From f3e86ad067aec72476d7c82ccf2cd1aaaeea3f08 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Thu, 17 Feb 2005 23:12:06 +0000 Subject: [PATCH] * Thu Feb 17 2005 Dan Walsh 1.21.17-1 - Update to latest from NSA * Merged new genhomedircon script from Dan Walsh. * Changed load_policy to call sepol_genusers(). --- .cvsignore | 1 + policycoreutils-rhat.patch | 753 ++++++++++++++++++++++++++++++------- policycoreutils.spec | 23 +- sources | 1 + 4 files changed, 642 insertions(+), 136 deletions(-) diff --git a/.cvsignore b/.cvsignore index 4d52b5c..6aeebf1 100644 --- a/.cvsignore +++ b/.cvsignore @@ -20,3 +20,4 @@ nsadiff exclude nsapolicycoreutils policycoreutils-1.21.15.tgz +policycoreutils-1.21.17.tgz diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index ff397e7..b43841a 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1,6 +1,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c policycoreutils-1.21.15/restorecon/restorecon.c --- nsapolicycoreutils/restorecon/restorecon.c 2005-02-09 10:02:49.000000000 -0500 -+++ policycoreutils-1.21.15/restorecon/restorecon.c 2005-02-11 16:08:04.000000000 -0500 ++++ policycoreutils-1.21.15/restorecon/restorecon.c 2005-02-17 11:22:38.000000000 -0500 @@ -130,6 +130,11 @@ if (len > 0 && filename[len-1]=='/' && (strcmp(filename,"/") != 0)) { filename[len-1]=0; @@ -15,80 +15,189 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/restorecon/restorecon.c return 1; diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.21.15/scripts/genhomedircon --- nsapolicycoreutils/scripts/genhomedircon 2005-01-28 11:16:36.000000000 -0500 -+++ policycoreutils-1.21.15/scripts/genhomedircon 2005-02-11 16:52:19.000000000 -0500 -@@ -13,38 +13,116 @@ ++++ policycoreutils-1.21.15/scripts/genhomedircon 2005-02-17 12:08:24.000000000 -0500 +@@ -1,7 +1,6 @@ + #! /usr/bin/env python + # Copyright (C) 2004 Tresys Technology, LLC + # see file 'COPYING' for use and warranty information +- + # + # genhomedircon - this script is used to generate file context + # configuration entries for user home directories based on their +@@ -13,6 +12,22 @@ # # ASSUMPTIONS: # --# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses +# The file CONTEXTDIR/files/homedir_template exists. This file is used to +# set up the home directory context for each real user. +# +# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses ++# the first role in the list. ++# ++# If a user is not listed in CONTEXTDIR/local.users, he will default to user_u, role user ++# ++# "Real" users (as opposed to system users) are those whose UID is greater than ++# or equal STARTING_UID (usually 500) and whose login is not a member of ++# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/local.users ++# are always "real" (including root, in the default configuration). ++# ++# ++# Old ASSUMPTIONS: ++# + # If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses # the first role in the list. # --# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that --# the user's home dir will be found in one of the HOME_ROOTs. -+# If a user is not listed in CONTEXTDIR/local.users, he will default to user_u, role user - # - # "Real" users (as opposed to system users) are those whose UID is greater than - # or equal STARTING_UID (usually 500) and whose login is not a member of --# EXCLUDE_LOGINS. Users who are explicitly defined in FILECONTEXTDIR/users -+# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/local.users +@@ -25,12 +40,24 @@ # are always "real" (including root, in the default configuration). # -+# -import commands, sys, os, pwd, string +import commands, sys, os, pwd, string, getopt -+ -+rhplPath="/usr/lib/python%d.%d/site-packages/rhpl" % (sys.version_info[0], sys.version_info[1]) -+if not rhplPath in sys.path: -+ sys.path.append(rhplPath) -+ -+rhplPath="/usr/lib64/python%d.