From 3e9ca2fc3346ff6b5cbdf4a3a2c21828dfafc8bd Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Mon, 2 Sep 2019 14:37:23 +0200
Subject: [PATCH] chpasswd, chgpasswd: Run SELinux checks before chroot()

libselinux checks the state of SELinux only in the library constructor and then uses a cached value. It can be a problem for processes which do chroot() as there's usually no SELinux interface (/sys/fs/selinux) in the chroot.

For chpasswd/chgpasswd is enough to do SELinux checks before processes are chroot()ed.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1747215
---
 shadow-4.3.1-selinux-perms.patch | 33 ++++++++++++++++++++++----------
 1 file changed, 23 insertions(+), 10 deletions(-)

diff --git a/shadow-4.3.1-selinux-perms.patch b/shadow-4.3.1-selinux-perms.patch
index 8550150..a08660f 100644
--- a/shadow-4.3.1-selinux-perms.patch
+++ b/shadow-4.3.1-selinux-perms.patch
@@ -98,7 +98,17 @@ Index: shadow-4.5/src/chgpasswd.c
int errors = 0;
int line = 0;
-@@ -408,8 +476,33 @@ int main (int argc, char **argv)
+@@ -402,12 +470,37 @@ int main (int argc, char **argv)
+ (void) bindtextdomain (PACKAGE, LOCALEDIR);
+ (void) textdomain (PACKAGE);
++#ifdef WITH_SELINUX
++ selinux_check_root ();
++#endif
++
+ process_root_flag ("-R", argc, argv);
+
+ process_flags (argc, argv);
OPENLOG ("chgpasswd");
@@ -125,10 +135,6 @@ Index: shadow-4.5/src/chgpasswd.c
+ check_perms ();
-+#ifdef WITH_SELINUX
-+ selinux_check_root ();
-+#endif
-+
#ifdef SHADOWGRP
is_shadow_grp = sgr_file_present ();
#endif
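Review bot: The relocated `selinux_check_root ()` block (the `++` lines following `textdomain` in this hunk, and the matching block in the chpasswd hunk `@@ -230,7 +236,18 @@`) carries no comment saying why it must precede `process_root_flag ("-R", argc, argv)`, so a later reorder of main's prologue could silently reintroduce the chroot problem the commit message describes. I would add inside the `#ifdef WITH_SELINUX` block: `/* Must run before process_root_flag(): libselinux caches the SELinux state when it is loaded, and /sys/fs/selinux is normally absent inside the chroot. */`. The call now also precedes `process_flags (argc, argv)`, so it executes before option parsing (including `--help`) on every invocation; presumably intended, but worth one sentence in the patch description if so. The enclosing `main` begins and ends outside this hunk.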
@@ -230,7 +236,18 @@ Index: shadow-4.5/src/chpasswd.c
/*
* open_files - lock and open the password databases
*/
-@@ -405,8 +469,16 @@ int main (int argc, char **argv)
+@@ -393,6 +457,10 @@ int main (int argc, char **argv)
+ (void) bindtextdomain (PACKAGE, LOCALEDIR);
+ (void) textdomain (PACKAGE);
++#ifdef WITH_SELINUX
++ selinux_check_root ();
++#endif
++
+ process_root_flag ("-R", argc, argv);
+
+ process_flags (argc, argv);
+@@ -405,6 +473,10 @@ int main (int argc, char **argv)
OPENLOG ("chpasswd");
@@ -240,10 +257,6 @@ Index: shadow-4.5/src/chpasswd.c
+ check_perms ();
-+#ifdef WITH_SELINUX
-+ selinux_check_root ();
-+#endif
-+
#ifdef USE_PAM
if (!use_pam)
#endif /* USE_PAM */
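Review bot: The inner hunk headers are rewritten by hand here — `-@@ -405,8 +469,16 @@` becomes two hunks, `+@@ -393,6 +457,10 @@` and `+@@ -405,6 +473,10 @@` — and the remainder of that second inner hunk lies outside this diff, so its new line counts cannot be checked from what is shown (the same applies to `+@@ -402,12 +470,37 @@` in the chgpasswd hunk). A miscounted `@@` header typically makes `patch` report a malformed hunk, so this is a build-break risk rather than a silent one; confirm the edited patch still applies cleanly (for example with `patch --dry-run`) or regenerate it from a patched tree instead of editing counts manually. The enclosing `main` begins and ends outside this hunk.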