chfs-chfn: remove deprecated selinux_check_passwd_access()

Signed-off-by: Karel Zak <kzak@redhat.com>
2021-01-13 14:25:12 +01:00 · 2021-01-13 14:25:12 +01:00 · e1de70b3c3
parent b5debf7105
commit e1de70b3c3
4 changed files with 39 additions and 35 deletions
--- a/include/selinux-utils.h
+++ b/include/selinux-utils.h
@ -1,7 +1,7 @@
 #ifndef UTIL_LINUX_SELINUX_UTILS_H
 #define UTIL_LINUX_SELINUX_UTILS_H

-extern access_vector_t get_access_vector(const char *tclass, const char *op);
 extern int ul_setfscreatecon_from_file(char *orig_file);
+extern int ul_selinux_has_access(const char *classstr, const char *perm, char **user_cxt);

 #endif
--- a/lib/selinux-utils.c
+++ b/lib/selinux-utils.c
@ -6,13 +6,6 @@

 #include "selinux-utils.h"

-access_vector_t get_access_vector(const char *tclass, const char *op)
-{
-	security_class_t tc = string_to_security_class(tclass);
-
-	return tc ? string_to_av_perm(tc, op) : 0;
-}
-
 int ul_setfscreatecon_from_file(char *orig_file)
 {
 	if (is_selinux_enabled() > 0) {
@ -28,3 +21,28 @@ int ul_setfscreatecon_from_file(char *orig_file)
 	}
 	return 0;
 }
+
+/* returns 1 if user has access to @class and @perm ("passwd", "chfn")
+ *	or 0 on error,
+ *	or 0 if has no access -- in this case sets @user_cxt to user-context
+ */
+int ul_selinux_has_access(const char *classstr, const char *perm, char **user_cxt)
+{
+	char *user;
+	int rc;
+
+	if (user_cxt)
+		*user_cxt = NULL;
+
+	if (getprevcon(&user) != 0)
+		return 0;
+
+	rc = selinux_check_access(user, user, classstr, perm, NULL);
+	if (rc != 0 && user_cxt)
+		*user_cxt = user;
+	else
+		freecon(user);
+
+	return rc == 0 ? 1 : 0;
+}
+
--- a/login-utils/chfn.c
+++ b/login-utils/chfn.c
@ -438,22 +438,15 @@ int main(int argc, char **argv)

 #ifdef HAVE_LIBSELINUX
 	if (is_selinux_enabled() > 0) {
-		if (uid == 0) {
-			access_vector_t av = get_access_vector("passwd", "chfn");
+		char *user_cxt = NULL;

-			if (selinux_check_passwd_access(av) != 0) {
-				char *user_context;
+		if (uid == 0 && !ul_selinux_has_access("passwd", "chfn", &user_cxt))
+			errx(EXIT_FAILURE,
+			     _("%s is not authorized to change "
+			       "the finger info of %s"),
+			     user_cxt ? : _("Unknown user context"),
+			     ctl.username);

-				if (getprevcon(&user_context) < 0)
-					user_context = NULL;
-
-				errx(EXIT_FAILURE,
-				     _("%s is not authorized to change "
-				       "the finger info of %s"),
-				     user_context ? : _("Unknown user context"),
-				     ctl.username);
-			}
-		}
 		if (ul_setfscreatecon_from_file(_PATH_PASSWD))
 			errx(EXIT_FAILURE,
 			     _("can't set default context for %s"), _PATH_PASSWD);
--- a/login-utils/chsh.c
+++ b/login-utils/chsh.c
@ -287,21 +287,14 @@ int main(int argc, char **argv)

 #ifdef HAVE_LIBSELINUX
 	if (is_selinux_enabled() > 0) {
-		if (uid == 0) {
-			access_vector_t av = get_access_vector("passwd", "chsh");
+		char *user_cxt = NULL;

-			if (selinux_check_passwd_access(av) != 0) {
-				char *user_context;
+		if (uid == 0 && !ul_selinux_has_access("passwd", "chsh", &user_cxt))
+			errx(EXIT_FAILURE,
+			     _("%s is not authorized to change the shell of %s"),
+			     user_cxt ? : _("Unknown user context"),
+			     pw->pw_name);

-				if (getprevcon(&user_context) < 0)
-					user_context = NULL;
-
-				errx(EXIT_FAILURE,
-				     _("%s is not authorized to change the shell of %s"),
-				     user_context ? : _("Unknown user context"),
-				     pw->pw_name);
-			}
-		}
 		if (ul_setfscreatecon_from_file(_PATH_PASSWD) != 0)
 			errx(EXIT_FAILURE,
 			     _("can't set default context for %s"), _PATH_PASSWD);