chfn: chsh: use selinux_check_passwd_access()
* selinux/av_permissions.h and magic constants are deprecated, the recommended solution is to use string_to_security_class() and string_to_av_perm() to get access vector * it also seems that selinux_check_passwd_access() does exactly the same as our checkAccess(), let's use it. Signed-off-by: Karel Zak <kzak@redhat.com>
parent
3d7cad18e7
commit
dd5ef107ad
|
@ -46,7 +46,6 @@
|
|||
|
||||
#ifdef HAVE_LIBSELINUX
|
||||
# include <selinux/selinux.h>
|
||||
# include <selinux/av_permissions.h>
|
||||
# include "selinux_utils.h"
|
||||
#endif
|
||||
|
||||
|
@ -424,7 +423,9 @@ int main(int argc, char **argv)
|
|||
#ifdef HAVE_LIBSELINUX
|
||||
if (is_selinux_enabled() > 0) {
|
||||
if (uid == 0) {
|
||||
if (checkAccess(ctl.username, PASSWD__CHFN) != 0) {
|
||||
access_vector_t av = get_access_vector("passwd", "chfn");
|
||||
|
||||
if (selinux_check_passwd_access(av) != 0) {
|
||||
security_context_t user_context;
|
||||
if (getprevcon(&user_context) < 0)
|
||||
user_context = NULL;
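Review bot: A zero access vector is passed straight from get_access_vector() to selinux_check_passwd_access() in the new `if` at the top of this hunk, and nothing in the new code treats 0 as a lookup failure. get_access_vector() returns 0 when the `passwd` class or the `chfn` permission is not defined in the loaded policy (the `tc ? ... : 0` form in selinux_utils.c; string_to_av_perm() likewise returns 0 when it cannot resolve the name), and if selinux_check_passwd_access() uses the same `(requested & avd.allowed) == requested` test as the removed checkAccess(), as the commit message asserts, a zero vector is trivially allowed and the check fails open. I would reject it explicitly: `if (av == 0 || selinux_check_passwd_access(av) != 0) {`. The chsh.c hunk below (`get_access_vector("passwd", "chsh")`) has the same gap. main() continues outside the hunk.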
|
||||
|
|
|
@ -46,7 +46,6 @@
|
|||
|
||||
#ifdef HAVE_LIBSELINUX
|
||||
# include <selinux/selinux.h>
|
||||
# include <selinux/av_permissions.h>
|
||||
# include "selinux_utils.h"
|
||||
#endif
|
||||
|
||||
|
@ -257,7 +256,9 @@ int main(int argc, char **argv)
|
|||
#ifdef HAVE_LIBSELINUX
|
||||
if (is_selinux_enabled() > 0) {
|
||||
if (uid == 0) {
|
||||
if (checkAccess(pw->pw_name, PASSWD__CHSH) != 0) {
|
||||
access_vector_t av = get_access_vector("passwd", "chsh");
|
||||
|
||||
if (selinux_check_passwd_access(av) != 0) {
|
||||
security_context_t user_context;
|
||||
if (getprevcon(&user_context) < 0)
|
||||
user_context =
|
||||
|
|
|
@ -1,6 +1,4 @@
|
|||
#include <selinux/av_permissions.h>
|
||||
#include <selinux/context.h>
|
||||
#include <selinux/flask.h>
|
||||
#include <selinux/selinux.h>
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
|
@ -8,31 +6,11 @@
|
|||
|
||||
#include "selinux_utils.h"
|
||||
|
||||
int checkAccess(char *chuser, int access)
|
||||
access_vector_t get_access_vector(const char *tclass, const char *op)
|
||||
{
|
||||
int status = -1;
|
||||
security_context_t user_context;
|
||||
const char *user = NULL;
|
||||
if (getprevcon(&user_context) == 0) {
|
||||
context_t c = context_new(user_context);
|
||||
user = context_user_get(c);
|
||||
if (strcmp(chuser, user) == 0) {
|
||||
status = 0;
|
||||
} else {
|
||||
struct av_decision avd;
|
||||
int retval = security_compute_av(user_context,
|
||||
user_context,
|
||||
SECCLASS_PASSWD,
|
||||
access,
|
||||
&avd);
|
||||
if ((retval == 0) &&
|
||||
((access & avd.allowed) == (unsigned)access))
|
||||
status = 0;
|
||||
}
|
||||
context_free(c);
|
||||
freecon(user_context);
|
||||
}
|
||||
return status;
|
||||
security_class_t tc = string_to_security_class(tclass);
|
||||
|
||||
return tc ? string_to_av_perm(tc, op) : 0;
|
||||
}
|
||||
|
||||
int setupDefaultContext(char *orig_file)
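Review bot: get_access_vector() has no header comment, and its one property callers must know — that 0 comes back both when string_to_security_class() does not know `tclass` and when string_to_av_perm() does not know `op` — is invisible at the call sites, where 0 is also a vector that any `(requested & allowed) == requested` style check accepts. I would add above the definition: `/* Map a class/permission name pair to an access vector via the loaded policy. Returns 0 if either name is unknown; callers must treat 0 as a failure, not as "no permission needed". */`. The removed checkAccess() also allowed the operation without a security_compute_av() query when the target name matched the caller's SELinux user (`strcmp(chuser, user) == 0`); whether selinux_check_passwd_access() keeps that shortcut is not visible here and is worth confirming before relying on the commit message's "exactly the same".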
|
||||
|
|
|
@ -1,2 +1,7 @@
|
|||
extern int checkAccess(char *name,int access);
|
||||
#ifndef UTIL_LINUX_SELINUX_UTILS_H
|
||||
#define UTIL_LINUX_SELINUX_UTILS_H
|
||||
|
||||
extern access_vector_t get_access_vector(const char *tclass, const char *op);
|
||||
extern int setupDefaultContext(char *orig_file);
|
||||
|
||||
#endif
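Review bot: The new declaration `extern access_vector_t get_access_vector(const char *tclass, const char *op);` uses `access_vector_t` but the header includes nothing, so it compiles only when the includer has already pulled in `<selinux/selinux.h>` (chfn.c and chsh.c happen to do so on the line before `# include "selinux_utils.h"`). Adding `#include <selinux/selinux.h>` right after the new guard makes the header self-contained and lets a translation unit include it first.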
|
||||
|
|