- fixing Linux login <-> SELinux login mapping
(#639900), (#639975), (#639976)
This commit is contained in:
parent
f7bb2ec63f
commit
46dd21926b
3 changed files with 308 additions and 24 deletions
|
@ -1,22 +0,0 @@
|
|||
diff -up shadow-4.1.4.2/src/userdel.c.semanage shadow-4.1.4.2/src/userdel.c
|
||||
--- shadow-4.1.4.2/src/userdel.c.semanage 2010-04-28 14:47:25.581366330 +0200
|
||||
+++ shadow-4.1.4.2/src/userdel.c 2010-04-28 14:48:08.736376028 +0200
|
||||
@@ -974,18 +974,6 @@ int main (int argc, char **argv)
|
||||
}
|
||||
#endif
|
||||
|
||||
-#ifdef WITH_SELINUX
|
||||
- if (is_selinux_enabled () > 0) {
|
||||
- const char *args[5];
|
||||
- args[0] = "/usr/sbin/semanage";
|
||||
- args[1] = "login";
|
||||
- args[2] = "-d";
|
||||
- args[3] = user_name;
|
||||
- args[4] = NULL;
|
||||
- safe_system (args[0], args, NULL, 1);
|
||||
- }
|
||||
-#endif
|
||||
-
|
||||
/*
|
||||
* Cancel any crontabs or at jobs. Have to do this before we remove
|
||||
* the entry from /etc/passwd.
|
301
shadow-4.1.4.3-semange.patch
Normal file
301
shadow-4.1.4.3-semange.patch
Normal file
|
@ -0,0 +1,301 @@
|
|||
diff -up shadow-4.1.4.3/man/useradd.8.semange shadow-4.1.4.3/man/useradd.8
|
||||
--- shadow-4.1.4.3/man/useradd.8.semange 2011-06-28 16:17:06.385374734 +0200
|
||||
+++ shadow-4.1.4.3/man/useradd.8 2011-06-28 16:18:19.657899439 +0200
|
||||
@@ -640,6 +640,11 @@ can\*(Aqt create home directory
|
||||
.RS 4
|
||||
can\*(Aqt create mail spool
|
||||
.RE
|
||||
+.PP
|
||||
+\fI14\fR
|
||||
+.RS 4
|
||||
+can\'t update SELinux user mapping
|
||||
+.RE
|
||||
.SH "SEE ALSO"
|
||||
.PP
|
||||
|
||||
diff -up shadow-4.1.4.3/man/userdel.8.semange shadow-4.1.4.3/man/userdel.8
|
||||
--- shadow-4.1.4.3/man/userdel.8.semange 2011-02-16 00:14:13.000000000 +0100
|
||||
+++ shadow-4.1.4.3/man/userdel.8 2011-06-28 16:18:19.657899439 +0200
|
||||
@@ -76,6 +76,11 @@ variable in the
|
||||
login\&.defs
|
||||
file\&.
|
||||
.RE
|
||||
+.PP
|
||||
+\fB\-Z\fR, \fB\-\-selinux-user\fR
|
||||
+.RS 4
|
||||
+Remove SELinux user assigned to the user´s login from SELinux login mapping. Use with caution, all the occurrences of the SELinux user will be removed.
