shadow-utils/shadow-4.1.4.3-semange.patch
2011-06-28 16:32:18 +02:00

302 lines
8.8 KiB
Diff
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

diff -up shadow-4.1.4.3/man/useradd.8.semange shadow-4.1.4.3/man/useradd.8
--- shadow-4.1.4.3/man/useradd.8.semange 2011-06-28 16:17:06.385374734 +0200
+++ shadow-4.1.4.3/man/useradd.8 2011-06-28 16:18:19.657899439 +0200
@@ -640,6 +640,11 @@ can\*(Aqt create home directory
.RS 4
can\*(Aqt create mail spool
.RE
+.PP
+\fI14\fR
+.RS 4
+can\'t update SELinux user mapping
+.RE
.SH "SEE ALSO"
.PP
diff -up shadow-4.1.4.3/man/userdel.8.semange shadow-4.1.4.3/man/userdel.8
--- shadow-4.1.4.3/man/userdel.8.semange 2011-02-16 00:14:13.000000000 +0100
+++ shadow-4.1.4.3/man/userdel.8 2011-06-28 16:18:19.657899439 +0200
@@ -76,6 +76,11 @@ variable in the
login\&.defs
file\&.
.RE
+.PP
+\fB\-Z\fR, \fB\-\-selinux-user\fR
+.RS 4
+Remove SELinux user assigned to the user´s login from SELinux login mapping. Use with caution, all the occurrences of the SELinux user will be removed.
+.RE
.SH "CONFIGURATION"
.PP
The following configuration variables in
diff -up shadow-4.1.4.3/src/useradd.c.semange shadow-4.1.4.3/src/useradd.c
--- shadow-4.1.4.3/src/useradd.c.semange 2011-06-28 16:17:06.381374760 +0200
+++ shadow-4.1.4.3/src/useradd.c 2011-06-28 16:18:19.658899432 +0200
@@ -164,6 +164,7 @@ static bool home_added = false;
#define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't create home directory */
#define E_MAIL_SPOOL 13 /* can't create mail spool */
+#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
#define DGROUP "GROUP="
#define HOME "HOME="
@@ -181,9 +182,6 @@ static int set_defaults (void);
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void);
-#endif
static long scale_age (long);
static void new_spent (struct spwd *);
@@ -1710,32 +1708,6 @@ static void usr_update (void)
}
}
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void) {
- if (is_selinux_enabled () <= 0) return;
-
- if (*user_selinux) { /* must be done after passwd write() */
- const char *argv[7];
- argv[0] = "/usr/sbin/semanage";
- argv[1] = "login";
- argv[2] = "-a";
- argv[3] = "-s";
- argv[4] = user_selinux;
- argv[5] = user_name;
- argv[6] = NULL;
- if (safe_system (argv[0], argv, NULL, 0)) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "adding SELinux user mapping",
- user_name, (unsigned int) user_id, 0);
-#endif
- }
- }
-}
-#endif
/*
* create_home - create the user's home directory
*
@@ -2022,12 +1994,35 @@ int main (int argc, char **argv)
create_mail ();
}
- close_files ();
-
#ifdef WITH_SELINUX
- selinux_update_mapping ();
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ const char *argv[7];
+
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-a";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding SELinux user mapping",
+ user_name, (unsigned int) user_id, 0);
+ #endif
+ fail_exit (E_SE_UPDATE);
+ }
+ }
+ }
#endif
+ close_files ();
+
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
diff -up shadow-4.1.4.3/src/userdel.c.semange shadow-4.1.4.3/src/userdel.c
--- shadow-4.1.4.3/src/userdel.c.semange 2011-02-13 18:58:16.000000000 +0100
+++ shadow-4.1.4.3/src/userdel.c 2011-06-28 16:18:19.659899426 +0200
@@ -82,6 +82,7 @@ static char *user_home;
static bool fflg = false;
static bool rflg = false;
+static bool Zflg = false;
static bool is_shadow_pwd;
@@ -120,6 +121,9 @@ static void usage (void)
" even if not owned by user\n"
" -h, --help display this help message and exit\n"
