20110128

 - (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled
   before attempting setfscreatecon(). Check whether matchpathcon()
   succeeded before using its result. Patch from cjwatson AT debian.org;
   bz#1851

2 files changed, 15 insertions, 7 deletions

diff --git a/ChangeLog b/ChangeLog
index 6d2375a33..d0a3aa3c8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+20110128
+ - (djm) [openbsd-compat/port-linux.c] Check whether SELinux is enabled
+   before attempting setfscreatecon(). Check whether matchpathcon()
+   succeeded before using its result. Patch from cjwatson AT debian.org;
+   bz#1851
+
 20110125
  - (djm) [configure.ac Makefile.in ssh.c openbsd-compat/port-linux.c
    openbsd-compat/port-linux.h] Move SELinux-specific code from ssh.c to
diff --git a/openbsd-compat/port-linux.c b/openbsd-compat/port-linux.c
index ee4290b98..ede533fdd 100644
--- a/openbsd-compat/port-linux.c
+++ b/openbsd-compat/port-linux.c
@@ -1,4 +1,4 @@
-/* $Id: port-linux.c,v 1.11.4.1 2011/02/04 00:42:21 djm Exp $ */
+/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
 
 /*
  * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
@@ -209,13 +209,15 @@ ssh_selinux_change_context(const char *newname)
 void
 ssh_selinux_setfscreatecon(const char *path)
 {
-                security_context_t context;
+        security_context_t context;
 
-                if (path == NULL) {
-                        setfscreatecon(NULL);
-                        return;
-                }
-                matchpathcon(path, 0700, &context);
+        if (!ssh_selinux_enabled())
+                return;
+        if (path == NULL)
+                setfscreatecon(NULL);
+                return;
+        }
+        if (matchpathcon(path, 0700, &context) == 0)
                 setfscreatecon(context);
 }