- selinux: set the user part of creation context to match the current

context instead of what we looked up
2009-12-03 23:17:28 +00:00 · 2009-12-03 23:17:28 +00:00 · 61f3185f70
commit 61f3185f70
parent b4c720591d
1 changed files with 36 additions and 10 deletions
--- a/krb5-1.7-selinux-label.patch
+++ b/krb5-1.7-selinux-label.patch
@ -541,7 +541,7 @@ diff -up krb5-1.7/src/util/support/Makefile.in krb5-1.7/src/util/support/Makefil
 diff -up /dev/null krb5-1.7/src/util/support/selinux.c
 --- /dev/null	2009-06-04 10:34:55.169007373 -0400
 +++ krb5-1.7/src/util/support/selinux.c	2009-06-04 13:47:20.000000000 -0400
-@@ -0,0 +1,314 @@
+@@ -0,0 +1,340 @@
 +/*
 + * Copyright 2007,2008,2009 Red Hat, Inc.  All Rights Reserved.
 + *
@ -593,6 +593,7 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
 +#include <string.h>
 +#include <unistd.h>
 +#include <selinux/selinux.h>
 +#include <selinux/context.h>
 +#ifdef HAVE_SELINUX_LABEL_H
 +#include <selinux/label.h>
 +#endif
@ -613,8 +614,9 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
 +static security_context_t
 +push_fscreatecon(const char *pathname, mode_t mode)
 +{
-+	security_context_t previous, next;
+	security_context_t previous, configuredsc, currentsc, derivedsc;
-+	const char *fullpath;
+	context_t current, derived;
 +	const char *fullpath, *currentuser;
 +#ifdef HAVE_SELINUX_LABEL_H
 +	struct selabel_handle *ctx;
 +#endif
@ -650,17 +652,17 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
 +			} else {
 +				fullpath = pathname;
 +			}
 +			next = NULL;
 +#ifdef DEBUG
 +			if (isatty(fileno(stderr))) {
 +				fprintf(stderr, "Looking up context for "
 +					"\"%s\"(%05o).\n", fullpath, mode);
 +			}
 +#endif
 +			configuredsc = NULL;
 +#ifdef HAVE_SELINUX_LABEL_H
 +			ctx = selabel_open(SELABEL_CTX_FILE, NULL, 0);
 +			if (ctx != NULL) {
-+				if (selabel_lookup(ctx, &next,
+				if (selabel_lookup(ctx, &configuredsc,
 +						   fullpath, mode) != 0) {
 +					selabel_close(ctx);
 +					free(genpath);
@ -672,7 +674,7 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
 +				selabel_close(ctx);
 +			}
 +#else
-+			if (matchpathcon(fullpath, mode, &next) != 0) {
+			if (matchpathcon(fullpath, mode, &configuredsc) != 0) {
 +				free(genpath);
 +				if (previous != NULL) {
 +					freecon(previous);
@ -681,20 +683,44 @@ diff -up /dev/null krb5-1.7/src/util/support/selinux.c
 +			}
 +#endif
 +			free(genpath);
 +			currentsc = NULL;
 +			getcon(&currentsc);
 +			if (currentsc != NULL) {
 +				derived = context_new(configuredsc);
 +				if (derived != NULL) {
 +					current = context_new(currentsc);
 +					if (current != NULL) {
 +						currentuser = context_user_get(current);
 +						if (currentuser != NULL) {
 +							if (context_user_set(derived,
 +									     currentuser) == 0) {
 +								derivedsc = context_str(derived);
 +								if (derivedsc != NULL) {
 +									freecon(configuredsc);
 +									configuredsc = strdup(derivedsc);
 +								}
 +							}
 +						}
 +						context_free(current);
 +					}
 +					context_free(derived);
 +				}
 +				freecon(currentsc);
 +			}
 +#ifdef DEBUG
 +			if (isatty(fileno(stderr))) {
 +				fprintf(stderr, "Setting file creation context "
-+					"to \"%s\".\n", next);
+					"to \"%s\".\n", configured);
 +			}
 +#endif
-+			if (setfscreatecon(next) != 0) {
+			if (setfscreatecon(configuredsc) != 0) {
-+				freecon(next);
+				freecon(configuredsc);
 +				if (previous != NULL) {
 +					freecon(previous);
 +				}
 +				return NULL;
 +			}
-+			freecon(next);
+			freecon(configuredsc);
 +#ifdef DEBUG
 +		} else {
 +			if (isatty(fileno(stderr))) {