rpms/shadow-utils/devel shadow-4.1.0-selinux.patch, 1.1, 1.2 shadow-utils.spec, 1.110, 1.111

Peter Vrabec (pvrabec) fedora-extras-commits at redhat.com
Mon Mar 3 14:14:14 UTC 2008


Author: pvrabec

Update of /cvs/extras/rpms/shadow-utils/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5674

Modified Files:
	shadow-4.1.0-selinux.patch shadow-utils.spec 
Log Message:
fix selinux labeling  (#433757)


shadow-4.1.0-selinux.patch:

Index: shadow-4.1.0-selinux.patch
===================================================================
RCS file: /cvs/extras/rpms/shadow-utils/devel/shadow-4.1.0-selinux.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- shadow-4.1.0-selinux.patch	12 Dec 2007 15:07:44 -0000	1.1
+++ shadow-4.1.0-selinux.patch	3 Mar 2008 14:14:07 -0000	1.2
@@ -1,6 +1,6 @@
-diff -up /dev/null shadow-4.1.0/libmisc/system.c
---- /dev/null	2007-12-08 00:31:02.590331462 +0100
-+++ shadow-4.1.0/libmisc/system.c	2007-12-12 14:13:30.000000000 +0100
+diff -upb shadow-4.1.0/libmisc/system.c.selinux shadow-4.1.0/libmisc/system.c
+--- shadow-4.1.0/libmisc/system.c.selinux	2008-03-03 14:18:17.000000000 +0100
++++ shadow-4.1.0/libmisc/system.c	2008-03-03 14:18:17.000000000 +0100
 @@ -0,0 +1,37 @@
 +#include <config.h>
 +
@@ -39,21 +39,9 @@
 +	exit (-1);
 +}
 +
-diff -up shadow-4.1.0/libmisc/copydir.c.selinux shadow-4.1.0/libmisc/copydir.c
---- shadow-4.1.0/libmisc/copydir.c.selinux	2007-11-11 00:45:59.000000000 +0100
-+++ shadow-4.1.0/libmisc/copydir.c	2007-12-12 14:13:30.000000000 +0100
-@@ -54,7 +54,7 @@ struct link_name {
- static struct link_name *links;
- 
- #ifdef WITH_SELINUX
--static int selinux_file_context (const char *dst_name)
-+int selinux_file_context (const char *dst_name)
- {
- 	security_context_t scontext = NULL;
- 
-diff -up shadow-4.1.0/libmisc/Makefile.am.selinux shadow-4.1.0/libmisc/Makefile.am
+diff -upb shadow-4.1.0/libmisc/Makefile.am.selinux shadow-4.1.0/libmisc/Makefile.am
 --- shadow-4.1.0/libmisc/Makefile.am.selinux	2007-11-23 10:15:48.000000000 +0100
-+++ shadow-4.1.0/libmisc/Makefile.am	2007-12-12 14:13:30.000000000 +0100
++++ shadow-4.1.0/libmisc/Makefile.am	2008-03-03 14:18:17.000000000 +0100
 @@ -42,6 +42,7 @@ libmisc_a_SOURCES = \
  	setugid.c \
  	setupenv.c \
@@ -62,139 +50,208 @@
  	strtoday.c \
  	sub.c \
  	sulog.c \
-diff -up shadow-4.1.0/src/useradd.c.selinux shadow-4.1.0/src/useradd.c
---- shadow-4.1.0/src/useradd.c.selinux	2007-12-12 14:11:41.000000000 +0100
-+++ shadow-4.1.0/src/useradd.c	2007-12-12 14:24:12.000000000 +0100
-@@ -100,6 +100,7 @@ static const char *user_comment = "";
- static const char *user_home = "";
- static const char *user_shell = "";
- static const char *create_mail_spool = "";
-+static const char *user_selinux = "";
+diff -upb shadow-4.1.0/libmisc/copydir.c.selinux shadow-4.1.0/libmisc/copydir.c
+--- shadow-4.1.0/libmisc/copydir.c.selinux	2007-11-11 00:45:59.000000000 +0100
++++ shadow-4.1.0/libmisc/copydir.c	2008-03-03 14:19:01.000000000 +0100
+@@ -54,7 +54,7 @@ struct link_name {
+ static struct link_name *links;
  
