update auditing to cover more events and fix some incorrect audit records

(auditing patch by Steve Grubb (#1151580))
- apply the same new allocation algorithm to uids as for gids
This commit is contained in:
Tomas Mraz 2014-10-17 17:03:29 +02:00
parent af13db915f
commit e1ce821d45
3 changed files with 2861 additions and 27 deletions

File diff suppressed because it is too large Load diff

View file

@ -1,8 +1,3 @@
From e551be23be24508ecf5c8afdf74fd69b88832ecd Mon Sep 17 00:00:00 2001
From: Stephen Gallagher <sgallagh@redhat.com>
Date: Mon, 9 Jun 2014 10:34:02 -0400
Subject: [PATCH] Redesign automatic GID allocation
Previously, this allocation was optimized for an outdated
deployment style (that of /etc/group alongside nss_db). The issue
here is that this results in extremely poor performance when using
@ -44,14 +39,13 @@ we come to the first unused GID. We then select that and return it.
If we make it through all the remaining IDs without finding a free
one, we start over from the beginning of the range and try to find
room in one of the gaps in the range.
---
libmisc/find_new_gid.c | 533 +++++++++++++++++++++++++++++++++++++------------
1 file changed, 407 insertions(+), 126 deletions(-)
diff --git a/libmisc/find_new_gid.c b/libmisc/find_new_gid.c
index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b814763a16 100644
--- a/libmisc/find_new_gid.c
+++ b/libmisc/find_new_gid.c
The patch was originally written by Stephen Gallagher and applied
identically also to the user allocation by Tomáš Mráz.
diff -up shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_gid.c
--- shadow-4.1.5.1/libmisc/find_new_gid.c.id-alloc 2014-09-10 10:25:41.165524986 +0200
+++ shadow-4.1.5.1/libmisc/find_new_gid.c 2014-09-10 10:25:41.195525677 +0200
@@ -39,6 +39,118 @@
#include "getdef.h"
@ -302,6 +296,11 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8
- free (used_gids);
- return 0;
- }
-
- /* if we did not find free preffered system gid, we start to look for
- * one in the range assigned to dynamic system IDs */
- if (sys_group)
- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
+ /* First look for the lowest and highest value in the local database */
+ (void) gr_rewind ();
+ highest_found = gid_min;
@ -326,11 +325,7 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8
+ /* create index of used GIDs */
+ if (grp->gr_gid >= gid_min
+ && grp->gr_gid <= gid_max) {
- /* if we did not find free preffered system gid, we start to look for
- * one in the range assigned to dynamic system IDs */
- if (sys_group)
- gid_min = (gid_t) getdef_ulong ("SYS_GID_MIN", 101UL);
+
+ used_gids[grp->gr_gid] = true;
+ }
+ }
@ -350,16 +345,17 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8
- * Since there is a limited amount of IDs to be tested
- * for system accounts, we just check the existence
- * of IDs with getgrgid.
+ /*
+ * For system groups, we want to start from the
+ * top of the range and work downwards.
*/
- */
- group_id = gid_max;
- for (id = gid_max; id >= gid_min; id--) {
- if (getgrgid (id) != NULL) {
- group_id = id - 1;
- used_gids[id] = true;
- }
+ /*
+ * For system groups, we want to start from the
+ * top of the range and work downwards.
