* NEW, src/vipw.c: SE Linux: Set the default context to the

context of the file being edited. This ensures that the backup file inherit from the file's context.
2009-04-15 17:42:27 +00:00
parent a8586cbce7
commit 5fa86c2b42
3 changed files with 41 additions and 0 deletions
--- a/6
+++ b/6
@@ -1,3 +1,9 @@
+2009-04-15  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* NEW, src/vipw.c: SE Linux: Set the default context to the
+	context of the file being edited. This ensures that the backup
+	file inherit from the file's context.
+
 2009-04-14  Nicolas François  <nicolas.francois@centraliens.net>

 	* man/usermod.8.xml: There are no default values for --inactive
--- a/7
+++ b/7
@@ -1,5 +1,12 @@
 $Id$

+shadow-4.1.3 -> shadow-4.1.3.1						UNRELEASED
+
+- vipw
+  * SE Linux: Set the default context to the context of the file being
+    edited. This ensures that the backup file inherit from the file's
+    context.
+
 shadow-4.1.2.2 -> shadow-4.1.3						2009-04-12

 *** general:
--- a/src/vipw.c
+++ b/src/vipw.c
@@ -45,6 +45,10 @@
 #include "sgroupio.h"
 #include "shadowio.h"

+#ifdef WITH_SELINUX                                                            
+#include <selinux/selinux.h>                                                   
+#endif
+
 #define MSG_WARN_EDIT_OTHER_FILE _( \
 	"You have modified %s.\n"\
 	"You may need to modify %s for consistency.\n"\
@@ -189,6 +193,22 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void))
 	if (access (file, F_OK) != 0) {
 		vipwexit (file, 1, 1);
 	}
+#ifdef WITH_SELINUX
+	/* if SE Linux is enabled then set the context of all new files
+	   to be the context of the file we are editing */
+	if (is_selinux_enabled ()) {
+		security_context_t passwd_context=NULL;
+		int ret = 0;
+		if (getfilecon (file, &passwd_context) < 0) {
+			vipwexit (_("Couldn't get file context"), errno, 1);
+		}
+		ret = setfscreatecon (passwd_context);
+		freecon (passwd_context);
+		if (0 != ret) {
+			vipwexit (_("setfscreatecon () failed"), errno, 1);
+		}
+	}
+#endif
 	if (file_lock () == 0) {
 		vipwexit (_("Couldn't lock file"), errno, 5);
 	}
@@ -260,6 +280,14 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void))
 	if (st1.st_mtime == st2.st_mtime) {
 		vipwexit (0, 0, 0);
 	}
+#ifdef WITH_SELINUX                                                            
+	/* unset the fscreatecon */                                             
+	if (is_selinux_enabled ()) {
+		if (setfscreatecon (NULL)) {
+			vipwexit (_("setfscreatecon() failed"), errno, 1);
+		}
+	}
+#endif

 	/*
 	 * XXX - here we should check fileedit for errors; if there are any,