- static long user_expire = -1;
- static int is_shadow_pwd;
-@@ -170,6 +171,7 @@ static int set_defaults (void);
- static int get_groups (char *);
- static void usage (void);
- static void new_pwent (struct passwd *);
-+static void selinux_update_mapping (void);
+ #ifdef WITH_SELINUX
+-static int selinux_file_context (const char *dst_name)
++int selinux_file_context (const char *dst_name)
+ {
+ 	security_context_t scontext = NULL;
  
- static long scale_age (long);
- static void new_spent (struct spwd *);
-@@ -356,6 +358,7 @@ static void get_defaults (void)
- 			def_create_mail_spool = xstrdup (cp);
+@@ -199,7 +199,7 @@ int copy_tree (const char *src_root, con
+ 		if (strlen (src_root) + strlen (ent->d_name) + 2 >
+ 		    sizeof src_name) {
+ 			err++;
+-			break;
++			break;
  		}
+ 		snprintf (src_name, sizeof src_name, "%s/%s", src_root,
+ 			  ent->d_name);
+@@ -207,7 +207,7 @@ int copy_tree (const char *src_root, con
+ 		if (strlen (dst_root) + strlen (ent->d_name) + 2 >
+ 		    sizeof dst_name) {
+ 			err++;
+-			break;
++			break;
+ 		}
+ 		snprintf (dst_name, sizeof dst_name, "%s/%s", dst_root,
+ 			  ent->d_name);
+@@ -313,7 +313,7 @@ int copy_tree (const char *src_root, con
+ 			if (mknod (dst_name, sb.st_mode & ~07777, sb.st_rdev)
+ 			    || chown (dst_name,
+ 				      uid == (uid_t) - 1 ? sb.st_uid : uid,
+-				      gid == (gid_t) - 1 ? sb.st_gid : gid)
++				      gid == (gid_t) - 1 ? sb.st_gid : gid)
+ 			    || chmod (dst_name, sb.st_mode & 07777)) {
+ 				err++;
+ 				break;
+@@ -363,6 +363,10 @@ int copy_tree (const char *src_root, con
+ 		src_orig = 0;
+ 		dst_orig = 0;
  	}
-+	fclose(fp);
- }
- 
- /*
-@@ -644,6 +647,10 @@ static void usage (void)
- 			   "                                account\n"
- 			   "  -s, --shell SHELL             the login shell for the new user account\n"
- 			   "  -u, --uid UID                 force use the UID for the new user account\n"
 +#ifdef WITH_SELINUX
-+                           "  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping\n"
++	/* Reset SELinux to create files with default contexts */
++	setfscreatecon (NULL);
 +#endif
-+
- 			   "\n"));
- 	exit (E_USAGE);
+ 	return err ? -1 : 0;
  }
-@@ -1030,11 +1037,18 @@ static void process_flags (int argc, cha
- 			{"non-unique", no_argument, NULL, 'o'},
- 			{"password", required_argument, NULL, 'p'},
- 			{"shell", required_argument, NULL, 's'},
-+#ifdef WITH_SELINUX
-+			{"selinux-user", required_argument, NULL, 'Z'},
-+#endif
- 			{"uid", required_argument, NULL, 'u'},
- 			{NULL, 0, NULL, '\0'}
- 		};
- 		while ((c =
+ 
+diff -upb shadow-4.1.0/man/usermod.8.xml.selinux shadow-4.1.0/man/usermod.8.xml
+--- shadow-4.1.0/man/usermod.8.xml.selinux	2007-12-09 00:24:36.000000000 +0100
++++ shadow-4.1.0/man/usermod.8.xml	2008-03-03 14:18:17.000000000 +0100
+@@ -245,6 +245,19 @@
+ 	  </para>
+ 	</listitem>
+       </varlistentry>
++       <varlistentry>
++        <term>
++         <option>-Z</option>, <option>--selinux-user</option>
++         <replaceable>SEUSER</replaceable>
++       </term>
++       <listitem>
++         <para>
++           The SELinux user for the user's login. The default is to leave this
++           field the blank, which causes the system to select the default
++           SELinux user.
++         </para>
++       </listitem>
++      </varlistentry>
+     </variablelist>
+   </refsect1>
+ 
+diff -upb shadow-4.1.0/man/useradd.8.selinux shadow-4.1.0/man/useradd.8
+--- shadow-4.1.0/man/useradd.8.selinux	2008-03-03 14:14:45.000000000 +0100
++++ shadow-4.1.0/man/useradd.8	2008-03-03 14:18:17.000000000 +0100
+@@ -163,6 +163,11 @@ doesn\'t work yet\.
+ Allow the creation of a user account with a duplicate (non\-unique) UID\.
+ .RE
+ .PP
++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR
++.RS 4
++The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\.
++.RE
++.PP
+ \fB\-p\fR, \fB\-\-password\fR \fIPASSWORD\fR
+ .RS 4
+ The encrypted password, as returned by
