useradd: generate /var/spool/mail/$USER with the proper SELinux user identity
Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home() Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
parent
c44360b6f9
commit
cc498c8d12
61
shadow-4.8-useradd-selinux-mail.patch
Normal file
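--- /dev/null
+++ b/shadow-4.8-useradd-selinux-mail.patch
@@ -0,0 +1,61 @@
+From 4dc62ebcf37d7568be1d4ca54367215eba8b8a28 Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Wed, 5 Feb 2020 15:04:39 +0100
+Subject: [PATCH] useradd: doesn't generate /var/spool/mail/$USER with the
+proper SELinux user identity
+
+Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
+---
+src/useradd.c | 20 ++++++++++++++++++++
+1 file changed, 20 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a679392d..645d4a40 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -190,6 +190,7 @@ static bool home_added = false;
+#define E_NAME_IN_USE 9 /* username already in use */
+#define E_GRP_UPDATE 10 /* can't update group file */
+#define E_HOMEDIR 12 /* can't create home directory */
++#define E_MAILBOXFILE 13 /* can't create mailbox file */
+#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
+#ifdef ENABLE_SUBIDS
+#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
+@@ -2210,6 +2211,16 @@ static void create_mail (void)
+sprintf (file, "%s/%s/%s", prefix, spool, user_name);
+else
+sprintf (file, "%s/%s", spool, user_name);
++
++#ifdef WITH_SELINUX
++ if (set_selinux_file_context (file, NULL) != 0) {
++ fprintf (stderr,
++ _("%s: cannot set SELinux context for mailbox file %s\n"),
++ Prog, file);
++ fail_exit (E_MAILBOXFILE);
++ }
++#endif
++
+fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0);
+if (fd < 0) {
+perror (_("Creating mailbox file"));
+@@ -2234,6 +2245,15 @@ static void create_mail (void)
+
+fsync (fd);
+close (fd);
++#ifdef WITH_SELINUX
++ /* Reset SELinux to create files with default contexts */
++ if (reset_selinux_file_context () != 0) {
++ fprintf (stderr,
++ _("%s: cannot reset SELinux file creation context\n"),
++ Prog);
++ fail_exit (E_MAILBOXFILE);
++ }
++#endif
+}
+}
+
+--
+2.24.1
+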
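Review bot: The file-creation context installed by `set_selinux_file_context (file, NULL)` in the second useradd.c hunk is reset only at the very end of create_mail(), after `close (fd)`, so any earlier exit from the function leaves it in effect. The `if (fd < 0)` branch right after the new block continues outside the hunk; if it returns after `perror` (not visible here), anything the process creates afterwards would still be labelled with the mailbox context instead of the default. I would reset on that path too, by adding `#ifdef WITH_SELINUX`, `(void) reset_selinux_file_context ();`, `#endif` before the early return, or by routing both exits through a single cleanup label. A one-line comment above the set call, such as `/* Label the mailbox at creation time; must be paired with reset_selinux_file_context() on every exit */`, would make the pairing obvious to later editors.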
@ -1,7 +1,7 @@
|
|||||||
Summary: Utilities for managing accounts and shadow password files
|
Summary: Utilities for managing accounts and shadow password files
|
||||||
Name: shadow-utils
|
Name: shadow-utils
|
||||||
Version: 4.8
|
Version: 4.8
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Epoch: 2
|
Epoch: 2
|
||||||
URL: http://pkg-shadow.alioth.debian.org/
|
URL: http://pkg-shadow.alioth.debian.org/
|
||||||
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
|
Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz
|
||||||
@ -50,6 +50,8 @@ Patch38: shadow-4.6-sysugid-min-limit.patch
|
|||||||
Patch40: shadow-4.8-ignore-login-prompt.patch
|
Patch40: shadow-4.8-ignore-login-prompt.patch
|
||||||
# Make the missing shell check into warning - could be upstreamed
|
# Make the missing shell check into warning - could be upstreamed
|
||||||
Patch41: shadow-4.8-invalid-shell-check.patch
|
Patch41: shadow-4.8-invalid-shell-check.patch
|
||||||
|
# Generate /var/spool/mail/$USER with the proper SELinux user identity - already upstreamed
|
||||||
|
Patch42: shadow-4.8-useradd-selinux-mail.patch
|
||||||
|
|
||||||
License: BSD and GPLv2+
|
License: BSD and GPLv2+
|
||||||
BuildRequires: gcc
|
BuildRequires: gcc
|
||||||
@ -98,6 +100,7 @@ are used for managing group accounts.
|
|||||||
%patch38 -p1 -b .sysugid-min-limit
|
%patch38 -p1 -b .sysugid-min-limit
|
||||||
%patch40 -p1 -b .login-prompt
|
%patch40 -p1 -b .login-prompt
|
||||||
%patch41 -p1 -b .invalid-shell
|
%patch41 -p1 -b .invalid-shell
|
||||||
|
%patch42 -p1 -b .useradd-selinux-mail
|
||||||
|
|
||||||
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
|
||||||
cp -f doc/HOWTO.utf8 doc/HOWTO
|
cp -f doc/HOWTO.utf8 doc/HOWTO
|
||||||
@ -252,6 +255,10 @@ done
|
|||||||
%{_mandir}/man8/vigr.8*
|
%{_mandir}/man8/vigr.8*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Feb 24 2020 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.8-4
|
||||||
|
- fix useradd: doesn't generate spool mail with the proper SELinux user identity
|
||||||
|
(#1690527)
|
||||||
|
|
||||||
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8-3
|
* Thu Jan 30 2020 Fedora Release Engineering <releng@fedoraproject.org> - 2:4.8-3
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
|
||||||
|
|
||||||
|