userdel option to remove Linux login <-> SELinux login mapping (#639900)

useradd special exit value if SELinux user mapping is invalid  (#639975)
usermod special exit value if SELinux user mapping is invalid  (#639976)
Resolves: #701355
Peter Vrabec 2011-06-29 16:43:23 +02:00
parent e997448056
commit b0df019716
2 changed files with 294 additions and 9 deletions


@ -1,11 +1,190 @@
diff -up shadow-4.1.4.2/src/userdel.c.semanage shadow-4.1.4.2/src/userdel.c diff -up shadow-4.1.4.2/man/useradd.8.semange shadow-4.1.4.2/man/useradd.8
--- shadow-4.1.4.2/src/userdel.c.semanage 2010-04-28 14:47:25.581366330 +0200 --- shadow-4.1.4.2/man/useradd.8.semange 2011-06-28 15:08:46.583254750 +0200
+++ shadow-4.1.4.2/src/userdel.c 2010-04-28 14:48:08.736376028 +0200 +++ shadow-4.1.4.2/man/useradd.8 2011-06-28 15:08:46.600282568 +0200
@@ -974,18 +974,6 @@ int main (int argc, char **argv) @@ -631,6 +631,11 @@ can\'t create home directory
.RS 4
can\'t create mail spool
.RE
+.PP
+\fI14\fR
+.RS 4
+can\'t update SELinux user mapping
+.RE
.SH "SEE ALSO"
.PP
diff -up shadow-4.1.4.2/man/userdel.8.semange shadow-4.1.4.2/man/userdel.8
--- shadow-4.1.4.2/man/userdel.8.semange 2009-07-24 03:16:45.000000000 +0200
+++ shadow-4.1.4.2/man/userdel.8 2011-06-28 15:08:46.601278956 +0200
@@ -67,6 +67,11 @@ variable in the
login\&.defs
file\&.
.RE
+.PP
+\fB\-Z\fR, \fB\-\-selinux-user\fR
+.RS 4
+Remove SELinux user assigned to the user´s login from SELinux login mapping. Use with caution, all the occurrences of the SELinux user will be removed.
+.RE
.SH "CONFIGURATION"
.PP
The following configuration variables in
diff -up shadow-4.1.4.2/src/useradd.c.semange shadow-4.1.4.2/src/useradd.c
--- shadow-4.1.4.2/src/useradd.c.semange 2011-06-28 15:08:46.577257401 +0200
+++ shadow-4.1.4.2/src/useradd.c 2011-06-28 15:54:22.430084199 +0200
@@ -164,6 +164,7 @@ static bool home_added = false;
#define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't create home directory */
#define E_MAIL_SPOOL 13 /* can't create mail spool */
+#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
#define DGROUP "GROUP="
#define HOME "HOME="
@@ -181,9 +182,6 @@ static int set_defaults (void);
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void);
-#endif
static long scale_age (long);
static void new_spent (struct spwd *);
@@ -1710,32 +1708,6 @@ static void usr_update (void)
} }
#endif }
-#ifdef WITH_SELINUX -#ifdef WITH_SELINUX
-static void selinux_update_mapping (void) {
- if (is_selinux_enabled () <= 0) return;
-
- if (*user_selinux) { /* must be done after passwd write() */
- const char *argv[7];
- argv[0] = "/usr/sbin/semanage";
- argv[1] = "login";
- argv[2] = "-a";
- argv[3] = "-s";
- argv[4] = user_selinux;
- argv[5] = user_name;
- argv[6] = NULL;
- if (safe_system (argv[0], argv, NULL, 0)) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "adding SELinux user mapping",
- user_name, (unsigned int) user_id, 0);
-#endif
- }
- }
-}
-#endif
/*
* create_home - create the user's home directory
*
@@ -2022,12 +1994,35 @@ int main (int argc, char **argv)
create_mail ();
}
- close_files ();
-
#ifdef WITH_SELINUX
- selinux_update_mapping ();
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ const char *argv[7];
+
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-a";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding SELinux user mapping",
+ user_name, (unsigned int) user_id, 0);
+ #endif
+ fail_exit (E_SE_UPDATE);
+ }
+ }
+ }
#endif
+ close_files ();
+
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
diff -up shadow-4.1.4.2/src/userdel.c.semange shadow-4.1.4.2/src/userdel.c
--- shadow-4.1.4.2/src/userdel.c.semange 2009-05-22 12:41:12.000000000 +0200
+++ shadow-4.1.4.2/src/userdel.c 2011-06-28 15:08:46.604254774 +0200
@@ -82,6 +82,7 @@ static char *user_home;
static bool fflg = false;
static bool rflg = false;
+static bool Zflg = false;
static bool is_shadow_pwd;
@@ -120,6 +121,9 @@ static void usage (void)
" even if not owned by user\n"
" -h, --help display this help message and exit\n"
" -r, --remove remove home directory and mail spool\n"
+#ifdef WITH_SELINUX
+ " -Z, --selinux-user remove SELinux user from SELinux user mapping\n"
+#endif
"\n"), stderr);
exit (E_USAGE);
}
@@ -766,9 +770,17 @@ int main (int argc, char **argv)
{"force", no_argument, NULL, 'f'},
{"help", no_argument, NULL, 'h'},
{"remove", no_argument, NULL, 'r'},
+#ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+#endif
{NULL, 0, NULL, '\0'}
};
- while ((c = getopt_long (argc, argv, "fhr",
+ while ((c = getopt_long (argc, argv,
+#ifdef WITH_SELINUX
+ "fhrZ",
+#else
+ "fhr",
+#endif
long_options, NULL)) != -1) {
switch (c) {
case 'f': /* force remove even if not owned by user */
@@ -777,6 +789,19 @@ int main (int argc, char **argv)
case 'r': /* remove home dir and mailbox */
rflg = true;
break;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled () > 0) {
+ Zflg = true;
+ } else {
+ fprintf (stderr,
+ _("%s: -Z requires SELinux enabled kernel\n"),
+ Prog);
+
+ exit (E_BAD_ARG);
+ }
+ break;
+#endif
default:
usage ();
}
@@ -975,14 +1000,16 @@ int main (int argc, char **argv)
#endif
#ifdef WITH_SELINUX
- if (is_selinux_enabled () > 0) { - if (is_selinux_enabled () > 0) {
- const char *args[5]; - const char *args[5];
- args[0] = "/usr/sbin/semanage"; - args[0] = "/usr/sbin/semanage";
@ -14,9 +193,109 @@ diff -up shadow-4.1.4.2/src/userdel.c.semanage shadow-4.1.4.2/src/userdel.c
- args[3] = user_name; - args[3] = user_name;
- args[4] = NULL; - args[4] = NULL;
- safe_system (args[0], args, NULL, 1); - safe_system (args[0], args, NULL, 1);
+ if (Zflg) {
+ if (is_selinux_enabled () > 0) {
+ const char *args[5];
+ args[0] = "/usr/sbin/semanage";
+ args[1] = "login";
+ args[2] = "-d";
+ args[3] = user_name;
+ args[4] = NULL;
+ safe_system (args[0], args, NULL, 1);
+ }
}
#endif
diff -up shadow-4.1.4.2/src/usermod.c.semange shadow-4.1.4.2/src/usermod.c
--- shadow-4.1.4.2/src/usermod.c.semange 2011-06-28 15:49:22.897129091 +0200
+++ shadow-4.1.4.2/src/usermod.c 2011-06-28 15:57:56.509845476 +0200
@@ -82,6 +82,9 @@
#define E_GRP_UPDATE 10 /* can't update group file */
/* #define E_NOSPACE 11 insufficient space to move home dir */
#define E_HOMEDIR 12 /* unable to complete home dir move */
+#define E_SE_UPDATE 13 /* can't update SELinux user mapping */
+
+
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
/*
* Global variables
@@ -151,9 +154,6 @@ static void date_to_str (char *buf, size
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void);
-#endif
static void new_spent (struct spwd *);
static void fail_exit (int);
@@ -1785,8 +1785,32 @@ int main (int argc, char **argv)
nscd_flush_cache ("group");
#ifdef WITH_SELINUX
- if (Zflg) {
- selinux_update_mapping ();
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ const char *argv[7];
+
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-m";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 1)) {
+ argv[2] = "-a";
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying User mapping ",
+ user_name, (unsigned int) user_id, 0);
+ #endif
+ fail_exit (E_SE_UPDATE);
+ }
+ }
+ }
}
#endif
@@ -1816,34 +1840,3 @@ int main (int argc, char **argv)
return E_SUCCESS;
}
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void) {
- const char *argv[7];
-
- if (is_selinux_enabled () <= 0) return;
-
- if (*user_selinux) {
- argv[0] = "/usr/sbin/semanage";
- argv[1] = "login";
- argv[2] = "-m";
- argv[3] = "-s";
- argv[4] = user_selinux;
- argv[5] = user_name;
- argv[6] = NULL;
- if (safe_system (argv[0], argv, NULL, 1)) {
- argv[2] = "-a";
- if (safe_system (argv[0], argv, NULL, 0)) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
- "modifying User mapping ",
- user_name, (unsigned int) user_id, 0);
-#endif
- }
- }
- } - }
-}
-#endif -#endif
- -
/*
* Cancel any crontabs or at jobs. Have to do this before we remove
* the entry from /etc/passwd.
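Review bot: In userdel.c the new long option is declared `{"selinux-user", required_argument, NULL, 'Z'},` while the short option string is "fhrZ" with no colon and `case 'Z'` never reads optarg, so `--selinux-user` consumes the following argument (normally the login name) as its value; the userdel.8 text in the same patch documents -Z as a bare flag, so the entry should read `{"selinux-user", no_argument, NULL, 'Z'},`. In useradd.c the semanage call is moved ahead of close_files(), yet the helper being deleted carried the comment "must be done after passwd write()"; if the semanage tool checks that the login exists in the passwd database, the mapping will fail for every new account and useradd will always exit with E_SE_UPDATE, so this ordering needs confirming, and if running before close_files() is deliberate so that fail_exit() can roll the account back, say so with a comment such as `/* before close_files() so fail_exit() can still roll back the new account */`. In usermod.c the new E_SE_UPDATE exit appears to run after the account files have been written and the nscd cache flushed, so the passwd change is already committed when failure is reported; this is worth stating in the usermod.8 exit-values section, which the patch leaves untouched even though useradd.8 gains value 14 while usermod defines E_SE_UPDATE as 13. The main() bodies touched in useradd.c, userdel.c and usermod.c all start and end outside these hunks.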


@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils Name: shadow-utils
Version: 4.1.4.2 Version: 4.1.4.2
Release: 11%{?dist} Release: 12%{?dist}
Epoch: 2 Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/ URL: http://pkg-shadow.alioth.debian.org/
Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
@ -196,6 +196,12 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/vigr.8* %{_mandir}/man8/vigr.8*
%changelog %changelog
* Wed Jun 29 2011 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.2-12
- userdel option to remove Linux login <-> SELinux login mapping (#639900)
- useradd special exit value if SELinux user mapping is invalid (#639975)
- usermod special exit value if SELinux user mapping is invalid (#639976)
Resolves: #701355
* Wed Feb 09 2011 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.2-11 * Wed Feb 09 2011 Peter Vrabec <pvrabec@redhat.com> - 2:4.1.4.2-11
- useradd man page (-m option) - useradd man page (-m option)
- create home directory on fs with noacl - create home directory on fs with noacl