|
||||
+.RE
|
||||
.SH "CONFIGURATION"
|
||||
.PP
|
||||
The following configuration variables in
|
||||
diff -up shadow-4.1.4.3/src/useradd.c.semange shadow-4.1.4.3/src/useradd.c
|
||||
--- shadow-4.1.4.3/src/useradd.c.semange 2011-06-28 16:17:06.381374760 +0200
|
||||
+++ shadow-4.1.4.3/src/useradd.c 2011-06-28 16:18:19.658899432 +0200
|
||||
@@ -164,6 +164,7 @@ static bool home_added = false;
|
||||
#define E_GRP_UPDATE 10 /* can't update group file */
|
||||
#define E_HOMEDIR 12 /* can't create home directory */
|
||||
#define E_MAIL_SPOOL 13 /* can't create mail spool */
|
||||
+#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
|
||||
|
||||
#define DGROUP "GROUP="
|
||||
#define HOME "HOME="
|
||||
@@ -181,9 +182,6 @@ static int set_defaults (void);
|
||||
static int get_groups (char *);
|
||||
static void usage (void);
|
||||
static void new_pwent (struct passwd *);
|
||||
-#ifdef WITH_SELINUX
|
||||
-static void selinux_update_mapping (void);
|
||||
-#endif
|
||||
|
||||
static long scale_age (long);
|
||||
static void new_spent (struct spwd *);
|
||||
@@ -1710,32 +1708,6 @@ static void usr_update (void)
|
||||
}
|
||||
}
|
||||
|
||||
-#ifdef WITH_SELINUX
|
||||
-static void selinux_update_mapping (void) {
|
||||
- if (is_selinux_enabled () <= 0) return;
|
||||
-
|
||||
- if (*user_selinux) { /* must be done after passwd write() */
|
||||
- const char *argv[7];
|
||||
- argv[0] = "/usr/sbin/semanage";
|
||||
- argv[1] = "login";
|
||||
- argv[2] = "-a";
|
||||
- argv[3] = "-s";
|
||||
- argv[4] = user_selinux;
|
||||
- argv[5] = user_name;
|
||||
- argv[6] = NULL;
|
||||
- if (safe_system (argv[0], argv, NULL, 0)) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
|
||||
- Prog, user_name, user_selinux);
|
||||
-#ifdef WITH_AUDIT
|
||||
- audit_logger (AUDIT_ADD_USER, Prog,
|
||||
- "adding SELinux user mapping",
|
||||
- user_name, (unsigned int) user_id, 0);
|
||||
-#endif
|
||||
- }
|
||||
- }
|
||||
-}
|
||||
-#endif
|
||||
/*
|
||||
* create_home - create the user's home directory
|
||||
*
|
||||
@@ -2022,12 +1994,35 @@ int main (int argc, char **argv)
|
||||
create_mail ();
|
||||
}
|
||||
|
||||
- close_files ();
|
||||
-
|
||||
#ifdef WITH_SELINUX
|
||||
- selinux_update_mapping ();
|
||||
+ if (Zflg && *user_selinux) {
|
||||
+ if (is_selinux_enabled () > 0) {
|
||||
+ const char *argv[7];
|
||||
+
|
||||
+ argv[0] = "/usr/sbin/semanage";
|
||||
+ argv[1] = "login";
|
||||
+ argv[2] = "-a";
|
||||
+ argv[3] = "-s";
|
||||
+ argv[4] = user_selinux;
|
||||
+ argv[5] = user_name;
|
||||
+ argv[6] = NULL;
|
||||
+ if (safe_system (argv[0], argv, NULL, 0)) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
|
||||
+ Prog, user_name, user_selinux);
|
||||
+ #ifdef WITH_AUDIT
|
||||
+ audit_logger (AUDIT_ADD_USER, Prog,
|
||||
+ "adding SELinux user mapping",
|
||||
+ user_name, (unsigned int) user_id, 0);
|
||||
+ #endif
|
||||
+ fail_exit (E_SE_UPDATE);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
#endif
|
||||
|
||||
+ close_files ();
|
||||
+
|
||||
nscd_flush_cache ("passwd");
|
||||
nscd_flush_cache ("group");
|
||||
|
||||
diff -up shadow-4.1.4.3/src/userdel.c.semange shadow-4.1.4.3/src/userdel.c
|
||||
--- shadow-4.1.4.3/src/userdel.c.semange 2011-02-13 18:58:16.000000000 +0100
|
||||
+++ shadow-4.1.4.3/src/userdel.c 2011-06-28 16:18:19.659899426 +0200
|
||||
@@ -82,6 +82,7 @@ static char *user_home;
|
||||
|
||||
