[Pkg-shadow-devel] Bug#491907: passwd: patch needed for SE Linux support in vipw/vigr

[Russell Coker]

Package: passwd
Version: 1:4.1.1-2
Severity: important

Currently vipw and vigr will set the wrong SE Linux security context on
/etc/passwd and /etc/group respectively.  The following patch fixes this:


--- /tmp/vipw.c	2008-07-22 20:15:12.000000000 +1000
+++ ./vipw.c	2008-07-22 20:38:20.000000000 +1000
@@ -42,6 +42,10 @@
 #include "sgroupio.h"
 #include "shadowio.h"
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #define MSG_WARN_EDIT_OTHER_FILE _( \
 	"You have modified %s.\n"\
 	"You may need to modify %s for consistency.\n"\
@@ -167,6 +171,20 @@
 
 	if (access (file, F_OK))
 		vipwexit (file, 1, 1);
+#ifdef WITH_SELINUX
+	/* if SE Linux is enabled then set the context of all new files
+	   to be the context of the file we are editing */
+	if (is_selinux_enabled()) {
+		security_context_t passwd_context=NULL;
+		int ret=0;
+		if (getfilecon(file,&passwd_context) < 0)
+			vipwexit (_("Couldn't get file context"), errno, 1);
+		ret = setfscreatecon(passwd_context);
+		freecon(passwd_context);
+		if (ret != 0)
+			vipwexit (_("setfscreatecon() failed"), errno, 1);
+	}
+#endif
 	if (!file_lock ())
 		vipwexit (_("Couldn't lock file"), errno, 5);
 	filelocked = 1;
@@ -236,6 +254,12 @@
 			 progname, file, strerror (errno), fileedit);
 		vipwexit (0, 0, 1);
 	}
+#ifdef WITH_SELINUX
+	/* unset the fscreatecon */
+	if (is_selinux_enabled())
+		if(setfscreatecon(NULL))
+			vipwexit (_("setfscreatecon() failed"), errno, 1);
+#endif
 
 	(*file_unlock) ();
 }