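--- ypserv-2.31/rpc.yppasswdd/Makefile.am.selinux-context 2016-01-25 15:39:35.038050672 +0100
+++ ypserv-2.31/rpc.yppasswdd/Makefile.am 2016-01-25 15:39:56.203036632 +0100
@@ -26,7 +26,7 @@
 
 rpc_yppasswdd_LDFLAGS = -Wl,-z,relro,-z,now
 
-rpc_yppasswdd_LDADD = @PIE_LDFLAGS@ $(top_builddir)/lib/libyp.a $(LIBDBM) $(LIBCRYPT) $(LIBSYSTEMD_DAEMON)
+rpc_yppasswdd_LDADD = @PIE_LDFLAGS@ $(top_builddir)/lib/libyp.a $(LIBDBM) $(LIBCRYPT) $(LIBSYSTEMD_DAEMON) $(LIBSELINUX)
 rpc_yppasswdd_CFLAGS = @PIE_CFLAGS@
 
 if ENABLE_REGENERATE_MAN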
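--- ypserv-2.31/configure.in.selinux-context.patch 2016-01-25 16:07:01.662180676 +0100
+++ ypserv-2.31/configure.in 2016-01-25 16:07:57.116157640 +0100
@@ -243,6 +243,26 @@
 echo ""
 exit
 fi
+AC_ARG_WITH(selinux,
+ [AC_HELP_STRING([--with-selinux@<:@=yes|no@:>@],[Enables SELinux support [no]])],
+
+ [ if test "$withval" = "yes"; then
+ AC_CHECK_HEADERS([selinux/selinux.h], [],
+ [AC_MSG_ERROR([Missing SELinux header files])])
+ AC_CHECK_LIB(selinux, setfilecon_raw, [],
+ [AC_MSG_ERROR([Missing or incorrect SELinux library])])
+ AC_CHECK_LIB(selinux, getfilecon_raw, [],
+ [AC_MSG_ERROR([Missing or incorrect SELinux library])])
+ AC_CHECK_LIB(selinux, freecon, [],
+ [AC_MSG_ERROR([Missing or incorrect SELinux library])])
+ fi
+ ],[])
+
+AC_SUBST(with_selinux)
+if test "$with_selinux" = "yes"; then
+ AC_DEFINE(WITH_SELINUX, 1, [Define to 1 if SELinux support is enabled])
+fi
+
 
 AC_CHECK_LIB(xcrypt,crypt,LIBCRYPT="-lxcrypt",LIBCRYPT="")
 if test -z "$LIBCRYPT" ; then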
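Review bot: The library probes at `AC_CHECK_LIB(selinux, setfilecon_raw, ...)`, `getfilecon_raw` and `freecon` do not cover `is_selinux_enabled`, which the update.c hunk of this patch calls before either of them in both SELinux blocks; a fourth probe, `AC_CHECK_LIB(selinux, is_selinux_enabled, [], [AC_MSG_ERROR([Missing or incorrect SELinux library])])`, keeps the configure check aligned with the symbols the code actually uses. `AC_HELP_STRING` on the second added line is the obsolete spelling; `AS_HELP_STRING` takes the same arguments and is what current autoconf documents. The `$withval` test only accepts the literal `yes`, so a bare `--with-selinux` enables support while any other spelling of the value silently leaves it off; if that is intended, the help string could say so.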
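--- ypserv-2.31/rpc.yppasswdd/update.c.selinux-context 2013-04-10 16:42:51.000000000 +0200
+++ ypserv-2.31/rpc.yppasswdd/update.c 2018-01-09 08:49:08.165461843 +0100
@@ -42,6 +42,9 @@
 #ifdef HAVE_SHADOW_H
 #include <shadow.h>
 #endif
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif /* WITH_SELINUX */
 #include "compat.h"
 
 #ifndef CHECKROOT
@@ -448,6 +451,9 @@
 FILE *oldpf = NULL, *newpf = NULL, *oldsf = NULL, *newsf = NULL;
 struct stat passwd_stat, shadow_stat;
 char *rootpass = "x";
+#ifdef WITH_SELINUX
+ char *pSelCon = NULL;
+#endif /* WITH_SELINUX */
 
 #if CHECKROOT
 if ((pw = getpwnam ("root")) != NULL)
@@ -489,6 +495,7 @@
 return 1;
 }
 
+
 /* Open a temp passwd file */
 if ((newpf = fopen (path_passwd_tmp, "w+")) == NULL)
 {
@@ -497,6 +504,7 @@
 fclose (oldpf);
 return 1;
 }
+
 chmod (path_passwd_tmp, passwd_stat.st_mode);
 if (chown (path_passwd_tmp, passwd_stat.st_uid, passwd_stat.st_gid) == -1)
 {
@@ -507,42 +515,104 @@
 return 1;
 }
 
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled() == 1)
+ {
+ /* Get selinux context of the original file */
+ if (getfilecon_raw(path_passwd, &pSelCon) < 0)
+ {
+ log_msg ("%s failed", logbuf);
+ log_msg ("Can't get selinux context %s: %m", path_passwd);
+ freecon(pSelCon);
+ fclose (oldpf);
+ fclose (newpf);
+ unlink (path_passwd_tmp);
+ return 1;
+ }
+
+ /* Set selinux context for tmp file */
+ if (setfilecon_raw(path_passwd_tmp, pSelCon))
+ {
+ log_msg ("%s failed", logbuf);
+ log_msg ("Can't set selinux context %s: %m", path_passwd_tmp);
+ freecon(pSelCon);
+ fclose (oldpf);
+ fclose (newpf);
+ unlink (path_passwd_tmp);
+ return 1;
+ }
+ freecon(pSelCon);
+ pSelCon=NULL;
+ }
+# endif /* WITH_SELINUX */
+
 #ifdef HAVE_GETSPNAM
 /* Open the shadow file for reading. */
 if ((oldsf = fopen (path_shadow, "r")) != NULL)
 {
 if (fstat (fileno (oldsf), &shadow_stat) < 0)
- {
- log_msg ("%s failed", logbuf);
- log_msg ("Can't stat %s: %m", path_shadow);
- fclose (oldpf);
- fclose (newpf);
- fclose (oldsf);
- return 1;
- }
+ {
+ log_msg ("%s failed", logbuf);
+ log_msg ("Can't stat %s: %m", path_shadow);
+ fclose (oldpf);
+ fclose (newpf);
+ fclose (oldsf);
+ return 1;
+ }
+
 
 if ((newsf = fopen (path_shadow_tmp, "w+")) == NULL)
- {
- int err = errno;
- log_msg ("%s failed", logbuf);
- log_msg ("Can't open %s.tmp: %s",
- path_passwd, strerror (err));
- fclose (oldsf);
- fclose (newpf);
- fclose (oldpf);
- return 1;
- }
+ {
+ int err = errno;
+ log_msg ("%s failed", logbuf);
+ log_msg ("Can't open %s.tmp: %s",
+ path_passwd, strerror (err));
+ fclose (oldsf);
+ fclose (newpf);
+ fclose (oldpf);
+ return 1;
+ }
 chmod (path_shadow_tmp, shadow_stat.st_mode);
 if (chown (path_shadow_tmp, shadow_stat.st_uid,
- shadow_stat.st_gid) == -1)
- {
- log_msg ("chown failed", strerror (errno));
- fclose (newsf);
- fclose (oldsf);
- fclose (newpf);
- fclose (oldpf);
- return 1;
- }
+ shadow_stat.st_gid) == -1)
+ {
+ log_msg ("chown failed", strerror (errno));
+ fclose (newsf);
+ fclose (oldsf);
+ fclose (newpf);
+ fclose (oldpf);
+ return 1;
+ }
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled() == 1)
+ {
+ if (getfilecon_raw(path_shadow, &pSelCon) < 0)
+ {
+ log_msg ("%s failed", logbuf);
+ log_msg ("Can't get selinux context %s: %m", path_shadow);
+ freecon(pSelCon);
+ fclose (newsf);
+ fclose (oldsf);
+ fclose (newpf);
+ fclose (oldpf);
+ return 1;
+ }
+ if (setfilecon_raw(path_shadow_tmp, pSelCon))
+ {
+ log_msg ("%s failed", logbuf);
+ log_msg ("Can't set selinux context %s: %m", path_shadow_tmp);
+ freecon(pSelCon);
+ fclose (newsf);
+ fclose (oldsf);
+ fclose (newpf);
+ fclose (oldpf);
+ return 1;
+ }
+ freecon(pSelCon);
+ pSelCon=NULL;
+ }
+#endif /* WITH_SELINUX */
+
 }
 #endif /* HAVE_GETSPNAM */
 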
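Review bot: The two new failure branches for the shadow file (after `getfilecon_raw(path_shadow, &pSelCon)` and `setfilecon_raw(path_shadow_tmp, pSelCon)`) return without removing the temp files, while the passwd branch earlier in this hunk does `unlink (path_passwd_tmp);` before `return 1;`; the pre-existing fopen/chown branches for `path_shadow_tmp` also leave them behind, so this may be deliberate, but each new exit now leaves an empty `path_shadow_tmp` that already carries the shadow file's mode and owner, and `unlink (path_shadow_tmp); unlink (path_passwd_tmp);` in the new branches (or one shared cleanup label for the whole function) would make the two paths behave alike. The `freecon(pSelCon)` call in each `getfilecon_raw` failure branch frees a pointer the failed call did not assign; as far as I know libselinux leaves the output untouched on failure, so it is only safe because `pSelCon` starts as NULL and is reset at `pSelCon=NULL;` after each block, which deserves a comment such as `/* pSelCon is still NULL here; freecon() is a no-op */` or simply dropping the call. The re-indented line `log_msg ("chown failed", strerror (errno));` passes an errno string that the format never prints; `log_msg ("chown failed: %s", strerror (errno));` is presumably what was meant, and the same applies to the passwd chown branch if it uses that wording. As a style point, the passwd block is closed with `# endif /* WITH_SELINUX */` but the shadow block with `#endif /* WITH_SELINUX */`, and the same -1/0 return convention is tested as `< 0` for `getfilecon_raw` but by truthiness for `setfilecon_raw`. The enclosing function begins before and ends after this hunk.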