author | Karel Zak | 2016-06-14 13:15:44 +0200 |
committer | Karel Zak | 2016-06-14 13:38:13 +0200 |
commit | dd5ef107adfe2c05f7d2e3e3543d3c042868b6fb (patch) | |
tree | dede936a90a0ad071a24783c7ec4a77db8041116 /login-utils | |
parent | build-sys: remove global dependence between widechar and ncursesw (diff) | |
chfn: chsh: use selinux_check_passwd_access()
* selinux/av_permissions.h and its magic constants are deprecated; the
recommended solution is to use string_to_security_class() and
string_to_av_perm() to obtain the access vector
* it also seems that selinux_check_passwd_access() does exactly the
same as our checkAccess(), let's use it.
Signed-off-by: Karel Zak <kzak@redhat.com>
Diffstat (limited to 'login-utils')
-rw-r--r-- | login-utils/chfn.c | 5 | ||||
-rw-r--r-- | login-utils/chsh.c | 5 | ||||
-rw-r--r-- | login-utils/selinux_utils.c | 30 | ||||
-rw-r--r-- | login-utils/selinux_utils.h | 7 |
4 files changed, 16 insertions, 31 deletions
diff --git a/login-utils/chfn.c b/login-utils/chfn.c
index b1c7ea25a..89e6bd7ec 100644
--- a/login-utils/chfn.c
+++ b/login-utils/chfn.c
@@ -46,7 +46,6 @@
 #ifdef HAVE_LIBSELINUX
 # include <selinux/selinux.h>
-# include <selinux/av_permissions.h>
 # include "selinux_utils.h"
 #endif
@@ -424,7 +423,9 @@ int main(int argc, char **argv)
 #ifdef HAVE_LIBSELINUX
 if (is_selinux_enabled() > 0) {
 if (uid == 0) {
- if (checkAccess(ctl.username, PASSWD__CHFN) != 0) {
+ access_vector_t av = get_access_vector("passwd", "chfn");
+
+ if (selinux_check_passwd_access(av) != 0) {
 security_context_t user_context;
 if (getprevcon(&user_context) < 0)
 user_context = NULL;
diff --git a/login-utils/chsh.c b/login-utils/chsh.c
index d74a1f0f1..e9e51832d 100644
--- a/login-utils/chsh.c
+++ b/login-utils/chsh.c
@@ -46,7 +46,6 @@
 #ifdef HAVE_LIBSELINUX
 # include <selinux/selinux.h>
-# include <selinux/av_permissions.h>
 # include "selinux_utils.h"
 #endif
@@ -257,7 +256,9 @@ int main(int argc, char **argv)
 #ifdef HAVE_LIBSELINUX
 if (is_selinux_enabled() > 0) {
 if (uid == 0) {
- if (checkAccess(pw->pw_name, PASSWD__CHSH) != 0) {
+ access_vector_t av = get_access_vector("passwd", "chsh");
+
+ if (selinux_check_passwd_access(av) != 0) {
 security_context_t user_context;
 if (getprevcon(&user_context) < 0)
 user_context =
diff --git a/login-utils/selinux_utils.c b/login-utils/selinux_utils.c
index e709d0030..dfd696f3e 100644
--- a/login-utils/selinux_utils.c
+++ b/login-utils/selinux_utils.c
@@ -1,6 +1,4 @@
-#include <selinux/av_permissions.h>
 #include <selinux/context.h>
-#include <selinux/flask.h>
 #include <selinux/selinux.h>
 #include <stdio.h>
 #include <string.h>
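Review bot: `get_access_vector("passwd", "chfn")` yields 0 when the loaded policy does not know the class or the permission name, and the new `if (selinux_check_passwd_access(av) != 0)` line never rejects that value; a requested vector of 0 is trivially contained in whatever the policy allows, so the check most likely passes instead of failing closed. Reject the failed lookup before calling into libselinux, e.g. `if (av == 0 || selinux_check_passwd_access(av) != 0) {`. The same applies to the chsh.c hunk at `@@ -257,7 +256,9 @@`. Note also that the removed checkAccess() short-circuited to "allowed" when the target user name matched the caller's SELinux user, which the library call does not do, so this is a stricter check rather than "exactly the same" as the description says. main() continues outside the hunk.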
@@ -8,31 +6,11 @@
 #include "selinux_utils.h"
-int checkAccess(char *chuser, int access)
+access_vector_t get_access_vector(const char *tclass, const char *op)
 {
- int status = -1;
- security_context_t user_context;
- const char *user = NULL;
- if (getprevcon(&user_context) == 0) {
- context_t c = context_new(user_context);
- user = context_user_get(c);
- if (strcmp(chuser, user) == 0) {
- status = 0;
- } else {
- struct av_decision avd;
- int retval = security_compute_av(user_context,
- user_context,
- SECCLASS_PASSWD,
- access,
- &avd);
- if ((retval == 0) &&
- ((access & avd.allowed) == (unsigned)access))
- status = 0;
- }
- context_free(c);
- freecon(user_context);
- }
- return status;
+ security_class_t tc = string_to_security_class(tclass);
+
+ return tc ? string_to_av_perm(tc, op) : 0;
 }
 int setupDefaultContext(char *orig_file)
diff --git a/login-utils/selinux_utils.h b/login-utils/selinux_utils.h
index 5bf393c17..cf0ed662b 100644
--- a/login-utils/selinux_utils.h
+++ b/login-utils/selinux_utils.h
@@ -1,2 +1,7 @@
-extern int checkAccess(char *name,int access);
+#ifndef UTIL_LINUX_SELINUX_UTILS_H
+#define UTIL_LINUX_SELINUX_UTILS_H
+
+extern access_vector_t get_access_vector(const char *tclass, const char *op);
 extern int setupDefaultContext(char *orig_file);
+
+#endif |
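Review bot: The new `get_access_vector()` folds two distinct failures — unknown class and unknown permission — into a return value of 0, and nothing tells callers that 0 means "lookup failed, deny" rather than a usable vector. Add a comment above the definition such as `/* Resolve tclass:op against the loaded policy. Returns 0 if either name is unknown; callers must treat 0 as a failed lookup and deny, never pass it on as a permission set. */`. `string_to_av_perm()` itself reports an unknown permission as 0, so the `tc ? … : 0` guard only prevents calling it with class 0; it does not make the result safe to use unchecked.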
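Review bot: The new prototype in selinux_utils.h uses `access_vector_t`, but the header includes nothing, so it only compiles when the includer has already pulled in `<selinux/selinux.h>` (chfn.c and chsh.c happen to, in that order). Add `#include <selinux/selinux.h>` right after the new `#define UTIL_LINUX_SELINUX_UTILS_H` so the header is self-contained for the next user. The include guard itself is a good addition.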