migrate to new SELinux api
Using hard-coded access vector ids is deprecated and can lead to issues with custom SELinux policies. Switch to `selinux_check_access()`. Also use the libselinux log callback and log if available to audit. This makes it easier for users to catch SELinux denials. Drop legacy shortcut logic for passwd, which avoided a SELinux check if uid 0 changes a password of a user which username equals the current SELinux user identifier. Nowadays usernames rarely match SELinux user identifiers and the benefit of skipping a SELinux check is negligible. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
This commit is contained in:
Christian Göttsche
@ -336,6 +336,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
|
||||
#ifdef WITH_SELINUX
|
||||
extern int set_selinux_file_context (const char *dst_name);
|
||||
extern int reset_selinux_file_context (void);
|
||||
extern int check_selinux_permit (const char *perm_name);
|
||||
#endif
|
||||
|
||||
/* semanage.c */
|
||||
|
||||
Reference in New Issue
Block a user