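diff -up /dev/null shadow-4.1.1/libmisc/system.c
--- /dev/null 2008-03-19 11:34:26.687502959 +0100
+++ shadow-4.1.1/libmisc/system.c 2008-04-05 14:55:29.000000000 +0200
@@ -0,0 +1,37 @@
+#include <config.h>
+
+#ident "$Id: shell.c,v 1.13 2006/01/18 19:38:27 kloczek Exp $"
+
+#include <stdio.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include "prototypes.h"
+#include "defines.h"
+
+int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr)
+{
+ int status = -1;
+ int fd;
+ pid_t pid;
+
+ pid = fork();
+ if (pid < 0)
+ return -1;
+
+ if (pid) { /* Parent */
+ waitpid(pid, &status, 0);
+ return status;
+ }
+
+ fd = open("/dev/null", O_RDWR);
+ /* Child */
+ dup2(fd,0); // Close Stdin
+ if (ignore_stderr)
+ dup2(fd,2); // Close Stderr
+
+ execve(command, (char *const *) argv, (char *const *) env);
+ fprintf (stderr,
+ _("Failed to exec '%s'\n"), argv[0]);
+ exit (-1);
+}
+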
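Review bot: The child path never checks the result of `open("/dev/null", O_RDWR)`: when it fails, `dup2(-1, 0)` and `dup2(-1, 2)` fail silently and the executed command inherits the caller's stdin and stderr, so `ignore_stderr` is not honoured and nothing reports it. The child also leaves via `exit (-1)`, which in a forked child runs the parent's atexit handlers and flushes any stdio buffers duplicated by fork(); `_exit(127)` (the conventional exec-failure status) avoids that, and the descriptor should be closed before exec so it does not leak into the executed program. Note too that with `ignore_stderr` set the "Failed to exec" message itself goes to /dev/null. `_exit` and `close` are declared in `<unistd.h>`, which this new file does not include directly; check whether defines.h or prototypes.h already pulls it in before relying on it.
```c
	/* … unchanged: fork(), pid < 0 check, parent waitpid()/return … */

	/* Child: never fall back into the parent's code path, always _exit() */
	fd = open("/dev/null", O_RDWR);
	if (fd < 0)
		_exit(127);
	dup2(fd, 0);
	if (ignore_stderr)
		dup2(fd, 2);
	if (fd > 2)
		close(fd);

	execve(command, (char *const *) argv, (char *const *) env);
	fprintf(stderr, _("Failed to exec '%s'\n"), argv[0]);
	_exit(127);
```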
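diff -up shadow-4.1.1/libmisc/copydir.c.selinux shadow-4.1.1/libmisc/copydir.c
--- shadow-4.1.1/libmisc/copydir.c.selinux 2008-01-06 13:02:04.000000000 +0100
+++ shadow-4.1.1/libmisc/copydir.c 2008-04-05 14:55:29.000000000 +0200
@@ -82,7 +82,7 @@ static int copy_file (const char *src, c
 * symlink, directory, ...
 *
 */
-static int selinux_file_context (const char *dst_name)
+int selinux_file_context (const char *dst_name)
 {
 security_context_t scontext = NULL;
 
@@ -253,6 +253,12 @@ int copy_tree (const char *src_root, con
 src_orig = 0;
 dst_orig = 0;
 }
+
+#ifdef WITH_SELINUX
+ /* Reset SELinux to create files with default contexts */
+ setfscreatecon (NULL);
+#endif
+
 return err;
 }
 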
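Review bot: `setfscreatecon (NULL)` in the copy_tree hunk is called for its side effect only; if the reset fails, the process keeps the last context set through selinux_file_context and every file it creates afterwards inherits it, with nothing reported. Checking it, `if (setfscreatecon (NULL) != 0) err = -1;` (if callers treat a non-zero err as failure) or at least a warning, would make that visible; the same unchecked call is added to create_home in the useradd.c part of this patch. Making selinux_file_context non-static is consistent with the guarded prototype added in prototypes.h, but whether its definition here sits inside a `#ifdef WITH_SELINUX` is not visible in this hunk, so a build without SELinux should be checked; the rest of copy_tree lies outside the hunk.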
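diff -up shadow-4.1.1/libmisc/Makefile.am.selinux shadow-4.1.1/libmisc/Makefile.am
--- shadow-4.1.1/libmisc/Makefile.am.selinux 2008-01-27 15:21:48.000000000 +0100
+++ shadow-4.1.1/libmisc/Makefile.am 2008-04-05 14:55:29.000000000 +0200
@@ -43,6 +43,7 @@ libmisc_a_SOURCES = \
 setugid.c \
 setupenv.c \
 shell.c \
+ system.c \
 strtoday.c \
 sub.c \
 sulog.c \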
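diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c
--- shadow-4.1.1/src/useradd.c.selinux 2008-04-05 14:55:29.000000000 +0200
+++ shadow-4.1.1/src/useradd.c 2008-04-05 14:55:29.000000000 +0200
@@ -101,6 +101,7 @@ static const char *user_comment = "";
 static const char *user_home = "";
 static const char *user_shell = "";
 static const char *create_mail_spool = "";
+static const char *user_selinux = "";
 
 static long user_expire = -1;
 static int is_shadow_pwd;
@@ -173,6 +174,7 @@ static int set_defaults (void);
 static int get_groups (char *);
 static void usage (void);
 static void new_pwent (struct passwd *);
+static void selinux_update_mapping (void);
 
 static long scale_age (long);
 static void new_spent (struct spwd *);
@@ -373,6 +375,7 @@ static void get_defaults (void)
 def_create_mail_spool = xstrdup (cp);
 }
 }
+ fclose(fp);
 }
 
 /*
@@ -665,6 +668,9 @@ static void usage (void)
 " -s, --shell SHELL the login shell for the new user account\n"
 " -u, --uid UID force use the UID for the new user account\n"
 " -U, --user-group create a group with the same name as the user\n"
+#ifdef WITH_SELINUX
+ " -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping\n"
+#endif
 "\n"), stderr);
 exit (E_USAGE);
 }
@@ -880,12 +886,19 @@ static void process_flags (int argc, cha
 {"password", required_argument, NULL, 'p'},
 {"system", no_argument, NULL, 'r'},
 {"shell", required_argument, NULL, 's'},
+#ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+#endif
 {"uid", required_argument, NULL, 'u'},
 {"user-group", no_argument, NULL, 'U'},
 {NULL, 0, NULL, '\0'}
 };
 while ((c =
+#ifdef WITH_SELINUX
+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:",
+#else
 getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U",
+#endif
 long_options, NULL)) != -1) {
 switch (c) {
 case 'b':
@@ -1070,6 +1083,17 @@ static void process_flags (int argc, cha
 case 'U':
 Uflg++;
 break;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled() > 0)
+ user_selinux = optarg;
+ else {
+ fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog);
+
+ exit (E_BAD_ARG);
+ }
+ break;
+#endif
 default:
 usage ();
 }
@@ -1476,6 +1500,33 @@ static void usr_update (void)
 grp_update ();
 }
 
+static void selinux_update_mapping () {
+
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled() <= 0) return;
+
+ if (*user_selinux) { /* must be done after passwd write() */
+ const char *argv[7];
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-a";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system(argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "adding SELinux user mapping", user_name, user_id, 0);
+#endif
+ }
+ }
+#endif
+
+}
 /*
 * create_home - create the user's home directory
 *
@@ -1485,7 +1536,11 @@ static void usr_update (void)
 */
 static void create_home (void)
 {
+
 if (access (user_home, F_OK)) {
+#ifdef WITH_SELINUX
+ selinux_file_context (user_home);
+#endif
 /* XXX - create missing parent directories. --marekm */
 if (mkdir (user_home, 0)) {
 fprintf (stderr,
@@ -1507,6 +1562,10 @@ static void create_home (void)
 audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
 "adding home directory", user_name, user_id, 1);
 #endif
+#ifdef WITH_SELINUX
+ /* Reset SELinux to create files with default contexts */
+ setfscreatecon (NULL);
+#endif
 }
 }
 
@@ -1760,6 +1819,8 @@ int main (int argc, char **argv)
 
 close_files ();
 
+ selinux_update_mapping();
+
 nscd_flush_cache ("passwd");
 nscd_flush_cache ("group");
 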
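Review bot: In the create_home hunk the return value of `selinux_file_context (user_home)` is discarded, so if setting the file-creation context fails the directory is still created by the `mkdir` just below with whatever context the process had, and nothing here reports it. The helper returns an int (see the copydir.c part of this patch), so a check such as `if (selinux_file_context (user_home) != 0) { fprintf (stderr, _("%s: cannot set SELinux context for %s\n"), Prog, user_home); /* take the same error path as the mkdir failure below */ }` keeps the failure from being silent; the rest of create_home lies outside the hunk. In the usr_update hunk a failed `semanage login -a` only prints a warning and useradd still exits successfully, so the account exists without the mapping the caller asked for; either make that an error or state the behaviour in the -Z man page entry. As a point of style, `static void selinux_update_mapping () {` should read `static void selinux_update_mapping (void)` with the brace on its own line, matching its prototype earlier in this section and the surrounding definitions.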
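diff -up shadow-4.1.1/src/usermod.c.selinux shadow-4.1.1/src/usermod.c
--- shadow-4.1.1/src/usermod.c.selinux 2008-02-24 13:35:13.000000000 +0100
+++ shadow-4.1.1/src/usermod.c 2008-04-05 14:55:29.000000000 +0200
@@ -91,6 +91,7 @@ static char *user_newcomment;
 static char *user_home;
 static char *user_newhome;
 static char *user_shell;
+static const char *user_selinux = "";
 static char *user_newshell;
 static long user_expire;
 static long user_newexpire;
@@ -138,6 +139,7 @@ static void date_to_str (char *buf, size
 static int get_groups (char *);
 static void usage (void);
 static void new_pwent (struct passwd *);
+static void selinux_update_mapping (void);
 
 static void new_spent (struct spwd *);
 static void fail_exit (int);
@@ -320,6 +322,9 @@ static void usage (void)
 " -s, --shell SHELL new login shell for the user account\n"
 " -u, --uid UID new UID for the user account\n"
 " -U, --unlock unlock the user account\n"
+#ifdef WITH_SELINUX
+ " -Z, --selinux-user new selinux user mapping for the user account\n"
+#endif
 "\n"), stderr);
 exit (E_USAGE);
 }
@@ -846,13 +851,20 @@ static void process_flags (int argc, cha
 {"move-home", no_argument, NULL, 'm'},
 {"non-unique", no_argument, NULL, 'o'},
 {"password", required_argument, NULL, 'p'},
+#ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+#endif
 {"shell", required_argument, NULL, 's'},
 {"uid", required_argument, NULL, 'u'},
 {"unlock", no_argument, NULL, 'U'},
 {NULL, 0, NULL, '\0'}
 };
 while ((c =
- getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U",
+#ifdef WITH_SELINUX
+ getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:UZ:",
+#else
+ getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U",
+#endif
 long_options, NULL)) != -1) {
 switch (c) {
 case 'a':
@@ -953,6 +965,16 @@ static void process_flags (int argc, cha
 case 'U':
 Uflg++;
 break;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled() > 0)
+ user_selinux = optarg;
+ else {
+ fprintf (stderr, _("%s: -Z requires SELinux enabled kernel\n"), Prog);
+ exit (E_BAD_ARG);
+ }
+ break;
+#endif
 default:
 usage ();
 }
@@ -1530,6 +1552,8 @@ int main (int argc, char **argv)
 nscd_flush_cache ("passwd");
 nscd_flush_cache ("group");
 
+ selinux_update_mapping();
+
 if (mflg)
 move_home ();
 
@@ -1558,3 +1582,62 @@ int main (int argc, char **argv)
 exit (E_SUCCESS);
 /* NOT REACHED */
 }
+
+static void selinux_update_mapping () {
+#ifdef WITH_SELINUX
+ const char *argv[7];
+
+ if (is_selinux_enabled() <= 0) return;
+
+ if (*user_selinux) {
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-m";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system(argv[0], argv, NULL, 1)) {
+ argv[2] = "-a";
+ if (safe_system(argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying User mapping ", user_name, user_id, 0);
+#endif
+ }
+ }
+ }
+
+ if (dflg || *user_selinux) {
+ argv[0] = "/usr/sbin/genhomedircon";
+ argv[1] = NULL;
+ if(safe_system(argv[0], argv, NULL,0)) {
+ fprintf (stderr,
+ _("%s: warning: unable to relabel the homedir %s for %s.\n"),
+ Prog, user_home, user_name);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "relabeling home directory", user_name, user_id, 0);
+#endif
+ }
+
+ argv[0] = "/sbin/restorecon";
+ argv[1] = "-F";
+ argv[2] = "-R";
+ argv[3] = user_home;
+ argv[4] = NULL;
+ if (safe_system(argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: unable to relabel the homedir %s for %s.\n"),
+ Prog, user_home, user_name);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "relabeling home directory", user_name, user_id, 0);
+#endif
+ }
+ }
+#endif
+}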
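Review bot: In the main hunk `selinux_update_mapping();` is inserted before `if (mflg) move_home ();`, and the new function relabels `argv[3] = user_home`; if `user_home` holds the current directory and `user_newhome` the `-d` argument, as the declarations in the first hunk suggest, then with `-d NEWHOME -m` the relabel hits the old path before it is moved and the new location is never relabelled, and with `-d` alone it relabels a directory the account no longer uses. Moving the call below `move_home ();` and relabelling `dflg ? user_newhome : user_home` would target the directory the user will actually log into; please confirm against the parts of main and the option parser outside these hunks. Also, `restorecon -F -R` forcibly resets every file under the home directory, discarding any customised contexts there, which the -Z man page entry should mention. Minor style: the definition `static void selinux_update_mapping () {` should match the `(void)` prototype in the second hunk, and the audit message `"modifying User mapping "` carries a trailing space.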
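diff -up shadow-4.1.1/src/userdel.c.selinux shadow-4.1.1/src/userdel.c
--- shadow-4.1.1/src/userdel.c.selinux 2008-03-08 21:48:26.000000000 +0100
+++ shadow-4.1.1/src/userdel.c 2008-04-05 14:55:29.000000000 +0200
@@ -809,6 +809,17 @@ int main (int argc, char **argv)
 #endif
 }
 
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled() > 0) {
+ const char *argv[5];
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-d";
+ argv[3] = user_name;
+ argv[4] = NULL;
+ safe_system(argv[0], argv, NULL, 1);
+ }
+#endif
 /*
 * Cancel any crontabs or at jobs. Have to do this before we remove
 * the entry from /etc/passwd.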
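Review bot: The result of `safe_system(argv[0], argv, NULL, 1)` is ignored and the child's stderr is suppressed, so a failing `semanage login -d` leaves a stale SELinux login mapping behind for a name a later useradd may reuse, with no message and no audit record. If semanage exits non-zero when no mapping exists, which is presumably why stderr is silenced here, the check has to tolerate that case, but a warning for the remaining outcomes, `if (safe_system(argv[0], argv, NULL, 1)) fprintf (stderr, _("%s: warning: unable to remove SELinux login mapping for %s\n"), Prog, user_name);` (mirroring the useradd and usermod messages, assuming userdel has the same `Prog`), would at least surface the failure. The enclosing main continues outside the hunk.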
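diff -up shadow-4.1.1/man/useradd.8.selinux shadow-4.1.1/man/useradd.8
--- shadow-4.1.1/man/useradd.8.selinux 2008-04-05 14:55:29.000000000 +0200
+++ shadow-4.1.1/man/useradd.8 2008-04-05 15:00:03.000000000 +0200
@@ -219,6 +219,11 @@ options are not specified) is defined by
 variable in
 \fIlogin\.defs\fR\.
 .RE
+.PP
+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR
+.RS 4
+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\.
+.RE
 .SS "Changing the default values"
 .PP
 When invoked with only the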
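diff -up shadow-4.1.1/man/usermod.8.xml.selinux shadow-4.1.1/man/usermod.8.xml
--- shadow-4.1.1/man/usermod.8.xml.selinux 2007-12-31 17:48:34.000000000 +0100
+++ shadow-4.1.1/man/usermod.8.xml 2008-04-05 14:55:29.000000000 +0200
@@ -245,6 +245,19 @@
 </para>
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-Z</option>, <option>--selinux-user</option>
+ <replaceable>SEUSER</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The SELinux user for the user's login. The default is to leave this
+ field the blank, which causes the system to select the default
+ SELinux user.
+ </para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 </refsect1>
 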
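diff -up shadow-4.1.1/man/usermod.8.selinux shadow-4.1.1/man/usermod.8
--- shadow-4.1.1/man/usermod.8.selinux 2008-04-03 00:43:16.000000000 +0200
+++ shadow-4.1.1/man/usermod.8 2008-04-05 14:55:29.000000000 +0200
@@ -133,6 +133,11 @@ Note: if you wish to unlock the account
 value from
 \fI/etc/default/useradd\fR)\.
 .RE
+.PP
+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR
+.RS 4
+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user.
+.RE
 .SH "CAVEATS"
 .PP
 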
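diff -up shadow-4.1.1/man/useradd.8.xml.selinux shadow-4.1.1/man/useradd.8.xml
--- shadow-4.1.1/man/useradd.8.xml.selinux 2008-02-25 22:01:23.000000000 +0100
+++ shadow-4.1.1/man/useradd.8.xml 2008-04-05 14:55:29.000000000 +0200
@@ -326,6 +326,19 @@
 </para>
 </listitem>
 </varlistentry>
+ <varlistentry>
+ <term>
+ <option>-Z</option>, <option>--selinux-user</option>
+ <replaceable>SEUSER</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The SELinux user for the user's login. The default is to leave this
+ field blank, which causes the system to select the default SELinux
+ user.
+ </para>
+ </listitem>
+ </varlistentry>
 </variablelist>
 
 <refsect2 id='changing_the_default_values'>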
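diff -up shadow-4.1.1/lib/defines.h.selinux shadow-4.1.1/lib/defines.h
--- shadow-4.1.1/lib/defines.h.selinux 2008-02-03 18:52:52.000000000 +0100
+++ shadow-4.1.1/lib/defines.h 2008-04-05 14:55:29.000000000 +0200
@@ -321,4 +321,7 @@ extern char *strerror ();
 # define unused
 #endif
 
+#ifdef WITH_SELINUX
+#include <selinux/selinux.h>
+#endif
 #endif /* _DEFINES_H_ */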
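diff -up shadow-4.1.1/lib/prototypes.h.selinux shadow-4.1.1/lib/prototypes.h
--- shadow-4.1.1/lib/prototypes.h.selinux 2008-03-18 00:01:32.000000000 +0100
+++ shadow-4.1.1/lib/prototypes.h 2008-04-05 15:03:41.000000000 +0200
@@ -51,6 +51,10 @@ extern int copy_tree (const char *src_ro
 long int uid, long int gid);
 extern int remove_tree (const char *root);
 
+#ifdef WITH_SELINUX
+extern int selinux_file_context (const char *dst_name);
+#endif
+
 /* encrypt.c */
 extern char *pw_encrypt (const char *, const char *);
 
@@ -194,6 +198,9 @@ extern struct spwd *__spw_dup (const str
 /* shell.c */
 extern int shell (const char *, const char *, char *const *);
 
+/* system.c */
+extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr);
+
 /* strtoday.c */
 extern long strtoday (const char *);
 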
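Review bot: The new `safe_system` declaration gives callers no contract for its return value, yet every caller added in this patch tests it with a bare `if (safe_system(...))`. From libmisc/system.c it returns -1 when fork() fails and otherwise the raw status word filled in by waitpid(), not the command's exit code, so a comment above the prototype along the lines of `/* Run command via fork()/execve() with the given argv and env, stdin on /dev/null (stderr too when ignore_stderr is set). Returns -1 if fork fails, else the raw waitpid() status: zero only when the command exited 0. */` would make that explicit. If the implementation is later changed to decode the status with WIFEXITED/WEXITSTATUS, this comment is the place to say so.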