SELinux user for user's login.
* NEWS, src/usermod.c, man/usermod.8.xml: Likewise.
* libmisc/system.c, libmisc/Makefile.am, lib/prototypes.h: Added
safe_system(). Used to run semanage.
* lib/prototypes.h, libmisc/copydir.c: Make a
selinux_file_context() an extern function.
* libmisc/copydir.c: Reset SELinux to create files with default
contexts at the end of copy_tree().
* NEWS, src/userdel.c: Delete the SELinux user mapping for user's
login.
+2009-04-11 Peter Vrabec <pvrabec@redhat.com>
+
+ * NEWS, src/useradd.c, man/useradd.8.xml: add -Z option to map
+ SELinux user for user's login.
+ * NEWS, src/usermod.c, man/usermod.8.xml: Likewise.
+ * libmisc/system.c, libmisc/Makefile.am, lib/prototypes.h: Added
+ safe_system(). Used to run semanage.
+ * lib/prototypes.h, libmisc/copydir.c: Make a
+ selinux_file_context() an extern function.
+ * libmisc/copydir.c: Reset SELinux to create files with default
+ contexts at the end of copy_tree().
+ * NEWS, src/userdel.c: Delete the SELinux user mapping for user's
+ login.
+
2009-04-11 Peter Vrabec <pvrabec@redhat.com>
* src/useradd.c (get_defaults): Close the default file after the
- pwck
* warn for users with UID set to (uid_t)-1.
- su
- *
+ * Preserve COLORTERM in addition to TERM when su is called with the -l
+ option.
- useradd
* audit logging improvements.
* Speedup (see "addition of users or groups" above).
* See CREATE_HOME above.
* New -M/--no-create-home option to disable CREATE_HOME.
* do not create users with UID set to (gid_t)-1.
+ * Added -Z option to map SELinux user for user's login.
- userdel
* audit logging improvements.
* Do not fail if the removed user is not in the shadow database.
* When the user's group shall be removed, do not fail if this group is
not in the gshadow file.
+ * Delete the SELinux user mapping for user's login.
- usermod
* Allow adding LDAP users (or any user not present in the local passwd
file) to local groups
* do not create users with UID set to (gid_t)-1.
+ * Added -Z option to map SELinux user for user's login.
shadow-4.1.2.1 -> shadow-4.1.2.2 23-11-2008
newusers
- add logging to SYSLOG & AUDIT
- use CREATE_HOME
+ - Add a -Z option (see useradd / usermod)
Document when/where option appeared, document whether an option is standard
or not.
long int uid, long int gid);
extern int remove_tree (const char *root);
+#ifdef WITH_SELINUX
+extern int selinux_file_context (const char *dst_name);
+#endif
+
/* encrypt.c */
extern char *pw_encrypt (const char *, const char *);
/* shell.c */
extern int shell (const char *, const char *, char *const *);
+/* system.c */
+extern int safe_system (const char *command,
+ const char *argv[],
+ const char *env[],
+ int ignore_stderr);
+
/* strtoday.c */
extern long strtoday (const char *);
setugid.c \
setupenv.c \
shell.c \
+ system.c \
strtoday.c \
sub.c \
sulog.c \
* selinux_file_context () should be called before any creation of file,
* symlink, directory, ...
*
+ * Callers may have to Reset SELinux to create files with default
+ * contexts:
+ * setfscreatecon (NULL);
*/
-static int selinux_file_context (const char *dst_name)
+int selinux_file_context (const char *dst_name)
{
static bool selinux_checked = false;
static bool selinux_enabled;
src_orig = NULL;
dst_orig = NULL;
}
+
+#ifdef WITH_SELINUX
+ /* Reset SELinux to create files with default contexts */
+ setfscreatecon (NULL);
+#endif
+
return err;
}
--- /dev/null
+/*
+ * Copyright (c) 2009 - , Peter Vrabec
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. The name of the copyright holders or contributors may not be used to
+ * endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#include <config.h>
+
+#ident "$Id$"
+
+#include <stdio.h>
+#include <sys/wait.h>
+#include <fcntl.h>
+#include "prototypes.h"
+#include "defines.h"
+
+int safe_system (const char *command,
+ const char *argv[],
+ const char *env[],
+ int ignore_stderr)
+{
+ int status = -1;
+ int fd;
+ pid_t pid;
+
+ pid = fork();
+ if (pid < 0) {
+ return -1;
+ }
+
+ if (pid) { /* Parent */
+ waitpid (pid, &status, 0);
+ return status;
+ }
+
+ fd = open ("/dev/null", O_RDWR);
+ /* Child */
+ dup2 (fd, 0); // Close Stdin
+ if (ignore_stderr) {
+ dup2 (fd, 2); // Close Stderr
+ }
+
+ execve (command, (char *const *) argv, (char *const *) env);
+ fprintf (stderr, _("Failed to exec '%s'\n"), argv[0]);
+ exit (-1);
+}
+
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>-Z</option>, <option>--selinux-user</option>
+ <replaceable>SEUSER</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The SELinux user for the user's login. The default is to leave this
+ field blank, which causes the system to select the default SELinux
+ user.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
<refsect2 id='changing_the_default_values'>
</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term>
+ <option>-Z</option>, <option>--selinux-user</option>
+ <replaceable>SEUSER</replaceable>
+ </term>
+ <listitem>
+ <para>
+ The SELinux user for the user's login. The default is to leave
+ this field the blank, which causes the system to select the
+ default SELinux user.
+ </para>
+ </listitem>
+ </varlistentry>
</variablelist>
</refsect1>
static const char *user_home = "";
static const char *user_shell = "";
static const char *create_mail_spool = "";
+#ifdef WITH_SELINUX
+static const char *user_selinux = "";
+#endif
static long user_expire = -1;
static bool is_shadow_pwd;
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
+#ifdef WITH_SELINUX
+static void selinux_update_mapping (void);
+#endif
static long scale_age (long);
static void new_spent (struct spwd *);
" -s, --shell SHELL the login shell for the new user account\n"
" -u, --uid UID force use the UID for the new user account\n"
" -U, --user-group create a group with the same name as the user\n"
+#ifdef WITH_SELINUX
+ " -Z, --selinux-user SEUSER use a specific SEUSER for the SELinux user mapping\n"
+#endif
"\n"), stderr);
exit (E_USAGE);
}
{"password", required_argument, NULL, 'p'},
{"system", no_argument, NULL, 'r'},
{"shell", required_argument, NULL, 's'},
+#ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+#endif
{"uid", required_argument, NULL, 'u'},
{"user-group", no_argument, NULL, 'U'},
{NULL, 0, NULL, '\0'}
};
while ((c = getopt_long (argc, argv,
+#ifdef WITH_SELINUX
+ "b:c:d:De:f:g:G:k:K:lmMNop:rs:u:UZ:",
+#else
"b:c:d:De:f:g:G:k:K:lmMNop:rs:u:U",
+#endif
long_options, NULL)) != -1) {
switch (c) {
case 'b':
case 'U':
Uflg = true;
break;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled () > 0) {
+ user_selinux = optarg;
+ } else {
+ fprintf (stderr,
+ _("%s: -Z requires SELinux enabled kernel\n"),
+ Prog);
+
+ exit (E_BAD_ARG);
+ }
+ break;
+#endif
default:
usage ();
}
}
}
+#ifdef WITH_SELINUX
+static void selinux_update_mapping (void) {
+ if (is_selinux_enabled () <= 0) return;
+
+ if (*user_selinux) { /* must be done after passwd write() */
+ const char *argv[7];
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-a";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_ADD_USER, Prog,
+ "adding SELinux user mapping",
+ user_name, (unsigned int) user_id, 0);
+#endif
+ }
+ }
+}
+#endif
/*
* create_home - create the user's home directory
*
static void create_home (void)
{
if (access (user_home, F_OK) != 0) {
+#ifdef WITH_SELINUX
+ selinux_file_context (user_home);
+#endif
/* XXX - create missing parent directories. --marekm */
if (mkdir (user_home, 0) != 0) {
fprintf (stderr,
"adding home directory",
user_name, (unsigned int) user_id,
SHADOW_AUDIT_SUCCESS);
+#endif
+#ifdef WITH_SELINUX
+ /* Reset SELinux to create files with default contexts */
+ setfscreatecon (NULL);
#endif
}
}
close_files ();
+#ifdef WITH_SELINUX
+ selinux_update_mapping ();
+#endif
+
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
audit_help_open ();
#endif
+#ifdef WITH_SELINUX
+ if (is_selinux_enabled () > 0) {
+ const char *argv[5];
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-d";
+ argv[3] = user_name;
+ argv[4] = NULL;
+ safe_system (argv[0], argv, NULL, 1);
+ }
+#endif
/*
* Get my name so that I can use it to report errors.
*/
static char *user_home;
static char *user_newhome;
static char *user_shell;
+#ifdef WITH_SELINUX
+static const char *user_selinux = "";
+#endif
static char *user_newshell;
static long user_expire;
static long user_newexpire;
oflg = false, /* permit non-unique user ID to be specified with -u */
pflg = false, /* new encrypted password */
sflg = false, /* new shell program */
+#ifdef WITH_SELINUX
+ Zflg = false, /* new selinux user */
+#endif
uflg = false, /* specify new user ID */
Uflg = false; /* unlock the password */
static int get_groups (char *);
static void usage (void);
static void new_pwent (struct passwd *);
+#ifdef WITH_SELINUX
+static void selinux_update_mapping (void);
+#endif
static void new_spent (struct spwd *);
static void fail_exit (int);
" -s, --shell SHELL new login shell for the user account\n"
" -u, --uid UID new UID for the user account\n"
" -U, --unlock unlock the user account\n"
+#ifdef WITH_SELINUX
+ " -Z, --selinux-user new SELinux user mapping for the user account\n"
+#endif
"\n"), stderr);
exit (E_USAGE);
}
{"move-home", no_argument, NULL, 'm'},
{"non-unique", no_argument, NULL, 'o'},
{"password", required_argument, NULL, 'p'},
+#ifdef WITH_SELINUX
+ {"selinux-user", required_argument, NULL, 'Z'},
+#endif
{"shell", required_argument, NULL, 's'},
{"uid", required_argument, NULL, 'u'},
{"unlock", no_argument, NULL, 'U'},
{NULL, 0, NULL, '\0'}
};
while ((c = getopt_long (argc, argv,
+#ifdef WITH_SELINUX
+ "ac:d:e:f:g:G:hl:Lmop:s:u:UZ:",
+#else
"ac:d:e:f:g:G:hl:Lmop:s:u:U",
+#endif
long_options, NULL)) != -1) {
switch (c) {
case 'a':
case 'U':
Uflg = true;
break;
+#ifdef WITH_SELINUX
+ case 'Z':
+ if (is_selinux_enabled () > 0) {
+ user_selinux = optarg;
+ Zflg = true;
+ } else {
+ fprintf (stderr,
+ _("%s: -Z requires SELinux enabled kernel\n"),
+ Prog);
+ exit (E_BAD_ARG);
+ }
+ break;
+#endif
default:
usage ();
}
}
if (!(Uflg || uflg || sflg || pflg || oflg || mflg || Lflg ||
- lflg || Gflg || gflg || fflg || eflg || dflg || cflg)) {
+ lflg || Gflg || gflg || fflg || eflg || dflg || cflg
+#ifdef WITH_SELINUX
+ || Zflg
+#endif
+ )) {
fprintf (stderr, _("%s: no changes\n"), Prog);
exit (E_SUCCESS);
}
nscd_flush_cache ("passwd");
nscd_flush_cache ("group");
+#ifdef WITH_SELINUX
+ selinux_update_mapping ();
+#endif
+
if (mflg) {
move_home ();
}
/* NOT REACHED */
}
+#ifdef WITH_SELINUX
+static void selinux_update_mapping (void) {
+ const char *argv[7];
+
+ if (is_selinux_enabled () <= 0) return;
+
+ if (*user_selinux) {
+ argv[0] = "/usr/sbin/semanage";
+ argv[1] = "login";
+ argv[2] = "-m";
+ argv[3] = "-s";
+ argv[4] = user_selinux;
+ argv[5] = user_name;
+ argv[6] = NULL;
+ if (safe_system (argv[0], argv, NULL, 1)) {
+ argv[2] = "-a";
+ if (safe_system (argv[0], argv, NULL, 0)) {
+ fprintf (stderr,
+ _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+ Prog, user_name, user_selinux);
+#ifdef WITH_AUDIT
+ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+ "modifying User mapping ",
+ user_name, (unsigned int) user_id, 0);
+#endif
+ }
+ }
+ }
+}
+#endif
+
projects / shadow / commitdiff