* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.20-2

- Fix auditing to semanage
- Change genhomedircon to use new prefix interface in libselinux
This commit is contained in:
Daniel J Walsh 2006-02-10 17:04:04 +00:00
parent 49470329fc
commit 4c107ae3b8
2 changed files with 211 additions and 77 deletions

View File

@ -1,7 +1,27 @@
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.20/scripts/genhomedircon
--- nsapolicycoreutils/scripts/genhomedircon 2006-01-30 18:32:39.000000000 -0500
+++ policycoreutils-1.29.20/scripts/genhomedircon 2006-02-07 10:36:38.000000000 -0500
@@ -170,7 +170,7 @@
+++ policycoreutils-1.29.20/scripts/genhomedircon 2006-02-09 10:27:15.000000000 -0500
@@ -4,7 +4,7 @@
#
# genhomedircon - this script is used to generate file context
# configuration entries for user home directories based on their
-# default roles and is run when building the policy. Specifically, we
+# default prefixes and is run when building the policy. Specifically, we
# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
# generic and user-specific values.
#
@@ -15,9 +15,7 @@
# The file CONTEXTDIR/files/homedir_template exists. This file is used to
# set up the home directory context for each real user.
#
-# If a user has more than one role, genhomedircon uses the first role in the list.
-#
-# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user
+# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, prefix user
#
# "Real" users (as opposed to system users) are those whose UID is greater than
# or equal STARTING_UID (usually 500) and whose login is not a member of
@@ -170,37 +168,34 @@
def heading(self):
ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
if self.semanaged:
@ -10,18 +30,130 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po
else:
ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers")
return ret
@@ -196,7 +196,7 @@
return role
- def defaultrole(self, name):
+ def get_default_prefix(self, name):
for idx in range(self.usize):
user = semanage_user_by_idx(self.ulist, idx)
if semanage_user_get_name(user) == name:
- if name == "staff_u" or name == "root" and self.type != "targeted":
- return "staff_r"
- else:
- return "user_r"
+ return semanage_user_get_prefix(user)
return name
- def getOldRole(self, role):
- rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % role)
+ def get_old_prefix(self, user):
+ rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % user)
if rc == "":
- rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % role)
+ rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % user)
if rc != "":
user=rc.split()
- role = user[3]
- if role == "{":
- role = user[4]
- return role
+ prefix = user[3]
+ if prefix == "{":
+ prefix = user[4]
+ if len(prefix) > 2 and (prefix[-2:] == "_r" or prefix[-2:] == "_u"):
+ prefix = prefix[:-2]
+ return prefix
def adduser(self, udict, user, seuser, role):
- def adduser(self, udict, user, seuser, role):
- if seuser == "user_u" or user == "__default__":
+ def adduser(self, udict, user, seuser, prefix):
+ if seuser == "user_u" or user == "__default__" or user == "system_u":
return
# !!! chooses first role in the list to use in the file context !!!
if role[-2:] == "_r" or role[-2:] == "_u":
- # !!! chooses first role in the list to use in the file context !!!
- if role[-2:] == "_r" or role[-2:] == "_u":
- role = role[:-2]
+ # !!! chooses first prefix in the list to use in the file context !!!
