src/useradd.c: chroot or prefix SELinux file context

lib/cleanup_group.c

@@ -179,9 +179,11 @@ void cleanup_report_del_group_gshadow (void *group_name)
  *
  * It should be registered after the group file is successfully locked.
  */
-void cleanup_unlock_group (MAYBE_UNUSED void *arg)
+void cleanup_unlock_group (void *process_selinux)
 {
-	if (gr_unlock () == 0) {
+	bool process = *((bool *) process_selinux);
+
+	if (gr_unlock (process) == 0) {
 		fprintf (log_get_logfd(),
 		         _("%s: failed to unlock %s\n"),
 		         log_get_progname(), gr_dbname ());
@@ -199,9 +201,11 @@ void cleanup_unlock_group (MAYBE_UNUSED void *arg)
  *
  * It should be registered after the gshadow file is successfully locked.
  */
-void cleanup_unlock_gshadow (MAYBE_UNUSED void *arg)
+void cleanup_unlock_gshadow (void *process_selinux)
 {
-	if (sgr_unlock () == 0) {
+	bool process = *((bool *) process_selinux);
+
+	if (sgr_unlock (process) == 0) {
 		fprintf (log_get_logfd(),
 		         _("%s: failed to unlock %s\n"),
 		         log_get_progname(), sgr_dbname ());

lib/cleanup_user.c

@@ -96,9 +96,11 @@ void cleanup_report_add_user_shadow (void *user_name)
  *
  * It should be registered after the passwd database is successfully locked.
  */
-void cleanup_unlock_passwd (MAYBE_UNUSED void *arg)
+void cleanup_unlock_passwd (void *process_selinux)
 {
-	if (pw_unlock () == 0) {
+	bool process = *((bool *) process_selinux);
+
+	if (pw_unlock (process) == 0) {
 		fprintf (log_get_logfd(),
 		         _("%s: failed to unlock %s\n"),
 		         log_get_progname(), pw_dbname ());
@@ -115,9 +117,11 @@ void cleanup_unlock_passwd (MAYBE_UNUSED void *arg)
  *
  * It should be registered after the shadow database is successfully locked.
  */
-void cleanup_unlock_shadow (MAYBE_UNUSED void *arg)
+void cleanup_unlock_shadow (void *process_selinux)
 {
-	if (spw_unlock () == 0) {
+	bool process = *((bool *) process_selinux);
+
+	if (spw_unlock (process) == 0) {
 		fprintf (log_get_logfd(),
 		         _("%s: failed to unlock %s\n"),
 		         log_get_progname(), spw_dbname ());

lib/commonio.c

@@ -467,13 +467,13 @@ static void dec_lock_count (void)
 }
 
 
-int commonio_unlock (struct commonio_db *db)
+int commonio_unlock (struct commonio_db *db, bool process_selinux)
 {
 	char  lock[1029];
 
 	if (db->isopen) {
 		db->readonly = true;
-		if (commonio_close (db) == 0) {
+		if (commonio_close (db, process_selinux) == 0) {
 			if (db->locked) {
 				dec_lock_count ();
 			}
@@ -885,7 +885,7 @@ static int write_all (const struct commonio_db *db)
 }
 
 
-int commonio_close (struct commonio_db *db)
+int commonio_close (struct commonio_db *db, bool process_selinux)
 {
 	bool         errors = false;
 	char         buf[1024];
@@ -927,7 +927,8 @@ int commonio_close (struct commonio_db *db)
 		}
 
 #ifdef WITH_SELINUX
-		if (set_selinux_file_context (db->filename, S_IFREG) != 0) {
+		if (process_selinux
+		    && set_selinux_file_context (db->filename, S_IFREG) != 0) {
 			errors = true;
 		}
 #endif
@@ -942,7 +943,8 @@ int commonio_close (struct commonio_db *db)
 		db->fp = NULL;
 
 #ifdef WITH_SELINUX
-		if (reset_selinux_file_context () != 0) {
+		if (process_selinux
+		    && reset_selinux_file_context () != 0) {
 			errors = true;
 		}
 #endif
@@ -961,7 +963,8 @@ int commonio_close (struct commonio_db *db)
 		goto fail;
 
 #ifdef WITH_SELINUX
-	if (set_selinux_file_context (db->filename, S_IFREG) != 0) {
+	if (process_selinux
+	    && set_selinux_file_context (db->filename, S_IFREG) != 0) {
 		errors = true;
 	}
 #endif
@@ -999,7 +1002,8 @@ int commonio_close (struct commonio_db *db)
 	}
 
