diff --git a/libsemanage/man/man5/semanage.conf.5 b/libsemanage/man/man5/semanage.conf.5 index c60bdc6..6a8b4e8 100644 --- a/libsemanage/man/man5/semanage.conf.5 +++ b/libsemanage/man/man5/semanage.conf.5 @@ -56,6 +56,11 @@ It controls whether the previously linked module is saved (with name "base.linke It can be set to either "true" or "false" and by default it is set to "false" (the previous module is deleted). .TP +.B ignoredirs +List, separated by ";", of directories to ignore when setting up users homedirs. +Some distributions use this to stop labeling /root as a homedir. + +.TP .B usepasswd Whether or not to enable the use getpwent() to obtain a list of home directories to label. It can be set to either "true" or "false". By default it is set to "true". diff --git a/libsemanage/src/conf-parse.y b/libsemanage/src/conf-parse.y index 77c00b2..bbdac1d 100644 --- a/libsemanage/src/conf-parse.y +++ b/libsemanage/src/conf-parse.y @@ -58,7 +58,7 @@ static int parse_errors; } %token MODULE_STORE VERSION EXPAND_CHECK FILE_MODE SAVE_PREVIOUS SAVE_LINKED -%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD +%token LOAD_POLICY_START SETFILES_START DISABLE_GENHOMEDIRCON HANDLE_UNKNOWN USEPASSWD IGNOREDIRS %token BZIP_BLOCKSIZE BZIP_SMALL %token VERIFY_MOD_START VERIFY_LINKED_START VERIFY_KERNEL_START BLOCK_END %token PROG_PATH PROG_ARGS @@ -84,6 +84,7 @@ single_opt: module_store | save_linked | disable_genhomedircon | usepasswd + | ignoredirs | handle_unknown | bzip_blocksize | bzip_small @@ -166,6 +167,10 @@ usepasswd: USEPASSWD '=' ARG { free($3); } +ignoredirs: IGNOREDIRS '=' ARG { + current_conf->ignoredirs = strdup($3); + } + handle_unknown: HANDLE_UNKNOWN '=' ARG { if (strcasecmp($3, "deny") == 0) { current_conf->handle_unknown = SEPOL_DENY_UNKNOWN; @@ -262,6 +267,7 @@ static int semanage_conf_init(semanage_conf_t * conf) { conf->store_type = SEMANAGE_CON_DIRECT; conf->store_path = strdup(basename(semanage_policy_root())); + conf->ignoredirs = NULL; conf->policyvers = sepol_policy_kern_vers_max(); conf->expand_check = 1; conf->handle_unknown = -1; @@ -354,6 +360,7 @@ void semanage_conf_destroy(semanage_conf_t * conf) { if (conf != NULL) { free(conf->store_path); + free(conf->ignoredirs); semanage_conf_external_prog_destroy(conf->load_policy); semanage_conf_external_prog_destroy(conf->setfiles); semanage_conf_external_prog_destroy(conf->mod_prog); diff --git a/libsemanage/src/conf-scan.l b/libsemanage/src/conf-scan.l index e57119d..7ef4154 100644 --- a/libsemanage/src/conf-scan.l +++ b/libsemanage/src/conf-scan.l @@ -47,6 +47,7 @@ save-previous return SAVE_PREVIOUS; save-linked return SAVE_LINKED; disable-genhomedircon return DISABLE_GENHOMEDIRCON; usepasswd return USEPASSWD; +ignoredirs return IGNOREDIRS; handle-unknown return HANDLE_UNKNOWN; bzip-blocksize return BZIP_BLOCKSIZE; bzip-small return BZIP_SMALL; diff --git a/libsemanage/src/direct_api.c b/libsemanage/src/direct_api.c index 8fcfb88..4f919a6 100644 --- a/libsemanage/src/direct_api.c +++ b/libsemanage/src/direct_api.c @@ -992,7 +992,7 @@ static int semanage_direct_commit(semanage_handle_t * sh) * which requires the out policydb */ if (!sh->conf->disable_genhomedircon) { if (out && (retval = - semanage_genhomedircon(sh, out, sh->conf->usepasswd)) != 0) { + semanage_genhomedircon(sh, out, sh->conf->usepasswd, sh->conf->ignoredirs)) != 0) { ERR(sh, "semanage_genhomedircon returned error code %d.", retval); goto cleanup; diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c index 847d87e..d2646ae 100644 --- a/libsemanage/src/genhomedircon.c +++ b/libsemanage/src/genhomedircon.c @@ -113,6 +113,61 @@ typedef struct { int matched; } fc_match_handle_t; +typedef