[shadow-utils] - fixing Linux login <-> SELinux login mapping
Peter Vrabec
pvrabec at fedoraproject.org
Tue Jun 28 14:33:43 UTC 2011
commit 46dd21926b32abe38fc25a303d5dacd4418ca030
Author: Peter Vrabec <pvrabec at redhat.com>
Date: Tue Jun 28 16:32:18 2011 +0200
- fixing Linux login <-> SELinux login mapping
(#639900), (#639975), (#639976)
shadow-4.1.4.2-semange.patch | 22 ---
shadow-4.1.4.3-semange.patch | 301 ++++++++++++++++++++++++++++++++++++++++++
shadow-utils.spec | 9 +-
3 files changed, 308 insertions(+), 24 deletions(-)
---
diff --git a/shadow-4.1.4.3-semange.patch b/shadow-4.1.4.3-semange.patch
new file mode 100644
index 0000000..6a8a4f6
--- /dev/null
+++ b/shadow-4.1.4.3-semange.patch
@@ -0,0 +1,301 @@
+diff -up shadow-4.1.4.3/man/useradd.8.semange shadow-4.1.4.3/man/useradd.8
+--- shadow-4.1.4.3/man/useradd.8.semange 2011-06-28 16:17:06.385374734 +0200
++++ shadow-4.1.4.3/man/useradd.8 2011-06-28 16:18:19.657899439 +0200
+@@ -640,6 +640,11 @@ can\*(Aqt create home directory
+ .RS 4
+ can\*(Aqt create mail spool
+ .RE
++.PP
++\fI14\fR
++.RS 4
++can\'t update SELinux user mapping
++.RE
+ .SH "SEE ALSO"
+ .PP
+
+diff -up shadow-4.1.4.3/man/userdel.8.semange shadow-4.1.4.3/man/userdel.8
+--- shadow-4.1.4.3/man/userdel.8.semange 2011-02-16 00:14:13.000000000 +0100
++++ shadow-4.1.4.3/man/userdel.8 2011-06-28 16:18:19.657899439 +0200
+@@ -76,6 +76,11 @@ variable in the
+ login\&.defs
+ file\&.
+ .RE
++.PP
++\fB\-Z\fR, \fB\-\-selinux-user\fR
++.RS 4
++Remove SELinux user assigned to the user´s login from SELinux login mapping. Use with caution, all the occurrences of the SELinux user will be removed.
++.RE
+ .SH "CONFIGURATION"
+ .PP
+ The following configuration variables in
+diff -up shadow-4.1.4.3/src/useradd.c.semange shadow-4.1.4.3/src/useradd.c
+--- shadow-4.1.4.3/src/useradd.c.semange 2011-06-28 16:17:06.381374760 +0200
++++ shadow-4.1.4.3/src/useradd.c 2011-06-28 16:18:19.658899432 +0200
+@@ -164,6 +164,7 @@ static bool home_added = false;
+ #define E_GRP_UPDATE 10 /* can't update group file */
+ #define E_HOMEDIR 12 /* can't create home directory */
+ #define E_MAIL_SPOOL 13 /* can't create mail spool */
++#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
+
+ #define DGROUP "GROUP="
+ #define HOME "HOME="
+@@ -181,9 +182,6 @@ static int set_defaults (void);
+ static int get_groups (char *);
+ static void usage (void);
+ static void new_pwent (struct passwd *);
+-#ifdef WITH_SELINUX
+-static void selinux_update_mapping (void);
+-#endif
+
+ static long scale_age (long);
+ static void new_spent (struct spwd *);
+@@ -1710,32 +1708,6 @@ static void usr_update (void)
+ }
+ }
+
+-#ifdef WITH_SELINUX
+-static void selinux_update_mapping (void) {
+- if (is_selinux_enabled () <= 0) return;
+-
+- if (*user_selinux) { /* must be done after passwd write() */
+- const char *argv[7];
+- argv[0] = "/usr/sbin/semanage";
+- argv[1] = "login";
+- argv[2] = "-a";
+- argv[3] = "-s";
+- argv[4] = user_selinux;
+- argv[5] = user_name;
+- argv[6] = NULL;
+- if (safe_system (argv[0], argv, NULL, 0)) {
+- fprintf (stderr,
+- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+- Prog, user_name, user_selinux);
+-#ifdef WITH_AUDIT
+- audit_logger (AUDIT_ADD_USER, Prog,
+- "adding SELinux user mapping",
+- user_name, (unsigned int) user_id, 0);
+-#endif
+- }
+- }
+-}
+-#endif
+ /*
+ * create_home - create the user's home directory
+ *
+@@ -2022,12 +1994,35 @@ int main (int argc, char **argv)
+ create_mail ();
+ }
+
+- close_files ();
+-
+ #ifdef WITH_SELINUX
+- selinux_update_mapping ();
++ if (Zflg && *user_selinux) {
++ if (is_selinux_enabled () > 0) {
++ const char *argv[7];
++
++ argv[0] = "/usr/sbin/semanage";
++ argv[1] = "login";
++ argv[2] = "-a";
++ argv[3] = "-s";
++ argv[4] = user_selinux;
++ argv[5] = user_name;
++ argv[6] = NULL;
++ if (safe_system (argv[0], argv, NULL, 0)) {
++ fprintf (stderr,
++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
++ Prog, user_name, user_selinux);
++ #ifdef WITH_AUDIT
++ audit_logger (AUDIT_ADD_USER, Prog,
++ "adding SELinux user mapping",
++ user_name, (unsigned int) user_id, 0);
++ #endif
++ fail_exit (E_SE_UPDATE);
++ }
++ }
++ }
+ #endif
+
++ close_files ();
++
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+
+diff -up shadow-4.1.4.3/src/userdel.c.semange shadow-4.1.4.3/src/userdel.c
+--- shadow-4.1.4.3/src/userdel.c.semange 2011-02-13 18:58:16.000000000 +0100
++++ shadow-4.1.4.3/src/userdel.c 2011-06-28 16:18:19.659899426 +0200
+@@ -82,6 +82,7 @@ static char *user_home;
+
+ static bool fflg = false;
+ static bool rflg = false;
++static bool Zflg = false;
+
+ static bool is_shadow_pwd;
+
+@@ -120,6 +121,9 @@ static void usage (void)
+ " even if not owned by user\n"
+ " -h, --help display this help message and exit\n"
+ " -r, --remove remove home directory and mail spool\n"
++#ifdef WITH_SELINUX
++ " -Z, --selinux-user remove SELinux user from SELinux user mapping\n"
++#endif
+ "\n"), stderr);
+ exit (E_USAGE);
+ }
+@@ -766,9 +770,17 @@ int main (int argc, char **argv)
+ {"force", no_argument, NULL, 'f'},
+ {"help", no_argument, NULL, 'h'},
+ {"remove", no_argument, NULL, 'r'},
++#ifdef WITH_SELINUX
++ {"selinux-user", required_argument, NULL, 'Z'},
++#endif
+ {NULL, 0, NULL, '\0'}
+ };
+- while ((c = getopt_long (argc, argv, "fhr",
++ while ((c = getopt_long (argc, argv,
++#ifdef WITH_SELINUX
++ "fhrZ",
++#else
++ "fhr",
++#endif
+ long_options, NULL)) != -1) {
+ switch (c) {
+ case 'f': /* force remove even if not owned by user */
+@@ -777,6 +789,19 @@ int main (int argc, char **argv)
+ case 'r': /* remove home dir and mailbox */
+ rflg = true;
+ break;
++#ifdef WITH_SELINUX
++ case 'Z':
++ if (is_selinux_enabled () > 0) {
++ Zflg = true;
++ } else {
++ fprintf (stderr,
++ _("%s: -Z requires SELinux enabled kernel\n"),
++ Prog);
++
++ exit (E_BAD_ARG);
++ }
++ break;
++#endif
+ default:
+ usage ();
+ }
+@@ -975,14 +1000,16 @@ int main (int argc, char **argv)
+ #endif
+
+ #ifdef WITH_SELINUX
+- if (is_selinux_enabled () > 0) {
+- const char *args[5];
+- args[0] = "/usr/sbin/semanage";
+- args[1] = "login";
+- args[2] = "-d";
+- args[3] = user_name;
+- args[4] = NULL;
+- safe_system (args[0], args, NULL, 1);
++ if (Zflg) {
++ if (is_selinux_enabled () > 0) {
++ const char *args[5];
++ args[0] = "/usr/sbin/semanage";
++ args[1] = "login";
++ args[2] = "-d";
++ args[3] = user_name;
++ args[4] = NULL;
++ safe_system (args[0], args, NULL, 1);
++ }
+ }
+ #endif
+
+diff -up shadow-4.1.4.3/src/usermod.c.semange shadow-4.1.4.3/src/usermod.c
+--- shadow-4.1.4.3/src/usermod.c.semange 2011-02-13 18:58:16.000000000 +0100
++++ shadow-4.1.4.3/src/usermod.c 2011-06-28 16:18:19.661899414 +0200
+@@ -82,6 +82,9 @@
+ #define E_GRP_UPDATE 10 /* can't update group file */
+ /* #define E_NOSPACE 11 insufficient space to move home dir */
+ #define E_HOMEDIR 12 /* unable to complete home dir move */
++#define E_SE_UPDATE 13 /* can't update SELinux user mapping */
++
++
+ #define VALID(s) (strcspn (s, ":\n") == strlen (s))
+ /*
+ * Global variables
+@@ -151,9 +154,6 @@ static void date_to_str (char *buf, size
+ static int get_groups (char *);
+ static void usage (void);
+ static void new_pwent (struct passwd *);
+-#ifdef WITH_SELINUX
+-static void selinux_update_mapping (void);
+-#endif
+
+ static void new_spent (struct spwd *);
+ static void fail_exit (int);
+@@ -1785,8 +1785,32 @@ int main (int argc, char **argv)
+ nscd_flush_cache ("group");
+
+ #ifdef WITH_SELINUX
+- if (Zflg) {
+- selinux_update_mapping ();
++ if (Zflg && *user_selinux) {
++ if (is_selinux_enabled () > 0) {
++ const char *argv[7];
++
++ argv[0] = "/usr/sbin/semanage";
++ argv[1] = "login";
++ argv[2] = "-m";
++ argv[3] = "-s";
++ argv[4] = user_selinux;
++ argv[5] = user_name;
++ argv[6] = NULL;
++ if (safe_system (argv[0], argv, NULL, 1)) {
++ argv[2] = "-a";
++ if (safe_system (argv[0], argv, NULL, 0)) {
++ fprintf (stderr,
++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
++ Prog, user_name, user_selinux);
++ #ifdef WITH_AUDIT
++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++ "modifying User mapping ",
++ user_name, (unsigned int) user_id, 0);
++ #endif
++ fail_exit (E_SE_UPDATE);
++ }
++ }
++ }
+ }
+ #endif
+
+@@ -1816,34 +1840,3 @@ int main (int argc, char **argv)
+ return E_SUCCESS;
+ }
+
+-#ifdef WITH_SELINUX
+-static void selinux_update_mapping (void) {
+- const char *argv[7];
+-
+- if (is_selinux_enabled () <= 0) return;
+-
+- if (*user_selinux) {
+- argv[0] = "/usr/sbin/semanage";
+- argv[1] = "login";
+- argv[2] = "-m";
+- argv[3] = "-s";
+- argv[4] = user_selinux;
+- argv[5] = user_name;
+- argv[6] = NULL;
+- if (safe_system (argv[0], argv, NULL, 1)) {
+- argv[2] = "-a";
+- if (safe_system (argv[0], argv, NULL, 0)) {
+- fprintf (stderr,
+- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+- Prog, user_name, user_selinux);
+-#ifdef WITH_AUDIT
+- audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+- "modifying User mapping ",
+- user_name, (unsigned int) user_id, 0);
+-#endif
+- }
+- }
+- }
+-}
+-#endif
+-
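Review bot: In the userdel.c hunk the new long option is declared `{"selinux-user", required_argument, NULL, 'Z'}` while the short string is `"fhrZ"` and `case 'Z'` never reads optarg, so `--selinux-user` demands an argument that `-Z` does not take and that the new userdel.8 entry does not describe; it should be `{"selinux-user", no_argument, NULL, 'Z'}`. The same hunk discards the result of `safe_system (args[0], args, NULL, 1)`, so a failed `semanage login -d` silently leaves a login mapping behind for a name that no longer exists (and would apply to a later account created under that name); the useradd.c and usermod.c branches of this patch print a warning and an audit record on failure, and userdel should report the failure the same way. In the usermod.c hunk `fail_exit (E_SE_UPDATE)` appears to run after the account changes have been committed (the `nscd_flush_cache ("group")` context line precedes it), whereas in useradd.c the block was moved ahead of `close_files ()`, presumably so the still-open files can be abandoned; the new exit value therefore means "mapping failed, changes kept" in one tool and "mapping failed, changes dropped" in the other, and the usermod.8 exit-value text should say so. Minor: the useradd.8 addition writes `can\'t` where the neighbouring entries use `can\*(Aqt`. All three `main` functions begin and end outside their hunks.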
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 704eddc..58c0069 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils
Version: 4.1.4.3
-Release: 4%{?dist}
+Release: 5%{?dist}
Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/
Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
@@ -12,7 +12,7 @@ Patch1: shadow-4.1.4.3-goodname.patch
Patch2: shadow-4.1.4.2-leak.patch
Patch3: shadow-4.1.4.2-fixes.patch
Patch4: shadow-4.1.4.2-infoParentDir.patch
-Patch5: shadow-4.1.4.2-semange.patch
+Patch5: shadow-4.1.4.3-semange.patch
Patch6: shadow-4.1.4.2-acl.patch
Patch7: shadow-4.1.4.2-underflow.patch
Patch8: shadow-4.1.4.3-uflg.patch
@@ -200,6 +200,11 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/vigr.8*
%changelog
+* Tue Jun 28 2011 Peter Vrabec <pvrabec at redhat.com> - 2:4.1.4.3-5
+- userdel option to remove Linux login <-> SELinux login mapping (#639900)
+- useradd special exit value if SELinux user mapping is invalid (#639975)
+- usermod special exit value if SELinux user mapping is invalid (#639976)
+
* Mon Jun 27 2011 Peter Vrabec <pvrabec at redhat.com> - 2:4.1.4.3-4
- refer to PAM in /etc/login.defs (#629277)