 #ifdef WITH_SELINUX
-	if (reset_selinux_file_context () != 0) {
+	if (process_selinux
+	    && reset_selinux_file_context () != 0) {
 		goto fail;
 	}
 #endif

lib/commonio.h

@@ -138,8 +138,8 @@ extern int commonio_append (struct commonio_db *, const void *);
 extern int commonio_remove (struct commonio_db *, const char *);
 extern int commonio_rewind (struct commonio_db *);
 extern /*@observer@*/ /*@null@*/const void *commonio_next (struct commonio_db *);
-extern int commonio_close (struct commonio_db *);
-extern int commonio_unlock (struct commonio_db *);
+extern int commonio_close (struct commonio_db *, bool);
+extern int commonio_unlock (struct commonio_db *, bool);
 extern void commonio_del_entry (struct commonio_db *,
                                 const struct commonio_entry *);
 extern int commonio_sort_wrt (struct commonio_db *shadow,

lib/groupio.c

@@ -185,14 +185,14 @@ int gr_rewind (void)
 	return commonio_next (&group_db);
 }
 
-int gr_close (void)
+int gr_close (bool process_selinux)
 {
-	return commonio_close (&group_db);
+	return commonio_close (&group_db, process_selinux);
 }
 
-int gr_unlock (void)
+int gr_unlock (bool process_selinux)
 {
-	return commonio_unlock (&group_db);
+	return commonio_unlock (&group_db, process_selinux);
 }
 
 void __gr_set_changed (void)

lib/groupio.h

@@ -14,8 +14,9 @@
 
 #include <sys/types.h>
 #include <grp.h>
+#include <stdbool.h>
 
-extern int gr_close (void);
+extern int gr_close (bool process_selinux);
 extern /*@observer@*/ /*@null@*/const struct group *gr_locate (const char *name);
 extern /*@observer@*/ /*@null@*/const struct group *gr_locate_gid (gid_t gid);
 extern int gr_lock (void);
@@ -25,7 +26,7 @@ extern /*@observer@*/ /*@null@*/const struct group *gr_next (void);
 extern int gr_open (int mode);
 extern int gr_remove (const char *name);
 extern int gr_rewind (void);
-extern int gr_unlock (void);
+extern int gr_unlock (bool process_selinux);
 extern int gr_update (const struct group *gr);
 extern int gr_sort (void);
 

lib/lockpw.c

@@ -56,7 +56,7 @@ int lckpwdf (void)
 	 */
 
 	if (i == 15) {
-		pw_unlock ();
+		pw_unlock (true);
 		return -1;
 	}
 
@@ -78,7 +78,7 @@ int ulckpwdf (void)
 	 * Unlock both files.
 	 */
 
-	return (pw_unlock () && spw_unlock ())? 0 : -1;
+	return (pw_unlock (true) && spw_unlock (true))? 0 : -1;
 }
 #else
 extern int ISO_C_forbids_an_empty_translation_unit;

lib/prototypes.h

@@ -94,11 +94,11 @@ void cleanup_report_del_group_gshadow (void *group_name);
 void cleanup_report_mod_passwd (void *cleanup_info);
 void cleanup_report_mod_group (void *cleanup_info);
 void cleanup_report_mod_gshadow (void *cleanup_info);
-void cleanup_unlock_group (/*@null@*/void *MAYBE_UNUSED);
+void cleanup_unlock_group (void *process_selinux);
 #ifdef SHADOWGRP
-void cleanup_unlock_gshadow (/*@null@*/void *MAYBE_UNUSED);
+void cleanup_unlock_gshadow (void *process_selinux);
 #endif
-void cleanup_unlock_passwd (/*@null@*/void *MAYBE_UNUSED);
+void cleanup_unlock_passwd (void *process_selinux);
 
 /* console.c */
 extern bool console (const char *);

lib/pwio.c

@@ -158,14 +158,14 @@ int pw_rewind (void)
 	return commonio_next (&passwd_db);
 }
 
-int pw_close (void)
+int pw_close (bool process_selinux)
 {
-	return commonio_close (&passwd_db);
+	return commonio_close (&passwd_db, process_selinux);
 }
 
-int pw_unlock (void)
+int pw_unlock (bool process_selinux)
 {
-	return commonio_unlock (&passwd_db);
+	return commonio_unlock (&passwd_db, process_selinux);
 }
 
