From 9c124af8868a7d3908c03ec369e28daef17d5f12 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Tue, 30 Mar 2010 15:26:58 +0200
Subject: SELinux login management

Adds a new option -Z to sss_useradd and sss_usermod. This option allows user to specify the SELinux login context for the user.

On deleting the user with sss_userdel, the login mapping is deleted, so subsequent adding of the same user would result in the default login context unless -Z is specified again.

MLS security is not supported as of this patch.
---
 src/tools/sss_useradd.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'src/tools/sss_useradd.c')

diff --git a/src/tools/sss_useradd.c b/src/tools/sss_useradd.c
index 2d88e75e..6c6b5851 100644
--- a/src/tools/sss_useradd.c
+++ b/src/tools/sss_useradd.c
@@ -109,6 +109,7 @@ int main(int argc, const char **argv)
 int pc_create_home = 0;
 const char *pc_username = NULL;
 const char *pc_skeldir = NULL;
+ const char *pc_selinux_user = NULL;
 struct poptOption long_options[] = {
 POPT_AUTOHELP
 { "debug", '\0', POPT_ARG_INT | POPT_ARGFLAG_DOC_HIDDEN, &pc_debug, 0, _("The debug level to run with"), NULL },
@@ -121,6 +122,7 @@ int main(int argc, const char **argv)
 { "create-home", 'm', POPT_ARG_NONE, NULL, 'm', _("Create user's directory if it does not exist"), NULL },
 { "no-create-home", 'M', POPT_ARG_NONE, NULL, 'M', _("Never create user's directory, overrides config"), NULL },
 { "skel", 'k', POPT_ARG_STRING, &pc_skeldir, 0, _("Specify an alternative skeleton directory"), NULL },
+ { "selinux-user", 'Z', POPT_ARG_STRING, &pc_selinux_user, 0, _("The SELinux user for user's login"), NULL },
 POPT_TABLEEND
 };
 poptContext pc = NULL;
@@ -270,6 +272,15 @@ int main(int argc, const char **argv)
 end_transaction(tctx);
+ /* Set SELinux login context - must be done after transaction is done
+ * b/c libselinux calls getpwnam */
+ ret = set_seuser(tctx->octx->name, pc_selinux_user);
+ if (ret != EOK) {
+ ERROR("Cannot set SELinux login context\n");
+ ret = EXIT_FAILURE;
+ goto fini;
+ }
+
 /* Create user's home directory and/or mail spool */
 if (tctx->octx->create_homedir) {
 /* We need to know the UID and GID of the user, if
-- 
cgit
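Review bot: set_seuser() is called after end_transaction(), so when it fails the account is already committed, yet main() returns EXIT_FAILURE and skips the home-directory/mail-spool creation that follows, leaving a half-provisioned user with an error message that does not say so; either report that explicitly, e.g. `ERROR("User was created, but setting the SELinux login context failed\n");`, or treat the failure as a warning and continue to the home-directory step. The call is also unconditional, so without -Z pc_selinux_user is NULL; unless set_seuser() is documented to treat NULL as "keep the default mapping" (not visible in this diff), guard it with `if (pc_selinux_user != NULL)`. The ordering explained in the comment also means the new entry is briefly visible with the default SELinux login mapping before the requested one is applied; stating that in the comment would stop someone later moving the call inside the transaction without reconsidering it. main() begins and ends outside this hunk.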