On Sat, Jul 12, 2014, at 06:48 AM, Zbigniew Jędrzejewski-Szmek wrote:
> 
> Please excuse my possibly ignorant questions, SELinux is not my forte.
> If the files are nonexistent, will this fail? But sysusers should be
> able to create /etc from scratch.

True, fixed.

> Why cannot the same code as in write_string_file_atomic_label be used
> instead?

We're writing more than one line, and in addition we need to look up the
label for /etc/passwd even if we're operating on a chroot.
> BTW, you're returning -1 here, but should be -errno.

This code is gone now; new patch attached.

From b1113ed91ebdcf7ac2546a2618fe83751edfbaa0 Mon Sep 17 00:00:00 2001
From: Colin Walters <walt...@verbum.org>
Date: Fri, 11 Jul 2014 15:03:29 -0400
Subject: [PATCH] sysusers: Ensure /etc/{passwd,group} are labeled correctly

These files are specially labeled on SELinux systems, and we need to
preserve that label.
---
 src/sysusers/sysusers.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c
index 68c552d..e086c72 100644
--- a/src/sysusers/sysusers.c
+++ b/src/sysusers/sysusers.c
@@ -312,7 +312,11 @@ static int write_files(void) {
                 _cleanup_fclose_ FILE *original = NULL;
 
                 group_path = fix_root("/etc/group");
+                r = label_context_set("/etc/group", S_IFREG);
+                if (r < 0)
+                        goto finish;
                 r = fopen_temporary(group_path, &group, &group_tmp);
+                label_context_clear();
                 if (r < 0)
                         goto finish;
 
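Review bot: the label lookup here is keyed on the literal "/etc/group" while the file actually opened is group_path (the fix_root'd path); that is intentional per the discussion above (the host label must be used even under a chroot), but it deserves a one-line comment at the call site so it is not "corrected" later to label_context_set(group_path, ...). Note also that a failure in label_context_set() skips label_context_clear(), which is fine only if the helper leaves no context set on error; a short comment stating that assumption would help.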
@@ -388,9 +392,14 @@ static int write_files(void) {
                 _cleanup_fclose_ FILE *original = NULL;
 
                 passwd_path = fix_root("/etc/passwd");
-                r = fopen_temporary(passwd_path, &passwd, &passwd_tmp);
+                r = label_context_set("/etc/passwd", S_IFREG);
                 if (r < 0)
                         goto finish;
+                r = fopen_temporary(passwd_path, &passwd, &passwd_tmp);
+                label_context_clear();
+                if (r < 0) {
+                        goto finish;
+                }
 
                 if (fchmod(fileno(passwd), 0644) < 0) {
                         r = -errno;
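Review bot: the braces around the single-statement `if (r < 0) { goto finish; }` after fopen_temporary() are inconsistent with the unbraced form used three lines earlier and in the /etc/group hunk; drop them for consistency with the surrounding code. Otherwise the ordering matches the group hunk: label set, open, clear, then check the open result, so the label context is always cleared whatever fopen_temporary() returns.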
@@ -1491,6 +1500,8 @@ int main(int argc, char *argv[]) {
 
         umask(0022);
 
+        label_init(NULL);
+
         r = 0;
 
         if (optind < argc) {
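Review bot: the return value of label_init(NULL) is discarded, so an SELinux initialisation failure goes unnoticed and the subsequent label_context_set() calls run without a usable context; assign it to r and bail out (or at least log) when it is negative, consistent with how every other call in this patch is checked. There is also no matching label_finish() visible in this hunk; if main() does not already call it on exit, it should be added.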
-- 
1.8.3.1

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel