diff -up shadow-4.1.4.3/lib/Makefile.in.libsemanage shadow-4.1.4.3/lib/Makefile.in --- shadow-4.1.4.3/lib/Makefile.in.libsemanage 2011-02-15 23:18:15.000000000 +0100 +++ shadow-4.1.4.3/lib/Makefile.in 2011-11-09 14:11:26.455362101 +0100 @@ -52,7 +52,7 @@ am_libshadow_la_OBJECTS = commonio.lo en groupio.lo groupmem.lo gshadow.lo lockpw.lo nscd.lo port.lo \ pwauth.lo pwio.lo pwmem.lo sgetgrent.lo sgetpwent.lo \ sgetspent.lo sgroupio.lo shadow.lo shadowio.lo shadowmem.lo \ - utent.lo + utent.lo selinux.lo libshadow_la_OBJECTS = $(am_libshadow_la_OBJECTS) libshadow_la_LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) \ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \ @@ -202,7 +202,6 @@ libdir = @libdir@ libexecdir = @libexecdir@ localedir = @localedir@ localstatedir = @localstatedir@ -lt_ECHO = @lt_ECHO@ mandir = @mandir@ mkdir_p = @mkdir_p@ oldincludedir = @oldincludedir@ @@ -261,7 +260,8 @@ libshadow_la_SOURCES = \ shadowio.c \ shadowio.h \ shadowmem.c \ - utent.c + utent.c \ + selinux.c # These files are unneeded for some reason, listed in @@ -349,6 +349,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shadow.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shadowio.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/shadowmem.Plo@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/selinux.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/utent.Plo@am__quote@ .c.o: diff -up shadow-4.1.4.3/libmisc/Makefile.in.libsemanage shadow-4.1.4.3/libmisc/Makefile.in --- shadow-4.1.4.3/libmisc/Makefile.in.libsemanage 2011-02-15 23:18:16.000000000 +0100 +++ shadow-4.1.4.3/libmisc/Makefile.in 2011-11-09 14:11:26.456362098 +0100 
@@ -64,7 +64,7 @@ am_libmisc_a_OBJECTS = addgrps.$(OBJEXT) pam_pass_non_interractive.$(OBJEXT) pwd2spwd.$(OBJEXT) \ pwdcheck.$(OBJEXT) pwd_init.$(OBJEXT) rlogin.$(OBJEXT) \ salt.$(OBJEXT) setugid.$(OBJEXT) setupenv.$(OBJEXT) \ - shell.$(OBJEXT) system.$(OBJEXT) strtoday.$(OBJEXT) \ + shell.$(OBJEXT) strtoday.$(OBJEXT) \ sub.$(OBJEXT) sulog.$(OBJEXT) ttytype.$(OBJEXT) tz.$(OBJEXT) \ ulimit.$(OBJEXT) user_busy.$(OBJEXT) utmp.$(OBJEXT) \ valid.$(OBJEXT) xgetpwnam.$(OBJEXT) xgetpwuid.$(OBJEXT) \ @@ -284,7 +284,6 @@ libmisc_a_SOURCES = \ setugid.c \ setupenv.c \ shell.c \ - system.c \ strtoday.c \ sub.c \ sulog.c \ @@ -394,7 +393,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/strtoday.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sub.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/sulog.Po@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/system.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ttytype.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/tz.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/ulimit.Po@am__quote@ diff -up shadow-4.1.4.3/libmisc/system.c.libsemanage shadow-4.1.4.3/libmisc/system.c --- shadow-4.1.4.3/libmisc/system.c.libsemanage 2011-02-13 18:58:11.000000000 +0100 +++ shadow-4.1.4.3/libmisc/system.c 2011-11-09 14:11:26.457362095 +0100 
@@ -1,72 +0,0 @@
-/*
- * Copyright (c) 2009 , Dan Walsh
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- * 3. The name of the copyright holders or contributors may not be used to
- * endorse or promote products derived from this software without
- * specific prior written permission.
- *
- * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
- * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
- * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
- * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
- * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */ -#include - -#ident "$Id: system.c 2849 2009-04-30 21:08:49Z nekral-guest $" - -#include -#include -#include -#include "prototypes.h" -#include "defines.h" - -int safe_system (const char *command, - const char *argv[], - const char *env[], - int ignore_stderr) -{ - int status = -1; - int fd; - pid_t pid; - - pid = fork(); - if (pid < 0) { - return -1; - } - - if (pid) { /* Parent */ - if (waitpid (pid, &status, 0) > 0) { - return status; - } else { - return -1; - } - } - - fd = open ("/dev/null", O_RDWR); - /* Child */ - dup2 (fd, 0); // Close Stdin - if (ignore_stderr) { - dup2 (fd, 2); // Close Stderr - } - - execve (command, (char *const *) argv, (char *const *) env); - fprintf (stderr, _("Failed to exec '%s'\n"), argv[0]); - exit (EXIT_FAILURE); -} - diff -up shadow-4.1.4.3/lib/prototypes.h.libsemanage shadow-4.1.4.3/lib/prototypes.h --- shadow-4.1.4.3/lib/prototypes.h.libsemanage 2011-02-13 18:58:23.000000000 +0100 +++ shadow-4.1.4.3/lib/prototypes.h 2011-11-09 14:11:26.457362095 +0100 @@ -331,12 +331,6 @@ extern void spw_free (/*@out@*/ /*@only@ /* shell.c */ extern int shell (const char *file, /*@null@*/const char *arg, char *const envp[]); -/* system.c */ -extern int safe_system (const char *command, - const char *argv[], - const char *env[], - int ignore_stderr); - /* strtoday.c */ extern long strtoday (const char *); @@ -403,4 +397,8 @@ extern /*@null@*/ /*@only@*/struct spwd /* yesno.c */ extern bool yes_or_no (bool read_only); +/* selinux.c */ +int set_seuser(const char *login_name, const char *seuser_name); +int del_seuser(const char *login_name); + #endif /* _PROTOTYPES_H */ diff -up shadow-4.1.4.3/lib/selinux.c.libsemanage shadow-4.1.4.3/lib/selinux.c --- shadow-4.1.4.3/lib/selinux.c.libsemanage 2011-11-09 14:11:26.458362092 +0100 +++ shadow-4.1.4.3/lib/selinux.c 2011-11-09 14:11:26.458362092 +0100 
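Review bot: The `/* selinux.c */` prototypes for `set_seuser` and `del_seuser` in prototypes.h are declared unconditionally and without `extern`, while every caller in this patch (useradd.c, userdel.c, usermod.c) sits inside `#ifdef WITH_SELINUX`. selinux.c is likewise added to `libshadow_la_SOURCES`, and `-lsemanage` to the three `*_LDADD` lines, with no condition, so a build configured without SELinux would presumably fail on the libsemanage types and the link flag. Wrapping the declarations (and the body of selinux.c) in `#ifdef WITH_SELINUX` … `#endif`, and writing them as `extern int set_seuser (const char *login_name, const char *seuser_name);`, would match the rest of the header.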
@@ -0,0 +1,341 @@
+/*
+ shadow-utils
+
+ su-selinux.c
+
+ Copyright (C) Jakub Hrozek 2010
+ Copyright (C) Peter Vrabec 2011
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 3 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+*/
+
+#include
+
+#include "defines.h"
+
+#include
+#include
+#include
+
+
+#ifndef DEFAULT_SERANGE
+#define DEFAULT_SERANGE "s0"
+#endif
+
+
+static void semanage_error_callback(void *varg,
+ semanage_handle_t *handle,
+ const char *fmt, ...)
+{
+ int ret;
+ char * message = NULL;
+ va_list ap;
+
+
+ va_start(ap, fmt);
+ ret = vasprintf(&message, fmt, ap);
+ va_end(ap);
+ if (ret < 0) {
+ /* ENOMEM */
+ return;
+ }
+
+ switch (semanage_msg_get_level(handle)) {
+ case SEMANAGE_MSG_ERR:
+ case SEMANAGE_MSG_WARN:
+ fprintf(stderr, "[libsemanage]: %s\n", message);
+ break;
+ case SEMANAGE_MSG_INFO:
+ /* nop */
+ break;
+ }
+
+ free(message);
+}
+
+
+static semanage_handle_t *semanage_init(void)
+{
+ int ret;
+ semanage_handle_t *handle = NULL;
+
+ handle = semanage_handle_create();
+ if (!handle) {
+ fprintf(stderr, _("Cannot create SELinux management handle\n"));
+ return NULL;
+ }
+
+ semanage_msg_set_callback(handle, semanage_error_callback, NULL);
+
+ ret = semanage_is_managed(handle);
+ if (ret != 1) {
+ fprintf(stderr, _("SELinux policy not managed\n"));
+ goto fail;
+ }
+
+ ret = semanage_access_check(handle);
+ if (ret < SEMANAGE_CAN_READ) {
+ fprintf(stderr, _("Cannot read SELinux policy store\n"));
+ goto fail;
+ }
+
+ ret =
semanage_connect(handle);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot estabilish SELinux management connection\n"));
+ goto fail;
+ }
+
+ ret = semanage_begin_transaction(handle);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot begin SELinux transaction\n"));
+ goto fail;
+ }
+
+ return handle;
+fail:
+ semanage_handle_destroy(handle);
+ return NULL;
+}
+
+
+static int semanage_user_mod(semanage_handle_t *handle,
+ semanage_seuser_key_t *key,
+ const char *login_name,
+ const char *seuser_name)
+{
+ int ret;
+ semanage_seuser_t *seuser = NULL;
+
+ semanage_seuser_query(handle, key, &seuser);
+ if (seuser == NULL) {
+ fprintf(stderr, _("Could not query seuser for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not set serange for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_set_sename(handle, seuser, seuser_name);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not set sename for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_modify_local(handle, key, seuser);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not modify login mapping for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = 0;
+done:
+ semanage_seuser_free(seuser);
+ return ret;
+}
+
+
+static int semanage_user_add(semanage_handle_t *handle,
+ semanage_seuser_key_t *key,
+ const char *login_name,
+ const char *seuser_name)
+{
+ int ret;
+ semanage_seuser_t *seuser = NULL;
+
+ ret = semanage_seuser_create(handle, &seuser);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot create SELinux login mapping for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_set_name(handle, seuser, login_name);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not set name for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_set_mlsrange(handle, seuser, DEFAULT_SERANGE);
+ if (ret != 0) {
+ fprintf(stderr,
_("Could not set serange for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_set_sename(handle, seuser, seuser_name);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not set SELinux user for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_modify_local(handle, key, seuser);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not add login mapping for %s\n"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = 0;
+done:
+ semanage_seuser_free(seuser);
+ return ret;
+}
+
+
+int set_seuser(const char *login_name, const char *seuser_name)
+{
+ semanage_handle_t *handle = NULL;
+ semanage_seuser_key_t *key = NULL;
+ int ret;
+ int seuser_exists = 0;
+
+ if (seuser_name == NULL) {
+ /* don't care, just let system pick the defaults */
+ return 0;
+ }
+
+ handle = semanage_init();
+ if (!handle) {
+ fprintf(stderr, _("Cannot init SELinux management\n"));
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_key_create(handle, login_name, &key);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot create SELinux user key\n"));
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_exists(handle, key, &seuser_exists);
+ if (ret < 0) {
+ fprintf(stderr, _("Cannot verify the SELinux user\n"));
+ ret = 1;
+ goto done;
+ }
+
+ if (seuser_exists) {
+ ret = semanage_user_mod(handle, key, login_name, seuser_name);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot modify SELinux user mapping\n"));
+ ret = 1;
+ goto done;
+ }
+ } else {
+ ret = semanage_user_add(handle, key, login_name, seuser_name);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot add SELinux user mapping\n"));
+ ret = 1;
+ goto done;
+ }
+ }
+
+ ret = semanage_commit(handle);
+ if (ret < 0) {
+ fprintf(stderr,_("Cannot commit SELinux transaction\n"));
+ ret = 1;
+ goto done;
+ }
+
+ ret = 0;
+
+done:
+ semanage_seuser_key_free(key);
+ semanage_handle_destroy(handle);
+ return ret;
+}
+
+
+
+
+
+int del_seuser(const char *login_name)
+{
+ semanage_handle_t *handle = NULL;
+
semanage_seuser_key_t *key = NULL;
+ int ret;
+ int exists = 0;
+
+ handle = semanage_init();
+ if (!handle) {
+ fprintf(stderr, _("Cannot init SELinux management\n"));
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_key_create(handle, login_name, &key);
+ if (ret != 0) {
+ fprintf(stderr, _("Cannot create SELinux user key\n"));
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_seuser_exists(handle, key, &exists);
+ if (ret < 0) {
+ fprintf(stderr, _("Cannot verify the SELinux user\n"));
+ ret = 1;
+ goto done;
+ }
+
+ if (!exists) {
+ fprintf(stderr, _("Login mapping for %s is not defined, OK if default mapping was used\n"),
+ login_name);
+ ret = 0; /* probably default mapping */
+ goto done;
+ }
+
+ ret = semanage_seuser_exists_local(handle, key, &exists);
+ if (ret < 0) {
+ fprintf(stderr, _("Cannot verify the SELinux user\n"));
+ ret = 1;
+ goto done;
+ }
+
+ if (!exists) {
+ fprintf(stderr, _("Login mapping for %s is defined in policy, cannot be deleted\n"),
+ login_name);
+ ret = 0; /* Login mapping defined in policy can't be deleted */
+ goto done;
+ }
+
+ ret = semanage_seuser_del_local(handle, key);
+ if (ret != 0) {
+ fprintf(stderr, _("Could not delete login mapping for %s"), login_name);
+ ret = 1;
+ goto done;
+ }
+
+ ret = semanage_commit(handle);
+ if (ret < 0) {
+ fprintf(stderr, _("Cannot commit SELinux transaction\n"));
+ ret = 1;
+ goto done;
+ }
+
+ ret = 0;
+done:
+ semanage_handle_destroy(handle);
+ return ret;
+}
+
diff -up shadow-4.1.4.3/man/userdel.8.libsemanage shadow-4.1.4.3/man/userdel.8
--- shadow-4.1.4.3/man/userdel.8.libsemanage 2011-11-09 14:19:27.772753117 +0100
+++ shadow-4.1.4.3/man/userdel.8 2011-11-09 14:21:13.947365740 +0100
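Review bot: `del_seuser` in lib/selinux.c never frees the key it obtains from `semanage_seuser_key_create`: its `done:` label only calls `semanage_handle_destroy(handle)`, whereas `set_seuser` also calls `semanage_seuser_key_free(key)`, so add `semanage_seuser_key_free(key);` ahead of the destroy. Both public functions, and the `fail:` path of `semanage_init` once `semanage_connect` has succeeded, destroy the handle without a preceding `semanage_disconnect(handle);`, and the libsemanage header documents that destroy does not disconnect a connected handle. `semanage_user_mod` also overwrites the MLS range of an existing mapping with `DEFAULT_SERANGE` right after querying it, so changing only the SELinux user of a login that carries a custom range silently resets that range to `s0`; leaving the queried range untouched on the modify path looks like the safer default. The return value of `semanage_seuser_query` is discarded and only `seuser == NULL` is tested, which should be confirmed to cover every failure case.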
@@ -243,6 +243,11 @@ can\*(Aqt update group file .RS 4 can\*(Aqt remove home directory .RE +.PP +\fI14\fR +.RS 4 +can\*(Aqt update SELinux user mapping +.PP .SH "CAVEATS" .PP diff -up shadow-4.1.4.3/src/Makefile.in.libsemanage shadow-4.1.4.3/src/Makefile.in --- shadow-4.1.4.3/src/Makefile.in.libsemanage 2011-11-09 14:11:26.431362175 +0100 +++ shadow-4.1.4.3/src/Makefile.in 2011-11-09 14:11:26.459362089 +0100 @@ -431,9 +431,9 @@ su_SOURCES = \ su_LDADD = $(LDADD) $(LIBPAM) $(LIBCRYPT_NOPAM) $(LIBSKEY) $(LIBMD) sulogin_LDADD = $(LDADD) $(LIBCRYPT) -useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl +useradd_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -lsemanage +userdel_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -lsemanage +usermod_LDADD = $(LDADD) $(LIBPAM_SUID) $(LIBAUDIT) $(LIBSELINUX) -lacl -lsemanage vipw_LDADD = $(LDADD) $(LIBSELINUX) all: all-am diff -up shadow-4.1.4.3/src/useradd.c.libsemanage shadow-4.1.4.3/src/useradd.c --- shadow-4.1.4.3/src/useradd.c.libsemanage 2011-11-09 14:11:26.424362196 +0100 +++ shadow-4.1.4.3/src/useradd.c 2011-11-09 14:11:26.460362086 +0100 
@@ -1999,16 +1999,7 @@ int main (int argc, char **argv) #ifdef WITH_SELINUX if (Zflg && *user_selinux) { if (is_selinux_enabled () > 0) { - const char *argv[7]; - - argv[0] = "/usr/sbin/semanage"; - argv[1] = "login"; - argv[2] = "-a"; - argv[3] = "-s"; - argv[4] = user_selinux; - argv[5] = user_name; - argv[6] = NULL; - if (safe_system (argv[0], argv, NULL, 0)) { + if (set_seuser(user_name, user_selinux)) { fprintf (stderr, _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), Prog, user_name, user_selinux); diff -up shadow-4.1.4.3/src/userdel.c.libsemanage shadow-4.1.4.3/src/userdel.c --- shadow-4.1.4.3/src/userdel.c.libsemanage 2011-11-09 14:11:26.425362193 +0100 +++ shadow-4.1.4.3/src/userdel.c 2011-11-09 14:18:59.274855167 +0100 @@ -70,6 +70,7 @@ #define E_USER_BUSY 8 /* user currently logged in */ #define E_GRP_UPDATE 10 /* can't update group file */ #define E_HOMEDIR 12 /* can't remove home directory */ +#define E_SE_UPDATE 14 /* can't update SELinux user mapping */ /* * Global variables @@ -1002,13 +1003,17 @@ int main (int argc, char **argv) #ifdef WITH_SELINUX if (Zflg) { if (is_selinux_enabled () > 0) { - const char *args[5]; - args[0] = "/usr/sbin/semanage"; - args[1] = "login"; - args[2] = "-d"; - args[3] = user_name; - args[4] = NULL; - safe_system (args[0], args, NULL, 1); + if (del_seuser(user_name)) { + fprintf (stderr, + _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"), + Prog, user_name); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "removing SELinux user mapping", + user_name, (unsigned int) user_id, 0); + #endif + fail_exit (E_SE_UPDATE); + } } } #endif diff -up shadow-4.1.4.3/src/usermod.c.libsemanage shadow-4.1.4.3/src/usermod.c --- shadow-4.1.4.3/src/usermod.c.libsemanage 2011-11-09 14:11:26.426362190 +0100 +++ shadow-4.1.4.3/src/usermod.c 2011-11-09 14:11:26.463362076 +0100 
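Review bot: The failure branch added around `del_seuser` in userdel.c logs the event as `AUDIT_ADD_USER`, so a failed mapping removal during account deletion is filed as a user-addition record and audit queries keyed on record type will misclassify it. Use the deletion type instead: `audit_logger (AUDIT_DEL_USER, Prog, "removing SELinux user mapping", user_name, (unsigned int) user_id, 0);`. The message is worded as a "warning:" yet the branch ends in `fail_exit (E_SE_UPDATE)`, a change from the old code that ignored the `semanage login -d` result. Whether the account files have already been rewritten when this exit is taken lies outside the hunk and is worth confirming before making the failure fatal.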
@@ -1787,28 +1787,16 @@ int main (int argc, char **argv) #ifdef WITH_SELINUX if (Zflg && *user_selinux) { if (is_selinux_enabled () > 0) { - const char *argv[7]; - - argv[0] = "/usr/sbin/semanage"; - argv[1] = "login"; - argv[2] = "-m"; - argv[3] = "-s"; - argv[4] = user_selinux; - argv[5] = user_name; - argv[6] = NULL; - if (safe_system (argv[0], argv, NULL, 1)) { - argv[2] = "-a"; - if (safe_system (argv[0], argv, NULL, 0)) { - fprintf (stderr, - _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), - Prog, user_name, user_selinux); + if (set_seuser(user_name, user_selinux)) { + fprintf (stderr, + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); #ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, - "modifying User mapping ", - user_name, (unsigned int) user_id, 0); + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, + "modifying User mapping ", + user_name, (unsigned int) user_id, 0); #endif - fail_exit (E_SE_UPDATE); - } + fail_exit (E_SE_UPDATE); } } }