diff options
author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2014-07-21 20:41:19 -0400 |
---|---|---|
committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2014-07-21 20:53:05 -0400 |
commit | 9f1c19405a1ccaf59dcc8c32c13a1619541189ad (patch) | |
tree | 7ab90a2c1c2ed3283db4ef69ecc847d6304aaf0d /src | |
parent | c9e738b91199475c88a2f89da448a026e9186058 (diff) |
sysusers: fix selinux context of backup files
Also, fix fopen_temporary_label to set proper context. By chance,
all users so far used the same context, so the error didn't matter.
Also, check return value from label_init().
https://bugzilla.redhat.com/show_bug.cgi?id=1121806
Diffstat (limited to 'src')
-rw-r--r-- | src/shared/fileio-label.c | 2 | ||||
-rw-r--r-- | src/sysusers/sysusers.c | 45 |
2 files changed, 25 insertions, 22 deletions
diff --git a/src/shared/fileio-label.c b/src/shared/fileio-label.c index 417ca5695a..c3def3c568 100644 --- a/src/shared/fileio-label.c +++ b/src/shared/fileio-label.c @@ -59,7 +59,7 @@ int fopen_temporary_label(const char *target, const char *path, FILE **f, char **temp_path) { int r; - r = label_context_set("/etc/passwd", S_IFREG); + r = label_context_set(target, S_IFREG); if (r < 0) return r; diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c index d679394dfa..b7c1609242 100644 --- a/src/sysusers/sysusers.c +++ b/src/sysusers/sysusers.c @@ -195,8 +195,9 @@ static int load_group_database(void) { return 0; } -static int make_backup(const char *x) { - _cleanup_close_ int src = -1, dst = -1; +static int make_backup(const char *target, const char *x) { + _cleanup_close_ int src = -1; + _cleanup_fclose_ FILE *dst = NULL; char *backup, *temp; struct timespec ts[2]; struct stat st; @@ -213,30 +214,30 @@ static int make_backup(const char *x) { if (fstat(src, &st) < 0) return -errno; - temp = strappenda(x, ".XXXXXX"); - dst = mkostemp_safe(temp, O_WRONLY|O_CLOEXEC|O_NOCTTY); - if (dst < 0) - return dst; + r = fopen_temporary_label(target, x, &dst, &temp); + if (r < 0) + return r; - r = copy_bytes(src, dst, (off_t) -1); + r = copy_bytes(src, fileno(dst), (off_t) -1); if (r < 0) goto fail; + /* Don't fail on chmod() or chown(). If it stays owned by us + * and/or unreadable by others, then it isn't too bad... */ + + backup = strappenda(x, "-"); + /* Copy over the access mask */ - if (fchmod(dst, st.st_mode & 07777) < 0) { - r = -errno; - goto fail; - } + if (fchmod(fileno(dst), st.st_mode & 07777) < 0) + log_warning("Failed to change mode on %s: %m", backup); - /* Don't fail on chmod(). If it stays owned by us, then it - * isn't too bad... */ - fchown(dst, st.st_uid, st.st_gid); + if (fchown(fileno(dst), st.st_uid, st.st_gid)< 0) + log_warning("Failed to change ownership of %s: %m", backup); ts[0] = st.st_atim; ts[1] = st.st_mtim; - futimens(dst, ts); + futimens(fileno(dst), ts); - backup = strappenda(x, "-"); if (rename(temp, backup) < 0) goto fail; @@ -469,13 +470,13 @@ static int write_files(void) { /* Make a backup of the old files */ if (group && group_changed) { - r = make_backup(group_path); + r = make_backup("/etc/group", group_path); if (r < 0) goto finish; } if (passwd) { - r = make_backup(passwd_path); + r = make_backup("/etc/passwd", passwd_path); if (r < 0) goto finish; } @@ -1493,9 +1494,11 @@ int main(int argc, char *argv[]) { umask(0022); - label_init(NULL); - - r = 0; + r = label_init(NULL); + if (r < 0) { + log_error("SELinux setup failed: %s", strerror(-r)); + goto finish; + } if (optind < argc) { int j; |