Set the SELinux file creation context when opening databases for write access. Note that this does *not* change the context of existing files. --- nss_db-2.2/configure.in 2004-10-20 13:41:04.301436568 -0400 +++ nss_db-2.2/configure.in 2004-10-20 13:51:52.913832496 -0400 @@ -73,6 +73,43 @@ *** Unsupported Berkeley DB version detected.]) fi +AC_ARG_WITH(selinux,AC_HELP_STRING(--with-selinux,[enable SELinux support [[default=auto]]]), +selinux=$withval, +selinux=auto) + +libsave="$LIBS" +if test x$selinux != no ; then + AC_CHECK_HEADERS(selinux/selinux.h) + if test x$ac_cv_header_selinux_selinux_h = xno ; then + if test x$selinux = xyes ; then + AC_MSG_ERROR([SELinux not detected]) + else + AC_MSG_WARN([SELinux not detected]) + selinux=no + fi + fi +fi + +if test x$selinux != no ; then + AC_CHECK_FUNC(setfscreatecon,,[AC_CHECK_LIB(selinux,setfscreatecon)]) + if test x$ac_cv_func_setfscreatecon = xno ; then + if test x$ac_cv_lib_selinux_setfscreatecon = xno ; then + if test x$selinux = xyes ; then + AC_MSG_ERROR([SELinux not detected]) + else + AC_MSG_WARN([SELinux not detected]) + selinux=no + fi + fi + fi +fi +if test x$selinux != no ; then + AC_DEFINE(SELINUX,1,[Define to have makedb set SELinux file contexts on created files.]) +fi + +SELINUX_LIBS="$LIBS" +LIBS="$libsave" + AC_CANONICAL_HOST slibdir=NONE case "$host" in @@ -100,5 +137,6 @@ AC_SUBST(DB_CFLAGS) AC_SUBST(DB_LIBS) +AC_SUBST(SELINUX_LIBS) AC_SUBST(slibdir) AC_OUTPUT(Makefile) --- nss_db-2.2/src/Makefile.am 2004-10-20 13:47:22.207986040 -0400 +++ nss_db-2.2/src/Makefile.am 2004-10-20 13:48:46.242210896 -0400 
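Review bot: The three `if test x$selinux != no ; then` guards in the configure.in hunk compare the x-prefixed value against an unprefixed literal, so `--without-selinux` (withval `no`, giving `xno`) never matches, detection still runs, and SELinux support is enabled whenever the header and library happen to be present; the inner tests already use `= xyes` / `= xno` correctly. Each guard should read `if test x$selinux != xno ; then`. As a point of style, the defined macro `SELINUX` is unprefixed; `HAVE_SELINUX` would follow the usual autoconf `HAVE_*` convention and is less likely to collide with a definition from another header.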
@@ -28,7 +28,7 @@ bin_PROGRAMS = makedb makedb_SOURCES = makedb.c -makedb_LDADD = db-compat.lo @DB_LIBS@ @INTLLIBS@ +makedb_LDADD = db-compat.lo @DB_LIBS@ @INTLLIBS@ @SELINUX_LIBS@ # To mimmick the old glibc installation as closely as possible, we # shuffle the installed library and the links to it around a bit, --- nss_db-2.2/src/makedb.c 2004-10-20 13:52:02.814327392 -0400 +++ nss_db-2.2/src/makedb.c 2004-10-20 14:06:07.605899552 -0400 @@ -32,6 +32,10 @@ #include #include +#ifdef SELINUX +#include +#endif + #include "db-compat.h" #define N_(Text) Text @@ -95,6 +99,12 @@ int to_lowercase, int be_quiet); static int print_database (DB *db); +#ifdef SELINUX +/* Set the SELinux file creation context for the given file. */ +static void set_file_creation_context (const char *outname, mode_t mode); +#else +#define set_file_creation_context(_outname,_mode) +#endif int main (int argc, char *argv[]) @@ -176,8 +186,10 @@ /* Open output file. This must not be standard output so we don't handle "-" and "/dev/stdout" special. */ + set_file_creation_context (output_name, mode); status = db_open (output_name, DB_BTREE, DB_CREATE | DB_TRUNCATE, mode, NULL, NULL, &db_file); + set_file_creation_context (NULL, 0); if (status) error (EXIT_FAILURE, 0, gettext ("cannot open output file `%s': %s"), output_name, db_strerror (status)); 
@@ -388,3 +400,44 @@
 return EXIT_SUCCESS;
 }
+
+
+#ifdef SELINUX
+static void
+set_file_creation_context (const char *outname, mode_t mode)
+{
+ static int enabled = -1;
+ security_context_t ctx;
+ /* Handle the "reset the context" case. */
+ if (outname == NULL)
+ {
+ setfscreatecon (NULL);
+ return;
+ }
+ /* Check if SELinux is enabled, and remember. */
+ if (enabled == -1)
+ {
+ enabled = is_selinux_enabled ();
+ }
+ if (enabled == 0)
+ {
+ return;
+ }
+ /* Determine the context which the file should have. */
+ ctx = NULL;
+ if (matchpathcon (outname, S_IFREG | mode, &ctx) != 0)
+ {
+ error (EXIT_FAILURE, 0,
+ gettext ("cannot determine file context for `%s'"), outname);
+ }
+ if (ctx != NULL)
+ {
+ if (setfscreatecon (ctx) != 0)
+ {
+ error (EXIT_FAILURE, 0,
+ gettext ("cannot set file creation context for `%s'"), outname);
+ }
+ freecon (ctx);
+ }
+}
+#endif
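Review bot: Both `error (EXIT_FAILURE, 0, ...)` calls in set_file_creation_context pass 0 as the errnum, so the reason libselinux gave for the failure is dropped from the message; `matchpathcon` and `setfscreatecon` set errno, so `error (EXIT_FAILURE, errno, ...)` would surface it. Because every non-zero return of `matchpathcon` is fatal, a path that has no file_contexts entry (libselinux reports that as -1 with errno ENOENT, as I read it) aborts makedb instead of letting the kernel apply the default label; treating that case as "leave ctx NULL" and only aborting on other errors would be more robust, and the existing `if (ctx != NULL)` branch already handles the NULL case. The `enabled` cache only short-circuits on 0, so a negative result from `is_selinux_enabled ()` is re-probed on every call and then falls through to `matchpathcon`; `if (enabled <= 0)` covers both outcomes. The function is complete within the hunk.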