+diff -upb shadow-4.1.0/man/usermod.8.selinux shadow-4.1.0/man/usermod.8
+--- shadow-4.1.0/man/usermod.8.selinux	2007-12-10 00:07:16.000000000 +0100
++++ shadow-4.1.0/man/usermod.8	2008-03-03 14:18:17.000000000 +0100
+@@ -133,6 +133,11 @@ Note: if you wish to unlock the account 
+ value from
+ \fI/etc/default/useradd\fR)\.
+ .RE
++.PP
++\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR
++.RS 4
++The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user.
++.RE
+ .SH "CAVEATS"
+ .PP
+ 
+diff -upb shadow-4.1.0/man/useradd.8.xml.selinux shadow-4.1.0/man/useradd.8.xml
+--- shadow-4.1.0/man/useradd.8.xml.selinux	2007-12-09 00:24:36.000000000 +0100
++++ shadow-4.1.0/man/useradd.8.xml	2008-03-03 14:18:17.000000000 +0100
+@@ -273,6 +273,19 @@
+ 	    between 0 and 999 are typically reserved for system accounts.
+ 	  </para>
+ 	</listitem>
++      </varlistentry>
++      <varlistentry>
++	<term>
++	  <option>-Z</option>, <option>--selinux-user</option>
++	  <replaceable>SEUSER</replaceable>
++	</term>
++	<listitem>
++	  <para>
++	    The SELinux user for the user's login. The default is to leave this
++	    field blank, which causes the system to select the default SELinux
++            user.
++	  </para>
++	</listitem>
+       </varlistentry>
+     </variablelist>
+ 
+@@ -346,7 +359,7 @@
+ 	    </para>
+ 	  </listitem>
+ 	</varlistentry>
+-      </variablelist>
++      </variablelist>
+ 
+     </refsect2>
+   </refsect1>
+@@ -399,7 +412,7 @@
+ 
+   <refsect1 id='files'>
+     <title>FILES</title>
+-    <variablelist>
++    <variablelist>
+       <varlistentry>
+ 	<term><filename>/etc/passwd</filename></term>
+ 	<listitem>
+diff -upb shadow-4.1.0/lib/prototypes.h.selinux shadow-4.1.0/lib/prototypes.h
+--- shadow-4.1.0/lib/prototypes.h.selinux	2007-11-23 21:10:52.000000000 +0100
++++ shadow-4.1.0/lib/prototypes.h	2008-03-03 14:18:17.000000000 +0100
+@@ -53,6 +53,9 @@ extern int is_listed (const char *, cons
+ /* copydir.c */
+ extern int copy_tree (const char *, const char *, uid_t, gid_t);
+ extern int remove_tree (const char *);
 +#ifdef WITH_SELINUX
-+			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:Z:",
-+#else
- 			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:",
++extern int selinux_file_context (const char *dst_name);
 +#endif
- 				     long_options, NULL)) != -1) {
- 			switch (c) {
- 			case 'b':
-@@ -1215,6 +1229,17 @@ static void process_flags (int argc, cha
-                         case 'M':
-                                 Mflg++;
-                                 break;
-+#ifdef WITH_SELINUX
-+                        case 'Z':
-+				if (is_selinux_enabled() > 0)
-+					user_selinux = optarg;
-+				else {
-+					fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog);
+ 
+ /* encrypt.c */
+ extern char *pw_encrypt (const char *, const char *);
+@@ -151,6 +154,9 @@ extern void setup_env (struct passwd *);
+ /* shell.c */
+ extern int shell (const char *, const char *, char *const *);
+ 
++/* system.c */
++extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr);
 +
-+					exit (E_BAD_ARG);
-+				}
-+                                break;
+ /* strtoday.c */
+ extern long strtoday (const char *);
+ 
+diff -upb shadow-4.1.0/lib/defines.h.selinux shadow-4.1.0/lib/defines.h
+--- shadow-4.1.0/lib/defines.h.selinux	2007-11-24 12:18:35.000000000 +0100
++++ shadow-4.1.0/lib/defines.h	2008-03-03 14:18:17.000000000 +0100
+@@ -342,4 +342,7 @@ extern char *strerror ();
+ #include <libaudit.h>
+ #endif
+ 
++#ifdef WITH_SELINUX
++#include <selinux/selinux.h>
 +#endif
- 			default:
- 				usage ();
- 			}
-@@ -1583,6 +1608,33 @@ static void usr_update (void)
- 		grp_update ();
- }
+ #endif				/* _DEFINES_H_ */
+diff -upb shadow-4.1.0/src/userdel.c.selinux shadow-4.1.0/src/userdel.c
+--- shadow-4.1.0/src/userdel.c.selinux	2007-11-24 23:41:19.000000000 +0100
++++ shadow-4.1.0/src/userdel.c	2008-03-03 14:18:17.000000000 +0100
+@@ -809,6 +809,17 @@ int main (int argc, char **argv)
+ #endif
+ 	}
  
