From fe710b2a147fb4fffb0408899a344cef3cf69b1f Mon Sep 17 00:00:00 2001
From: Matej Muzila
Date: Fri, 20 Jul 2018 12:36:41 +0200
Subject: [PATCH] rpc.yppasswd: presserve selinux context of shadow and passwd

Resolves: #1255583
---
 ypserv-4.0-selinux-context.patch | 144 +++++++++++++++++++++++++++++++
 ypserv.spec | 12 ++-
 2 files changed, 154 insertions(+), 2 deletions(-)
 create mode 100644 ypserv-4.0-selinux-context.patch
diff --git a/ypserv-4.0-selinux-context.patch b/ypserv-4.0-selinux-context.patch
new file mode 100644
index 0000000..2591d4e
--- /dev/null
+++ b/ypserv-4.0-selinux-context.patch
@@ -0,0 +1,144 @@
+diff -up ypserv-5bfba760283060087aefeb417342bcc66d349b2e/configure.ac.selinux-context ypserv-5bfba760283060087aefeb417342bcc66d349b2e/configure.ac
+--- ypserv-5bfba760283060087aefeb417342bcc66d349b2e/configure.ac.selinux-context 2018-06-13 15:08:56.011432773 +0200
++++ ypserv-5bfba760283060087aefeb417342bcc66d349b2e/configure.ac 2018-06-13 15:08:56.017432861 +0200
+@@ -240,6 +240,26 @@ then
+ exit
+ fi
+
++AC_ARG_WITH(selinux,
++ [AC_HELP_STRING([--with-selinux@<:@=yes|no@:>@],[Enables SELinux support [no]])],
++
++ [ if test "$withval" = "yes"; then
++ AC_CHECK_HEADERS([selinux/selinux.h], [],
++ [AC_MSG_ERROR([Missing SELinux header files])])
++ AC_CHECK_LIB(selinux, setfilecon_raw, [],
++ [AC_MSG_ERROR([Missing or incorrect SELinux library])])
++ AC_CHECK_LIB(selinux, getfilecon_raw, [],
++ [AC_MSG_ERROR([Missing or incorrect SELinux library])])
++ AC_CHECK_LIB(selinux, freecon, [],
++ [AC_MSG_ERROR([Missing or incorrect SELinux library])])
++ fi
++ ],[])
++
++AC_SUBST(with_selinux)
++if test "$with_selinux" = "yes"; then
++ AC_DEFINE(WITH_SELINUX, 1, [Define to 1 if SELinux support is enabled])
++fi
++
+ AC_CHECK_LIB(crypt,crypt,LIBCRYPT="-lcrypt",LIBCRYPT="")
+ AC_CHECK_HEADERS(crypt.h)
+ AC_SUBST(LIBCRYPT)
+diff -up ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/Makefile.am.selinux-context ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/Makefile.am
+--- ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/Makefile.am.selinux-context 2016-11-22 16:40:13.000000000 +0100
++++ ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/Makefile.am 2018-06-13 15:08:56.017432861 +0200
+@@ -24,7 +24,7 @@ sbin_PROGRAMS = rpc.yppasswdd
+
+ rpc_yppasswdd_SOURCES = update.c yppasswd_xdr.c yppasswdd.c
+
+-rpc_yppasswdd_LDADD = @PIE_LDFLAGS@ $(top_builddir)/lib/libyp.a $(LIBDBM) $(LIBCRYPT) @SYSTEMD_LIBS@ @NSL_LIBS@ @TIRPC_LIBS@
++rpc_yppasswdd_LDADD = @PIE_LDFLAGS@ $(top_builddir)/lib/libyp.a $(LIBDBM) $(LIBCRYPT) @SYSTEMD_LIBS@ @NSL_LIBS@ @TIRPC_LIBS@ $(LIBSELINUX)
+ rpc_yppasswdd_CFLAGS = @PIE_CFLAGS@ @SYSTEMD_CFLAGS@ @NSL_CFLAGS@ @TIRPC_CFLAGS@
+
+ if ENABLE_REGENERATE_MAN
+diff -up ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/update.c.selinux-context ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/update.c
+--- ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/update.c.selinux-context 2016-11-22 16:40:13.000000000 +0100
++++ ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/update.c 2018-07-20 12:01:14.874866767 +0200
+@@ -41,6 +41,10 @@
+ #include "yppwd_local.h"
+ #include "log_msg.h"
+
++#ifdef WITH_SELINUX
++#include
++#endif /* WITH_SELINUX */
++
+ #ifndef CHECKROOT
+ /* Set to 0 if you don't want to check against the root password
+ of the NIS master server. */
+@@ -460,6 +464,9 @@ update_files (yppasswd *yppw, int *shado
+ FILE *oldpf = NULL, *newpf = NULL, *oldsf = NULL, *newsf = NULL;
+ struct stat passwd_stat, shadow_stat;
+ char *rootpass = "x";
++#ifdef WITH_SELINUX
++ char *pSelCon = NULL;
++#endif /* WITH_SELINUX */
+
+ #if CHECKROOT
+ if ((pw = getpwnam ("root")) != NULL)
+@@ -520,6 +527,39 @@ update_files (yppasswd *yppw, int *shado
+ return 1;
+ }
+
++#ifdef WITH_SELINUX
++ if (is_selinux_enabled() == 1)
++ {
++ /* Get selinux context of the original file */
++ if (getfilecon_raw(path_passwd, &pSelCon) < 0)
++ {
++ log_msg ("update %.12s (uid=%d) failed",
++ yppw->newpw.pw_name, yppw->newpw.pw_uid);
++ log_msg ("Can't get selinux context %s: %m", path_passwd);
++ freecon(pSelCon);
++ fclose (oldpf);
++ fclose (newpf);
++ unlink (path_passwd_tmp);
++ return 1;
++ }
++
++ /* Set selinux context for tmp file */
++ if (setfilecon_raw(path_passwd_tmp, pSelCon))
++ {
++ log_msg ("update %.12s (uid=%d) failed",
++ yppw->newpw.pw_name, yppw->newpw.pw_uid);
++ log_msg ("Can't set selinux context %s: %m", path_passwd_tmp);
++ freecon(pSelCon);
++ fclose (oldpf);
++ fclose (newpf);
++ unlink (path_passwd_tmp);
++ return 1;
++ }
++ freecon(pSelCon);
++ pSelCon=NULL;
++ }
++# endif /* WITH_SELINUX */
++
+ /* Open the shadow file for reading. */
+ if ((oldsf = fopen (path_shadow, "r")) != NULL)
+ {
+@@ -558,6 +598,37 @@ update_files (yppasswd *yppw, int *shado
+ fclose (oldpf);
+ return 1;
+ }
++#ifdef WITH_SELINUX
++ if (is_selinux_enabled() == 1)
++ {
++ if (getfilecon_raw(path_shadow, &pSelCon) < 0)
++ {
++ log_msg ("update %.12s (uid=%d) failed",
++ yppw->newpw.pw_name, yppw->newpw.pw_uid);
++ log_msg ("Can't get selinux context %s: %m", path_shadow);
++ freecon(pSelCon);
++ fclose (newsf);
++ fclose (oldsf);
++ fclose (newpf);
++ fclose (oldpf);
++ return 1;
++ }
++ if (setfilecon_raw(path_shadow_tmp, pSelCon))
++ {
++ log_msg ("update %.12s (uid=%d) failed",
++ yppw->newpw.pw_name, yppw->newpw.pw_uid);
++ log_msg ("Can't set selinux context %s: %m", path_shadow_tmp);
++ freecon(pSelCon);
++ fclose (newsf);
++ fclose (oldsf);
++ fclose (newpf);
++ fclose (oldpf);
++ return 1;
++ }
++ freecon(pSelCon);
++ pSelCon=NULL;
++ }
++#endif /* WITH_SELINUX */
+ }
+
+ /* Loop over all passwd entries */
diff --git a/ypserv.spec b/ypserv.spec
index 7346fbc..34d1b13 100644
--- a/ypserv.spec
+++ b/ypserv.spec
@@ -5,7 +5,7 @@ Summary: The NIS (Network Information Service) server
 Url: http://www.linux-nis.org/nis/ypserv/index.html
 Name: ypserv
 Version: 4.0
-Release: 11.20170331git%{shortcommit0}%{?dist}
+Release: 12.20170331git%{shortcommit0}%{?dist}
 License: GPLv2
 Group: System Environment/Daemons
 Source0: https://github.com/thkukuk/%{name}/archive/%{commit0}.tar.gz#/%{name}-%{shortcommit0}.tar.gz
@@ -34,6 +34,7 @@ Patch8: ypserv-2.27-confpost.patch
 Patch10: ypserv-2.31-netgrprecur.patch
 Patch12: ypserv-4.0-headers.patch
 Patch13: ypserv-4.0-oldaddr.patch
+Patch14: ypserv-4.0-selinux-context.patch
 BuildRequires: gcc
 BuildRequires: tokyocabinet-devel
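Review bot: In the passwd block of update_files (inner hunk `@@ -520,6 +527,39 @@` of rpc.yppasswdd/update.c) the label is copied by path, with `getfilecon_raw(path_passwd, &pSelCon)` and `setfilecon_raw(path_passwd_tmp, pSelCon)`, although the error branches show both files are already open as `oldpf` and `newpf`. The descriptor variants, `fgetfilecon_raw(fileno(oldpf), &pSelCon)` and `fsetfilecon_raw(fileno(newpf), pSelCon)`, would label exactly the file being written rather than whatever the path resolves to at that moment; this assumes oldpf and newpf were opened on those two paths, which happens above the hunk. The shadow block in the `@@ -558,6 +598,37 @@` hunk follows the same pattern with `oldsf` and `newsf`. Separately, `is_selinux_enabled() == 1` skips the block silently when the call returns -1, so an error there lets the update continue with a temp file that keeps its default label; a negative return should probably be logged and handled like the other failures.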
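Review bot: Both failure branches added for the shadow file (inner hunk `@@ -558,6 +598,37 @@`) close the four streams and `return 1;` without removing `path_shadow_tmp` or `path_passwd_tmp`, whereas the passwd block in the preceding hunk calls `unlink (path_passwd_tmp);` before returning. If the temp files exist at this point, as the `setfilecon_raw(path_shadow_tmp, pSelCon)` call suggests, a labelling failure leaves stray copies beside passwd and shadow, one of which has just been shown not to carry the intended context. I would add `unlink (path_passwd_tmp);` and `unlink (path_shadow_tmp);` before each `return 1;` in this block. The enclosing error path starts above the hunk, so whether the existing `fclose (oldpf); return 1;` branch has the same gap cannot be seen from this diff.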
@@ -44,6 +45,7 @@ BuildRequires: libnsl2-devel
 BuildRequires: libtirpc-devel
 BuildRequires: docbook-style-xsl
 BuildRequires: libxslt
+BuildRequires: libselinux-devel
 %description
 The Network Information Service (NIS) is a system that provides
@@ -76,6 +78,7 @@ machines.
 %patch10 -p1 -b .netgrprecur
 %patch12 -b .headers
 %patch13 -p1 -b .oldaddr
+%patch14 -p1 -b .selinux-context
 # Delete generated man pages. They will be generated later from source.
 rm makedbm/makedbm.8
@@ -99,7 +102,8 @@ export CFLAGS="$RPM_OPT_FLAGS -fpic"
 --enable-fqdn \
 --libexecdir=%{_libdir}/yp \
 --with-dbmliborder=tokyocabinet \
- -localstatedir=%{_localstatedir}
+ --localstatedir=%{_localstatedir} \
+ --with-selinux
 make
@@ -174,6 +178,10 @@ install -m 755 %{SOURCE4} $RPM_BUILD_ROOT%{_libexecdir}/rpc.yppasswdd.env
 %{_includedir}/rpcsvc
 %changelog
+* Fri Jul 20 2018 Matej Mužila - 4.0-12.20170331git5bfba76
+- rpc.yppasswd: presserve selinux context of shadow and passwd
+- Resolves: #1255583
+
 * Sat Jul 14 2018 Fedora Release Engineering - 4.0-11.20170331git5bfba76
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild