libselinux: selinux_check_passwd_access_internal(): respect deny_unknown

`selinux_check_passwd_access_internal()`, and thereby
`checkPasswdAccess(3)` and `selinux_check_passwd_access(3)`, does not
respect the policy defined setting of `deny_unknown`, like
`selinux_check_access(3)` does.
This means in case the security class `passwd` is not defined, success
is returned instead of failure, i.e. permission denied.

Most policies should define the `passwd` class and the two affected
public functions are marked deprecated.

Align the behavior with `selinux_check_access(3)` and respect
the deny_unknown setting in case the security class is not defined.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
This commit is contained in:
Christian Göttsche 2021-05-10 12:12:38 +02:00 committed by Petr Lautrbach
parent d9433692c7
commit a88d24522f
1 changed files with 3 additions and 1 deletions

View File

@ -78,7 +78,9 @@ static int selinux_check_passwd_access_internal(access_vector_t requested)
passwd_class = string_to_security_class("passwd");
if (passwd_class == 0) {
freecon(user_context);
if (security_deny_unknown() == 0)
return 0;
return -1;
}
retval = security_compute_av_raw(user_context,