diff --git a/generate-mail-USER-with-the-proper-selinux-identity.patch b/generate-mail-USER-with-the-proper-selinux-identity.patch
new file mode 100644
index 0000000..d36dce0
--- /dev/null
+++ b/generate-mail-USER-with-the-proper-selinux-identity.patch
@@ -0,0 +1,61 @@
+From 8a1e92aff17be6266d0dc89321082e062af05832 Mon Sep 17 00:00:00 2001
+From: ikerexxe
+Date: Wed, 5 Feb 2020 15:04:39 +0100
+Subject: [PATCH] useradd: generate /var/spool/mail/$USER with the proper
+ SELinux user identity
+
+Explanation: use set_selinux_file_context() and reset_selinux_file_context() for create_mail() just as is done for create_home()
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1690527
+---
+ src/useradd.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+diff --git a/src/useradd.c b/src/useradd.c
+index a679392d..645d4a40 100644
+--- a/src/useradd.c
++++ b/src/useradd.c
+@@ -190,6 +190,7 @@ static bool home_added = false;
+ #define E_NAME_IN_USE 9 /* username already in use */
+ #define E_GRP_UPDATE 10 /* can't update group file */
+ #define E_HOMEDIR 12 /* can't create home directory */
++#define E_MAILBOXFILE 13 /* can't create mailbox file */
+ #define E_SE_UPDATE 14 /* can't update SELinux user mapping */
+ #ifdef ENABLE_SUBIDS
+ #define E_SUB_UID_UPDATE 16 /* can't update the subordinate uid file */
+@@ -2210,6 +2211,16 @@ static void create_mail (void)
+ sprintf (file, "%s/%s/%s", prefix, spool, user_name);
+ else
+ sprintf (file, "%s/%s", spool, user_name);
++
++#ifdef WITH_SELINUX
++ if (set_selinux_file_context (file) != 0) {
++ fprintf (stderr,
++ _("%s: cannot set SELinux context for mailbox file %s\n"),
++ Prog, file);
++ fail_exit (E_MAILBOXFILE);
++ }
++#endif
++
+ fd = open (file, O_CREAT | O_WRONLY | O_TRUNC | O_EXCL, 0);
+ if (fd < 0) {
+ perror (_("Creating mailbox file"));
+@@ -2234,6 +2245,15 @@ static void create_mail (void)
+
+ fsync (fd);
+ close (fd);
++#ifdef WITH_SELINUX
++ /* Reset SELinux to create files with default contexts */
++ if (reset_selinux_file_context () != 0) {
++ fprintf (stderr,
++ _("%s: cannot reset SELinux file creation context\n"),
++ Prog);
++ fail_exit (E_MAILBOXFILE);
++ }
++#endif
+ }
+ }
+
+--
+2.24.1
+
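Review bot: The file-creation context armed by `set_selinux_file_context (file)` in the second useradd.c hunk is only cleared by the `reset_selinux_file_context ()` added after `close (fd)` in the third hunk, so the `if (fd < 0)` branch between them — which prints `perror (_("Creating mailbox file"))` and, judging by the surrounding code, leaves create_mail without reaching the reset — keeps the mailbox context in force for whatever file the process creates next. Add the reset to that branch before it leaves, `#ifdef WITH_SELINUX` / `(void) reset_selinux_file_context ();` / `#endif`, or route every exit taken after the set through the reset. The new exit status `E_MAILBOXFILE 13` is introduced in the first hunk but not documented anywhere in the patch; if useradd's man page enumerates exit values, 13 belongs there too. create_mail begins and ends outside the visible hunks.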
diff --git a/shadow.spec b/shadow.spec
index 729c8f8..7d6e4d8 100644
--- a/shadow.spec
+++ b/shadow.spec
@@ -1,6 +1,6 @@
 Name: shadow
 Version: 4.8.1
-Release: 2
+Release: 3
 Epoch: 2
 License: BSD and GPLv2+
 Summary: Tools for managing accounts and shadow password files
@@ -22,6 +22,7 @@ Patch5: selinux-flag.patch
 Patch6: add-home_mode-xml-file.patch
 Patch7: shadow-4.1.5.1-var-lock.patch
 Patch8: shadow-utils-fix-lock-file-residue.patch
+Patch9: generate-mail-USER-with-the-proper-selinux-identity.patch
 BuildRequires: gcc, libselinux-devel, audit-libs-devel, libsemanage-devel
 BuildRequires: libacl-devel, libattr-devel gdb
@@ -168,6 +169,9 @@ done
 %{_mandir}/*/*
 %changelog
+* Sun Jun 28 2020 Anakin Zhang - 2:4.8.1-3
+- generate /var/spool/mail/$USER with the proper SELinux user identity
+
 * Tue May 12 2020 steven - 2:4.8.1-2
 - Enable --with-libpam config during compiling
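Review bot: `Patch9:` is declared in the second hunk but nothing visible applies it; whether it takes effect depends on the %prep section, which is outside this diff. If %prep applies patches with explicit `%patchN -p1` lines rather than `%autosetup`, a matching `%patch9 -p1` is needed, otherwise the package is rebuilt with the new Release and changelog entry while useradd keeps the old mailbox-creation behaviour. Worth confirming by checking that the build log shows the patch being applied.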