static bool fflg = false;
|
||||
static bool rflg = false;
|
||||
+static bool Zflg = false;
|
||||
|
||||
static bool is_shadow_pwd;
|
||||
|
||||
@@ -120,6 +121,9 @@ static void usage (void)
|
||||
" even if not owned by user\n"
|
||||
" -h, --help display this help message and exit\n"
|
||||
" -r, --remove remove home directory and mail spool\n"
|
||||
+#ifdef WITH_SELINUX
|
||||
+ " -Z, --selinux-user remove SELinux user from SELinux user mapping\n"
|
||||
+#endif
|
||||
"\n"), stderr);
|
||||
exit (E_USAGE);
|
||||
}
|
||||
@@ -766,9 +770,17 @@ int main (int argc, char **argv)
|
||||
{"force", no_argument, NULL, 'f'},
|
||||
{"help", no_argument, NULL, 'h'},
|
||||
{"remove", no_argument, NULL, 'r'},
|
||||
+#ifdef WITH_SELINUX
|
||||
+ {"selinux-user", required_argument, NULL, 'Z'},
|
||||
+#endif
|
||||
{NULL, 0, NULL, '\0'}
|
||||
};
|
||||
- while ((c = getopt_long (argc, argv, "fhr",
|
||||
+ while ((c = getopt_long (argc, argv,
|
||||
+#ifdef WITH_SELINUX
|
||||
+ "fhrZ",
|
||||
+#else
|
||||
+ "fhr",
|
||||
+#endif
|
||||
long_options, NULL)) != -1) {
|
||||
switch (c) {
|
||||
case 'f': /* force remove even if not owned by user */
|
||||
@@ -777,6 +789,19 @@ int main (int argc, char **argv)
|
||||
case 'r': /* remove home dir and mailbox */
|
||||
rflg = true;
|
||||
break;
|
||||
+#ifdef WITH_SELINUX
|
||||
+ case 'Z':
|
||||
+ if (is_selinux_enabled () > 0) {
|
||||
+ Zflg = true;
|
||||
+ } else {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: -Z requires SELinux enabled kernel\n"),
|
||||
+ Prog);
|
||||
+
|
||||
+ exit (E_BAD_ARG);
|
||||
+ }
|
||||
+ break;
|
||||
+#endif
|
||||
default:
|
||||
usage ();
|
||||
}
|
||||
@@ -975,14 +1000,16 @@ int main (int argc, char **argv)
|
||||
#endif
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (is_selinux_enabled () > 0) {
|
||||
- const char *args[5];
|
||||
- args[0] = "/usr/sbin/semanage";
|
||||
- args[1] = "login";
|
||||
- args[2] = "-d";
|
||||
- args[3] = user_name;
|
||||
- args[4] = NULL;
|
||||
- safe_system (args[0], args, NULL, 1);
|
||||
+ if (Zflg) {
|
||||
+ if (is_selinux_enabled () > 0) {
|
||||
+ const char *args[5];
|
||||
+ args[0] = "/usr/sbin/semanage";
|
||||
+ args[1] = "login";
|
||||
+ args[2] = "-d";
|
||||
+ args[3] = user_name;
|
||||
+ args[4] = NULL;
|
||||
+ safe_system (args[0], args, NULL, 1);
|
||||
+ }
|
||||
}
|
||||
#endif
|
||||
|
||||
diff -up shadow-4.1.4.3/src/usermod.c.semange shadow-4.1.4.3/src/usermod.c
|
||||
--- shadow-4.1.4.3/src/usermod.c.semange 2011-02-13 18:58:16.000000000 +0100
|
||||
+++ shadow-4.1.4.3/src/usermod.c 2011-06-28 16:18:19.661899414 +0200
|
||||
@@ -82,6 +82,9 @@
|
||||
#define E_GRP_UPDATE 10 /* can't update group file */
|
||||
/* #define E_NOSPACE 11 insufficient space to move home dir */
|
||||
#define E_HOMEDIR 12 /* unable to complete home dir move */
|
||||
+#define E_SE_UPDATE 13 /* can't update SELinux user mapping */
|
||||
+
|
||||
+
|
||||
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
|
||||
/*
|
||||
* Global variables
|
||||
@@ -151,9 +154,6 @@ static void date_to_str (char *buf, size
|
||||
static int get_groups (char *);
|
||||
static void usage (void);
|
||||
static void new_pwent (struct passwd *);
|
||||
-#ifdef WITH_SELINUX
|
||||
-static void selinux_update_mapping (void);
|
||||
-#endif
|
||||
|
||||
static void new_spent (struct spwd *);
|
||||
static void fail_exit (int);
|
||||
