diff -up shadow-4.1.4.2/man/useradd.8.semange shadow-4.1.4.2/man/useradd.8 --- shadow-4.1.4.2/man/useradd.8.semange 2011-06-28 15:08:46.583254750 +0200 +++ shadow-4.1.4.2/man/useradd.8 2011-06-28 15:08:46.600282568 +0200 @@ -631,6 +631,11 @@ can\'t create home directory .RS 4 can\'t create mail spool .RE +.PP +\fI14\fR +.RS 4 +can\'t update SELinux user mapping +.RE .SH "SEE ALSO" .PP diff -up shadow-4.1.4.2/man/userdel.8.semange shadow-4.1.4.2/man/userdel.8 --- shadow-4.1.4.2/man/userdel.8.semange 2009-07-24 03:16:45.000000000 +0200 +++ shadow-4.1.4.2/man/userdel.8 2011-06-28 15:08:46.601278956 +0200 @@ -67,6 +67,11 @@ variable in the login\&.defs file\&. .RE +.PP +\fB\-Z\fR, \fB\-\-selinux-user\fR +.RS 4 +Remove SELinux user assigned to the userĀ“s login from SELinux login mapping. Use with caution, all the occurrences of the SELinux user will be removed. +.RE .SH "CONFIGURATION" .PP The following configuration variables in diff -up shadow-4.1.4.2/src/useradd.c.semange shadow-4.1.4.2/src/useradd.c --- shadow-4.1.4.2/src/useradd.c.semange 2011-06-28 15:08:46.577257401 +0200 +++ shadow-4.1.4.2/src/useradd.c 2011-06-28 15:54:22.430084199 +0200 @@ -164,6 +164,7 @@ static bool home_added = false; #define E_GRP_UPDATE 10 /* can't update group file */ #define E_HOMEDIR 12 /* can't create home directory */ #define E_MAIL_SPOOL 13 /* can't create mail spool */ +#define E_SE_UPDATE 14 /* can't update SELinux user mapping */ #define DGROUP "GROUP=" #define HOME "HOME=" @@ -181,9 +182,6 @@ static int set_defaults (void); static int get_groups (char *); static void usage (void); static void new_pwent (struct passwd *); -#ifdef WITH_SELINUX -static void selinux_update_mapping (void); -#endif static long scale_age (long); static void new_spent (struct spwd *); @@ -1710,32 +1708,6 @@ static void usr_update (void) } } -#ifdef WITH_SELINUX -static void selinux_update_mapping (void) { - if (is_selinux_enabled () <= 0) return; - - if (*user_selinux) { /* must be done after passwd write() */ - const char *argv[7]; - argv[0] = "/usr/sbin/semanage"; - argv[1] = "login"; - argv[2] = "-a"; - argv[3] = "-s"; - argv[4] = user_selinux; - argv[5] = user_name; - argv[6] = NULL; - if (safe_system (argv[0], argv, NULL, 0)) { - fprintf (stderr, - _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), - Prog, user_name, user_selinux); -#ifdef WITH_AUDIT - audit_logger (AUDIT_ADD_USER, Prog, - "adding SELinux user mapping", - user_name, (unsigned int) user_id, 0); -#endif - } - } -} -#endif /* * create_home - create the user's home directory * @@ -2022,12 +1994,35 @@ int main (int argc, char **argv) create_mail (); } - close_files (); - #ifdef WITH_SELINUX - selinux_update_mapping (); + if (Zflg && *user_selinux) { + if (is_selinux_enabled () > 0) { + const char *argv[7]; + + argv[0] = "/usr/sbin/semanage"; + argv[1] = "login"; + argv[2] = "-a"; + argv[3] = "-s"; + argv[4] = user_selinux; + argv[5] = user_name; + argv[6] = NULL; + if (safe_system (argv[0], argv, NULL, 0)) { + fprintf (stderr, + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); + #ifdef WITH_AUDIT + audit_logger (AUDIT_ADD_USER, Prog, + "adding SELinux user mapping", + user_name, (unsigned int) user_id, 0); + #endif + fail_exit (E_SE_UPDATE); + } + } + } #endif + close_files (); + nscd_flush_cache ("passwd"); nscd_flush_cache ("group"); diff -up shadow-4.1.4.2/src/userdel.c.semange shadow-4.1.4.2/src/userdel.c --- shadow-4.1.4.2/src/userdel.c.semange 2009-05-22 12:41:12.000000000 +0200 +++ shadow-4.1.4.2/src/userdel.c 2011-06-28 15:08:46.604254774 +0200 @@ -82,6 +82,7 @@ static char *user_home; static bool fflg = false; static bool rflg = false; +static bool Zflg = false; static bool is_shadow_pwd; @@ -120,6 +121,9 @@ static void usage (void) " even if not owned by user\n" " -h, --help display this help message and exit\n" " -r, --remove remove home directory and mail spool\n" +#ifdef WITH_SELINUX + " -Z, --selinux-user remove