From 5353db6897e3561c2682ee43e32e9ae9cecae7bb Mon Sep 17 00:00:00 2001
From: Iker Pedrosa <ipedrosa@redhat.com>
Date: Thu, 3 Jul 2025 13:04:26 +0200
Subject: [PATCH] src/pwconv.c: chroot or prefix SELinux file context

Do not process SELinux file context during file closure when chroot or
prefix options are selected.

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
---
 src/pwconv.c | 23 ++++++++++++++++-------
 1 file changed, 16 insertions(+), 7 deletions(-)

diff --git a/src/pwconv.c b/src/pwconv.c
index acefb0e27..523b92b8d 100644
--- a/src/pwconv.c
+++ b/src/pwconv.c
@@ -67,6 +67,11 @@
 #define E_MISSING	4	/* unexpected failure, passwd file missing */
 #define E_PWDBUSY	5	/* passwd file(s) busy */
 #define E_BADENTRY	6	/* bad shadow entry */
+
+struct option_flags {
+	bool chroot;
+};
+
 /*
  * Global variables
  */
@@ -78,7 +83,7 @@ static bool pw_locked = false;
 /* local function prototypes */
 static void fail_exit (int status);
 static void usage (int status);
-static void process_flags (int argc, char **argv);
+static void process_flags (int argc, char **argv, struct option_flags *flags);
 
 static void fail_exit (int status)
 {
@@ -120,7 +125,7 @@ static void usage (int status)
  *
  *	It will not return if an error is encountered.
  */
-static void process_flags (int argc, char **argv)
+static void process_flags (int argc, char **argv, struct option_flags *flags)
 {
 	/*
 	 * Parse the command line options.
@@ -139,6 +144,7 @@ static void process_flags (int argc, char **argv)
 			usage (E_SUCCESS);
 			/*@notreached@*/break;
 		case 'R': /* no-op, handled in process_root_flag () */
+			flags->chroot = true;
 			break;
 		default:
 			usage (E_USAGE);
@@ -156,6 +162,8 @@ int main (int argc, char **argv)
 	struct passwd pwent;
 	const struct spwd *sp;
 	struct spwd spent;
+	struct option_flags  flags;
+	bool process_selinux;
 
 	log_set_progname(Prog);
 	log_set_logfd(stderr);
@@ -168,7 +176,8 @@ int main (int argc, char **argv)
 
 	OPENLOG (Prog);
 
-	process_flags (argc, argv);
+	process_flags (argc, argv, &flags);
+	process_selinux = !flags.chroot;
 
 #ifdef WITH_TCB
 	if (getdef_bool("USE_TCB")) {
@@ -274,14 +283,14 @@ int main (int argc, char **argv)
 		}
 	}
 
-	if (spw_close (true) == 0) {
+	if (spw_close (process_selinux) == 0) {
 		fprintf (stderr,
 		         _("%s: failure while writing changes to %s\n"),
 		         Prog, spw_dbname ());
 		SYSLOG ((LOG_ERR, "failure while writing changes to %s", spw_dbname ()));
 		fail_exit (E_FAILURE);
 	}
-	if (pw_close (true) == 0) {
+	if (pw_close (process_selinux) == 0) {
 		fprintf (stderr,
 		         _("%s: failure while writing changes to %s\n"),
 		         Prog, pw_dbname ());
@@ -299,13 +308,13 @@ int main (int argc, char **argv)
 		/* continue */
 	}
 
-	if (pw_unlock (true) == 0) {
+	if (pw_unlock (process_selinux) == 0) {
 		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, pw_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", pw_dbname ()));
 		/* continue */
 	}
 
-	if (spw_unlock (true) == 0) {
+	if (spw_unlock (process_selinux) == 0) {
 		fprintf (stderr, _("%s: failed to unlock %s\n"), Prog, spw_dbname ());
 		SYSLOG ((LOG_ERR, "failed to unlock %s", spw_dbname ()));
 		/* continue */
-- 
2.47.3