* Wed Nov 9 2005 Dan Walsh <dwalsh@redhat.com> 1.27.26-2
- Fix genhomedircon to use seusers file
This commit is contained in:
parent
03496a1f36
commit
54ecf23b9a
@ -1,28 +1,277 @@
|
|||||||
--- policycoreutils-1.27.7/newrole/newrole.pamd.rhat 2005-10-12 15:25:48.000000000 -0400
|
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.27.26/scripts/genhomedircon
|
||||||
+++ policycoreutils-1.27.7/newrole/newrole.pamd 2005-10-13 13:41:50.000000000 -0400
|
--- nsapolicycoreutils/scripts/genhomedircon 2005-09-12 16:33:30.000000000 -0400
|
||||||
@@ -1,6 +1,6 @@
|
+++ policycoreutils-1.27.26/scripts/genhomedircon 2005-11-09 14:11:49.000000000 -0500
|
||||||
#%PAM-1.0
|
@@ -15,30 +15,16 @@
|
||||||
-auth required /lib/security/$ISA/pam_stack.so service=system-auth
|
# The file CONTEXTDIR/files/homedir_template exists. This file is used to
|
||||||
-account required /lib/security/$ISA/pam_stack.so service=system-auth
|
# set up the home directory context for each real user.
|
||||||
-password required /lib/security/$ISA/pam_stack.so service=system-auth
|
#
|
||||||
-session required /lib/security/$ISA/pam_stack.so service=system-auth
|
-# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses
|
||||||
-session optional /lib/security/$ISA/pam_xauth.so
|
-# the first role in the list.
|
||||||
+auth include system-auth
|
+# If a user has more than one role, genhomedircon uses the first role in the list.
|
||||||
+account include system-auth
|
#
|
||||||
+password include system-auth
|
-# If a user is not listed in CONTEXTDIR/local.users, he will default to user_u, role user
|
||||||
+session include system-auth
|
+# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user
|
||||||
+session optional pam_xauth.so
|
#
|
||||||
--- policycoreutils-1.27.7/run_init/run_init.pamd.rhat 2005-10-13 13:44:20.000000000 -0400
|
# "Real" users (as opposed to system users) are those whose UID is greater than
|
||||||
+++ policycoreutils-1.27.7/run_init/run_init.pamd 2005-10-13 13:45:25.000000000 -0400
|
# or equal STARTING_UID (usually 500) and whose login is not a member of
|
||||||
@@ -1,6 +1,6 @@
|
-# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/local.users
|
||||||
#%PAM-1.0
|
+# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers
|
||||||
-auth required /lib/security/$ISA/pam_stack.so service=system-auth
|
# are always "real" (including root, in the default configuration).
|
||||||
-account required /lib/security/$ISA/pam_stack.so service=system-auth
|
#
|
||||||
-password required /lib/security/$ISA/pam_stack.so service=system-auth
|
#
|
||||||
-session required /lib/security/$ISA/pam_stack.so service=system-auth
|
-# Old ASSUMPTIONS:
|
||||||
-session optional /lib/security/$ISA/pam_xauth.so
|
-#
|
||||||
+auth include system-auth
|
-# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses
|
||||||
+account include system-auth
|
-# the first role in the list.
|
||||||
+password include system-auth
|
-#
|
||||||
+session include system-auth
|
-# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that
|
||||||
+session optional pam_xauth.so
|
-# the user's home dir will be found in one of the HOME_ROOTs.
|
||||||
|
-#
|
||||||
|
-# "Real" users (as opposed to system users) are those whose UID is greater than
|
||||||
|
-# or equal STARTING_UID (usually 500) and whose login is not a member of
|
||||||
|
-# EXCLUDE_LOGINS. Users who are explicitly defined in FILECONTEXTDIR/users
|
||||||
|
-# are always "real" (including root, in the default configuration).