-+static void selinux_update_mapping () {
-+
 +#ifdef WITH_SELINUX
-+	if (is_selinux_enabled() <= 0) return;
-+
-+        if (*user_selinux) { /* must be done after passwd write() */
-+		const char *argv[7];
++	if (is_selinux_enabled() > 0) { 
++		const char *argv[5];
 +		argv[0] = "/usr/sbin/semanage";
 +		argv[1] = "login";
-+		argv[2] = "-a";
-+		argv[3] = "-s";
-+		argv[4] = user_selinux;
-+		argv[5] = user_name;
-+		argv[6] = NULL;
-+                if (safe_system(argv[0], argv, NULL, 0)) {
-+			fprintf (stderr,
-+				 _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
-+				 Prog, user_name, user_selinux);
-+#ifdef WITH_AUDIT
-+			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-+				      "adding SELinux user mapping", user_name, user_id, 0);
++		argv[2] = "-d";
++		argv[3] = user_name;
++		argv[4] = NULL;
++                safe_system(argv[0], argv, NULL, 1);
++        }
 +#endif        
-+		}
-+	}
-+#endif
-+
-+}
- /*
-  * create_home - create the user's home directory
-  *
-@@ -1592,7 +1644,11 @@ static void usr_update (void)
-  */
- static void create_home (void)
- {
-+
- 	if (access (user_home, F_OK)) {
-+#ifdef WITH_SELINUX
-+		selinux_file_context (user_home);
-+#endif
- 		/* XXX - create missing parent directories.  --marekm */
- 		if (mkdir (user_home, 0)) {
- 			fprintf (stderr,
-@@ -1818,6 +1874,8 @@ int main (int argc, char **argv)
- 
- 	usr_update ();
- 
-+	selinux_update_mapping();
-+
- 	if (mflg) {
- 		create_home ();
- 		if (home_added)
-diff -up shadow-4.1.0/src/usermod.c.selinux shadow-4.1.0/src/usermod.c
+ 	/*
+ 	 * Cancel any crontabs or at jobs. Have to do this before we remove
+ 	 * the entry from /etc/passwd.
+diff -upb shadow-4.1.0/src/usermod.c.selinux shadow-4.1.0/src/usermod.c
 --- shadow-4.1.0/src/usermod.c.selinux	2007-11-24 23:41:19.000000000 +0100
-+++ shadow-4.1.0/src/usermod.c	2007-12-12 14:21:44.000000000 +0100
++++ shadow-4.1.0/src/usermod.c	2008-03-03 14:18:17.000000000 +0100
 @@ -90,6 +90,7 @@ static char *user_comment;
  static char *user_home;
  static char *user_newhome;
@@ -211,6 +268,21 @@
  