@@ -1785,8 +1785,32 @@ int main (int argc, char **argv)
|
||||
nscd_flush_cache ("group");
|
||||
|
||||
#ifdef WITH_SELINUX
|
||||
- if (Zflg) {
|
||||
- selinux_update_mapping ();
|
||||
+ if (Zflg && *user_selinux) {
|
||||
+ if (is_selinux_enabled () > 0) {
|
||||
+ const char *argv[7];
|
||||
+
|
||||
+ argv[0] = "/usr/sbin/semanage";
|
||||
+ argv[1] = "login";
|
||||
+ argv[2] = "-m";
|
||||
+ argv[3] = "-s";
|
||||
+ argv[4] = user_selinux;
|
||||
+ argv[5] = user_name;
|
||||
+ argv[6] = NULL;
|
||||
+ if (safe_system (argv[0], argv, NULL, 1)) {
|
||||
+ argv[2] = "-a";
|
||||
+ if (safe_system (argv[0], argv, NULL, 0)) {
|
||||
+ fprintf (stderr,
|
||||
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
|
||||
+ Prog, user_name, user_selinux);
|
||||
+ #ifdef WITH_AUDIT
|
||||
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
|
||||
+ "modifying User mapping ",
|
||||
+ user_name, (unsigned int) user_id, 0);
|
||||
+ #endif
|
||||
+ fail_exit (E_SE_UPDATE);
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
#endif
|
||||
|
||||
@@ -1816,34 +1840,3 @@ int main (int argc, char **argv)
|
||||
return E_SUCCESS;
|
||||
}
|
||||
|
||||
-#ifdef WITH_SELINUX
|
||||
-static void selinux_update_mapping (void) {
|
||||
- const char *argv[7];
|
||||
-
|
||||
- if (is_selinux_enabled () <= 0) return;
|
||||
-
|
||||
- if (*user_selinux) {
|
||||
- argv[0] = "/usr/sbin/semanage";
|
||||
- argv[1] = "login";
|
||||
- argv[2] = "-m";
|
||||
- argv[3] = "-s";
|
||||
- argv[4] = user_selinux;
|
||||
- argv[5] = user_name;
|
||||
- argv[6] = NULL;
|
||||
- if (safe_system (argv[0], argv, NULL, 1)) {
|
||||
- argv[2] = "-a";
|
||||
- if (safe_system (argv[0], argv, NULL, 0)) {
|
||||
- fprintf (stderr,
|
||||
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
|
||||
- Prog, user_name, user_selinux);
|
||||
-#ifdef WITH_AUDIT
|
||||
- audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
|
||||
- "modifying User mapping ",
|
||||
- user_name, (unsigned int) user_id, 0);
|
||||
-#endif
|
||||
- }
|
||||
- }
|
||||
- }
|
||||
-}
|
||||
-#endif
|
||||
-
|
|
@ -1,7 +1,7 @@
|
|||
Summary: Utilities for managing accounts and shadow password files
|
||||
Name: shadow-utils
|
||||
Version: 4.1.4.3
|
||||
Release: 4%{?dist}
|
||||
Release: 5%{?dist}
|
||||
Epoch: 2
|
||||
URL: http://pkg-shadow.alioth.debian.org/
|
||||
Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
|
||||
|
@ -12,7 +12,7 @@ Patch1: shadow-4.1.4.3-goodname.patch
|
|||
Patch2: shadow-4.1.4.2-leak.patch
|
||||
Patch3: shadow-4.1.4.2-fixes.patch
|
||||
Patch4: shadow-4.1.4.2-infoParentDir.patch
|
||||
Patch5: shadow-4.1.4.2-semange.patch
|
||||
Patch5: shadow-4.1.4.3-semange.patch
|
||||
Patch6: shadow-4.1.4.2-acl.patch
|
||||
Patch7: shadow-4.1.4.2-underflow.patch
|
||||
Patch8: shadow-4.1.4.3-uflg.patch
|
||||
|
@ -200,6 +200,11 @@ rm -rf $RPM_BUILD_ROOT
|
|||
%{_mandir}/man8/vigr.8*
|
||||
|
||||
%changelog
|
||||
* Tue Jun 28 2011 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.3-5
|
||||
- userdel option to remove Linux login <-> SELinux login mapping (#639900)
|
||||
- useradd special exit value if SELinux user mapping is invalid (#639975)
|
||||
- usermod special exit value if SELinux user mapping is invalid (#639976)
|
||||
|
||||
* Mon Jun 27 2011 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.3-4
|
||||
- refer to PAM in /etc/login.defs (#629277)
|
||||
|
||||
|
|
Loading…
Reference in a new issue