- fixing Linux login <-> SELinux login mapping

(#639900), (#639975), (#639976)
2011-06-28 16:32:18 +02:00 · 2011-06-28 16:32:18 +02:00 · 46dd21926b
commit 46dd21926b
parent f7bb2ec63f
3 changed files with 308 additions and 24 deletions
--- a/shadow-4.1.4.2-semange.patch
+++ b/shadow-4.1.4.2-semange.patch
@ -1,22 +0,0 @@
 diff -up shadow-4.1.4.2/src/userdel.c.semanage shadow-4.1.4.2/src/userdel.c
 --- shadow-4.1.4.2/src/userdel.c.semanage	2010-04-28 14:47:25.581366330 +0200
 +++ shadow-4.1.4.2/src/userdel.c	2010-04-28 14:48:08.736376028 +0200
@@ -974,18 +974,6 @@ int main (int argc, char **argv)
 	}
 #endif
 -#ifdef WITH_SELINUX
 -	if (is_selinux_enabled () > 0) {
 -		const char *args[5];
 -		args[0] = "/usr/sbin/semanage";
 -		args[1] = "login";
 -		args[2] = "-d";
 -		args[3] = user_name;
 -		args[4] = NULL;
 -		safe_system (args[0], args, NULL, 1);
 -	}
 -#endif
 -
 	/*
 	 * Cancel any crontabs or at jobs. Have to do this before we remove
 	 * the entry from /etc/passwd.
--- a/shadow-4.1.4.3-semange.patch
+++ b/shadow-4.1.4.3-semange.patch
@ -0,0 +1,301 @@
 diff -up shadow-4.1.4.3/man/useradd.8.semange shadow-4.1.4.3/man/useradd.8
 --- shadow-4.1.4.3/man/useradd.8.semange	2011-06-28 16:17:06.385374734 +0200
 +++ shadow-4.1.4.3/man/useradd.8	2011-06-28 16:18:19.657899439 +0200
@@ -640,6 +640,11 @@ can\*(Aqt create home directory
 .RS 4
 can\*(Aqt create mail spool
 .RE
 +.PP
 +\fI14\fR
 +.RS 4
 +can\'t update SELinux user mapping
 +.RE
 .SH "SEE ALSO"
 .PP
 diff -up shadow-4.1.4.3/man/userdel.8.semange shadow-4.1.4.3/man/userdel.8
 --- shadow-4.1.4.3/man/userdel.8.semange	2011-02-16 00:14:13.000000000 +0100
 +++ shadow-4.1.4.3/man/userdel.8	2011-06-28 16:18:19.657899439 +0200
@@ -76,6 +76,11 @@ variable in the
 login\&.defs
 file\&.
 .RE
 +.PP
 +\fB\-Z\fR, \fB\-\-selinux-user\fR
 +.RS 4
 +Remove SELinux user assigned to the user´s login from SELinux login mapping. Use with caution, all the occurrences of the SELinux user will be removed.
 +.RE
 .SH "CONFIGURATION"
 .PP
 The following configuration variables in
 diff -up shadow-4.1.4.3/src/useradd.c.semange shadow-4.1.4.3/src/useradd.c
 --- shadow-4.1.4.3/src/useradd.c.semange	2011-06-28 16:17:06.381374760 +0200
 +++ shadow-4.1.4.3/src/useradd.c	2011-06-28 16:18:19.658899432 +0200
@@ -164,6 +164,7 @@ static bool home_added = false;
 #define E_GRP_UPDATE	10	/* can't update group file */
 #define E_HOMEDIR	12	/* can't create home directory */
 #define	E_MAIL_SPOOL	13	/* can't create mail spool */
 +#define	E_SE_UPDATE	14	/* can't update SELinux user mapping */
 #define DGROUP			"GROUP="
 #define HOME			"HOME="
@@ -181,9 +182,6 @@ static int set_defaults (void);
 static int get_groups (char *);
 static void usage (void);
 static void new_pwent (struct passwd *);
 -#ifdef WITH_SELINUX
 -static void selinux_update_mapping (void);
 -#endif
 static long scale_age (long);
 static void new_spent (struct spwd *);
@@ -1710,32 +1708,6 @@ static void usr_update (void)
 	}
 }
 -#ifdef WITH_SELINUX
 -static void selinux_update_mapping (void) {
 -	if (is_selinux_enabled () <= 0) return;
 -
 -	if (*user_selinux) { /* must be done after passwd write() */
 -		const char *argv[7];
 -		argv[0] = "/usr/sbin/semanage";
 -		argv[1] = "login";
 -		argv[2] = "-a";
 -		argv[3] = "-s";
 -		argv[4] = user_selinux;
 -		argv[5] = user_name;
 -		argv[6] = NULL;
 -		if (safe_system (argv[0], argv, NULL, 0)) {
 -			fprintf (stderr,
 -			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
 -			         Prog, user_name, user_selinux);
 -#ifdef WITH_AUDIT
 -			audit_logger (AUDIT_ADD_USER, Prog,
 -			              "adding SELinux user mapping",
 -			              user_name, (unsigned int) user_id, 0);
 -#endif
 -		}
 -	}
 -}
 -#endif
