From: Shadow package maintainers Date: Sat, 22 Jun 2024 17:39:41 +0200 Subject: cppw: add selinux support Status wrt upstream: cppw is not available upstream. Needs to be reviewed by an SE-Linux aware person. Gbp-Topic: debian --- src/cppw.c | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/src/cppw.c b/src/cppw.c index beb4c36..2cbbbc0 100644 --- a/src/cppw.c +++ b/src/cppw.c @@ -34,6 +34,9 @@ #include #include #include +#ifdef WITH_SELINUX +#include +#endif /* WITH_SELINUX */ #include "exitcodes.h" #include "prototypes.h" #include "pwio.h" @@ -139,6 +142,22 @@ static void cppwcopy (const char *file, if (access (file, F_OK) != 0) { cppwexit (file, 1, 1); } +#ifdef WITH_SELINUX + /* if SE Linux is enabled then set the context of all new files + * to be the context of the file we are editing */ + if (is_selinux_enabled () > 0) { + security_context_t passwd_context=NULL; + int ret = 0; + if (getfilecon (file, &passwd_context) < 0) { + cppwexit (_("Couldn't get file context"), errno, 1); + } + ret = setfscreatecon (passwd_context); + freecon (passwd_context); + if (0 != ret) { + cppwexit (_("setfscreatecon () failed"), errno, 1); + } + } +#endif /* WITH_SELINUX */ if (file_lock () == 0) { cppwexit (_("Couldn't lock file"), 0, 5); } @@ -167,6 +186,15 @@ static void cppwcopy (const char *file, cppwexit (NULL,0,1); } +#ifdef WITH_SELINUX + /* unset the fscreatecon */ + if (is_selinux_enabled () > 0) { + if (setfscreatecon (NULL)) { + cppwexit (_("setfscreatecon() failed"), errno, 1); + } + } +#endif /* WITH_SELINUX */ + (*file_unlock) (); }