diff --git a/shadow-4.1.4.2-semange.patch b/shadow-4.1.4.2-semange.patch
deleted file mode 100644
index d4427e6..0000000
--- a/shadow-4.1.4.2-semange.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-diff -up shadow-4.1.4.2/src/userdel.c.semanage shadow-4.1.4.2/src/userdel.c
---- shadow-4.1.4.2/src/userdel.c.semanage	2010-04-28 14:47:25.581366330 +0200
-+++ shadow-4.1.4.2/src/userdel.c	2010-04-28 14:48:08.736376028 +0200
-@@ -974,18 +974,6 @@ int main (int argc, char **argv)
- 	}
- #endif
- 
--#ifdef WITH_SELINUX
--	if (is_selinux_enabled () > 0) {
--		const char *args[5];
--		args[0] = "/usr/sbin/semanage";
--		args[1] = "login";
--		args[2] = "-d";
--		args[3] = user_name;
--		args[4] = NULL;
--		safe_system (args[0], args, NULL, 1);
--	}
--#endif
--
- 	/*
- 	 * Cancel any crontabs or at jobs. Have to do this before we remove
- 	 * the entry from /etc/passwd.
diff --git a/shadow-4.1.4.3-semange.patch b/shadow-4.1.4.3-semange.patch
new file mode 100644
index 0000000..6a8a4f6
--- /dev/null
+++ b/shadow-4.1.4.3-semange.patch
@@ -0,0 +1,301 @@
+diff -up shadow-4.1.4.3/man/useradd.8.semange shadow-4.1.4.3/man/useradd.8
+--- shadow-4.1.4.3/man/useradd.8.semange	2011-06-28 16:17:06.385374734 +0200
++++ shadow-4.1.4.3/man/useradd.8	2011-06-28 16:18:19.657899439 +0200
+@@ -640,6 +640,11 @@ can\*(Aqt create home directory
+ .RS 4
+ can\*(Aqt create mail spool
+ .RE
++.PP
++\fI14\fR
++.RS 4
++can\'t update SELinux user mapping
++.RE
+ .SH "SEE ALSO"
+ .PP
+ 
+diff -up shadow-4.1.4.3/man/userdel.8.semange shadow-4.1.4.3/man/userdel.8
+--- shadow-4.1.4.3/man/userdel.8.semange	2011-02-16 00:14:13.000000000 +0100
++++ shadow-4.1.4.3/man/userdel.8	2011-06-28 16:18:19.657899439 +0200
+@@ -76,6 +76,11 @@ variable in the
+ login\&.defs
+ file\&.
+ .RE
++.PP
++\fB\-Z\fR, \fB\-\-selinux-user\fR
++.RS 4
++Remove SELinux user assigned to the user´s login from SELinux login mapping. Use with caution, all the occurrences of the SELinux user will be removed.
++.RE
+ .SH "CONFIGURATION"
+ .PP
+ The following configuration variables in
+diff -up shadow-4.1.4.3/src/useradd.c.semange shadow-4.1.4.3/src/useradd.c
+--- shadow-4.1.4.3/src/useradd.c.semange	2011-06-28 16:17:06.381374760 +0200
++++ shadow-4.1.4.3/src/useradd.c	2011-06-28 16:18:19.658899432 +0200
+@@ -164,6 +164,7 @@ static bool home_added = false;
+ #define E_GRP_UPDATE	10	/* can't update group file */
+ #define E_HOMEDIR	12	/* can't create home directory */
+ #define	E_MAIL_SPOOL	13	/* can't create mail spool */
++#define	E_SE_UPDATE	14	/* can't update SELinux user mapping */
+ 
+ #define DGROUP			"GROUP="
+ #define HOME			"HOME="
+@@ -181,9 +182,6 @@ static int set_defaults (void);
+ static int get_groups (char *);
+ static void usage (void);
+ static void new_pwent (struct passwd *);
+-#ifdef WITH_SELINUX
+-static void selinux_update_mapping (void);
+-#endif
+ 
+ static long scale_age (long);
+ static void new_spent (struct spwd *);
+@@ -1710,32 +1708,6 @@ static void usr_update (void)
+ 	}
+ }
+ 
+-#ifdef WITH_SELINUX
+-static void selinux_update_mapping (void) {
+-	if (is_selinux_enabled () <= 0) return;
+-
+-	if (*user_selinux) { /* must be done after passwd write() */
+-		const char *argv[7];
+-		argv[0] = "/usr/sbin/semanage";
+-		argv[1] = "login";
+-		argv[2] = "-a";
+-		argv[3] = "-s";
+-		argv[4] = user_selinux;
+-		argv[5] = user_name;
+-		argv[6] = NULL;
+-		if (safe_system (argv[0], argv, NULL, 0)) {
+-			fprintf (stderr,
+-			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+-			         Prog, user_name, user_selinux);
+-#ifdef WITH_AUDIT
+-			audit_logger (AUDIT_ADD_USER, Prog,
+-			              "adding SELinux user mapping",
+-			              user_name, (unsigned int) user_id, 0);
+-#endif
+-		}
+-	}
+-}
+-#endif
+ /*
+  * create_home - create the user's home directory
