Add support for ignoredirs param in /etc/selinux/semanage.conf
This commit is contained in:
Dan Walsh
parent
a29afa3a34
commit
32db106626
@ -1,22 +1,240 @@
|
|||||||
|
diff --git a/libsemanage/man/man5/semanage.conf.5 b/libsemanage/man/man5/semanage.conf.5
|
||||||
|
index c60bdc6..6a8b4e8 100644
|
||||||
|
--- a/libsemanage/man/man5/semanage.conf.5
|
||||||
|
+++ b/libsemanage/man/man5/semanage.conf.5
|
||||||
|
@@ -56,6 +56,11 @@ It controls whether the previously linked module is saved (with name "base.linke
|
||||||
|
It can be set to either "true" or "false" and by default it is set to "false" (the previous module is deleted).
|
||||||
|
|
||||||
|
.TP
|
||||||
|
+.B ignoredirs
|
||||||
|
+List, separated by ";", of directories to ignore when setting up users homedirs.
|
||||||
|
+Some distributions use this to stop labeling /root as a homedir.
|
||||||
|
+
|
||||||
|
+.TP
|
||||||
|
.B usepasswd
|
||||||
|
Whether or not to enable the use getpwent() to obtain a list of home directories to label. It can be set to either "true" or "false".
|
||||||
|
By default it is set to "true".
|
||||||
|
diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y
|
||||||
|
index 77c00b2..bbdac1d 100644
|
||||||
|
--- a/libsemanage/src/conf-parse.y
|
||||||
|
+++ b/libsemanage/src/conf-parse.y
|
||||||
|
@@ -58,7 +58,7 @@ static int parse_errors;
|
||||||
|
}
|
||||||
|
|
||||||
|
%token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED
|
||||||
|
-%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD
|
||||||
|
+%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS
|
||||||
|
%token BZIP_BLOCKSIZE BZIP_SMALL
|
||||||
|
%token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END
|
||||||
|
%token PROG_PATH PROG_ARGS
|
||||||
|
@@ -84,6 +84,7 @@ single_opt: module_store
|
||||||
|
| save_linked
|
||||||
|
| disable_genhomedircon
|
||||||
|
| usepasswd
|
||||||
|
+ | ignoredirs
|
||||||
|
| handle_unknown
|
||||||
|
| bzip_blocksize
|
||||||
|
| bzip_small
|
||||||
|
@@ -166,6 +167,10 @@ usepasswd: USEPASSWD '=' ARG {
|
||||||
|
free($3);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ignoredirs: IGNOREDIRS '=' ARG {
|
||||||
|
+ current_conf->ignoredirs = strdup($3);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
handle_unknown: HANDLE_UNKNOWN '=' ARG {
|
||||||
|
if (strcasecmp($3, "deny") == 0) {
|
||||||
|
current_conf->handle_unknown = SEPOL_DENY_UNKNOWN;
|
||||||
|
@@ -262,6 +267,7 @@ static int semanage_conf_init(semanage_conf_t * conf)
|
||||||
|
{
|
||||||
|
conf->store_type = SEMANAGE_CON_DIRECT;
|
||||||
|
conf->store_path = strdup(basename(semanage_policy_root()));
|
||||||
|
+ conf->ignoredirs = NULL;
|
||||||
|
conf->policyvers = sepol_policy_kern_vers_max();
|
||||||
|
conf->expand_check = 1;
|
||||||
|
conf->handle_unknown = -1;
|
||||||
|
@@ -354,6 +360,7 @@ void semanage_conf_destroy(semanage_conf_t * conf)
|
||||||
|
{
|
||||||
|
if (conf != NULL) {
|
||||||
|
free(conf->store_path);
|
||||||
|
+ free(conf->ignoredirs);
|
||||||
|
