From 11164c2c0a8816d49e94ca0343e421016e606603 Mon Sep 17 00:00:00 2001 From: Iker Pedrosa Date: Wed, 27 Oct 2021 12:02:57 +0200 Subject: [PATCH] useradd: generate home and mail directories with selinux user attribute Signed-off-by: Iker Pedrosa --- shadow-4.9-move-create-home.patch | 40 +++++++++--- ....9-semanage-close-the-selabel-handle.patch | 61 +++++++++++++++++++ shadow-utils.spec | 10 ++- 3 files changed, 101 insertions(+), 10 deletions(-) create mode 100644 shadow-4.9-semanage-close-the-selabel-handle.patch diff --git a/shadow-4.9-move-create-home.patch b/shadow-4.9-move-create-home.patch index 94bb84c..0ed6ea7 100644 --- a/shadow-4.9-move-create-home.patch +++ b/shadow-4.9-move-create-home.patch @@ -1,8 +1,22 @@ +From 09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Fri, 8 Oct 2021 13:09:59 +0200 +Subject: [PATCH] useradd: create directories after the SELinux user + +Create the home and mail folders after the SELinux user has been set for +the added user. This will allow the folders to be created with the +SELinux user label. + +Signed-off-by: Iker Pedrosa +--- + src/useradd.c | 46 +++++++++++++++++++++++----------------------- + 1 file changed, 23 insertions(+), 23 deletions(-) + diff --git a/src/useradd.c b/src/useradd.c -index baeffb35..02e1402c 100644 +index 6269c01c..b463a170 100644 --- a/src/useradd.c +++ b/src/useradd.c -@@ -2644,27 +2644,12 @@ int main (int argc, char **argv) +@@ -2670,27 +2670,12 @@ int main (int argc, char **argv) usr_update (); 
@@ -34,17 +48,14 @@ index baeffb35..02e1402c 100644 /* * tallylog_reset needs to be able to lookup * a valid existing user name, -@@ -2695,9 +2680,24 @@ int main (int argc, char **argv) - exit(1); +@@ -2716,15 +2701,30 @@ int main (int argc, char **argv) } + #endif /* WITH_SELINUX */ -- nscd_flush_cache ("passwd"); -- nscd_flush_cache ("group"); -- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); + if (mflg) { + create_home (); + if (home_added) { -+ copy_tree (def_template, prefix_user_home, false, true, ++ copy_tree (def_template, prefix_user_home, false, false, + (uid_t)-1, user_id, (gid_t)-1, user_gid); + } else { + fprintf (stderr, @@ -59,6 +70,19 @@ index baeffb35..02e1402c 100644 + if (!rflg) { + create_mail (); + } ++ + if (run_parts ("/etc/shadow-maint/useradd-post.d", (char*)user_name, + "useradd")) { + exit(1); + } +- nscd_flush_cache ("passwd"); +- nscd_flush_cache ("group"); +- sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP); +- return E_SUCCESS; } + +-- +2.31.1 + diff --git a/shadow-4.9-semanage-close-the-selabel-handle.patch b/shadow-4.9-semanage-close-the-selabel-handle.patch new file mode 100644 index 0000000..11a23e4 --- /dev/null +++ b/shadow-4.9-semanage-close-the-selabel-handle.patch 
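Review bot: The rebased hunk flips the fourth `copy_tree` argument from `true` to `false` (`copy_tree (def_template, prefix_user_home, false, false,`), and neither the embedded patch description nor the spec changelog mentions that change. If that parameter is copy_tree's `reset_selinux` flag, the skeleton copy now keeps the file-creation context chosen for the new user instead of resetting it per file, which is presumably the reason the block was moved after `set_seuser`; a comment above the call, `/* keep the per-user SELinux file context set above while copying the skel tree */`, would make the intent survive the next rebase. The following hunk (`@@ -59,6 +70,19 @@`) only adds a blank line and relocates the cache-flush removal, so no separate point there. The enclosing `main` of useradd.c begins and ends outside both hunks.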
@@ -0,0 +1,61 @@ +From 234af5cf67fc1a3ba99fc246ba65869a3c416545 Mon Sep 17 00:00:00 2001 +From: Iker Pedrosa +Date: Fri, 8 Oct 2021 13:13:13 +0200 +Subject: [PATCH] semanage: close the selabel handle + +Close the selabel handle to update the file_context. This means that the +file_context will be remmaped and used by selabel_lookup() to return +the appropriate context to label the home folder. + +Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081 + +Signed-off-by: Iker Pedrosa +--- + lib/prototypes.h | 1 + + lib/selinux.c | 5 +++++ + lib/semanage.c | 1 + + 3 files changed, 7 insertions(+) + +diff --git a/lib/prototypes.h b/lib/prototypes.h +index 1d1586d4..b697e0ec 100644 +--- a/lib/prototypes.h ++++ b/lib/prototypes.h +@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const + /* selinux.c */ + #ifdef WITH_SELINUX + extern int set_selinux_file_context (const char *dst_name, mode_t mode); ++extern void reset_selinux_handle (void); + extern int reset_selinux_file_context (void); + extern int check_selinux_permit (const char *perm_name); + #endif +diff --git a/lib/selinux.c b/lib/selinux.c +index c83545f9..b075d4c0 100644 +--- a/lib/selinux.c ++++ b/lib/selinux.c +@@ -50,6 +50,11 @@ static void cleanup(void) + } + } + ++void reset_selinux_handle (void) ++{ ++ cleanup(); ++} ++ + /* + * set_selinux_file_context - Set the security context before any file or + * directory creation. +diff --git a/lib/semanage.c b/lib/semanage.c +index 0d30456a..a5bf9218 100644 +--- a/lib/semanage.c ++++ b/lib/semanage.c +@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name) + } + + ret = 0; ++ reset_selinux_handle(); + + done: + semanage_seuser_key_free (key); +-- +2.31.1 + diff --git a/shadow-utils.spec b/shadow-utils.spec index 051708d..871a2e1 100644 --- a/shadow-utils.spec +++ b/shadow-utils.spec 
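Review bot: `reset_selinux_handle` is added to lib/prototypes.h without a comment, and the lib/selinux.c hunk shows only the closing braces of the static `cleanup()` it wraps, so a reader of `set_seuser` cannot tell what state is torn down or whether the cached handle pointer is cleared so that the next `selabel_lookup()` path re-opens the handle rather than using a freed one; please confirm that in `cleanup()` (outside the hunk) and document it on the wrapper. I would put above the definition `/* Drop the cached selabel handle so the next file-context lookup re-opens it and sees the seuser mapping just written by set_seuser(). */` and at the call site in semanage.c `/* mapping changed file_context; force a fresh selabel handle */`. The prototype is guarded by `#ifdef WITH_SELINUX` while the call after `ret = 0;` is unconditional, which only holds if semanage.c is itself built solely under that guard; the build files are not touched here, so that is worth a check. The embedded description's "remmaped" should read "remapped". Both `set_seuser` and `cleanup()` begin outside the hunk.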
@@ -1,7 +1,7 @@ Summary: Utilities for managing accounts and shadow password files Name: shadow-utils Version: 4.9 -Release: 4%{?dist} +Release: 5%{?dist} Epoch: 2 License: BSD and GPLv2+ URL: https://github.com/shadow-maint/shadow @@ -21,7 +21,7 @@ Source6: shadow-utils.HOME_MODE.xml Patch0: shadow-4.9-redhat.patch # Be more lenient with acceptable user/group names - non upstreamable Patch1: shadow-4.8-goodname.patch -# Move create home to the end of main - upstreamability unknown +# https://github.com/shadow-maint/shadow/commit/09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Patch2: shadow-4.9-move-create-home.patch # SElinux related - upstreamability unknown Patch3: shadow-4.9-default-range.patch @@ -53,6 +53,8 @@ Patch15: shadow-4.9-usermod-allow-all-group-types.patch Patch16: shadow-4.9-useradd-avoid-generating-empty-subid-range.patch # https://github.com/shadow-maint/shadow/commit/234e8fa7b134d1ebabfdad980a3ae5b63c046c62 Patch17: shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch +# https://github.com/shadow-maint/shadow/commit/234af5cf67fc1a3ba99fc246ba65869a3c416545 +Patch18: shadow-4.9-semanage-close-the-selabel-handle.patch ### Dependencies ### Requires: audit-libs >= 1.6.5 @@ -130,6 +132,7 @@ Development files for shadow-utils-subid. %patch15 -p1 -b .usermod-allow-all-group-types %patch16 -p1 -b .useradd-avoid-generating-empty-subid-range %patch17 -p1 -b .libmisc-fix-default-value-in-SHA_get_salt_rounds +%patch18 -p1 -b .semanage-close-the-selabel-handle iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8 cp -f doc/HOWTO.utf8 doc/HOWTO @@ -300,6 +303,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la %{_libdir}/libsubid.so %changelog +* Wed Oct 27 2021 Iker Pedrosa - 2:4.9-5 +- useradd: generate home and mail directories with selinux user attribute + * Thu Sep 23 2021 Iker Pedrosa - 2:4.9-4 - login.defs: include HMAC_CRYPTO_ALGO key - Clean spec file: organize dependencies and move License location