 /*
  * create_home - create the user's home directory
  *
@@ -2022,12 +1994,35 @@ int main (int argc, char **argv)
 		create_mail ();
 	}
 -	close_files ();
 -
 #ifdef WITH_SELINUX
 -	selinux_update_mapping ();
 +	if (Zflg && *user_selinux) {
 +		if (is_selinux_enabled () > 0) {
 +			const char *argv[7];
 +
 +			argv[0] = "/usr/sbin/semanage";
 +			argv[1] = "login";
 +			argv[2] = "-a";
 +			argv[3] = "-s";
 +			argv[4] = user_selinux;
 +			argv[5] = user_name;
 +			argv[6] = NULL;
 +			if (safe_system (argv[0], argv, NULL, 0)) {
 +				fprintf (stderr,
 +					 _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
 +					 Prog, user_name, user_selinux);
 +	#ifdef WITH_AUDIT
 +				audit_logger (AUDIT_ADD_USER, Prog,
 +					      "adding SELinux user mapping",
 +					      user_name, (unsigned int) user_id, 0);
 +	#endif
 +				fail_exit (E_SE_UPDATE);
 +			}
 +		}
 +	}
 #endif
 +	close_files ();
 +
 	nscd_flush_cache ("passwd");
 	nscd_flush_cache ("group");
 diff -up shadow-4.1.4.3/src/userdel.c.semange shadow-4.1.4.3/src/userdel.c
 --- shadow-4.1.4.3/src/userdel.c.semange	2011-02-13 18:58:16.000000000 +0100
 +++ shadow-4.1.4.3/src/userdel.c	2011-06-28 16:18:19.659899426 +0200
@@ -82,6 +82,7 @@ static char *user_home;
 static bool fflg = false;
 static bool rflg = false;
 +static bool Zflg = false;
 static bool is_shadow_pwd;
@@ -120,6 +121,9 @@ static void usage (void)
 	         "                                even if not owned by user\n"
 	         "  -h, --help                    display this help message and exit\n"
 	         "  -r, --remove                  remove home directory and mail spool\n"
 +#ifdef WITH_SELINUX
 +	         "  -Z, --selinux-user            remove SELinux user from SELinux user mapping\n"
 +#endif
 	         "\n"), stderr);
 	exit (E_USAGE);
 }
@@ -766,9 +770,17 @@ int main (int argc, char **argv)
 			{"force", no_argument, NULL, 'f'},
 			{"help", no_argument, NULL, 'h'},
 			{"remove", no_argument, NULL, 'r'},
 +#ifdef WITH_SELINUX
 +			{"selinux-user", required_argument, NULL, 'Z'},
 +#endif
 			{NULL, 0, NULL, '\0'}
 		};
 -		while ((c = getopt_long (argc, argv, "fhr",
 +		while ((c = getopt_long (argc, argv, 
 +#ifdef WITH_SELINUX             
 +					 "fhrZ",
 +#else
 +					 "fhr",
 +#endif
 		                         long_options, NULL)) != -1) {
 			switch (c) {
 			case 'f':	/* force remove even if not owned by user */
@@ -777,6 +789,19 @@ int main (int argc, char **argv)
 			case 'r':	/* remove home dir and mailbox */
 				rflg = true;
 				break;
 +#ifdef WITH_SELINUX             
 +                        case 'Z':
 +                                if (is_selinux_enabled () > 0) {
 +                                        Zflg = true;
 +                                } else {
 +                                        fprintf (stderr,
 +                                                 _("%s: -Z requires SELinux enabled kernel\n"),
 +                                                 Prog);
 +
 +                                        exit (E_BAD_ARG);
 +                                }
 +                                break;
 +#endif
 			default:
 				usage ();
 			}
@@ -975,14 +1000,16 @@ int main (int argc, char **argv)
 #endif
 #ifdef WITH_SELINUX
 -	if (is_selinux_enabled () > 0) {
 -		const char *args[5];
 -		args[0] = "/usr/sbin/semanage";
 -		args[1] = "login";
 -		args[2] = "-d";
 -		args[3] = user_name;
 -		args[4] = NULL;
 -		safe_system (args[0], args, NULL, 1);
 +	if (Zflg) {
 +		if (is_selinux_enabled () > 0) {
 +			const char *args[5];
 +			args[0] = "/usr/sbin/semanage";
 +			args[1] = "login";
 +			args[2] = "-d";
 +			args[3] = user_name;
 +			args[4] = NULL;
 +			safe_system (args[0], args, NULL, 1);
