[Pkg-shadow-commits] r2643 - in upstream/trunk: . lib libmisc man src
Nicolas FRANÇOIS
nekral-guest at alioth.debian.org
Sat Apr 11 15:34:10 UTC 2009
Author: nekral-guest
Date: 2009-04-11 15:34:10 +0000 (Sat, 11 Apr 2009)
New Revision: 2643
Added:
upstream/trunk/libmisc/system.c
Modified:
upstream/trunk/ChangeLog
upstream/trunk/NEWS
upstream/trunk/TODO
upstream/trunk/lib/prototypes.h
upstream/trunk/libmisc/Makefile.am
upstream/trunk/libmisc/copydir.c
upstream/trunk/man/useradd.8.xml
upstream/trunk/man/usermod.8.xml
upstream/trunk/src/useradd.c
upstream/trunk/src/userdel.c
upstream/trunk/src/usermod.c
Log:
* NEWS, src/useradd.c, man/useradd.8.xml: add -Z option to map
SELinux user for user's login.
* NEWS, src/usermod.c, man/usermod.8.xml: Likewise.
* libmisc/system.c, libmisc/Makefile.am, lib/prototypes.h: Added
safe_system(). Used to run semanage.
* lib/prototypes.h, libmisc/copydir.c: Make a
selinux_file_context() an extern function.
* libmisc/copydir.c: Reset SELinux to create files with default
contexts at the end of copy_tree().
* NEWS, src/userdel.c: Delete the SELinux user mapping for user's
login.
Modified: upstream/trunk/ChangeLog
===================================================================
--- upstream/trunk/ChangeLog 2009-04-11 14:55:49 UTC (rev 2642)
+++ upstream/trunk/ChangeLog 2009-04-11 15:34:10 UTC (rev 2643)
@@ -1,5 +1,19 @@
2009-04-11 Peter Vrabec <pvrabec at redhat.com>
+ * NEWS, src/useradd.c, man/useradd.8.xml: add -Z option to map
+ SELinux user for user's login.
+ * NEWS, src/usermod.c, man/usermod.8.xml: Likewise.
+ * libmisc/system.c, libmisc/Makefile.am, lib/prototypes.h: Added
+ safe_system(). Used to run semanage.
+ * lib/prototypes.h, libmisc/copydir.c: Make a
+ selinux_file_context() an extern function.
+ * libmisc/copydir.c: Reset SELinux to create files with default
+ contexts at the end of copy_tree().
+ * NEWS, src/userdel.c: Delete the SELinux user mapping for user's
+ login.
+
+2009-04-11 Peter Vrabec <pvrabec at redhat.com>
+
* src/useradd.c (get_defaults): Close the default file after the
default values were read.
Modified: upstream/trunk/NEWS
===================================================================
--- upstream/trunk/NEWS 2009-04-11 14:55:49 UTC (rev 2642)
+++ upstream/trunk/NEWS 2009-04-11 15:34:10 UTC (rev 2643)
@@ -89,22 +89,26 @@
- pwck
* warn for users with UID set to (uid_t)-1.
- su
- *
+ * Preserve COLORTERM in addition to TERM when su is called with the -l
+ option.
- useradd
* audit logging improvements.
* Speedup (see "addition of users or groups" above).
* See CREATE_HOME above.
* New -M/--no-create-home option to disable CREATE_HOME.
* do not create users with UID set to (gid_t)-1.
+ * Added -Z option to map SELinux user for user's login.
- userdel
* audit logging improvements.
* Do not fail if the removed user is not in the shadow database.
* When the user's group shall be removed, do not fail if this group is
not in the gshadow file.
+ * Delete the SELinux user mapping for user's login.
- usermod
* Allow adding LDAP users (or any user not present in the local passwd
file) to local groups
* do not create users with UID set to (gid_t)-1.
+ * Added -Z option to map SELinux user for user's login.
shadow-4.1.2.1 -> shadow-4.1.2.2 23-11-2008
Modified: upstream/trunk/TODO
===================================================================
--- upstream/trunk/TODO 2009-04-11 14:55:49 UTC (rev 2642)
+++ upstream/trunk/TODO 2009-04-11 15:34:10 UTC (rev 2643)
@@ -46,6 +46,7 @@
newusers
- add logging to SYSLOG & AUDIT
- use CREATE_HOME
+ - Add a -Z option (see useradd / usermod)
Document when/where option appeared, document whether an option is standard
or not.