" -r, --remove remove home directory and mail spool\n"
+#ifdef WITH_SELINUX
+ " -Z, --selinux-user remove SELinux user from SELinux user mapping\n"
+#endif
"\n"), stderr);
exit (E_USAGE);
}
@@ -766,9 +770,17 @@ int main (int argc, char **argv)
{"force", no_argument, NULL, 'f'},
{"help", no_argument, NULL, 'h'},
{"remove", no_argument, NULL, 'r'},
+#ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+#endif
{NULL, 0, NULL, '\0'}
};
- while ((c = getopt_long (argc, argv, "fhr",
+ while ((c = getopt_long (argc, argv,
+#ifdef WITH_SELINUX
+ "fhrZ",
+#else
+ "fhr",
+#endif
long_options, NULL)) != -1) {
switch (c) {
case 'f': /* force remove even if not owned by user */
@@ -777,6 +789,19 @@ int main (int argc, char **argv)
case 'r': /* remove home dir and mailbox */
rflg = true;
break;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled () > 0) {
+ Zflg = true;
+ } else {
+ fprintf (stderr,
+ _("%s: -Z requires SELinux enabled kernel\n"),
+ Prog);
+
+ exit (E_BAD_ARG);
+ }
+ break;
+#endif
default:
usage ();
}
@@ -975,14 +1000,16 @@ int main (int argc, char **argv)
#endif
#ifdef WITH_SELINUX
- if (is_selinux_enabled () > 0) {
- const char *args[5];
- args[0] = "/usr/sbin/semanage";
- args[1] = "login";
- args[2] = "-d";
- args[3] = user_name;
- args[4] = NULL;
- safe_system (args[0], args, NULL, 1);
+ if (Zflg) {
+ if (is_selinux_enabled () > 0) {
+ const char *args[5];
+ args[0] = "/usr/sbin/semanage";
+ args[1] = "login";
+ args[2] = "-d";
+ args[3] = user_name;
+ args[4] = NULL;
+ safe_system (args[0], args, NULL, 1);
+ }
}
#endif
diff -up shadow-4.1.4.3/src/usermod.c.semange shadow-4.1.4.3/src/usermod.c
--- shadow-4.1.4.3/src/usermod.c.semange 2011-02-13 18:58:16.000000000 +0100
+++ shadow-4.1.4.3/src/usermod.c 2011-06-28 16:18:19.661899414 +0200
@@ -82,6 +82,9 @@
#define E_GRP_UPDATE 10 /* can't update group file */
/* #define E_NOSPACE 11 insufficient space to move home dir */
#define E_HOMEDIR 12 /* unable to complete home dir move */
+#define E_SE_UPDATE 13 /* can't update SELinux user mapping */
+
+
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
/*
* Global variables
@@ -151,9 +154,6 @@ static void date_to_str (char *buf, size
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void);
-#endif
static void new_spent (struct spwd *);
static void fail_exit (int);
@@ -1785,8 +1785,32 @@ int main (int argc, char **argv)
nscd_flush_cache ("group");
#ifdef WITH_SELINUX
- if (Zflg) {
- selinux_update_mapping ();
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ const char *argv[7];
+
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-m";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 1)) {
+ argv[2] = "-a";
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying User mapping ",
+ user_name, (unsigned int) user_id, 0);
+ #endif
+ fail_exit (E_SE_UPDATE);
+ }
+ }
+ }
}
#endif
@@ -1816,34 +1840,3 @@ int main (int argc, char **argv)
return E_SUCCESS;
}
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void) {
- const char *argv[7];
-
- if (is_selinux_enabled () <= 0) return;
-
- if (*user_selinux) {
- argv[0] = "/usr/sbin/semanage";
- argv[1] = "login";
- argv[2] = "-m";
- argv[3] = "-s";
- argv[4] = user_selinux;
- argv[5] = user_name;
- argv[6] = NULL;
- if (safe_system (argv[0], argv, NULL, 1)) {
- argv[2] = "-a";
- if (safe_system (argv[0], argv, NULL, 0)) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
- "modifying User mapping ",
- user_name, (unsigned int) user_id, 0);
-#endif
- }
- }
- }
-}
-#endif
-