[Pkg-shadow-devel] packaging next 4.1.3

Nicolas François nicolas.francois at centraliens.net
Wed Apr 15 23:16:13 UTC 2009


On Wed, Apr 15, 2009 at 02:21:48PM +0200, pvrabec at redhat.com wrote:
> I think the intention was to SET the context of each copied file, because 
> selinux file context is not copied.

Right. I missed this use case.

When used by usermod, to rename a home directory, it seems better to
keep the SELinux attributes. I think a parameter will be needed.


> btw. I'm sending a selinux patch, some things we messed up :(

I applied the two patches in 4.1.3.1.

> 1. useradd - we always have to call semanage in case the selinux is turned off

There is still something missing.
When selinux_update_mapping() is called but Zflg is not set, *user_selinux
will be '\0' and selinux_update_mapping() becomes a no-op.

What should the semanage command be when a user is added, but no specific
SELinux user?
Just semanage login -a user_name (i.e. the same without -s user_selinux)

I.e., would the following patch make sense:


Index: src/useradd.c
===================================================================
--- src/useradd.c	(révision 2691)
+++ src/useradd.c	(copie de travail)
@@ -1699,15 +1699,20 @@
 static void selinux_update_mapping (void) {
 	if (is_selinux_enabled () <= 0) return;
 
-	if (*user_selinux) { /* must be done after passwd write() */
+	/* must be done after passwd write() */
 		const char *argv[7];
 		argv[0] = "/usr/sbin/semanage";
 		argv[1] = "login";
 		argv[2] = "-a";
+	if (*user_selinux) {
 		argv[3] = "-s";
 		argv[4] = user_selinux;
 		argv[5] = user_name;
 		argv[6] = NULL;
+	} else {
+		argv[3] = user_name;
+		argv[4] = NULL;
+	}
 		if (safe_system (argv[0], argv, NULL, 0)) {
 			fprintf (stderr,
 			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
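Review bot: the warning at the end of this hunk keeps a format with three %s placeholders, the last one for the SELinux user, so if the call still passes user_selinux it will print an empty string in the new no -s branch; a second message for the "default mapping" case would read better. Also, the argv setup (`const char *argv[7];` through `argv[2] = "-a";`) and the `if (safe_system (argv[0], argv, NULL, 0)) {` block keep the indentation of the removed enclosing `if (*user_selinux) {`, so re-indent them one level out. Note too that once the block is gone, `const char *argv[7];` becomes a declaration after the `if (is_selinux_enabled () <= 0) return;` statement, which is fine in C99 but not C89; move it above the early return if older compilers matter for the project.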
@@ -1718,7 +1723,6 @@
 			              user_name, (unsigned int) user_id, 0);
 #endif
 		}
-	}
 }
 #endif
 /*
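Review bot: the removed `}` is the match for the `if (*user_selinux) {` brace dropped in the previous hunk, so the braces stay balanced, but the `}` closing the `if (safe_system (...))` block just above it and the `#endif` inside it are now indented one level too deep; re-indent them together with the rest of the function body so the function's own `}` / `#endif` pair stays visually aligned with the body at a single tab.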

Best Regards,
-- 
Nekral