semanage_conf_external_prog_destroy(conf->load_policy);
|
||||||
|
semanage_conf_external_prog_destroy(conf->setfiles);
|
||||||
|
semanage_conf_external_prog_destroy(conf->mod_prog);
|
||||||
|
diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l
|
||||||
|
index e57119d..7ef4154 100644
|
||||||
|
--- a/libsemanage/src/conf-scan.l
|
||||||
|
+++ b/libsemanage/src/conf-scan.l
|
||||||
|
@@ -47,6 +47,7 @@ save-previous return SAVE_PREVIOUS;
|
||||||
|
save-linked return SAVE_LINKED;
|
||||||
|
disable-genhomedircon return DISABLE_GENHOMEDIRCON;
|
||||||
|
usepasswd return USEPASSWD;
|
||||||
|
+ignoredirs return IGNOREDIRS;
|
||||||
|
handle-unknown return HANDLE_UNKNOWN;
|
||||||
|
bzip-blocksize return BZIP_BLOCKSIZE;
|
||||||
|
bzip-small return BZIP_SMALL;
|
||||||
|
diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c
|
||||||
|
index 8fcfb88..4f919a6 100644
|
||||||
|
--- a/libsemanage/src/direct_api.c
|
||||||
|
+++ b/libsemanage/src/direct_api.c
|
||||||
|
@@ -992,7 +992,7 @@ static int semanage_direct_commit(semanage_handle_t * sh)
|
||||||
|
* which requires the out policydb */
|
||||||
|
if (!sh->conf->disable_genhomedircon) {
|
||||||
|
if (out && (retval =
|
||||||
|
- semanage_genhomedircon(sh, out, sh->conf->usepasswd)) != 0) {
|
||||||
|
+ semanage_genhomedircon(sh, out, sh->conf->usepasswd, sh->conf->ignoredirs)) != 0) {
|
||||||
|
ERR(sh, "semanage_genhomedircon returned error code %d.",
|
||||||
|
retval);
|
||||||
|
goto cleanup;
|
||||||
diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
|
diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
|
||||||
index 847d87e..2870fa8 100644
|
index 847d87e..d2646ae 100644
|
||||||
--- a/libsemanage/src/genhomedircon.c
|
--- a/libsemanage/src/genhomedircon.c
|
||||||
+++ b/libsemanage/src/genhomedircon.c
|
+++ b/libsemanage/src/genhomedircon.c
|
||||||
@@ -314,6 +314,8 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
|
@@ -113,6 +113,61 @@ typedef struct {
|
||||||
|
int matched;
|
||||||
|
} fc_match_handle_t;
|
||||||
|
|
||||||
|
+typedef struct IgnoreDir {
|
||||||
|
+ struct IgnoreDir *next;
|
||||||
|
+ char *dir;
|
||||||
|
+} ignoredir_t;
|
||||||
|
+
|
||||||
|
+ignoredir_t *ignore_head = NULL;
|
||||||
|
+
|
||||||
|
+static void ignore_free(void) {
|
||||||
|
+ ignoredir_t *next;
|
||||||
|
+
|
||||||
|
+ while (ignore_head) {
|
||||||
|
+ next = ignore_head->next;
|
||||||
|
+ free(ignore_head->dir);
|
||||||
|
+ free(ignore_head);
|
||||||
|
+ ignore_head = next;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int ignore_setup(char *ignoredirs) {
|
||||||
|
+ char *tok;
|
||||||
|
+ ignoredir_t *ptr = NULL;
|
||||||
|
+
|
||||||
|
+ tok = strtok(ignoredirs, ";");
|
||||||
|
+ while(tok) {
|
||||||
|
+ ptr = calloc(sizeof(ignoredir_t),1);
|
||||||
|
+ if (!ptr)
|
||||||
|
+ goto err;
|
||||||
|
+ ptr->dir = strdup(tok);
|
||||||
|
+ if (!ptr->dir)
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ ptr->next = ignore_head;
|
||||||
|
+ ignore_head = ptr;
|
||||||
|
+
|
||||||
|
+ tok = strtok(NULL, ";");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ return 0;
|
||||||
|
+err:
|
||||||
|
+ free(ptr);
|
||||||
|
+ ignore_free();
|
||||||
|
+ return -1;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+static int ignore(const char *homedir) {
|
||||||
|
+ ignoredir_t *ptr = ignore_head;
|
||||||
|
+ while (ptr) {
|
||||||
|
+ if (strcmp(ptr->dir, homedir) == 0) {
|
||||||
|
+ return 1;
|
||||||
|
+ }
|
||||||
|
+ ptr = ptr->next;
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
static semanage_list_t *default_shell_list(void)
|
||||||
|
{
|
||||||
|
semanage_list_t *list = NULL;
|
||||||
|
@@ -314,6 +369,8 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s)
|
||||||
}
|
}
|
||||||
if (strcmp(pwbuf->pw_dir, "/") == 0)
|
if (strcmp(pwbuf->pw_dir, "/") == 0)
|
||||||
continue;
|
continue;
|
||||||
+ if (strcmp(pwbuf->pw_dir, "/root") == 0)
|
+ if (ignore(pwbuf->pw_dir))
|
||||||
+ continue;
|
+ continue;
|
||||||
if (semanage_str_count(pwbuf->pw_dir, '/') <= 1)
|
if (semanage_str_count(pwbuf->pw_dir, '/') <= 1)
|
||||||
continue;
|
continue;
|
||||||
if (!(path = strdup(pwbuf->pw_dir))) {
|
if (!(path = strdup(pwbuf->pw_dir))) {
|
||||||
@@ -829,6 +831,8 @@ static genhomedircon_user_entry_t *get_users(genhomedircon_settings_t * s,
|
@@ -660,9 +717,12 @@ static int set_fallback_user(genhomedircon_settings_t *s, const char *user,
|
||||||
|
{
|
||||||
|
char *fallback_user = strdup(user);
|
||||||
|
char *fallback_user_prefix = strdup(prefix);
|
||||||
|
- char *fallback_user_level = strdup(level);
|
||||||
|
+ char *fallback_user_level = NULL;
|
||||||
|
+ if (level)
|
||||||
|
+ fallback_user_level = strdup(level);
|
||||||
|
|
||||||
|
- if (fallback_user == NULL || fallback_user_prefix == NULL || fallback_user_level == NULL) {
|
||||||
|
+ if (fallback_user == NULL || fallback_user_prefix == NULL ||
|
||||||
|
+ (fallback_user_level == NULL && level != NULL)) {
|
||||||
|
free(fallback_user);
|
||||||
|
free(fallback_user_prefix);
|
||||||
|
free(fallback_user_level);
|
||||||
|
@@ -829,6 +889,8 @@ static genhomedircon_user_entry_t *get_users(genhomedircon_settings_t * s,
|
||||||
* /root */
|
* /root */
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
+ if (strcmp(pwent->pw_dir, "/root") == 0)
|
+ if (ignore(pwent->pw_dir))
|
||||||
+ continue;
|
+ continue;
|
||||||
if (push_user_entry(&head, name, seuname,
|
if (push_user_entry(&head, name, seuname,
|
||||||
prefix, pwent->pw_dir, level) != STATUS_SUCCESS) {
|
prefix, pwent->pw_dir, level) != STATUS_SUCCESS) {
|
||||||
*errors = STATUS_ERR;
|
*errors = STATUS_ERR;
|
||||||
|
@@ -980,7 +1042,8 @@ done:
|
||||||
|
|
||||||
|
int semanage_genhomedircon(semanage_handle_t * sh,
|
||||||
|
sepol_policydb_t * policydb,
|
||||||
|
- int usepasswd)
|
||||||
|
+ int usepasswd,
|
||||||
|
+ char *ignoredirs)
|
||||||
|
{
|
||||||
|
genhomedircon_settings_t s;
|
||||||
|
FILE *out = NULL;
|
||||||
|
@@ -998,6 +1061,8 @@ int semanage_genhomedircon(semanage_handle_t * sh,
|
||||||
|
if (s.fallback_user == NULL || s.fallback_user_prefix == NULL || s.fallback_user_level == NULL)