+ */
+
+ /*
+ * At the conclusion of the gr_next() search, we will either
@ -637,6 +633,587 @@ index 05f5622edb79069d9a43d3f9c69a463b6b71141a..25900dd12874e46e5efdfcf7c895f6b8
+ return -1;
}
--
1.9.3
diff -up shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc shadow-4.1.5.1/libmisc/find_new_uid.c
--- shadow-4.1.5.1/libmisc/find_new_uid.c.id-alloc 2011-07-29 17:39:16.000000000 +0200
+++ shadow-4.1.5.1/libmisc/find_new_uid.c 2014-10-17 16:52:30.481217270 +0200
@@ -39,6 +39,118 @@
#include "getdef.h"
/*
+ * get_ranges - Get the minimum and maximum ID ranges for the search
+ *
+ * This function will return the minimum and maximum ranges for IDs
+ *
+ * 0: The function completed successfully
+ * EINVAL: The provided ranges are impossible (such as maximum < minimum)
+ *
+ * preferred_min: The special-case minimum value for a specifically-
+ * requested ID, which may be lower than the standard min_id
+ */
+static int get_ranges(bool sys_user, uid_t *min_id, uid_t *max_id,
+ uid_t *preferred_min)
+{
+ uid_t uid_def_max = 0;
+
+ if (sys_user) {
+ /* System users */
+
+ /* A requested ID is allowed to be below the autoselect range */
+ *preferred_min = (uid_t) 1;
+
+ /* Get the minimum ID range from login.defs or default to 101 */
+ *min_id = (uid_t) getdef_ulong("SYS_UID_MIN", 101UL);
+
+ /*
+ * If SYS_UID_MAX is unspecified, we should assume it to be one
+ * less than the UID_MIN (which is reserved for non-system accounts)
+ */
+ uid_def_max = (uid_t) getdef_ulong("UID_MIN", 1000UL) - 1;
+ *max_id = (uid_t) getdef_ulong("SYS_UID_MAX",
+ (unsigned long) uid_def_max);
+
+ /* Check that the ranges make sense */
+ if (*max_id < *min_id) {
+ (void) fprintf (stderr,
+ _("%s: Invalid configuration: SYS_UID_MIN (%lu), "
+ "UID_MIN (%lu), SYS_UID_MAX (%lu)\n"),
+ Prog, (unsigned long) *min_id,
+ getdef_ulong ("UID_MIN", 1000UL),
+ (unsigned long) *max_id);
+ return EINVAL;
+ }
+ } else {
+ /* Non-system users */
+
+ /* Get the values from login.defs or use reasonable defaults */
+ *min_id = (uid_t) getdef_ulong("UID_MIN", 1000UL);
+ *max_id = (uid_t) getdef_ulong("UID_MAX", 60000UL);
+
+ /*
+ * The preferred minimum should match the standard ID minimum
+ * for non-system users.
+ */
+ *preferred_min = *min_id;
+
+ /* Check that the ranges make sense */
+ if (*max_id < *min_id) {
+ (void) fprintf(stderr,
+ _("%s: Invalid configuration: UID_MIN (%lu), "
+ "UID_MAX (%lu)\n"),
+ Prog, (unsigned long) *min_id,
+ (unsigned long) *max_id);
+ return EINVAL;
+ }
+ }
+
+ return 0;
+}
+
+/*
+ * check_uid - See if the requested UID is available
+ *
+ * On success, return 0
+ * If the ID is in use, return EEXIST
+ * If the ID is outside the range, return ERANGE
+ * In other cases, return errno from getpwuid()
+ */
+static int check_uid(const uid_t uid,
+ const uid_t uid_min,
+ const uid_t uid_max,
+ bool *used_uids)
+{
+ /* First test that the preferred ID is in the range */
+ if (uid < uid_min || uid > uid_max) {
+ return ERANGE;
+ }
+
+ /*
+ * Check whether we already detected this UID
+ * using the pw_next() loop
+ */
+ if (used_uids != NULL && used_uids[uid]) {
+ return EEXIST;
+ }
+ /* Check if the UID exists according to NSS */
+ errno = 0;
+ if (getpwuid(uid) != NULL) {
+ return EEXIST;
+ } else {
+ /* getpwuid() was NULL, check whether this was
+ * due to an error, so we can report it.
+ */
+ /* ignore errors for now * if (errno != 0) {
+ return errno;
+ } */
+ }
+
+ /* If we've made it here, the UID must be available */
+ return 0;
+}
+
+/*
* find_new_uid - Find a new unused UID.
*
* If successful, find_new_uid provides an unused user ID in the
@@ -48,162 +160,339 @@
*
* Return 0 on success, -1 if no unused UIDs are available.
