[packages/nss_db.git] / nss_db-selinux.patch

Set the SELinux file creation context when opening databases for write access.
Note that this does *not* change the context of existing files.

--- nss_db-2.2/configure.in	2004-10-20 13:41:04.301436568 -0400
+++ nss_db-2.2/configure.in	2004-10-20 13:51:52.913832496 -0400
@@ -73,6 +73,43 @@
 *** Unsupported Berkeley DB version detected.])
 fi
 
+AC_ARG_WITH(selinux,AC_HELP_STRING(--with-selinux,[enable SELinux support [[default=auto]]]),
+selinux=$withval,
+selinux=auto)
+
+libsave="$LIBS"
+if test x$selinux != xno ; then
+  AC_CHECK_HEADERS(selinux/selinux.h)
+  if test x$ac_cv_header_selinux_selinux_h = xno ; then
+    if test x$selinux = xyes ; then
+      AC_MSG_ERROR([SELinux not detected])
+    else
+      AC_MSG_WARN([SELinux not detected])
+      selinux=no
+    fi
+  fi
+fi
+
+if test x$selinux != xno ; then
+  AC_CHECK_FUNC(setfscreatecon,,[AC_CHECK_LIB(selinux,setfscreatecon)])
+  if test x$ac_cv_func_setfscreatecon = xno ; then
+    if test x$ac_cv_lib_selinux_setfscreatecon = xno ; then
+      if test x$selinux = xyes ; then
+        AC_MSG_ERROR([SELinux not detected])
+      else
+        AC_MSG_WARN([SELinux not detected])
+        selinux=no
+      fi
+    fi
+  fi
+fi
+if test x$selinux != xno ; then
+  AC_DEFINE(SELINUX,1,[Define to have makedb set SELinux file contexts on created files.])
+fi
+
+SELINUX_LIBS="$LIBS"
+LIBS="$libsave"
+
 AC_CANONICAL_HOST
 slibdir=NONE
 case "$host" in
@@ -100,6 +137,7 @@
 
 AC_SUBST(DB_CFLAGS)
 AC_SUBST(DB_LIBS)
+AC_SUBST(SELINUX_LIBS)
 AC_SUBST(slibdir)
 
 dnl Internationalization macros.
--- nss_db-2.2.3pre1/Makefile.am~	2010-02-22 19:20:49.000000000 +0200
+++ nss_db-2.2.3pre1/Makefile.am	2010-02-22 19:22:25.691737306 +0200
@@ -30,7 +30,7 @@
 
 bin_PROGRAMS = makedb
 makedb_SOURCES = makedb.c
-makedb_LDADD = db-compat.lo @DB_LIBS@ @INTLLIBS@
+makedb_LDADD = db-compat.lo @DB_LIBS@ @SELINUX_LIBS@ @INTLLIBS@
 
 # To mimmick the old glibc installation as closely as possible, we
 # shuffle the installed library and the links to it around a bit,
--- nss_db-2.2.3/makedb.c	2004-10-20 13:52:02.814327392 -0400
+++ nss_db-2.2.3/makedb.c	2004-10-20 14:06:07.605899552 -0400
@@ -32,6 +32,10 @@
 #include <string.h>
 #include <sys/stat.h>
 
+#ifdef SELINUX
+#include <selinux/selinux.h>
+#endif
+
 #include "db-compat.h"
 
 #define N_(Text) Text
@@ -95,6 +99,12 @@
 			  int to_lowercase, int be_quiet);
 static int print_database (DB *db);
 
+#ifdef SELINUX
+/* Set the SELinux file creation context for the given file. */
+static void set_file_creation_context (const char *outname, mode_t mode);
+#else
+#define set_file_creation_context(_outname,_mode)
+#endif
 
 int
 main (int argc, char *argv[])
@@ -176,8 +186,10 @@
 
   /* Open output file.  This must not be standard output so we don't
      handle "-" and "/dev/stdout" special.  */
+  set_file_creation_context (output_name, mode);
   status = db_open (output_name, DB_BTREE, DB_CREATE | DB_TRUNCATE, mode,
 		    NULL, NULL, &db_file);
+  set_file_creation_context (NULL, 0);
   if (status)
     error (EXIT_FAILURE, 0, gettext ("cannot open output file `%s': %s"),
 	   output_name, db_strerror (status));
@@ -388,3 +400,55 @@
 
