keep the original context if matchpathcon() fails (#912399)

shadow-4.1.5.1-orig-context.patch

@@ -0,0 +1,128 @@
+diff -up shadow-4.1.5.1/lib/commonio.c.orig-context shadow-4.1.5.1/lib/commonio.c
+--- shadow-4.1.5.1/lib/commonio.c.orig-context	2012-09-19 20:27:16.000000000 +0200
++++ shadow-4.1.5.1/lib/commonio.c	2013-02-20 15:20:55.064962324 +0100
+@@ -941,7 +941,7 @@ int commonio_close (struct commonio_db *
+ 		snprintf (buf, sizeof buf, "%s-", db->filename);
+ 
+ #ifdef WITH_SELINUX
+-		if (set_selinux_file_context (buf) != 0) {
++		if (set_selinux_file_context (buf, db->filename) != 0) {
+ 			errors++;
+ 		}
+ #endif
+@@ -975,7 +975,7 @@ int commonio_close (struct commonio_db *
+ 	snprintf (buf, sizeof buf, "%s+", db->filename);
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (buf) != 0) {
++	if (set_selinux_file_context (buf, db->filename) != 0) {
+ 		errors++;
+ 	}
+ #endif
+diff -up shadow-4.1.5.1/libmisc/copydir.c.orig-context shadow-4.1.5.1/libmisc/copydir.c
+--- shadow-4.1.5.1/libmisc/copydir.c.orig-context	2012-02-13 20:16:32.000000000 +0100
++++ shadow-4.1.5.1/libmisc/copydir.c	2013-02-20 15:19:01.495623232 +0100
+@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co
+ 	 */
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+@@ -605,7 +605,7 @@ static int copy_symlink (const char *src
+ 	}
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		free (oldlink);
+ 		return -1;
+ 	}
+@@ -684,7 +684,7 @@ static int copy_special (const char *src
+ 	int err = 0;
+ 
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+@@ -744,7 +744,7 @@ static int copy_file (const char *src, c
+ 		return -1;
+ 	}
+ #ifdef WITH_SELINUX
+-	if (set_selinux_file_context (dst) != 0) {
++	if (set_selinux_file_context (dst, NULL) != 0) {
+ 		return -1;
+ 	}
+ #endif				/* WITH_SELINUX */
+diff -up shadow-4.1.5.1/lib/prototypes.h.orig-context shadow-4.1.5.1/lib/prototypes.h
+--- shadow-4.1.5.1/lib/prototypes.h.orig-context	2012-01-08 17:04:29.000000000 +0100
++++ shadow-4.1.5.1/lib/prototypes.h	2013-02-20 15:24:17.251126575 +0100
+@@ -295,7 +295,7 @@ extern /*@observer@*/const char *crypt_m
+ 
+ /* selinux.c */
+ #ifdef WITH_SELINUX
+-extern int set_selinux_file_context (const char *dst_name);
++extern int set_selinux_file_context (const char *dst_name, const char *orig_name);
+ extern int reset_selinux_file_context (void);
+ #endif
+ 
+diff -up shadow-4.1.5.1/lib/selinux.c.orig-context shadow-4.1.5.1/lib/selinux.c
+--- shadow-4.1.5.1/lib/selinux.c.orig-context	2012-01-08 17:35:44.000000000 +0100
++++ shadow-4.1.5.1/lib/selinux.c	2013-02-20 15:16:40.383716877 +0100
+@@ -50,7 +50,7 @@ static bool selinux_enabled;
+  *	Callers may have to Reset SELinux to create files with default
+  *	contexts with reset_selinux_file_context
+  */
+-int set_selinux_file_context (const char *dst_name)
++int set_selinux_file_context (const char *dst_name, const char *orig_name)
+ {
+ 	/*@null@*/security_context_t scontext = NULL;
+ 
+@@ -62,19 +62,23 @@ int set_selinux_file_context (const char
+ 	if (selinux_enabled) {
+ 		/* Get the default security context for this file */
+ 		if (matchpathcon (dst_name, 0, &scontext) < 0) {
+-			if (security_getenforce () != 0) {
+-				return 1;
+-			}
++			/* We could not get the default, copy the original */
++			if (orig_name == NULL)
++				goto error;
++			if (getfilecon (orig_name, &scontext) < 0)
++				goto error;
+ 		}
+ 		/* Set the security context for the next created file */
+-		if (setfscreatecon (scontext) < 0) {
+-			if (security_getenforce () != 0) {
+-				return 1;
+-			}
+-		}
++		if (setfscreatecon (scontext) < 0)
++			goto errror;
+ 		freecon (scontext);
+ 	}
+ 	return 0;
++    error:
++	if (security_getenforce () != 0) {
++		return 1;
++	}
++	return 0;
+ }
+ 
+ /*
+diff -up shadow-4.1.5.1/src/useradd.c.orig-context shadow-4.1.5.1/src/useradd.c
+--- shadow-4.1.5.1/src/useradd.c.orig-context	2012-09-19 20:23:33.000000000 +0200
++++ shadow-4.1.5.1/src/useradd.c	2013-02-20 15:19:31.221235459 +0100
+@@ -1759,7 +1759,7 @@ static void create_home (void)
+ {
+ 	if (access (user_home, F_OK) != 0) {
+ #ifdef WITH_SELINUX
+-		if (set_selinux_file_context (user_home) != 0) {
++		if (set_selinux_file_context (user_home, NULL) != 0) {
+ 			fail_exit (E_HOMEDIR);
+ 		}
+ #endif

shadow-utils.spec

@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.5.1
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
@@ -16,6 +16,7 @@ Patch6: shadow-4.1.5.1-selinux.patch
 Patch7: shadow-4.1.5-2ndskip.patch
 Patch8: shadow-4.1.5.1-backup-mode.patch
 Patch9: shadow-4.1.5.1-merge-group.patch
+Patch10: shadow-4.1.5.1-orig-context.patch
 License: BSD and GPLv2+
 Group: System Environment/Base
 BuildRequires: libselinux-devel >= 1.25.2-1
@@ -52,6 +53,7 @@ are used for managing group accounts.
 %patch7 -p1 -b .2ndskip
 %patch8 -p1 -b .backup-mode
 %patch9 -p1 -b .merge-group
+%patch10 -p1 -b .orig-context
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -205,6 +207,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Wed Feb 20 2013 Tomas Mraz <tmraz@redhat.com> - 2:4.1.5.1-4
+- keep the original context if matchpathcon() fails (#912399)
+
 * Tue Jan 29 2013 Tomas Mraz <tmraz@redhat.com> - 2:4.1.5.1-3
 - fix bugs in merge_group_entries()