rpms
/
shadow-utils
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

- fixing Linux login <-> SELinux login mapping 

(#639900), (#639975), (#639976)
This commit is contained in:
Peter Vrabec 2011-06-28 16:32:18 +02:00
parent f7bb2ec63f
commit 46dd21926b
3 changed files with 308 additions and 24 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
shadow-4.1.4.2-semange.patch
View File

@ -1,22 +0,0 @@
diff -up shadow-4.1.4.2/src/userdel.c.semanage shadow-4.1.4.2/src/userdel.c
--- shadow-4.1.4.2/src/userdel.c.semanage 2010-04-28 14:47:25.581366330 +0200
+++ shadow-4.1.4.2/src/userdel.c 2010-04-28 14:48:08.736376028 +0200
@@ -974,18 +974,6 @@ int main (int argc, char **argv)
}
#endif
-#ifdef WITH_SELINUX
- if (is_selinux_enabled () > 0) {
- const char *args[5];
- args[0] = "/usr/sbin/semanage";
- args[1] = "login";
- args[2] = "-d";
- args[3] = user_name;
- args[4] = NULL;
- safe_system (args[0], args, NULL, 1);
- }
-#endif
-
/*
* Cancel any crontabs or at jobs. Have to do this before we remove
* the entry from /etc/passwd.

