set_selinux_file_context(): prepare context for actual file type

Search the SELinux selabel database for the file type to be created. Not specifying the file mode can cause an incorrect file context to be returned. Also prepare contexts in commonio_close() for the generic database filename, not with the backup suffix appended, to ensure the desired file context after the final rename. Closes: #322 Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com>
2021-04-09 18:21:00 +02:00
parent 5f7649fb37
commit eb1d2de0e9
5 changed files with 11 additions and 11 deletions
--- a/lib/selinux.c
+++ b/lib/selinux.c
@ -51,7 +51,7 @@ static bool selinux_enabled;
 *	Callers may have to Reset SELinux to create files with default
 *	contexts with reset_selinux_file_context
 */
-int set_selinux_file_context (const char *dst_name)
+int set_selinux_file_context (const char *dst_name, mode_t mode)
 {
 	if (!selinux_checked) {
 		selinux_enabled = is_selinux_enabled () > 0;
@ -70,7 +70,7 @@ int set_selinux_file_context (const char *dst_name)
 			return security_getenforce () != 0;
 		}

-		r = selabel_lookup_raw(hnd, &fcontext_raw, dst_name, 0);
+		r = selabel_lookup_raw(hnd, &fcontext_raw, dst_name, mode);
 		selabel_close(hnd);
 		if (r < 0) {
 			/* No context specified for the searched path */