F_OK access checks only work properly as long as all directories along the path are accessible to real user running the program. Replace F_OK access checks by testing return value of open, write, etc. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186431 --- libsemanage/src/direct_api.c | 40 +++++++++++++++------------------------- 1 file changed, 15 insertions(+), 25 deletions(-) diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c index dc46f8f..508277d 100644 --- a/libsemanage/src/direct_api.c +++ b/libsemanage/src/direct_api.c @@ -342,10 +342,6 @@ static int semanage_direct_disconnect(semanage_handle_t * sh) static int semanage_direct_begintrans(semanage_handle_t * sh) { - - if (semanage_access_check(sh) != SEMANAGE_CAN_WRITE) { - return -1; - } if (semanage_get_trans_lock(sh) < 0) { return -1; } @@ -1491,33 +1487,27 @@ rebuild: } path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL); - if (access(path, F_OK) == 0) { - retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL), - semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL), - sh->conf->file_mode); - if (retval < 0) { - goto cleanup; - } + retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC_LOCAL), + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC_LOCAL), + sh->conf->file_mode); + if (retval < 0 && errno != ENOENT) { + goto cleanup; } path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC); - if (access(path, F_OK) == 0) { - retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC), - semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC), - sh->conf->file_mode); - if (retval < 0) { - goto cleanup; - } + retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_FC), + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_FC), + sh->conf->file_mode); + if (retval < 0 && errno != ENOENT) { + goto cleanup; } path = semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS); - if (access(path, F_OK) == 0) { - retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS), - semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS), - sh->conf->file_mode); - if (retval < 0) { - goto cleanup; - } + retval = semanage_copy_file(semanage_path(SEMANAGE_TMP, SEMANAGE_STORE_SEUSERS), + semanage_final_path(SEMANAGE_FINAL_TMP, SEMANAGE_SEUSERS), + sh->conf->file_mode); + if (retval < 0 && errno != ENOENT) { + goto cleanup; } /* run genhomedircon if its enabled, this should be the last operation -- 2.9.3
