diff -up shadow-4.8/lib/commonio.c.selinux shadow-4.8/lib/commonio.c

--- shadow-4.8/lib/commonio.c.selinux	2019-07-23 17:26:08.000000000 +0200

+++ shadow-4.8/lib/commonio.c	2020-01-13 10:08:53.769101131 +0100

@@ -964,7 +964,7 @@ int commonio_close (struct commonio_db *

 		snprintf (buf, sizeof buf, "%s-", db->filename);

 #ifdef WITH_SELINUX

-		if (set_selinux_file_context (buf) != 0) {

+		if (set_selinux_file_context (buf, db->filename) != 0) {

 			errors++;

 		}

 #endif

@@ -997,7 +997,7 @@ int commonio_close (struct commonio_db *

 	snprintf (buf, sizeof buf, "%s+", db->filename);

 #ifdef WITH_SELINUX

-	if (set_selinux_file_context (buf) != 0) {

+	if (set_selinux_file_context (buf, db->filename) != 0) {

 		errors++;

 	}

 #endif

diff -up shadow-4.8/libmisc/copydir.c.selinux shadow-4.8/libmisc/copydir.c

--- shadow-4.8/libmisc/copydir.c.selinux	2019-07-23 17:26:08.000000000 +0200

+++ shadow-4.8/libmisc/copydir.c	2020-01-13 10:08:53.769101131 +0100

@@ -484,7 +484,7 @@ static int copy_dir (const char *src, co

 	 */

 #ifdef WITH_SELINUX

-	if (set_selinux_file_context (dst) != 0) {

+	if (set_selinux_file_context (dst, NULL) != 0) {

 		return -1;

 	}

 #endif				/* WITH_SELINUX */

@@ -605,7 +605,7 @@ static int copy_symlink (const char *src

 	}

 #ifdef WITH_SELINUX

-	if (set_selinux_file_context (dst) != 0) {

+	if (set_selinux_file_context (dst, NULL) != 0) {

 		free (oldlink);

 		return -1;

 	}

@@ -684,7 +684,7 @@ static int copy_special (const char *src

 	int err = 0;

 #ifdef WITH_SELINUX

-	if (set_selinux_file_context (dst) != 0) {

+	if (set_selinux_file_context (dst, NULL) != 0) {

 		return -1;

 	}

 #endif				/* WITH_SELINUX */

@@ -744,7 +744,7 @@ static int copy_file (const char *src, c

 		return -1;

 	}

 #ifdef WITH_SELINUX

-	if (set_selinux_file_context (dst) != 0) {

+	if (set_selinux_file_context (dst, NULL) != 0) {

 		return -1;

 	}

 #endif				/* WITH_SELINUX */

diff -up shadow-4.8/lib/prototypes.h.selinux shadow-4.8/lib/prototypes.h

--- shadow-4.8/lib/prototypes.h.selinux	2020-01-13 10:08:53.769101131 +0100

+++ shadow-4.8/lib/prototypes.h	2020-01-13 10:11:20.914627399 +0100

@@ -334,7 +334,7 @@ extern /*@observer@*/const char *crypt_m

 /* selinux.c */

 #ifdef WITH_SELINUX

-extern int set_selinux_file_context (const char *dst_name);

+extern int set_selinux_file_context (const char *dst_name, const char *orig_name);

 extern int reset_selinux_file_context (void);

 extern int check_selinux_permit (const char *perm_name);

 #endif

diff -up shadow-4.8/lib/selinux.c.selinux shadow-4.8/lib/selinux.c

--- shadow-4.8/lib/selinux.c.selinux	2019-11-12 01:18:25.000000000 +0100

+++ shadow-4.8/lib/selinux.c	2020-01-13 10:08:53.769101131 +0100

@@ -51,7 +51,7 @@ static bool selinux_enabled;

  *	Callers may have to Reset SELinux to create files with default

  *	contexts with reset_selinux_file_context

  */

-int set_selinux_file_context (const char *dst_name)

+int set_selinux_file_context (const char *dst_name, const char *orig_name)

 {

 	/*@null@*/security_context_t scontext = NULL;

@@ -63,19 +63,23 @@ int set_selinux_file_context (const char

 	if (selinux_enabled) {

 		/* Get the default security context for this file */

 		if (matchpathcon (dst_name, 0, &scontext) < 0) {

-			if (security_getenforce () != 0) {

-				return 1;

-			}

+			/* We could not get the default, copy the original */

+			if (orig_name == NULL)

+				goto error;

+			if (getfilecon (orig_name, &scontext) < 0)

+				goto error;

 		}

 		/* Set the security context for the next created file */

-		if (setfscreatecon (scontext) < 0) {

-			if (security_getenforce () != 0) {

-				return 1;

