diff -up shadow-4.1.4.3/man/useradd.8.semange shadow-4.1.4.3/man/useradd.8
--- shadow-4.1.4.3/man/useradd.8.semange 2011-08-02 12:57:47.971838218 +0200
+++ shadow-4.1.4.3/man/useradd.8 2011-08-02 12:57:47.985838145 +0200
@@ -640,6 +640,11 @@ can\*(Aqt create home directory
.RS 4
can\*(Aqt create mail spool
.RE
+.PP
+\fI14\fR
+.RS 4
+can\'t update SELinux user mapping
+.RE
.SH "SEE ALSO"
.PP
diff -up shadow-4.1.4.3/man/userdel.8.semange shadow-4.1.4.3/man/userdel.8
--- shadow-4.1.4.3/man/userdel.8.semange 2011-02-16 00:14:13.000000000 +0100
+++ shadow-4.1.4.3/man/userdel.8 2011-08-02 12:57:47.985838145 +0200
@@ -76,6 +76,11 @@ variable in the
login\&.defs
file\&.
.RE
+.PP
+\fB\-Z\fR, \fB\-\-selinux-user\fR
+.RS 4
+Remove SELinux user assigned to the userĀ“s login from SELinux login mapping.
+.RE
.SH "CONFIGURATION"
.PP
The following configuration variables in
diff -up shadow-4.1.4.3/src/useradd.c.semange shadow-4.1.4.3/src/useradd.c
--- shadow-4.1.4.3/src/useradd.c.semange 2011-08-02 12:57:47.968838234 +0200
+++ shadow-4.1.4.3/src/useradd.c 2011-08-02 12:58:17.626684439 +0200
@@ -164,6 +164,7 @@ static bool home_added = false;
#define E_GRP_UPDATE 10 /* can't update group file */
#define E_HOMEDIR 12 /* can't create home directory */
#define E_MAIL_SPOOL 13 /* can't create mail spool */
+#define E_SE_UPDATE 14 /* can't update SELinux user mapping */
#define DGROUP "GROUP="
#define HOME "HOME="
@@ -181,9 +182,6 @@ static int set_defaults (void);
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void);
-#endif
static long scale_age (long);
static void new_spent (struct spwd *);
@@ -1710,32 +1708,6 @@ static void usr_update (void)
}
}
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void) {
- if (is_selinux_enabled () <= 0) return;
-
- if (*user_selinux) { /* must be done after passwd write() */
- const char *argv[7];
- argv[0] = "/usr/sbin/semanage";
- argv[1] = "login";
- argv[2] = "-a";
- argv[3] = "-s";
- argv[4] = user_selinux;
- argv[5] = user_name;
- argv[6] = NULL;
- if (safe_system (argv[0], argv, NULL, 0)) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_ADD_USER, Prog,
- "adding SELinux user mapping",
- user_name, (unsigned int) user_id, 0);
-#endif
- }
- }
-}
-#endif
/*
* create_home - create the user's home directory
*
@@ -2025,7 +1997,30 @@ int main (int argc, char **argv)
close_files ();
#ifdef WITH_SELINUX
- selinux_update_mapping ();
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ const char *argv[7];
+
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-a";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding SELinux user mapping",
+ user_name, (unsigned int) user_id, 0);
+ #endif
+ fail_exit (E_SE_UPDATE);
+ }
+ }
+ }
#endif
nscd_flush_cache ("passwd");
diff -up shadow-4.1.4.3/src/userdel.c.semange shadow-4.1.4.3/src/userdel.c
--- shadow-4.1.4.3/src/userdel.c.semange 2011-02-13 18:58:16.000000000 +0100
+++ shadow-4.1.4.3/src/userdel.c 2011-08-02 12:57:47.988838130 +0200
@@ -82,6 +82,7 @@ static char *user_home;
static bool fflg = false;
static bool rflg = false;
+static bool Zflg = false;
static bool is_shadow_pwd;
@@ -120,6 +121,9 @@ static void usage (void)
" even if not owned by user\n"
" -h, --help display this help message and exit\n"
" -r, --remove remove home directory and mail spool\n"
+#ifdef WITH_SELINUX
+ " -Z, --selinux-user remove SELinux user from SELinux user mapping\n"
+#endif
"\n"), stderr);
exit (E_USAGE);
}