   return EXIT_SUCCESS;
 }
+
+
+#ifdef SELINUX
+static void
+set_file_creation_context (const char *outname, mode_t mode)
+{
+  static int enabled = -1, enforcing = -1;
+  security_context_t ctx;
+  /* Handle the "reset the context" case. */
+  if (outname == NULL)
+    {
+      setfscreatecon (NULL);
+      return;
+    }
+  /* Check if SELinux is enabled, and remember. */
+  if (enabled == -1)
+    {
+      enabled = is_selinux_enabled ();
+    }
+  if (enabled == 0)
+    {
+      return;
+    }
+  /* Check if SELinux is enforcing, and remember. */
+  if (enforcing == -1)
+    {
+      enforcing = security_getenforce();
+    }
+  /* Determine the context which the file should have. */
+  ctx = NULL;
+  if ((matchpathcon (outname, S_IFREG | mode, &ctx) == 0) &&
+      (ctx != NULL))
+    {
+      if (setfscreatecon (ctx) != 0)
+        {
+          if (enforcing)
+            {
+              error (EXIT_FAILURE, 0,
+                     gettext ("cannot set file creation context for `%s'"),
+                     outname);
+            }
+          else
+            {
+              error (0, 0,
+                     gettext ("cannot set file creation context for `%s'"),
+                     outname);
+            }
+        }
+      freecon (ctx);
+    }
+}
+#endif
Commit	Line	Data
14a3d93c JR	1	Set the SELinux file creation context when opening databases for write access.
	2	Note that this does not change the context of existing files.
	3
	4	--- nss_db-2.2/configure.in 2004-10-20 13:41:04.301436568 -0400
	5	+++ nss_db-2.2/configure.in 2004-10-20 13:51:52.913832496 -0400
	6	@@ -73,6 +73,43 @@
	7	*** Unsupported Berkeley DB version detected.])
	8	fi
	9
	10	+AC_ARG_WITH(selinux,AC_HELP_STRING(--with-selinux,[enable SELinux support [[default=auto]]]),
	11	+selinux=$withval,
	12	+selinux=auto)
	13	+
	14	+libsave="$LIBS"
0367a2ed	15	+if test x$selinux != xno ; then
14a3d93c JR	16	+ AC_CHECK_HEADERS(selinux/selinux.h)
	17	+ if test x$ac_cv_header_selinux_selinux_h = xno ; then
	18	+ if test x$selinux = xyes ; then
	19	+ AC_MSG_ERROR([SELinux not detected])
	20	+ else
	21	+ AC_MSG_WARN([SELinux not detected])
	22	+ selinux=no
	23	+ fi
	24	+ fi
	25	+fi
	26	+
0367a2ed	27	+if test x$selinux != xno ; then
14a3d93c JR	28	+ AC_CHECK_FUNC(setfscreatecon,,[AC_CHECK_LIB(selinux,setfscreatecon)])
	29	+ if test x$ac_cv_func_setfscreatecon = xno ; then
	30	+ if test x$ac_cv_lib_selinux_setfscreatecon = xno ; then
	31	+ if test x$selinux = xyes ; then
	32	+ AC_MSG_ERROR([SELinux not detected])
	33	+ else
	34	+ AC_MSG_WARN([SELinux not detected])
	35	+ selinux=no
	36	+ fi
	37	+ fi
	38	+ fi
	39	+fi
0367a2ed	40	+if test x$selinux != xno ; then
14a3d93c JR	41	+ AC_DEFINE(SELINUX,1,[Define to have makedb set SELinux file contexts on created files.])
	42	+fi
	43	+
	44	+SELINUX_LIBS="$LIBS"
	45	+LIBS="$libsave"
	46	+
	47	AC_CANONICAL_HOST
	48	slibdir=NONE
	49	case "$host" in
0367a2ed	50	@@ -100,6 +137,7 @@
14a3d93c JR	51
	52	AC_SUBST(DB_CFLAGS)
	53	AC_SUBST(DB_LIBS)
	54	+AC_SUBST(SELINUX_LIBS)
	55	AC_SUBST(slibdir)
0367a2ed ER	56
0367a2ed ER	57	dnl Internationalization macros.
97e01337 ER	58	--- nss_db-2.2.3pre1/Makefile.am~ 2010-02-22 19:20:49.000000000 +0200
