From 32f6a7815739e283e02319ff3ce2e8c0d16e7697 Mon Sep 17 00:00:00 2001
From: Tomas Mraz
Date: Fri, 14 Jun 2013 15:27:20 +0200
Subject: [PATCH] report error to stdout when SELinux context for home directory cannot be determined (#973647)
- audit the changing home directory owner (#885797)
- do not set the default SELinux MLS range (#852676)
---
 shadow-4.1.5.1-audit-owner.patch | 32 +++++++++++++++++++++++++++
 shadow-4.1.5.1-default-range.patch | 35 ++++++++++++++++++++++++++++++
 shadow-4.1.5.1-errmsg.patch | 23 ++++++++++++++++++++
 shadow-utils.spec | 15 ++++++++++++-
 4 files changed, 104 insertions(+), 1 deletion(-)
 create mode 100644 shadow-4.1.5.1-audit-owner.patch
 create mode 100644 shadow-4.1.5.1-default-range.patch
 create mode 100644 shadow-4.1.5.1-errmsg.patch
diff --git a/shadow-4.1.5.1-audit-owner.patch b/shadow-4.1.5.1-audit-owner.patch
new file mode 100644
index 0000000..6fbbdbf
--- /dev/null
+++ b/shadow-4.1.5.1-audit-owner.patch
@@ -0,0 +1,32 @@
+diff -up shadow-4.1.5.1/src/usermod.c.audit shadow-4.1.5.1/src/usermod.c
+--- shadow-4.1.5.1/src/usermod.c.audit 2011-11-21 23:02:16.000000000 +0100
++++ shadow-4.1.5.1/src/usermod.c 2013-06-14 14:54:20.237026550 +0200
+@@ -1513,6 +1513,14 @@ static void move_home (void)
+ fail_exit (E_HOMEDIR);
+ }
+
++#ifdef WITH_AUDIT
++ if (uflg || gflg) {
++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++ "changing home directory owner",
++ user_newname, (unsigned int) user_newid, 1);
++ }
++#endif
++
+ if (rename (user_home, user_newhome) == 0) {
+ /* FIXME: rename above may have broken symlinks
+ * pointing to the user's home directory
+@@ -1947,6 +1955,13 @@ int main (int argc, char **argv)
+ * ownership.
+ *
+ */
++#ifdef WITH_AUDIT
++ if (uflg || gflg) {
++ audit_logger (AUDIT_USER_CHAUTHTOK, Prog,
++ "changing home directory owner",
++ user_newname, (unsigned int) user_newid, 1);
++ }
++#endif
+ if (chown_tree (dflg ? user_newhome : user_home,
+ user_id,
+ uflg ? user_newid : (uid_t)-1,
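Review bot: Both added blocks emit the audit record before the operation it describes has run — in move_home the `audit_logger` call precedes `rename`, and in main it precedes `chown_tree` — and the trailing argument is a constant 1, which appears to be the success result, so a move or chown that then fails is still recorded as a successful owner change. Logging after the operation with its real outcome keeps the audit trail truthful, e.g. `audit_logger (AUDIT_USER_CHAUTHTOK, Prog, "changing home directory owner", user_newname, (unsigned int) user_newid, rc == 0);` where rc holds the chown_tree or rename result. AUDIT_USER_CHAUTHTOK is the authentication-token event type; if the audit headers the package builds against provide AUDIT_USER_MGMT, that type describes an account-attribute change more accurately, though this would need checking against the rest of usermod.c, which uses the same type elsewhere as far as the hunk shows. Both enclosing functions, move_home and main, start and end outside the hunk.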
diff --git a/shadow-4.1.5.1-default-range.patch b/shadow-4.1.5.1-default-range.patch
new file mode 100644
index 0000000..45c677a
--- /dev/null
+++ b/shadow-4.1.5.1-default-range.patch
@@ -0,0 +1,35 @@
+diff -up shadow-4.1.5.1/lib/semanage.c.default-range shadow-4.1.5.1/lib/semanage.c
+--- shadow-4.1.5.1/lib/semanage.c.default-range 2012-01-08 17:35:44.000000000 +0100
++++ shadow-4.1.5.1/lib/semanage.c 2013-06-14 15:14:51.970237594 +0200
+@@ -143,6 +143,7 @@ static int semanage_user_mod (semanage_h
+ goto done;
+ }
+
++#if 0
+ ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+ if (ret != 0) {
+ fprintf (stderr,
+@@ -150,6 +151,7 @@ static int semanage_user_mod (semanage_h
+ ret = 1;
+ goto done;
+ }
++#endif
+
+ ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
+ if (ret != 0) {
+@@ -200,6 +202,7 @@ static int semanage_user_add (semanage_h
+ goto done;
+ }
+
++#if 0
+ ret = semanage_seuser_set_mlsrange (handle, seuser, DEFAULT_SERANGE);
+ if (ret != 0) {
+ fprintf (stderr,
+@@ -208,6 +211,7 @@ static int semanage_user_add (semanage_h
+ ret = 1;
+ goto done;
+ }
++#endif
+
+ ret = semanage_seuser_set_sename (handle, seuser, seuser_name);
+ if (ret != 0) {
diff --git a/shadow-4.1.5.1-errmsg.patch b/shadow-4.1.5.1-errmsg.patch
new file mode 100644
index 0000000..6f3a1d2
--- /dev/null
+++ b/shadow-4.1.5.1-errmsg.patch
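Review bot: The bare `#if 0` blocks in semanage_user_mod and semanage_user_add leave the `semanage_seuser_set_mlsrange` calls and their error handling as dead code with no explanation in the source, and `DEFAULT_SERANGE` presumably becomes an unused definition, so a later reader cannot tell whether the range is meant to be set elsewhere or deliberately left alone. Either delete the disabled lines or put the intent next to each `#if 0`, e.g. `/* The MLS range is deliberately not set here so the policy default (or, on modify, the existing range) is kept -- see #852676 */`. The effect also differs between the two functions and is worth confirming: on modify the mapping keeps whatever range it already had, while on add the range is whatever the newly created seuser record carries by default. Both enclosing functions start and end outside the hunk.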
@@ -0,0 +1,23 @@
+diff -up shadow-4.1.5.1/src/useradd.c.logmsg shadow-4.1.5.1/src/useradd.c
+--- shadow-4.1.5.1/src/useradd.c.logmsg 2013-02-20 15:41:44.000000000 +0100
++++ shadow-4.1.5.1/src/useradd.c 2013-06-14 14:22:59.529661095 +0200
+@@ -1760,6 +1760,9 @@ static void create_home (void)
+ if (access (user_home, F_OK) != 0) {
+ #ifdef WITH_SELINUX
+ if (set_selinux_file_context (user_home, NULL) != 0) {
++ fprintf (stderr,
++ _("%s: cannot set SELinux context for home directory %s\n"),
++ Prog, user_home);
+ fail_exit (E_HOMEDIR);
+ }
+ #endif
+@@ -1789,6 +1792,9 @@ static void create_home (void)
+ #ifdef WITH_SELINUX
+ /* Reset SELinux to create files with default contexts */
+ if (reset_selinux_file_context () != 0) {
++ fprintf (stderr,
++ _("%s: cannot reset SELinux file creation context\n"),
++ Prog);
+ fail_exit (E_HOMEDIR);
+ }
+ #endif
diff --git a/shadow-utils.spec b/shadow-utils.spec
index 2b214d3..a7b86c6 100644
--- a/shadow-utils.spec
+++ b/shadow-utils.spec
@@ -1,7 +1,7 @@
 Summary: Utilities for managing accounts and shadow password files
 Name: shadow-utils
 Version: 4.1.5.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 Epoch: 2
 URL: http://pkg-shadow.alioth.debian.org/
 Source0: http://pkg-shadow.alioth.debian.org/releases/shadow-%{version}.tar.bz2
@@ -18,6 +18,10 @@ Patch8: shadow-4.1.5.1-backup-mode.patch
 Patch9: shadow-4.1.5.1-merge-group.patch
 Patch10: shadow-4.1.5.1-orig-context.patch
 Patch11: shadow-4.1.5.1-logmsg.patch
+Patch12: shadow-4.1.5.1-errmsg.patch
+Patch13: shadow-4.1.5.1-audit-owner.patch
+Patch14: shadow-4.1.5.1-default-range.patch
+
 License: BSD and GPLv2+
 Group: System Environment/Base
 BuildRequires: libselinux-devel >= 1.25.2-1
@@ -56,6 +60,9 @@ are used for managing group accounts.
 %patch9 -p1 -b .merge-group
 %patch10 -p1 -b .orig-context
 %patch11 -p1 -b .logmsg
+%patch12 -p1 -b .errmsg
+%patch13 -p1 -b .audit-owner
+%patch14 -p1 -b .default-range
 iconv -f ISO88591 -t utf-8 doc/HOWTO > doc/HOWTO.utf8
 cp -f doc/HOWTO.utf8 doc/HOWTO
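Review bot: The added messages go to stderr via `fprintf (stderr, ...)`, while the commit subject and the changelog entry say the error is reported to stdout; the commit message should say stderr so an operator looking for the message checks the right stream. The messages also omit the reason the SELinux call failed, so the administrator learns only that the context could not be set or reset; if the failing call leaves a meaningful errno, appending it, e.g. `_("%s: cannot set SELinux context for home directory %s: %s\n"), Prog, user_home, strerror (errno)`, would make the failure diagnosable — the hunk does not show whether errno is reliable after `set_selinux_file_context`, so that needs confirming before adding it. create_home starts and ends outside the hunk.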
@@ -209,6 +216,12 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man8/vigr.8*
 %changelog
+* Fri Jun 14 2013 Tomas Mraz - 2:4.1.5.1-6
+- report error to stdout when SELinux context for home directory
+ cannot be determined (#973647)
+- audit the changing home directory owner (#885797)
+- do not set the default SELinux MLS range (#852676)
+
 * Tue Mar 19 2013 Tomas Mraz - 2:4.1.5.1-5
 - improve the failure syslog message in useradd (#830617)