chpasswd, chgpasswd: Run SELinux checks before chroot()
libselinux checks the state of SELinux only in the library constructor and then uses a cached value. This can be a problem for processes which call chroot(), as there's usually no SELinux interface (/sys/fs/selinux) in the chroot. For chpasswd/chgpasswd it is enough to do the SELinux checks before the process is chroot()ed. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1747215
parent
6065752fdc
commit
3e9ca2fc33
@ -98,7 +98,17 @@ Index: shadow-4.5/src/chgpasswd.c
|
||||
int errors = 0;
|
||||
int line = 0;
|
||||
|
||||
@@ -408,8 +476,33 @@ int main (int argc, char **argv)
|
||||
@@ -402,12 +470,37 @@ int main (int argc, char **argv)
|
||||
(void) bindtextdomain (PACKAGE, LOCALEDIR);
|
||||
(void) textdomain (PACKAGE);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ selinux_check_root ();
|
||||
+#endif
|
||||
+
|
||||
process_root_flag ("-R", argc, argv);
|
||||
|
||||
process_flags (argc, argv);
|
||||
|
||||
OPENLOG ("chgpasswd");
|
||||
|
||||
@ -125,10 +135,6 @@ Index: shadow-4.5/src/chgpasswd.c
|
||||
+
|
||||
check_perms ();
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ selinux_check_root ();
|
||||
+#endif
|
||||
+
|
||||
#ifdef SHADOWGRP
|
||||
is_shadow_grp = sgr_file_present ();
|
||||
#endif
|
||||
@ -230,7 +236,18 @@ Index: shadow-4.5/src/chpasswd.c
|
||||
/*
|
||||
* open_files - lock and open the password databases
|
||||
*/
|
||||
@@ -405,8 +469,16 @@ int main (int argc, char **argv)
|
||||
@@ -393,6 +457,10 @@ int main (int argc, char **argv)
|
||||
(void) bindtextdomain (PACKAGE, LOCALEDIR);
|
||||
(void) textdomain (PACKAGE);
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ selinux_check_root ();
|
||||
+#endif
|
||||
+
|
||||
process_root_flag ("-R", argc, argv);
|
||||
|
||||
process_flags (argc, argv);
|
||||
@@ -405,6 +473,10 @@ int main (int argc, char **argv)
|
||||
|
||||
OPENLOG ("chpasswd");
|
||||
|
||||
@ -240,10 +257,6 @@ Index: shadow-4.5/src/chpasswd.c
|
||||
+
|
||||
check_perms ();
|
||||
|
||||
+#ifdef WITH_SELINUX
|
||||
+ selinux_check_root ();
|
||||
+#endif
|
||||
+
|
||||
#ifdef USE_PAM
|
||||
if (!use_pam)
|
||||
#endif /* USE_PAM */
|
||||
|
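Review bot: The new placement of `selinux_check_root ()` ahead of `process_root_flag ("-R", argc, argv)` in both chgpasswd.c and chpasswd.c is order-dependent, but nothing in the code says so, and a later cleanup could move the call back below `check_perms ()`, where per the commit description the SELinux interface is usually no longer reachable. I would add a comment above the `#ifdef WITH_SELINUX` block in each `main`, e.g. `/* Must run before process_root_flag(): /sys/fs/selinux is usually not available inside the chroot. */`. The call now also precedes `process_flags ()` and `OPENLOG (...)`, so if `selinux_check_root ()` reports a denial through syslog (its body is not shown here), that message would be emitted before the program's log identity is set, which is worth confirming. `main` starts and ends outside the quoted context in both files.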