*/
-int find_new_uid (bool sys_user,
- uid_t *uid,
- /*@null@*/uid_t const *preferred_uid)
+int find_new_uid(bool sys_user,
+ uid_t *uid,
+ /*@null@*/uid_t const *preferred_uid)
{
- const struct passwd *pwd;
- uid_t uid_min, uid_max, user_id;
bool *used_uids;
+ const struct passwd *pwd;
+ uid_t uid_min, uid_max, preferred_min;
+ uid_t user_id, id;
+ uid_t lowest_found, highest_found;
+ int result;
+ int nospam = 0;
assert (uid != NULL);
- if (!sys_user) {
- uid_min = (uid_t) getdef_ulong ("UID_MIN", 1000UL);
- uid_max = (uid_t) getdef_ulong ("UID_MAX", 60000UL);
- if (uid_max < uid_min) {
- (void) fprintf (stderr,
- _("%s: Invalid configuration: UID_MIN (%lu), UID_MAX (%lu)\n"),
- Prog, (unsigned long) uid_min, (unsigned long) uid_max);
- return -1;
- }
- } else {
- uid_min = (uid_t) getdef_ulong ("SYS_UID_MIN", 101UL);
- uid_max = (uid_t) getdef_ulong ("UID_MIN", 1000UL) - 1;
- uid_max = (uid_t) getdef_ulong ("SYS_UID_MAX", (unsigned long) uid_max);
- if (uid_max < uid_min) {
- (void) fprintf (stderr,
- _("%s: Invalid configuration: SYS_UID_MIN (%lu), UID_MIN (%lu), SYS_UID_MAX (%lu)\n"),
- Prog, (unsigned long) uid_min, getdef_ulong ("UID_MIN", 1000UL), (unsigned long) uid_max);
+ /*
+ * First, figure out what ID range is appropriate for
+ * automatic assignment
+ */
+ result = get_ranges(sys_user, &uid_min, &uid_max, &preferred_min);
+ if (result == EINVAL) {
+ return -1;
+ }
+
+ /* Check if the preferred UID is available */
+ if (preferred_uid) {
+ result = check_uid(*preferred_uid, preferred_min, uid_max, NULL);
+ if (result == 0) {
+ /*
+ * Make sure the UID isn't queued for use already
+ */
+ if (pw_locate_uid (*preferred_uid) == NULL) {
+ *uid = *preferred_uid;
+ return 0;
+ }
+ /*
+ * pw_locate_uid() found the UID in an as-yet uncommitted
+ * entry. We'll proceed below and auto-set an UID.
+ */
+ } else if (result == EEXIST || result == ERANGE) {
+ /*
+ * Continue on below. At this time, we won't
+ * treat these two cases differently.
+ */
+ } else {
+ /*
+ * An unexpected error occurred. We should report
+ * this and fail the user creation.
+ * This differs from the automatic creation
+ * behavior below, since if a specific UID was
+ * requested and generated an error, the user is
+ * more likely to want to stop and address the
+ * issue.
+ */
+ fprintf(stderr,
+ _("%s: Encountered error attempting to use "
+ "preferred UID: %s\n"),
+ Prog, strerror(result));
return -1;
}
}
+
+ /*
+ * Search the entire passwd file,
+ * looking for the next unused value.
+ *
+ * We first check the local database with pw_rewind/pw_next to find
+ * all local values that are in use.
+ *
+ * We then compare the next free value to all databases (local and
+ * remote) and iterate until we find a free one. If there are free
+ * values beyond the lowest (system users) or highest (non-system
+ * users), we will prefer those and avoid potentially reclaiming a
+ * deleted user (which can be a security issue, since it may grant
+ * access to files belonging to that former user).
+ *
+ * If there are no UIDs available at the end of the search, we will
+ * have no choice but to iterate through the range looking for gaps.
+ *
+ */
+
+ /* Create an array to hold all of the discovered UIDs */
used_uids = malloc (sizeof (bool) * (uid_max +1));
if (NULL == used_uids) {
fprintf (stderr,
- _("%s: failed to allocate memory: %s\n"),
- Prog, strerror (errno));
+ _("%s: failed to allocate memory: %s\n"),
+ Prog, strerror (errno));
return -1;
}
memset (used_uids, false, sizeof (bool) * (uid_max + 1));
- if ( (NULL != preferred_uid)
- && (*preferred_uid >= uid_min)
- && (*preferred_uid <= uid_max)
- /* Check if the user exists according to NSS */
- && (getpwuid (*preferred_uid) == NULL)
- /* Check also the local database in case of uncommitted
- * changes */
- && (pw_locate_uid (*preferred_uid) == NULL)) {
- *uid = *preferred_uid;
- free (used_uids);
- return 0;
- }
+ /* First look for the lowest and highest value in the local database */
+ (void) pw_rewind ();
+ highest_found = uid_min;
+ lowest_found = uid_max;
+ while ((pwd = pw_next ()) != NULL) {
+ /*
+ * Does this entry have a lower UID than the lowest we've found
+ * so far?
