add users_extra support
This commit is contained in:
parent
e2680fb47f
commit
90b331fa99
@ -1,3 +1,4 @@
|
||||
- Add users_extra support.
|
||||
- Postfix fixes from Serge Hallyn.
|
||||
- Run python and shell directly to interpret scripts so policy
|
||||
sources need not be executable.
|
||||
|
@ -112,6 +112,7 @@ GLOBALTUN = $(POLDIR)/global_tunables
|
||||
GLOBALBOOL = $(POLDIR)/global_booleans
|
||||
TUNABLES = $(POLDIR)/tunables.conf
|
||||
ROLEMAP = $(POLDIR)/rolemap
|
||||
USER_FILES := $(POLDIR)/users
|
||||
|
||||
# local config file paths
|
||||
ifndef LOCAL_ROOT
|
||||
@ -215,7 +216,6 @@ APPCONF := config/appconfig-$(TYPE)
|
||||
APPDIR := $(CONTEXTPATH)
|
||||
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
|
||||
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
|
||||
USER_FILES := $(POLDIR)/users
|
||||
|
||||
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
|
||||
ifdef LOCAL_ROOT
|
||||
@ -251,7 +251,7 @@ BASE_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if
|
||||
MOD_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_MODS)))
|
||||
OFF_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_OFF)))
|
||||
|
||||
# filesystems to be labeled
|
||||
# filesystems to be used in labeling targets
|
||||
FILESYSTEMS = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';)
|
||||
|
||||
########################################
|
||||
|
@ -11,6 +11,8 @@ BASE_FC := $(BUILDDIR)/base.fc
|
||||
BASE_CONF := $(BUILDDIR)/base.conf
|
||||
BASE_MOD := $(TMPDIR)/base.mod
|
||||
|
||||
USERS_EXTRA := $(TMPDIR)/users_extra
|
||||
|
||||
BASE_SECTIONS := $(TMPDIR)/pre_te_files.conf $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf $(TMPDIR)/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf
|
||||
|
||||
BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
|
||||
@ -86,15 +88,20 @@ $(BUILDDIR)/%.pp: $(TMPDIR)/%.mod $(TMPDIR)/%.mod.fc
|
||||
#
|
||||
# Create a base module package
|
||||
#
|
||||
$(BASE_PKG): $(BASE_MOD) $(BASE_FC)
|
||||
$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA)
|
||||
@echo "Creating $(NAME) base module package"
|
||||
@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
|
||||
$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC)
|
||||
$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA)
|
||||
|
||||
$(BASE_MOD): $(BASE_CONF)
|
||||
@echo "Compiling $(NAME) base module"
|
||||
$(verbose) $(CHECKMODULE) $^ -o $@
|
||||
|
||||
$(USERS_EXTRA): $(M4SUPPORT) $(USER_FILES)
|
||||
@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
|
||||
$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
|
||||
$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
|
||||
|
||||
########################################
|
||||
#
|
||||
# Construct a base.conf
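Review bot: The `$(USERS_EXTRA)` recipe pipes `$(M4)` straight into `$(SED)`, so the recipe's exit status is sed's and an m4 failure (a malformed users file, an undefined macro) still leaves a freshly-timestamped, possibly empty `$@` that `$(BASE_PKG)` then packages with `-u`; per the comment added in the users file that file feeds genhomedircon, so a truncated users_extra would silently drop prefix entries. Materialise the m4 output first so each step is checked: `$(verbose) $(M4) $(M4PARAM) -D users_extra $^ > $@.tmp && $(SED) -r -n -e 's/^[[:blank:]]*//' -e '/^user/p' $@.tmp > $@ && $(RM) $@.tmp`. The `g` flag on the anchored `^[[:blank:]]*` substitution has no effect and can be dropped. Declaring `.DELETE_ON_ERROR:` in this rules file would also cover a failure that happens after the shell has already created `$@` via `>`.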
|
||||
|
@ -23,9 +23,15 @@ define(`__endline__',`
|
||||
|
||||
########################################
|
||||
#
|
||||
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
|
||||
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
|
||||
#
|
||||
define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
|
||||
define(`gen_user',`dnl
|
||||
ifdef(`users_extra',`dnl
|
||||
ifelse(`$2',,,`user $1 prefix $2;')
|
||||
',`dnl
|
||||
user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
|
||||
')dnl
|
||||
')
|
||||
|
||||
########################################
|
||||
#
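Review bot: The new `gen_user` inserts `prefix` as `$2` and shifts every later argument, but m4 performs no arity check, so a caller still using the old `gen_user(name, roles, level, range)` form is parsed with its role set as the prefix — in `users_extra` mode that silently yields a well-formed `user name prefix roles;` line, and in policy mode the mistake only surfaces later as a checkpolicy complaint about `{ s0 }` as a role set. Since the Makefile's `LOCAL_ROOT` handling suggests out-of-tree users files exist, guard the macro: after the `define(`gen_user',`dnl` line add `ifelse(`$3',,`errprint(`gen_user($1): missing role_set; arguments are (name, prefix, roles, level, range[, mcs])')m4exit(1)')dnl`. The header comment should also state the mode switch, e.g. `# With users_extra defined, emits only "user NAME prefix PREFIX;" lines (skipped when prefix is empty); otherwise emits the policy user statement.` The macro definition is fully contained in this hunk.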
|
||||
|
@ -5,8 +5,10 @@
|
||||
#
|
||||
|
||||
#
|
||||
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
|
||||
#
|
||||
# Note: Identities without a prefix wil not be listed
|
||||
# in the users_extra file used by genhomedircon.
|
||||
|
||||
#
|
||||
# system_u is the user identity for system processes and objects.
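Review bot: The new comment lines carry typos: `mcs_catetories` in the updated signature comment and `wil` in the note about unprefixed identities; they should read `# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])` and `# Note: Identities without a prefix will not be listed`. The `catetories` spelling is also in the removed line, so this is the moment to stop carrying it forward. A one-line description of the new argument would help readers of this file, e.g. `# prefix: the per-identity prefix written to users_extra for genhomedircon (leave empty for identities that get no entry).`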
|
||||
@ -14,7 +16,7 @@
|
||||
# and a user process should never be assigned the system user
|
||||
# identity.
|
||||
#
|
||||
gen_user(system_u, system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
|
||||
#
|
||||
# user_u is a generic user identity for Linux users who have no
|
||||
@ -24,11 +26,11 @@ gen_user(system_u, system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
# permit any access to such users, then remove this entry.
|
||||
#
|
||||
ifdef(`targeted_policy',`
|
||||
gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
',`
|
||||
gen_user(user_u, user_r, s0, s0)
|
||||
gen_user(staff_u, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(user_u, user, user_r, s0, s0)
|
||||
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
')
|
||||
|
||||
#
|
||||
@ -39,11 +41,11 @@ gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
# not in the sysadm_r.
|
||||
#
|
||||
ifdef(`targeted_policy',`
|
||||
gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
',`
|
||||
ifdef(`direct_sysadm_daemon',`
|
||||
gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
|
||||
',`
|
||||
gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
||||
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
|
||||
')
|
||||
')
|
||||
|