* Wed Dec 14 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-3
- Remove commands from genhomedircon for installer
parent
69182daad3
commit
235a937b7a
@ -1,8 +1,12 @@
|
|||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.1/scripts/genhomedircon
|
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.2/scripts/genhomedircon
|
||||||
--- nsapolicycoreutils/scripts/genhomedircon 2005-12-07 07:28:00.000000000 -0500
|
--- nsapolicycoreutils/scripts/genhomedircon 2005-12-07 07:28:00.000000000 -0500
|
||||||
+++ policycoreutils-1.29.1/scripts/genhomedircon 2005-12-14 14:12:00.000000000 -0500
|
+++ policycoreutils-1.29.2/scripts/genhomedircon 2005-12-19 18:17:05.000000000 -0500
|
||||||
@@ -29,11 +29,14 @@
|
@@ -26,64 +26,70 @@
|
||||||
import commands, sys, os, pwd, string, getopt, re
|
#
|
||||||
|
#
|
||||||
|
|
||||||
|
-import commands, sys, os, pwd, string, getopt, re
|
||||||
|
+import sys, os, pwd, string, getopt, re
|
||||||
from semanage import *;
|
from semanage import *;
|
||||||
|
|
||||||
-fd=open("/etc/shells", 'r')
|
-fd=open("/etc/shells", 'r')
|
||||||
@ -18,10 +22,134 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po
|
|||||||
+ VALID_SHELLS.remove("/sbin/nologin")
|
+ VALID_SHELLS.remove("/sbin/nologin")
|
||||||
+except:
|
+except:
|
||||||
+ VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh']
|
+ VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh']
|
||||||
|
+
|
||||||
|
+def findval(file, var, delim=""):
|
||||||
|
+ val=""
|
||||||
|
+ fd=open(file, 'r')
|
||||||
|
+ for i in fd.read().split('\n'):
|
||||||
|
+ if i.startswith(var) == 1:
|
||||||
|
+ if delim == "":
|
||||||
|
+ val = i.split()[1]
|
||||||
|
+ else:
|
||||||
|
+ val = i.split(delim)[1]
|
||||||
|
+ val = val.split("#")[0]
|
||||||
|
+ val = val.strip()
|
||||||
|
+ fd.close()
|
||||||
|
+ return val
|
||||||
|
|
||||||
def getStartingUID():
|
def getStartingUID():
|
||||||
starting_uid = sys.maxint
|
starting_uid = sys.maxint
|
||||||
@@ -163,21 +166,29 @@
|
- rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs")
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1])
|
||||||
|
- #stip any comment from the end of the line
|
||||||
|
+ uid_min= findval("/etc/login.defs", "UID_MIN")
|
||||||
|
+ if uid_min != "":
|
||||||
|
uid_min = uid_min.split("#")[0]
|
||||||
|
uid_min = uid_min.strip()
|
||||||
|
if int(uid_min) < starting_uid:
|
||||||
|
starting_uid = int(uid_min)
|
||||||
|
- rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf")
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1])
|
||||||
|
- #stip any comment from the end of the line
|
||||||
|
- lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber)
|
||||||
|
- lu_uidnumber = lu_uidnumber.split("#")[0]
|
||||||
|
- lu_uidnumber = lu_uidnumber.strip()
|
||||||
|
- if int(lu_uidnumber) < starting_uid:
|
||||||
|
- starting_uid = int(lu_uidnumber)
|
||||||
|
+
|
||||||
|
+ uid_min= findval("/etc/libuser.conf", "LU_UIDNUMBER", "=")
|
||||||
|
+ if uid_min != "":
|
||||||
|
+ uid_min = uid_min.split("#")[0]
|
||||||
|
+ uid_min = uid_min.strip()
|
||||||
|
+ if int(uid_min) < starting_uid:
|
||||||
|
+ starting_uid = int(uid_min)
|
||||||
|
+
|
||||||
|
if starting_uid == sys.maxint:
|
||||||
|
starting_uid = 500
|
||||||
|
return starting_uid
|
||||||
|
|
||||||
|
def getDefaultHomeDir():
|
||||||
|
ret = []
|
||||||
|
- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- homedir = rc[1].split("=")[1]
|
||||||
|
- homedir = homedir.split("#")[0]
|
||||||
|
- homedir = homedir.strip()
|
||||||
|
- if not homedir in ret:
|
||||||
|
- ret.append(homedir)
|
||||||
|
-
|
||||||
|
- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- homedir = rc[1].split("=")[1]
|
||||||
|
- homedir = homedir.split("#")[0]
|
||||||
|
- homedir = homedir.strip()
|
||||||
|
- if not homedir in ret:
|
||||||
|
- ret.append(homedir)
|
||||||
|
-
|
||||||
|
+ homedir=findval("/etc/default/useradd", "HOME", "=")
|
||||||
|
+ if homedir != "" and not homedir in ret:
|
||||||
|
+ ret.append(homedir)
|
||||||
|
+
|
||||||
|
+ homedir=findval("/etc/libuser.conf", "LU_HOMEDIRECTORY", "=")
|
||||||
|
+ if homedir != "" and not homedir in ret:
|
||||||
|
+ ret.append(homedir)
|
||||||
|
+
|
||||||
|
if ret == []:
|
||||||
|
ret.append("/home")
|
||||||
|
return ret
|
||||||
|
|
||||||
|
def getSELinuxType(directory):
|
||||||
|
- rc=commands.getstatusoutput("grep ^SELINUXTYPE= %s/config" % directory)
|
||||||
|
- if rc[0]==0:
|
||||||
|
- return rc[1].split("=")[-1].strip()
|
||||||
|
+ val=findval(directory+"/config", "SELINUXTYPE", "=")
|
||||||
|
+ if val != "":
|
||||||
|
+ return val
|
||||||
|
return "targeted"
|
||||||
|
|
||||||
|
def usage(error = ""):
|
||||||
|
@@ -129,11 +135,17 @@
|
||||||
|
return self.getFileContextDir()+"/homedir_template"
|
||||||
|
|
||||||
|
def getHomeRootContext(self, homedir):
|
||||||
|
- rc=commands.getstatusoutput("grep HOME_ROOT %s | sed -e \"s|^HOME_ROOT|%s|\"" % ( self.getHomeDirTemplate(), homedir))
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- return rc[1]+"\n"
|
||||||
|
- else:
|
||||||
|
- errorExit("sed error %s" % rc[1])
|
||||||
|
+ ret=""
|
||||||
|
+ fd=open(self.getHomeDirTemplate(), 'r')
|
||||||
|
+
|
||||||
|
+ for i in fd.read().split('\n'):
|
||||||
|
+ if i.find("HOME_ROOT") == 0:
|
||||||
|
+ i=i.replace("HOME_ROOT", homedir)
|
||||||
|
+ ret = i+"\n"
|
||||||
|
+ fd.close()
|
||||||
|
+ if ret=="":
|
||||||
|
+ errorExit("No Home Root Context Found")
|
||||||
|
+ return ret
|
||||||
|
|
||||||
|
def heading(self):
|
||||||
|
ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
|
||||||
|
@@ -152,32 +164,40 @@
|
||||||
|
return "user_r"
|
||||||
|
return name
|
||||||
|
def getOldRole(self, role):
|
||||||
|
- rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/system.users"))
|
||||||
|
- if rc[0] != 0:
|
||||||
|
- rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/local.users"))
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- user=rc[1].split()
|
||||||
|
+ rc=findval(self.selinuxdir+self.type+"/users/system.users", 'grep "^user %s" %s' % role, "=")
|
||||||
|
+ if rc == "":
|
||||||
|
+ rc=findval(self.selinuxdir+self.type+"/users/local.users", 'grep "^user %s" %s' % role, "=")
|
||||||
|
+ if rc != "":
|
||||||
|
+ user=rc.split()
|
||||||
|
role = user[3]
|
||||||
|
if role == "{":
|
||||||
|
role = user[4]
|
||||||
return role
|
return role
|
||||||
|
|
||||||
def adduser(self, udict, user, seuser, role):
|
def adduser(self, udict, user, seuser, role):
|
||||||
@ -62,3 +190,136 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po
|
|||||||
|
|
||||||
def getUsers(self):
|
def getUsers(self):
|
||||||
udict = {}
|
udict = {}
|
||||||
|
@@ -190,30 +210,45 @@
|
||||||
|
self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername))
|
||||||
|
|
||||||
|
else:
|
||||||
|
- rc = commands.getstatusoutput("grep -v '^ *#' %s" % self.selinuxdir+self.type+"/seusers")
|
||||||
|
- if rc[0] == 0 and rc[1] != "":
|
||||||
|
- ulist = rc[1].split("\n")
|
||||||
|
- for u in ulist:
|
||||||
|
- if len(u)==0:
|
||||||
|
- continue
|
||||||
|
- user = u.split(":")
|
||||||
|
- if len(user) < 3:
|
||||||
|
- continue
|
||||||
|
- role=self.getOldRole(user[1])
|
||||||
|
- self.adduser(udict, user[0], user[1], role)
|
||||||
|
+ fd =open(self.selinuxdir+self.type+"/seusers")
|
||||||
|
+ for u in fd.read().split('\n'):
|
||||||
|
+ u=u.strip()
|
||||||
|
+ if len(u)==0 or u[0]=="#":
|
||||||
|
+ continue
|
||||||
|
+ user = u.split(":")
|
||||||
|
+ if len(user) < 3:
|
||||||
|
+ continue
|
||||||
|
+ role=self.getOldRole(user[1])
|
||||||
|
+ self.adduser(udict, user[0], user[1], role)
|
||||||
|
+ fd.close()
|
||||||
|
return udict
|
||||||
|
|
||||||
|
def getHomeDirContext(self, user, home, role):
|
||||||
|
ret="\n\n#\n# Home Context for user %s\n#\n\n" % user
|
||||||
|
- rc=commands.getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user))
|
||||||
|
- return ret + rc[1] + "\n"
|
||||||
|
+ fd=open(self.getHomeDirTemplate(), 'r')
|
||||||
|
+ for i in fd.read().split('\n'):
|
||||||
|
+ if i.startswith("HOME_DIR") == 1:
|
||||||
|
+ i=i.replace("HOME_DIR", home)
|
||||||
|
+ i=i.replace("ROLE", role)
|
||||||
|
+ i=i.replace("system_u", user)
|
||||||
|
+ ret = ret+i+"\n"
|
||||||
|
+ fd.close()
|
||||||
|
+ return ret
|
||||||
|
|
||||||
|
def getUserContext(self, user, sel_user, role):
|
||||||
|
- rc=commands.getstatusoutput("grep 'USER' %s | sed -e 's/USER/%s/' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), user, role, sel_user))
|
||||||
|
- return rc[1] + "\n"
|
||||||
|
+ ret=""
|
||||||
|
+ fd=open(self.getHomeDirTemplate(), 'r')
|
||||||
|
+ for i in fd.read().split('\n'):
|
||||||
|
+ if i.find("USER") == 1:
|
||||||
|
+ i=i.replace("USER", user)
|
||||||
|
+ i=i.replace("ROLE", role)
|
||||||
|
+ i=i.replace("system_u", sel_user)
|
||||||
|
+ ret=ret+i+"\n"
|
||||||
|
+ fd.close()
|
||||||
|
+ return ret
|
||||||
|
|
||||||
|
def genHomeDirContext(self):
|
||||||
|
- if commands.getstatusoutput("grep -q 'ROLE' %s" % self.getHomeDirTemplate())[0] == 0 and self.semanaged:
|
||||||
|
+ if self.semanaged and findval(self.getHomeDirTemplate(), "ROLE", "=") != "":
|
||||||
|
warning("genhomedircon: Warning! No support yet for expanding ROLE macros in the %s file when using libsemanage." % self.getHomeDirTemplate());
|
||||||
|
warning("genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root).");
|
||||||
|
users = self.getUsers()
|
||||||
|
@@ -225,40 +260,23 @@
|
||||||
|
return ret+"\n"
|
||||||
|
|
||||||
|
def checkExists(self, home):
|
||||||
|
- if commands.getstatusoutput("grep -E '^%s[^[:alnum:]_-]' %s" % (home, self.getFileContextFile()))[0] == 0:
|
||||||
|
- return 0
|
||||||
|
- #this works by grepping the file_contexts for
|
||||||
|
- # 1. ^/ makes sure this is not a comment
|
||||||
|
- # 2. prints only the regex in the first column first cut on \t then on space
|
||||||
|
- rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % self.getFileContextFile() )
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- prefix_regex = rc[1].split("\n")
|
||||||
|
- else:
|
||||||
|
- warning("%s\nYou do not have access to read %s\n" % (rc[1], self.getFileContextFile()))
|
||||||
|
-
|
||||||
|
- exists=1
|
||||||
|
- for regex in prefix_regex:
|
||||||
|
- #match a trailing (/*)? which is actually a bug in rpc_pipefs
|
||||||
|
- regex = re.sub("\(/\*\)\?$", "", regex)
|
||||||
|
- #match a trailing .+
|
||||||
|
- regex = re.sub("\.+$", "", regex)
|
||||||
|
- #match a trailing .*
|
||||||
|
- regex = re.sub("\.\*$", "", regex)
|
||||||
|
- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
|
||||||
|
- regex = re.sub("\(\/\.\*\)\?", "", regex)
|
||||||
|
- regex = regex + "/*$"
|
||||||
|
- if re.search(regex, home, 0):
|
||||||
|
- exists = 0
|
||||||
|
- break
|
||||||
|
- if exists == 1:
|
||||||
|
- return 1
|
||||||
|
- else:
|
||||||
|
- return 0
|
||||||
|
-
|
||||||
|
+ fd=open(self.getFileContextFile())
|
||||||
|
+ for i in fd.read().split('\n'):
|
||||||
|
+ if len(i)==0:
|
||||||
|
+ return
|
||||||
|
+ regex=i.split()[0]
|
||||||
|
+ #match a trailing .+
|
||||||
|
+ regex = re.sub("\.+$", "", regex)
|
||||||
|
+ regex = re.sub("\.\*$", "", regex)
|
||||||
|
+ #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
|
||||||
|
+ regex = re.sub("\(\/\.\*\)\?", "", regex)
|
||||||
|
+ regex = regex + "/*$"
|
||||||
|
+ if re.search(home, regex, 0):
|
||||||
|
+ return 1
|
||||||
|
+ return 0
|
||||||
|
|
||||||
|
def getHomeDirs(self):
|
||||||
|
- homedirs = []
|
||||||
|
- homedirs = homedirs + getDefaultHomeDir()
|
||||||
|
+ homedirs = getDefaultHomeDir()
|
||||||
|
starting_uid=getStartingUID()
|
||||||
|
if self.usepwd==0:
|
||||||
|
return homedirs
|
||||||
|
@@ -270,7 +288,7 @@
|
||||||
|
string.count(u[5], "/") > 1:
|
||||||
|
homedir = u[5][:string.rfind(u[5], "/")]
|
||||||
|
if not homedir in homedirs:
|
||||||
|
- if self.checkExists(homedir)==0:
|
||||||
|
+ if self.checkExists(homedir)==1:
|
||||||
|
warning("%s homedir %s or its parent directoy conflicts with a\ndefined context in %s,\n%s will not create a new context." % (u[0], u[5], self.getFileContextFile(), sys.argv[0]))
|
||||||
|
else:
|
||||||
|
homedirs.append(homedir)
|
||||||
|
@@ -336,4 +354,4 @@
|
||||||
|
except ValueError, error:
|
||||||
|
errorExit("ValueError %s" % error)
|
||||||
|
except IndexError, error:
|
||||||
|
- errorExit("IndexError")
|
||||||
|
+ errorExit("IndexError %s" % error)
|
||||||
|
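Review bot: The two `findval(...)` calls in getOldRole cannot work as written: the second argument is a grep command string with two `%s` placeholders but only one value, so `'grep "^user %s" %s' % role` raises TypeError before any file is read, and even with the formatting fixed findval returns a single field while the code below needs the whole line for `user[3]`. The function should scan system.users and then local.users for a line starting with `"user %s" % role` and keep that line, as sketched below; the caller getUsers sits in a later hunk. The same grep-to-Python translation slips appear in getUserContext, where `i.find("USER") == 1` matches only at offset 1 although the removed grep matched anywhere (`!= -1` is intended), and in checkExists, where `re.search(home, regex, 0)` swaps pattern and subject relative to the removed `re.search(regex, home, 0)` and the bare `return` on an empty line reports no conflict for everything after it. Note also that open() on a missing local.users now raises IOError where the removed grep merely returned non-zero, which the installer case this commit targets may hit.
```python
    def getOldRole(self, role):
        rc=""
        for users_file in ("/users/system.users", "/users/local.users"):
            fd=open(self.selinuxdir+self.type+users_file, 'r')
            for i in fd.read().split('\n'):
                # same anchoring as the removed grep "^user <role>"
                if i.startswith("user %s" % role):
                    rc=i
                    break
            fd.close()
            if rc != "":
                break
        if rc != "":
            user=rc.split()
            # … unchanged: role = user[3] and the "{" case …
        return role
```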
@ -4,7 +4,7 @@
|
|||||||
Summary: SELinux policy core utilities.
|
Summary: SELinux policy core utilities.
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 1.29.2
|
Version: 1.29.2
|
||||||
Release: 2
|
Release: 3
|
||||||
License: GPL
|
License: GPL
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||||
@ -96,6 +96,9 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||||||
%config(noreplace) %{_sysconfdir}/sestatus.conf
|
%config(noreplace) %{_sysconfdir}/sestatus.conf
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Dec 14 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-3
|
||||||
|
- Remove commands from genhomedircon for installer
|
||||||
|
|
||||||
* Wed Dec 14 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-1
|
* Wed Dec 14 2005 Dan Walsh <dwalsh@redhat.com> 1.29.2-1
|
||||||
- Fix genhomedircon to work in installer
|
- Fix genhomedircon to work in installer
|
||||||
- Update to match NSA
|
- Update to match NSA
|
||||||
|