[shadow-utils/f15] userdel option to remove Linux login <-> SELinux login mapping (#639900) useradd special exit value
Peter Vrabec
pvrabec at fedoraproject.org
Wed Jun 29 14:44:05 UTC 2011
commit b0df019716a364553fa103c137ed90add9cf6fd0
Author: Peter Vrabec <pvrabec at redhat.com>
Date: Wed Jun 29 16:43:23 2011 +0200
userdel option to remove Linux login <-> SELinux login mapping (#639900)
useradd special exit value if SELinux user mapping is invalid (#639975)
usermod special exit value if SELinux user mapping is invalid (#639976)
Resolves: #701355
shadow-4.1.4.2-semange.patch | 295 ++++++++++++++++++++++++++++++++++++++++-
shadow-utils.spec | 8 +-
2 files changed, 294 insertions(+), 9 deletions(-)
---
diff --git a/shadow-4.1.4.2-semange.patch b/shadow-4.1.4.2-semange.patch
index d4427e6..fcd30d1 100644
--- a/shadow-4.1.4.2-semange.patch
+++ b/shadow-4.1.4.2-semange.patch
@@ -1,11 +1,190 @@
-diff -up shadow-4.1.4.2/src/userdel.c.semanage shadow-4.1.4.2/src/userdel.c
---- shadow-4.1.4.2/src/userdel.c.semanage 2010-04-28 14:47:25.581366330 +0200
-+++ shadow-4.1.4.2/src/userdel.c 2010-04-28 14:48:08.736376028 +0200
-@@ -974,18 +974,6 @@ int main (int argc, char **argv)
+diff -up shadow-4.1.4.2/man/useradd.8.semange shadow-4.1.4.2/man/useradd.8
+--- shadow-4.1.4.2/man/useradd.8.semange 2011-06-28 15:08:46.583254750 +0200
++++ shadow-4.1.4.2/man/useradd.8 2011-06-28 15:08:46.600282568 +0200
+@@ -631,6 +631,11 @@ can\'t create home directory
+ .RS 4
+ can\'t create mail spool
+ .RE
++.PP
++\fI14\fR
++.RS 4
++can\'t update SELinux user mapping
++.RE
+ .SH "SEE ALSO"
+ .PP
+
+diff -up shadow-4.1.4.2/man/userdel.8.semange shadow-4.1.4.2/man/userdel.8
+--- shadow-4.1.4.2/man/userdel.8.semange 2009-07-24 03:16:45.000000000 +0200
++++ shadow-4.1.4.2/man/userdel.8 2011-06-28 15:08:46.601278956 +0200
+@@ -67,6 +67,11 @@ variable in the
+ login\&.defs
+ file\&.
+ .RE
++.PP
++\fB\-Z\fR, \fB\-\-selinux-user\fR
++.RS 4
++Remove SELinux user assigned to the user´s login from SELinux login mapping. Use with caution, all the occurrences of the SELinux user will be removed.
++.RE
+ .SH "CONFIGURATION"
+ .PP
+ The following configuration variables in
+diff -up shadow-4.1.4.2/src/useradd.c.semange shadow-4.1.4.2/src/useradd.c
+--- shadow-4.1.4.2/src/useradd.c.semange 2011-06-28 15:08:46.577257401 +0200
++++ shadow-4.1.4.2/src/useradd.c 2011-06-28 15:54:22.430084199 +0200
+@@ -164,6 +164,7 @@ static bool home_added = false;
+ #define E_GRP_UPDATE 10 /* can't update group file */
+ #define E_HOMEDIR 12 /* can't create home directory */
+ #define E_MAIL_SPOOL 13 /* can't create mail spool */
++#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
+
+ #define DGROUP "GROUP="
+ #define HOME "HOME="
+@@ -181,9 +182,6 @@ static int set_defaults (void);
+ static int get_groups (char *);
+ static void usage (void);
+ static void new_pwent (struct passwd *);
+-#ifdef WITH_SELINUX
+-static void selinux_update_mapping (void);
+-#endif
+
+ static long scale_age (long);
+ static void new_spent (struct spwd *);
+@@ -1710,32 +1708,6 @@ static void usr_update (void)
}
- #endif
+ }
-#ifdef WITH_SELINUX
+-static void selinux_update_mapping (void) {
+- if (is_selinux_enabled () <= 0) return;
+-
+- if (*user_selinux) { /* must be done after passwd write() */
+- const char *argv[7];
+- argv[0] = "/usr/sbin/semanage";
+- argv[1] = "login";
+- argv[2] = "-a";
+- argv[3] = "-s";
+- argv[4] = user_selinux;
+- argv[5] = user_name;
+- argv[6] = NULL;
+- if (safe_system (argv[0], argv, NULL, 0)) {
+- fprintf (stderr,
+- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+- Prog, user_name, user_selinux);
+-#ifdef WITH_AUDIT
+- audit_logger (AUDIT_ADD_USER, Prog,
+- "adding SELinux user mapping",
+- user_name, (unsigned int) user_id, 0);
+-#endif
+- }
+- }
+-}
+-#endif
+ /*
+ * create_home - create the user's home directory
+ *
+@@ -2022,12 +1994,35 @@ int main (int argc, char **argv)
+ create_mail ();
+ }
+
+- close_files ();
+-
+ #ifdef WITH_SELINUX
+- selinux_update_mapping ();
++ if (Zflg && *user_selinux) {
++ if (is_selinux_enabled () > 0) {
++ const char *argv[7];
++
++ argv[0] = "/usr/sbin/semanage";
++ argv[1] = "login";
++ argv[2] = "-a";
++ argv[3] = "-s";
++ argv[4] = user_selinux;
++ argv[5] = user_name;
++ argv[6] = NULL;
++ if (safe_system (argv[0], argv, NULL, 0)) {
++ fprintf (stderr,
++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
++ Prog, user_name, user_selinux);
++ #ifdef WITH_AUDIT
++ audit_logger (AUDIT_ADD_USER, Prog,
++ "adding SELinux user mapping",
++ user_name, (unsigned int) user_id, 0);
++ #endif
++ fail_exit (E_SE_UPDATE);
++ }
++ }
++ }
+ #endif
+
++ close_files ();
++
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+
+diff -up shadow-4.1.4.2/src/userdel.c.semange shadow-4.1.4.2/src/userdel.c
+--- shadow-4.1.4.2/src/userdel.c.semange 2009-05-22 12:41:12.000000000 +0200
++++ shadow-4.1.4.2/src/userdel.c 2011-06-28 15:08:46.604254774 +0200
+@@ -82,6 +82,7 @@ static char *user_home;
+
+ static bool fflg = false;
+ static bool rflg = false;
++static bool Zflg = false;
+
+ static bool is_shadow_pwd;
+
+@@ -120,6 +121,9 @@ static void usage (void)
+ " even if not owned by user\n"
+ " -h, --help display this help message and exit\n"
+ " -r, --remove remove home directory and mail spool\n"
++#ifdef WITH_SELINUX
++ " -Z, --selinux-user remove SELinux user from SELinux user mapping\n"
++#endif
+ "\n"), stderr);
+ exit (E_USAGE);
+ }
+@@ -766,9 +770,17 @@ int main (int argc, char **argv)
+ {"force", no_argument, NULL, 'f'},
+ {"help", no_argument, NULL, 'h'},
+ {"remove", no_argument, NULL, 'r'},
++#ifdef WITH_SELINUX
++ {"selinux-user", required_argument, NULL, 'Z'},
++#endif
+ {NULL, 0, NULL, '\0'}
+ };
+- while ((c = getopt_long (argc, argv, "fhr",
++ while ((c = getopt_long (argc, argv,
++#ifdef WITH_SELINUX
++ "fhrZ",
++#else
++ "fhr",
++#endif
+ long_options, NULL)) != -1) {
+ switch (c) {
+ case 'f': /* force remove even if not owned by user */
+@@ -777,6 +789,19 @@ int main (int argc, char **argv)
+ case 'r': /* remove home dir and mailbox */
+ rflg = true;
+ break;
++#ifdef WITH_SELINUX
++ case 'Z':
++ if (is_selinux_enabled () > 0) {
++ Zflg = true;
++ } else {
++ fprintf (stderr,
++ _("%s: -Z requires SELinux enabled kernel\n"),
++ Prog);
++
++ exit (E_BAD_ARG);
++ }
++ break;
++#endif
+ default:
+ usage ();
+ }
+@@ -975,14 +1000,16 @@ int main (int argc, char **argv)
+ #endif
+
+ #ifdef WITH_SELINUX
- if (is_selinux_enabled () > 0) {
- const char *args[5];
- args[0] = "/usr/sbin/semanage";
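Review bot: The userdel option table entry `{"selinux-user", required_argument, NULL, 'Z'},` does not agree with the short-option string `"fhrZ"` or with the `case 'Z':` handler, both of which take no argument and never read optarg; as written `userdel --selinux-user alice` would consume "alice" as the option's argument and `--selinux-user` alone would be rejected by getopt_long, while `-Z` works. The entry should read `{"selinux-user", no_argument, NULL, 'Z'},`. The new userdel.8 text says all occurrences of the SELinux user will be removed, but the call this flag enables (in the next hunk) runs `semanage login -d user_name`, which appears to drop only the login record for that user name, so the man page sentence should describe what is actually removed. The `main ()` bodies of useradd.c and userdel.c that these inner hunks patch begin and end outside the hunk.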
@@ -14,9 +193,109 @@ diff -up shadow-4.1.4.2/src/userdel.c.semanage shadow-4.1.4.2/src/userdel.c
- args[3] = user_name;
- args[4] = NULL;
- safe_system (args[0], args, NULL, 1);
++ if (Zflg) {
++ if (is_selinux_enabled () > 0) {
++ const char *args[5];
++ args[0] = "/usr/sbin/semanage";
++ args[1] = "login";
++ args[2] = "-d";
++ args[3] = user_name;
++ args[4] = NULL;
++ safe_system (args[0], args, NULL, 1);
++ }
+ }
+ #endif
+
+diff -up shadow-4.1.4.2/src/usermod.c.semange shadow-4.1.4.2/src/usermod.c
+--- shadow-4.1.4.2/src/usermod.c.semange 2011-06-28 15:49:22.897129091 +0200
++++ shadow-4.1.4.2/src/usermod.c 2011-06-28 15:57:56.509845476 +0200
+@@ -82,6 +82,9 @@
+ #define E_GRP_UPDATE 10 /* can't update group file */
+ /* #define E_NOSPACE 11 insufficient space to move home dir */
+ #define E_HOMEDIR 12 /* unable to complete home dir move */
++#define E_SE_UPDATE 13 /* can't update SELinux user mapping */
++
++
+ #define VALID(s) (strcspn (s, ":\n") == strlen (s))
+ /*
+ * Global variables
+@@ -151,9 +154,6 @@ static void date_to_str (char *buf, size
+ static int get_groups (char *);
+ static void usage (void);
+ static void new_pwent (struct passwd *);
+-#ifdef WITH_SELINUX
+-static void selinux_update_mapping (void);
+-#endif
+
+ static void new_spent (struct spwd *);
+ static void fail_exit (int);
+@@ -1785,8 +1785,32 @@ int main (int argc, char **argv)
+ nscd_flush_cache ("group");
+
+ #ifdef WITH_SELINUX
+- if (Zflg) {
+- selinux_update_mapping ();
++ if (Zflg && *user_selinux) {
++ if (is_selinux_enabled () > 0) {
++ const char *argv[7];
++
++ argv[0] = "/usr/sbin/semanage";
++ argv[1] = "login";
++ argv[2] = "-m";
++ argv[3] = "-s";
++ argv[4] = user_selinux;
++ argv[5] = user_name;
++ argv[6] = NULL;
++ if (safe_system (argv[0], argv, NULL, 1)) {
++ argv[2] = "-a";
++ if (safe_system (argv[0], argv, NULL, 0)) {
++ fprintf (stderr,
++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
++ Prog, user_name, user_selinux);
++ #ifdef WITH_AUDIT
++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++ "modifying User mapping ",
++ user_name, (unsigned int) user_id, 0);
++ #endif
++ fail_exit (E_SE_UPDATE);
++ }
++ }
++ }
+ }
+ #endif
+
+@@ -1816,34 +1840,3 @@ int main (int argc, char **argv)
+ return E_SUCCESS;
+ }
+
+-#ifdef WITH_SELINUX
+-static void selinux_update_mapping (void) {
+- const char *argv[7];
+-
+- if (is_selinux_enabled () <= 0) return;
+-
+- if (*user_selinux) {
+- argv[0] = "/usr/sbin/semanage";
+- argv[1] = "login";
+- argv[2] = "-m";
+- argv[3] = "-s";
+- argv[4] = user_selinux;
+- argv[5] = user_name;
+- argv[6] = NULL;
+- if (safe_system (argv[0], argv, NULL, 1)) {
+- argv[2] = "-a";
+- if (safe_system (argv[0], argv, NULL, 0)) {
+- fprintf (stderr,
+- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+- Prog, user_name, user_selinux);
+-#ifdef WITH_AUDIT
+- audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+- "modifying User mapping ",
+- user_name, (unsigned int) user_id, 0);
+-#endif
+- }
+- }
- }
+-}
-#endif
-
- /*
- * Cancel any crontabs or at jobs. Have to do this before we remove
- * the entry from /etc/passwd.
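Review bot: The userdel removal `safe_system (args[0], args, NULL, 1);` discards semanage's exit status, so a failed `-Z` deletion leaves the login mapping in place while userdel still exits successfully, whereas useradd and usermod in the same patch diagnose the same failure and exit with E_SE_UPDATE. At minimum warn on a non-zero return: `if (safe_system (args[0], args, NULL, 1) != 0) {` / `fprintf (stderr, _("%s: warning: removing the SELinux login mapping for %s failed\n"), Prog, user_name);` / `}`. In usermod the rewritten block runs after `nscd_flush_cache ("group")`, so if close_files () has already committed the passwd and group changes at that point (not visible in the hunk), `fail_exit (E_SE_UPDATE)` reports a failure for an account modification that has already been applied; useradd avoids this by moving its block ahead of `close_files ()`, and usermod should either do the same or document that exit 13 does not undo the account change. The enclosing `main ()` of userdel.c and usermod.c begins and ends outside the hunk.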
diff --git a/shadow-utils.spec b/shadow-utils.spec
index a797592..0761e82 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils
Version: 4.1.4.2
-Release: 11%{?dist}
+Release: 12%{?dist}
Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/
Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
@@ -196,6 +196,12 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/vigr.8*
%changelog
+* Wed Jun 29 2011 Peter Vrabec <pvrabec at redhat.com> - 2:4.1.4.2-12
+- userdel option to remove Linux login <-> SELinux login mapping (#639900)
+- useradd special exit value if SELinux user mapping is invalid (#639975)
+- usermod special exit value if SELinux user mapping is invalid (#639976)
+ Resolves: #701355
+
* Wed Feb 09 2011 Peter Vrabec <pvrabec at redhat.com> - 2:4.1.4.2-11
- useradd man page (-m option)
- create home directory on fs with noacl