Modified: upstream/trunk/lib/prototypes.h
===================================================================
--- upstream/trunk/lib/prototypes.h 2009-04-11 14:55:49 UTC (rev 2642)
+++ upstream/trunk/lib/prototypes.h 2009-04-11 15:34:10 UTC (rev 2643)
@@ -118,6 +118,10 @@
long int uid, long int gid);
extern int remove_tree (const char *root);
+#ifdef WITH_SELINUX
+extern int selinux_file_context (const char *dst_name);
+#endif
+
/* encrypt.c */
extern char *pw_encrypt (const char *, const char *);
@@ -304,6 +308,12 @@
/* shell.c */
extern int shell (const char *, const char *, char *const *);
+/* system.c */
+extern int safe_system (const char *command,
+ const char *argv[],
+ const char *env[],
+ int ignore_stderr);
+
/* strtoday.c */
extern long strtoday (const char *);
Modified: upstream/trunk/libmisc/Makefile.am
===================================================================
--- upstream/trunk/libmisc/Makefile.am 2009-04-11 14:55:49 UTC (rev 2642)
+++ upstream/trunk/libmisc/Makefile.am 2009-04-11 15:34:10 UTC (rev 2643)
@@ -48,6 +48,7 @@
setugid.c \
setupenv.c \
shell.c \
+ system.c \
strtoday.c \
sub.c \
sulog.c \
Modified: upstream/trunk/libmisc/copydir.c
===================================================================
--- upstream/trunk/libmisc/copydir.c 2009-04-11 14:55:49 UTC (rev 2642)
+++ upstream/trunk/libmisc/copydir.c 2009-04-11 15:34:10 UTC (rev 2643)
@@ -83,8 +83,11 @@
* selinux_file_context () should be called before any creation of file,
* symlink, directory, ...
*
+ * Callers may have to Reset SELinux to create files with default
+ * contexts:
+ * setfscreatecon (NULL);
*/
-static int selinux_file_context (const char *dst_name)
+int selinux_file_context (const char *dst_name)
{
static bool selinux_checked = false;
static bool selinux_enabled;
@@ -259,6 +262,12 @@
src_orig = NULL;
dst_orig = NULL;
}
+
+#ifdef WITH_SELINUX
+ /* Reset SELinux to create files with default contexts */
+ setfscreatecon (NULL);
+#endif
+
return err;
}
Added: upstream/trunk/libmisc/system.c
===================================================================
--- upstream/trunk/libmisc/system.c (rev 0)
+++ upstream/trunk/libmisc/system.c 2009-04-11 15:34:10 UTC (rev 2643)
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2009 - , Peter Vrabec
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the copyright holders or contributors may not be used to
+ * endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include <config.h>
+
+#ident "$Id$"
+
+#include <stdio.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include "prototypes.h"
+#include "defines.h"
+
+int safe_system (const char *command,
+ const char *argv[],
+ const char *env[],
+ int ignore_stderr)
+{
+ int status = -1;
+ int fd;
+ pid_t pid;
+
+ pid = fork();
+ if (pid < 0) {
+ return -1;
+ }
+
+ if (pid) { /* Parent */
+ waitpid (pid, &status, 0);
+ return status;
+ }
+
+ fd = open ("/dev/null", O_RDWR);
+ /* Child */
+ dup2 (fd, 0); // Close Stdin
+ if (ignore_stderr) {
+ dup2 (fd, 2); // Close Stderr
+ }
+
+ execve (command, (char *const *) argv, (char *const *) env);
+ fprintf (stderr, _("Failed to exec '%s'\n"), argv[0]);
+ exit (-1);
+}
+
Property changes on: upstream/trunk/libmisc/system.c
___________________________________________________________________
Added: svn:keywords
+ Id
Modified: upstream/trunk/man/useradd.8.xml
===================================================================
--- upstream/trunk/man/useradd.8.xml 2009-04-11 14:55:49 UTC (rev 2642)
+++ upstream/trunk/man/useradd.8.xml 2009-04-11 15:34:10 UTC (rev 2643)
@@ -459,6 +459,19 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>-Z</option>, <option>--selinux-user</option>
+ <replaceable>SEUSER</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The SELinux user for the user's login. The default is to leave this
+ field blank, which causes the system to select the default SELinux
+ user.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
<refsect2 id='changing_the_default_values'>
Modified: upstream/trunk/man/usermod.8.xml
===================================================================