|
||||||
|
-#
|
||||||
|
|
||||||
|
import commands, sys, os, pwd, string, getopt, re
|
||||||
|
|
||||||
|
@@ -67,169 +53,6 @@
|
||||||
|
starting_uid = 500
|
||||||
|
return starting_uid
|
||||||
|
|
||||||
|
-#############################################################################
|
||||||
|
-#
|
||||||
|
-# This section is just for backwards compatability
|
||||||
|
-#
|
||||||
|
-#############################################################################
|
||||||
|
-def getPrefixes():
|
||||||
|
- ulist = pwd.getpwall()
|
||||||
|
- STARTING_UID=getStartingUID()
|
||||||
|
- prefixes = {}
|
||||||
|
- for u in ulist:
|
||||||
|
- if u[2] >= STARTING_UID and \
|
||||||
|
- not u[6] in EXCLUDE_LOGINS and \
|
||||||
|
- u[5] != "/" and \
|
||||||
|
- string.count(u[5], "/") > 1:
|
||||||
|
- prefix = u[5][:string.rfind(u[5], "/")]
|
||||||
|
- if not prefixes.has_key(prefix):
|
||||||
|
- prefixes[prefix] = ""
|
||||||
|
- return prefixes
|
||||||
|
-
|
||||||
|
-def getUsers(filecontextdir):
|
||||||
|
- rc = commands.getstatusoutput("grep ^user %s/users" % filecontextdir)
|
||||||
|
- udict = {}
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- ulist = rc[1].strip().split("\n")
|
||||||
|
- for u in ulist:
|
||||||
|
- user = u.split()
|
||||||
|
- try:
|
||||||
|
- if user[1] == "user_u" or user[1] == "system_u":
|
||||||
|
- continue
|
||||||
|
- # !!! chooses first role in the list to use in the file context !!!
|
||||||
|
- role = user[3]
|
||||||
|
- if role == "{":
|
||||||
|
- role = user[4]
|
||||||
|
- role = role.split("_r")[0]
|
||||||
|
- home = pwd.getpwnam(user[1])[5]
|
||||||
|
- if home == "/":
|
||||||
|
- continue
|
||||||
|
- prefs = {}
|
||||||
|
- prefs["role"] = role
|
||||||
|
- prefs["home"] = home
|
||||||
|
- udict[user[1]] = prefs
|
||||||
|
- except KeyError:
|
||||||
|
- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
|
||||||
|
- return udict
|
||||||
|
-
|
||||||
|
-def update(filecontext, user, prefs):
|
||||||
|
- rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- print rc[1]
|
||||||
|
- else:
|
||||||
|
- errorExit(string.join("grep/sed error ", rc[1]))
|
||||||
|
- return rc
|
||||||
|
-
|
||||||
|
-def oldgenhomedircon(filecontextdir, filecontext):
|
||||||
|
- sys.stderr.write("Using genhomedircon in this fashion is supported for backwards compatability\n")
|
||||||
|
- sys.stderr.write("Please update to the latest policy\n")
|
||||||
|
- sys.stderr.flush()
|
||||||
|
-
|
||||||
|
- if os.path.isdir(filecontextdir) == 0:
|
||||||
|
- sys.stderr.write("New usage is the following\n")
|
||||||
|
- usage()
|
||||||
|
- #We are going to define home directory used by libuser and show-utils as a home directory root
|
||||||
|
- prefixes = {}
|
||||||
|
- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- homedir = rc[1].split("=")[1]
|
||||||
|
- homedir = homedir.split("#")[0]
|
||||||
|
- homedir = homedir.strip()
|
||||||
|
- if not prefixes.has_key(homedir):
|
||||||
|
- prefixes[homedir] = ""
|
||||||
|
- else:
|
||||||
|
- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
|
||||||
|
- if rc[0] != 256:
|
||||||
|
- sys.stderr.write("%s\n" % rc[1])
|
||||||
|
- sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
|
||||||
|
- sys.stderr.flush()
|
||||||
|
-
|
||||||
|
-
|
||||||
|
- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- homedir = rc[1].split("=")[1]
|
||||||
|
- homedir = homedir.split("#")[0]
|
||||||
|
- homedir = homedir.strip()
|
||||||
|
- homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
|
||||||
|
- if not prefixes.has_key(homedir):
|
||||||
|
- prefixes[homedir] = ""
|
||||||
|
- else:
|
||||||
|
- if rc[0] != 256:
|
||||||
|
- sys.stderr.write("%s\n" % rc[1])
|
||||||
|
- sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n")
|
||||||
|
- sys.stderr.flush()
|
||||||
|
-
|
||||||
|
- #the idea is that we need to find all of the home_root_t directories we do this by just accepting
|
||||||
|
- #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
|
||||||
|
- #we then get the potential home directory roots from /etc/passwd or nis or whereever and look at
|
||||||
|
- #the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs
|
||||||
|
- #is then checked to see if it has an explicite context defined in the file_contexts. Explicit
|
||||||
|
- #is any regex that would match it which does not end with .*$ or .+$ since those are general
|
||||||
|
- #recursive matches. We then take any regex which ends with [pattern](/.*)?$ and just check against
|
||||||
|
- #[pattern]
|
||||||
|
- potential_prefixes = getPrefixes()
|
||||||
|
- prefix_regex = {}
|
||||||
|
- #this works by grepping the file_contexts for
|
||||||
|
- # 1. ^/ makes sure this is not a comment
|
||||||
|
- # 2. prints only the regex in the first column first cut on \t then on space
|
||||||
|
- rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % (sys.argv[2]) )
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- prefix_regex = rc[1].split("\n")
|
||||||
|
- else:
|
||||||
|
- sys.stderr.write("%s\n" % rc[1])
|
||||||
|
- sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
|
||||||
|
- sys.stderr.flush()
|
||||||
|
- for potential in potential_prefixes.keys():
|
||||||
|
- addme = 1
|
||||||
|
- for regex in prefix_regex:
|
||||||
|
- #match a trailing (/*)? which is actually a bug in rpc_pipefs
|
||||||
|
- regex = re.sub("\(/\*\)\?$", "", regex)
|
||||||
|
- #match a trailing .+
|
||||||
|
- regex = re.sub("\.+$", "", regex)
|
||||||
|
- #match a trailing .*
|
||||||
|
- regex = re.sub("\.\*$", "", regex)
|
||||||
|
- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
|
||||||
|
- regex = re.sub("\(\/\.\*\)\?", "", regex)
|
||||||
|
- regex = regex + "/*$"
|
||||||
|
- if re.search(regex, potential, 0):
|
||||||
|
- addme = 0
|
||||||
|
- if addme == 1:
|
||||||
|
- if not prefixes.has_key(potential):
|
||||||
|
- prefixes[potential] = ""
|
||||||
|
-
|
||||||
|
-
|
||||||
|
- if prefixes.__eq__({}):
|
||||||
|
- sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
|
||||||
|
- sys.stderr.write("HOME= not set in /etc/default/useradd\n")
|
||||||
|
- sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
|
||||||
|
- sys.stderr.write("Assuming /home is the root of home directories\n")
|
||||||
|
- sys.stderr.flush()
|
||||||
|
- prefixes["/home"] = ""
|
||||||
|
-
|
||||||
|
- # There may be a more elegant sed script to expand a macro to multiple lines, but this works
|
||||||
|
- sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),)
|
||||||
|
- sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),)
|
||||||
|
-
|
||||||
|
- # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
|
||||||
|
- rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- print rc[1]
|
||||||
|
- else:
|
||||||
|
- errorExit(string.join("sed error ", rc[1]))
|
||||||
|
-
|
||||||
|
- users = getUsers(filecontextdir)
|
||||||
|
- print "\n#\n# User-specific file contexts\n#\n"
|
||||||
|
-
|
||||||
|
- # Fill in HOME and ROLE for users that are defined
|
||||||
|
- for u in users.keys():
|
||||||
|
- update(filecontext, u, users[u])
|
||||||
|
-
|
||||||
|
-#############################################################################
|
||||||
|
-#
|
||||||
|
-# End of backwards compatability section
|
||||||
|
-#
|
||||||
|
-#############################################################################
|
||||||
|
-
|
||||||
|
def getDefaultHomeDir():
|
||||||
|
ret = []
|
||||||
|
rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
|
||||||
|
@@ -313,11 +136,8 @@
|
||||||
|
errorExit(string.join("sed error ", rc[1]))
|
||||||
|
|
||||||
|
def getUsersFile(self):
|
||||||
|
- return self.selinuxdir+self.type+"/users/local.users"
|
||||||
|
+ return self.selinuxdir+self.type+"/seusers"
|
||||||
|
|
||||||
|
- def getSystemUsersFile(self):
|
||||||
|
- return self.selinuxdir+self.type+"/users/system.users"
|
||||||
|
-
|
||||||
|
def heading(self):
|
||||||
|
ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
|
||||||
|
ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile()
|
||||||
|
@@ -325,10 +145,7 @@
|
||||||
|
|
||||||
|
def getUsers(self):
|
||||||
|
users=""
|
||||||
|
- rc = commands.getstatusoutput('grep "^user" %s' % self.getSystemUsersFile())
|
||||||
|
- if rc[0] == 0:
|
||||||
|
- users+=rc[1]+"\n"
|
||||||
|
- rc = commands.getstatusoutput("grep ^user %s" % self.getUsersFile())
|
||||||
|
+ rc = commands.getstatusoutput("grep -v '^ *#' %s" % self.getUsersFile())
|
||||||
|
if rc[0] == 0:
|
||||||
|
users+=rc[1]
|
||||||
|
udict = {}
|
||||||
|
@@ -336,24 +153,24 @@
|
||||||
|
if users != "":
|
||||||
|
ulist = users.split("\n")
|
||||||
|
for u in ulist:
|
||||||
|
- user = u.split()
|
||||||
|
+ if len(u)==0:
|
||||||
|
+ continue
|
||||||
|
+ user = u.split(":")
|
||||||
|
try:
|
||||||
|
- if len(user)==0 or user[1] == "user_u" or user[1] == "system_u":
|
||||||
|
+ if len(user)==0 or user[1] == "user_u" or user[1] == "root":
|
||||||
|
continue
|
||||||
|
# !!! chooses first role in the list to use in the file context !!!
|
||||||
|
- role = user[3]
|
||||||
|
- if role == "{":
|
||||||
|
- role = user[4]
|
||||||
|
- role = role.split("_r")[0]
|
||||||
|
- home = pwd.getpwnam(user[1])[5]
|
||||||
|
+ role = user[1]
|
||||||
|
+ role = role.split("_u")[0]
|
||||||
|
+ home = pwd.getpwnam(user[0])[5]
|
||||||
|
if home == "/":
|
||||||
|
continue
|
||||||
|
prefs = {}
|
||||||
|
prefs["role"] = role
|
||||||
|
prefs["home"] = home
|
||||||
|
- udict[user[1]] = prefs
|
||||||
|
+ udict[user[0]] = prefs
|
||||||
|
except KeyError:
|
||||||
|
- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
|
||||||
|
+ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[0])
|
||||||
|
return udict
|
||||||
|
|
||||||
|
def getHomeDirContext(self, user, home, role):
|
||||||
|
@@ -478,10 +295,6 @@
|
||||||
|
if type==None:
|
||||||
|
type=getSELinuxType(directory)
|
||||||
|
|
||||||
|
- if len(cmds) == 2:
|
||||||
|
- oldgenhomedircon(cmds[0], cmds[1])
|
||||||
|
- sys.exit(0)
|
||||||
|
-
|
||||||
|
if len(cmds) != 0:
|
||||||
|
usage()
|
||||||
|
selconf=selinuxConfig(directory, type, usepwd)
|
||||||
|
@ -3,7 +3,7 @@
|
|||||||
Summary: SELinux policy core utilities.
|
Summary: SELinux policy core utilities.
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 1.27.26
|
Version: 1.27.26
|
||||||
Release: 1
|
Release: 2
|
||||||
License: GPL
|
License: GPL
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||||
@ -86,6 +86,9 @@ rm -rf ${RPM_BUILD_ROOT}
|
|||||||
%config(noreplace) %{_sysconfdir}/sestatus.conf
|
%config(noreplace) %{_sysconfdir}/sestatus.conf
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Nov 9 2005 Dan Walsh <dwalsh@redhat.com> 1.27.26-2
|
||||||
|
- Fix genhomedircon to use seusers file
|
||||||
|
|
||||||
* Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.26-1
|
* Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.26-1
|
||||||
* Added -B (--build) option to semodule to force a rebuild.
|
* Added -B (--build) option to semodule to force a rebuild.
|
||||||
* Reverted setsebool patch to call semanage_set_reload_bools().
|
* Reverted setsebool patch to call semanage_set_reload_bools().
|
||||||
|
Loading…
Reference in New Issue
Block a user