static bool silence_warnings = false;
/* local function prototypes */
-static void fail_exit (int status);
+static void fail_exit (int status, bool process_selinux);
NORETURN static void usage (int status);
static void delete_member (char **, const char *);
static void process_flags (int argc, char **argv, struct option_flags *flags);
-static void open_files (void);
+static void open_files (bool process_selinux);
static void close_files (bool changed, struct option_flags *flags);
static int check_members (const char *groupname,
char **members,
const char *fmt_prompt,
const char *fmt_syslog,
bool *errors);
-static void check_grp_file (bool *errors, bool *changed);
+static void check_grp_file (bool *errors, bool *changed,
+ struct option_flags *flags);
#ifdef SHADOWGRP
static void compare_members_lists (const char *groupname,
char **members,
/*
* fail_exit - exit with an error code after unlocking files
*/
-static void fail_exit (int status)
+static void fail_exit (int status, bool process_selinux)
{
if (gr_locked) {
- if (gr_unlock (true) == 0) {
+ if (gr_unlock (process_selinux) == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
/* continue */
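Review bot: The header comment above fail_exit still says only "exit with an error code after unlocking files" and does not explain the new `process_selinux` argument. In this hunk the argument replaces the hard-coded `true` passed to `gr_unlock ()`, and the next hunk does the same for `sgr_unlock ()`; elsewhere in the patch callers compute it as `!flags.chroot`. I would add a line such as `* process_selinux is forwarded to gr_unlock()/sgr_unlock(); callers pass false when a chroot was requested (flags->chroot).` The comment above open_files has the same gap for its new parameter. The body of fail_exit continues outside this hunk.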
#ifdef SHADOWGRP
if (sgr_locked) {
- if (sgr_unlock (true) == 0) {
+ if (sgr_unlock (process_selinux) == 0) {
fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
/* continue */
* In read-only mode, the databases are not locked and are opened
* only for reading.
*/
-static void open_files (void)
+static void open_files (bool process_selinux)
{
/*
* Lock the files if we aren't in "read-only" mode
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, grp_file);
- fail_exit (E_CANT_LOCK);
+ fail_exit (E_CANT_LOCK, process_selinux);
}
gr_locked = true;
#ifdef SHADOWGRP
fprintf (stderr,
_("%s: cannot lock %s; try again later.\n"),
Prog, sgr_file);
- fail_exit (E_CANT_LOCK);
+ fail_exit (E_CANT_LOCK, process_selinux);
}
sgr_locked = true;
}
if (use_system_grp_file) {
SYSLOG ((LOG_WARN, "cannot open %s", grp_file));
}
- fail_exit (E_CANT_OPEN);
+ fail_exit (E_CANT_OPEN, process_selinux);
}
#ifdef SHADOWGRP
if (is_shadow && (sgr_open (read_only ? O_RDONLY : O_CREAT | O_RDWR) == 0)) {
if (use_system_sgr_file) {
SYSLOG ((LOG_WARN, "cannot open %s", sgr_file));
}
- fail_exit (E_CANT_OPEN);
+ fail_exit (E_CANT_OPEN, process_selinux);
}
#endif
}
if (gr_close (process_selinux) == 0) {
fprintf (stderr, _("%s: failure while writing changes to %s\n"),
Prog, grp_file);
- fail_exit (E_CANT_UPDATE);
+ fail_exit (E_CANT_UPDATE, process_selinux);
}
#ifdef SHADOWGRP
if (is_shadow && (sgr_close (process_selinux) == 0)) {
fprintf (stderr, _("%s: failure while writing changes to %s\n"),
Prog, sgr_file);
- fail_exit (E_CANT_UPDATE);
+ fail_exit (E_CANT_UPDATE, process_selinux);
}
#endif
}
/*
* check_grp_file - check the content of the group file
*/
-static void check_grp_file (bool *errors, bool *changed)
+static void check_grp_file (bool *errors, bool *changed, struct option_flags *flags)
{
struct commonio_entry *gre, *tgre;
struct group *grp;
#ifdef SHADOWGRP
const struct sgrp *sgr;
#endif
+ bool process_selinux;
+
+ process_selinux = !flags->chroot;
/*
* Loop through the entire group file.
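Review bot: check_grp_file takes the whole `struct option_flags *` and recomputes `process_selinux = !flags->chroot`, while open_files and fail_exit receive the bool that main already computed, so the same decision is derived in two places. In the lines visible in this patch the function uses the value only for its `fail_exit` calls; the rest of the body lies outside the hunk, so other uses of `flags` cannot be ruled out. If there are none, passing the bool keeps a single derivation: `static void check_grp_file (bool *errors, bool *changed, bool process_selinux)`, with the wrapped prototype near the top of the file changed to match. If the pointer stays and is only read, it could be `const struct option_flags *flags`, with the local initialised where it is declared: `const bool process_selinux = !flags->chroot;`.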
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, sgr_dbname (), sg.sg_namp);
- fail_exit (E_CANT_UPDATE);
+ fail_exit (E_CANT_UPDATE, process_selinux);
}
/* remove password from /etc/group */
gr = *grp;
fprintf (stderr,
_("%s: failed to prepare the new %s entry '%s'\n"),
Prog, gr_dbname (), gr.gr_name);
- fail_exit (E_CANT_UPDATE);
+ fail_exit (E_CANT_UPDATE, process_selinux);
}
}
} else {
bool errors = false;
bool changed = false;
struct option_flags flags;
+ bool process_selinux;
log_set_progname(Prog);
log_set_logfd(stderr);
/* Parse the command line arguments */
process_flags (argc, argv, &flags);
+ process_selinux = !flags.chroot;
- open_files ();
+ open_files (process_selinux);
if (sort_mode) {
gr_sort ();
changed = true;
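Review bot: `flags` is declared without an initializer, and the added line `process_selinux = !flags.chroot;` reads it as soon as `process_flags ()` returns. process_flags is not part of this patch; if it assigns `chroot` only when the root option is given, this reads an indeterminate value. That value is then passed to `open_files ()` and, through `fail_exit ()`, to `gr_unlock ()`/`sgr_unlock ()` on the failure paths. Initialising at the declaration removes the dependency on every path in process_flags setting the field: `struct option_flags flags = { .chroot = false };`. main's body starts and ends outside this hunk.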
#endif
} else {
- check_grp_file (&errors, &changed);
+ check_grp_file (&errors, &changed, &flags);
#ifdef SHADOWGRP
if (is_shadow) {
check_sgr_file (&errors, &changed);