useradd: generate home and mail directories with selinux user attribute

Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>

shadow-4.9-move-create-home.patch

@@ -1,8 +1,22 @@
+From 09c752f00f9dfc610f66d68be38c9e5be8ca7f15 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Fri, 8 Oct 2021 13:09:59 +0200
+Subject: [PATCH] useradd: create directories after the SELinux user
+
+Create the home and mail folders after the SELinux user has been set for
+the added user. This will allow the folders to be created with the
+SELinux user label.
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ src/useradd.c | 46 +++++++++++++++++++++++-----------------------
+ 1 file changed, 23 insertions(+), 23 deletions(-)
+
 diff --git a/src/useradd.c b/src/useradd.c
-index baeffb35..02e1402c 100644
+index 6269c01c..b463a170 100644
 --- a/src/useradd.c
 +++ b/src/useradd.c
-@@ -2644,27 +2644,12 @@ int main (int argc, char **argv)
+@@ -2670,27 +2670,12 @@ int main (int argc, char **argv)
  
  	usr_update ();
  
@@ -34,17 +48,14 @@ index baeffb35..02e1402c 100644
  	/*
  	 * tallylog_reset needs to be able to lookup
  	 * a valid existing user name,
-@@ -2695,9 +2680,24 @@ int main (int argc, char **argv)
+@@ -2716,15 +2701,30 @@ int main (int argc, char **argv)
- 		exit(1);
  	}
+ #endif				/* WITH_SELINUX */
  
--	nscd_flush_cache ("passwd");
--	nscd_flush_cache ("group");
--	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
 +	if (mflg) {
 +		create_home ();
 +		if (home_added) {
-+			copy_tree (def_template, prefix_user_home, false, true,
++			copy_tree (def_template, prefix_user_home, false, false,
 +			           (uid_t)-1, user_id, (gid_t)-1, user_gid);
 +		} else {
 +			fprintf (stderr,
@@ -59,6 +70,19 @@ index baeffb35..02e1402c 100644
 +	if (!rflg) {
 +		create_mail ();
 +	}
++
+ 	if (run_parts ("/etc/shadow-maint/useradd-post.d", (char*)user_name,
+ 			"useradd")) {
+ 		exit(1);
+ 	}
  
+-	nscd_flush_cache ("passwd");
+-	nscd_flush_cache ("group");
+-	sssd_flush_cache (SSSD_DB_PASSWD | SSSD_DB_GROUP);
+-
  	return E_SUCCESS;
  }
+ 
+-- 
+2.31.1
+

shadow-4.9-semanage-close-the-selabel-handle.patch

@@ -0,0 +1,61 @@
+From 234af5cf67fc1a3ba99fc246ba65869a3c416545 Mon Sep 17 00:00:00 2001
+From: Iker Pedrosa <ipedrosa@redhat.com>
+Date: Fri, 8 Oct 2021 13:13:13 +0200
+Subject: [PATCH] semanage: close the selabel handle
+
+Close the selabel handle to update the file_context. This means that the
+file_context will be remmaped and used by selabel_lookup() to return
+the appropriate context to label the home folder.
+
+Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=1993081
+
+Signed-off-by: Iker Pedrosa <ipedrosa@redhat.com>
+---
+ lib/prototypes.h | 1 +
+ lib/selinux.c    | 5 +++++
+ lib/semanage.c   | 1 +
+ 3 files changed, 7 insertions(+)
+
+diff --git a/lib/prototypes.h b/lib/prototypes.h
+index 1d1586d4..b697e0ec 100644
+--- a/lib/prototypes.h
++++ b/lib/prototypes.h
+@@ -392,6 +392,7 @@ extern /*@observer@*/const char *crypt_make_salt (/*@null@*//*@observer@*/const
+ /* selinux.c */
+ #ifdef WITH_SELINUX
+ extern int set_selinux_file_context (const char *dst_name, mode_t mode);
++extern void reset_selinux_handle (void);
+ extern int reset_selinux_file_context (void);
+ extern int check_selinux_permit (const char *perm_name);
+ #endif
+diff --git a/lib/selinux.c b/lib/selinux.c
+index c83545f9..b075d4c0 100644
+--- a/lib/selinux.c
++++ b/lib/selinux.c
+@@ -50,6 +50,11 @@ static void cleanup(void)
+ 	}
+ }
+ 
++void reset_selinux_handle (void)
++{
++    cleanup();
++}
++
+ /*
+  * set_selinux_file_context - Set the security context before any file or
+  *                            directory creation.
+diff --git a/lib/semanage.c b/lib/semanage.c
+index 0d30456a..a5bf9218 100644
+--- a/lib/semanage.c
++++ b/lib/semanage.c
+@@ -293,6 +293,7 @@ int set_seuser (const char *login_name, const char *seuser_name)
+ 	}
+ 
+ 	ret = 0;
++	reset_selinux_handle();
+ 
+ done:
+ 	semanage_seuser_key_free (key);
+-- 
+2.31.1
+

shadow-utils.spec

@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.9
-Release: 4%{?dist}
+Release: 5%{?dist}
 Epoch: 2
 License: BSD and GPLv2+
 URL: https://github.com/shadow-maint/shadow
@@ -21,7 +21,7 @@ Source6: shadow-utils.HOME_MODE.xml
 Patch0: shadow-4.9-redhat.patch
 # Be more lenient with acceptable user/group names - non upstreamable
 Patch1: shadow-4.8-goodname.patch
-# Move create home to the end of main - upstreamability unknown
+# https://github.com/shadow-maint/shadow/commit/09c752f00f9dfc610f66d68be38c9e5be8ca7f15
 Patch2: shadow-4.9-move-create-home.patch
 # SElinux related - upstreamability unknown
 Patch3: shadow-4.9-default-range.patch
@@ -53,6 +53,8 @@ Patch15: shadow-4.9-usermod-allow-all-group-types.patch
 Patch16: shadow-4.9-useradd-avoid-generating-empty-subid-range.patch
 # https://github.com/shadow-maint/shadow/commit/234e8fa7b134d1ebabfdad980a3ae5b63c046c62
 Patch17: shadow-4.9-libmisc-fix-default-value-in-SHA_get_salt_rounds.patch
+# https://github.com/shadow-maint/shadow/commit/234af5cf67fc1a3ba99fc246ba65869a3c416545
+Patch18: shadow-4.9-semanage-close-the-selabel-handle.patch
 
 ### Dependencies ###
 Requires: audit-libs >= 1.6.5
@@ -130,6 +132,7 @@ Development files for shadow-utils-subid.
 %patch15 -p1 -b .usermod-allow-all-group-types
 %patch16 -p1 -b .useradd-avoid-generating-empty-subid-range
 %patch17 -p1 -b .libmisc-fix-default-value-in-SHA_get_salt_rounds
+%patch18 -p1 -b .semanage-close-the-selabel-handle
 
 iconv -f ISO88591 -t utf-8  doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
@@ -300,6 +303,9 @@ rm -f $RPM_BUILD_ROOT/%{_libdir}/libsubid.la
 %{_libdir}/libsubid.so
 
 %changelog
+* Wed Oct 27 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-5
+- useradd: generate home and mail directories with selinux user attribute
+
 * Thu Sep 23 2021 Iker Pedrosa <ipedrosa@redhat.com> - 2:4.9-4
 - login.defs: include HMAC_CRYPTO_ALGO key
 - Clean spec file: organize dependencies and move License location