  static void new_spent (struct spwd *);
  static void fail_exit (int);
+@@ -250,12 +252,12 @@ static int get_groups (char *list)
+ #endif
+ 
+ 		if (ngroups == sys_ngroups) {
+-			fprintf (stderr,
++			fprintf (stderr,
+ 				 _
+ 				 ("%s: too many groups specified (max %d).\n"),
+ 				 Prog, ngroups);
+ 			break;
+-		}
++		}
+ 
+ 		/*
+ 		 * Add the group name to the user's list of groups.
 @@ -302,6 +304,9 @@ static void usage (void)
  			   "  -s, --shell SHELL             new login shell for the user account\n"
  			   "  -u, --uid UID                 new UID for the user account\n"
@@ -221,6 +293,33 @@
  			   "\n"));
  	exit (E_USAGE);
  }
+@@ -332,7 +337,7 @@ static char *new_pw_passwd (char *pw_pas
+ 				   "You should set a password with usermod -p to unlock this user account.\n"),
+ 				 Prog);
+ 			return pw_pass;
+-		}
++		}
+ 
+ #ifdef WITH_AUDIT
+ 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "updating password",
+@@ -405,7 +410,7 @@ static void new_pwent (struct passwd *pw
+ #else
+ 		pwent->pw_gecos = user_comment;
+ #endif
+-	}
++	}
+ 
+ 	if (dflg) {
+ #ifdef WITH_AUDIT
+@@ -826,7 +831,7 @@ static void process_flags (int argc, cha
+ 		user_comment = xstrdup (pwd->pw_gecos);
+ 		user_home = xstrdup (pwd->pw_dir);
+ 		user_shell = xstrdup (pwd->pw_shell);
+-	}
++	}
+ #ifdef WITH_AUDIT
+ 	user_newname = user_name;
+ 	user_newid = user_id;
 @@ -888,13 +893,20 @@ static void process_flags (int argc, cha
  			{"move-home", no_argument, NULL, 'm'},
  			{"non-unique", no_argument, NULL, 'o'},
@@ -242,6 +341,15 @@
  				     long_options, NULL)) != -1) {
  			switch (c) {
  			case 'a':
+@@ -966,7 +978,7 @@ static void process_flags (int argc, cha
+ 					fprintf (stderr,
+ 						 _("%s: unknown group %s\n"),
+ 						 Prog, optarg);
+-					exit (E_NOTFOUND);
++					exit (E_NOTFOUND);
+ 				}
+ 				user_newgid = grp->gr_gid;
+ 				gflg++;
 @@ -1028,6 +1040,16 @@ static void process_flags (int argc, cha
  			case 'U':
  				Uflg++;
@@ -259,6 +367,15 @@
  			default:
  				usage ();
  			}
+@@ -1040,7 +1062,7 @@ static void process_flags (int argc, cha
+ 		exit (E_USAGE);
+ 	}
+ 	if (!is_shadow_pwd && (eflg || fflg)) {
+-		fprintf (stderr,
++		fprintf (stderr,
+ 			 _
+ 			 ("%s: shadow passwords required for -e and -f\n"),
+ 			 Prog);
 @@ -1575,6 +1597,8 @@ int main (int argc, char **argv)
  	nscd_flush_cache ("passwd");
  	nscd_flush_cache ("group");
@@ -331,134 +448,228 @@
 +	}
 +#endif
 +}
-diff -up shadow-4.1.0/src/userdel.c.selinux shadow-4.1.0/src/userdel.c
---- shadow-4.1.0/src/userdel.c.selinux	2007-11-24 23:41:19.000000000 +0100
-+++ shadow-4.1.0/src/userdel.c	2007-12-12 14:13:30.000000000 +0100
-@@ -809,6 +809,17 @@ int main (int argc, char **argv)
- #endif
- 	}
+diff -upb shadow-4.1.0/src/useradd.c.selinux shadow-4.1.0/src/useradd.c
+--- shadow-4.1.0/src/useradd.c.selinux	2008-03-03 14:14:45.000000000 +0100
++++ shadow-4.1.0/src/useradd.c	2008-03-03 14:19:01.000000000 +0100
+@@ -100,6 +100,7 @@ static const char *user_comment = "";
+ static const char *user_home = "";
+ static const char *user_shell = "";
+ static const char *create_mail_spool = "";
++static const char *user_selinux = "";
  