-			}

-		}

+		if (setfscreatecon (scontext) < 0)

+			goto error;

 		freecon (scontext);

 	}

 	return 0;

+    error:

+	if (security_getenforce () != 0) {

+		return 1;

+	}

+	return 0;

 }

 /*

diff -up shadow-4.8/lib/semanage.c.selinux shadow-4.8/lib/semanage.c

--- shadow-4.8/lib/semanage.c.selinux	2019-07-23 17:26:08.000000000 +0200

+++ shadow-4.8/lib/semanage.c	2020-01-13 10:08:53.766101181 +0100

@@ -294,6 +294,9 @@ int set_seuser (const char *login_name,

 	ret = 0;

+        /* drop obsolete matchpathcon cache */

+        matchpathcon_fini();

+

 done:

 	semanage_seuser_key_free (key);

 	semanage_handle_destroy (handle);

@@ -369,6 +372,10 @@ int del_seuser (const char *login_name)

 	}

 	ret = 0;

+

+        /* drop obsolete matchpathcon cache */

+        matchpathcon_fini();

+

 done:

 	semanage_handle_destroy (handle);

 	return ret;

diff -up shadow-4.8/src/useradd.c.selinux shadow-4.8/src/useradd.c

--- shadow-4.8/src/useradd.c.selinux	2020-01-13 10:08:53.762101248 +0100

+++ shadow-4.8/src/useradd.c	2020-01-13 10:08:53.767101164 +0100

@@ -2078,7 +2078,7 @@ static void create_home (void)

 		++bhome;

 #ifdef WITH_SELINUX

-		if (set_selinux_file_context (prefix_user_home) != 0) {

+		if (set_selinux_file_context (prefix_user_home, NULL) != 0) {

 			fprintf (stderr,

 			         _("%s: cannot set SELinux context for home directory %s\n"),

 			         Prog, user_home);

@@ -2232,6 +2232,7 @@ static void create_mail (void)

  */

 int main (int argc, char **argv)

 {

+	int rv = E_SUCCESS;

 #ifdef ACCT_TOOLS_SETUID

 #ifdef USE_PAM

 	pam_handle_t *pamh = NULL;

@@ -2454,27 +2455,12 @@ int main (int argc, char **argv)

 	usr_update ();

-	if (mflg) {

-		create_home ();

-		if (home_added) {

-			copy_tree (def_template, prefix_user_home, false, false,

-			           (uid_t)-1, user_id, (gid_t)-1, user_gid);

-		} else {

-			fprintf (stderr,

-			         _("%s: warning: the home directory %s already exists.\n"

-			           "%s: Not copying any file from skel directory into it.\n"),

-			         Prog, user_home, Prog);

-		}

-

-	}

-

-	/* Do not create mail directory for system accounts */

-	if (!rflg) {

-		create_mail ();

-	}

-

 	close_files ();

+	nscd_flush_cache ("passwd");

+	nscd_flush_cache ("group");

+	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);

+

 	/*

 	 * tallylog_reset needs to be able to lookup

 	 * a valid existing user name,

@@ -2485,8 +2471,9 @@ int main (int argc, char **argv)

 	}

 #ifdef WITH_SELINUX

-	if (Zflg) {

-		if (set_seuser (user_name, user_selinux) != 0) {

+	if (Zflg && *user_selinux) {

+		if (is_selinux_enabled () > 0) {

+		    if (set_seuser (user_name, user_selinux) != 0) {

 			fprintf (stderr,

 			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),

 			         Prog, user_name, user_selinux);

@@ -2495,15 +2482,31 @@ int main (int argc, char **argv)

 			              "adding SELinux user mapping",

 			              user_name, (unsigned int) user_id, 0);

 #endif				/* WITH_AUDIT */

-			fail_exit (E_SE_UPDATE);

+			rv = E_SE_UPDATE;

+		    }

 		}

 	}

 #endif				/* WITH_SELINUX */

-	nscd_flush_cache ("passwd");

-	nscd_flush_cache ("group");

-	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);

+	if (mflg) {

+		create_home ();

+		if (home_added) {

+			copy_tree (def_template, prefix_user_home, false, true,

+			           (uid_t)-1, user_id, (gid_t)-1, user_gid);

+		} else {

+			fprintf (stderr,

+			         _("%s: warning: the home directory %s already exists.\n"

+			           "%s: Not copying any file from skel directory into it.\n"),

+			         Prog, user_home, Prog);

+		}

+

+	}

+

+	/* Do not create mail directory for system accounts */

+	if (!rflg) {

+		create_mail ();

+	}

-	return E_SUCCESS;

+	return rv;

 }