+  *
+@@ -2022,12 +1994,35 @@ int main (int argc, char **argv)
+ 		create_mail ();
+ 	}
+ 
+-	close_files ();
+-
+ #ifdef WITH_SELINUX
+-	selinux_update_mapping ();
++	if (Zflg && *user_selinux) {
++		if (is_selinux_enabled () > 0) {
++			const char *argv[7];
++
++			argv[0] = "/usr/sbin/semanage";
++			argv[1] = "login";
++			argv[2] = "-a";
++			argv[3] = "-s";
++			argv[4] = user_selinux;
++			argv[5] = user_name;
++			argv[6] = NULL;
++			if (safe_system (argv[0], argv, NULL, 0)) {
++				fprintf (stderr,
++					 _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
++					 Prog, user_name, user_selinux);
++	#ifdef WITH_AUDIT
++				audit_logger (AUDIT_ADD_USER, Prog,
++					      "adding SELinux user mapping",
++					      user_name, (unsigned int) user_id, 0);
++	#endif
++				fail_exit (E_SE_UPDATE);
++			}
++		}
++	}
+ #endif
+ 
++	close_files ();
++
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
+ 
+diff -up shadow-4.1.4.3/src/userdel.c.semange shadow-4.1.4.3/src/userdel.c
+--- shadow-4.1.4.3/src/userdel.c.semange	2011-02-13 18:58:16.000000000 +0100
++++ shadow-4.1.4.3/src/userdel.c	2011-06-28 16:18:19.659899426 +0200
+@@ -82,6 +82,7 @@ static char *user_home;
+ 
+ static bool fflg = false;
+ static bool rflg = false;
++static bool Zflg = false;
+ 
+ static bool is_shadow_pwd;
+ 
+@@ -120,6 +121,9 @@ static void usage (void)
+ 	         "                                even if not owned by user\n"
+ 	         "  -h, --help                    display this help message and exit\n"
+ 	         "  -r, --remove                  remove home directory and mail spool\n"
++#ifdef WITH_SELINUX
++	         "  -Z, --selinux-user            remove SELinux user from SELinux user mapping\n"
++#endif
+ 	         "\n"), stderr);
+ 	exit (E_USAGE);
+ }
+@@ -766,9 +770,17 @@ int main (int argc, char **argv)
+ 			{"force", no_argument, NULL, 'f'},
+ 			{"help", no_argument, NULL, 'h'},
+ 			{"remove", no_argument, NULL, 'r'},
++#ifdef WITH_SELINUX
++			{"selinux-user", required_argument, NULL, 'Z'},
++#endif
+ 			{NULL, 0, NULL, '\0'}
+ 		};
+-		while ((c = getopt_long (argc, argv, "fhr",
++		while ((c = getopt_long (argc, argv, 
++#ifdef WITH_SELINUX             
++					 "fhrZ",
++#else
++					 "fhr",
++#endif
+ 		                         long_options, NULL)) != -1) {
+ 			switch (c) {
+ 			case 'f':	/* force remove even if not owned by user */
+@@ -777,6 +789,19 @@ int main (int argc, char **argv)
+ 			case 'r':	/* remove home dir and mailbox */
+ 				rflg = true;
+ 				break;
++#ifdef WITH_SELINUX             
++                        case 'Z':
++                                if (is_selinux_enabled () > 0) {
++                                        Zflg = true;
++                                } else {
++                                        fprintf (stderr,
++                                                 _("%s: -Z requires SELinux enabled kernel\n"),
++                                                 Prog);
++
++                                        exit (E_BAD_ARG);
++                                }
++                                break;
++#endif
+ 			default:
+ 				usage ();
+ 			}
+@@ -975,14 +1000,16 @@ int main (int argc, char **argv)
+ #endif
+ 
+ #ifdef WITH_SELINUX
+-	if (is_selinux_enabled () > 0) {
+-		const char *args[5];
+-		args[0] = "/usr/sbin/semanage";
+-		args[1] = "login";
+-		args[2] = "-d";
+-		args[3] = user_name;
+-		args[4] = NULL;
+-		safe_system (args[0], args, NULL, 1);
++	if (Zflg) {
++		if (is_selinux_enabled () > 0) {
++			const char *args[5];
++			args[0] = "/usr/sbin/semanage";
++			args[1] = "login";
++			args[2] = "-d";
++			args[3] = user_name;
++			args[4] = NULL;
++			safe_system (args[0], args, NULL, 1);
++		}
+ 	}
+ #endif
+ 