-+#ifdef WITH_SELINUX
-+	if (is_selinux_enabled() > 0) { 
-+		const char *argv[5];
-+		argv[0] = "/usr/sbin/semanage";
-+		argv[1] = "login";
-+		argv[2] = "-d";
-+		argv[3] = user_name;
-+		argv[4] = NULL;
-+                safe_system(argv[0], argv, NULL, 1);
-+        }
-+#endif        
- 	/*
- 	 * Cancel any crontabs or at jobs. Have to do this before we remove
- 	 * the entry from /etc/passwd.
-diff -up shadow-4.1.0/man/useradd.8.selinux shadow-4.1.0/man/useradd.8
---- shadow-4.1.0/man/useradd.8.selinux	2007-12-12 14:11:41.000000000 +0100
-+++ shadow-4.1.0/man/useradd.8	2007-12-12 14:19:21.000000000 +0100
-@@ -163,6 +163,11 @@ doesn\'t work yet\.
- Allow the creation of a user account with a duplicate (non\-unique) UID\.
- .RE
- .PP
-+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR
-+.RS 4
-+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user\.
-+.RE
-+.PP
- \fB\-p\fR, \fB\-\-password\fR \fIPASSWORD\fR
- .RS 4
- The encrypted password, as returned by
-diff -up shadow-4.1.0/man/usermod.8.xml.selinux shadow-4.1.0/man/usermod.8.xml
---- shadow-4.1.0/man/usermod.8.xml.selinux	2007-12-09 00:24:36.000000000 +0100
-+++ shadow-4.1.0/man/usermod.8.xml	2007-12-12 14:13:30.000000000 +0100
-@@ -245,6 +245,19 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
-+       <varlistentry>
-+        <term>
-+         <option>-Z</option>, <option>--selinux-user</option>
-+         <replaceable>SEUSER</replaceable>
-+       </term>
-+       <listitem>
-+         <para>
-+           The SELinux user for the user's login. The default is to leave this
-+           field the blank, which causes the system to select the default
-+           SELinux user.
-+         </para>
-+       </listitem>
-+      </varlistentry>
-     </variablelist>
-   </refsect1>
+ static long user_expire = -1;
+ static int is_shadow_pwd;
+@@ -170,6 +171,7 @@ static int set_defaults (void);
+ static int get_groups (char *);
+ static void usage (void);
+ static void new_pwent (struct passwd *);
++static void selinux_update_mapping (void);
  
-diff -up shadow-4.1.0/man/usermod.8.selinux shadow-4.1.0/man/usermod.8
---- shadow-4.1.0/man/usermod.8.selinux	2007-12-10 00:07:16.000000000 +0100
-+++ shadow-4.1.0/man/usermod.8	2007-12-12 14:17:10.000000000 +0100
-@@ -133,6 +133,11 @@ Note: if you wish to unlock the account 
- value from
- \fI/etc/default/useradd\fR)\.
- .RE
-+.PP
-+\fB\-Z\fR, \fB\-\-selinux-user\fR \fISEUSER\fR
-+.RS 4
-+The SELinux user for the user\'s login\. The default is to leave this field blank, which causes the system to select the default SELinux user.
-+.RE
- .SH "CAVEATS"
- .PP
+ static long scale_age (long);
+ static void new_spent (struct spwd *);
+@@ -356,6 +358,7 @@ static void get_defaults (void)
+ 			def_create_mail_spool = xstrdup (cp);
+ 		}
+ 	}
++	fclose(fp);
+ }
  
-diff -up shadow-4.1.0/man/useradd.8.xml.selinux shadow-4.1.0/man/useradd.8.xml
---- shadow-4.1.0/man/useradd.8.xml.selinux	2007-12-09 00:24:36.000000000 +0100
-+++ shadow-4.1.0/man/useradd.8.xml	2007-12-12 14:13:30.000000000 +0100
-@@ -274,6 +274,19 @@
- 	  </para>
- 	</listitem>
-       </varlistentry>
-+      <varlistentry>
-+	<term>
-+	  <option>-Z</option>, <option>--selinux-user</option>
-+	  <replaceable>SEUSER</replaceable>
-+	</term>
-+	<listitem>
-+	  <para>
-+	    The SELinux user for the user's login. The default is to leave this
-+	    field blank, which causes the system to select the default SELinux
-+            user.
-+	  </para>
-+	</listitem>
-+      </varlistentry>
-     </variablelist>
+ /*
+@@ -586,7 +589,7 @@ static int get_groups (char *list)
+ #endif
  