301
shadow-4.1.4.3-semange.patch Normal file
View File

@ -0,0 +1,301 @@
diff -up shadow-4.1.4.3/man/useradd.8.semange shadow-4.1.4.3/man/useradd.8
--- shadow-4.1.4.3/man/useradd.8.semange 2011-06-28 16:17:06.385374734 +0200
+++ shadow-4.1.4.3/man/useradd.8 2011-06-28 16:18:19.657899439 +0200
@@ -640,6 +640,11 @@ can\*(Aqt create home directory
.RS 4
can\*(Aqt create mail spool
.RE
+.PP
+\fI14\fR
+.RS 4
+can\'t update SELinux user mapping
+.RE
.SH "SEE ALSO"
.PP
diff -up shadow-4.1.4.3/man/userdel.8.semange shadow-4.1.4.3/man/userdel.8
--- shadow-4.1.4.3/man/userdel.8.semange 2011-02-16 00:14:13.000000000 +0100
+++ shadow-4.1.4.3/man/userdel.8 2011-06-28 16:18:19.657899439 +0200
@@ -76,6 +76,11 @@ variable in the
login\&.defs
file\&.
.RE
+.PP
+\fB\-Z\fR, \fB\-\-selinux-user\fR
+.RS 4
+Remove SELinux user assigned to the user´s login from SELinux login mapping. Use with caution, all the occurrences of the SELinux user will be removed.
+.RE
.SH "CONFIGURATION"
.PP
The following configuration variables in
diff -up shadow-4.1.4.3/src/useradd.c.semange shadow-4.1.4.3/src/useradd.c
--- shadow-4.1.4.3/src/useradd.c.semange 2011-06-28 16:17:06.381374760 +0200
+++ shadow-4.1.4.3/src/useradd.c 2011-06-28 16:18:19.658899432 +0200
@@ -164,6 +164,7 @@ static bool home_added = false;
#define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't create home directory */
#define E_MAIL_SPOOL 13 /* can't create mail spool */
+#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
#define DGROUP "GROUP="
#define HOME "HOME="
@@ -181,9 +182,6 @@ static int set_defaults (void);
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void);
-#endif
static long scale_age (long);
static void new_spent (struct spwd *);
@@ -1710,32 +1708,6 @@ static void usr_update (void)
}
}
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void) {
- if (is_selinux_enabled () <= 0) return;
-
- if (*user_selinux) { /* must be done after passwd write() */
- const char *argv[7];
- argv[0] = "/usr/sbin/semanage";
- argv[1] = "login";
- argv[2] = "-a";
- argv[3] = "-s";
- argv[4] = user_selinux;
- argv[5] = user_name;
- argv[6] = NULL;
- if (safe_system (argv[0], argv, NULL, 0)) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "adding SELinux user mapping",
- user_name, (unsigned int) user_id, 0);
-#endif
- }
- }
-}
-#endif
/*
* create_home - create the user's home directory
*
@@ -2022,12 +1994,35 @@ int main (int argc, char **argv)
create_mail ();
}
- close_files ();
-
#ifdef WITH_SELINUX
- selinux_update_mapping ();
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ const char *argv[7];
+
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-a";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding SELinux user mapping",
+ user_name, (unsigned int) user_id, 0);
+ #endif
+ fail_exit (E_SE_UPDATE);
+ }
+ }
+ }
#endif
+ close_files ();
+
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
diff -up shadow-4.1.4.3/src/userdel.c.semange shadow-4.1.4.3/src/userdel.c
--- shadow-4.1.4.3/src/userdel.c.semange 2011-02-13 18:58:16.000000000 +0100
+++ shadow-4.1.4.3/src/userdel.c 2011-06-28 16:18:19.659899426 +0200
@@ -82,6 +82,7 @@ static char *user_home;
static bool fflg = false;
static bool rflg = false;
+static bool Zflg = false;
static bool is_shadow_pwd;
@@ -120,6 +121,9 @@ static void usage (void)
" even if not owned by user\n"
" -h, --help display this help message and exit\n"
" -r, --remove remove home directory and mail spool\n"
+#ifdef WITH_SELINUX
+ " -Z, --selinux-user remove SELinux user from SELinux user mapping\n"
+#endif
"\n"), stderr);
exit (E_USAGE);
}
@@ -766,9 +770,17 @@ int main (int argc, char **argv)
{"force", no_argument, NULL, 'f'},
{"help", no_argument, NULL, 'h'},
{"remove", no_argument, NULL, 'r'},
+#ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+#endif
{NULL, 0, NULL, '\0'}
};
- while ((c = getopt_long (argc, argv, "fhr",
+ while ((c = getopt_long (argc, argv,
+#ifdef WITH_SELINUX
+ "fhrZ",
+#else
+ "fhr",
+#endif
long_options, NULL)) != -1) {
switch (c) {
case 'f': /* force remove even if not owned by user */
@@ -777,6 +789,19 @@ int main (int argc, char **argv)
case 'r': /* remove home dir and mailbox */
rflg = true;
break;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled () > 0) {
+ Zflg = true;
+ } else {
+ fprintf (stderr,
+ _("%s: -Z requires SELinux enabled kernel\n"),
+ Prog);
+
+ exit (E_BAD_ARG);
+ }
+ break;
+#endif
default:
usage ();
}
@@ -975,14 +1000,16 @@ int main (int argc, char **argv)
#endif
#ifdef WITH_SELINUX
- if (is_selinux_enabled () > 0) {
- const char *args[5];
- args[0] = "/usr/sbin/semanage";
- args[1] = "login";
- args[2] = "-d";
- args[3] = user_name;
- args[4] = NULL;
- safe_system (args[0], args, NULL, 1);
+ if (Zflg) {
+ if (is_selinux_enabled () > 0) {
+ const char *args[5];
+ args[0] = "/usr/sbin/semanage";
+ args[1] = "login";
+ args[2] = "-d";
+ args[3] = user_name;
+ args[4] = NULL;
+ safe_system (args[0], args, NULL, 1);
+ }
}
#endif
diff -up shadow-4.1.4.3/src/usermod.c.semange shadow-4.1.4.3/src/usermod.c
--- shadow-4.1.4.3/src/usermod.c.semange 2011-02-13 18:58:16.000000000 +0100
+++ shadow-4.1.4.3/src/usermod.c 2011-06-28 16:18:19.661899414 +0200
@@ -82,6 +82,9 @@
#define E_GRP_UPDATE 10 /* can't update group file */
/* #define E_NOSPACE 11 insufficient space to move home dir */
#define E_HOMEDIR 12 /* unable to complete home dir move */
+#define E_SE_UPDATE 13 /* can't update SELinux user mapping */
+
+
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
/*
* Global variables
@@ -151,9 +154,6 @@ static void date_to_str (char *buf, size
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void);
-#endif
static void new_spent (struct spwd *);
static void fail_exit (int);
@@ -1785,8 +1785,32 @@ int main (int argc, char **argv)
nscd_flush_cache ("group");
#ifdef WITH_SELINUX
- if (Zflg) {
- selinux_update_mapping ();
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ const char *argv[7];
+
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-m";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 1)) {
+ argv[2] = "-a";
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying User mapping ",
+ user_name, (unsigned int) user_id, 0);
+ #endif
+ fail_exit (E_SE_UPDATE);
+ }
+ }
+ }
}
#endif
@@ -1816,34 +1840,3 @@ int main (int argc, char **argv)
return E_SUCCESS;
}
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void) {
- const char *argv[7];
-
- if (is_selinux_enabled () <= 0) return;
-
- if (*user_selinux) {
- argv[0] = "/usr/sbin/semanage";
- argv[1] = "login";
- argv[2] = "-m";
- argv[3] = "-s";
- argv[4] = user_selinux;
- argv[5] = user_name;
- argv[6] = NULL;
- if (safe_system (argv[0], argv, NULL, 1)) {
- argv[2] = "-a";
- if (safe_system (argv[0], argv, NULL, 0)) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
- "modifying User mapping ",
- user_name, (unsigned int) user_id, 0);
-#endif
- }
- }
- }
-}
-#endif
-

9
shadow-utils.spec
View File

@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils
Version: 4.1.4.3
Release: 4%{?dist}
Release: 5%{?dist}
Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/
Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
@ -12,7 +12,7 @@ Patch1: shadow-4.1.4.3-goodname.patch
Patch2: shadow-4.1.4.2-leak.patch
Patch3: shadow-4.1.4.2-fixes.patch
Patch4: shadow-4.1.4.2-infoParentDir.patch
Patch5: shadow-4.1.4.2-semange.patch
Patch5: shadow-4.1.4.3-semange.patch
Patch6: shadow-4.1.4.2-acl.patch
Patch7: shadow-4.1.4.2-underflow.patch
Patch8: shadow-4.1.4.3-uflg.patch
@ -200,6 +200,11 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/vigr.8*
%changelog
* Tue Jun 28 2011 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.3-5
- userdel option to remove Linux login <-> SELinux login mapping (#639900)
- useradd special exit value if SELinux user mapping is invalid (#639975)
- usermod special exit value if SELinux user mapping is invalid (#639976)
* Mon Jun 27 2011 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.3-4
- refer to PAM in /etc/login.defs (#629277)