try:
home = pwd.getpwnam(user)[5]
if home == "/":
@@ -217,7 +212,7 @@
return
prefs = {}
prefs["seuser"] = seuser
- prefs["role"] = role
+ prefs["prefix"] = prefix
prefs["home"] = home
udict[user] = prefs
@@ -229,7 +224,7 @@
user=[]
seuser = semanage_seuser_by_idx(list, idx)
seusername=semanage_seuser_get_sename(seuser)
- self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername))
+ self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.get_default_prefix(seusername))
else:
try:
@@ -242,8 +237,8 @@
if len(user) < 2:
continue
- role=self.getOldRole(user[1])
- self.adduser(udict, user[0], user[1], role)
+ prefix=self.get_old_prefix(user[1])
+ self.adduser(udict, user[0], user[1], prefix)
fd.close()
except IOError, error:
# Must be install so force add of root
@@ -251,40 +246,37 @@
return udict
- def getHomeDirContext(self, user, seuser, home, role):
+ def getHomeDirContext(self, user, seuser, home, prefix):
ret="\n\n#\n# Home Context for user %s\n#\n\n" % user
fd=open(self.getHomeDirTemplate(), 'r')
for i in fd.read().split('\n'):
if i.startswith("HOME_DIR") == 1:
i=i.replace("HOME_DIR", home)
- i=i.replace("ROLE", role)
+ i=i.replace("ROLE", prefix)
i=i.replace("system_u", seuser)
ret = ret+i+"\n"
fd.close()
return ret
- def getUserContext(self, user, sel_user, role):
+ def getUserContext(self, user, sel_user, prefix):
ret=""
fd=open(self.getHomeDirTemplate(), 'r')
for i in fd.read().split('\n'):
if i.find("USER") == 1:
i=i.replace("USER", user)
- i=i.replace("ROLE", role)
+ i=i.replace("ROLE", prefix)
i=i.replace("system_u", sel_user)
ret=ret+i+"\n"
fd.close()
return ret
def genHomeDirContext(self):
- if self.semanaged and grep(self.getHomeDirTemplate(), "ROLE") != "":
- warning("genhomedircon: Warning! No support yet for expanding ROLE macros in the %s file when using libsemanage." % self.getHomeDirTemplate());
- warning("genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root).");
users = self.getUsers()
ret=""
- # Fill in HOME and ROLE for users that are defined
+ # Fill in HOME and prefix for users that are defined
for u in users.keys():
- ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["role"])
- ret += self.getUserContext (u, users[u]["seuser"], users[u]["role"])
+ ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["prefix"])
+ ret += self.getUserContext (u, users[u]["seuser"], users[u]["prefix"])
return ret+"\n"
def checkExists(self, home):
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.20/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2006-02-02 12:08:04.000000000 -0500
+++ policycoreutils-1.29.20/semanage/seobject.py 2006-02-07 10:35:46.000000000 -0500
+++ policycoreutils-1.29.20/semanage/seobject.py 2006-02-10 11:48:59.000000000 -0500
@@ -21,8 +21,11 @@
#
#
@ -35,7 +167,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
def validate_level(raw):
sensitivity="s([0-9]|1[0-5])"
@@ -170,119 +173,143 @@
@@ -170,119 +173,145 @@
if sename == "":
sename = "user_u"
@ -117,18 +249,18 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
+ raise ValueError("Could not add login mapping for %s" % name)
+
+ except ValueError, error:
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+ name, 0, "", "", "", 0);
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 0);
+ raise error
+
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"adding selinux user mapping",
+ name, 0, "", "", "", 1);
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 1);
semanage_seuser_key_free(k)
semanage_seuser_free(u)
def modify(self, name, sename = "", serange = ""):
- if sename == "" and serange == "":
- raise ValueError("Requires seuser or serange")
+ oldsename=""
+ oldserange=""
+ try:
+ if sename == "" and serange == "":
+ raise ValueError("Requires seuser or serange")
@ -162,10 +294,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
- semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
- if sename != "":
- semanage_seuser_set_sename(self.sh, u, sename)
+ oldserange=semanage_seuser_get_mlsrange(u)
+ oldsename=semanage_seuser_get_sename(u)
+ if serange != "":
+ semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
+ else:
+ serange=oldserange
+ if sename != "":
+ semanage_seuser_set_sename(self.sh, u, sename)
+ else:
+ sename=oldsename
