From f5a51331feea44ad95392e4672f2e4671ff531ab Mon Sep 17 00:00:00 2001
From: ikerexxe
Date: Mon, 24 Feb 2020 16:36:57 +0100
Subject: [PATCH] useradd: generate /var/spool/mail/$USER with the proper SELinux user identity

Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
---
 shadow-4.8-useradd-selinux-mail.patch | 61 +++++++++++++++++++++++++++
 shadow-utils.spec | 9 +++-
 2 files changed, 69 insertions(+), 1 deletion(-)
 create mode 100644 shadow-4.8-useradd-selinux-mail.patch

diff --git a/shadow-4.8-useradd-selinux-mail.patch b/shadow-4.8-useradd-selinux-mail.patch
new file mode 100644
index 0000000..1777f2d
--- /dev/null
+++ b/shadow-4.8-useradd-selinux-mail.patch
@@ -0,0 +1,61 @@
+From 4dc62ebcf37d7568be1d4ca54367215eba8b8a28 Mon Sep 17 00:00:00 2001
+From: ikerexxe
+Date: Wed, 5 Feb 2020 15:04:39 +0100
+Subject: [PATCH] useradd: doesn't generate /var/spool/mail/$USER with the
+ proper SELinux user identity
+
+Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
+---
+ src/useradd.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a679392d..645d4a40 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -190,6 +190,7 @@ static bool home_added = false;
+ #define E_NAME_IN_USE 9 /* username already in use */
+ #define E_GRP_UPDATE 10 /* can't update group file */
+ #define E_HOMEDIR 12 /* can't create home directory */
++#define E_MAILBOXFILE 13 /* can't create mailbox file */
+ #define E_SE_UPDATE 14 /* can't update SELinux user mapping */
+ #ifdef ENABLE_SUBIDS
+ #define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
+@@ -2210,6 +2211,16 @@ static void create_mail (void)
+ sprintf (file, "%s/%s/%s", prefix, spool, user_name);
+ else
+ sprintf (file, "%s/%s", spool, user_name);
++
++#ifdef WITH_SELINUX
++ if (set_selinux_file_context (file, NULL) != 0) {
++ fprintf (stderr,
++ _("%s: cannot set SELinux context for mailbox file %s\n"),
++ Prog, file);
++ fail_exit (E_MAILBOXFILE);
++ }
++#endif
++
+ fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0);
+ if (fd < 0) {
+ perror (_("Creating mailbox file"));
+@@ -2234,6 +2245,15 @@ static void create_mail (void)
+
+ fsync (fd);
+ close (fd);
++#ifdef WITH_SELINUX
++ /* Reset SELinux to create files with default contexts */
++ if (reset_selinux_file_context () != 0) {
++ fprintf (stderr,
++ _("%s: cannot reset SELinux file creation context\n"),
++ Prog);
++ fail_exit (E_MAILBOXFILE);
++ }
++#endif
+ }
+ }
+
+--
+2.24.1
+
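Review bot: The `reset_selinux_file_context ()` call added after `close (fd)` in the third embedded src/useradd.c hunk runs only on the success path, although `set_selinux_file_context (file, NULL)` is applied before `open ()` in the second hunk. If the `if (fd < 0)` branch returns after `perror` (its body continues outside the hunk, so this is inferred), the process keeps the mailbox-derived file-creation context for anything it creates afterwards. The failure branch should restore the default as well, after `perror` so that errno is still intact for the message: `#ifdef WITH_SELINUX` / `(void) reset_selinux_file_context ();` / `#endif`. create_mail's body starts and ends outside both hunks, so whether other exits sit between the set and the reset needs checking against the full function.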
diff --git a/shadow-utils.spec b/shadow-utils.spec index 485ef25..dd1b37b 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.8 -Release: 3%{?dist} +Release: 4%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: https://github.com/shadow-maint/shadow/releases/download/%{version}/shadow-%{version}.tar.xz @@ -50,6 +50,8 @@ Patch38: shadow-4.6-sysugid-min-limit.patch Patch40: shadow-4.8-ignore-login-prompt.patch # Make the missing shell check into warning - could be upstreamed Patch41: shadow-4.8-invalid-shell-check.patch +# Generate /var/spool/mail/$USER with the proper SELinux user identity - already upstreamed +Patch42: shadow-4.8-useradd-selinux-mail.patch License: BSD and GPLv2+ BuildRequires: gcc @@ -98,6 +100,7 @@ are used for managing group accounts. %patch38 -p1 -b .sysugid-min-limit %patch40 -p1 -b .login-prompt %patch41 -p1 -b .invalid-shell +%patch42 -p1 -b .useradd-selinux-mail iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -252,6 +255,10 @@ done %{_mandir}/man8/vigr.8* %changelog +* Mon Feb 24 2020 Iker Pedrosa - 2:4.8-4 +- fix useradd: doesn't generate spool mail with the proper SELinux user identity + (#1690527) + * Thu Jan 30 2020 Fedora Release Engineering - 2:4.8-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild