SELinux user mapping for the modified user.
* src/useradd.c: Zflg is #defined as user_selinux non empty.
+2011-11-21 Nicolas François <nicolas.francois@centraliens.net>
+
+ * src/usermod.c, man/usermod.8.xml: usermod -Z "" removes the
+ SELinux user mapping for the modified user.
+ * src/useradd.c: Zflg is #defined as user_selinux non empty.
+
2011-11-21 Peter Vrabec <pvrabec@redhat.com>
* libmisc/copydir.c: Ignore errors to copy ACLs if the operation
<para>
The SELinux user for the user's login. The default is to leave this
field blank, which causes the system to select the default SELinux
- user.
+ user.
</para>
</listitem>
</varlistentry>
</term>
<listitem>
<para>
- The SELinux user for the user's login. The default is to leave
- this field the blank, which causes the system to select the
- default SELinux user.
+ The new SELinux user for the user's login.
+ </para>
+ <para>
+ A blank <replaceable>SEUSER</replaceable> will remove the
+ SELinux user mapping for user <replaceable>LOGIN</replaceable>
+ (if any).
</para>
</listitem>
</varlistentry>
static const char *user_shell = "";
static const char *create_mail_spool = "";
#ifdef WITH_SELINUX
-static const char *user_selinux = "";
+static /*@notnull@*/const char *user_selinux = "";
#endif /* WITH_SELINUX */
static long user_expire = -1;
oflg = false, /* permit non-unique user ID to be specified with -u */
rflg = false, /* create a system account */
sflg = false, /* shell program for new account */
-#ifdef WITH_SELINUX
- Zflg = false, /* new selinux user */
-#endif /* WITH_SELINUX */
uflg = false, /* specify user ID for new account */
Uflg = false; /* create a group having the same name as the user */
+#ifdef WITH_SELINUX
+#define Zflg ('\0' != *user_selinux)
+#endif /* WITH_SELINUX */
+
static bool home_added = false;
/*
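Review bot: `Zflg` at L50 is now an object-like macro that dereferences the file-scope `user_selinux`, yet it sits directly under the list of `static bool` option flags and is named like them, so a reader of `if (Zflg)` at L65 (or of the `case 'Z'` hunk below) will take it for a flag set during option parsing. A one-line comment above the define would prevent that: `/* -Z given with a non-empty SELinux user; useradd has no mapping to delete, so -Z "" is accepted and ignored */`. That last property deserves a second look: with the macro, useradd silently does nothing for `-Z ""`, while the same commit gives that spelling a meaning in usermod; if the silent no-op is not intended, `case 'Z'` (L57) could reject an empty `optarg` with a usage error instead. A `static inline bool` helper would express the same predicate without a macro hiding a global read.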
case 'Z':
if (is_selinux_enabled () > 0) {
user_selinux = optarg;
- Zflg = true;
} else {
fprintf (stderr,
_("%s: -Z requires SELinux enabled kernel\n"),
close_files ();
#ifdef WITH_SELINUX
- if (Zflg && ('\0' != *user_selinux)) {
+ if (Zflg) {
if (set_seuser (user_name, user_selinux) != 0) {
fprintf (stderr,
_("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
nscd_flush_cache ("group");
#ifdef WITH_SELINUX
- if (Zflg && *user_selinux) {
- if (set_seuser (user_name, user_selinux) != 0) {
- fprintf (stderr,
- _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
- Prog, user_name, user_selinux);
+ if (Zflg) {
+ if ('\0' != *user_selinux) {
+ if (set_seuser (user_name, user_selinux) != 0) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
#ifdef WITH_AUDIT
- audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
- "modifying User mapping ",
- user_name, (unsigned int) user_id, 0);
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying User mapping ",
+ user_name, (unsigned int) user_id,
+ SHADOW_AUDIT_FAILURE);
+#endif /* WITH_AUDIT */
+ fail_exit (E_SE_UPDATE);
+ }
+ } else {
+ if (del_seuser (user_name) != 0) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"),
+ Prog, user_name);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "removing SELinux user mapping",
+ user_name, (unsigned int) user_id,
+ SHADOW_AUDIT_FAILURE);
#endif /* WITH_AUDIT */
- fail_exit (E_SE_UPDATE);
+ fail_exit (E_SE_UPDATE);
+ }
}
}
#endif /* WITH_SELINUX */
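Review bot: The removal branch at L99 logs with `AUDIT_ADD_USER` while the set branch beside it (L86) uses `AUDIT_USER_CHAUTHTOK`; usermod is changing an existing account, so the removal failure would be typed as an account creation in the audit trail and missed by anyone filtering on the event type used by the rest of this block. Use the same type as the sibling branch: `audit_logger (AUDIT_USER_CHAUTHTOK, Prog,`. Both messages say "warning:" but are immediately followed by `fail_exit (E_SE_UPDATE)`, so the new message at L96 should read as the fatal error it is, e.g. `_("%s: removal of the SELinux user mapping for %s failed\n")`. Only failures are audited, and whether `del_seuser` returns 0 when no mapping existed (the man page promises "(if any)") cannot be verified from the hunk; the enclosing function starts outside it.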