From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Tue, 1 Jul 2025 14:04:07 +0000 (+0200)
Subject: src/chgpasswd.c: SELinux file context for fail_exit()
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3d4a4233ffc6e54f0b33c4831007855b83ae76bc;p=thirdparty%2Fshadow.git

src/chgpasswd.c: SELinux file context for fail_exit()

Do not process SELinux file context when running fail_exit() when chroot
or prefix options are selected.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---

diff --git a/src/chgpasswd.c b/src/chgpasswd.c
index 27338561f..52345d39c 100644
--- a/src/chgpasswd.c
+++ b/src/chgpasswd.c
@@ -75,21 +75,21 @@ static bool sgr_locked = false;
 static bool gr_locked = false;
 
 /* local function prototypes */
-NORETURN static void fail_exit (int code);
+NORETURN static void fail_exit (int code, bool process_selinux);
 NORETURN static void usage (int status);
 static void process_flags (int argc, char **argv, struct option_flags *flags);
 static void check_flags (void);
 static void check_perms (void);
-static void open_files (void);
+static void open_files (bool process_selinux);
 static void close_files (struct option_flags *flags);
 
 /*
  * fail_exit - exit with a failure code after unlocking the files
  */
-static void fail_exit (int code)
+static void fail_exit (int code, bool process_selinux)
 {
 	if (gr_locked) {
-		if (gr_unlock (true) == 0) {
+		if (gr_unlock (process_selinux) == 0) {
 			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
 			SYSLOG ((LOG_ERR, "failed to unlock %s", gr_dbname ()));
 			/* continue */
@@ -98,7 +98,7 @@ static void fail_exit (int code)
 
 #ifdef	SHADOWGRP
 	if (sgr_locked) {
-		if (sgr_unlock (true) == 0) {
+		if (sgr_unlock (process_selinux) == 0) {
 			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
 			SYSLOG ((LOG_ERR, "failed to unlock %s", sgr_dbname ()));
 			/* continue */
@@ -344,7 +344,7 @@ static void check_perms (void)
 /*
  * open_files - lock and open the group databases
  */
-static void open_files (void)
+static void open_files (bool process_selinux)
 {
 	/*
 	 * Lock the group file and open it for reading and writing. This will
@@ -354,13 +354,13 @@ static void open_files (void)
 		fprintf (stderr,
 		         _("%s: cannot lock %s; try again later.\n"),
 		         Prog, gr_dbname ());
-		fail_exit (1);
+		fail_exit (1, process_selinux);
 	}
 	gr_locked = true;
 	if (gr_open (O_CREAT | O_RDWR) == 0) {
 		fprintf (stderr,
 		         _("%s: cannot open %s\n"), Prog, gr_dbname ());
-		fail_exit (1);
+		fail_exit (1, process_selinux);
 	}
 
 #ifdef SHADOWGRP
@@ -370,13 +370,13 @@ static void open_files (void)
 			fprintf (stderr,
 			         _("%s: cannot lock %s; try again later.\n"),
 			         Prog, sgr_dbname ());
-			fail_exit (1);
+			fail_exit (1, process_selinux);
 		}
 		sgr_locked = true;
 		if (sgr_open (O_CREAT | O_RDWR) == 0) {
 			fprintf (stderr, _("%s: cannot open %s\n"),
 			         Prog, sgr_dbname ());
-			fail_exit (1);
+			fail_exit (1, process_selinux);
 		}
 	}
 #endif
@@ -397,7 +397,7 @@ static void close_files (struct option_flags *flags)
 			         _("%s: failure while writing changes to %s\n"),
 			         Prog, sgr_dbname ());
 			SYSLOG ((LOG_ERR, "failure while writing changes to %s", sgr_dbname ()));
-			fail_exit (1);
+			fail_exit (1, process_selinux);
 		}
 		if (sgr_unlock (process_selinux) == 0) {
 			fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, sgr_dbname ());
@@ -413,7 +413,7 @@ static void close_files (struct option_flags *flags)
 		         _("%s: failure while writing changes to %s\n"),
 		         Prog, gr_dbname ());
 		SYSLOG ((LOG_ERR, "failure while writing changes to %s", gr_dbname ()));
-		fail_exit (1);
+		fail_exit (1, process_selinux);
 	}
 	if (gr_unlock (process_selinux) == 0) {
 		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, gr_dbname ());
@@ -440,6 +440,7 @@ int main (int argc, char **argv)
 	bool errors = false;
 	intmax_t line = 0;
 	struct option_flags  flags;
+	bool process_selinux;
 
 	log_set_progname(Prog);
 	log_set_logfd(stderr);
@@ -457,6 +458,7 @@ int main (int argc, char **argv)
 	process_root_flag ("-R", argc, argv);
 
 	process_flags (argc, argv, &flags);
+	process_selinux = !flags.chroot;
 
 	OPENLOG (Prog);
 
@@ -466,7 +468,7 @@ int main (int argc, char **argv)
 	is_shadow_grp = sgr_file_present ();
 #endif
 
-	open_files ();
+	open_files (process_selinux);
 
 	/*
 	 * Read each line, separating the group name from the password. The
@@ -535,7 +537,7 @@ int main (int argc, char **argv)
 				fprintf (stderr,
 				         _("%s: failed to crypt password with salt '%s': %s\n"),
 				         Prog, salt, strerror (errno));
-				fail_exit (1);
+				fail_exit (1, process_selinux);
 			}
 		}
 
@@ -636,7 +638,7 @@ int main (int argc, char **argv)
 	if (errors) {
 		fprintf (stderr,
 		         _("%s: error detected, changes ignored\n"), Prog);
-		fail_exit (1);
+		fail_exit (1, process_selinux);
 	}
 
 	close_files (&flags);