diff --git a/ChangeLog b/ChangeLog
index b69f9c26..0f816a72 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2011-11-21 Nicolas François
+
+	* src/usermod.c, man/usermod.8.xml: usermod -Z "" removes the
+	SELinux user mapping for the modified user.
+	* src/useradd.c: Zflg is #defined as user_selinux non empty.
+
 2011-11-21 Peter Vrabec
 
 	* libmisc/copydir.c: Ignore errors to copy ACLs if the operation
diff --git a/man/useradd.8.xml b/man/useradd.8.xml
index ff165b12..fba75c5f 100644
--- a/man/useradd.8.xml
+++ b/man/useradd.8.xml
@@ -507,7 +507,7 @@ The SELinux user for the user's login. The default is to leave this field blank, which causes the system to select the default SELinux - user. + user.
diff --git a/man/usermod.8.xml b/man/usermod.8.xml
index f56d1713..226f4b8a 100644
--- a/man/usermod.8.xml
+++ b/man/usermod.8.xml
@@ -377,9 +377,12 @@ - The SELinux user for the user's login. The default is to leave - this field the blank, which causes the system to select the - default SELinux user. + The new SELinux user for the user's login. + + + A blank SEUSER will remove the + SELinux user mapping for user LOGIN + (if any).
diff --git a/src/useradd.c b/src/useradd.c
index ca56dc18..f1b2fa81 100644
--- a/src/useradd.c
+++ b/src/useradd.c
@@ -111,7 +111,7 @@ static const char *user_home = "";
 static const char *user_shell = "";
 static const char *create_mail_spool = "";
 #ifdef WITH_SELINUX
-static const char *user_selinux = "";
+static /*@notnull@*/const char *user_selinux = "";
 #endif				/* WITH_SELINUX */
 static long user_expire = -1;
@@ -145,12 +145,13 @@ static bool
 	oflg = false,		/* permit non-unique user ID to be specified with -u */
 	rflg = false,		/* create a system account */
 	sflg = false,		/* shell program for new account */
-#ifdef WITH_SELINUX
-	Zflg = false,		/* new selinux user */
-#endif				/* WITH_SELINUX */
 	uflg = false,		/* specify user ID for new account */
 	Uflg = false;		/* create a group having the same name as the user */
 
+#ifdef WITH_SELINUX
+#define Zflg ('\0' != *user_selinux)
+#endif				/* WITH_SELINUX */
+
 static bool home_added = false;
 
 /*
@@ -1214,7 +1215,6 @@ static void process_flags (int argc, char **argv)
 		case 'Z':
 			if (is_selinux_enabled () > 0) {
 				user_selinux = optarg;
-				Zflg = true;
 			} else {
 				fprintf (stderr,
 				         _("%s: -Z requires SELinux enabled kernel\n"),
@@ -2058,7 +2058,7 @@ int main (int argc, char **argv)
 	close_files ();
 
 #ifdef WITH_SELINUX
-	if (Zflg && ('\0' != *user_selinux)) {
+	if (Zflg) {
 		if (set_seuser (user_name, user_selinux) != 0) {
 			fprintf (stderr,
 			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
diff --git a/src/usermod.c b/src/usermod.c
index b8e56fde..d9642789 100644
--- a/src/usermod.c
+++ b/src/usermod.c
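Review bot: `#define Zflg ('\0' != *user_selinux)` in the @@ -145 hunk gives a name that sits in the same list as the `bool` flags oflg..Uflg a different meaning from its neighbours — "a non-empty SELinux user was supplied" rather than "-Z was given" — and nothing at the use site `if (Zflg)` in the @@ -2058 hunk shows that. A one-line comment on the #define would keep that visible: `/* true when -Z was given with a non-empty SELinux user; an empty -Z is treated as no -Z */`. The macro also dereferences user_selinux unconditionally, so it relies on the variable never being NULL; the `/*@notnull@*/` annotation added in the @@ -111 hunk documents that for splint, and the initializer `""` plus the optarg assignment in process_flags appear to be the only writers, which is consistent with it.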
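Review bot: With `Zflg = true;` dropped in the @@ -1215 hunk, process_flags accepts `-Z ""` without complaint, and because Zflg now expands to a non-empty test, main in the @@ -2058 hunk silently skips set_seuser, so an empty SELinux user passed by a script is indistinguishable from not passing -Z at all (the ChangeLog entry describes this as intended). That is a different meaning from the one this same commit gives an empty -Z in usermod, where it removes the mapping, so callers that use both tools may misread a no-op as a removal. If an empty argument is not meant to be a no-op here, reject it in the 'Z' case with something like `if ('\0' == *optarg) { fprintf (stderr, _("%s: -Z requires a non-empty SELinux user\n"), Prog); ... }` and take the same exit path as the existing `-Z requires SELinux enabled kernel` branch, whose tail lies outside the hunk. process_flags continues outside the hunk.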
@@ -1890,17 +1890,33 @@ int main (int argc, char **argv)
 	nscd_flush_cache ("group");
 
 #ifdef WITH_SELINUX
-	if (Zflg && *user_selinux) {
-		if (set_seuser (user_name, user_selinux) != 0) {
-			fprintf (stderr,
-			         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
-			         Prog, user_name, user_selinux);
+	if (Zflg) {
+		if ('\0' != *user_selinux) {
+			if (set_seuser (user_name, user_selinux) != 0) {
+				fprintf (stderr,
+				         _("%s: warning: the user name %s to %s SELinux user mapping failed.\n"),
+				         Prog, user_name, user_selinux);
 #ifdef WITH_AUDIT
-			audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
-			              "modifying User mapping ",
-			              user_name, (unsigned int) user_id, 0);
+				audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
+				              "modifying User mapping ",
+				              user_name, (unsigned int) user_id,
+				              SHADOW_AUDIT_FAILURE);
 #endif				/* WITH_AUDIT */
-			fail_exit (E_SE_UPDATE);
+				fail_exit (E_SE_UPDATE);
+			}
+		} else {
+			if (del_seuser (user_name) != 0) {
+				fprintf (stderr,
+				         _("%s: warning: the user name %s to SELinux user mapping removal failed.\n"),
+				         Prog, user_name);
+#ifdef WITH_AUDIT
+				audit_logger (AUDIT_ADD_USER, Prog,
+				              "removing SELinux user mapping",
+				              user_name, (unsigned int) user_id,
+				              SHADOW_AUDIT_FAILURE);
+#endif				/* WITH_AUDIT */
+				fail_exit (E_SE_UPDATE);
+			}
 		}
 	}
 #endif				/* WITH_SELINUX */
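Review bot: The new removal branch records its audit failure with `AUDIT_ADD_USER`, while the set branch directly above uses `AUDIT_USER_CHAUTHTOK` for the same kind of operation; deleting a user's SELinux mapping is an account modification, not a user creation, so anyone filtering audit records by type would file this event under user additions and miss it when looking at changes to existing accounts. Unless the different type is deliberate, use `audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "removing SELinux user mapping", ...` so both outcomes of -Z land under one record type. The new message is also worded `warning:` but is immediately followed by `fail_exit (E_SE_UPDATE)`, and since nscd_flush_cache has already run the account changes appear to be committed by then, so the user sees a "warning" for a fatal exit that leaves the mapping out of step with the account; "error:" would describe it honestly. Neither branch records a successful mapping change, which is pre-existing. main continues outside the hunk.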