97e01337 ER	59	+++ nss_db-2.2.3pre1/Makefile.am 2010-02-22 19:22:25.691737306 +0200
0367a2ed	60	@@ -30,7 +30,7 @@
14a3d93c JR	61
	62	bin_PROGRAMS = makedb
	63	makedb_SOURCES = makedb.c
	64	-makedb_LDADD = db-compat.lo @DB_LIBS@ @INTLLIBS@
0367a2ed	65	+makedb_LDADD = db-compat.lo @DB_LIBS@ @SELINUX_LIBS@ @INTLLIBS@
14a3d93c JR	66
	67	# To mimmick the old glibc installation as closely as possible, we
	68	# shuffle the installed library and the links to it around a bit,
97e01337 ER	69	--- nss_db-2.2.3/makedb.c 2004-10-20 13:52:02.814327392 -0400
97e01337 ER	70	+++ nss_db-2.2.3/makedb.c 2004-10-20 14:06:07.605899552 -0400
14a3d93c JR	71	@@ -32,6 +32,10 @@
	72	#include <string.h>
	73	#include <sys/stat.h>
	74
	75	+#ifdef SELINUX
	76	+#include <selinux/selinux.h>
	77	+#endif
	78	+
	79	#include "db-compat.h"
	80
	81	#define N_(Text) Text
	82	@@ -95,6 +99,12 @@
	83	int to_lowercase, int be_quiet);
	84	static int print_database (DB *db);
	85
	86	+#ifdef SELINUX
	87	+/* Set the SELinux file creation context for the given file. */
	88	+static void set_file_creation_context (const char *outname, mode_t mode);
	89	+#else
	90	+#define set_file_creation_context(_outname,_mode)
	91	+#endif
	92
	93	int
	94	main (int argc, char *argv[])
	95	@@ -176,8 +186,10 @@
	96
	97	/* Open output file. This must not be standard output so we don't
	98	handle "-" and "/dev/stdout" special. */
	99	+ set_file_creation_context (output_name, mode);
	100	status = db_open (output_name, DB_BTREE, DB_CREATE \| DB_TRUNCATE, mode,
	101	NULL, NULL, &db_file);
	102	+ set_file_creation_context (NULL, 0);
	103	if (status)
	104	error (EXIT_FAILURE, 0, gettext ("cannot open output file `%s': %s"),
	105	output_name, db_strerror (status));
0367a2ed	106	@@ -388,3 +400,55 @@
14a3d93c JR	107
	108	return EXIT_SUCCESS;
	109	}
	110	+
	111	+
	112	+#ifdef SELINUX
	113	+static void
	114	+set_file_creation_context (const char *outname, mode_t mode)
	115	+{
0367a2ed	116	+ static int enabled = -1, enforcing = -1;
14a3d93c JR	117	+ security_context_t ctx;
	118	+ /* Handle the "reset the context" case. */
	119	+ if (outname == NULL)
	120	+ {
	121	+ setfscreatecon (NULL);
	122	+ return;
	123	+ }
	124	+ /* Check if SELinux is enabled, and remember. */
	125	+ if (enabled == -1)
	126	+ {
	127	+ enabled = is_selinux_enabled ();
	128	+ }
	129	+ if (enabled == 0)
	130	+ {
	131	+ return;
	132	+ }
0367a2ed ER	133	+ /* Check if SELinux is enforcing, and remember. */
0367a2ed ER	134	+ if (enforcing == -1)
14a3d93c	135	+ {
0367a2ed	136	+ enforcing = security_getenforce();
14a3d93c	137	+ }
0367a2ed ER	138	+ /* Determine the context which the file should have. */
	139	+ ctx = NULL;
	140	+ if ((matchpathcon (outname, S_IFREG \| mode, &ctx) == 0) &&
	141	+ (ctx != NULL))
14a3d93c JR	142	+ {
	143	+ if (setfscreatecon (ctx) != 0)
	144	+ {
0367a2ed ER	145	+ if (enforcing)
	146	+ {
	147	+ error (EXIT_FAILURE, 0,
	148	+ gettext ("cannot set file creation context for `%s'"),
	149	+ outname);
	150	+ }
	151	+ else
	152	+ {
	153	+ error (0, 0,
	154	+ gettext ("cannot set file creation context for `%s'"),
	155	+ outname);
	156	+ }
14a3d93c JR	157	+ }
	158	+ freecon (ctx);
	159	+ }
	160	+}
	161	+#endif