passwd_access_internal(access_vector_t requested) passwd_class = string_to_security_class("passwd"); if (passwd_class == 0) { freecon(user_context); - return 0; + if (security_deny_unknown() == 0) + return 0; + return -1; } retval = security_compute_av_raw(user_context, -- 2.32.0.rc1