-     <refsect2 id='changing_the_default_values'>
-diff -up shadow-4.1.0/lib/defines.h.selinux shadow-4.1.0/lib/defines.h
---- shadow-4.1.0/lib/defines.h.selinux	2007-11-24 12:18:35.000000000 +0100
-+++ shadow-4.1.0/lib/defines.h	2007-12-12 14:13:30.000000000 +0100
-@@ -342,4 +342,7 @@ extern char *strerror ();
- #include <libaudit.h>
+ 		if (ngroups == sys_ngroups) {
+-			fprintf (stderr,
++			fprintf (stderr,
+ 				 _
+ 				 ("%s: too many groups specified (max %d).\n"),
+ 				 Prog, ngroups);
+@@ -644,6 +647,10 @@ static void usage (void)
+ 			   "                                account\n"
+ 			   "  -s, --shell SHELL             the login shell for the new user account\n"
+ 			   "  -u, --uid UID                 force use the UID for the new user account\n"
++#ifdef WITH_SELINUX
++                           "  -Z, --selinux-user SEUSER     use a specific SEUSER for the SELinux user mapping\n"
++#endif
++
+ 			   "\n"));
+ 	exit (E_USAGE);
+ }
+@@ -696,7 +703,7 @@ static void new_spent (struct spwd *spen
+ 		spent->sp_warn = scale_age (getdef_num ("PASS_WARN_AGE", -1));
+ 		spent->sp_inact = scale_age (def_inactive);
+ 		spent->sp_expire = scale_age (user_expire);
+-	}
++	}
+ 	else {
+ 		spent->sp_min = scale_age(-1);
+                 spent->sp_max = scale_age(-1);
+@@ -1030,32 +1037,39 @@ static void process_flags (int argc, cha
+ 			{"non-unique", no_argument, NULL, 'o'},
+ 			{"password", required_argument, NULL, 'p'},
+ 			{"shell", required_argument, NULL, 's'},
++#ifdef WITH_SELINUX
++			{"selinux-user", required_argument, NULL, 'Z'},
++#endif
+ 			{"uid", required_argument, NULL, 'u'},
+ 			{NULL, 0, NULL, '\0'}
+ 		};
+ 		while ((c =
++#ifdef WITH_SELINUX
++			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:Z:",
++#else
+ 			getopt_long (argc, argv, "b:c:d:De:f:g:G:k:K:mlMnrop:s:u:",
++#endif
+ 				     long_options, NULL)) != -1) {
+ 			switch (c) {
+ 			case 'b':
+ 				if (!VALID (optarg)
+ 				    || optarg[0] != '/') {
+-					fprintf (stderr,
++					fprintf (stderr,
+ 						 _
+ 						 ("%s: invalid base directory '%s'\n"),
+ 						 Prog, optarg);
+-					exit (E_BAD_ARG);
++					exit (E_BAD_ARG);
+ 				}
+ 				def_home = optarg;
+ 				bflg++;
+ 				break;
+ 			case 'c':
+ 				if (!VALID (optarg)) {
+-					fprintf (stderr,
++					fprintf (stderr,
+ 						 _
+ 						 ("%s: invalid comment '%s'\n"),
+ 						 Prog, optarg);
+-					exit (E_BAD_ARG);
++					exit (E_BAD_ARG);
+ 				}
+ 				user_comment = optarg;
+ 				cflg++;
+@@ -1063,11 +1077,11 @@ static void process_flags (int argc, cha
+ 			case 'd':
+ 				if (!VALID (optarg)
+ 				    || optarg[0] != '/') {
+-					fprintf (stderr,
++					fprintf (stderr,
+ 						 _
+ 						 ("%s: invalid home directory '%s'\n"),
+ 						 Prog, optarg);
+-					exit (E_BAD_ARG);
++					exit (E_BAD_ARG);
+ 				}
+ 				user_home = optarg;
+ 				dflg++;
+@@ -1161,7 +1175,7 @@ static void process_flags (int argc, cha
+ 						 _
+ 						 ("%s: -K requires KEY=VALUE\n"),
+ 						 Prog);
+-					exit (E_BAD_ARG);
++					exit (E_BAD_ARG);
+ 				}
+ 				/* terminate name, point to value */
+ 				*cp++ = '\0';
+@@ -1215,6 +1229,17 @@ static void process_flags (int argc, cha
+                         case 'M':
+                                 Mflg++;
+                                 break;
++#ifdef WITH_SELINUX
++                        case 'Z':
++				if (is_selinux_enabled() > 0)
++					user_selinux = optarg;
++				else {
++					fprintf (stderr,_("%s: -Z requires SELinux enabled kernel\n"), Prog);
++
++					exit (E_BAD_ARG);
++				}
++                                break;
++#endif
+ 			default:
+ 				usage ();
+ 			}
+@@ -1238,7 +1263,7 @@ static void process_flags (int argc, cha
+ 	 */
+ 	if (Dflg) {
+ 		if (optind != argc)
+-			usage ();
++			usage ();
+ 
+ 		if (uflg || oflg || Gflg || dflg || cflg || mflg)
+ 			usage ();
+@@ -1253,7 +1278,7 @@ static void process_flags (int argc, cha
+ 				 ("%s: invalid user name '%s'\n"),
+ 				 Prog, user_name);
+ #ifdef WITH_AUDIT
+-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user",
++			audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "adding user",
+ 				      user_name, -1, 0);
  #endif
+ 			exit (E_BAD_ARG);
+@@ -1583,6 +1608,33 @@ static void usr_update (void)
+ 		grp_update ();
+ }
  
