* Wed Nov 9 2005 Dan Walsh <dwalsh@redhat.com> 1.27.26-2

- Fix genhomedircon to use seusers file
This commit is contained in:
Daniel J Walsh 2005-11-09 19:13:13 +00:00
parent 03496a1f36
commit 54ecf23b9a
2 changed files with 281 additions and 29 deletions

View File

@ -1,28 +1,277 @@
--- policycoreutils-1.27.7/newrole/newrole.pamd.rhat 2005-10-12 15:25:48.000000000 -0400 diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.27.26/scripts/genhomedircon
+++ policycoreutils-1.27.7/newrole/newrole.pamd 2005-10-13 13:41:50.000000000 -0400 --- nsapolicycoreutils/scripts/genhomedircon 2005-09-12 16:33:30.000000000 -0400
@@ -1,6 +1,6 @@ +++ policycoreutils-1.27.26/scripts/genhomedircon 2005-11-09 14:11:49.000000000 -0500
#%PAM-1.0 @@ -15,30 +15,16 @@
-auth required /lib/security/$ISA/pam_stack.so service=system-auth # The file CONTEXTDIR/files/homedir_template exists. This file is used to
-account required /lib/security/$ISA/pam_stack.so service=system-auth # set up the home directory context for each real user.
-password required /lib/security/$ISA/pam_stack.so service=system-auth #
-session required /lib/security/$ISA/pam_stack.so service=system-auth -# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses
-session optional /lib/security/$ISA/pam_xauth.so -# the first role in the list.
+auth include system-auth +# If a user has more than one role, genhomedircon uses the first role in the list.
+account include system-auth #
+password include system-auth -# If a user is not listed in CONTEXTDIR/local.users, he will default to user_u, role user
+session include system-auth +# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user
+session optional pam_xauth.so #
--- policycoreutils-1.27.7/run_init/run_init.pamd.rhat 2005-10-13 13:44:20.000000000 -0400 # "Real" users (as opposed to system users) are those whose UID is greater than
+++ policycoreutils-1.27.7/run_init/run_init.pamd 2005-10-13 13:45:25.000000000 -0400 # or equal STARTING_UID (usually 500) and whose login is not a member of
@@ -1,6 +1,6 @@ -# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/local.users
#%PAM-1.0 +# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers
-auth required /lib/security/$ISA/pam_stack.so service=system-auth # are always "real" (including root, in the default configuration).
-account required /lib/security/$ISA/pam_stack.so service=system-auth #
-password required /lib/security/$ISA/pam_stack.so service=system-auth #
-session required /lib/security/$ISA/pam_stack.so service=system-auth -# Old ASSUMPTIONS:
-session optional /lib/security/$ISA/pam_xauth.so -#
+auth include system-auth -# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses
+account include system-auth -# the first role in the list.
+password include system-auth -#
+session include system-auth -# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that
+session optional pam_xauth.so -# the user's home dir will be found in one of the HOME_ROOTs.
-#
-# "Real" users (as opposed to system users) are those whose UID is greater than
-# or equal STARTING_UID (usually 500) and whose login is not a member of
-# EXCLUDE_LOGINS. Users who are explicitly defined in FILECONTEXTDIR/users
-# are always "real" (including root, in the default configuration).
-#
import commands, sys, os, pwd, string, getopt, re
@@ -67,169 +53,6 @@
starting_uid = 500
return starting_uid
-#############################################################################
-#
-# This section is just for backwards compatability
-#
-#############################################################################
-def getPrefixes():
- ulist = pwd.getpwall()
- STARTING_UID=getStartingUID()
- prefixes = {}
- for u in ulist:
- if u[2] >= STARTING_UID and \
- not u[6] in EXCLUDE_LOGINS and \
- u[5] != "/" and \
- string.count(u[5], "/") > 1:
- prefix = u[5][:string.rfind(u[5], "/")]
- if not prefixes.has_key(prefix):
- prefixes[prefix] = ""
- return prefixes
-
-def getUsers(filecontextdir):
- rc = commands.getstatusoutput("grep ^user %s/users" % filecontextdir)
- udict = {}
- if rc[0] == 0:
- ulist = rc[1].strip().split("\n")
- for u in ulist:
- user = u.split()
- try:
- if user[1] == "user_u" or user[1] == "system_u":
- continue
- # !!! chooses first role in the list to use in the file context !!!
- role = user[3]
- if role == "{":
- role = user[4]
- role = role.split("_r")[0]
- home = pwd.getpwnam(user[1])[5]
- if home == "/":
- continue
- prefs = {}
- prefs["role"] = role
- prefs["home"] = home
- udict[user[1]] = prefs
- except KeyError:
- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
- return udict
-
-def update(filecontext, user, prefs):
- rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
- if rc[0] == 0:
- print rc[1]
- else:
- errorExit(string.join("grep/sed error ", rc[1]))
- return rc
-
-def oldgenhomedircon(filecontextdir, filecontext):
- sys.stderr.write("Using genhomedircon in this fashion is supported for backwards compatability\n")
- sys.stderr.write("Please update to the latest policy\n")
- sys.stderr.flush()
-
- if os.path.isdir(filecontextdir) == 0:
- sys.stderr.write("New usage is the following\n")
- usage()
- #We are going to define home directory used by libuser and show-utils as a home directory root
- prefixes = {}
- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not prefixes.has_key(homedir):
- prefixes[homedir] = ""
- else:
- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
- sys.stderr.flush()
-
-
- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
- if not prefixes.has_key(homedir):
- prefixes[homedir] = ""
- else:
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n")
- sys.stderr.flush()
-
- #the idea is that we need to find all of the home_root_t directories we do this by just accepting
- #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
- #we then get the potential home directory roots from /etc/passwd or nis or whereever and look at
- #the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs
- #is then checked to see if it has an explicite context defined in the file_contexts. Explicit
- #is any regex that would match it which does not end with .*$ or .+$ since those are general
- #recursive matches. We then take any regex which ends with [pattern](/.*)?$ and just check against
- #[pattern]
- potential_prefixes = getPrefixes()
- prefix_regex = {}
- #this works by grepping the file_contexts for
- # 1. ^/ makes sure this is not a comment
- # 2. prints only the regex in the first column first cut on \t then on space
- rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % (sys.argv[2]) )
- if rc[0] == 0:
- prefix_regex = rc[1].split("\n")
- else:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
- sys.stderr.flush()
- for potential in potential_prefixes.keys():
- addme = 1
- for regex in prefix_regex:
- #match a trailing (/*)? which is actually a bug in rpc_pipefs
- regex = re.sub("\(/\*\)\?$", "", regex)
- #match a trailing .+
- regex = re.sub("\.+$", "", regex)
- #match a trailing .*
- regex = re.sub("\.\*$", "", regex)
- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
- regex = re.sub("\(\/\.\*\)\?", "", regex)
- regex = regex + "/*$"
- if re.search(regex, potential, 0):
- addme = 0
- if addme == 1:
- if not prefixes.has_key(potential):
- prefixes[potential] = ""
-
-
- if prefixes.__eq__({}):
- sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
- sys.stderr.write("HOME= not set in /etc/default/useradd\n")
- sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
- sys.stderr.write("Assuming /home is the root of home directories\n")
- sys.stderr.flush()
- prefixes["/home"] = ""
-
- # There may be a more elegant sed script to expand a macro to multiple lines, but this works
- sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),)
- sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),)
-
- # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
- rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
- if rc[0] == 0:
- print rc[1]
- else:
- errorExit(string.join("sed error ", rc[1]))
-
- users = getUsers(filecontextdir)
- print "\n#\n# User-specific file contexts\n#\n"
-
- # Fill in HOME and ROLE for users that are defined
- for u in users.keys():
- update(filecontext, u, users[u])
-
-#############################################################################
-#
-# End of backwards compatability section
-#
-#############################################################################
-
def getDefaultHomeDir():
ret = []
rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
@@ -313,11 +136,8 @@
errorExit(string.join("sed error ", rc[1]))
def getUsersFile(self):
- return self.selinuxdir+self.type+"/users/local.users"
+ return self.selinuxdir+self.type+"/seusers"
- def getSystemUsersFile(self):
- return self.selinuxdir+self.type+"/users/system.users"
-
def heading(self):
ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile()
@@ -325,10 +145,7 @@
def getUsers(self):
users=""
- rc = commands.getstatusoutput('grep "^user" %s' % self.getSystemUsersFile())
- if rc[0] == 0:
- users+=rc[1]+"\n"
- rc = commands.getstatusoutput("grep ^user %s" % self.getUsersFile())
+ rc = commands.getstatusoutput("grep -v '^ *#' %s" % self.getUsersFile())
if rc[0] == 0:
users+=rc[1]
udict = {}
@@ -336,24 +153,24 @@
if users != "":
ulist = users.split("\n")
for u in ulist:
- user = u.split()
+ if len(u)==0:
+ continue
+ user = u.split(":")
try:
- if len(user)==0 or user[1] == "user_u" or user[1] == "system_u":
+ if len(user)==0 or user[1] == "user_u" or user[1] == "root":
continue
# !!! chooses first role in the list to use in the file context !!!
- role = user[3]
- if role == "{":
- role = user[4]
- role = role.split("_r")[0]
- home = pwd.getpwnam(user[1])[5]
+ role = user[1]
+ role = role.split("_u")[0]
+ home = pwd.getpwnam(user[0])[5]
if home == "/":
continue
prefs = {}
prefs["role"] = role
prefs["home"] = home
- udict[user[1]] = prefs
+ udict[user[0]] = prefs
except KeyError:
- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
+ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[0])
return udict
def getHomeDirContext(self, user, home, role):
@@ -478,10 +295,6 @@
if type==None:
type=getSELinuxType(directory)
- if len(cmds) == 2:
- oldgenhomedircon(cmds[0], cmds[1])
- sys.exit(0)
-
if len(cmds) != 0:
usage()
selconf=selinuxConfig(directory, type, usepwd)

View File

@ -3,7 +3,7 @@
Summary: SELinux policy core utilities. Summary: SELinux policy core utilities.
Name: policycoreutils Name: policycoreutils
Version: 1.27.26 Version: 1.27.26
Release: 1 Release: 2
License: GPL License: GPL
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -86,6 +86,9 @@ rm -rf ${RPM_BUILD_ROOT}
%config(noreplace) %{_sysconfdir}/sestatus.conf %config(noreplace) %{_sysconfdir}/sestatus.conf
%changelog %changelog
* Wed Nov 9 2005 Dan Walsh <dwalsh@redhat.com> 1.27.26-2
- Fix genhomedircon to use seusers file
* Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.26-1 * Tue Nov 8 2005 Dan Walsh <dwalsh@redhat.com> 1.27.26-1
* Added -B (--build) option to semodule to force a rebuild. * Added -B (--build) option to semodule to force a rebuild.
* Reverted setsebool patch to call semanage_set_reload_bools(). * Reverted setsebool patch to call semanage_set_reload_bools().