From b0df019716a364553fa103c137ed90add9cf6fd0 Mon Sep 17 00:00:00 2001 From: Peter Vrabec Date: Wed, 29 Jun 2011 16:43:23 +0200 Subject: [PATCH] userdel option to remove Linux login <-> SELinux login mapping (#639900) useradd special exit value if SELinux user mapping is invalid (#639975) usermod special exit value if SELinux user mapping is invalid (#639976) Resolves: #701355 --- shadow-4.1.4.2-semange.patch | 295 ++++++++++++++++++++++++++++++++++- shadow-utils.spec | 8 +- 2 files changed, 294 insertions(+), 9 deletions(-) diff --git a/shadow-4.1.4.2-semange.patch b/shadow-4.1.4.2-semange.patch index d4427e6..fcd30d1 100644 --- a/shadow-4.1.4.2-semange.patch +++ b/shadow-4.1.4.2-semange.patch 
@@ -1,11 +1,190 @@ -diff -up shadow-4.1.4.2/src/userdel.c.semanage shadow-4.1.4.2/src/userdel.c ---- shadow-4.1.4.2/src/userdel.c.semanage 2010-04-28 14:47:25.581366330 +0200 -+++ shadow-4.1.4.2/src/userdel.c 2010-04-28 14:48:08.736376028 +0200 -@@ -974,18 +974,6 @@ int main (int argc, char **argv) +diff -up shadow-4.1.4.2/man/useradd.8.semange shadow-4.1.4.2/man/useradd.8 +--- shadow-4.1.4.2/man/useradd.8.semange 2011-06-28 15:08:46.583254750 +0200 ++++ shadow-4.1.4.2/man/useradd.8 2011-06-28 15:08:46.600282568 +0200 +@@ -631,6 +631,11 @@ can\'t create home directory + .RS 4 + can\'t create mail spool + .RE ++.PP ++\fI14\fR ++.RS 4 ++can\'t update SELinux user mapping ++.RE + .SH "SEE ALSO" + .PP + +diff -up shadow-4.1.4.2/man/userdel.8.semange shadow-4.1.4.2/man/userdel.8 +--- shadow-4.1.4.2/man/userdel.8.semange 2009-07-24 03:16:45.000000000 +0200 ++++ shadow-4.1.4.2/man/userdel.8 2011-06-28 15:08:46.601278956 +0200 +@@ -67,6 +67,11 @@ variable in the + login\&.defs + file\&. + .RE ++.PP ++\fB\-Z\fR, \fB\-\-selinux-user\fR ++.RS 4 ++Remove SELinux user assigned to the userĀ“s login from SELinux login mapping. Use with caution, all the occurrences of the SELinux user will be removed. 
++.RE + .SH "CONFIGURATION" + .PP + The following configuration variables in +diff -up shadow-4.1.4.2/src/useradd.c.semange shadow-4.1.4.2/src/useradd.c +--- shadow-4.1.4.2/src/useradd.c.semange 2011-06-28 15:08:46.577257401 +0200 ++++ shadow-4.1.4.2/src/useradd.c 2011-06-28 15:54:22.430084199 +0200 +@@ -164,6 +164,7 @@ static bool home_added = false; + #define E_GRP_UPDATE 10 /* can't update group file */ + #define E_HOMEDIR 12 /* can't create home directory */ + #define E_MAIL_SPOOL 13 /* can't create mail spool */ ++#define E_SE_UPDATE 14 /* can't update SELinux user mapping */ + + #define DGROUP "GROUP=" + #define HOME "HOME=" +@@ -181,9 +182,6 @@ static int set_defaults (void); + static int get_groups (char *); + static void usage (void); + static void new_pwent (struct passwd *); +-#ifdef WITH_SELINUX +-static void selinux_update_mapping (void); +-#endif + + static long scale_age (long); + static void new_spent (struct spwd *); +@@ -1710,32 +1708,6 @@ static void usr_update (void) } - #endif + } -#ifdef WITH_SELINUX +-static void selinux_update_mapping (void) { +- if (is_selinux_enabled () <= 0) return; +- +- if (*user_selinux) { /* must be done after passwd write() */ +- const char *argv[7]; +- argv[0] = "/usr/sbin/semanage"; +- argv[1] = "login"; +- argv[2] = "-a"; +- argv[3] = "-s"; +- argv[4] = user_selinux; +- argv[5] = user_name; +- argv[6] = NULL; +- if (safe_system (argv[0], argv, NULL, 0)) { +- fprintf (stderr, +- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), +- Prog, user_name, user_selinux); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_ADD_USER, Prog, +- "adding SELinux user mapping", +- user_name, (unsigned int) user_id, 0); +-#endif +- } +- } +-} +-#endif + /* + * create_home - create the user's home directory + * +@@ -2022,12 +1994,35 @@ int main (int argc, char **argv) + create_mail (); + } + +- close_files (); +- + #ifdef WITH_SELINUX +- selinux_update_mapping (); ++ if (Zflg && *user_selinux) { ++ if 
(is_selinux_enabled () > 0) { ++ const char *argv[7]; ++ ++ argv[0] = "/usr/sbin/semanage"; ++ argv[1] = "login"; ++ argv[2] = "-a"; ++ argv[3] = "-s"; ++ argv[4] = user_selinux; ++ argv[5] = user_name; ++ argv[6] = NULL; ++ if (safe_system (argv[0], argv, NULL, 0)) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++ #ifdef WITH_AUDIT ++ audit_logger (AUDIT_ADD_USER, Prog, ++ "adding SELinux user mapping", ++ user_name, (unsigned int) user_id, 0); ++ #endif ++ fail_exit (E_SE_UPDATE); ++ } ++ } ++ } + #endif + ++ close_files (); ++ + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); + +diff -up shadow-4.1.4.2/src/userdel.c.semange shadow-4.1.4.2/src/userdel.c +--- shadow-4.1.4.2/src/userdel.c.semange 2009-05-22 12:41:12.000000000 +0200 ++++ shadow-4.1.4.2/src/userdel.c 2011-06-28 15:08:46.604254774 +0200 +@@ -82,6 +82,7 @@ static char *user_home; + + static bool fflg = false; + static bool rflg = false; ++static bool Zflg = false; + + static bool is_shadow_pwd; + +@@ -120,6 +121,9 @@ static void usage (void) + " even if not owned by user\n" + " -h, --help display this help message and exit\n" + " -r, --remove remove home directory and mail spool\n" ++#ifdef WITH_SELINUX ++ " -Z, --selinux-user remove SELinux user from SELinux user mapping\n" ++#endif + "\n"), stderr); + exit (E_USAGE); + } +@@ -766,9 +770,17 @@ int main (int argc, char **argv) + {"force", no_argument, NULL, 'f'}, + {"help", no_argument, NULL, 'h'}, + {"remove", no_argument, NULL, 'r'}, ++#ifdef WITH_SELINUX ++ {"selinux-user", required_argument, NULL, 'Z'}, ++#endif + {NULL, 0, NULL, '\0'} + }; +- while ((c = getopt_long (argc, argv, "fhr", ++ while ((c = getopt_long (argc, argv, ++#ifdef WITH_SELINUX ++ "fhrZ", ++#else ++ "fhr", ++#endif + long_options, NULL)) != -1) { + switch (c) { + case 'f': /* force remove even if not owned by user */ +@@ -777,6 +789,19 @@ int main (int argc, char **argv) + case 'r': 
/* remove home dir and mailbox */ + rflg = true; + break; ++#ifdef WITH_SELINUX ++ case 'Z': ++ if (is_selinux_enabled () > 0) { ++ Zflg = true; ++ } else { ++ fprintf (stderr, ++ _("%s: -Z requires SELinux enabled kernel\n"), ++ Prog); ++ ++ exit (E_BAD_ARG); ++ } ++ break; ++#endif + default: + usage (); + } +@@ -975,14 +1000,16 @@ int main (int argc, char **argv) + #endif + + #ifdef WITH_SELINUX - if (is_selinux_enabled () > 0) { - const char *args[5]; - args[0] = "/usr/sbin/semanage"; 
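Review bot: In the userdel.c option table added in this hunk, `{"selinux-user", required_argument, NULL, 'Z'}` disagrees with the getopt string `"fhrZ"` and with the `case 'Z'` body, which never reads optarg, so `--selinux-user` would swallow the next argument (typically the login name) while `-Z` takes none; the entry should read `{"selinux-user", no_argument, NULL, 'Z'},` to match the man page, which documents the option without an argument. In the useradd.c part the semanage call now runs before `close_files ()`, whereas the comment the patch removes said it `must be done after passwd write()`; if the installed semanage validates that the Linux login already exists, the mapping would be rejected for every new user and `fail_exit (E_SE_UPDATE)` would roll the account back, so this ordering is worth confirming. The userdel.8 text also carries a mis-encoded apostrophe (`userĀ´s`), and its statement that "all the occurrences of the SELinux user will be removed" does not describe the code, which runs `semanage login -d` for the single login being deleted. The `main` bodies touched here start and end outside this hunk.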
@@ -14,9 +193,109 @@ diff -up shadow-4.1.4.2/src/userdel.c.semanage shadow-4.1.4.2/src/userdel.c - args[3] = user_name; - args[4] = NULL; - safe_system (args[0], args, NULL, 1); ++ if (Zflg) { ++ if (is_selinux_enabled () > 0) { ++ const char *args[5]; ++ args[0] = "/usr/sbin/semanage"; ++ args[1] = "login"; ++ args[2] = "-d"; ++ args[3] = user_name; ++ args[4] = NULL; ++ safe_system (args[0], args, NULL, 1); ++ } + } + #endif + +diff -up shadow-4.1.4.2/src/usermod.c.semange shadow-4.1.4.2/src/usermod.c +--- shadow-4.1.4.2/src/usermod.c.semange 2011-06-28 15:49:22.897129091 +0200 ++++ shadow-4.1.4.2/src/usermod.c 2011-06-28 15:57:56.509845476 +0200 +@@ -82,6 +82,9 @@ + #define E_GRP_UPDATE 10 /* can't update group file */ + /* #define E_NOSPACE 11 insufficient space to move home dir */ + #define E_HOMEDIR 12 /* unable to complete home dir move */ ++#define E_SE_UPDATE 13 /* can't update SELinux user mapping */ ++ ++ + #define VALID(s) (strcspn (s, ":\n") == strlen (s)) + /* + * Global variables +@@ -151,9 +154,6 @@ static void date_to_str (char *buf, size + static int get_groups (char *); + static void usage (void); + static void new_pwent (struct passwd *); +-#ifdef WITH_SELINUX +-static void selinux_update_mapping (void); +-#endif + + static void new_spent (struct spwd *); + static void fail_exit (int); +@@ -1785,8 +1785,32 @@ int main (int argc, char **argv) + nscd_flush_cache ("group"); + + #ifdef WITH_SELINUX +- if (Zflg) { +- selinux_update_mapping (); ++ if (Zflg && *user_selinux) { ++ if (is_selinux_enabled () > 0) { ++ const char *argv[7]; ++ ++ argv[0] = "/usr/sbin/semanage"; ++ argv[1] = "login"; ++ argv[2] = "-m"; ++ argv[3] = "-s"; ++ argv[4] = user_selinux; ++ argv[5] = user_name; ++ argv[6] = NULL; ++ if (safe_system (argv[0], argv, NULL, 1)) { ++ argv[2] = "-a"; ++ if (safe_system (argv[0], argv, NULL, 0)) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++ #ifdef 
WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "modifying User mapping ", ++ user_name, (unsigned int) user_id, 0); ++ #endif ++ fail_exit (E_SE_UPDATE); ++ } ++ } ++ } + } + #endif + +@@ -1816,34 +1840,3 @@ int main (int argc, char **argv) + return E_SUCCESS; + } + +-#ifdef WITH_SELINUX +-static void selinux_update_mapping (void) { +- const char *argv[7]; +- +- if (is_selinux_enabled () <= 0) return; +- +- if (*user_selinux) { +- argv[0] = "/usr/sbin/semanage"; +- argv[1] = "login"; +- argv[2] = "-m"; +- argv[3] = "-s"; +- argv[4] = user_selinux; +- argv[5] = user_name; +- argv[6] = NULL; +- if (safe_system (argv[0], argv, NULL, 1)) { +- argv[2] = "-a"; +- if (safe_system (argv[0], argv, NULL, 0)) { +- fprintf (stderr, +- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), +- Prog, user_name, user_selinux); +-#ifdef WITH_AUDIT +- audit_logger (AUDIT_USER_CHAUTHTOK, Prog, +- "modifying User mapping ", +- user_name, (unsigned int) user_id, 0); +-#endif +- } +- } - } +-} -#endif - - /* - * Cancel any crontabs or at jobs. Have to do this before we remove - * the entry from /etc/passwd. diff --git a/shadow-utils.spec b/shadow-utils.spec index a797592..0761e82 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.4.2 -Release: 11%{?dist} +Release: 12%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 
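Review bot: The userdel.c block guarded by `Zflg` discards the result of `safe_system (args[0], args, NULL, 1)`, so a failed `semanage login -d` leaves the deleted login's SELinux mapping in place while userdel still exits successfully, and a later account created under the same name would presumably inherit that mapping. Unlike the useradd and usermod paths in this patch, which warn and `fail_exit (E_SE_UPDATE)`, this one should at least report the failure, e.g. `if (safe_system (args[0], args, NULL, 1) != 0) {` / `fprintf (stderr, _("%s: warning: cannot remove SELinux user mapping for %s\n"), Prog, user_name);` / `}` (message text constructed here). In usermod.c the new `E_SE_UPDATE 13` status is not documented in usermod.8, although the useradd.8 hunk documents the corresponding value 14; since the two tools use different numbers for the same condition, usermod.8 should get a matching entry. Both enclosing `main` functions start and end outside this hunk.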
@@ -196,6 +196,12 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Wed Jun 29 2011 Peter Vrabec - 2:4.1.4.2-12 +- userdel option to remove Linux login <-> SELinux login mapping (#639900) +- useradd special exit value if SELinux user mapping is invalid (#639975) +- usermod special exit value if SELinux user mapping is invalid (#639976) + Resolves: #701355 + * Wed Feb 09 2011 Peter Vrabec - 2:4.1.4.2-11 - useradd man page (-m option) - create home directory on fs with noacl