From 09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Fri, 8 Oct 2021 13:09:59 +0200
Subject: [PATCH 1/2] useradd: create directories after the SELinux user

Create the home and mail folders after the SELinux user has been set for the added user. This will allow the folders to be created with the SELinux user label.

Signed-off-by: Iker Pedrosa
---
 src/useradd.c | 46 +++++++++++++++++++++++-----------------------
 1 file changed, 23 insertions(+), 23 deletions(-)

diff --git a/src/useradd.c b/src/useradd.c
index 6269c01c..b463a170 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -2670,27 +2670,12 @@ int main (int argc, char **argv)
 
 usr_update (subuid_count, subgid_count);
 
- if (mflg) {
- create_home ();
- if (home_added) {
- copy_tree (def_template, prefix_user_home, false, false,
- (uid_t)-1, user_id, (gid_t)-1, user_gid);
- } else {
- fprintf (stderr,
- _("%s: warning: the home directory %s already exists.\n"
- "%s: Not copying any file from skel directory into it.\n"),
- Prog, user_home, Prog);
- }
-
- }
-
- /* Do not create mail directory for system accounts */
- if (!rflg) {
- create_mail ();
- }
-
 close_files ();
 
+ nscd_flush_cache ("passwd");
+ nscd_flush_cache ("group");
+ sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+
 /*
 * tallylog_reset needs to be able to lookup
 * a valid existing user name,
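Review bot: The home and mail directory creation is moved from before `close_files ();` to after it (the block reappears in the second hunk, below the SELinux mapping), so an error exit inside create_home(), copy_tree() or create_mail() now happens after the account databases have been closed rather than while they were still open. If close_files() is what commits the passwd/shadow/group updates, a failure that previously aborted without creating the account will now leave a committed user with no home directory or mail spool; I cannot see create_home() or fail_exit() from here, so confirm whether fail_exit() still removes anything at that point. Either way the new ordering deserves a line at the moved block, e.g. `/* Account already committed by close_files(): a failure below must not leave it half set up. */`, or explicit cleanup on that path. Note also that the nscd/sssd flushes now run before the home directory exists, which is harmless for the caches but widens the window in which a lookup sees the user without a $HOME. main() begins outside this hunk.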
@@ -2716,15 +2701,30 @@ int main (int argc, char **argv)
 }
 #endif /* WITH_SELINUX */
 
+ if (mflg) {
+ create_home ();
+ if (home_added) {
+ copy_tree (def_template, prefix_user_home, false, false,
+ (uid_t)-1, user_id, (gid_t)-1, user_gid);
+ } else {
+ fprintf (stderr,
+ _("%s: warning: the home directory %s already exists.\n"
+ "%s: Not copying any file from skel directory into it.\n"),
+ Prog, user_home, Prog);
+ }
+
+ }
+
+ /* Do not create mail directory for system accounts */
+ if (!rflg) {
+ create_mail ();
+ }
+
 if (run_parts ("/etc/shadow-maint/useradd-post.d", (char*)user_name, "useradd")) {
 exit(1);
 }
 
- nscd_flush_cache ("passwd");
- nscd_flush_cache ("group");
- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
-
 return E_SUCCESS;
 }

From 234af5cf67fc1a3ba99fc246ba65869a3c416545 Mon Sep 17 00:00:00 2001
From: Iker Pedrosa
Date: Fri, 8 Oct 2021 13:13:13 +0200
Subject: [PATCH 2/2] semanage: close the selabel handle

Close the selabel handle to update the file_context. This means that the file_context will be remmaped and used by selabel_lookup() to return the appropriate context to label the home folder.

Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081

Signed-off-by: Iker Pedrosa
---
 lib/prototypes.h | 1 +
 lib/selinux.c | 5 +++++
 lib/semanage.c | 1 +
 3 files changed, 7 insertions(+)

diff --git a/lib/prototypes.h b/lib/prototypes.h
index 1d1586d4..b697e0ec 100644
--- a/lib/prototypes.h
+++ b/lib/prototypes.h
@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
 /* selinux.c */
 #ifdef WITH_SELINUX
 extern int set_selinux_file_context (const char *dst_name, mode_t mode);
+extern void reset_selinux_handle (void);
 extern int reset_selinux_file_context (void);
 extern int check_selinux_permit (const char *perm_name);
 #endif
diff --git a/lib/selinux.c b/lib/selinux.c
index c83545f9..b075d4c0 100644
--- a/lib/selinux.c
+++ b/lib/selinux.c
@@ -50,6 +50,11 @@ static void cleanup(void)
 }
 }
 
+ void reset_selinux_handle (void)
+ {
+ cleanup();
+ }
+
 /*
 * set_selinux_file_context - Set the security context before any file or
 * directory creation.
diff --git a/lib/semanage.c b/lib/semanage.c
index 0d30456a..a5bf9218 100644
--- a/lib/semanage.c
+++ b/lib/semanage.c
@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
 }
 
 ret = 0;
+ reset_selinux_handle();
 
 done:
 semanage_seuser_key_free (key);
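Review bot: `reset_selinux_handle ()` is exported without any comment, while the neighbouring function in this file carries a header block (`set_selinux_file_context - Set the security context ...`); since its whole body is a call to the static `cleanup()` whose effect lies outside the hunk, a reader of prototypes.h cannot tell what is reset or when the call is needed. Add a matching block above it, e.g. `/* reset_selinux_handle - Drop the cached selabel handle so the next lookup re-reads the file_context database, e.g. after the user's SELinux mapping was changed with set_seuser(). */`. It is also worth stating whether calling it before any handle was created is a no-op: the two closing braces at the top of the hunk suggest cleanup() guards its work with a condition, but that condition is not visible here.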
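Review bot: The `reset_selinux_handle();` added after `ret = 0;` has no comment explaining why a semanage routine drops the SELinux label handle; the connection (the seuser mapping just changed, so a handle opened earlier would hand out stale contexts) is recorded only in the commit message. A one-line why-comment at the call, `/* The seuser mapping changed: drop the cached selabel handle so later lookups see it. */`, keeps that reasoning with the code. Placing it on the success path only looks right, since a failed set_seuser() leaves the mapping unchanged. set_seuser() begins outside this hunk.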