++static void selinux_update_mapping () {
++
 +#ifdef WITH_SELINUX
-+#include <selinux/selinux.h>
++	if (is_selinux_enabled() <= 0) return;
++
++        if (*user_selinux) { /* must be done after passwd write() */
++		const char *argv[7];
++		argv[0] = "/usr/sbin/semanage";
++		argv[1] = "login";
++		argv[2] = "-a";
++		argv[3] = "-s";
++		argv[4] = user_selinux;
++		argv[5] = user_name;
++		argv[6] = NULL;
++                if (safe_system(argv[0], argv, NULL, 0)) {
++			fprintf (stderr,
++				 _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
++				 Prog, user_name, user_selinux);
++#ifdef WITH_AUDIT
++			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++				      "adding SELinux user mapping", user_name, user_id, 0);
++#endif        
++		}
++	}
 +#endif
- #endif				/* _DEFINES_H_ */
-diff -up shadow-4.1.0/lib/prototypes.h.selinux shadow-4.1.0/lib/prototypes.h
---- shadow-4.1.0/lib/prototypes.h.selinux	2007-11-23 21:10:52.000000000 +0100
-+++ shadow-4.1.0/lib/prototypes.h	2007-12-12 14:13:30.000000000 +0100
-@@ -53,6 +53,9 @@ extern int is_listed (const char *, cons
- /* copydir.c */
- extern int copy_tree (const char *, const char *, uid_t, gid_t);
- extern int remove_tree (const char *);
++
++}
+ /*
+  * create_home - create the user's home directory
+  *
+@@ -1592,7 +1644,11 @@ static void usr_update (void)
+  */
+ static void create_home (void)
+ {
++
+ 	if (access (user_home, F_OK)) {
 +#ifdef WITH_SELINUX
-+extern int selinux_file_context (const char *dst_name);
++		selinux_file_context (user_home);
 +#endif
+ 		/* XXX - create missing parent directories.  --marekm */
+ 		if (mkdir (user_home, 0)) {
+ 			fprintf (stderr,
+@@ -1614,6 +1670,10 @@ static void create_home (void)
+ 		audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ 			      "adding home directory", user_name, user_id, 1);
+ #endif
++#ifdef WITH_SELINUX
++	/* Reset SELinux to create files with default contexts */
++		setfscreatecon (NULL);
++#endif
+ 	}
+ }
  
- /* encrypt.c */
- extern char *pw_encrypt (const char *, const char *);
-@@ -151,6 +154,9 @@ extern void setup_env (struct passwd *);
- /* shell.c */
- extern int shell (const char *, const char *, char *const *);
+@@ -1847,6 +1907,8 @@ int main (int argc, char **argv)
  
-+/* system.c */
-+extern int safe_system(const char *command, const char *argv[], const char *env[], int ignore_stderr);
+ 	close_files ();
+ 
++	selinux_update_mapping();
 +
- /* strtoday.c */
- extern long strtoday (const char *);
+ 	nscd_flush_cache ("passwd");
+ 	nscd_flush_cache ("group");
  


Index: shadow-utils.spec
===================================================================
RCS file: /cvs/extras/rpms/shadow-utils/devel/shadow-utils.spec,v
retrieving revision 1.110
retrieving revision 1.111
diff -u -r1.110 -r1.111
--- shadow-utils.spec	19 Feb 2008 12:01:10 -0000	1.110
+++ shadow-utils.spec	3 Mar 2008 14:14:07 -0000	1.111
@@ -5,7 +5,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-%{version}.tar.bz2
@@ -195,6 +195,9 @@
 %{_mandir}/man8/vigr.8*
 
 %changelog
+* Mon Mar 03 2008 Peter Vrabec <pvrabec at redhat.com> 2:4.1.0-4
+- fix selinux labeling  (#433757)
+
 * Tue Feb 19 2008 Peter Vrabec <pvrabec at redhat.com> 2:4.1.0-3
 - fix groupmems segmentation fault (#430813)
 




More information about the fedora-extras-commits mailing list