add users_extra support
This commit is contained in:
parent
e2680fb47f
commit
90b331fa99
@ -1,3 +1,4 @@
|
|||||||
|
- Add users_extra support.
|
||||||
- Postfix fixes from Serge Hallyn.
|
- Postfix fixes from Serge Hallyn.
|
||||||
- Run python and shell directly to interpret scripts so policy
|
- Run python and shell directly to interpret scripts so policy
|
||||||
sources need not be executable.
|
sources need not be executable.
|
||||||
|
@ -112,6 +112,7 @@ GLOBALTUN = $(POLDIR)/global_tunables
|
|||||||
GLOBALBOOL = $(POLDIR)/global_booleans
|
GLOBALBOOL = $(POLDIR)/global_booleans
|
||||||
TUNABLES = $(POLDIR)/tunables.conf
|
TUNABLES = $(POLDIR)/tunables.conf
|
||||||
ROLEMAP = $(POLDIR)/rolemap
|
ROLEMAP = $(POLDIR)/rolemap
|
||||||
|
USER_FILES := $(POLDIR)/users
|
||||||
|
|
||||||
# local config file paths
|
# local config file paths
|
||||||
ifndef LOCAL_ROOT
|
ifndef LOCAL_ROOT
|
||||||
@ -215,7 +216,6 @@ APPCONF := config/appconfig-$(TYPE)
|
|||||||
APPDIR := $(CONTEXTPATH)
|
APPDIR := $(CONTEXTPATH)
|
||||||
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
|
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
|
||||||
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
|
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
|
||||||
USER_FILES := $(POLDIR)/users
|
|
||||||
|
|
||||||
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
|
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
|
||||||
ifdef LOCAL_ROOT
|
ifdef LOCAL_ROOT
|
||||||
@ -251,7 +251,7 @@ BASE_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if
|
|||||||
MOD_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_MODS)))
|
MOD_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_MODS)))
|
||||||
OFF_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_OFF)))
|
OFF_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_OFF)))
|
||||||
|
|
||||||
# filesystems to be labeled
|
# filesystems to be used in labeling targets
|
||||||
FILESYSTEMS = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';)
|
FILESYSTEMS = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';)
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
|
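Review bot: `USER_FILES := $(POLDIR)/users` is the only simply-expanded assignment in the block it moves into; `GLOBALBOOL`, `TUNABLES` and `ROLEMAP` around it are all recursive (`=`). That is only equivalent if `POLDIR` is already assigned above the hunk at line 112, which this page does not show; if it is set later, the value silently becomes `/users` and the `users_extra` rule in Rules.modular would read the wrong file. Either confirm the ordering or match the neighbours with `USER_FILES = $(POLDIR)/users`. The definition removed at the old location (hunk at line 215) sat among `:=` assignments, which is presumably where the flavour came from.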
@ -11,6 +11,8 @@ BASE_FC := $(BUILDDIR)/base.fc
|
|||||||
BASE_CONF := $(BUILDDIR)/base.conf
|
BASE_CONF := $(BUILDDIR)/base.conf
|
||||||
BASE_MOD := $(TMPDIR)/base.mod
|
BASE_MOD := $(TMPDIR)/base.mod
|
||||||
|
|
||||||
|
USERS_EXTRA := $(TMPDIR)/users_extra
|
||||||
|
|
||||||
BASE_SECTIONS := $(TMPDIR)/pre_te_files.conf $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf $(TMPDIR)/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf
|
BASE_SECTIONS := $(TMPDIR)/pre_te_files.conf $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf $(TMPDIR)/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf
|
||||||
|
|
||||||
BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
|
BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
|
||||||
@ -86,15 +88,20 @@ $(BUILDDIR)/%.pp: $(TMPDIR)/%.mod $(TMPDIR)/%.mod.fc
|
|||||||
#
|
#
|
||||||
# Create a base module package
|
# Create a base module package
|
||||||
#
|
#
|
||||||
$(BASE_PKG): $(BASE_MOD) $(BASE_FC)
|
$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA)
|
||||||
@echo "Creating $(NAME) base module package"
|
@echo "Creating $(NAME) base module package"
|
||||||
@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
|
@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
|
||||||
$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC)
|
$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA)
|
||||||
|
|
||||||
$(BASE_MOD): $(BASE_CONF)
|
$(BASE_MOD): $(BASE_CONF)
|
||||||
@echo "Compiling $(NAME) base module"
|
@echo "Compiling $(NAME) base module"
|
||||||
$(verbose) $(CHECKMODULE) $^ -o $@
|
$(verbose) $(CHECKMODULE) $^ -o $@
|
||||||
|
|
||||||
|
$(USERS_EXTRA): $(M4SUPPORT) $(USER_FILES)
|
||||||
|
@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
|
||||||
|
$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
|
||||||
|
$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# Construct a base.conf
|
# Construct a base.conf
|
||||||
|
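Review bot: The `$(USERS_EXTRA)` recipe's `m4 | sed > $@` pipeline exits with sed's status, so an m4 failure (for example a quoting error in one of the users files) still leaves a truncated-but-newer `$@` that Make treats as up to date, and `$(SEMOD_PKG) -u` then packages it into the base module; the users file comment says this file is consumed by genhomedircon, so a silently incomplete users_extra changes home-directory labeling on the installed system. Whether `.DELETE_ON_ERROR` is set elsewhere is not visible here, and it would not catch this case anyway because the pipeline reports success. Writing the m4 output to a temporary first keeps the error visible: `$(verbose) $(M4) $(M4PARAM) -D users_extra $^ > $@.tmp` followed by `$(verbose) $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' $@.tmp > $@ && $(RM) $@.tmp`. A one-line comment above the rule would also help, e.g. `# users_extra: "user X prefix Y;" lines for genhomedircon, extracted by expanding the users files with users_extra defined`.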
@ -23,9 +23,15 @@ define(`__endline__',`
|
|||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
|
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
|
||||||
#
|
#
|
||||||
define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
|
define(`gen_user',`dnl
|
||||||
|
ifdef(`users_extra',`dnl
|
||||||
|
ifelse(`$2',,,`user $1 prefix $2;')
|
||||||
|
',`dnl
|
||||||
|
user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
|
||||||
|
')dnl
|
||||||
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
#
|
#
|
||||||
|
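Review bot: The new `prefix` argument is inserted positionally as `$2`, and m4 does not check arity, so any `gen_user` call still written in the old argument order expands without error into a `user` statement whose roles, level and range are each shifted by one argument; whether such callers exist outside policy/users is not visible from this commit. A guard at the top of the macro body would turn that into a build failure instead of a wrong user declaration, e.g. `` ifelse(`$3',,`errprint(`gen_user: role_set is empty (old argument order?)')m4exit(`1')')dnl ``. The header comment at line 283 should also say what the `users_extra` branch does: only `user <name> prefix <prefix>;` is emitted, and an identity with an empty prefix produces no output at all in that mode.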
@ -5,8 +5,10 @@
|
|||||||
#
|
#
|
||||||
|
|
||||||
#
|
#
|
||||||
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||||
#
|
#
|
||||||
|
# Note: Identities without a prefix wil not be listed
|
||||||
|
# in the users_extra file used by genhomedircon.
|
||||||
|
|
||||||
#
|
#
|
||||||
# system_u is the user identity for system processes and objects.
|
# system_u is the user identity for system processes and objects.
|
||||||
@ -14,7 +16,7 @@
|
|||||||
# and a user process should never be assigned the system user
|
# and a user process should never be assigned the system user
|
||||||
# identity.
|
# identity.
|
||||||
#
|
#
|
||||||
gen_user(system_u, system_r, s0, s0 - s15:c0.c255, c0.c255)
|
gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||||
|
|
||||||
#
|
#
|
||||||
# user_u is a generic user identity for Linux users who have no
|
# user_u is a generic user identity for Linux users who have no
|
||||||
@ -24,11 +26,11 @@ gen_user(system_u, system_r, s0, s0 - s15:c0.c255, c0.c255)
|
|||||||
# permit any access to such users, then remove this entry.
|
# permit any access to such users, then remove this entry.
|
||||||
#
|
#
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
|
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||||
',`
|
',`
|
||||||
gen_user(user_u, user_r, s0, s0)
|
gen_user(user_u, user, user_r, s0, s0)
|
||||||
gen_user(staff_u, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
||||||
gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
|
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||||
')
|
')
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -39,11 +41,11 @@ gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
|
|||||||
# not in the sysadm_r.
|
# not in the sysadm_r.
|
||||||
#
|
#
|
||||||
ifdef(`targeted_policy',`
|
ifdef(`targeted_policy',`
|
||||||
gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
|
gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||||
',`
|
',`
|
||||||
ifdef(`direct_sysadm_daemon',`
|
ifdef(`direct_sysadm_daemon',`
|
||||||
gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
|
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||||
',`
|
',`
|
||||||
gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
||||||
')
|
')
|
||||||
')
|
')
|
||||||
|
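Review bot: The new comment at the top of the file misspells `wil` (`# Note: Identities without a prefix wil not be listed` should read `will`), and the rewritten `gen_user` signature line keeps the pre-existing `mcs_catetories` typo; since that line is already being changed it should read `# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])`. The prefix given to root also differs between the targeted branch (`user`) and the other branches (`sysadm`), which is consistent with the role sets on those lines but is not explained anywhere; a one-line comment above the root block saying the prefix follows the primary role would spare the next reader from guessing. The same `wil` typo does not appear elsewhere in the hunks.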