|
||||||
|
return STATUS_ERR;
|
||||||
|
|
||||||
|
+ if (ignoredirs) ignore_setup(ignoredirs);
|
||||||
|
+
|
||||||
|
s.usepasswd = usepasswd;
|
||||||
|
s.h_semanage = sh;
|
||||||
|
s.policydb = policydb;
|
||||||
|
@@ -1014,6 +1079,7 @@ int semanage_genhomedircon(semanage_handle_t * sh,
|
||||||
|
|
||||||
|
free(s.fallback_user);
|
||||||
|
free(s.fallback_user_prefix);
|
||||||
|
+ ignore_free();
|
||||||
|
|
||||||
|
return retval;
|
||||||
|
}
|
||||||
|
diff --git a/libsemanage/src/genhomedircon.h b/libsemanage/src/genhomedircon.h
|
||||||
|
index 443e345..3f9ef8f 100644
|
||||||
|
--- a/libsemanage/src/genhomedircon.h
|
||||||
|
+++ b/libsemanage/src/genhomedircon.h
|
||||||
|
@@ -23,6 +23,7 @@
|
||||||
|
#include "utilities.h"
|
||||||
|
|
||||||
|
int semanage_genhomedircon(semanage_handle_t * sh,
|
||||||
|
- sepol_policydb_t * policydb, int usepasswd);
|
||||||
|
+ sepol_policydb_t * policydb, int usepasswd,
|
||||||
|
+ char *ignoredirs);
|
||||||
|
|
||||||
|
#endif
|
||||||
|
diff --git a/libsemanage/src/semanage_conf.h b/libsemanage/src/semanage_conf.h
|
||||||
|
index f58d9ac..95f8ec3 100644
|
||||||
|
--- a/libsemanage/src/semanage_conf.h
|
||||||
|
+++ b/libsemanage/src/semanage_conf.h
|
||||||
|
@@ -43,6 +43,7 @@ typedef struct semanage_conf {
|
||||||
|
mode_t file_mode;
|
||||||
|
int bzip_blocksize;
|
||||||
|
int bzip_small;
|
||||||
|
+ char *ignoredirs; /* ";" separated of list for genhomedircon to ignore */
|
||||||
|
struct external_prog *load_policy;
|
||||||
|
struct external_prog *setfiles;
|
||||||
|
struct external_prog *mod_prog, *linked_prog, *kernel_prog;
|
||||||
|
|||||||
@ -10,7 +10,7 @@
|
|||||||
Summary: SELinux binary policy manipulation library
|
Summary: SELinux binary policy manipulation library
|
||||||
Name: libsemanage
|
Name: libsemanage
|
||||||
Version: 2.1.5
|
Version: 2.1.5
|
||||||
Release: 1%{?dist}
|
Release: 2%{?dist}
|
||||||
License: LGPLv2+
|
License: LGPLv2+
|
||||||
Group: System Environment/Libraries
|
Group: System Environment/Libraries
|
||||||
Source: libsemanage-%{version}.tgz
|
Source: libsemanage-%{version}.tgz
|
||||||
@ -180,6 +180,9 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||||||
%endif # if with_python3
|
%endif # if with_python3
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Dec 15 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-2
|
||||||
|
- Add support for ignoredirs param in /etc/selinux/semanage.conf
|
||||||
|
|
||||||
* Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-1
|
* Fri Nov 4 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.5-1
|
||||||
- Upgrade to upstream
|
- Upgrade to upstream
|
||||||
* regenerate .pc on VERSION change
|
* regenerate .pc on VERSION change
|
||||||
|
|||||||
@ -48,3 +48,4 @@ expand-check=0
|
|||||||
usepasswd=False
|
usepasswd=False
|
||||||
bzip-small=true
|
bzip-small=true
|
||||||
bzip-blocksize=5
|
bzip-blocksize=5
|
||||||
|
ignoredirs=/root
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user