Do not write error message to screen when looking for previous record for auditing.

- Add mls_range from user record if the MLS range is not specified by the seuser add record.
- Error out if seuser or mls range is not specified when adding user records

libsemanage-rhat.patch

@@ -198,11 +198,66 @@ index 57ef49f..4b040c3 100644
  	free(storepath);
  	return retval;
  }
+diff --git a/libsemanage/src/seuser_record.c b/libsemanage/src/seuser_record.c
+index 8823b1e..d92633e 100644
+--- a/libsemanage/src/seuser_record.c
++++ b/libsemanage/src/seuser_record.c
+@@ -140,19 +140,50 @@ const char *semanage_seuser_get_sename(const semanage_seuser_t * seuser)
+ 
+ hidden_def(semanage_seuser_get_sename)
+ 
++#include <semanage/user_record.h>
++#include <semanage/users_policy.h>
++#include <errno.h>
+ int semanage_seuser_set_sename(semanage_handle_t * handle,
+ 			       semanage_seuser_t * seuser, const char *sename)
+ {
+ 
++	semanage_user_t *u = NULL;
++	const char *mls_range = semanage_seuser_get_mlsrange(seuser);
+ 	char *tmp_sename = strdup(sename);
++	int rc;
+ 	if (!tmp_sename) {
+ 		ERR(handle,
+ 		    "out of memory, could not set seuser (SELinux) name");
+ 		return STATUS_ERR;
+ 	}
++	/* Default MLS_range if not set to the "sename" user record mls range */
++	if (!mls_range && semanage_mls_enabled(handle)) {
++		semanage_user_key_t *key = NULL;
++		
++		rc = semanage_user_key_create(handle, sename, &key);
++		if (rc < 0)
++			goto err;
++
++		rc = semanage_user_query(handle, key, &u);
++		semanage_user_key_free(key);
++		if (rc == STATUS_ERR)
++			goto err;
++		else if (rc == STATUS_NODATA) {
++			ERR(handle, "SELinux user %s does not exist", sename);
++			errno = EINVAL;
++			rc = STATUS_ERR;
++			goto err;
++		}
++		mls_range = semanage_user_get_mlsrange(u);
++		semanage_seuser_set_mlsrange(handle, seuser, mls_range);
++		semanage_user_free(u);
++	}
+ 	free(seuser->sename);
+ 	seuser->sename = tmp_sename;
+ 	return STATUS_SUCCESS;
++err:
++	free(tmp_sename);
++	return rc;
+ }
+ 
+ hidden_def(semanage_seuser_set_sename)
 diff --git a/libsemanage/src/seusers_local.c b/libsemanage/src/seusers_local.c
-index e7cf12c..ed0af21 100644
+index e7cf12c..d8020a9 100644
 --- a/libsemanage/src/seusers_local.c
 +++ b/libsemanage/src/seusers_local.c
-@@ -8,27 +8,117 @@ typedef struct semanage_seuser record_t;
+@@ -8,27 +8,131 @@ typedef struct semanage_seuser record_t;
  
  #include <sepol/policydb.h>
  #include <sepol/context.h>
@@ -294,10 +349,24 @@ index e7cf12c..ed0af21 100644
  {
 -
 +	int rc;
++	void *callback = (void *) handle->msg_callback;
  	dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
 -	return dbase_modify(handle, dconfig, key, data);
++	const char *sename = semanage_seuser_get_sename(data);
++	const char *mls_range = semanage_seuser_get_mlsrange(data);
 +	semanage_seuser_t *previous = NULL;
++	if (!sename) {
++		errno=EINVAL;
++		return -1;
++	}
++	if (!mls_range && semanage_mls_enabled(handle)) {
++		errno=EINVAL;
++		return -1;
++	}
++
++	handle->msg_callback = NULL;
 +	semanage_seuser_query(handle, key, &previous);
++	handle->msg_callback = callback;
 +	rc = dbase_modify(handle, dconfig, key, data);
 +	if (semanage_seuser_audit(handle, data, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0) 
 +		rc = -1;

libsemanage.spec

@@ -7,7 +7,7 @@
 Summary: SELinux binary policy manipulation library 
 Name: libsemanage
 Version: 2.1.10
-Release: 9%{?dist}
+Release: 10%{?dist}
 License: LGPLv2+
 Group: System Environment/Libraries
 Source: libsemanage-%{version}.tgz
@@ -179,6 +179,11 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif # if with_python3
 
 %changelog
+* Thu Sep 19 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-10
+- Do not write error message to screen when looking for previous record for auditing.
+- Add mls_range from user record if the MLS range is not specified by the seuser add record.
+- Error out if seuser or mls range is not specified when adding user records
+
 * Mon Sep 9 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.10-9
 - Create symlink from policy.kern to active kernel.