set_selinux_file_context(): prepare context for actual file type

Search the SELinux selabel database for the file type to be created.
Not specifying the file mode can cause an incorrect file context to be
returned.

Also prepare contexts in commonio_close() for the generic database
filename, not with the backup suffix appended, to ensure the desired
file context after the final rename.

Closes: #322
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>

diff --git a/lib/commonio.c b/lib/commonio.c
index c5b3d104011e9fc721c1e3b0c3c80a0492317602..3c81c796f0ea44847619e6b4c167dc99e3daa482 100644 (file)
--- a/lib/commonio.c
+++ b/lib/commonio.c
@@ -974,7 +974,7 @@ int commonio_close (struct commonio_db *db)
                snprintf (buf, sizeof buf, "%s-", db->filename);
 
 #ifdef WITH_SELINUX
-               if (set_selinux_file_context (buf) != 0) {
+               if (set_selinux_file_context (db->filename, S_IFREG) != 0) {
                        errors++;
                }
 #endif
@@ -1007,7 +1007,7 @@ int commonio_close (struct commonio_db *db)
        snprintf (buf, sizeof buf, "%s+", db->filename);
 
 #ifdef WITH_SELINUX
-       if (set_selinux_file_context (buf) != 0) {
+       if (set_selinux_file_context (db->filename, S_IFREG) != 0) {
                errors++;
        }
 #endif

diff --git a/lib/prototypes.h b/lib/prototypes.h
index 0c42bcc2b92b8d7c16ae61259908dc932a61eb2d..d187660e304428b5c8706949fac68883522608ef 100644 (file)
--- a/lib/prototypes.h
+++ b/lib/prototypes.h
@@ -403,7 +403,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
 
 /* selinux.c */
 #ifdef WITH_SELINUX
-extern int set_selinux_file_context (const char *dst_name);
+extern int set_selinux_file_context (const char *dst_name, mode_t mode);
 extern int reset_selinux_file_context (void);
 extern int check_selinux_permit (const char *perm_name);
 #endif

diff --git a/lib/selinux.c b/lib/selinux.c
index 41f4371dd77a0dc4be62e750f96714d350305f74..719acda31f37d910c08479a56b0f4d51e9ca9aab 100644 (file)
--- a/lib/selinux.c
+++ b/lib/selinux.c
@@ -51,7 +51,7 @@ static bool selinux_enabled;
  *     Callers may have to Reset SELinux to create files with default
  *     contexts with reset_selinux_file_context
  */
-int set_selinux_file_context (const char *dst_name)
+int set_selinux_file_context (const char *dst_name, mode_t mode)
 {
        if (!selinux_checked) {
                selinux_enabled = is_selinux_enabled () > 0;
@@ -70,7 +70,7 @@ int set_selinux_file_context (const char *dst_name)
                        return security_getenforce () != 0;
                }
 
-               r = selabel_lookup_raw(hnd, &fcontext_raw, dst_name, 0);
+               r = selabel_lookup_raw(hnd, &fcontext_raw, dst_name, mode);
                selabel_close(hnd);
                if (r < 0) {
                        /* No context specified for the searched path */

diff --git a/libmisc/copydir.c b/libmisc/copydir.c
index e6aac6ecf7186a408931cf3f8a7b756d92216bab..1ca98b67c408a9356f6559596b96b21918b85896 100644 (file)
--- a/libmisc/copydir.c
+++ b/libmisc/copydir.c
@@ -484,7 +484,7 @@ static int copy_dir (const char *src, const char *dst,
         */
 
 #ifdef WITH_SELINUX
-       if (set_selinux_file_context (dst) != 0) {
+       if (set_selinux_file_context (dst, S_IFDIR) != 0) {
                return -1;
        }
 #endif                         /* WITH_SELINUX */
@@ -605,7 +605,7 @@ static int copy_symlink (const char *src, const char *dst,
        }
 
 #ifdef WITH_SELINUX
-       if (set_selinux_file_context (dst) != 0) {
+       if (set_selinux_file_context (dst, S_IFLNK) != 0) {
                free (oldlink);
                return -1;
        }
@@ -684,7 +684,7 @@ static int copy_special (const char *src, const char *dst,
        int err = 0;
 
 #ifdef WITH_SELINUX
-       if (set_selinux_file_context (dst) != 0) {
+       if (set_selinux_file_context (dst, statp->st_mode & S_IFMT) != 0) {
                return -1;
        }
 #endif                         /* WITH_SELINUX */
@@ -744,7 +744,7 @@ static int copy_file (const char *src, const char *dst,
                return -1;
        }
 #ifdef WITH_SELINUX
-       if (set_selinux_file_context (dst) != 0) {
+       if (set_selinux_file_context (dst, S_IFREG) != 0) {
                return -1;
        }
 #endif                         /* WITH_SELINUX */

diff --git a/src/useradd.c b/src/useradd.c
index dcda31960534aaebf2638751ae62b0190dac154c..b3fff8951959ae70fee93de47d01dc800837a9fb 100644 (file)
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2177,7 +2177,7 @@ static void create_home (void)
                ++bhome;
 
 #ifdef WITH_SELINUX
-               if (set_selinux_file_context (prefix_user_home) != 0) {
+               if (set_selinux_file_context (prefix_user_home, S_IFDIR) != 0) {
                        fprintf (stderr,
                                 _("%s: cannot set SELinux context for home directory %s\n"),
                                 Prog, user_home);
@@ -2305,7 +2305,7 @@ static void create_mail (void)
                        sprintf (file, "%s/%s", spool, user_name);
 
 #ifdef WITH_SELINUX
-               if (set_selinux_file_context (file) != 0) {
+               if (set_selinux_file_context (file, S_IFREG) != 0) {
                        fprintf (stderr,
                                 _("%s: cannot set SELinux context for mailbox file %s\n"),
                                 Prog, file);