@@ -766,9 +770,17 @@ int main (int argc, char **argv)
{"force", no_argument, NULL, 'f'},
{"help", no_argument, NULL, 'h'},
{"remove", no_argument, NULL, 'r'},
+#ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+#endif
{NULL, 0, NULL, '\0'}
};
- while ((c = getopt_long (argc, argv, "fhr",
+ while ((c = getopt_long (argc, argv,
+#ifdef WITH_SELINUX
+ "fhrZ",
+#else
+ "fhr",
+#endif
long_options, NULL)) != -1) {
switch (c) {
case 'f': /* force remove even if not owned by user */
@@ -777,6 +789,19 @@ int main (int argc, char **argv)
case 'r': /* remove home dir and mailbox */
rflg = true;
break;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled () > 0) {
+ Zflg = true;
+ } else {
+ fprintf (stderr,
+ _("%s: -Z requires SELinux enabled kernel\n"),
+ Prog);
+
+ exit (E_BAD_ARG);
+ }
+ break;
+#endif
default:
usage ();
}
@@ -975,14 +1000,16 @@ int main (int argc, char **argv)
#endif
#ifdef WITH_SELINUX
- if (is_selinux_enabled () > 0) {
- const char *args[5];
- args[0] = "/usr/sbin/semanage";
- args[1] = "login";
- args[2] = "-d";
- args[3] = user_name;
- args[4] = NULL;
- safe_system (args[0], args, NULL, 1);
+ if (Zflg) {
+ if (is_selinux_enabled () > 0) {
+ const char *args[5];
+ args[0] = "/usr/sbin/semanage";
+ args[1] = "login";
+ args[2] = "-d";
+ args[3] = user_name;
+ args[4] = NULL;
+ safe_system (args[0], args, NULL, 1);
+ }
}
#endif
diff -up shadow-4.1.4.3/src/usermod.c.semange shadow-4.1.4.3/src/usermod.c
--- shadow-4.1.4.3/src/usermod.c.semange 2011-02-13 18:58:16.000000000 +0100
+++ shadow-4.1.4.3/src/usermod.c 2011-08-02 12:57:47.989838125 +0200
@@ -82,6 +82,9 @@
#define E_GRP_UPDATE 10 /* can't update group file */
/* #define E_NOSPACE 11 insufficient space to move home dir */
#define E_HOMEDIR 12 /* unable to complete home dir move */
+#define E_SE_UPDATE 13 /* can't update SELinux user mapping */
+
+
#define VALID(s) (strcspn (s, ":\n") == strlen (s))
/*
* Global variables
@@ -151,9 +154,6 @@ static void date_to_str (char *buf, size
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void);
-#endif
static void new_spent (struct spwd *);
static void fail_exit (int);
@@ -1785,8 +1785,32 @@ int main (int argc, char **argv)
nscd_flush_cache ("group");
#ifdef WITH_SELINUX
- if (Zflg) {
- selinux_update_mapping ();
+ if (Zflg && *user_selinux) {
+ if (is_selinux_enabled () > 0) {
+ const char *argv[7];
+
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-m";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 1)) {
+ argv[2] = "-a";
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+ #ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying User mapping ",
+ user_name, (unsigned int) user_id, 0);
+ #endif
+ fail_exit (E_SE_UPDATE);
+ }
+ }
+ }
}
#endif
@@ -1816,34 +1840,3 @@ int main (int argc, char **argv)
return E_SUCCESS;
}
-#ifdef WITH_SELINUX
-static void selinux_update_mapping (void) {
- const char *argv[7];
-
- if (is_selinux_enabled () <= 0) return;
-
- if (*user_selinux) {
- argv[0] = "/usr/sbin/semanage";
- argv[1] = "login";
- argv[2] = "-m";
- argv[3] = "-s";
- argv[4] = user_selinux;
- argv[5] = user_name;
- argv[6] = NULL;
- if (safe_system (argv[0], argv, NULL, 1)) {
- argv[2] = "-a";
- if (safe_system (argv[0], argv, NULL, 0)) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
-#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
- "modifying User mapping ",
- user_name, (unsigned int) user_id, 0);
-#endif
- }
- }
- }
-}
-#endif
-