From d519580bd638ceb48829ae66557ca3c5941b4a5f Mon Sep 17 00:00:00 2001
From: Florian Festi <ffesti@redhat.com>
Date: Wed, 4 May 2016 14:05:06 +0200
Subject: [PATCH] Set permissions before moving new files to their final place

---
 lib/fsm.c | 37 ++++++++++++++++++++-----------------
 1 file changed, 20 insertions(+), 17 deletions(-)

diff --git a/lib/fsm.c b/lib/fsm.c
index 1ee7e67..3bb23a4 100644
--- a/lib/fsm.c
+++ b/lib/fsm.c
@@ -621,14 +621,15 @@ static FSM_t fsmFree(FSM_t fsm)
 
 /* Find and set file security context */
 static int fsmSetSELabel(struct selabel_handle *sehandle,
-			 const char *path, mode_t mode)
+			 const char *path, const char * nominalpath,
+			 mode_t mode)
 {
     int rc = 0;
 #if WITH_SELINUX
     if (sehandle) {
 	security_context_t scon = NULL;
 
-	if (selabel_lookup_raw(sehandle, &scon, path, mode) == 0) {
+	if (selabel_lookup_raw(sehandle, &scon, nominalpath, mode) == 0) {
 	    rc = lsetfilecon(path, scon);
 
 	    if (_fsm_debug) {
@@ -1215,7 +1216,7 @@ static int fsmMkdirs(rpmfi fi, rpmfs fs, struct selabel_handle *sehandle)
 		mode_t mode = S_IFDIR | (_dirPerms & 07777);
 		rc = fsmMkdir(dn, mode);
 		if (!rc) {
-		    rc = fsmSetSELabel(sehandle, dn, mode);
+		    rc = fsmSetSELabel(sehandle, dn, dn, mode);
 
 		    rpmlog(RPMLOG_DEBUG,
 			    "%s directory created with perms %04o\n",
@@ -1534,22 +1535,11 @@ static int fsmCommit(FSM_t fsm, int ix)
 	/* Backup on-disk file if needed. Directories are handled earlier */
 	if (!S_ISDIR(st->st_mode))
 	    rc = fsmBackup(fsm);
-        /* Rename temporary to final file name. */
-        if (!S_ISDIR(st->st_mode) && (fsm->suffix || fsm->nsuffix)) {
-            char *npath = fsmFsPath(fsm, 0, fsm->nsuffix);
-            rc = fsmRename(fsm->path, npath, fsm->mapFlags);
-            if (!rc && fsm->nsuffix) {
-                char * opath = fsmFsPath(fsm, 0, NULL);
-                rpmlog(RPMLOG_WARNING, _("%s created as %s\n"),
-                       opath, npath);
-                free(opath);
-            }
-            free(fsm->path);
-            fsm->path = npath;
-        }
         /* Set file security context (if enabled) */
         if (!rc && !getuid()) {
-            rc = fsmSetSELabel(fsm->sehandle, fsm->path, fsm->sb.st_mode);
+	    char * opath = fsmFsPath(fsm, 0, NULL);
+	    rc = fsmSetSELabel(fsm->sehandle, fsm->path, opath, fsm->sb.st_mode);
+	    opath = _free(opath);
         }
         if (S_ISLNK(st->st_mode)) {
             if (!rc && !getuid())
@@ -1571,6 +1561,19 @@ static int fsmCommit(FSM_t fsm, int ix)
                 rc = fsmSetFCaps(fsm->path, rpmfiFCapsIndex(fi, ix));
             }
         }
+        /* Rename temporary to final file name. */
+        if (!rc && !S_ISDIR(st->st_mode) && (fsm->suffix || fsm->nsuffix)) {
+            char *npath = fsmFsPath(fsm, 0, fsm->nsuffix);
+            rc = fsmRename(fsm->path, npath, fsm->mapFlags);
+            if (!rc && fsm->nsuffix) {
+                char * opath = fsmFsPath(fsm, 0, NULL);
+                rpmlog(RPMLOG_WARNING, _("%s created as %s\n"),
+                       opath, npath);
+                free(opath);
+            }
+            free(fsm->path);
+            fsm->path = npath;
+        }
     }
 
     if (rc && fsm->failedFile && *fsm->failedFile == NULL) {
-- 
2.5.5