+ */
+ if ((pwd->pw_uid <= lowest_found) && (pwd->pw_uid >= uid_min)) {
+ lowest_found = pwd->pw_uid - 1;
+ }
+ /*
+ * Does this entry have a higher UID than the highest we've found
+ * so far?
+ */
+ if ((pwd->pw_uid >= highest_found) && (pwd->pw_uid <= uid_max)) {
+ highest_found = pwd->pw_uid + 1;
+ }
+
+ /* create index of used UIDs */
+ if (pwd->pw_uid >= uid_min
+ && pwd->pw_uid <= uid_max) {
+
+ used_uids[pwd->pw_uid] = true;
+ }
+ }
- /*
- * Search the entire password file,
- * looking for the largest unused value.
- *
- * We check the list of users according to NSS (setpwent/getpwent),
- * but we also check the local database (pw_rewind/pw_next) in case
- * some users were created but the changes were not committed yet.
- */
if (sys_user) {
- uid_t id;
- /* setpwent / getpwent / endpwent can be very slow with
- * LDAP configurations (and many accounts).
- * Since there is a limited amount of IDs to be tested
- * for system accounts, we just check the existence
- * of IDs with getpwuid.
- */
- user_id = uid_max;
- for (id = uid_max; id >= uid_min; id--) {
- if (getpwuid (id) != NULL) {
- user_id = id - 1;
- used_uids[id] = true;
- }
+ /*
+ * For system users, we want to start from the
+ * top of the range and work downwards.
+ */
+
+ /*
+ * At the conclusion of the pw_next() search, we will either
+ * have a presumed-free UID or we will be at UID_MIN - 1.
+ */
+ if (lowest_found < uid_min) {
+ /*
+ * In this case, an UID is in use at UID_MIN.
+ *
+ * We will reset the search to UID_MAX and proceed down
+ * through all the UIDs (skipping those we detected with
+ * used_uids) for a free one. It is a known issue that
+ * this may result in reusing a previously-deleted UID,
+ * so administrators should be instructed to use this
+ * auto-detection with care (and prefer to assign UIDs
+ * explicitly).
+ */
+ lowest_found = uid_max;
}
- (void) pw_rewind ();
- while ((pwd = pw_next ()) != NULL) {
- if ((pwd->pw_uid <= user_id) && (pwd->pw_uid >= uid_min)) {
- user_id = pwd->pw_uid - 1;
- }
- /* create index of used UIDs */
- if (pwd->pw_uid <= uid_max) {
- used_uids[pwd->pw_uid] = true;
+ /* Search through all of the IDs in the range */
+ for (id = lowest_found; id >= uid_min; id--) {
+ result = check_uid(id, uid_min, uid_max, used_uids);
+ if (result == 0) {
+ /* This UID is available. Return it. */
+ *uid = id;
+ free(used_uids);
+ return 0;
+ } else if (result == EEXIST) {
+ /* This UID is in use, we'll continue to the next */
+ } else {
+ /*
+ * An unexpected error occurred.
+ *
+ * Only report it the first time to avoid spamming
+ * the logs
+ *
+ */
+ if (!nospam) {
+ fprintf(stderr,
+ _("%s: Can't get unique system UID (%s). "
+ "Suppressing additional messages.\n"),
+ Prog, strerror(result));
+ SYSLOG((LOG_ERR,
+ "Error checking available UIDs: %s",
+ strerror(result)));
+ nospam = 1;
+ }
+ /*
+ * We will continue anyway. Hopefully a later UID
+ * will work properly.
+ */
}
}
- } else {
- user_id = uid_min;
- setpwent ();
- while ((pwd = getpwent ()) != NULL) {
- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) {
- user_id = pwd->pw_uid + 1;
- }
- /* create index of used UIDs */
- if (pwd->pw_uid <= uid_max) {
- used_uids[pwd->pw_uid] = true;
+
+ /*
+ * If we get all the way through the loop, try again from UID_MAX,
+ * unless that was where we previously started. (NOTE: the worst-case
+ * scenario here is that we will run through (UID_MAX - UID_MIN - 1)
+ * cycles *again* if we fall into this case with lowest_found as
+ * UID_MAX - 1, all users in the range in use and maintained by
+ * network services such as LDAP.)
