summaryrefslogtreecommitdiffstats
path: root/debian/patches/cppw-add-selinux-support.patch
blob: 0e0566db8e7301f8f71f936073e31fdcc83be459 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
From: Shadow package maintainers <pkg-shadow-devel@lists.alioth.debian.org>
Date: Sat, 22 Jun 2024 17:39:41 +0200
Subject: cppw: add selinux support

Status wrt upstream: cppw is not available upstream.
Needs to be reviewed by an SE-Linux aware person.

Gbp-Topic: debian
---
 src/cppw.c | 28 ++++++++++++++++++++++++++++
 1 file changed, 28 insertions(+)

diff --git a/src/cppw.c b/src/cppw.c
index beb4c36..2cbbbc0 100644
--- a/src/cppw.c
+++ b/src/cppw.c
@@ -34,6 +34,9 @@
 #include <sys/types.h>
 #include <signal.h>
 #include <utime.h>
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif				/* WITH_SELINUX */
 #include "exitcodes.h"
 #include "prototypes.h"
 #include "pwio.h"
@@ -139,6 +142,22 @@ static void cppwcopy (const char *file,
 	if (access (file, F_OK) != 0) {
 		cppwexit (file, 1, 1);
 	}
+#ifdef WITH_SELINUX
+	/* if SE Linux is enabled then set the context of all new files
+	 * to be the context of the file we are editing */
+	if (is_selinux_enabled () > 0) {
+		security_context_t passwd_context=NULL;
+		int ret = 0;
+		if (getfilecon (file, &passwd_context) < 0) {
+			cppwexit (_("Couldn't get file context"), errno, 1);
+		}
+		ret = setfscreatecon (passwd_context);
+		freecon (passwd_context);
+		if (0 != ret) {
+			cppwexit (_("setfscreatecon () failed"), errno, 1);
+		}
+	}
+#endif				/* WITH_SELINUX */
 	if (file_lock () == 0) {
 		cppwexit (_("Couldn't lock file"), 0, 5);
 	}
@@ -167,6 +186,15 @@ static void cppwcopy (const char *file,
 		cppwexit (NULL,0,1);
 	}
 
+#ifdef WITH_SELINUX
+	/* unset the fscreatecon */
+	if (is_selinux_enabled () > 0) {
+		if (setfscreatecon (NULL)) {
+		cppwexit (_("setfscreatecon() failed"), errno, 1);
+		}
+	}
+#endif				/* WITH_SELINUX */
+
 	(*file_unlock) ();
 }