* src/usermod.c, man/usermod.8.xml: usermod -Z "" removes the

SELinux user mapping for the modified user.
	* src/useradd.c: Zflg is #defined as user_selinux non empty.

ChangeLog

@@ -1,3 +1,9 @@
+2011-11-21  Nicolas François  <nicolas.francois@centraliens.net>
+
+	* src/usermod.c, man/usermod.8.xml: usermod -Z "" removes the
+	SELinux user mapping for the modified user.
+	* src/useradd.c: Zflg is #defined as user_selinux non empty.
+
 2011-11-21  Peter Vrabec  <pvrabec@redhat.com>
 
 	* libmisc/copydir.c: Ignore errors to copy ACLs if the operation

man/useradd.8.xml

@@ -507,7 +507,7 @@
 	  <para>
 	    The SELinux user for the user's login. The default is to leave this
 	    field blank, which causes the system to select the default SELinux
-	     user.
+	    user.
 	  </para>
 	</listitem>
       </varlistentry>

man/usermod.8.xml

@@ -377,9 +377,12 @@
 	</term>
 	<listitem>
 	  <para>
-	    The SELinux user for the user's login. The default is to leave
-	    this field the blank, which causes the system to select the
-	    default SELinux user.
+	    The new SELinux user for the user's login.
+	  </para>
+	  <para>
+	    A blank <replaceable>SEUSER</replaceable> will remove the
+	    SELinux user mapping for user <replaceable>LOGIN</replaceable>
+	    (if any).
 	  </para>
 	</listitem>
       </varlistentry>

src/useradd.c

@@ -111,7 +111,7 @@ static const char *user_home = "";
 static const char *user_shell = "";
 static const char *create_mail_spool = "";
 #ifdef WITH_SELINUX
-static const char *user_selinux = "";
+static /*@notnull@*/const char *user_selinux = "";
 #endif				/* WITH_SELINUX */
 
 static long user_expire = -1;
@@ -145,12 +145,13 @@ static bool
     oflg = false,		/* permit non-unique user ID to be specified with -u */
     rflg = false,		/* create a system account */
     sflg = false,		/* shell program for new account */
-#ifdef WITH_SELINUX
-    Zflg = false,		/* new selinux user */
-#endif				/* WITH_SELINUX */
     uflg = false,		/* specify user ID for new account */
     Uflg = false;		/* create a group having the same name as the user */
 
+#ifdef WITH_SELINUX
+#define Zflg ('\0' != *user_selinux)
+#endif				/* WITH_SELINUX */
+
 static bool home_added = false;
 
 /*
@@ -1214,7 +1215,6 @@ static void process_flags (int argc, char **argv)
 			case 'Z':
 				if (is_selinux_enabled () > 0) {
 					user_selinux = optarg;
-					Zflg = true;
 				} else {
 					fprintf (stderr,
 					         _("%s: -Z requires SELinux enabled kernel\n"),
@@ -2058,7 +2058,7 @@ int main (int argc, char **argv)
 	close_files ();
 
 #ifdef WITH_SELINUX
-	if (Zflg && ('\0' != *user_selinux)) {
+	if (Zflg) {
 		if (set_seuser (user_name, user_selinux) != 0) {
 			fprintf (stderr,
 			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),

src/usermod.c

@@ -1890,17 +1890,33 @@ int main (int argc, char **argv)
 	nscd_flush_cache ("group");
 
 #ifdef WITH_SELINUX
-	if (Zflg && *user_selinux) {
-		if (set_seuser (user_name, user_selinux) != 0) {
-			fprintf (stderr,
-			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
-			         Prog, user_name, user_selinux);
+	if (Zflg) {
+		if ('\0' != *user_selinux) {
+			if (set_seuser (user_name, user_selinux) != 0) {
+				fprintf (stderr,
+				         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+				         Prog, user_name, user_selinux);
 #ifdef WITH_AUDIT
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "modifying User mapping ",
-			              user_name, (unsigned int) user_id, 0);
+				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+				              "modifying User mapping ",
+				              user_name, (unsigned int) user_id,
+				              SHADOW_AUDIT_FAILURE);
 #endif				/* WITH_AUDIT */
-			fail_exit (E_SE_UPDATE);
+				fail_exit (E_SE_UPDATE);
+			}
+		} else {
+			if (del_seuser (user_name) != 0) {
+				fprintf (stderr,
+				         _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"),
+				         Prog, user_name);
+#ifdef WITH_AUDIT
+				audit_logger (AUDIT_ADD_USER, Prog,
+				              "removing SELinux user mapping",
+				              user_name, (unsigned int) user_id,
+				              SHADOW_AUDIT_FAILURE);
+#endif				/* WITH_AUDIT */
+				fail_exit (E_SE_UPDATE);
+			}
 		}
 	}
 #endif				/* WITH_SELINUX */