+ */
+ if (lowest_found != uid_max) {
+ for (id = uid_max; id >= uid_min; id--) {
+ result = check_uid(id, uid_min, uid_max, used_uids);
+ if (result == 0) {
+ /* This UID is available. Return it. */
+ *uid = id;
+ free(used_uids);
+ return 0;
+ } else if (result == EEXIST) {
+ /* This UID is in use, we'll continue to the next */
+ } else {
+ /*
+ * An unexpected error occurred.
+ *
+ * Only report it the first time to avoid spamming
+ * the logs
+ *
+ */
+ if (!nospam) {
+ fprintf(stderr,
+ _("%s: Can't get unique system UID (%s). "
+ "Suppressing additional messages.\n"),
+ Prog, strerror(result));
+ SYSLOG((LOG_ERR,
+ "Error checking available UIDs: %s",
+ strerror(result)));
+ nospam = 1;
+ }
+ /*
+ * We will continue anyway. Hopefully a later UID
+ * will work properly.
+ */
+ }
}
}
- endpwent ();
+ } else { /* !sys_user */
+ /*
+ * For non-system users, we want to start from the
+ * bottom of the range and work upwards.
+ */
- (void) pw_rewind ();
- while ((pwd = pw_next ()) != NULL) {
- if ((pwd->pw_uid >= user_id) && (pwd->pw_uid <= uid_max)) {
- user_id = pwd->pw_uid + 1;
- }
- /* create index of used UIDs */
- if (pwd->pw_uid <= uid_max) {
- used_uids[pwd->pw_uid] = true;
- }
+ /*
+ * At the conclusion of the pw_next() search, we will either
+ * have a presumed-free UID or we will be at UID_MAX + 1.
+ */
+ if (highest_found > uid_max) {
+ /*
+ * In this case, a UID is in use at UID_MAX.
+ *
+ * We will reset the search to UID_MIN and proceed up
+ * through all the UIDs (skipping those we detected with
+ * used_uids) for a free one. It is a known issue that
+ * this may result in reusing a previously-deleted UID,
+ * so administrators should be instructed to use this
+ * auto-detection with care (and prefer to assign UIDs
+ * explicitly).
+ */
+ highest_found = uid_min;
}
- }
- /*
- * If a user (resp. system user) with UID equal to UID_MAX (resp.
- * UID_MIN) exists, the above algorithm will give us UID_MAX+1
- * (resp. UID_MIN-1) even if not unique. Search for the first free
- * UID starting with UID_MIN (resp. UID_MAX).
- */
- if (sys_user) {
- if (user_id < uid_min) {
- for (user_id = uid_max; user_id >= uid_min; user_id--) {
- if (false == used_uids[user_id]) {
- break;
+ /* Search through all of the IDs in the range */
+ for (id = highest_found; id <= uid_max; id++) {
+ result = check_uid(id, uid_min, uid_max, used_uids);
+ if (result == 0) {
+ /* This UID is available. Return it. */
+ *uid = id;
+ free(used_uids);
+ return 0;
+ } else if (result == EEXIST) {
+ /* This UID is in use, we'll continue to the next */
+ } else {
+ /*
+ * An unexpected error occurred.
+ *
+ * Only report it the first time to avoid spamming
+ * the logs
+ *
+ */
+ if (!nospam) {
+ fprintf(stderr,
+ _("%s: Can't get unique UID (%s). "
+ "Suppressing additional messages.\n"),
+ Prog, strerror(result));
+ SYSLOG((LOG_ERR,
+ "Error checking available UIDs: %s",
+ strerror(result)));
+ nospam = 1;
}
- }
- if (user_id < uid_min ) {
- fprintf (stderr,
- _("%s: Can't get unique system UID (no more available UIDs)\n"),
- Prog);
- SYSLOG ((LOG_WARN,
- "no more available UID on the system"));
- free (used_uids);
- return -1;
+ /*
+ * We will continue anyway. Hopefully a later UID
+ * will work properly.
