From 3e8645b164e2205193ddb75c7c2df0393518cea7 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Thu, 3 Jul 2025 13:08:10 +0200
Subject: [PATCH] src/pwunconv.c: chroot or prefix SELinux file context
Do not process SELinux file context during file closure when chroot or prefix options are selected.
Signed-off-by: Iker Pedrosa
---
 src/pwunconv.c | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)
diff --git a/src/pwunconv.c b/src/pwunconv.c
index ddbc81052..ae396e6d8 100644
--- a/src/pwunconv.c
+++ b/src/pwunconv.c
@@ -30,6 +30,9 @@
 #include "sssd.h"
 #include "string/strcmp/streq.h"
+struct option_flags {
+ bool chroot;
+};
 /*
 * Global variables
@@ -42,7 +45,7 @@ static bool pw_locked = false;
 /* local function prototypes */
 static void fail_exit (int status);
 static void usage (int status);
-static void process_flags (int argc, char **argv);
+static void process_flags (int argc, char **argv, struct option_flags *flags);
 static void fail_exit (int status)
 {
@@ -82,7 +85,7 @@ static void usage (int status)
 *
 * It will not return if an error is encountered.
 */
-static void process_flags (int argc, char **argv)
+static void process_flags (int argc, char **argv, struct option_flags *flags)
 {
 /*
 * Parse the command line options.
@@ -101,6 +104,7 @@ static void process_flags (int argc, char **argv)
 usage (E_SUCCESS);
 /*@notreached@*/break;
 case 'R': /* no-op, handled in process_root_flag () */
+ flags->chroot = true;
 break;
 default:
 usage (E_USAGE);
@@ -117,6 +121,8 @@ int main (int argc, char **argv)
 const struct passwd *pw;
 struct passwd pwent;
 const struct spwd *spwd;
+ struct option_flags flags;
+ bool process_selinux;
 log_set_progname(Prog);
 log_set_logfd(stderr);
@@ -129,7 +135,8 @@ int main (int argc, char **argv)
 OPENLOG (Prog);
- process_flags (argc, argv);
+ process_flags (argc, argv, &flags);
+ process_selinux = !flags.chroot;
 #ifdef WITH_TCB
 if (getdef_bool("USE_TCB")) {
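Review bot: The comment on the `'R'` case still reads `/* no-op, handled in process_root_flag () */`, but the case now records the option in `flags->chroot`, so it is no longer a no-op. Something like `/* chroot itself is handled in process_root_flag (); remember it so main() skips SELinux context processing */` would keep the comment accurate. The header comment of process_flags(), partly visible in the previous hunk, would also benefit from a line describing the new `flags` output parameter. process_flags() begins and ends outside this hunk.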
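Review bot: `flags` is declared in main() without an initializer, and the only write visible in this patch is `flags->chroot = true;` in the `'R'` case, so when `-R` is not given `process_selinux = !flags.chroot;` reads an indeterminate value. The SELinux argument passed to `spw_close`, `pw_close`, `spw_unlock` and `pw_unlock` in the two later hunks would then depend on stack contents, which may leave the rewritten passwd file without its expected file context on some runs. Declaring it as `struct option_flags flags = {.chroot = false};` fixes this, unless process_flags() clears the struct in a part of its body that lies outside these hunks. main() starts and ends outside the hunk.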
@@ -205,9 +212,9 @@ int main (int argc, char **argv)
 }
 }
- (void) spw_close (true); /* was only open O_RDONLY */
+ (void) spw_close (process_selinux); /* was only open O_RDONLY */
- if (pw_close (true) == 0) {
+ if (pw_close (process_selinux) == 0) {
 fprintf (stderr, _("%s: failure while writing changes to %s\n"), Prog, pw_dbname ());
@@ -222,12 +229,12 @@ int main (int argc, char **argv)
 fail_exit (3);
 }
- if (spw_unlock (true) == 0) {
+ if (spw_unlock (process_selinux) == 0) {
 fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
 SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
 /* continue */
 }
- if (pw_unlock (true) == 0) {
+ if (pw_unlock (process_selinux) == 0) {
 fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ());
 SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
 /* continue */
--
2.47.3