useradd: generate /var/spool/mail/$USER with the proper SELinux user identity

Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
This commit is contained in:
ikerexxe 2020-02-05 15:04:39 +01:00
parent 2cc7da6058
commit 8a1e92aff1

View File

@ -190,6 +190,7 @@ static bool home_added = false;
#define E_NAME_IN_USE 9 /* username already in use */ #define E_NAME_IN_USE 9 /* username already in use */
#define E_GRP_UPDATE 10 /* can't update group file */ #define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't create home directory */ #define E_HOMEDIR 12 /* can't create home directory */
#define E_MAILBOXFILE 13 /* can't create mailbox file */
#define E_SE_UPDATE 14 /* can't update SELinux user mapping */ #define E_SE_UPDATE 14 /* can't update SELinux user mapping */
#ifdef ENABLE_SUBIDS #ifdef ENABLE_SUBIDS
#define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */ #define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
@ -2210,6 +2211,16 @@ static void create_mail (void)
sprintf (file, "%s/%s/%s", prefix, spool, user_name); sprintf (file, "%s/%s/%s", prefix, spool, user_name);
else else
sprintf (file, "%s/%s", spool, user_name); sprintf (file, "%s/%s", spool, user_name);
#ifdef WITH_SELINUX
if (set_selinux_file_context (file) != 0) {
fprintf (stderr,
_("%s: cannot set SELinux context for mailbox file %s\n"),
Prog, file);
fail_exit (E_MAILBOXFILE);
}
#endif
fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0); fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0);
if (fd < 0) { if (fd < 0) {
perror (_("Creating mailbox file")); perror (_("Creating mailbox file"));
@ -2234,6 +2245,15 @@ static void create_mail (void)
fsync (fd); fsync (fd);
close (fd); close (fd);
#ifdef WITH_SELINUX
/* Reset SELinux to create files with default contexts */
if (reset_selinux_file_context () != 0) {
fprintf (stderr,
_("%s: cannot reset SELinux file creation context\n"),
Prog);
fail_exit (E_MAILBOXFILE);
}
#endif
} }
} }