libuser do not use deprecated flask.h and av_permissions.h

2020-07-30 18:27:34 +08:00 · 2020-07-30 18:27:34 +08:00 · 3ddadb8a12
commit 3ddadb8a12
parent 2443783e18
2 changed files with 100 additions and 18 deletions
--- a/libuser-do-not-use-deprecated-flask.h-and-av_permissions.patch
+++ b/libuser-do-not-use-deprecated-flask.h-and-av_permissions.patch
@ -0,0 +1,78 @@
+From 29d9996dd200916db888d41196f87609bce329ff Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Apr 07 2020 11:55:38 +0000
+Subject: Do not use deprecated flask.h and av_permissions.h
+
+
+selinux/flask.h and selinux/av_permissions.h will be completely dropped in the
+next SELinux release.
+
+Use string_to_security_class() and string_to_av_perm() to get class and
+permission values. The original hardcoded values could be invalid and are
+deprecated as the whole flask.h and av_permissions.h header files.
+
+Fixes: https://pagure.io/libuser/issue/44
+
+---
+
+diff --git a/apps/apputil.c b/apps/apputil.c
+index 1937645..7413ab5 100644
+--- a/apps/apputil.c
+++ b/apps/apputil.c
+@@ -26,8 +26,6 @@
+ #include <unistd.h>
+ #ifdef WITH_SELINUX
+ #include <selinux/selinux.h>
+-#include <selinux/av_permissions.h>
+-#include <selinux/flask.h>
+ #include <selinux/context.h>
+ #endif
+ #include "../lib/error.h"
+@@ -57,7 +55,7 @@ check_access(const char *chuser, access_vector_t access)
+ 
+ 			retval = security_compute_av(user_context,
+ 						     user_context,
+-						     SECCLASS_PASSWD,
+						     string_to_security_class("passwd"),
+  						     access, &avd);
+ 
+ 			if (retval == 0 && (avd.allowed & access) == access)
+@@ -221,19 +219,25 @@ lu_authenticate_unprivileged(struct lu_context *ctx, const char *user,
+ #ifdef WITH_SELINUX
+ 	if (is_selinux_enabled() > 0) {
+ 		/* FIXME: PASSWD_CHSH, PASSWD_PASSWD ? */
+-		if (getuid() == 0 && check_access(user, PASSWD__CHFN) != 0) {
+-			security_context_t user_context;
+		if (getuid() == 0) {
+			security_class_t class;
+			access_vector_t perm;
+			class = string_to_security_class("passwd");
+			perm = string_to_av_perm(class, "chfn");
+			if (check_access(user, perm) != 0) {
+				security_context_t user_context;
+ 
+-			if (getprevcon(&user_context) < 0)
+-				user_context = NULL;
+-			/* FIXME: "change the finger info?" */
+-			fprintf(stderr,
+-				_("%s is not authorized to change the finger "
+-				  "info of %s\n"), user_context ? user_context
+-				: _("Unknown user context"), user);
+-			if (user_context != NULL)
+-				freecon(user_context);
+-			goto err;
+				if (getprevcon(&user_context) < 0)
+					user_context = NULL;
+				/* FIXME: "change the finger info?" */
+				fprintf(stderr,
+					_("%s is not authorized to change the finger "
+					  "info of %s\n"), user_context ? user_context
+					: _("Unknown user context"), user);
+				if (user_context != NULL)
+					freecon(user_context);
+				goto err;
+			}
+ 		}
+ 		/* FIXME: is this right for lpasswd? */
+ 		if (!lu_util_fscreate_from_file("/etc/passwd", NULL)) {
+
--- a/libuser.spec
+++ b/libuser.spec
@ -1,18 +1,18 @@
-Name    : libuser
-Version : 0.62
-Release : 20
-Summary : A user and group account administration library
-License : LGPLv2+
-URL     : https://pagure.io/libuser
-Source  : http://releases.pagure.org/libuser/libuser-%{version}.tar.xz
+Name:    libuser
+Version: 0.62
+Release: 21
+Summary: A user and group account administration library
+License: LGPLv2+
+URL:     https://pagure.io/libuser
+Source:  http://releases.pagure.org/libuser/libuser-%{version}.tar.xz

-# Patch1 : this patch is from fedora.
-Patch1   :    0001-Fix-errors-with-Werror-format-security.patch
-
-Patch9000:    0009-Check-negative-return-of-PyList_Size.patch
-Patch9001:    0010-files.c-Init-char-name-to-NULL.patch
-Patch9002:    0011-merge_ent_array_duplicates-Only-use-values-if-valid.patch
-Patch9003:    0012-editing_open-close-fd-after-we-ve-established-its-va.patch
+# Patch0 : this patch is from fedora.
+Patch0:    0001-Fix-errors-with-Werror-format-security.patch
+Patch1:    0009-Check-negative-return-of-PyList_Size.patch
+Patch2:    0010-files.c-Init-char-name-to-NULL.patch
+Patch3:    0011-merge_ent_array_duplicates-Only-use-values-if-valid.patch
+Patch4:    0012-editing_open-close-fd-after-we-ve-established-its-va.patch
+Patch5:    libuser-do-not-use-deprecated-flask.h-and-av_permissions.patch

 BuildRequires: cyrus-sasl-devel, nscd, linuxdoc-tools, pam-devel, popt-devel, gcc
 BuildRequires: libselinux-devel, openldap-devel, python3-devel, glib2-devel, gdb
@ -65,11 +65,12 @@ Man pages and other related documents for %{name}
 %setup -qc

 pushd libuser-%{version}
+%patch0 -p1
 %patch1 -p1
-%patch9000 -p1
-%patch9001 -p1
-%patch9002 -p1
-%patch9003 -p1
+%patch2 -p1
+%patch3 -p1
+%patch4 -p1
+%patch5 -p1
 popd

 cp -dpR libuser-%{version} python2 || :
@ -151,6 +152,9 @@ make -C python2 install DESTDIR=$RPM_BUILD_ROOT INSTALL='install -p' || :
 %{_mandir}/man5/*

 %changelog
+* Thu Jul 30 2020 zhangxingliang <zhangxingliang3@huawei.com> - 0.62-21
+- do not use deprecated flask.h and av_permissions.h
+
 * Sat Mar 21 2020 chengquan<chengquan3@huawei.com> - 0.62-20
 - add necessary BuildRequires