+ */
}
}
- } else {
- if (user_id > uid_max) {
- for (user_id = uid_min; user_id <= uid_max; user_id++) {
- if (false == used_uids[user_id]) {
- break;
+
+ /*
+ * If we get all the way through the loop, try again from UID_MIN,
+ * unless that was where we previously started. (NOTE: the worst-case
+ * scenario here is that we will run through (UID_MAX - UID_MIN - 1)
+ * cycles *again* if we fall into this case with highest_found as
+ * UID_MIN + 1, all users in the range in use and maintained by
+ * network services such as LDAP.)
+ */
+ if (highest_found != uid_min) {
+ for (id = uid_min; id <= uid_max; id++) {
+ result = check_uid(id, uid_min, uid_max, used_uids);
+ if (result == 0) {
+ /* This UID is available. Return it. */
+ *uid = id;
+ free(used_uids);
+ return 0;
+ } else if (result == EEXIST) {
+ /* This UID is in use, we'll continue to the next */
+ } else {
+ /*
+ * An unexpected error occurred.
+ *
+ * Only report it the first time to avoid spamming
+ * the logs
+ *
+ */
+ if (!nospam) {
+ fprintf(stderr,
+ _("%s: Can't get unique UID (%s). "
+ "Suppressing additional messages.\n"),
+ Prog, strerror(result));
+ SYSLOG((LOG_ERR,
+ "Error checking available UIDs: %s",
+ strerror(result)));
+ nospam = 1;
+ }
+ /*
+ * We will continue anyway. Hopefully a later UID
+ * will work properly.
+ */
}
}
- if (user_id > uid_max) {
- fprintf (stderr,
- _("%s: Can't get unique UID (no more available UIDs)\n"),
- Prog);
- SYSLOG ((LOG_WARN, "no more available UID on the system"));
- free (used_uids);
- return -1;
- }
}
}
- free (used_uids);
- *uid = user_id;
- return 0;
+ /* The code reached here and found no available IDs in the range */
+ fprintf(stderr,
+ _("%s: Can't get unique UID (no more available UIDs)\n"),
+ Prog);
+ SYSLOG((LOG_WARN, "no more available UIDs on the system"));
+ free(used_uids);
+ return -1;
}

View file

@ -1,7 +1,7 @@
Summary: Utilities for managing accounts and shadow password files
Name: shadow-utils
Version: 4.1.5.1
Release: 20%{?dist}
Release: 21%{?dist}
Epoch: 2
URL: http://pkg-shadow.alioth.debian.org/
Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
@ -26,10 +26,11 @@ Patch14: shadow-4.1.5.1-default-range.patch
Patch15: shadow-4.1.5.1-manfix.patch
Patch16: shadow-4.1.5.1-crypt-null.patch
Patch17: shadow-4.1.5.1-userdel-helpfix.patch
Patch18: shadow-4.1.5.1-group-alloc.patch
Patch18: shadow-4.1.5.1-id-alloc.patch
Patch19: shadow-4.1.5.1-date-parsing.patch
Patch20: shadow-4.1.5.1-ingroup.patch
Patch21: shadow-4.1.5.1-move-home.patch
Patch22: shadow-4.1.5.1-audit-update.patch
License: BSD and GPLv2+
Group: System Environment/Base
@ -75,10 +76,11 @@ are used for managing group accounts.
%patch15 -p1 -b .manfix
%patch16 -p1 -b .crypt-null
%patch17 -p1 -b .userdel
%patch18 -p1 -b .group-alloc
%patch18 -p1 -b .id-alloc
%patch19 -p1 -b .date-parsing
%patch20 -p1 -b .ingroup
%patch21 -p1 -b .move-home
%patch22 -p1 -b .audit-update
iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
cp -f doc/HOWTO.utf8 doc/HOWTO
@ -236,6 +238,11 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/vigr.8*
%changelog
* Fri Oct 17 2014 Tomáš Mráz <tmraz@redhat.com> - 2:4.1.5.1-21
- update auditing to cover more events and fix some incorrect audit
records - patch by Steve Grubb (#1151580)
- apply the same new allocation algorithm to uids as for gids
* Wed Sep 10 2014 Tomas Mraz <tmraz@redhat.com> - 2:4.1.5.1-20
- discard obsolete matchpathcon cache after semanage_commit()