diff -up shadow-4.5/lib/selinux.c.userdel-chroot shadow-4.5/lib/selinux.c --- shadow-4.5/lib/selinux.c.userdel-chroot 2017-11-06 13:40:41.396131526 +0100 +++ shadow-4.5/lib/selinux.c 2017-11-06 13:40:41.418132035 +0100 @@ -75,7 +75,7 @@ int set_selinux_file_context (const char } return 0; error: - if (security_getenforce () != 0) { + if (security_getenforce () > 0) { return 1; } return 0; @@ -95,7 +95,7 @@ int reset_selinux_file_context (void) selinux_checked = true; } if (selinux_enabled) { - if (setfscreatecon (NULL) != 0) { + if (setfscreatecon (NULL) != 0 && security_getenforce () > 0) { return 1; } } diff -up shadow-4.5/src/userdel.c.userdel-chroot shadow-4.5/src/userdel.c --- shadow-4.5/src/userdel.c.userdel-chroot 2017-11-06 13:40:41.410131850 +0100 +++ shadow-4.5/src/userdel.c 2017-11-06 15:26:56.567954410 +0100 @@ -96,6 +96,7 @@ static char *user_home; static bool fflg = false; static bool rflg = false; static bool Zflg = false; +static bool Rflg = false; static bool is_shadow_pwd; @@ -958,6 +959,7 @@ int main (int argc, char **argv) rflg = true; break; case 'R': /* no-op, handled in process_root_flag () */ + Rflg = true; break; #ifdef WITH_SELINUX case 'Z': @@ -1032,9 +1034,12 @@ int main (int argc, char **argv) */ user_name = argv[argc - 1]; { - struct passwd *pwd; - pwd = getpwnam (user_name); /* local, no need for xgetpwnam */ + const struct passwd *pwd; + + pw_open(O_RDONLY); + pwd = pw_locate (user_name); /* we care only about local users */ if (NULL == pwd) { + pw_close(); fprintf (stderr, _("%s: user '%s' does not exist\n"), Prog, user_name); #ifdef WITH_AUDIT @@ -1048,6 +1053,7 @@ int main (int argc, char **argv) user_id = pwd->pw_uid; user_gid = pwd->pw_gid; user_home = xstrdup (pwd->pw_dir); + pw_close(); } #ifdef WITH_TCB if (shadowtcb_set_user (user_name) == SHADOWTCB_FAILURE) { @@ -1079,7 +1085,7 @@ int main (int argc, char **argv) * Note: This is a best effort basis. The user may log in between, * a cron job may be started on her behalf, etc. */ - if (user_busy (user_name, user_id) != 0) { + if (!Rflg && user_busy (user_name, user_id) != 0) { if (!fflg) { #ifdef WITH_AUDIT audit_logger (AUDIT_DEL_USER, Prog,