Christian Göttsche <cgzones@xxxxxxxxxxxxxx> writes:

> `selinux_check_passwd_access_internal()`, and thereby
> `checkPasswdAccess(3)` and `selinux_check_passwd_access(3)`, does not
> respect the policy defined setting of `deny_unknown`, like
> `selinux_check_access(3)` does.
> This means in case the security class `passwd` is not defined, success
> is returned instead of failure, i.e. permission denied.
>
> Most policies should define the `passwd` class and the two affected
> public functions are marked deprecated.
>
> Align the behavior with `selinux_check_passwd_access(3)` and respect

Should it be "Align the behavior with `selinux_check_access(3)`" ?

> the deny_unknown setting in case the security class is not defined.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

Acked-by: Petr Lautrbach <plautrba@xxxxxxxxxx>

> ---
>  libselinux/src/checkAccess.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
> index b337ea64..022cd6b5 100644
> --- a/libselinux/src/checkAccess.c
> +++ b/libselinux/src/checkAccess.c
> @@ -78,7 +78,9 @@ static int selinux_check_passwd_access_internal(access_vector_t requested)
>  	passwd_class = string_to_security_class("passwd");
>  	if (passwd_class == 0) {
>  		freecon(user_context);
> -		return 0;
> +		if (security_deny_unknown() == 0)
> +			return 0;
> +		return -1;
>  	}
>
>  	retval = security_compute_av_raw(user_context,
> --
> 2.31.1
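Review bot: the new `return -1;` path in the `passwd_class == 0` branch leaves errno untouched, so a caller of the deprecated `checkPasswdAccess(3)` / `selinux_check_passwd_access(3)` wrappers cannot distinguish "the `passwd` class is not defined in the loaded policy" from an ordinary denial; consider setting errno (EINVAL would match the unknown-class case) and emitting a log line before returning, so the cause is visible when a policy without the class is loaded. Also worth noting in a short comment that `security_deny_unknown()` returning a negative value (an error reading the setting) falls through to `return -1;` as well, i.e. the branch fails closed; that is the right choice for an access check but reads like an accident without a comment and is easy to "fix" into an allow later.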