add users_extra support

This commit is contained in:
Chris PeBenito 2006-02-15 19:46:20 +00:00
parent e2680fb47f
commit 90b331fa99
5 changed files with 31 additions and 15 deletions


@ -1,3 +1,4 @@
- Add users_extra support.
- Postfix fixes from Serge Hallyn.
- Run python and shell directly to interpret scripts so policy
sources need not be executable.


@ -112,6 +112,7 @@ GLOBALTUN = $(POLDIR)/global_tunables
GLOBALBOOL = $(POLDIR)/global_booleans
TUNABLES = $(POLDIR)/tunables.conf
ROLEMAP = $(POLDIR)/rolemap
USER_FILES := $(POLDIR)/users
# local config file paths
ifndef LOCAL_ROOT
@ -215,7 +216,6 @@ APPCONF := config/appconfig-$(TYPE)
APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
USER_FILES := $(POLDIR)/users
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
ifdef LOCAL_ROOT
@ -251,7 +251,7 @@ BASE_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if
MOD_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_MODS)))
OFF_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_OFF)))
# filesystems to be labeled
# filesystems to be used in labeling targets
FILESYSTEMS = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';)
########################################


@ -11,6 +11,8 @@ BASE_FC := $(BUILDDIR)/base.fc
BASE_CONF := $(BUILDDIR)/base.conf
BASE_MOD := $(TMPDIR)/base.mod
USERS_EXTRA := $(TMPDIR)/users_extra
BASE_SECTIONS := $(TMPDIR)/pre_te_files.conf $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf $(TMPDIR)/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf
BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
@ -86,15 +88,20 @@ $(BUILDDIR)/%.pp: $(TMPDIR)/%.mod $(TMPDIR)/%.mod.fc
#
# Create a base module package
#
$(BASE_PKG): $(BASE_MOD) $(BASE_FC)
$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA)
@echo "Creating $(NAME) base module package"
@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC)
$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA)
$(BASE_MOD): $(BASE_CONF)
@echo "Compiling $(NAME) base module"
$(verbose) $(CHECKMODULE) $^ -o $@
$(USERS_EXTRA): $(M4SUPPORT) $(USER_FILES)
@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
########################################
#
# Construct a base.conf
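Review bot: The new `$(USERS_EXTRA)` recipe can leave an empty or truncated users_extra behind on failure: the `> $@` redirect creates the target before the pipeline runs, and because the shell reports only sed's exit status a failing m4 goes unnoticed, so the next run sees a target newer than `$(M4SUPPORT)` and `$(USER_FILES)` and `$(SEMOD_PKG) -u` quietly packages an empty prefix list with no build error. Split the pipeline so each step is checked and the target is only produced last, e.g. `$(verbose) $(M4) $(M4PARAM) -D users_extra $^ > $@.m4 && \` followed by `$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' $@.m4 > $@ && $(RM) $@.m4`, and add `.DELETE_ON_ERROR:` to the makefile so a failed recipe also removes the half-written `$@`. The `@test -d $(TMPDIR) || mkdir -p $(TMPDIR)` guard can simply be `@mkdir -p $(TMPDIR)`, which is already idempotent. A short comment above the rule saying that it extracts the `user … prefix …;` lines gen_user emits when `users_extra` is defined would also help readers who do not know the m4 side.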


@ -23,9 +23,15 @@ define(`__endline__',`
########################################
#
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
#
define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
define(`gen_user',`dnl
ifdef(`users_extra',`dnl
ifelse(`$2',,,`user $1 prefix $2;')
',`dnl
user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
')dnl
')
########################################
#
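Review bot: The redefined gen_user silently accepts calls still written against the old five-argument form, and in the `users_extra` branch such a call expands to `user $1 prefix $2;` with the role set in the prefix slot, so a stale caller (for instance in a local users file) produces a wrong prefix for genhomedircon instead of an error; in the other branch the role set is presumably rejected by the compiler, but the users_extra pass is the quiet one. Consider an arity check before the `ifdef`, e.g. `ifelse(eval($# < 5),1,`errprint(`gen_user: expected (username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])')m4exit(1)')`, or at least state in the header comment that the prefix argument is positional and must be passed (possibly empty) for every identity. The header comment should also say that with `users_extra` defined the macro emits only `user <name> prefix <prefix>;` lines and nothing at all for an empty prefix, since the Rules.modular sed filter in this commit depends on exactly that output.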


@ -5,8 +5,10 @@
#
#
# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
# Note: Identities without a prefix wil not be listed
# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
@ -14,7 +16,7 @@
# and a user process should never be assigned the system user
# identity.
#
gen_user(system_u, system_r, s0, s0 - s15:c0.c255, c0.c255)
gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
#
# user_u is a generic user identity for Linux users who have no
@ -24,11 +26,11 @@ gen_user(system_u, system_r, s0, s0 - s15:c0.c255, c0.c255)
# permit any access to such users, then remove this entry.
#
ifdef(`targeted_policy',`
gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
gen_user(user_u, user_r, s0, s0)
gen_user(staff_u, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
')
#
@ -39,11 +41,11 @@ gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
# not in the sysadm_r.
#
ifdef(`targeted_policy',`
gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
ifdef(`direct_sysadm_daemon',`
gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
')
')
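Review bot: The rewritten header comment in the first hunk carries two typos that every policy derived from this file will inherit: `wil` in `# Note: Identities without a prefix wil not be listed` should be `will`, and `[mcs_catetories]` in the gen_user signature line should be `[mcs_categories]` (the misspelling predates the change, but the line is being replaced anyway). It would also help to state there why `system_u` is deliberately passed an empty prefix, because `gen_user(system_u,, system_r, …)` otherwise reads like a dropped argument. The same signature comment appears in the misc_macros.spt hunk and should match word for word.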