|
 |
4fb1b2 |
diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c
|
|
|
4fb1b2 |
--- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200
|
|
|
4fb1b2 |
+++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200
|
|
|
4fb1b2 |
@@ -961,7 +961,7 @@ int commonio_close (struct commonio_db *
|
|
|
4fb1b2 |
snprintf (buf, sizeof buf, "%s-", db->filename);
|
|
|
4fb1b2 |
|
|
|
4fb1b2 |
#ifdef WITH_SELINUX
|
|
|
4fb1b2 |
- if (set_selinux_file_context (buf) != 0) {
|
|
|
4fb1b2 |
+ if (set_selinux_file_context (buf, db->filename) != 0) {
|
|
|
4fb1b2 |
errors++;
|
|
|
4fb1b2 |
}
|
|
|
4fb1b2 |
#endif
|
|
|
4fb1b2 |
@@ -994,7 +994,7 @@ int commonio_close (struct commonio_db *
|
|
|
4fb1b2 |
snprintf (buf, sizeof buf, "%s+", db->filename);
|
|
|
4fb1b2 |
|
|
|
4fb1b2 |
#ifdef WITH_SELINUX
|
|
|
4fb1b2 |
- if (set_selinux_file_context (buf) != 0) {
|
|
|
4fb1b2 |
+ if (set_selinux_file_context (buf, db->filename) != 0) {
|
|
|
4fb1b2 |
errors++;
|
|
|
4fb1b2 |
}
|
|
|
4fb1b2 |
#endif
|
|
|
4fb1b2 |
diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c
|
|
|
4fb1b2 |
--- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200
|
|
|
4fb1b2 |
+++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200
|
|
|
4fb1b2 |
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
|
|
|
4fb1b2 |
*/
|
|
|
4fb1b2 |
|
|
|
4fb1b2 |
#ifdef WITH_SELINUX
|
|
|
4fb1b2 |
- if (set_selinux_file_context (dst) != 0) {
|
|
|
4fb1b2 |
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
|
|
4fb1b2 |
return -1;
|
|
|
4fb1b2 |
}
|
|
|
4fb1b2 |
#endif /* WITH_SELINUX */
|
|
|
4fb1b2 |
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
|
|
|
4fb1b2 |
}
|
|
|
4fb1b2 |
|
|
|
4fb1b2 |
#ifdef WITH_SELINUX
|
|
|
4fb1b2 |
- if (set_selinux_file_context (dst) != 0) {
|
|
|
4fb1b2 |
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
|
|
4fb1b2 |
free (oldlink);
|
|
|
4fb1b2 |
return -1;
|
|
|
4fb1b2 |
}
|
|
|
4fb1b2 |
@@ -684,7 +684,7 @@ static int copy_special (const char *src
|
|
|
4fb1b2 |
int err = 0;
|
|
|
4fb1b2 |
|
|
|
4fb1b2 |
#ifdef WITH_SELINUX
|
|
|
4fb1b2 |
- if (set_selinux_file_context (dst) != 0) {
|
|
|
4fb1b2 |
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
|
|
4fb1b2 |
return -1;
|
|
|
4fb1b2 |
}
|
|
|
4fb1b2 |
#endif /* WITH_SELINUX */
|
|
|
4fb1b2 |
@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
|
|
|
4fb1b2 |
return -1;
|
|
|
4fb1b2 |
}
|
|
|
4fb1b2 |
#ifdef WITH_SELINUX
|
|
|
4fb1b2 |
- if (set_selinux_file_context (dst) != 0) {
|
|
|
4fb1b2 |
+ if (set_selinux_file_context (dst, NULL) != 0) {
|
|
|
4fb1b2 |
return -1;
|
|
|
4fb1b2 |
}
|
|
|
4fb1b2 |
#endif /* WITH_SELINUX */
|
|
|
4fb1b2 |
diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h
|
|
|
4fb1b2 |
--- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200
|
|
|
4fb1b2 |
+++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200
|
|
|
4fb1b2 |
@@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m