SELinux user from SELinux user mapping\n" +#endif "\n"), stderr); exit (E_USAGE); } @@ -766,9 +770,17 @@ int main (int argc, char **argv) {"force", no_argument, NULL, 'f'}, {"help", no_argument, NULL, 'h'}, {"remove", no_argument, NULL, 'r'}, +#ifdef WITH_SELINUX + {"selinux-user", required_argument, NULL, 'Z'}, +#endif {NULL, 0, NULL, '\0'} }; - while ((c = getopt_long (argc, argv, "fhr", + while ((c = getopt_long (argc, argv, +#ifdef WITH_SELINUX + "fhrZ", +#else + "fhr", +#endif long_options, NULL)) != -1) { switch (c) { case 'f': /* force remove even if not owned by user */ @@ -777,6 +789,19 @@ int main (int argc, char **argv) case 'r': /* remove home dir and mailbox */ rflg = true; break; +#ifdef WITH_SELINUX + case 'Z': + if (is_selinux_enabled () > 0) { + Zflg = true; + } else { + fprintf (stderr, + _("%s: -Z requires SELinux enabled kernel\n"), + Prog); + + exit (E_BAD_ARG); + } + break; +#endif default: usage (); } @@ -975,14 +1000,16 @@ int main (int argc, char **argv) #endif #ifdef WITH_SELINUX - if (is_selinux_enabled () > 0) { - const char *args[5]; - args[0] = "/usr/sbin/semanage"; - args[1] = "login"; - args[2] = "-d"; - args[3] = user_name; - args[4] = NULL; - safe_system (args[0], args, NULL, 1); + if (Zflg) { + if (is_selinux_enabled () > 0) { + const char *args[5]; + args[0] = "/usr/sbin/semanage"; + args[1] = "login"; + args[2] = "-d"; + args[3] = user_name; + args[4] = NULL; + safe_system (args[0], args, NULL, 1); + } } #endif diff -up shadow-4.1.4.2/src/usermod.c.semange shadow-4.1.4.2/src/usermod.c --- shadow-4.1.4.2/src/usermod.c.semange 2011-06-28 15:49:22.897129091 +0200 +++ shadow-4.1.4.2/src/usermod.c 2011-06-28 15:57:56.509845476 +0200 @@ -82,6 +82,9 @@ #define E_GRP_UPDATE 10 /* can't update group file */ /* #define E_NOSPACE 11 insufficient space to move home dir */ #define E_HOMEDIR 12 /* unable to complete home dir move */ +#define E_SE_UPDATE 13 /* can't update SELinux user mapping */ + + #define VALID(s) (strcspn (s, ":\n") == strlen (s)) /* * Global variables @@ -151,9 +154,6 @@ static void date_to_str (char *buf, size static int get_groups (char *); static void usage (void); static void new_pwent (struct passwd *); -#ifdef WITH_SELINUX -static void selinux_update_mapping (void); -#endif static void new_spent (struct spwd *); static void fail_exit (int); @@ -1785,8 +1785,32 @@ int main (int argc, char **argv) nscd_flush_cache ("group"); #ifdef WITH_SELINUX - if (Zflg) { - selinux_update_mapping (); + if (Zflg && *user_selinux) { + if (is_selinux_enabled () > 0) { + const char *argv[7]; + + argv[0] = "/usr/sbin/semanage"; + argv[1] = "login"; + argv[2] = "-m"; + argv[3] = "-s"; + argv[4] = user_selinux; + argv[5] = user_name; + argv[6] = NULL; + if (safe_system (argv[0], argv, NULL, 1)) { + argv[2] = "-a"; + if (safe_system (argv[0], argv, NULL, 0)) { + fprintf (stderr, + _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), + Prog, user_name, user_selinux); + #ifdef WITH_AUDIT + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, + "modifying User mapping ", + user_name, (unsigned int) user_id, 0); + #endif + fail_exit (E_SE_UPDATE); + } + } + } } #endif @@ -1816,34 +1840,3 @@ int main (int argc, char **argv) return E_SUCCESS; } -#ifdef WITH_SELINUX -static void selinux_update_mapping (void) { - const char *argv[7]; - - if (is_selinux_enabled () <= 0) return; - - if (*user_selinux) { - argv[0] = "/usr/sbin/semanage"; - argv[1] = "login"; - argv[2] = "-m"; - argv[3] = "-s"; - argv[4] = user_selinux; - argv[5] = user_name; - argv[6] = NULL; - if (safe_system (argv[0], argv, NULL, 1)) { - argv[2] = "-a"; - if (safe_system (argv[0], argv, NULL, 0)) { - fprintf (stderr, - _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), - Prog, user_name, user_selinux); -#ifdef WITH_AUDIT - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, - "modifying User mapping ", - user_name, (unsigned int) user_id, 0); -#endif - } - } - } -} -#endif -