--- upstream/trunk/man/usermod.8.xml 2009-04-11 14:55:49 UTC (rev 2642)
+++ upstream/trunk/man/usermod.8.xml 2009-04-11 15:34:10 UTC (rev 2643)
@@ -289,6 +289,19 @@
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>-Z</option>, <option>--selinux-user</option>
+ <replaceable>SEUSER</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The SELinux user for the user's login. The default is to leave
+ this field the blank, which causes the system to select the
+ default SELinux user.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
Modified: upstream/trunk/src/useradd.c
===================================================================
--- upstream/trunk/src/useradd.c 2009-04-11 14:55:49 UTC (rev 2642)
+++ upstream/trunk/src/useradd.c 2009-04-11 15:34:10 UTC (rev 2643)
@@ -108,6 +108,9 @@
static const char *user_home = "";
static const char *user_shell = "";
static const char *create_mail_spool = "";
+#ifdef WITH_SELINUX
+static const char *user_selinux = "";
+#endif
static long user_expire = -1;
static bool is_shadow_pwd;
@@ -175,6 +178,9 @@
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
+#ifdef WITH_SELINUX
+static void selinux_update_mapping (void);
+#endif
static long scale_age (long);
static void new_spent (struct spwd *);
@@ -692,6 +698,9 @@
" -s, --shell SHELL the login shell for the new user account\n"
" -u, --uid UID force use the UID for the new user account\n"
" -U, --user-group create a group with the same name as the user\n"
+#ifdef WITH_SELINUX
+ " -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping\n"
+#endif
"\n"), stderr);
exit (E_USAGE);
}
@@ -954,12 +963,19 @@
{"password", required_argument, NULL, 'p'},
{"system", no_argument, NULL, 'r'},
{"shell", required_argument, NULL, 's'},
+#ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+#endif
{"uid", required_argument, NULL, 'u'},
{"user-group", no_argument, NULL, 'U'},
{NULL, 0, NULL, '\0'}
};
while ((c = getopt_long (argc, argv,
+#ifdef WITH_SELINUX
+ "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:UZ:",
+#else
"b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U",
+#endif
long_options, NULL)) != -1) {
switch (c) {
case 'b':
@@ -1153,6 +1169,19 @@
case 'U':
Uflg = true;
break;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled () > 0) {
+ user_selinux = optarg;
+ } else {
+ fprintf (stderr,
+ _("%s: -Z requires SELinux enabled kernel\n"),
+ Prog);
+
+ exit (E_BAD_ARG);
+ }
+ break;
+#endif
default:
usage ();
}
@@ -1659,6 +1688,32 @@
}
}
+#ifdef WITH_SELINUX
+static void selinux_update_mapping (void) {
+ if (is_selinux_enabled () <= 0) return;
+
+ if (*user_selinux) { /* must be done after passwd write() */
+ const char *argv[7];
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-a";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding SELinux user mapping",
+ user_name, (unsigned int) user_id, 0);
+#endif
+ }
+ }
+}
+#endif
/*
* create_home - create the user's home directory
*
@@ -1669,6 +1724,9 @@
static void create_home (void)
{
if (access (user_home, F_OK) != 0) {
+#ifdef WITH_SELINUX
+ selinux_file_context (user_home);
+#endif
/* XXX - create missing parent directories. --marekm */
if (mkdir (user_home, 0) != 0) {
fprintf (stderr,
@@ -1692,6 +1750,10 @@
user_name, (unsigned int) user_id,
SHADOW_AUDIT_SUCCESS);
#endif
+#ifdef WITH_SELINUX
+ /* Reset SELinux to create files with default contexts */
+ setfscreatecon (NULL);
+#endif
}
}
@@ -1940,6 +2002,10 @@
close_files ();
+#ifdef WITH_SELINUX
+ selinux_update_mapping ();
+#endif
+
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
Modified: upstream/trunk/src/userdel.c
===================================================================
--- upstream/trunk/src/userdel.c 2009-04-11 14:55:49 UTC (rev 2642)
+++ upstream/trunk/src/userdel.c 2009-04-11 15:34:10 UTC (rev 2643)
@@ -797,6 +797,17 @@
audit_help_open ();
#endif
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled () > 0) {
+ const char *argv[5];
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-d";
+ argv[3] = user_name;
+ argv[4] = NULL;
+ safe_system (argv[0], argv, NULL, 1);
+ }
+#endif
/*
* Get my name so that I can use it to report errors.
