[Pkg-shadow-devel] packaging next 4.1.3
Peter Vrabec
pvrabec at redhat.com
Mon Apr 20 09:15:36 UTC 2009
Hi Nicolas,
I'm sorry for the confusion. My fault. I have to take back what I had written in
the previous email.
It doesn't matter if there is "if Zflg" before selinux_update_mapping. semanage
is performed only if user_selinux is defined. So you can keep it as it is or
change it to:
    if (Zflg)
        selinux_update_mapping ();
Peter.
On Thursday 16 April 2009 01:16:13 am Nicolas François wrote:
> On Wed, Apr 15, 2009 at 02:21:48PM +0200, pvrabec at redhat.com wrote:
> > I think the intention was to SET the context of each copied file, because
> > selinux file context is not copied.
>
> right. I missed this use case.
>
> When used by usermod, to rename a home directory, it seems better to
> keep the SE Linux attributes. I think a parameter will be needed.
>
> > btw. I'm sending a selinux patch, some things we messed up :(
>
> I applied the two patches in 4.1.3.1
>
> > 1. useradd - we always have to call semanage in case the selinux is
> > turned off
>
> There is still something missing.
> When selinux_update_mapping() is called but Zflg is not set, *user_selinux
> will be '\0' and selinux_update_mapping() becomes a no-op.
>
> What should be the semanage command when a user is added, but no specific
> selinux user?
> just semanage login -a user_name (i.e. the same without -s user_selinux)
>
> i.e. would the following patch make sense:
>
>
> Index: src/useradd.c
> ===================================================================
> --- src/useradd.c (révision 2691)
> +++ src/useradd.c (copie de travail)
> @@ -1699,15 +1699,20 @@
> static void selinux_update_mapping (void) {
> if (is_selinux_enabled () <= 0) return;
>
> - if (*user_selinux) { /* must be done after passwd write() */
> + /* must be done after passwd write() */
> const char *argv[7];
> argv[0] = "/usr/sbin/semanage";
> argv[1] = "login";
> argv[2] = "-a";
> + if (*user_selinux) {
> argv[3] = "-s";
> argv[4] = user_selinux;
> argv[5] = user_name;
> argv[6] = NULL;
> + } else {
> + argv[3] = user_name;
> + argv[4] = NULL;
> + }
> if (safe_system (argv[0], argv, NULL, 0)) {
> fprintf (stderr,
> _("%s: warning: the user name %s to %s SELinux user mapping
> failed.\n"), @@ -1718,7 +1723,6 @@
> user_name, (unsigned int) user_id, 0);
> #endif
> }
> - }
> }
> #endif
> /*
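Review bot: In the failure path after safe_system(), the warning format "the user name %s to %s SELinux user mapping failed" still has two %s, but with the new else branch this code also runs when *user_selinux is '\0'. The argument list is not visible in the hunk; if the second %s is user_selinux, the warning will print an empty SELinux user name, so consider a separate message for the case without -s. Also, with the "if (*user_selinux) {" opener removed, "const char *argv[7];" now follows the "if (is_selinux_enabled () <= 0) return;" statement in the same block, which is a declaration after a statement; moving it to the top of the function keeps it valid for pre-C99 compilers.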
>
> Best Regards,