libselinux: selinux_check_passwd_access_internal(): respect deny_unknown

`selinux_check_passwd_access_internal()`, and thereby `checkPasswdAccess(3)` and `selinux_check_passwd_access(3)`, does not respect the policy defined setting of `deny_unknown`, like `selinux_check_access(3)` does. This means in case the security class `passwd` is not defined, success is returned instead of failure, i.e. permission denied. Most policies should define the `passwd` class and the two affected public functions are marked deprecated. Align the behavior with `selinux_check_access(3)` and respect the deny_unknown setting in case the security class is not defined. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
sailfishos-mirror · May 12, 2021 · a88d245 · a88d245
1 parent d943369
commit a88d245
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
@@ -78,7 +78,9 @@ static int selinux_check_passwd_access_internal(access_vector_t requested)
 		passwd_class = string_to_security_class("passwd");
 		if (passwd_class == 0) {
 			freecon(user_context);
-			return 0;
+			if (security_deny_unknown() == 0)
+				return 0;
+			return -1;
 		}
 
 		retval = security_compute_av_raw(user_context,