 +		}
 	}
 #endif
 diff -up shadow-4.1.4.3/src/usermod.c.semange shadow-4.1.4.3/src/usermod.c
 --- shadow-4.1.4.3/src/usermod.c.semange	2011-02-13 18:58:16.000000000 +0100
 +++ shadow-4.1.4.3/src/usermod.c	2011-06-28 16:18:19.661899414 +0200
@@ -82,6 +82,9 @@
 #define E_GRP_UPDATE	10	/* can't update group file */
 /* #define E_NOSPACE	11	   insufficient space to move home dir */
 #define E_HOMEDIR	12	/* unable to complete home dir move */
 +#define	E_SE_UPDATE	13	/* can't update SELinux user mapping */
 +
 +
 #define	VALID(s)	(strcspn (s, ":\n") == strlen (s))
 /*
  * Global variables
@@ -151,9 +154,6 @@ static void date_to_str (char *buf, size
 static int get_groups (char *);
 static void usage (void);
 static void new_pwent (struct passwd *);
 -#ifdef WITH_SELINUX
 -static void selinux_update_mapping (void);
 -#endif
 static void new_spent (struct spwd *);
 static void fail_exit (int);
@@ -1785,8 +1785,32 @@ int main (int argc, char **argv)
 	nscd_flush_cache ("group");
 #ifdef WITH_SELINUX
 -	if (Zflg) {
 -		selinux_update_mapping ();
 +	if (Zflg && *user_selinux) {
 +		if (is_selinux_enabled () > 0) {
 +			const char *argv[7];
 +
 +			argv[0] = "/usr/sbin/semanage";
 +			argv[1] = "login";
 +			argv[2] = "-m";
 +			argv[3] = "-s";
 +			argv[4] = user_selinux;
 +			argv[5] = user_name;
 +			argv[6] = NULL;
 +			if (safe_system (argv[0], argv, NULL, 1)) {
 +				argv[2] = "-a";
 +				if (safe_system (argv[0], argv, NULL, 0)) {
 +					fprintf (stderr,
 +						 _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
 +						 Prog, user_name, user_selinux);
 +	#ifdef WITH_AUDIT
 +					audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
 +						      "modifying User mapping ",
 +						      user_name, (unsigned int) user_id, 0);
 +	#endif
 +					fail_exit (E_SE_UPDATE);
 +				}
 +			}
 +		}
 	}
 #endif
@@ -1816,34 +1840,3 @@ int main (int argc, char **argv)
 	return E_SUCCESS;
 }
 -#ifdef WITH_SELINUX
 -static void selinux_update_mapping (void) {
 -	const char *argv[7];
 -
 -	if (is_selinux_enabled () <= 0) return;
 -
 -	if (*user_selinux) {
 -		argv[0] = "/usr/sbin/semanage";
 -		argv[1] = "login";
 -		argv[2] = "-m";
 -		argv[3] = "-s";
 -		argv[4] = user_selinux;
 -		argv[5] = user_name;
 -		argv[6] = NULL;
 -		if (safe_system (argv[0], argv, NULL, 1)) {
 -			argv[2] = "-a";
 -			if (safe_system (argv[0], argv, NULL, 0)) {
 -				fprintf (stderr,
 -				         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
 -				         Prog, user_name, user_selinux);
 -#ifdef WITH_AUDIT
 -				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
 -				              "modifying User mapping ",
 -				              user_name, (unsigned int) user_id, 0);
 -#endif
 -			}
 -		}
 -	}
 -}
 -#endif
 -
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.4.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
@ -12,7 +12,7 @@ Patch1: shadow-4.1.4.3-goodname.patch
 Patch2: shadow-4.1.4.2-leak.patch
 Patch3: shadow-4.1.4.2-fixes.patch
 Patch4: shadow-4.1.4.2-infoParentDir.patch
-Patch5: shadow-4.1.4.2-semange.patch
+Patch5: shadow-4.1.4.3-semange.patch
 Patch6: shadow-4.1.4.2-acl.patch
 Patch7: shadow-4.1.4.2-underflow.patch
 Patch8: shadow-4.1.4.3-uflg.patch
@ -200,6 +200,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 %changelog
 * Tue Jun 28 2011 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.3-5
 - userdel option to remove Linux login <-> SELinux login mapping (#639900)
 - useradd special exit value if SELinux user mapping is invalid (#639975)
 - usermod special exit value if SELinux user mapping is invalid (#639976)
 * Mon Jun 27 2011 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.3-4
 - refer to PAM in /etc/login.defs (#629277)