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
@ -184,18 +322,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
+ rc = semanage_seuser_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not modify login mapping for %s" % name)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not modify login mapping for %s" % name)
+
+ except ValueError, error:
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+ name, 0, "", "", "", 0);
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, "", oldsename, "", oldserange, "", "", "", 0);
+ raise error
+
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping",
+ name, 0, "", "", "", 1);
+
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, oldsename, "", oldserange, "", 1);
semanage_seuser_key_free(k)
semanage_seuser_free(u)
@ -254,109 +390,107 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
+ raise ValueError("Could not delete login mapping for %s" % name)
+
+ except ValueError, error:
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+ name, 0, "", "", "", 0);
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 0);
+ raise error
+
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete selinux user mapping",
+ name, 0, "", "", "", 1);
+
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 1);
semanage_seuser_key_free(k)
@@ -322,127 +349,150 @@
@@ -322,127 +351,145 @@
else:
selevel = untranslate(selevel)
- (rc,k) = semanage_user_key_create(self.sh, name)
- if rc < 0:
- raise ValueError("Could not create a key for %s" % name)
+ try:
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
-
- (rc,exists) = semanage_user_exists(self.sh, k)
- if rc < 0:
- raise ValueError("Could not check if SELinux user %s is defined" % name)
- if exists:
- raise ValueError("SELinux user %s is already defined" % name)
+ seroles=" ".join(roles)
+ try:
+ (rc,k) = semanage_user_key_create(self.sh, name)
+ if rc < 0:
+ raise ValueError("Could not create a key for %s" % name)
- (rc,u) = semanage_user_create(self.sh)
- if rc < 0:
- raise ValueError("Could not create SELinux user for %s" % name)
+ (rc,exists) = semanage_user_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
+ if exists:
+ raise ValueError("SELinux user %s is already defined" % name)
- (rc,u) = semanage_user_create(self.sh)
- rc = semanage_user_set_name(self.sh, u, name)
- if rc < 0:
- raise ValueError("Could not create SELinux user for %s" % name)
- raise ValueError("Could not set name for %s" % name)
+ (rc,u) = semanage_user_create(self.sh)
+ if rc < 0:
+ raise ValueError("Could not create SELinux user for %s" % name)
- rc = semanage_user_set_name(self.sh, u, name)
- if rc < 0:
- raise ValueError("Could not set name for %s" % name)
+ rc = semanage_user_set_name(self.sh, u, name)
+ if rc < 0:
+ raise ValueError("Could not set name for %s" % name)
- for r in roles:
- rc = semanage_user_add_role(self.sh, u, r)
+ for r in roles:
+ rc = semanage_user_add_role(self.sh, u, r)
+ if rc < 0:
+ raise ValueError("Could not add role %s for %s" % (r, name))
+
+ rc = semanage_user_set_mlsrange(self.sh, u, serange)
+ rc = semanage_user_set_name(self.sh, u, name)
if rc < 0:
- raise ValueError("Could not add role %s for %s" % (r, name))
+ raise ValueError("Could not set MLS range for %s" % name)
+ raise ValueError("Could not set name for %s" % name)
- rc = semanage_user_set_mlsrange(self.sh, u, serange)
- if rc < 0:
- raise ValueError("Could not set MLS range for %s" % name)
+ rc = semanage_user_set_mlslevel(self.sh, u, selevel)
+ if rc < 0:
+ raise ValueError("Could not set MLS level for %s" % name)
+ for r in roles:
+ rc = semanage_user_add_role(self.sh, u, r)
+ if rc < 0:
+ raise ValueError("Could not add role %s for %s" % (r, name))
- rc = semanage_user_set_mlslevel(self.sh, u, selevel)
- if rc < 0:
- raise ValueError("Could not set MLS level for %s" % name)
+ (rc,key) = semanage_user_key_extract(self.sh,u)
+ rc = semanage_user_set_mlsrange(self.sh, u, serange)
+ if rc < 0:
+ raise ValueError("Could not extract key for %s" % name)
+ raise ValueError("Could not set MLS range for %s" % name)
- (rc,key) = semanage_user_key_extract(self.sh,u)
- if rc < 0:
- raise ValueError("Could not extract key for %s" % name)
+ rc = semanage_begin_transaction(self.sh)