|
|
|
4fb1b2 |
|
|
|
4fb1b2 |
/* selinux.c */
|
|
|
4fb1b2 |
#ifdef WITH_SELINUX
|
|
|
4fb1b2 |
-extern int set_selinux_file_context (const char *dst_name);
|
|
|
4fb1b2 |
+extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
|
|
|
4fb1b2 |
extern int reset_selinux_file_context (void);
|
|
|
4fb1b2 |
#endif
|
|
|
4fb1b2 |
|
|
|
4fb1b2 |
diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c
|
|
|
4fb1b2 |
--- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200
|
|
|
4fb1b2 |
+++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200
|
|
|
4fb1b2 |
@@ -50,7 +50,7 @@ static bool selinux_enabled;
|
|
|
4fb1b2 |
* Callers may have to Reset SELinux to create files with default
|
|
|
4fb1b2 |
* contexts with reset_selinux_file_context
|
|
|
4fb1b2 |
*/
|
|
|
4fb1b2 |
-int set_selinux_file_context (const char *dst_name)
|
|
|
4fb1b2 |
+int set_selinux_file_context (const char *dst_name, const char *orig_name)
|
|
|
4fb1b2 |
{
|
|
|
4fb1b2 |
/*@null@*/security_context_t scontext = NULL;
|
|
|
4fb1b2 |
|
|
|
4fb1b2 |
@@ -62,19 +62,23 @@ int set_selinux_file_context (const char
|
|
|
4fb1b2 |
if (selinux_enabled) {
|
|
|
4fb1b2 |
/* Get the default security context for this file */
|
|
|
4fb1b2 |
if (matchpathcon (dst_name, 0, &scontext) < 0) {
|
|
|
4fb1b2 |
- if (security_getenforce () != 0) {
|
|
|
4fb1b2 |
- return 1;
|
|
|
4fb1b2 |
- }
|
|
|
4fb1b2 |
+ /* We could not get the default, copy the original */
|
|
|
4fb1b2 |
+ if (orig_name == NULL)
|
|
|
4fb1b2 |
+ goto error;
|
|
|
4fb1b2 |
+ if (getfilecon (orig_name, &scontext) < 0)
|
|
|
4fb1b2 |
+ goto error;
|
|
|
4fb1b2 |
}
|
|
|
4fb1b2 |
/* Set the security context for the next created file */
|
|
|
4fb1b2 |
- if (setfscreatecon (scontext) < 0) {
|
|
|
4fb1b2 |
- if (security_getenforce () != 0) {
|
|
|
4fb1b2 |
- return 1;
|
|
|
4fb1b2 |
- }
|
|
|
4fb1b2 |
- }
|
|
|
4fb1b2 |
+ if (setfscreatecon (scontext) < 0)
|
|
|
4fb1b2 |
+ goto error;
|
|
|
4fb1b2 |
freecon (scontext);
|
|
|
4fb1b2 |
}
|
|
|
4fb1b2 |
return 0;
|
|
|
4fb1b2 |
+ error:
|
|
|
4fb1b2 |
+ if (security_getenforce () != 0) {
|
|
|
4fb1b2 |
+ return 1;
|
|
|
4fb1b2 |
+ }
|
|
|
4fb1b2 |
+ return 0;
|
|
|
4fb1b2 |
}
|
|
|
4fb1b2 |
|
|
|
4fb1b2 |
/*
|
|
|
4fb1b2 |
diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c
|
|
|
4fb1b2 |
--- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 +0200
|
|
|
4fb1b2 |
+++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200
|
|
|
4fb1b2 |
@@ -2020,7 +2020,7 @@ static void create_home (void)
|
|
|
4fb1b2 |
{
|
|
|
4fb1b2 |
if (access (prefix_user_home, F_OK) != 0) {
|
|
|
4fb1b2 |
#ifdef WITH_SELINUX
|
|
|
4fb1b2 |
- if (set_selinux_file_context (prefix_user_home) != 0) {
|
|
|
4fb1b2 |
+ if (set_selinux_file_context (prefix_user_home, NULL) != 0) {
|
|
|
4fb1b2 |
fprintf (stderr,
|
|
|
4fb1b2 |
_("%s: cannot set SELinux context for home directory %s\n"),
|
|
|
4fb1b2 |
Prog, user_home);
|