+diff -up shadow-4.1.4.3/src/usermod.c.semange shadow-4.1.4.3/src/usermod.c
+--- shadow-4.1.4.3/src/usermod.c.semange	2011-02-13 18:58:16.000000000 +0100
++++ shadow-4.1.4.3/src/usermod.c	2011-06-28 16:18:19.661899414 +0200
+@@ -82,6 +82,9 @@
+ #define E_GRP_UPDATE	10	/* can't update group file */
+ /* #define E_NOSPACE	11	   insufficient space to move home dir */
+ #define E_HOMEDIR	12	/* unable to complete home dir move */
++#define	E_SE_UPDATE	13	/* can't update SELinux user mapping */
++
++
+ #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
+ /*
+  * Global variables
+@@ -151,9 +154,6 @@ static void date_to_str (char *buf, size
+ static int get_groups (char *);
+ static void usage (void);
+ static void new_pwent (struct passwd *);
+-#ifdef WITH_SELINUX
+-static void selinux_update_mapping (void);
+-#endif
+ 
+ static void new_spent (struct spwd *);
+ static void fail_exit (int);
+@@ -1785,8 +1785,32 @@ int main (int argc, char **argv)
+ 	nscd_flush_cache ("group");
+ 
+ #ifdef WITH_SELINUX
+-	if (Zflg) {
+-		selinux_update_mapping ();
++	if (Zflg && *user_selinux) {
++		if (is_selinux_enabled () > 0) {
++			const char *argv[7];
++
++			argv[0] = "/usr/sbin/semanage";
++			argv[1] = "login";
++			argv[2] = "-m";
++			argv[3] = "-s";
++			argv[4] = user_selinux;
++			argv[5] = user_name;
++			argv[6] = NULL;
++			if (safe_system (argv[0], argv, NULL, 1)) {
++				argv[2] = "-a";
++				if (safe_system (argv[0], argv, NULL, 0)) {
++					fprintf (stderr,
++						 _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
++						 Prog, user_name, user_selinux);
++	#ifdef WITH_AUDIT
++					audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++						      "modifying User mapping ",
++						      user_name, (unsigned int) user_id, 0);
++	#endif
++					fail_exit (E_SE_UPDATE);
++				}
++			}
++		}
+ 	}
+ #endif
+ 
+@@ -1816,34 +1840,3 @@ int main (int argc, char **argv)
+ 	return E_SUCCESS;
+ }
+ 
+-#ifdef WITH_SELINUX
+-static void selinux_update_mapping (void) {
+-	const char *argv[7];
+-
+-	if (is_selinux_enabled () <= 0) return;
+-
+-	if (*user_selinux) {
+-		argv[0] = "/usr/sbin/semanage";
+-		argv[1] = "login";
+-		argv[2] = "-m";
+-		argv[3] = "-s";
+-		argv[4] = user_selinux;
+-		argv[5] = user_name;
+-		argv[6] = NULL;
+-		if (safe_system (argv[0], argv, NULL, 1)) {
+-			argv[2] = "-a";
+-			if (safe_system (argv[0], argv, NULL, 0)) {
+-				fprintf (stderr,
+-				         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+-				         Prog, user_name, user_selinux);
+-#ifdef WITH_AUDIT
+-				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+-				              "modifying User mapping ",
+-				              user_name, (unsigned int) user_id, 0);
+-#endif
+-			}
+-		}
+-	}
+-}
+-#endif
+-
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 704eddc..58c0069 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.4.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
@@ -12,7 +12,7 @@ Patch1: shadow-4.1.4.3-goodname.patch
 Patch2: shadow-4.1.4.2-leak.patch
 Patch3: shadow-4.1.4.2-fixes.patch
 Patch4: shadow-4.1.4.2-infoParentDir.patch
-Patch5: shadow-4.1.4.2-semange.patch
+Patch5: shadow-4.1.4.3-semange.patch
 Patch6: shadow-4.1.4.2-acl.patch
 Patch7: shadow-4.1.4.2-underflow.patch
 Patch8: shadow-4.1.4.3-uflg.patch
@@ -200,6 +200,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Tue Jun 28 2011 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.3-5
+- userdel option to remove Linux login <-> SELinux login mapping (#639900)
+- useradd special exit value if SELinux user mapping is invalid (#639975)
+- usermod special exit value if SELinux user mapping is invalid (#639976)
+
 * Mon Jun 27 2011 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.3-4
 - refer to PAM in /etc/login.defs (#629277)