 /*@null@*/struct commonio_entry *__pw_get_head (void)

lib/pwio.h

@@ -14,8 +14,9 @@
 
 #include <sys/types.h>
 #include <pwd.h>
+#include <stdbool.h>
 
-extern int pw_close (void);
+extern int pw_close (bool process_selinux);
 extern /*@observer@*/ /*@null@*/const struct passwd *pw_locate (const char *name);
 extern /*@observer@*/ /*@null@*/const struct passwd *pw_locate_uid (uid_t uid);
 extern int pw_lock (void);
@@ -25,7 +26,7 @@ extern /*@observer@*/ /*@null@*/const struct passwd *pw_next (void);
 extern int pw_open (int mode);
 extern int pw_remove (const char *name);
 extern int pw_rewind (void);
-extern int pw_unlock (void);
+extern int pw_unlock (bool process_selinux);
 extern int pw_update (const struct passwd *pw);
 extern int pw_sort (void);
 

lib/sgroupio.c

@@ -280,14 +280,14 @@ int sgr_rewind (void)
 	return commonio_next (&gshadow_db);
 }
 
-int sgr_close (void)
+int sgr_close (bool process_selinux)
 {
-	return commonio_close (&gshadow_db);
+	return commonio_close (&gshadow_db, process_selinux);
 }
 
-int sgr_unlock (void)
+int sgr_unlock (bool process_selinux)
 {
-	return commonio_unlock (&gshadow_db);
+	return commonio_unlock (&gshadow_db, process_selinux);
 }
 
 void __sgr_set_changed (void)

lib/sgroupio.h

@@ -18,7 +18,7 @@
 #include "shadow/gshadow/sgrp.h"
 
 
-extern int sgr_close (void);
+extern int sgr_close (bool process_selinux);
 extern bool sgr_file_present (void);
 extern /*@observer@*/ /*@null@*/const struct sgrp *sgr_locate (const char *name);
 extern int sgr_lock (void);
@@ -28,7 +28,7 @@ extern /*@null@*/const struct sgrp *sgr_next (void);
 extern int sgr_open (int mode);
 extern int sgr_remove (const char *name);
 extern int sgr_rewind (void);
-extern int sgr_unlock (void);
+extern int sgr_unlock (bool process_selinux);
 extern int sgr_update (const struct sgrp *sg);
 extern int sgr_sort (void);
 

lib/shadowio.c

@@ -187,7 +187,7 @@ int spw_rewind (void)
 	return commonio_next (&shadow_db);
 }
 
-int spw_close (void)
+int spw_close (bool process_selinux)
 {
 	int retval = 0;
 #ifdef WITH_TCB
@@ -197,7 +197,7 @@ int spw_close (void)
 		return 0;
 	}
 #endif				/* WITH_TCB */
-	retval = commonio_close (&shadow_db);
+	retval = commonio_close (&shadow_db, process_selinux);
 #ifdef WITH_TCB
 	if (use_tcb && (shadowtcb_gain_priv () == SHADOWTCB_FAILURE)) {
 		return 0;
@@ -206,14 +206,14 @@ int spw_close (void)
 	return retval;
 }
 
-int spw_unlock (void)
+int spw_unlock (bool process_selinux)
 {
 #ifdef WITH_TCB
 	int retval = 0;
 
 	if (!getdef_bool ("USE_TCB")) {
 #endif				/* WITH_TCB */
-		return commonio_unlock (&shadow_db);
+		return commonio_unlock (&shadow_db, process_selinux);
 #ifdef WITH_TCB
 	}
 	if (shadowtcb_drop_priv () == SHADOWTCB_FAILURE) {

lib/shadowio.h

@@ -13,7 +13,7 @@
 
 #include "defines.h"
 
-extern int spw_close (void);
+extern int spw_close (bool process_selinux);
 extern bool spw_file_present (void);
 extern /*@observer@*/ /*@null@*/const struct spwd *spw_locate (const char *name);
 extern int spw_lock (void);
@@ -23,7 +23,7 @@ extern /*@observer@*/ /*@null@*/const struct spwd *spw_next (void);
 extern int spw_open (int mode);
 extern int spw_remove (const char *name);
 extern int spw_rewind (void);
-extern int spw_unlock (void);
+extern int spw_unlock (bool process_selinux);
 extern int spw_update (const struct spwd *sp);
 extern int spw_sort (void);