+ rc = semanage_user_set_mlslevel(self.sh, u, selevel)
+ if rc < 0:
+ raise ValueError("Could not start semanage transaction")
+ raise ValueError("Could not set MLS level for %s" % name)
- rc = semanage_begin_transaction(self.sh)
- if rc < 0:
- raise ValueError("Could not start semanage transaction")
+ rc = semanage_user_modify_local(self.sh, k, u)
+ (rc,key) = semanage_user_key_extract(self.sh,u)
+ if rc < 0:
+ raise ValueError("Could not add SELinux user %s" % name)
+ raise ValueError("Could not extract key for %s" % name)
- rc = semanage_user_modify_local(self.sh, k, u)
- if rc < 0:
- raise ValueError("Could not add SELinux user %s" % name)
+ rc = semanage_commit(self.sh)
+ rc = semanage_begin_transaction(self.sh)
+ if rc < 0:
+ raise ValueError("Could not add SELinux user %s" % name)
+ raise ValueError("Could not start semanage transaction")
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not add SELinux user %s" % name)
+ except ValueError, error:
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+ name, 0, "", "", "", 0);
+ raise error
+ rc = semanage_user_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not add SELinux user %s" % name)
+
+ rc = semanage_commit(self.sh)
+ if rc < 0:
+ raise ValueError("Could not add SELinux user %s" % name)
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add Selinux User Record",
+ name, 0, "", "", "", 1);
+ except ValueError, error:
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 0);
+ raise error
+
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 1);
semanage_user_key_free(k)
semanage_user_free(u)
@ -423,7 +557,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
- rc = semanage_commit(self.sh)
- if rc < 0:
- raise ValueError("Could not modify SELinux user %s" % name)
-
+ rc = semanage_user_modify_local(self.sh, k, u)
+ if rc < 0:
+ raise ValueError("Could not modify SELinux user %s" % name)
@ -433,12 +566,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
+ raise ValueError("Could not modify SELinux user %s" % name)
+
+ except ValueError, error:
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+ name, 0, "", "", "", 0);
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 0);
+ raise error
+
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify Selinux User Record",
+ name, 0, "", "", "", 1);
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 1);
semanage_user_key_free(k)
semanage_user_free(u)
@ -495,12 +626,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py pol
+ if rc < 0:
+ raise ValueError("Could not delete SELinux user %s" % name)
+ except ValueError, error:
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],error.args[0],
+ name, 0, "", "", "", 0);
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 0);
+ raise error
+ audit.audit_log_acct_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"Delete Selinux User Record",
+ name, 0, "", "", "", 1);
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 1);
semanage_user_key_free(k)
def get_all(self):

View File

@ -1,10 +1,11 @@
%define libauditver 1.1.4-3
%define libsepolver 1.11.13-1
%define libsemanagever 1.5.21-1
%define libsemanagever 1.5.21-2
%define libselinuxver 1.29.7-1
Summary: SELinux policy core utilities.
Name: policycoreutils
Version: 1.29.20
Release: 1
Release: 2
License: GPL
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -12,7 +13,7 @@ Patch: policycoreutils-rhat.patch
BuildRequires: pam-devel libsepol-devel >= %{libsepolver} libsemanage-devel >= %{libsemanagever} libselinux-devel >= %{libselinuxver}
PreReq: /bin/mount /bin/egrep /bin/awk /usr/bin/diff
Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} libselinux-python coreutils audit-libs-python
Requires: libsepol >= %{libsepolver} libsemanage >= %{libsemanagever} libselinux-python coreutils audit-libs-python >= %{libauditver}
BuildRoot: %{_tmppath}/%{name}-buildroot
%description
@ -97,6 +98,10 @@ rm -rf ${RPM_BUILD_ROOT}
%{_libdir}/python2.4/site-packages/seobject.py*
%changelog
* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.20-2
- Fix auditing to semanage
- Change genhomedircon to use new prefix interface in libselinux
* Tue Feb 07 2006 Dan Walsh <dwalsh@redhat.com> 1.29.20-1
- Update from upstream
* Merged seuser/user_extra support patch to semodule_package