* src/usermod.c, man/usermod.8.xml: usermod -Z "" removes the SELinux user mapping for the modified user.
	* src/useradd.c: Zflg is #defined as user_selinux non empty.
This commit is contained in:
nekral-guest 2011-11-21 22:02:15 +00:00
parent e570b8ded4
commit 360f12cd44
5 changed files with 44 additions and 19 deletions


@ -1,3 +1,9 @@
2011-11-21 Nicolas François <nicolas.francois@centraliens.net>
* src/usermod.c, man/usermod.8.xml: usermod -Z "" removes the
SELinux user mapping for the modified user.
* src/useradd.c: Zflg is #defined as user_selinux non empty.
2011-11-21 Peter Vrabec <pvrabec@redhat.com> 2011-11-21 Peter Vrabec <pvrabec@redhat.com>
* libmisc/copydir.c: Ignore errors to copy ACLs if the operation * libmisc/copydir.c: Ignore errors to copy ACLs if the operation


@ -507,7 +507,7 @@
<para> <para>
The SELinux user for the user's login. The default is to leave this The SELinux user for the user's login. The default is to leave this
field blank, which causes the system to select the default SELinux field blank, which causes the system to select the default SELinux
user. user.
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -377,9 +377,12 @@
</term> </term>
<listitem> <listitem>
<para> <para>
The SELinux user for the user's login. The default is to leave The new SELinux user for the user's login.
this field the blank, which causes the system to select the </para>
default SELinux user. <para>
A blank <replaceable>SEUSER</replaceable> will remove the
SELinux user mapping for user <replaceable>LOGIN</replaceable>
(if any).
</para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -111,7 +111,7 @@ static const char *user_home = "";
static const char *user_shell = ""; static const char *user_shell = "";
static const char *create_mail_spool = ""; static const char *create_mail_spool = "";
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
static const char *user_selinux = ""; static /*@notnull@*/const char *user_selinux = "";
#endif /* WITH_SELINUX */ #endif /* WITH_SELINUX */
static long user_expire = -1; static long user_expire = -1;
@ -145,12 +145,13 @@ static bool
oflg = false, /* permit non-unique user ID to be specified with -u */ oflg = false, /* permit non-unique user ID to be specified with -u */
rflg = false, /* create a system account */ rflg = false, /* create a system account */
sflg = false, /* shell program for new account */ sflg = false, /* shell program for new account */
#ifdef WITH_SELINUX
Zflg = false, /* new selinux user */
#endif /* WITH_SELINUX */
uflg = false, /* specify user ID for new account */ uflg = false, /* specify user ID for new account */
Uflg = false; /* create a group having the same name as the user */ Uflg = false; /* create a group having the same name as the user */
#ifdef WITH_SELINUX
#define Zflg ('\0' != *user_selinux)
#endif /* WITH_SELINUX */
static bool home_added = false; static bool home_added = false;
/* /*
@ -1214,7 +1215,6 @@ static void process_flags (int argc, char **argv)
case 'Z': case 'Z':
if (is_selinux_enabled () > 0) { if (is_selinux_enabled () > 0) {
user_selinux = optarg; user_selinux = optarg;
Zflg = true;
} else { } else {
fprintf (stderr, fprintf (stderr,
_("%s: -Z requires SELinux enabled kernel\n"), _("%s: -Z requires SELinux enabled kernel\n"),
@ -2058,7 +2058,7 @@ int main (int argc, char **argv)
close_files (); close_files ();
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
if (Zflg && ('\0' != *user_selinux)) { if (Zflg) {
if (set_seuser (user_name, user_selinux) != 0) { if (set_seuser (user_name, user_selinux) != 0) {
fprintf (stderr, fprintf (stderr,
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
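Review bot: The `#define Zflg ('\0' != *user_selinux)` sits in the middle of the `static bool` flag list and reads like one more variable, but it is a macro re-evaluated on every use, and it silently turns `useradd -Z ""` into "no -Z given": the `if (Zflg)` at the end of main then skips set_seuser without any diagnostic. That matches the useradd.8.xml wording that a blank field means the system default, so I would document the intent at the definition rather than change it, e.g. `/* -Z given with a non-empty SEUSER; "-Z ''" is the same as not passing -Z (system-default SELinux user). */`. The `/*@notnull@*/` annotation is only sound if the 'Z' option is declared with a required argument so `optarg` is never NULL at `user_selinux = optarg;` — worth confirming against the getopt table, which is outside this hunk. The `main` body containing the final `if (Zflg)` continues past the hunk.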


@ -1890,17 +1890,33 @@ int main (int argc, char **argv)
nscd_flush_cache ("group"); nscd_flush_cache ("group");
#ifdef WITH_SELINUX #ifdef WITH_SELINUX
if (Zflg && *user_selinux) { if (Zflg) {
if (set_seuser (user_name, user_selinux) != 0) { if ('\0' != *user_selinux) {
fprintf (stderr, if (set_seuser (user_name, user_selinux) != 0) {
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"), fprintf (stderr,
Prog, user_name, user_selinux); _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
Prog, user_name, user_selinux);
#ifdef WITH_AUDIT #ifdef WITH_AUDIT
audit_logger (AUDIT_USER_CHAUTHTOK, Prog, audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
"modifying User mapping ", "modifying User mapping ",
user_name, (unsigned int) user_id, 0); user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */ #endif /* WITH_AUDIT */
fail_exit (E_SE_UPDATE); fail_exit (E_SE_UPDATE);
}
} else {
if (del_seuser (user_name) != 0) {
fprintf (stderr,
_("%s: warning: the user name %s to SELinux user mapping removal failed.\n"),
Prog, user_name);
#ifdef WITH_AUDIT
audit_logger (AUDIT_ADD_USER, Prog,
"removing SELinux user mapping",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
fail_exit (E_SE_UPDATE);
}
} }
} }
#endif /* WITH_SELINUX */ #endif /* WITH_SELINUX */
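Review bot: The new removal-failure branch logs with `AUDIT_ADD_USER` while the set-failure branch a few lines above logs the same kind of event with `AUDIT_USER_CHAUTHTOK`; removing a SELinux mapping from an existing account is a modification, not an account creation, so the two records should use the same type, i.e. `audit_logger (AUDIT_USER_CHAUTHTOK, Prog,` (or whatever type this file uses for its other usermod changes). Both messages are prefixed "warning:" yet are immediately followed by `fail_exit (E_SE_UPDATE)`, so the new string would be less misleading without the "warning:" prefix. The man page promises removal "(if any)", but if `del_seuser` returns non-zero when no mapping exists the command will exit E_SE_UPDATE after `close_files ()`/`nscd_flush_cache` have already committed the passwd changes — worth checking del_seuser's contract, which is not visible here. The `main` body continues before and after this hunk.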