From 5fa86c2b427f35da94aaff889a7cfe2730f78015 Mon Sep 17 00:00:00 2001 From: nekral-guest Date: Wed, 15 Apr 2009 17:42:27 +0000 Subject: [PATCH] * NEW, src/vipw.c: SE Linux: Set the default context to the context of the file being edited. This ensures that the backup file inherit from the file's context. --- ChangeLog | 6 ++++++ NEWS | 7 +++++++ src/vipw.c | 28 ++++++++++++++++++++++++++++ 3 files changed, 41 insertions(+) diff --git a/ChangeLog b/ChangeLog index 4e010501..7abd8cf1 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,9 @@ +2009-04-15 Nicolas François + + * NEW, src/vipw.c: SE Linux: Set the default context to the + context of the file being edited. This ensures that the backup + file inherit from the file's context. + 2009-04-14 Nicolas François * man/usermod.8.xml: There are no default values for --inactive diff --git a/NEWS b/NEWS index 1a1ea3fd..8f96308d 100644 --- a/NEWS +++ b/NEWS @@ -1,5 +1,12 @@ $Id$ +shadow-4.1.3 -> shadow-4.1.3.1 UNRELEASED + +- vipw + * SE Linux: Set the default context to the context of the file being + edited. This ensures that the backup file inherit from the file's + context. + shadow-4.1.2.2 -> shadow-4.1.3 2009-04-12 *** general: diff --git a/src/vipw.c b/src/vipw.c index f7d0e63f..116a199c 100644 --- a/src/vipw.c +++ b/src/vipw.c @@ -45,6 +45,10 @@ #include "sgroupio.h" #include "shadowio.h" +#ifdef WITH_SELINUX +#include +#endif + #define MSG_WARN_EDIT_OTHER_FILE _( \ "You have modified %s.\n"\ "You may need to modify %s for consistency.\n"\ @@ -189,6 +193,22 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void)) if (access (file, F_OK) != 0) { vipwexit (file, 1, 1); } +#ifdef WITH_SELINUX + /* if SE Linux is enabled then set the context of all new files + to be the context of the file we are editing */ + if (is_selinux_enabled ()) { + security_context_t passwd_context=NULL; + int ret = 0; + if (getfilecon (file, &passwd_context) < 0) { + vipwexit (_("Couldn't get file context"), errno, 1); + } + ret = setfscreatecon (passwd_context); + freecon (passwd_context); + if (0 != ret) { + vipwexit (_("setfscreatecon () failed"), errno, 1); + } + } +#endif if (file_lock () == 0) { vipwexit (_("Couldn't lock file"), errno, 5); } @@ -260,6 +280,14 @@ vipwedit (const char *file, int (*file_lock) (void), int (*file_unlock) (void)) if (st1.st_mtime == st2.st_mtime) { vipwexit (0, 0, 0); } +#ifdef WITH_SELINUX + /* unset the fscreatecon */ + if (is_selinux_enabled ()) { + if (setfscreatecon (NULL)) { + vipwexit (_("setfscreatecon() failed"), errno, 1); + } + } +#endif /* * XXX - here we should check fileedit for errors; if there are any, -- 2.40.0