[Pkg-shadow-devel] packaging next 4.1.3

Peter Vrabec pvrabec at redhat.com
Mon Apr 20 09:15:36 UTC 2009


Hi Nicolas,

I'm sorry for the confusion. My fault. I have to take back what I had written in my
previous email.

It doesn't matter if there is "if Zflg" before selinux_update_mapping. semanage
is performed only if user_selinux is defined. So you can keep it as it is or 
change it to:

if (Zflg)
	selinux_update_mapping ();

Peter.

On Thursday 16 April 2009 01:16:13 am Nicolas François wrote:
> On Wed, Apr 15, 2009 at 02:21:48PM +0200, pvrabec at redhat.com wrote:
> > I think the intention was to SET the context of each copied file, because
> > selinux file context is not copied.
>
> right. I missed this use case.
>
> When used by usermod, to rename a home directory, it seems better to
> keep the SE Linux attributes. I think a parameter will be needed.
>
> > btw. I'm sending a selinux patch, some things we messed up :(
>
> I applied the two patches in 4.1.3.1
>
> > 1. useradd - we always have to call semanage in case the selinux is
> > turned off
>
> There is still something missing.
> When selinux_update_mapping() is called but Zflg is not set, *user_selinux
> will be '\0' and selinux_update_mapping() becomes a no-op.
>
> What should be the semanage command when a user is added, but no specific
> selinux user?
> just semanage login -a user_name (i.e. the same without -s user_selinux)
>
> i.e. would the following patch make sense:
>
>
> Index: src/useradd.c
> ===================================================================
> --- src/useradd.c	(révision 2691)
> +++ src/useradd.c	(copie de travail)
> @@ -1699,15 +1699,20 @@
>  static void selinux_update_mapping (void) {
>  	if (is_selinux_enabled () <= 0) return;
>
> -	if (*user_selinux) { /* must be done after passwd write() */
> +	/* must be done after passwd write() */
>  		const char *argv[7];
>  		argv[0] = "/usr/sbin/semanage";
>  		argv[1] = "login";
>  		argv[2] = "-a";
> +	if (*user_selinux) {
>  		argv[3] = "-s";
>  		argv[4] = user_selinux;
>  		argv[5] = user_name;
>  		argv[6] = NULL;
> +	} else {
> +		argv[3] = user_name;
> +		argv[4] = NULL;
> +	}
>  		if (safe_system (argv[0], argv, NULL, 0)) {
>  			fprintf (stderr,
>  			         _("%s: warning: the user name %s to %s SELinux user mapping
> failed.\n"), @@ -1718,7 +1723,6 @@
>  			              user_name, (unsigned int) user_id, 0);
>  #endif
>  		}
> -	}
>  }
>  #endif
>  /*
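Review bot: In the first hunk, removing the outer "if (*user_selinux) {" leaves "const char *argv[7];" as a declaration that follows the "return;" statement at function scope, where before it opened a block. Compilers in C90 mode reject or warn about a declaration after a statement, so move the declaration to the top of selinux_update_mapping(), above the is_selinux_enabled() check, and re-indent the argv[0..2] assignments and the safe_system() call by one level now that they run unconditionally. The warning text still formats two %s ("the user name %s to %s SELinux user mapping failed"); its arguments are not visible in the hunk, but if the second one is user_selinux, the new else branch will report an empty SELinux user on failure, so a separate message for the default-mapping case would read better.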
>
> Best Regards,




