From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Tue, 1 Jul 2025 14:30:47 +0000 (+0200)
Subject: src/grpunconv.c: chroot or prefix SELinux file context
X-Git-Tag: 4.19.0-rc1~128^2~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27289401619195c598699861c2590916cc032759;p=thirdparty%2Fshadow.git

src/grpunconv.c: chroot or prefix SELinux file context

Do not process SELinux file context during file closure when chroot or
prefix options are selected.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---

diff --git a/src/grpunconv.c b/src/grpunconv.c
index 545474f6d..a73a08f59 100644
--- a/src/grpunconv.c
+++ b/src/grpunconv.c
@@ -39,6 +39,12 @@
 #include "shadow/gshadow/sgrp.h"
 #include "shadowlog.h"
 
+/*
+ * Structures
+ */
+struct option_flags {
+	bool chroot;
+};
 
 /*
  * Global variables
@@ -51,7 +57,7 @@ static bool sgr_locked = false;
 /* local function prototypes */
 static void fail_exit (int status);
 static void usage (int status);
-static void process_flags (int argc, char **argv);
+static void process_flags (int argc, char **argv, struct option_flags *flags);
 
 static void fail_exit (int status)
 {
@@ -93,7 +99,7 @@ static void usage (int status)
  *
  *	It will not return if an error is encountered.
  */
-static void process_flags (int argc, char **argv)
+static void process_flags (int argc, char **argv, struct option_flags *flags)
 {
 	/*
 	 * Parse the command line options.
@@ -112,6 +118,7 @@ static void process_flags (int argc, char **argv)
 			usage (E_SUCCESS);
 			/*@notreached@*/break;
 		case 'R': /* no-op, handled in process_root_flag () */
+			flags->chroot = true;
 			break;
 		default:
 			usage (E_USAGE);
@@ -128,6 +135,8 @@ int main (int argc, char **argv)
 	const struct group *gr;
 	struct group grent;
 	const struct sgrp *sg;
+	struct option_flags  flags;
+	bool process_selinux;
 
 	log_set_progname(Prog);
 	log_set_logfd(stderr);
@@ -140,7 +149,8 @@ int main (int argc, char **argv)
 
 	OPENLOG (Prog);
 
-	process_flags (argc, argv);
+	process_flags (argc, argv, &flags);
+	process_selinux = !flags.chroot;
 
 	if (sgr_file_present () == 0) {
 		exit (0);	/* no /etc/gshadow, nothing to do */
@@ -192,9 +202,9 @@ int main (int argc, char **argv)
 		}
 	}
 
-	(void) sgr_close (true); /* was only open O_RDONLY */
+	(void) sgr_close (process_selinux); /* was only open O_RDONLY */
 
-	if (gr_close (true) == 0) {
+	if (gr_close (process_selinux) == 0) {
 		fprintf (stderr,
 		         _("%s: failure while writing changes to %s\n"),
 		         Prog, gr_dbname ());
@@ -210,13 +220,13 @@ int main (int argc, char **argv)
 		fail_exit (3);
 	}
 
-	if (gr_unlock (true) == 0) {
+	if (gr_unlock (process_selinux) == 0) {
 		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
 		/* continue */
 	}
 
-	if (sgr_unlock (true) == 0) {
+	if (sgr_unlock (process_selinux) == 0) {
 		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
 		/* continue */