diff --git a/shadow-4.1.1-selinux.patch b/shadow-4.1.1-selinux.patch deleted file mode 100644 index b99ea98..0000000 --- a/shadow-4.1.1-selinux.patch +++ /dev/null @@ -1,490 +0,0 @@ -diff -up /dev/null shadow-4.1.1/libmisc/system.c ---- /dev/null 2008-03-19 11:34:26.687502959 +0100 -+++ shadow-4.1.1/libmisc/system.c 2008-04-05 14:55:29.000000000 +0200 -@@ -0,0 +1,37 @@ -+#include -+ -+#ident "$Id: shell.c,v 1.13 2006/01/18 19:38:27 kloczek Exp $" -+ -+#include -+#include -+#include -+#include "prototypes.h" -+#include "defines.h" -+ -+int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr) -+{ -+ int status = -1; -+ int fd; -+ pid_t pid; -+ -+ pid = fork(); -+ if (pid < 0) -+ return -1; -+ -+ if (pid) { /* Parent */ -+ waitpid(pid, &status, 0); -+ return status; -+ } -+ -+ fd = open("/dev/null", O_RDWR); -+ /* Child */ -+ dup2(fd,0); // Close Stdin -+ if (ignore_stderr) -+ dup2(fd,2); // Close Stderr -+ -+ execve(command, (char *const *) argv, (char *const *) env); -+ fprintf (stderr, -+ _("Failed to exec '%s'\n"), argv[0]); -+ exit (-1); -+} -+ -diff -up shadow-4.1.1/libmisc/copydir.c.selinux shadow-4.1.1/libmisc/copydir.c ---- shadow-4.1.1/libmisc/copydir.c.selinux 2008-01-06 13:02:04.000000000 +0100 -+++ shadow-4.1.1/libmisc/copydir.c 2008-04-05 14:55:29.000000000 +0200 -@@ -82,7 +82,7 @@ static int copy_file (const char *src, c - * symlink, directory, ... - * - */ --static int selinux_file_context (const char *dst_name) -+int selinux_file_context (const char *dst_name) - { - security_context_t scontext = NULL; - -@@ -253,6 +253,12 @@ int copy_tree (const char *src_root, con - src_orig = 0; - dst_orig = 0; - } -+ -+#ifdef WITH_SELINUX -+ /* Reset SELinux to create files with default contexts */ -+ setfscreatecon (NULL); -+#endif -+ - return err; - } - -diff -up shadow-4.1.1/libmisc/Makefile.am.selinux shadow-4.1.1/libmisc/Makefile.am ---- shadow-4.1.1/libmisc/Makefile.am.selinux 2008-01-27 15:21:48.000000000 +0100 -+++ shadow-4.1.1/libmisc/Makefile.am 2008-04-05 14:55:29.000000000 +0200 -@@ -43,6 +43,7 @@ libmisc_a_SOURCES = \ - setugid.c \ - setupenv.c \ - shell.c \ -+ system.c \ - strtoday.c \ - sub.c \ - sulog.c \ -diff -up shadow-4.1.1/src/useradd.c.selinux shadow-4.1.1/src/useradd.c ---- shadow-4.1.1/src/useradd.c.selinux 2008-04-05 14:55:29.000000000 +0200 -+++ shadow-4.1.1/src/useradd.c 2008-04-05 14:55:29.000000000 +0200 -@@ -101,6 +101,7 @@ static const char *user_comment = ""; - static const char *user_home = ""; - static const char *user_shell = ""; - static const char *create_mail_spool = ""; -+static const char *user_selinux = ""; - - static long user_expire = -1; - static int is_shadow_pwd; -@@ -173,6 +174,7 @@ static int set_defaults (void); - static int get_groups (char *); - static void usage (void); - static void new_pwent (struct passwd *); -+static void selinux_update_mapping (void); - - static long scale_age (long); - static void new_spent (struct spwd *); -@@ -373,6 +375,7 @@ static void get_defaults (void) - def_create_mail_spool = xstrdup (cp); - } - } -+ fclose(fp); - } - - /* -@@ -665,6 +668,9 @@ static void usage (void) - " -s, --shell SHELL the login shell for the new user account\n" - " -u, --uid UID force use the UID for the new user account\n" - " -U, --user-group create a group with the same name as the user\n" -+#ifdef WITH_SELINUX -+ " -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping\n" -+#endif - "\n"), stderr); - exit (E_USAGE); - } -@@ -880,12 +886,19 @@ static void process_flags (int argc, cha - {"password", required_argument, NULL, 'p'}, - {"system", no_argument, NULL, 'r'}, - {"shell", required_argument, NULL, 's'}, -+#ifdef WITH_SELINUX -+ {"selinux-user", required_argument, NULL, 'Z'}, -+#endif - {"uid", required_argument, NULL, 'u'}, - {"user-group", no_argument, NULL, 'U'}, - {NULL, 0, NULL, '\0'} - }; - while ((c = -+#ifdef WITH_SELINUX -+ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:", -+#else - getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", -+#endif - long_options, NULL)) != -1) { - switch (c) { - case 'b': -@@ -1070,6 +1083,17 @@ static void process_flags (int argc, cha - case 'U': - Uflg++; - break; -+#ifdef WITH_SELINUX -+ case 'Z': -+ if (is_selinux_enabled() > 0) -+ user_selinux = optarg; -+ else { -+ fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog); -+ -+ exit (E_BAD_ARG); -+ } -+ break; -+#endif - default: - usage (); - } -@@ -1476,6 +1500,33 @@ static void usr_update (void) - grp_update (); - } - -+static void selinux_update_mapping () { -+ -+#ifdef WITH_SELINUX -+ if (is_selinux_enabled() <= 0) return; -+ -+ if (*user_selinux) { /* must be done after passwd write() */ -+ const char *argv[7]; -+ argv[0] = "/usr/sbin/semanage"; -+ argv[1] = "login"; -+ argv[2] = "-a"; -+ argv[3] = "-s"; -+ argv[4] = user_selinux; -+ argv[5] = user_name; -+ argv[6] = NULL; -+ if (safe_system(argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "adding SELinux user mapping", user_name, user_id, 0); -+#endif -+ } -+ } -+#endif -+ -+} - /* - * create_home - create the user's home directory - * -@@ -1485,7 +1536,11 @@ static void usr_update (void) - */ - static void create_home (void) - { -+ - if (access (user_home, F_OK)) { -+#ifdef WITH_SELINUX -+ selinux_file_context (user_home); -+#endif - /* XXX - create missing parent directories. --marekm */ - if (mkdir (user_home, 0)) { - fprintf (stderr, -@@ -1507,6 +1562,10 @@ static void create_home (void) - audit_logger (AUDIT_USER_CHAUTHTOK, Prog, - "adding home directory", user_name, user_id, 1); - #endif -+#ifdef WITH_SELINUX -+ /* Reset SELinux to create files with default contexts */ -+ setfscreatecon (NULL); -+#endif - } - } - -@@ -1760,6 +1819,8 @@ int main (int argc, char **argv) - - close_files (); - -+ selinux_update_mapping(); -+ - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); - -diff -up shadow-4.1.1/src/usermod.c.selinux shadow-4.1.1/src/usermod.c ---- shadow-4.1.1/src/usermod.c.selinux 2008-02-24 13:35:13.000000000 +0100 -+++ shadow-4.1.1/src/usermod.c 2008-04-05 14:55:29.000000000 +0200 -@@ -91,6 +91,7 @@ static char *user_newcomment; - static char *user_home; - static char *user_newhome; - static char *user_shell; -+static const char *user_selinux = ""; - static char *user_newshell; - static long user_expire; - static long user_newexpire; -@@ -138,6 +139,7 @@ static void date_to_str (char *buf, size - static int get_groups (char *); - static void usage (void); - static void new_pwent (struct passwd *); -+static void selinux_update_mapping (void); - - static void new_spent (struct spwd *); - static void fail_exit (int); -@@ -320,6 +322,9 @@ static void usage (void) - " -s, --shell SHELL new login shell for the user account\n" - " -u, --uid UID new UID for the user account\n" - " -U, --unlock unlock the user account\n" -+#ifdef WITH_SELINUX -+ " -Z, --selinux-user new selinux user mapping for the user account\n" -+#endif - "\n"), stderr); - exit (E_USAGE); - } -@@ -846,13 +851,20 @@ static void process_flags (int argc, cha - {"move-home", no_argument, NULL, 'm'}, - {"non-unique", no_argument, NULL, 'o'}, - {"password", required_argument, NULL, 'p'}, -+#ifdef WITH_SELINUX -+ {"selinux-user", required_argument, NULL, 'Z'}, -+#endif - {"shell", required_argument, NULL, 's'}, - {"uid", required_argument, NULL, 'u'}, - {"unlock", no_argument, NULL, 'U'}, - {NULL, 0, NULL, '\0'} - }; - while ((c = -- getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U", -+#ifdef WITH_SELINUX -+ getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:UZ:", -+#else -+ getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U", -+#endif - long_options, NULL)) != -1) { - switch (c) { - case 'a': -@@ -953,6 +965,16 @@ static void process_flags (int argc, cha - case 'U': - Uflg++; - break; -+#ifdef WITH_SELINUX -+ case 'Z': -+ if (is_selinux_enabled() > 0) -+ user_selinux = optarg; -+ else { -+ fprintf (stderr, _("%s: -Z requires SELinux enabled kernel\n"), Prog); -+ exit (E_BAD_ARG); -+ } -+ break; -+#endif - default: - usage (); - } -@@ -1530,6 +1552,8 @@ int main (int argc, char **argv) - nscd_flush_cache ("passwd"); - nscd_flush_cache ("group"); - -+ selinux_update_mapping(); -+ - if (mflg) - move_home (); - -@@ -1558,3 +1582,62 @@ int main (int argc, char **argv) - exit (E_SUCCESS); - /* NOT REACHED */ - } -+ -+static void selinux_update_mapping () { -+#ifdef WITH_SELINUX -+ const char *argv[7]; -+ -+ if (is_selinux_enabled() <= 0) return; -+ -+ if (*user_selinux) { -+ argv[0] = "/usr/sbin/semanage"; -+ argv[1] = "login"; -+ argv[2] = "-m"; -+ argv[3] = "-s"; -+ argv[4] = user_selinux; -+ argv[5] = user_name; -+ argv[6] = NULL; -+ if (safe_system(argv[0], argv, NULL, 1)) { -+ argv[2] = "-a"; -+ if (safe_system(argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), -+ Prog, user_name, user_selinux); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "modifying User mapping ", user_name, user_id, 0); -+#endif -+ } -+ } -+ } -+ -+ if (dflg || *user_selinux) { -+ argv[0] = "/usr/sbin/genhomedircon"; -+ argv[1] = NULL; -+ if(safe_system(argv[0], argv, NULL,0)) { -+ fprintf (stderr, -+ _("%s: warning: unable to relabel the homedir %s for %s.\n"), -+ Prog, user_home, user_name); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "relabeling home directory", user_name, user_id, 0); -+#endif -+ } -+ -+ argv[0] = "/sbin/restorecon"; -+ argv[1] = "-F"; -+ argv[2] = "-R"; -+ argv[3] = user_home; -+ argv[4] = NULL; -+ if (safe_system(argv[0], argv, NULL, 0)) { -+ fprintf (stderr, -+ _("%s: warning: unable to relabel the homedir %s for %s.\n"), -+ Prog, user_home, user_name); -+#ifdef WITH_AUDIT -+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, -+ "relabeling home directory", user_name, user_id, 0); -+#endif -+ } -+ } -+#endif -+} -diff -up shadow-4.1.1/src/userdel.c.selinux shadow-4.1.1/src/userdel.c ---- shadow-4.1.1/src/userdel.c.selinux 2008-03-08 21:48:26.000000000 +0100 -+++ shadow-4.1.1/src/userdel.c 2008-04-05 14:55:29.000000000 +0200 -@@ -809,6 +809,17 @@ int main (int argc, char **argv) - #endif - } - -+#ifdef WITH_SELINUX -+ if (is_selinux_enabled() > 0) { -+ const char *argv[5]; -+ argv[0] = "/usr/sbin/semanage"; -+ argv[1] = "login"; -+ argv[2] = "-d"; -+ argv[3] = user_name; -+ argv[4] = NULL; -+ safe_system(argv[0], argv, NULL, 1); -+ } -+#endif - /* - * Cancel any crontabs or at jobs. Have to do this before we remove - * the entry from /etc/passwd. -diff -up shadow-4.1.1/man/useradd.8.selinux shadow-4.1.1/man/useradd.8 ---- shadow-4.1.1/man/useradd.8.selinux 2008-04-05 14:55:29.000000000 +0200 -+++ shadow-4.1.1/man/useradd.8 2008-04-05 15:00:03.000000000 +0200 -@@ -219,6 +219,11 @@ options are not specified) is defined by - variable in - \fIlogin\.defs\fR\. - .RE -+.PP -+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR -+.RS 4 -+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\. -+.RE - .SS "Changing the default values" - .PP - When invoked with only the -diff -up shadow-4.1.1/man/usermod.8.xml.selinux shadow-4.1.1/man/usermod.8.xml ---- shadow-4.1.1/man/usermod.8.xml.selinux 2007-12-31 17:48:34.000000000 +0100 -+++ shadow-4.1.1/man/usermod.8.xml 2008-04-05 14:55:29.000000000 +0200 -@@ -245,6 +245,19 @@ - - - -+ -+ -+ , -+ SEUSER -+ -+ -+ -+ The SELinux user for the user's login. The default is to leave this -+ field the blank, which causes the system to select the default -+ SELinux user. -+ -+ -+ - - - -diff -up shadow-4.1.1/man/usermod.8.selinux shadow-4.1.1/man/usermod.8 ---- shadow-4.1.1/man/usermod.8.selinux 2008-04-03 00:43:16.000000000 +0200 -+++ shadow-4.1.1/man/usermod.8 2008-04-05 14:55:29.000000000 +0200 -@@ -133,6 +133,11 @@ Note: if you wish to unlock the account - value from - \fI/etc/default/useradd\fR)\. - .RE -+.PP -+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR -+.RS 4 -+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user. -+.RE - .SH "CAVEATS" - .PP - -diff -up shadow-4.1.1/man/useradd.8.xml.selinux shadow-4.1.1/man/useradd.8.xml ---- shadow-4.1.1/man/useradd.8.xml.selinux 2008-02-25 22:01:23.000000000 +0100 -+++ shadow-4.1.1/man/useradd.8.xml 2008-04-05 14:55:29.000000000 +0200 -@@ -326,6 +326,19 @@ - - - -+ -+ -+ , -+ SEUSER -+ -+ -+ -+ The SELinux user for the user's login. The default is to leave this -+ field blank, which causes the system to select the default SELinux -+ user. -+ -+ -+ - - - -diff -up shadow-4.1.1/lib/defines.h.selinux shadow-4.1.1/lib/defines.h ---- shadow-4.1.1/lib/defines.h.selinux 2008-02-03 18:52:52.000000000 +0100 -+++ shadow-4.1.1/lib/defines.h 2008-04-05 14:55:29.000000000 +0200 -@@ -321,4 +321,7 @@ extern char *strerror (); - # define unused - #endif - -+#ifdef WITH_SELINUX -+#include -+#endif - #endif /* _DEFINES_H_ */ -diff -up shadow-4.1.1/lib/prototypes.h.selinux shadow-4.1.1/lib/prototypes.h ---- shadow-4.1.1/lib/prototypes.h.selinux 2008-03-18 00:01:32.000000000 +0100 -+++ shadow-4.1.1/lib/prototypes.h 2008-04-05 15:03:41.000000000 +0200 -@@ -51,6 +51,10 @@ extern int copy_tree (const char *src_ro - long int uid, long int gid); - extern int remove_tree (const char *root); - -+#ifdef WITH_SELINUX -+extern int selinux_file_context (const char *dst_name); -+#endif -+ - /* encrypt.c */ - extern char *pw_encrypt (const char *, const char *); - -@@ -194,6 +198,9 @@ extern struct spwd *__spw_dup (const str - /* shell.c */ - extern int shell (const char *, const char *, char *const *); - -+/* system.c */ -+extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr); -+ - /* strtoday.c */ - extern long strtoday (const char *); - diff --git a/shadow-4.1.2-selinux.patch b/shadow-4.1.2-selinux.patch new file mode 100644 index 0000000..caf43b2 --- /dev/null +++ b/shadow-4.1.2-selinux.patch @@ -0,0 +1,490 @@ +diff -up /dev/null shadow-4.1.2/libmisc/system.c +--- /dev/null 2008-07-15 12:00:55.602698860 +0200 ++++ shadow-4.1.2/libmisc/system.c 2008-07-24 10:14:24.000000000 +0200 +@@ -0,0 +1,37 @@ ++#include ++ ++#ident "$Id: shell.c,v 1.13 2006/01/18 19:38:27 kloczek Exp $" ++ ++#include ++#include ++#include ++#include "prototypes.h" ++#include "defines.h" ++ ++int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr) ++{ ++ int status = -1; ++ int fd; ++ pid_t pid; ++ ++ pid = fork(); ++ if (pid < 0) ++ return -1; ++ ++ if (pid) { /* Parent */ ++ waitpid(pid, &status, 0); ++ return status; ++ } ++ ++ fd = open("/dev/null", O_RDWR); ++ /* Child */ ++ dup2(fd,0); // Close Stdin ++ if (ignore_stderr) ++ dup2(fd,2); // Close Stderr ++ ++ execve(command, (char *const *) argv, (char *const *) env); ++ fprintf (stderr, ++ _("Failed to exec '%s'\n"), argv[0]); ++ exit (-1); ++} ++ +diff -up shadow-4.1.2/libmisc/copydir.c.selinux shadow-4.1.2/libmisc/copydir.c +--- shadow-4.1.2/libmisc/copydir.c.selinux 2008-05-24 17:35:17.000000000 +0200 ++++ shadow-4.1.2/libmisc/copydir.c 2008-07-24 10:14:24.000000000 +0200 +@@ -85,7 +85,7 @@ static int copy_file (const char *src, c + * symlink, directory, ... + * + */ +-static int selinux_file_context (const char *dst_name) ++int selinux_file_context (const char *dst_name) + { + security_context_t scontext = NULL; + +@@ -256,6 +256,12 @@ int copy_tree (const char *src_root, con + src_orig = 0; + dst_orig = 0; + } ++ ++#ifdef WITH_SELINUX ++ /* Reset SELinux to create files with default contexts */ ++ setfscreatecon (NULL); ++#endif ++ + return err; + } + +diff -up shadow-4.1.2/libmisc/Makefile.am.selinux shadow-4.1.2/libmisc/Makefile.am +--- shadow-4.1.2/libmisc/Makefile.am.selinux 2008-01-27 15:21:48.000000000 +0100 ++++ shadow-4.1.2/libmisc/Makefile.am 2008-07-24 10:14:24.000000000 +0200 +@@ -43,6 +43,7 @@ libmisc_a_SOURCES = \ + setugid.c \ + setupenv.c \ + shell.c \ ++ system.c \ + strtoday.c \ + sub.c \ + sulog.c \ +diff -up shadow-4.1.2/src/useradd.c.selinux shadow-4.1.2/src/useradd.c +--- shadow-4.1.2/src/useradd.c.selinux 2008-07-24 10:13:23.000000000 +0200 ++++ shadow-4.1.2/src/useradd.c 2008-07-24 10:14:24.000000000 +0200 +@@ -104,6 +104,7 @@ static const char *user_comment = ""; + static const char *user_home = ""; + static const char *user_shell = ""; + static const char *create_mail_spool = ""; ++static const char *user_selinux = ""; + + static long user_expire = -1; + static int is_shadow_pwd; +@@ -176,6 +177,7 @@ static int set_defaults (void); + static int get_groups (char *); + static void usage (void); + static void new_pwent (struct passwd *); ++static void selinux_update_mapping (void); + + static long scale_age (long); + static void new_spent (struct spwd *); +@@ -376,6 +378,7 @@ static void get_defaults (void) + def_create_mail_spool = xstrdup (cp); + } + } ++ fclose(fp); + } + + /* +@@ -668,6 +671,9 @@ static void usage (void) + " -s, --shell SHELL the login shell for the new user account\n" + " -u, --uid UID force use the UID for the new user account\n" + " -U, --user-group create a group with the same name as the user\n" ++#ifdef WITH_SELINUX ++ " -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping\n" ++#endif + "\n"), stderr); + exit (E_USAGE); + } +@@ -883,12 +889,19 @@ static void process_flags (int argc, cha + {"password", required_argument, NULL, 'p'}, + {"system", no_argument, NULL, 'r'}, + {"shell", required_argument, NULL, 's'}, ++#ifdef WITH_SELINUX ++ {"selinux-user", required_argument, NULL, 'Z'}, ++#endif + {"uid", required_argument, NULL, 'u'}, + {"user-group", no_argument, NULL, 'U'}, + {NULL, 0, NULL, '\0'} + }; + while ((c = ++#ifdef WITH_SELINUX ++ getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:UZ:", ++#else + getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:lmMnNop:rs:u:U", ++#endif + long_options, NULL)) != -1) { + switch (c) { + case 'b': +@@ -1073,6 +1086,17 @@ static void process_flags (int argc, cha + case 'U': + Uflg++; + break; ++#ifdef WITH_SELINUX ++ case 'Z': ++ if (is_selinux_enabled() > 0) ++ user_selinux = optarg; ++ else { ++ fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog); ++ ++ exit (E_BAD_ARG); ++ } ++ break; ++#endif + default: + usage (); + } +@@ -1479,6 +1503,33 @@ static void usr_update (void) + grp_update (); + } + ++static void selinux_update_mapping () { ++ ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled() <= 0) return; ++ ++ if (*user_selinux) { /* must be done after passwd write() */ ++ const char *argv[7]; ++ argv[0] = "/usr/sbin/semanage"; ++ argv[1] = "login"; ++ argv[2] = "-a"; ++ argv[3] = "-s"; ++ argv[4] = user_selinux; ++ argv[5] = user_name; ++ argv[6] = NULL; ++ if (safe_system(argv[0], argv, NULL, 0)) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "adding SELinux user mapping", user_name, user_id, 0); ++#endif ++ } ++ } ++#endif ++ ++} + /* + * create_home - create the user's home directory + * +@@ -1488,7 +1539,11 @@ static void usr_update (void) + */ + static void create_home (void) + { ++ + if (access (user_home, F_OK)) { ++#ifdef WITH_SELINUX ++ selinux_file_context (user_home); ++#endif + /* XXX - create missing parent directories. --marekm */ + if (mkdir (user_home, 0)) { + fprintf (stderr, +@@ -1510,6 +1565,10 @@ static void create_home (void) + audit_logger (AUDIT_USER_CHAUTHTOK, Prog, + "adding home directory", user_name, user_id, 1); + #endif ++#ifdef WITH_SELINUX ++ /* Reset SELinux to create files with default contexts */ ++ setfscreatecon (NULL); ++#endif + } + } + +@@ -1763,6 +1822,8 @@ int main (int argc, char **argv) + + close_files (); + ++ selinux_update_mapping(); ++ + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); + +diff -up shadow-4.1.2/src/usermod.c.selinux shadow-4.1.2/src/usermod.c +--- shadow-4.1.2/src/usermod.c.selinux 2008-05-24 17:35:17.000000000 +0200 ++++ shadow-4.1.2/src/usermod.c 2008-07-24 10:14:24.000000000 +0200 +@@ -94,6 +94,7 @@ static char *user_newcomment; + static char *user_home; + static char *user_newhome; + static char *user_shell; ++static const char *user_selinux = ""; + static char *user_newshell; + static long user_expire; + static long user_newexpire; +@@ -141,6 +142,7 @@ static void date_to_str (char *buf, size + static int get_groups (char *); + static void usage (void); + static void new_pwent (struct passwd *); ++static void selinux_update_mapping (void); + + static void new_spent (struct spwd *); + static void fail_exit (int); +@@ -323,6 +325,9 @@ static void usage (void) + " -s, --shell SHELL new login shell for the user account\n" + " -u, --uid UID new UID for the user account\n" + " -U, --unlock unlock the user account\n" ++#ifdef WITH_SELINUX ++ " -Z, --selinux-user new selinux user mapping for the user account\n" ++#endif + "\n"), stderr); + exit (E_USAGE); + } +@@ -849,13 +854,20 @@ static void process_flags (int argc, cha + {"move-home", no_argument, NULL, 'm'}, + {"non-unique", no_argument, NULL, 'o'}, + {"password", required_argument, NULL, 'p'}, ++#ifdef WITH_SELINUX ++ {"selinux-user", required_argument, NULL, 'Z'}, ++#endif + {"shell", required_argument, NULL, 's'}, + {"uid", required_argument, NULL, 'u'}, + {"unlock", no_argument, NULL, 'U'}, + {NULL, 0, NULL, '\0'} + }; + while ((c = +- getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U", ++#ifdef WITH_SELINUX ++ getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:UZ:", ++#else ++ getopt_long (argc, argv, "ac:d:e:f:g:G:hl:Lmop:s:u:U", ++#endif + long_options, NULL)) != -1) { + switch (c) { + case 'a': +@@ -956,6 +968,16 @@ static void process_flags (int argc, cha + case 'U': + Uflg++; + break; ++#ifdef WITH_SELINUX ++ case 'Z': ++ if (is_selinux_enabled() > 0) ++ user_selinux = optarg; ++ else { ++ fprintf (stderr, _("%s: -Z requires SELinux enabled kernel\n"), Prog); ++ exit (E_BAD_ARG); ++ } ++ break; ++#endif + default: + usage (); + } +@@ -1534,6 +1556,8 @@ int main (int argc, char **argv) + nscd_flush_cache ("passwd"); + nscd_flush_cache ("group"); + ++ selinux_update_mapping(); ++ + if (mflg) + move_home (); + +@@ -1562,3 +1586,62 @@ int main (int argc, char **argv) + exit (E_SUCCESS); + /* NOT REACHED */ + } ++ ++static void selinux_update_mapping () { ++#ifdef WITH_SELINUX ++ const char *argv[7]; ++ ++ if (is_selinux_enabled() <= 0) return; ++ ++ if (*user_selinux) { ++ argv[0] = "/usr/sbin/semanage"; ++ argv[1] = "login"; ++ argv[2] = "-m"; ++ argv[3] = "-s"; ++ argv[4] = user_selinux; ++ argv[5] = user_name; ++ argv[6] = NULL; ++ if (safe_system(argv[0], argv, NULL, 1)) { ++ argv[2] = "-a"; ++ if (safe_system(argv[0], argv, NULL, 0)) { ++ fprintf (stderr, ++ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), ++ Prog, user_name, user_selinux); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "modifying User mapping ", user_name, user_id, 0); ++#endif ++ } ++ } ++ } ++ ++ if (dflg || *user_selinux) { ++ argv[0] = "/usr/sbin/genhomedircon"; ++ argv[1] = NULL; ++ if(safe_system(argv[0], argv, NULL,0)) { ++ fprintf (stderr, ++ _("%s: warning: unable to relabel the homedir %s for %s.\n"), ++ Prog, user_home, user_name); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "relabeling home directory", user_name, user_id, 0); ++#endif ++ } ++ ++ argv[0] = "/sbin/restorecon"; ++ argv[1] = "-F"; ++ argv[2] = "-R"; ++ argv[3] = user_home; ++ argv[4] = NULL; ++ if (safe_system(argv[0], argv, NULL, 0)) { ++ fprintf (stderr, ++ _("%s: warning: unable to relabel the homedir %s for %s.\n"), ++ Prog, user_home, user_name); ++#ifdef WITH_AUDIT ++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog, ++ "relabeling home directory", user_name, user_id, 0); ++#endif ++ } ++ } ++#endif ++} +diff -up shadow-4.1.2/src/userdel.c.selinux shadow-4.1.2/src/userdel.c +--- shadow-4.1.2/src/userdel.c.selinux 2008-05-24 17:35:17.000000000 +0200 ++++ shadow-4.1.2/src/userdel.c 2008-07-24 10:14:24.000000000 +0200 +@@ -811,6 +811,17 @@ int main (int argc, char **argv) + #endif + } + ++#ifdef WITH_SELINUX ++ if (is_selinux_enabled() > 0) { ++ const char *argv[5]; ++ argv[0] = "/usr/sbin/semanage"; ++ argv[1] = "login"; ++ argv[2] = "-d"; ++ argv[3] = user_name; ++ argv[4] = NULL; ++ safe_system(argv[0], argv, NULL, 1); ++ } ++#endif + /* + * Cancel any crontabs or at jobs. Have to do this before we remove + * the entry from /etc/passwd. +diff -up shadow-4.1.2/man/useradd.8.selinux shadow-4.1.2/man/useradd.8 +--- shadow-4.1.2/man/useradd.8.selinux 2008-07-24 10:13:23.000000000 +0200 ++++ shadow-4.1.2/man/useradd.8 2008-07-24 10:20:27.000000000 +0200 +@@ -239,6 +239,11 @@ options are not specified) is defined by + variable in + \fIlogin\&.defs\fR\&. + .RE ++.PP ++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR ++.RS 4 ++The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\. ++.RE + .SS "Changing the default values" + .PP + When invoked with only the +diff -up shadow-4.1.2/man/usermod.8.xml.selinux shadow-4.1.2/man/usermod.8.xml +--- shadow-4.1.2/man/usermod.8.xml.selinux 2007-12-31 17:48:34.000000000 +0100 ++++ shadow-4.1.2/man/usermod.8.xml 2008-07-24 10:14:24.000000000 +0200 +@@ -245,6 +245,19 @@ + + + ++ ++ ++ , ++ SEUSER ++ ++ ++ ++ The SELinux user for the user's login. The default is to leave this ++ field the blank, which causes the system to select the default ++ SELinux user. ++ ++ ++ + + + +diff -up shadow-4.1.2/man/usermod.8.selinux shadow-4.1.2/man/usermod.8 +--- shadow-4.1.2/man/usermod.8.selinux 2008-05-25 01:20:28.000000000 +0200 ++++ shadow-4.1.2/man/usermod.8 2008-07-24 10:21:39.000000000 +0200 +@@ -133,6 +133,11 @@ Note: if you wish to unlock the account + value from + \fI/etc/default/useradd\fR)\&. + .RE ++.PP ++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR ++.RS 4 ++The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user. ++.RE + .SH "CAVEATS" + .PP + +diff -up shadow-4.1.2/man/useradd.8.xml.selinux shadow-4.1.2/man/useradd.8.xml +--- shadow-4.1.2/man/useradd.8.xml.selinux 2008-05-20 00:18:17.000000000 +0200 ++++ shadow-4.1.2/man/useradd.8.xml 2008-07-24 10:14:24.000000000 +0200 +@@ -363,6 +363,19 @@ + + + ++ ++ ++ , ++ SEUSER ++ ++ ++ ++ The SELinux user for the user's login. The default is to leave this ++ field blank, which causes the system to select the default SELinux ++ user. ++ ++ ++ + + + +diff -up shadow-4.1.2/lib/defines.h.selinux shadow-4.1.2/lib/defines.h +--- shadow-4.1.2/lib/defines.h.selinux 2008-05-24 19:35:54.000000000 +0200 ++++ shadow-4.1.2/lib/defines.h 2008-07-24 10:14:24.000000000 +0200 +@@ -321,4 +321,7 @@ extern char *strerror (); + # define unused + #endif + ++#ifdef WITH_SELINUX ++#include ++#endif + #endif /* _DEFINES_H_ */ +diff -up shadow-4.1.2/lib/prototypes.h.selinux shadow-4.1.2/lib/prototypes.h +--- shadow-4.1.2/lib/prototypes.h.selinux 2008-04-27 02:40:13.000000000 +0200 ++++ shadow-4.1.2/lib/prototypes.h 2008-07-24 10:14:24.000000000 +0200 +@@ -83,6 +83,10 @@ extern int copy_tree (const char *src_ro + long int uid, long int gid); + extern int remove_tree (const char *root); + ++#ifdef WITH_SELINUX ++extern int selinux_file_context (const char *dst_name); ++#endif ++ + /* encrypt.c */ + extern char *pw_encrypt (const char *, const char *); + +@@ -226,6 +230,9 @@ extern struct spwd *__spw_dup (const str + /* shell.c */ + extern int shell (const char *, const char *, char *const *); + ++/* system.c */ ++extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr); ++ + /* strtoday.c */ + extern long strtoday (const char *); + diff --git a/shadow-utils.spec b/shadow-utils.spec index 62095e8..36b0310 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec @@ -5,7 +5,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.1.2 -Release: 2%{?dist} +Release: 3%{?dist} Epoch: 2 URL: http://pkg-shadow.alioth.debian.org/ Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2 @@ -14,7 +14,7 @@ Source2: shadow-4.0.18.1-useradd Patch0: shadow-4.1.2-redhat.patch Patch1: shadow-4.1.2-goodname.patch -Patch2: shadow-4.1.1-selinux.patch +Patch2: shadow-4.1.2-selinux.patch Patch3: shadow-4.1.2-sysAccountDownhill.patch License: BSD @@ -185,6 +185,9 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/vigr.8* %changelog +* Thu Jul 24 2008 Peter Vrabec 2:4.1.2-3 +- recreate selinux patch + * Tue Jul 22 2008 Peter Vrabec 2:4.1.2-2 - provide getspnam by man-pages