summaryrefslogtreecommitdiff
path: root/src/sysusers/sysusers.c
diff options
context:
space:
mode:
authorSangjung Woo <sangjung.woo@samsung.com>2015-10-06 19:08:16 +0900
committerSangjung Woo <sangjung.woo@samsung.com>2015-10-07 16:37:25 +0900
commitc02e7b1ecc7d88f6529ca3d1d231536300991a02 (patch)
tree3ea3e71cbc54949ebec3b9f59bd0b2803ad51931 /src/sysusers/sysusers.c
parent69b8a8ebaeaae13e82d44b386555921877bc0309 (diff)
smack: label /etc/passwd and friends as '_' smack label when --with-smack-run-label' is enabled
systemd-sysusers.service unit creates system users and groups and it could update /etc/passwd, /etc/group, /etc/shadow and /etc/gshadow. Those files should have '_' smack label because of accessibility. However, if systemd has its own smack label using '--with-smack-run-label' configuration, systemd-sysusers process spawned by systemd(pid:1) has its parent smack label and eventually updated files also is set as its parent smack label. This patch fixes that bug by labeling updated files as '_' smack label when --with-smack-run-label' is enabled.
Diffstat (limited to 'src/sysusers/sysusers.c')
-rw-r--r--src/sysusers/sysusers.c34
1 files changed, 22 insertions, 12 deletions
diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index 07494e764b..ba09727080 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -38,6 +38,7 @@
#include "uid-range.h"
#include "utf8.h"
#include "util.h"
+#include "smack-util.h"
typedef enum ItemType {
ADD_USER = 'u',
@@ -352,6 +353,19 @@ static int sync_rights(FILE *from, FILE *to) {
return 0;
}
+static int rename_and_apply_smack(const char *temp_path, const char *dest_path) {
+ int r = 0;
+ if (rename(temp_path, dest_path) < 0)
+ return -errno;
+
+#ifdef SMACK_RUN_LABEL
+ r = mac_smack_apply(dest_path, SMACK_ATTR_ACCESS, SMACK_FLOOR_LABEL);
+ if (r < 0)
+ return r;
+#endif
+ return r;
+}
+
static int write_files(void) {
_cleanup_fclose_ FILE *passwd = NULL, *group = NULL, *shadow = NULL, *gshadow = NULL;
@@ -698,36 +712,32 @@ static int write_files(void) {
/* And make the new files count */
if (group_changed) {
if (group) {
- if (rename(group_tmp, group_path) < 0) {
- r = -errno;
+ r = rename_and_apply_smack(group_tmp, group_path);
+ if (r < 0)
goto finish;
- }
group_tmp = mfree(group_tmp);
}
if (gshadow) {
- if (rename(gshadow_tmp, gshadow_path) < 0) {
- r = -errno;
+ r = rename_and_apply_smack(gshadow_tmp, gshadow_path);
+ if (r < 0)
goto finish;
- }
gshadow_tmp = mfree(gshadow_tmp);
}
}
if (passwd) {
- if (rename(passwd_tmp, passwd_path) < 0) {
- r = -errno;
+ r = rename_and_apply_smack(passwd_tmp, passwd_path);
+ if (r < 0)
goto finish;
- }
passwd_tmp = mfree(passwd_tmp);
}
if (shadow) {
- if (rename(shadow_tmp, shadow_path) < 0) {
- r = -errno;
+ r = rename_and_apply_smack(shadow_tmp, shadow_path);
+ if (r < 0)
goto finish;
- }
shadow_tmp = mfree(shadow_tmp);
}