From: Iker Pedrosa
Date: Tue, 1 Jul 2025 14:23:42 +0000 (+0200)
Subject: src/grpck.c: SELinux file context for fail_exit()
X-Git-Tag: 4.19.0-rc1~128^2~22
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7af581cc86e50226d2d5c72ba0207db3792709b1;p=thirdparty%2Fshadow.git

src/grpck.c: SELinux file context for fail_exit()

Do not process SELinux file context when running fail_exit() when chroot or prefix options are selected.

Signed-off-by: Iker Pedrosa
---

diff --git a/src/grpck.c b/src/grpck.c
index bc58c1e06..fa4d91203 100644
--- a/src/grpck.c
+++ b/src/grpck.c
@@ -75,11 +75,11 @@ static bool sort_mode = false;
 static bool silence_warnings = false;

 /* local function prototypes */
-static void fail_exit (int status);
+static void fail_exit (int status, bool process_selinux);
 NORETURN static void usage (int status);
 static void delete_member (char **, const char *);
 static void process_flags (int argc, char **argv, struct option_flags *flags);
-static void open_files (void);
+static void open_files (bool process_selinux);
 static void close_files (bool changed, struct option_flags *flags);
 static int check_members (const char *groupname,
 char **members,
@@ -87,7 +87,8 @@ static int check_members (const char *groupname,
 const char *fmt_prompt,
 const char *fmt_syslog,
 bool *errors);
-static void check_grp_file (bool *errors, bool *changed);
+static void check_grp_file (bool *errors, bool *changed,
+ struct option_flags *flags);
 #ifdef SHADOWGRP
 static void compare_members_lists (const char *groupname,
 char **members,
@@ -100,10 +101,10 @@ static void check_sgr_file (bool *errors, bool *changed);
 /*
 * fail_exit - exit with an error code after unlocking files
 */
-static void fail_exit (int status)
+static void fail_exit (int status, bool process_selinux)
 {
 if (gr_locked) {
- if (gr_unlock (true) == 0) {
+ if (gr_unlock (process_selinux) == 0) {
 fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
 SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
 /* continue */
@@ -112,7 +113,7 @@ static void fail_exit (int status)

 #ifdef SHADOWGRP
 if (sgr_locked) {
- if (sgr_unlock (true) == 0) {
+ if (sgr_unlock (process_selinux) == 0) {
 fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
 SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
 /* continue */
@@ -269,7 +270,7 @@ static void process_flags (int argc, char **argv, struct option_flags *flags)
 * In read-only mode, the databases are not locked and are opened
 * only for reading.
 */
-static void open_files (void)
+static void open_files (bool process_selinux)
 {
 /*
 * Lock the files if we aren't in "read-only" mode
@@ -279,7 +280,7 @@ static void open_files (void)
 fprintf (stderr,
 _("%s: cannot lock %s; try again later.\n"),
 Prog, grp_file);
- fail_exit (E_CANT_LOCK);
+ fail_exit (E_CANT_LOCK, process_selinux);
 }
 gr_locked = true;
 #ifdef SHADOWGRP
@@ -288,7 +289,7 @@ static void open_files (void)
 fprintf (stderr,
 _("%s: cannot lock %s; try again later.\n"),
 Prog, sgr_file);
- fail_exit (E_CANT_LOCK);
+ fail_exit (E_CANT_LOCK, process_selinux);
 }
 sgr_locked = true;
 }
@@ -305,7 +306,7 @@ static void open_files (void)
 if (use_system_grp_file) {
 SYSLOG ((LOG_WARN, "cannot open %s", grp_file));
 }
- fail_exit (E_CANT_OPEN);
+ fail_exit (E_CANT_OPEN, process_selinux);
 }
 #ifdef SHADOWGRP
 if (is_shadow && (sgr_open (read_only ? O_RDONLY : O_CREAT | O_RDWR) == 0)) {
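Review bot: The header comment above fail_exit() (the hunk at -100) still says only "exit with an error code after unlocking files", although the function now takes `process_selinux` and hands it to gr_unlock() and sgr_unlock(). A bare bool at every call site gives a reader no hint which value is correct, so the comment should state the contract, for example `* process_selinux - forwarded to gr_unlock()/sgr_unlock(); false skips SELinux file context handling`. The comment above open_files() (hunk at -269) needs a matching line, because in the visible hunks that function uses the parameter only to forward it to fail_exit(). Both function bodies continue outside their hunks, so other uses of the flag cannot be ruled out from here.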
@@ -314,7 +315,7 @@ static void open_files (void)
 if (use_system_sgr_file) {
 SYSLOG ((LOG_WARN, "cannot open %s", sgr_file));
 }
- fail_exit (E_CANT_OPEN);
+ fail_exit (E_CANT_OPEN, process_selinux);
 }
 #endif
 }
@@ -340,13 +341,13 @@ static void close_files (bool changed, struct option_flags *flags)
 if (gr_close (process_selinux) == 0) {
 fprintf (stderr, _("%s: failure while writing changes to %s\n"),
 Prog, grp_file);
- fail_exit (E_CANT_UPDATE);
+ fail_exit (E_CANT_UPDATE, process_selinux);
 }
 #ifdef SHADOWGRP
 if (is_shadow && (sgr_close (process_selinux) == 0)) {
 fprintf (stderr, _("%s: failure while writing changes to %s\n"),
 Prog, sgr_file);
- fail_exit (E_CANT_UPDATE);
+ fail_exit (E_CANT_UPDATE, process_selinux);
 }
 #endif
 }
@@ -471,13 +472,16 @@ static void compare_members_lists (const char *groupname,
 /*
 * check_grp_file - check the content of the group file
 */
-static void check_grp_file (bool *errors, bool *changed)
+static void check_grp_file (bool *errors, bool *changed, struct option_flags *flags)
 {
 struct commonio_entry *gre, *tgre;
 struct group *grp;
 #ifdef SHADOWGRP
 const struct sgrp *sgr;
 #endif
+ bool process_selinux;
+
+ process_selinux = !flags->chroot;

 /*
 * Loop through the entire group file.
@@ -643,7 +647,7 @@ static void check_grp_file (bool *errors, bool *changed)
 fprintf (stderr,
 _("%s: failed to prepare the new %s entry '%s'\n"),
 Prog, sgr_dbname (), sg.sg_namp);
- fail_exit (E_CANT_UPDATE);
+ fail_exit (E_CANT_UPDATE, process_selinux);
 }
 /* remove password from /etc/group */
 gr = *grp;
@@ -652,7 +656,7 @@ static void check_grp_file (bool *errors, bool *changed)
 fprintf (stderr,
 _("%s: failed to prepare the new %s entry '%s'\n"),
 Prog, gr_dbname (), gr.gr_name);
- fail_exit (E_CANT_UPDATE);
+ fail_exit (E_CANT_UPDATE, process_selinux);
 }
 }
 } else {
@@ -836,6 +840,7 @@ int main (int argc, char **argv)
 bool errors = false;
 bool changed = false;
 struct option_flags flags;
+ bool process_selinux;

 log_set_progname(Prog);
 log_set_logfd(stderr);
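Review bot: In check_grp_file() (hunk at -471), `process_selinux` is declared and assigned after the `#endif`, so it exists in every build, but its only uses visible in this patch are the two fail_exit() calls at -643 and -652. Those calls sit beside sgr_dbname(), sg.sg_namp and the "remove password from /etc/group" step, which looks like SHADOWGRP-only code; the enclosing `#ifdef` is outside the hunks, so this needs checking against the full function. If it holds, a build without SHADOWGRP gets a set-but-unused local and a `flags` parameter that serves no purpose there. Passing the value directly, `fail_exit (E_CANT_UPDATE, !flags->chroot);`, or moving the declaration into the existing `#ifdef SHADOWGRP` block next to `sgr`, would keep the two configurations consistent.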
@@ -850,8 +855,9 @@ int main (int argc, char **argv)

 /* Parse the command line arguments */
 process_flags (argc, argv, &flags);
+ process_selinux = !flags.chroot;

- open_files ();
+ open_files (process_selinux);

 if (sort_mode) {
 gr_sort ();
@@ -862,7 +868,7 @@ int main (int argc, char **argv)
 changed = true;
 #endif
 } else {
- check_grp_file (&errors, &changed);
+ check_grp_file (&errors, &changed, &flags);
 #ifdef SHADOWGRP
 if (is_shadow) {
 check_sgr_file (&errors, &changed);
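Review bot: `process_selinux = !flags.chroot;` in main() (hunk at -850) covers only the chroot case, while the commit message says SELinux file context handling is skipped "when chroot or prefix options are selected". No prefix field is read in any visible hunk, so either the message is broader than what this tool supports or a second condition is missing. A comment at the assignment would settle it, for example `/* SELinux file contexts are not processed when operating on a chroot */`. The same expression is derived again in check_grp_file() and, judging by the context lines that use `process_selinux`, presumably in close_files() as well. Computing it in one place would keep the copies from drifting, which matters because a wrong value silently changes whether the unlock path handles SELinux file contexts.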