struct IgnoreDir { + struct IgnoreDir *next; + char *dir; +} ignoredir_t; + +ignoredir_t *ignore_head = NULL; + +static void ignore_free(void) { + ignoredir_t *next; + + while (ignore_head) { + next = ignore_head->next; + free(ignore_head->dir); + free(ignore_head); + ignore_head = next; + } +} + +static int ignore_setup(char *ignoredirs) { + char *tok; + ignoredir_t *ptr = NULL; + + tok = strtok(ignoredirs, ";"); + while(tok) { + ptr = calloc(sizeof(ignoredir_t),1); + if (!ptr) + goto err; + ptr->dir = strdup(tok); + if (!ptr->dir) + goto err; + + ptr->next = ignore_head; + ignore_head = ptr; + + tok = strtok(NULL, ";"); + } + + return 0; +err: + free(ptr); + ignore_free(); + return -1; +} + +static int ignore(const char *homedir) { + ignoredir_t *ptr = ignore_head; + while (ptr) { + if (strcmp(ptr->dir, homedir) == 0) { + return 1; + } + ptr = ptr->next; + } + return 0; +} + static semanage_list_t *default_shell_list(void) { semanage_list_t *list = NULL; @@ -314,6 +369,8 @@ static semanage_list_t *get_home_dirs(genhomedircon_settings_t * s) } if (strcmp(pwbuf->pw_dir, "/") == 0) continue; + if (ignore(pwbuf->pw_dir)) + continue; if (semanage_str_count(pwbuf->pw_dir, '/') <= 1) continue; if (!(path = strdup(pwbuf->pw_dir))) { @@ -660,9 +717,12 @@ static int set_fallback_user(genhomedircon_settings_t *s, const char *user, { char *fallback_user = strdup(user); char *fallback_user_prefix = strdup(prefix); - char *fallback_user_level = strdup(level); + char *fallback_user_level = NULL; + if (level) + fallback_user_level = strdup(level); - if (fallback_user == NULL || fallback_user_prefix == NULL || fallback_user_level == NULL) { + if (fallback_user == NULL || fallback_user_prefix == NULL || + (fallback_user_level == NULL && level != NULL)) { free(fallback_user); free(fallback_user_prefix); free(fallback_user_level); @@ -829,6 +889,8 @@ static genhomedircon_user_entry_t *get_users(genhomedircon_settings_t * s, * /root */ continue; } + if (ignore(pwent->pw_dir)) + continue; if (push_user_entry(&head, name, seuname, prefix, pwent->pw_dir, level) != STATUS_SUCCESS) { *errors = STATUS_ERR; @@ -980,7 +1042,8 @@ done: int semanage_genhomedircon(semanage_handle_t * sh, sepol_policydb_t * policydb, - int usepasswd) + int usepasswd, + char *ignoredirs) { genhomedircon_settings_t s; FILE *out = NULL; @@ -998,6 +1061,8 @@ int semanage_genhomedircon(semanage_handle_t * sh, if (s.fallback_user == NULL || s.fallback_user_prefix == NULL || s.fallback_user_level == NULL) return STATUS_ERR; + if (ignoredirs) ignore_setup(ignoredirs); + s.usepasswd = usepasswd; s.h_semanage = sh; s.policydb = policydb; @@ -1014,6 +1079,7 @@ int semanage_genhomedircon(semanage_handle_t * sh, free(s.fallback_user); free(s.fallback_user_prefix); + ignore_free(); return retval; } diff --git a/libsemanage/src/genhomedircon.h b/libsemanage/src/genhomedircon.h index 443e345..3f9ef8f 100644 --- a/libsemanage/src/genhomedircon.h +++ b/libsemanage/src/genhomedircon.h @@ -23,6 +23,7 @@ #include "utilities.h" int semanage_genhomedircon(semanage_handle_t * sh, - sepol_policydb_t * policydb, int usepasswd); + sepol_policydb_t * policydb, int usepasswd, + char *ignoredirs); #endif diff --git a/libsemanage/src/semanage_conf.h b/libsemanage/src/semanage_conf.h index f58d9ac..95f8ec3 100644 --- a/libsemanage/src/semanage_conf.h +++ b/libsemanage/src/semanage_conf.h @@ -43,6 +43,7 @@ typedef struct semanage_conf { mode_t file_mode; int bzip_blocksize; int bzip_small; + char *ignoredirs; /* ";" separated of list for genhomedircon to ignore */ struct external_prog *load_policy; struct external_prog *setfiles; struct external_prog *mod_prog, *linked_prog, *kernel_prog;