1 Set the SELinux file creation context when opening databases for write access.
2 Note that this does *not* change the context of existing files.
4 --- nss_db-2.2/configure.in 2004-10-20 13:41:04.301436568 -0400
5 +++ nss_db-2.2/configure.in 2004-10-20 13:51:52.913832496 -0400
7 *** Unsupported Berkeley DB version detected.])
10 +AC_ARG_WITH(selinux,AC_HELP_STRING(--with-selinux,[enable SELinux support [[default=auto]]]),
15 +if test x$selinux != xno ; then
16 + AC_CHECK_HEADERS(selinux/selinux.h)
17 + if test x$ac_cv_header_selinux_selinux_h = xno ; then
18 + if test x$selinux = xyes ; then
19 + AC_MSG_ERROR([SELinux not detected])
21 + AC_MSG_WARN([SELinux not detected])
27 +if test x$selinux != xno ; then
28 + AC_CHECK_FUNC(setfscreatecon,,[AC_CHECK_LIB(selinux,setfscreatecon)])
29 + if test x$ac_cv_func_setfscreatecon = xno ; then
30 + if test x$ac_cv_lib_selinux_setfscreatecon = xno ; then
31 + if test x$selinux = xyes ; then
32 + AC_MSG_ERROR([SELinux not detected])
34 + AC_MSG_WARN([SELinux not detected])
40 +if test x$selinux != xno ; then
41 + AC_DEFINE(SELINUX,1,[Define to have makedb set SELinux file contexts on created files.])
54 +AC_SUBST(SELINUX_LIBS)
57 dnl Internationalization macros.
58 --- nss_db-2.2.3pre1/src/Makefile.am~ 2010-02-22 19:20:49.000000000 +0200
59 +++ nss_db-2.2.3pre1/src/Makefile.am 2010-02-22 19:22:25.691737306 +0200
63 makedb_SOURCES = makedb.c
64 -makedb_LDADD = db-compat.lo @DB_LIBS@ @INTLLIBS@
65 +makedb_LDADD = db-compat.lo @DB_LIBS@ @SELINUX_LIBS@ @INTLLIBS@
67 # To mimmick the old glibc installation as closely as possible, we
68 # shuffle the installed library and the links to it around a bit,
69 --- nss_db-2.2.3/src/makedb.c 2004-10-20 13:52:02.814327392 -0400
70 +++ nss_db-2.2.3/src/makedb.c 2004-10-20 14:06:07.605899552 -0400
76 +#include <selinux/selinux.h>
79 #include "db-compat.h"
83 int to_lowercase, int be_quiet);
84 static int print_database (DB *db);
87 +/* Set the SELinux file creation context for the given file. */
88 +static void set_file_creation_context (const char *outname, mode_t mode);
90 +#define set_file_creation_context(_outname,_mode)
94 main (int argc, char *argv[])
97 /* Open output file. This must not be standard output so we don't
98 handle "-" and "/dev/stdout" special. */
99 + set_file_creation_context (output_name, mode);
100 status = db_open (output_name, DB_BTREE, DB_CREATE | DB_TRUNCATE, mode,
101 NULL, NULL, &db_file);
102 + set_file_creation_context (NULL, 0);
104 error (EXIT_FAILURE, 0, gettext ("cannot open output file `%s': %s"),
105 output_name, db_strerror (status));
114 +set_file_creation_context (const char *outname, mode_t mode)
116 + static int enabled = -1, enforcing = -1;
117 + security_context_t ctx;
118 + /* Handle the "reset the context" case. */
119 + if (outname == NULL)
121 + setfscreatecon (NULL);
124 + /* Check if SELinux is enabled, and remember. */
127 + enabled = is_selinux_enabled ();
133 + /* Check if SELinux is enforcing, and remember. */
134 + if (enforcing == -1)
136 + enforcing = security_getenforce();
138 + /* Determine the context which the file should have. */
140 + if ((matchpathcon (outname, S_IFREG | mode, &ctx) == 0) &&
143 + if (setfscreatecon (ctx) != 0)
147 + error (EXIT_FAILURE, 0,
148 + gettext ("cannot set file creation context for `%s'"),
154 + gettext ("cannot set file creation context for `%s'"),
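Review bot: The `ctx` filled in by `matchpathcon (outname, S_IFREG | mode, &ctx)` is allocated by libselinux and must be released with `freecon (ctx);` after `setfscreatecon (ctx)` has taken its own copy, on both the success path and the path that reports "cannot set file creation context"; the lines between that call and the two error reports are elided on this page, so this only applies if the release is not already there. Separately, `enforcing = security_getenforce();` reuses -1 both as the "not yet queried" sentinel and as the call's own error return, so a failed query is silently repeated and the elided code that consults `enforcing` should say how -1 is treated, e.g. `/* -1 here means the enforcing-mode query failed, not permissive mode */`. The body of set_file_creation_context continues past the last line shown; the `set_file_creation_context (NULL, 0);` reset in main is placed correctly, before the db_open failure is reported.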