1 |
diff -up ypserv-5bfba760283060087aefeb417342bcc66d349b2e/configure.ac.selinux-context ypserv-5bfba760283060087aefeb417342bcc66d349b2e/configure.ac |
2 |
--- ypserv-5bfba760283060087aefeb417342bcc66d349b2e/configure.ac.selinux-context 2018-06-13 15:08:56.011432773 +0200 |
3 |
+++ ypserv-5bfba760283060087aefeb417342bcc66d349b2e/configure.ac 2018-06-13 15:08:56.017432861 +0200 |
4 |
@@ -240,6 +240,26 @@ then |
5 |
exit |
6 |
fi |
7 |
|
8 |
+AC_ARG_WITH(selinux, |
9 |
+ [AC_HELP_STRING([--with-selinux@<:@=yes|no@:>@],[Enables SELinux support [no]])], |
10 |
+ |
11 |
+ [ if test "$withval" = "yes"; then |
12 |
+ AC_CHECK_HEADERS([selinux/selinux.h], [], |
13 |
+ [AC_MSG_ERROR([Missing SELinux header files])]) |
14 |
+ AC_CHECK_LIB(selinux, setfilecon_raw, [], |
15 |
+ [AC_MSG_ERROR([Missing or incorrect SELinux library])]) |
16 |
+ AC_CHECK_LIB(selinux, getfilecon_raw, [], |
17 |
+ [AC_MSG_ERROR([Missing or incorrect SELinux library])]) |
18 |
+ AC_CHECK_LIB(selinux, freecon, [], |
19 |
+ [AC_MSG_ERROR([Missing or incorrect SELinux library])]) |
20 |
+ fi |
21 |
+ ],[]) |
22 |
+ |
23 |
+AC_SUBST(with_selinux) |
24 |
+if test "$with_selinux" = "yes"; then |
25 |
+ AC_DEFINE(WITH_SELINUX, 1, [Define to 1 if SELinux support is enabled]) |
26 |
+fi |
27 |
+ |
28 |
AC_CHECK_LIB(crypt,crypt,LIBCRYPT="-lcrypt",LIBCRYPT="") |
29 |
AC_CHECK_HEADERS(crypt.h) |
30 |
AC_SUBST(LIBCRYPT) |
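Review bot: Nothing in this hunk sets or substitutes `LIBSELINUX`, yet the rpc.yppasswdd/Makefile.am hunk appends `$(LIBSELINUX)` to `rpc_yppasswdd_LDADD`; unless it is defined elsewhere in configure.ac, that variable expands to nothing. The link presumably succeeds only because `AC_CHECK_LIB` with an empty action-if-found prepends `-lselinux` to the global `LIBS`, which also links every other program in the package against libselinux. Giving the check an explicit action such as `[LIBSELINUX="-lselinux"]` and adding `AC_SUBST(LIBSELINUX)` would confine the dependency to rpc.yppasswdd. `is_selinux_enabled`, which update.c calls, is not among the checked symbols, and `AC_HELP_STRING` is the obsolete spelling of `AS_HELP_STRING`.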
31 |
diff -up ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/Makefile.am.selinux-context ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/Makefile.am |
32 |
--- ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/Makefile.am.selinux-context 2016-11-22 16:40:13.000000000 +0100 |
33 |
+++ ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/Makefile.am 2018-06-13 15:08:56.017432861 +0200 |
34 |
@@ -24,7 +24,7 @@ sbin_PROGRAMS = rpc.yppasswdd |
35 |
|
36 |
rpc_yppasswdd_SOURCES = update.c yppasswd_xdr.c yppasswdd.c |
37 |
|
38 |
-rpc_yppasswdd_LDADD = @PIE_LDFLAGS@ $(top_builddir)/lib/libyp.a $(LIBDBM) $(LIBCRYPT) @SYSTEMD_LIBS@ @NSL_LIBS@ @TIRPC_LIBS@ |
39 |
+rpc_yppasswdd_LDADD = @PIE_LDFLAGS@ $(top_builddir)/lib/libyp.a $(LIBDBM) $(LIBCRYPT) @SYSTEMD_LIBS@ @NSL_LIBS@ @TIRPC_LIBS@ $(LIBSELINUX) |
40 |
rpc_yppasswdd_CFLAGS = @PIE_CFLAGS@ @SYSTEMD_CFLAGS@ @NSL_CFLAGS@ @TIRPC_CFLAGS@ |
41 |
|
42 |
if ENABLE_REGENERATE_MAN |
43 |
diff -up ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/update.c.selinux-context ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/update.c |
44 |
--- ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/update.c.selinux-context 2016-11-22 16:40:13.000000000 +0100 |
45 |
+++ ypserv-5bfba760283060087aefeb417342bcc66d349b2e/rpc.yppasswdd/update.c 2018-07-20 12:01:14.874866767 +0200 |
46 |
@@ -41,6 +41,10 @@ |
47 |
#include "yppwd_local.h" |
48 |
#include "log_msg.h" |
49 |
|
50 |
+#ifdef WITH_SELINUX |
51 |
+#include <selinux/selinux.h> |
52 |
+#endif /* WITH_SELINUX */ |
53 |
+ |
54 |
#ifndef CHECKROOT |
55 |
/* Set to 0 if you don't want to check against the root password |
56 |
of the NIS master server. */ |
57 |
@@ -460,6 +464,9 @@ update_files (yppasswd *yppw, int *shado |
58 |
FILE *oldpf = NULL, *newpf = NULL, *oldsf = NULL, *newsf = NULL; |
59 |
struct stat passwd_stat, shadow_stat; |
60 |
char *rootpass = "x"; |
61 |
+#ifdef WITH_SELINUX |
62 |
+ char *pSelCon = NULL; |
63 |
+#endif /* WITH_SELINUX */ |
64 |
|
65 |
#if CHECKROOT |
66 |
if ((pw = getpwnam ("root")) != NULL) |
67 |
@@ -520,6 +527,39 @@ update_files (yppasswd *yppw, int *shado |
68 |
return 1; |
69 |
} |
70 |
|
71 |
+#ifdef WITH_SELINUX |
72 |
+ if (is_selinux_enabled() == 1) |
73 |
+ { |
74 |
+ /* Get selinux context of the original file */ |
75 |
+ if (getfilecon_raw(path_passwd, &pSelCon) < 0) |
76 |
+ { |
77 |
+ log_msg ("update %.12s (uid=%d) failed", |
78 |
+ yppw->newpw.pw_name, yppw->newpw.pw_uid); |
79 |
+ log_msg ("Can't get selinux context %s: %m", path_passwd); |
80 |
+ freecon(pSelCon); |
81 |
+ fclose (oldpf); |
82 |
+ fclose (newpf); |
83 |
+ unlink (path_passwd_tmp); |
84 |
+ return 1; |
85 |
+ } |
86 |
+ |
87 |
+ /* Set selinux context for tmp file */ |
88 |
+ if (setfilecon_raw(path_passwd_tmp, pSelCon)) |
89 |
+ { |
90 |
+ log_msg ("update %.12s (uid=%d) failed", |
91 |
+ yppw->newpw.pw_name, yppw->newpw.pw_uid); |
92 |
+ log_msg ("Can't set selinux context %s: %m", path_passwd_tmp); |
93 |
+ freecon(pSelCon); |
94 |
+ fclose (oldpf); |
95 |
+ fclose (newpf); |
96 |
+ unlink (path_passwd_tmp); |
97 |
+ return 1; |
98 |
+ } |
99 |
+ freecon(pSelCon); |
100 |
+ pSelCon=NULL; |
101 |
+ } |
102 |
+# endif /* WITH_SELINUX */ |
103 |
+ |
104 |
/* Open the shadow file for reading. */ |
105 |
if ((oldsf = fopen (path_shadow, "r")) != NULL) |
106 |
{ |
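Review bot: The context is read and applied by path (`getfilecon_raw(path_passwd, ...)`, `setfilecon_raw(path_passwd_tmp, ...)`) although the cleanup code shows `oldpf` and `newpf` are already open here, so the label may be taken from or applied to a different file than the one being copied if either path is replaced in between. The descriptor variants, `fgetfilecon_raw(fileno(oldpf), &pSelCon)` and `fsetfilecon_raw(fileno(newpf), pSelCon)`, tie the label to the open files; the shadow hunk further down has the same pattern. Separately, `is_selinux_enabled() == 1` treats the -1 error return the same as "disabled", so the update continues with whatever label the temp file received at creation; failing the update in that case would be the safer default. `update_files` starts and ends outside this hunk.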
107 |
@@ -558,6 +598,37 @@ update_files (yppasswd *yppw, int *shado |
108 |
fclose (oldpf); |
109 |
return 1; |
110 |
} |
111 |
+#ifdef WITH_SELINUX |
112 |
+ if (is_selinux_enabled() == 1) |
113 |
+ { |
114 |
+ if (getfilecon_raw(path_shadow, &pSelCon) < 0) |
115 |
+ { |
116 |
+ log_msg ("update %.12s (uid=%d) failed", |
117 |
+ yppw->newpw.pw_name, yppw->newpw.pw_uid); |
118 |
+ log_msg ("Can't get selinux context %s: %m", path_shadow); |
119 |
+ freecon(pSelCon); |
120 |
+ fclose (newsf); |
121 |
+ fclose (oldsf); |
122 |
+ fclose (newpf); |
123 |
+ fclose (oldpf); |
124 |
+ return 1; |
125 |
+ } |
126 |
+ if (setfilecon_raw(path_shadow_tmp, pSelCon)) |
127 |
+ { |
128 |
+ log_msg ("update %.12s (uid=%d) failed", |
129 |
+ yppw->newpw.pw_name, yppw->newpw.pw_uid); |
130 |
+ log_msg ("Can't set selinux context %s: %m", path_shadow_tmp); |
131 |
+ freecon(pSelCon); |
132 |
+ fclose (newsf); |
133 |
+ fclose (oldsf); |
134 |
+ fclose (newpf); |
135 |
+ fclose (oldpf); |
136 |
+ return 1; |
137 |
+ } |
138 |
+ freecon(pSelCon); |
139 |
+ pSelCon=NULL; |
140 |
+ } |
141 |
+#endif /* WITH_SELINUX */ |
142 |
} |
143 |
|
144 |
/* Loop over all passwd entries */ |
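Review bot: Both new failure branches close the four streams and return without removing the temporary files, whereas the passwd branches added earlier in this patch call `unlink (path_passwd_tmp);` before returning. A failed label copy here therefore leaves path_passwd_tmp and path_shadow_tmp behind; if the daemon relies on those files not existing when it starts an update (not visible in this hunk), later password changes could fail until they are removed by hand. Adding `unlink (path_passwd_tmp);` and `unlink (path_shadow_tmp);` before each `return 1;` would match the passwd path. The pre-existing error branch just above the added block is only partly visible, so it is worth checking whether it needs the same cleanup. The body of `update_files` continues outside the hunk, and the two SELinux blocks are similar enough to share one static helper that takes the source and temp paths.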