author | Martin Kletzander <mkletzan@redhat.com> | 2023-03-03 11:46:33 +0100 |
---|---|---|
committer | Iker Pedrosa <ikerpedrosam@gmail.com> | 2023-05-31 09:44:25 +0200 |
commit | 3c7327842cdcebe15caecb84a14c2b6b6eb10560 (patch) | |
tree | 14d9a4dee2c051b9a831c9ff2efaa668113937d7 | |
parent | b422e3c31691412f0a5404d09f7b328477e23c48 (diff) |
ch(g)passwd: Check selinux permissions upon startup
The permission also needs to be checked before process_root_flag() since
that can chroot into a non-SELinux environment (one where the SELinux mount
point is unavailable, for example).
Signed-off-by: Martin Kletzander <mkletzan@redhat.com>
-rw-r--r-- | src/chgpasswd.c | 6 | ||||
-rw-r--r-- | src/chpasswd.c | 6 |
2 files changed, 12 insertions, 0 deletions
diff --git a/src/chgpasswd.c b/src/chgpasswd.c
index b750994e..fe4055d8 100644
--- a/src/chgpasswd.c
+++ b/src/chgpasswd.c
@@ -424,6 +424,12 @@ int main (int argc, char **argv)
 (void) bindtextdomain (PACKAGE, LOCALEDIR);
 (void) textdomain (PACKAGE);
+#ifdef WITH_SELINUX
+ if (check_selinux_permit ("passwd") != 0) {
+ return (E_NOPERM);
+ }
+#endif /* WITH_SELINUX */
+
 process_root_flag ("-R", argc, argv);
 process_flags (argc, argv);
diff --git a/src/chpasswd.c b/src/chpasswd.c
index 4a04c4f4..3cfd611e 100644
--- a/src/chpasswd.c
+++ b/src/chpasswd.c
@@ -452,6 +452,12 @@ int main (int argc, char **argv)
 (void) bindtextdomain (PACKAGE, LOCALEDIR);
 (void) textdomain (PACKAGE);
+#ifdef WITH_SELINUX
+ if (check_selinux_permit ("passwd") != 0) {
+ return (E_NOPERM);
+ }
+#endif /* WITH_SELINUX */
+
 process_flags (argc, argv);
 salt = get_salt(); |
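Review bot: The new `return (E_NOPERM);` in main() of src/chgpasswd.c exits with no diagnostic at the call site, so unless check_selinux_permit() reports the denial itself (its body is not part of this diff), a refused run leaves only an exit code for the operator and nothing for later audit review. Consider printing a message before returning, for example `fprintf (stderr, _("%s: Permission denied.\n"), Prog);`, assuming the file's program-name variable is already set at this point. The same silent return is added in the src/chpasswd.c hunk. main() begins and continues outside the hunk.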
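Review bot: The ordering requirement that motivates this change is recorded only in the commit description, and in the src/chpasswd.c hunk the process_root_flag() call is not visible, so it cannot be confirmed from here that the check runs before the chroot in that file. A comment above the `#ifdef WITH_SELINUX` block in both files would keep a later reordering from moving the check after the chroot: `/* Must stay before process_root_flag(): after the chroot the SELinux mount point may be unavailable. */`. main() continues outside the hunk.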