[shadow-utils] report error to stdout when SELinux context for home directory

Tomáš Mráz tmraz at fedoraproject.org
Fri Jun 14 13:27:33 UTC 2013


commit 32f6a7815739e283e02319ff3ce2e8c0d16e7697
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date:   Fri Jun 14 15:27:20 2013 +0200

    report error to stdout when SELinux context for home directory
    
      cannot be determined (#973647)
    - audit the changing home directory owner (#885797)
    - do not set the default SELinux MLS range (#852676)

 shadow-4.1.5.1-audit-owner.patch   |   32 ++++++++++++++++++++++++++++++++
 shadow-4.1.5.1-default-range.patch |   35 +++++++++++++++++++++++++++++++++++
 shadow-4.1.5.1-errmsg.patch        |   23 +++++++++++++++++++++++
 shadow-utils.spec                  |   15 ++++++++++++++-
 4 files changed, 104 insertions(+), 1 deletions(-)
---
diff --git a/shadow-4.1.5.1-audit-owner.patch b/shadow-4.1.5.1-audit-owner.patch
new file mode 100644
index 0000000..6fbbdbf
--- /dev/null
+++ b/shadow-4.1.5.1-audit-owner.patch
@@ -0,0 +1,32 @@
+diff -up shadow-4.1.5.1/src/usermod.c.audit shadow-4.1.5.1/src/usermod.c
+--- shadow-4.1.5.1/src/usermod.c.audit	2011-11-21 23:02:16.000000000 +0100
++++ shadow-4.1.5.1/src/usermod.c	2013-06-14 14:54:20.237026550 +0200
+@@ -1513,6 +1513,14 @@ static void move_home (void)
+ 			fail_exit (E_HOMEDIR);
+ 		}
+ 
++#ifdef WITH_AUDIT
++		if (uflg || gflg) {
++			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++				      "changing home directory owner",
++				      user_newname, (unsigned int) user_newid, 1);
++		}
++#endif
++
+ 		if (rename (user_home, user_newhome) == 0) {
+ 			/* FIXME: rename above may have broken symlinks
+ 			 *        pointing to the user's home directory
+@@ -1947,6 +1955,13 @@ int main (int argc, char **argv)
+ 			 * ownership.
+ 			 *
+ 			 */
++#ifdef WITH_AUDIT
++			if (uflg || gflg) {
++				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++					      "changing home directory owner",
++					      user_newname, (unsigned int) user_newid, 1);
++			}
++#endif
+ 			if (chown_tree (dflg ? user_newhome : user_home,
+ 			                user_id,
+ 			                uflg ? user_newid  : (uid_t)-1,
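Review bot: Both added audit_logger calls record the owner change as a success (the trailing result argument `1`) before the operation is attempted — in move_home ahead of the rename()/copy path, and in main ahead of chown_tree() — so a chown or rename that fails still leaves a "success" record in the audit log, which is the opposite of what an auditor relies on. Emitting the record after the call and passing the real outcome, e.g. `audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "changing home directory owner", user_newname, (unsigned int) user_newid, rc == 0 ? 1 : 0);` where `rc` holds the chown_tree() (or rename()) return value, makes the record truthful; if this tree has shadow's SHADOW_AUDIT_SUCCESS/SHADOW_AUDIT_FAILURE enum, those names read better than the bare 1/0. AUDIT_USER_CHAUTHTOK is the credential-change event type; it appears to be what the surrounding usermod code already uses for its records, so the choice is consistent, but anyone building detections on that type should know it now also covers home-directory ownership changes. Both enclosing functions, move_home and main, continue outside the hunk.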
diff --git a/shadow-4.1.5.1-default-range.patch b/shadow-4.1.5.1-default-range.patch
new file mode 100644
index 0000000..45c677a
--- /dev/null
+++ b/shadow-4.1.5.1-default-range.patch
@@ -0,0 +1,35 @@
+diff -up shadow-4.1.5.1/lib/semanage.c.default-range shadow-4.1.5.1/lib/semanage.c
+--- shadow-4.1.5.1/lib/semanage.c.default-range	2012-01-08 17:35:44.000000000 +0100
++++ shadow-4.1.5.1/lib/semanage.c	2013-06-14 15:14:51.970237594 +0200
+@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
+ 		goto done;
+ 	}
+ 
++#if 0
+ 	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+ 	if (ret != 0) {
+ 		fprintf (stderr,
+@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
+ 		ret = 1;
+ 		goto done;
+ 	}
++#endif
+ 
+ 	ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
+ 	if (ret != 0) {
+@@ -200,6 +202,7 @@ static int semanage_user_add (semanage_h
+ 		goto done;
+ 	}
+ 
++#if 0
+ 	ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+ 	if (ret != 0) {
+ 		fprintf (stderr,
+@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
+ 		ret = 1;
+ 		goto done;
+ 	}
++#endif
+ 
+ 	ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
+ 	if (ret != 0) {
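Review bot: Disabling the two semanage_seuser_set_mlsrange() calls with bare `#if 0` leaves dead code and no explanation of why the range is no longer set, and the effect on a freshly added seuser record in semanage_user_add — what range libsemanage assigns when none is set — cannot be seen from this hunk and should be confirmed against the policy defaults on an MLS-enabled system. Deleting the blocks outright and leaving a comment in their place, e.g. `/* The MLS range is intentionally not set here; the policy default applies (#852676). */`, documents the decision and avoids a DEFAULT_SERANGE definition that is now apparently unused. The same applies to the second block in semanage_user_add in this file. Both enclosing functions, semanage_user_mod and semanage_user_add, continue outside the hunk.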
diff --git a/shadow-4.1.5.1-errmsg.patch b/shadow-4.1.5.1-errmsg.patch
new file mode 100644
index 0000000..6f3a1d2
--- /dev/null
+++ b/shadow-4.1.5.1-errmsg.patch
@@ -0,0 +1,23 @@
+diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c
+--- shadow-4.1.5.1/src/useradd.c.logmsg	2013-02-20 15:41:44.000000000 +0100
++++ shadow-4.1.5.1/src/useradd.c	2013-06-14 14:22:59.529661095 +0200
+@@ -1760,6 +1760,9 @@ static void create_home (void)
+ 	if (access (user_home, F_OK) != 0) {
+ #ifdef WITH_SELINUX
+ 		if (set_selinux_file_context (user_home, NULL) != 0) {
++			fprintf (stderr,
++			         _("%s: cannot set SELinux context for home directory %s\n"),
++			         Prog, user_home);
+ 			fail_exit (E_HOMEDIR);
+ 		}
+ #endif
+@@ -1789,6 +1792,9 @@ static void create_home (void)
+ #ifdef WITH_SELINUX
+ 		/* Reset SELinux to create files with default contexts */
+ 		if (reset_selinux_file_context () != 0) {
++			fprintf (stderr,
++			         _("%s: cannot reset SELinux file creation context\n"),
++			         Prog);
+ 			fail_exit (E_HOMEDIR);
+ 		}
+ #endif
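Review bot: Both added messages go to stderr, which is the right stream for a fatal diagnostic, but the commit title and the spec changelog entry describe this as reporting to stdout; the wording should say stderr so that operators grepping logs or scripts know where to look. The second message omits the directory name that the first includes; `_("%s: cannot reset SELinux file creation context for %s\n")` with `Prog, user_home` would make the two reports symmetrical and easier to correlate. Neither message carries a reason for the failure, so if set_selinux_file_context() or reset_selinux_file_context() leaves a usable errno in this tree, appending `strerror (errno)` would help diagnose labeling problems; confirm that before relying on it. create_home's body continues outside the hunk.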
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 2b214d3..a7b86c6 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.5.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
@@ -18,6 +18,10 @@ Patch8: shadow-4.1.5.1-backup-mode.patch
 Patch9: shadow-4.1.5.1-merge-group.patch
 Patch10: shadow-4.1.5.1-orig-context.patch
 Patch11: shadow-4.1.5.1-logmsg.patch
+Patch12: shadow-4.1.5.1-errmsg.patch
+Patch13: shadow-4.1.5.1-audit-owner.patch
+Patch14: shadow-4.1.5.1-default-range.patch
+
 License: BSD and GPLv2+
 Group: System Environment/Base
 BuildRequires: libselinux-devel >= 1.25.2-1
@@ -56,6 +60,9 @@ are used for managing group accounts.
 %patch9 -p1 -b .merge-group
 %patch10 -p1 -b .orig-context
 %patch11 -p1 -b .logmsg
+%patch12 -p1 -b .errmsg
+%patch13 -p1 -b .audit-owner
+%patch14 -p1 -b .default-range
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -209,6 +216,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Fri Jun 14 2013 Tomas Mraz <tmraz at redhat.com> - 2:4.1.5.1-6
+- report error to stdout when SELinux context for home directory
+  cannot be determined (#973647)
+- audit the changing home directory owner (#885797)
+- do not set the default SELinux MLS range (#852676)
+
 * Tue Mar 19 2013 Tomas Mraz <tmraz at redhat.com> - 2:4.1.5.1-5
 - improve the failure syslog message in useradd (#830617)
 

