diff -up shadow-4.6/lib/commonio.c.orig-context shadow-4.6/lib/commonio.c --- shadow-4.6/lib/commonio.c.orig-context 2018-04-29 18:42:37.000000000 +0200 +++ shadow-4.6/lib/commonio.c 2018-05-28 14:56:37.287929667 +0200 @@ -961,7 +961,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s-", db->filename); #ifdef WITH_SELINUX - if (set_selinux_file_context (buf) != 0) { + if (set_selinux_file_context (buf, db->filename) != 0) { errors++; } #endif @@ -994,7 +994,7 @@ int commonio_close (struct commonio_db * snprintf (buf, sizeof buf, "%s+", db->filename); #ifdef WITH_SELINUX - if (set_selinux_file_context (buf) != 0) { + if (set_selinux_file_context (buf, db->filename) != 0) { errors++; } #endif diff -up shadow-4.6/libmisc/copydir.c.orig-context shadow-4.6/libmisc/copydir.c --- shadow-4.6/libmisc/copydir.c.orig-context 2018-04-29 18:42:37.000000000 +0200 +++ shadow-4.6/libmisc/copydir.c 2018-05-28 14:56:37.287929667 +0200 @@ -484,7 +484,7 @@ static int copy_dir (const char *src, co */ #ifdef WITH_SELINUX - if (set_selinux_file_context (dst) != 0) { + if (set_selinux_file_context (dst, NULL) != 0) { return -1; } #endif /* WITH_SELINUX */ @@ -605,7 +605,7 @@ static int copy_symlink (const char *src } #ifdef WITH_SELINUX - if (set_selinux_file_context (dst) != 0) { + if (set_selinux_file_context (dst, NULL) != 0) { free (oldlink); return -1; } @@ -684,7 +684,7 @@ static int copy_special (const char *src int err = 0; #ifdef WITH_SELINUX - if (set_selinux_file_context (dst) != 0) { + if (set_selinux_file_context (dst, NULL) != 0) { return -1; } #endif /* WITH_SELINUX */ @@ -744,7 +744,7 @@ static int copy_file (const char *src, c return -1; } #ifdef WITH_SELINUX - if (set_selinux_file_context (dst) != 0) { + if (set_selinux_file_context (dst, NULL) != 0) { return -1; } #endif /* WITH_SELINUX */ diff -up shadow-4.6/lib/prototypes.h.orig-context shadow-4.6/lib/prototypes.h --- shadow-4.6/lib/prototypes.h.orig-context 2018-04-29 18:42:37.000000000 +0200 +++ shadow-4.6/lib/prototypes.h 2018-05-28 14:56:37.287929667 +0200 @@ -326,7 +326,7 @@ extern /*@observer@*/const char *crypt_m /* selinux.c */ #ifdef WITH_SELINUX -extern int set_selinux_file_context (const char *dst_name); +extern int set_selinux_file_context (const char *dst_name, const char *orig_name); extern int reset_selinux_file_context (void); #endif diff -up shadow-4.6/lib/selinux.c.orig-context shadow-4.6/lib/selinux.c --- shadow-4.6/lib/selinux.c.orig-context 2018-04-29 18:42:37.000000000 +0200 +++ shadow-4.6/lib/selinux.c 2018-05-28 14:56:37.287929667 +0200 @@ -50,7 +50,7 @@ static bool selinux_enabled; * Callers may have to Reset SELinux to create files with default * contexts with reset_selinux_file_context */ -int set_selinux_file_context (const char *dst_name) +int set_selinux_file_context (const char *dst_name, const char *orig_name) { /*@null@*/security_context_t scontext = NULL; @@ -62,19 +62,23 @@ int set_selinux_file_context (const char if (selinux_enabled) { /* Get the default security context for this file */ if (matchpathcon (dst_name, 0, &scontext) < 0) { - if (security_getenforce () != 0) { - return 1; - } + /* We could not get the default, copy the original */ + if (orig_name == NULL) + goto error; + if (getfilecon (orig_name, &scontext) < 0) + goto error; } /* Set the security context for the next created file */ - if (setfscreatecon (scontext) < 0) { - if (security_getenforce () != 0) { - return 1; - } - } + if (setfscreatecon (scontext) < 0) + goto error; freecon (scontext); } return 0; + error: + if (security_getenforce () != 0) { + return 1; + } + return 0; } /* diff -up shadow-4.6/src/useradd.c.orig-context shadow-4.6/src/useradd.c --- shadow-4.6/src/useradd.c.orig-context 2018-05-28 14:56:37.288929688 +0200 +++ shadow-4.6/src/useradd.c 2018-05-28 14:58:02.242730903 +0200 @@ -2020,7 +2020,7 @@ static void create_home (void) { if (access (prefix_user_home, F_OK) != 0) { #ifdef WITH_SELINUX - if (set_selinux_file_context (prefix_user_home) != 0) { + if (set_selinux_file_context (prefix_user_home, NULL) != 0) { fprintf (stderr, _("%s: cannot set SELinux context for home directory %s\n"), Prog, user_home);