generate mail USER with proper selinux identity

2020-06-28 10:59:56 +08:00 · 2020-06-28 10:59:56 +08:00 · 30f4f6d7f5
commit 30f4f6d7f5
parent 14deac09ac
2 changed files with 66 additions and 1 deletions
--- a/generate-mail-USER-with-the-proper-selinux-identity.patch
+++ b/generate-mail-USER-with-the-proper-selinux-identity.patch
@ -0,0 +1,61 @@
+From 8a1e92aff17be6266d0dc89321082e062af05832 Mon Sep 17 00:00:00 2001
+From: ikerexxe <ipedrosa@redhat.com>
+Date: Wed, 5 Feb 2020 15:04:39 +0100
+Subject: [PATCH] useradd: generate /var/spool/mail/$USER with the proper
+ SELinux user identity
+
+Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
+---
+ src/useradd.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a679392d..645d4a40 100644
+--- a/src/useradd.c
+++ b/src/useradd.c
+@@ -190,6 +190,7 @@ static bool home_added = false;
+ #define E_NAME_IN_USE	9	/* username already in use */
+ #define E_GRP_UPDATE	10	/* can't update group file */
+ #define E_HOMEDIR	12	/* can't create home directory */
+#define E_MAILBOXFILE	13	/* can't create mailbox file */
+ #define E_SE_UPDATE	14	/* can't update SELinux user mapping */
+ #ifdef ENABLE_SUBIDS
+ #define E_SUB_UID_UPDATE 16	/* can't update the subordinate uid file */
+@@ -2210,6 +2211,16 @@ static void create_mail (void)
+ 			sprintf (file, "%s/%s/%s", prefix, spool, user_name);
+ 		else
+ 			sprintf (file, "%s/%s", spool, user_name);
+
+#ifdef WITH_SELINUX
+		if (set_selinux_file_context (file) != 0) {
+			fprintf (stderr,
+			         _("%s: cannot set SELinux context for mailbox file %s\n"),
+			         Prog, file);
+			fail_exit (E_MAILBOXFILE);
+		}
+#endif
+
+ 		fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0);
+ 		if (fd < 0) {
+ 			perror (_("Creating mailbox file"));
+@@ -2234,6 +2245,15 @@ static void create_mail (void)
+ 
+ 		fsync (fd);
+ 		close (fd);
+#ifdef WITH_SELINUX
+		/* Reset SELinux to create files with default contexts */
+		if (reset_selinux_file_context () != 0) {
+			fprintf (stderr,
+			         _("%s: cannot reset SELinux file creation context\n"),
+			         Prog);
+			fail_exit (E_MAILBOXFILE);
+		}
+#endif
+ 	}
+ }
+ 
+-- 
+2.24.1
+
--- a/shadow.spec
+++ b/shadow.spec
@ -1,6 +1,6 @@
 Name: shadow
 Version: 4.8.1
-Release: 2
+Release: 3
 Epoch: 2
 License: BSD and GPLv2+
 Summary: Tools for managing accounts and shadow password files
@ -22,6 +22,7 @@ Patch5:  selinux-flag.patch
 Patch6:  add-home_mode-xml-file.patch
 Patch7:  shadow-4.1.5.1-var-lock.patch
 Patch8:  shadow-utils-fix-lock-file-residue.patch
+Patch9:  generate-mail-USER-with-the-proper-selinux-identity.patch

 BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
 BuildRequires: libacl-devel, libattr-devel gdb
@ -168,6 +169,9 @@ done
 %{_mandir}/*/*

 %changelog
+* Sun Jun 28 2020 Anakin Zhang<benjamin93@163.com> - 2:4.8.1-3
+- generate /var/spool/mail/$USER with the proper SELinux user identity
+
 * Tue May 12 2020 steven<steven_ygui@163.com> - 2:4.8.1-2
 - Enable --with-libpam config during compiling