*/
Modified: upstream/trunk/src/usermod.c
===================================================================
--- upstream/trunk/src/usermod.c 2009-04-11 14:55:49 UTC (rev 2642)
+++ upstream/trunk/src/usermod.c 2009-04-11 15:34:10 UTC (rev 2643)
@@ -98,6 +98,9 @@
static char *user_home;
static char *user_newhome;
static char *user_shell;
+#ifdef WITH_SELINUX
+static const char *user_selinux = "";
+#endif
static char *user_newshell;
static long user_expire;
static long user_newexpire;
@@ -120,6 +123,9 @@
oflg = false, /* permit non-unique user ID to be specified with -u */
pflg = false, /* new encrypted password */
sflg = false, /* new shell program */
+#ifdef WITH_SELINUX
+ Zflg = false, /* new selinux user */
+#endif
uflg = false, /* specify new user ID */
Uflg = false; /* unlock the password */
@@ -143,6 +149,9 @@
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
+#ifdef WITH_SELINUX
+static void selinux_update_mapping (void);
+#endif
static void new_spent (struct spwd *);
static void fail_exit (int);
@@ -314,6 +323,9 @@
" -s, --shell SHELL new login shell for the user account\n"
" -u, --uid UID new UID for the user account\n"
" -U, --unlock unlock the user account\n"
+#ifdef WITH_SELINUX
+ " -Z, --selinux-user new SELinux user mapping for the user account\n"
+#endif
"\n"), stderr);
exit (E_USAGE);
}
@@ -876,13 +888,20 @@
{"move-home", no_argument, NULL, 'm'},
{"non-unique", no_argument, NULL, 'o'},
{"password", required_argument, NULL, 'p'},
+#ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+#endif
{"shell", required_argument, NULL, 's'},
{"uid", required_argument, NULL, 'u'},
{"unlock", no_argument, NULL, 'U'},
{NULL, 0, NULL, '\0'}
};
while ((c = getopt_long (argc, argv,
+#ifdef WITH_SELINUX
+ "ac:d:e:f:g:G:hl:Lmop:s:u:UZ:",
+#else
"ac:d:e:f:g:G:hl:Lmop:s:u:U",
+#endif
long_options, NULL)) != -1) {
switch (c) {
case 'a':
@@ -996,6 +1015,19 @@
case 'U':
Uflg = true;
break;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled () > 0) {
+ user_selinux = optarg;
+ Zflg = true;
+ } else {
+ fprintf (stderr,
+ _("%s: -Z requires SELinux enabled kernel\n"),
+ Prog);
+ exit (E_BAD_ARG);
+ }
+ break;
+#endif
default:
usage ();
}
@@ -1036,7 +1068,11 @@
}
if (!(Uflg || uflg || sflg || pflg || oflg || mflg || Lflg ||
- lflg || Gflg || gflg || fflg || eflg || dflg || cflg)) {
+ lflg || Gflg || gflg || fflg || eflg || dflg || cflg
+#ifdef WITH_SELINUX
+ || Zflg
+#endif
+ )) {
fprintf (stderr, _("%s: no changes\n"), Prog);
exit (E_SUCCESS);
}
@@ -1722,6 +1758,10 @@
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+#ifdef WITH_SELINUX
+ selinux_update_mapping ();
+#endif
+
if (mflg) {
move_home ();
}
@@ -1749,3 +1789,34 @@
/* NOT REACHED */
}
+#ifdef WITH_SELINUX
+static void selinux_update_mapping (void) {
+ const char *argv[7];
+
+ if (is_selinux_enabled () <= 0) return;
+
+ if (*user_selinux) {
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-m";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 1)) {
+ argv[2] = "-a";
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying User mapping ",
+ user_name, (unsigned int) user_id, 0);
+#endif
+ }
+ }
+ }
+}
+#endif
+
More information about the Pkg-shadow-commits
mailing list