%d/site-packages/rhpl" % (sys.version_info[0], sys.version_info[1]) -+if not rhplPath in sys.path: -+ sys.path.append(rhplPath) -+ -+from Conf import * EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"] --def getPrefixes(): -- ulist = pwd.getpwall() -- prefixes = {} -- for u in ulist: -- if u[2] >= STARTING_UID and \ -- not u[6] in EXCLUDE_LOGINS and \ -- u[5] != "/" and \ -- string.count(u[5], "/") > 1: -- prefix = u[5][:string.rfind(u[5], "/")] -- if not prefixes.has_key(prefix): -- prefixes[prefix] = "" -- return prefixes -- --def getUsers(): -- rc = commands.getstatusoutput("grep ^user %s/users" % FILECONTEXTDIR) +def getStartingUID(): -+ conf=Conf("/etc/login.defs") -+ while conf.findnextcodeline(): -+ if conf.getfields()[0] == "UID_MIN": -+ return int(conf.getfields()[1]) -+ -+ conf.nextline() ++ rc=commands.getstatusoutput("grep ^UID_MIN /etc/login.defs | tail -1") ++ if rc[0]==0: ++ return rc[1].split()[-1] + return 500 + -+def getDefaultHomeDir(): -+ conf=ConfShellVar("/etc/default/useradd") -+ if conf.has_key("HOME"): -+ return conf["HOME"] -+ else: -+ return "/home" ++############################################################################# ++# ++# This section is just for backwards compatability ++# ++############################################################################# + def getPrefixes(): + ulist = pwd.getpwall() ++ STARTING_UID=getStartingUID() + prefixes = {} + for u in ulist: + if u[2] >= STARTING_UID and \ +@@ -42,8 +69,8 @@ + prefixes[prefix] = "" + return prefixes + +-def getUsers(): +- rc = commands.getstatusoutput("grep ^user %s/users" % FILECONTEXTDIR) ++def getUsers(filecontextdir): ++ rc = commands.getstatusoutput("grep ^user %s/users" % filecontextdir) + udict = {} + if rc[0] == 0: + ulist = rc[1].strip().split("\n") +@@ -68,19 +95,6 @@ + sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % (user[1],)) + return udict + +-def usage(error = ""): +- if error != "": +- sys.stderr.write("%s\n" % (error,)) +- sys.stderr.write("Usage: %s POLICYSOURCEDIR FILE_CONTEXTS\n" % sys.argv[0]) +- sys.stderr.flush() +- sys.exit(1) +- +-def errorExit(error): +- sys.stderr.write("%s exiting for: " % sys.argv[0]) +- sys.stderr.write("%s\n" % error) +- sys.stderr.flush() +- sys.exit(1) +- + def update(filecontext, user, prefs): + rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user)) + if rc[0] == 0: +@@ -89,51 +103,245 @@ + errorExit(string.join("grep/sed error ", rc[1])) + return rc + +-try: +- if len(sys.argv) != 3: +- print len(sys.argv) +- usage("Incorrect parameters") +- +- rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs | sed -e 's/^UID_MIN[^0-9]*//'") +- if rc[0] == 0: +- STARTING_UID=int(rc[1]) +- else: +- STARTING_UID=500 ++def oldgenhomedircon(filecontextdir, filecontext): ++ sys.stderr.write("Using genhomedircon in this fashion is supported for backards compatability\n") ++ sys.stderr.write("Please update to the latest policy\n") ++ sys.stderr.flush() + ++ if os.path.isdir(filecontextdir) == 0: ++ sys.stderr.write("New usage is the following\n") ++ usage() ++ ++ prefixes = getPrefixes() ++ ++ rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") ++ if rc[0] == 0: ++ homedir = rc[1].split("=")[1] ++ else: ++ sys.stderr.write("%s\n" % (rc[1],)) ++ sys.stderr.write("You do not have access to /etc/default/useradd, default /home\n") ++ sys.stderr.flush() ++ homedir = "/home" ++ ++ ++ if not prefixes.has_key(homedir): ++ prefixes[homedir] = "" + +- FILECONTEXTDIR=sys.argv[1] +- prefixes = getPrefixes() ++ # There may be a more elegant sed script to expand a macro to multiple lines, but this works ++ sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),) ++ sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),) ++ ++ # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users ++ rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext)) ++ if rc[0] == 0: ++ print rc[1] ++ else: ++ errorExit(string.join("sed error ", rc[1])) ++ ++ users = getUsers(filecontextdir) ++ print "\n#\n# User-specific file contexts\n#\n" ++ ++ # Fill in HOME and ROLE for users that are defined ++ for u in users.keys(): ++ update(filecontext, u, users[u]) + +- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") +- if rc[0] == 0: +- homedir = rc[1].split("=")[1] +- else: +- sys.stderr.write("%s\n" % (rc[1],)) +- sys.stderr.write("You do not have access to /etc/default/useradd, default /home\n") +- sys.stderr.flush() +- homedir = "/home" +- ++############################################################################# ++# ++# End of backwards compatability section ++# ++############################################################################# + +- if not prefixes.has_key(homedir): +- prefixes[homedir] = "" ++def getDefaultHomeDir(): ++ rc=commands.getstatusoutput("grep ^HOME= /etc/default/useradd | tail -1") ++ if rc[0]==0: ++ return rc[1].split("=")[-1] ++ return "/home" ++ ++def getSELinuxType(directory): ++ rc=commands.getstatusoutput("grep ^SELINUXTYPE= %s/config | tail -1" % directory) ++ if rc[0]==0: ++ return rc[1].split("=")[-1] ++ return "targeted" + +- # There may be a more elegant sed script to expand a macro to multiple lines, but this works +- sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),) +- sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),) +def usage(error = ""): + if error != "": + sys.stderr.write("%s\n" % (error,)) -+ sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n] [-t selinuxtype ]\n" % sys.argv[0]) ++ sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ]\n" % sys.argv[0]) + sys.stderr.flush() + sys.exit(1) + @@ -106,26 +215,18 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po + def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1): + self.type=type + self.selinuxdir=selinuxdir +"/" -+ self.selinuxconfig=self.selinuxdir+"config" + self.contextdir="/contexts" + self.filecontextdir=self.contextdir+"/files" + self.usepwd=usepwd -+ if os.access(self.selinuxconfig, os.F_OK) == 1: -+ conf=ConfShellVar(self.selinuxconfig) -+ if conf.has_key("SELINUXTYPE"): -+ self.type=conf.vars["SELINUXTYPE"] + -+ def getSelinuxType(self): -+ return self.type -+ + def getFileContextDir(self): -+ return self.selinuxdir+self.getSelinuxType()+self.filecontextdir ++ return self.selinuxdir+self.type+self.filecontextdir + + def getFileContextFile(self): + return self.getFileContextDir()+"/file_contexts" + + def getContextDir(self): -+ return self.selinuxdir+self.getSelinuxType()+self.contextdir ++ return self.selinuxdir+self.type+self.contextdir + + def getHomeDirTemplate(self): + return self.getFileContextDir()+"/homedir_template" @@ -138,87 +239,49 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po + errorExit(string.join("sed error ", rc[1])) + + def getUsersFile(self): -+ return self.selinuxdir+self.getSelinuxType()+"/users/local.users" ++ return self.selinuxdir+self.type+"/users/local.users" + + + def heading(self): + ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0] + ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile() + return ret -+ -+ def getUsers(self): -+ rc = commands.getstatusoutput("grep ^user %s" % self.getUsersFile()) - udict = {} -+ prefs = {} - if rc[0] == 0: - ulist = rc[1].strip().split("\n") - for u in ulist: -@@ -68,72 +146,96 @@ - sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % (user[1],)) - return udict --def usage(error = ""): -- if error != "": -- sys.stderr.write("%s\n" % (error,)) -- sys.stderr.write("Usage: %s POLICYSOURCEDIR FILE_CONTEXTS\n" % sys.argv[0]) -- sys.stderr.flush() -- sys.exit(1) -- --def errorExit(error): -- sys.stderr.write("%s exiting for: " % sys.argv[0]) -- sys.stderr.write("%s\n" % error) -- sys.stderr.flush() -- sys.exit(1) -- --def update(filecontext, user, prefs): -- rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user)) -- if rc[0] == 0: -- print rc[1] -- else: -- errorExit(string.join("grep/sed error ", rc[1])) -- return rc -- --try: -- if len(sys.argv) != 3: -- print len(sys.argv) -- usage("Incorrect parameters") -- -- rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs | sed -e 's/^UID_MIN[^0-9]*//'") -- if rc[0] == 0: -- STARTING_UID=int(rc[1]) -- else: -- STARTING_UID=500 -- -- FILECONTEXTDIR=sys.argv[1] -- prefixes = getPrefixes() -- -- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") -- if rc[0] == 0: -- homedir = rc[1].split("=")[1] -- else: -- sys.stderr.write("%s\n" % (rc[1],)) -- sys.stderr.write("You do not have access to /etc/default/useradd, default /home\n") -- sys.stderr.flush() -- homedir = "/home" -- -- -- if not prefixes.has_key(homedir): -- prefixes[homedir] = "" -- -- # There may be a more elegant sed script to expand a macro to multiple lines, but this works -- sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),) -- sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),) -- - # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users - rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, sys.argv[2])) -- if rc[0] == 0: ++ def getUsers(self): ++ rc = commands.getstatusoutput("grep ^user %s" % self.getUsersFile()) ++ udict = {} ++ prefs = {} + if rc[0] == 0: - print rc[1] - else: - errorExit(string.join("sed error ", rc[1])) - - users = getUsers() - print "\n#\n# User-specific file contexts\n#\n" -- ++ ulist = rc[1].strip().split("\n") ++ for u in ulist: ++ user = u.split() ++ try: ++ if user[1] == "user_u" or user[1] == "system_u": ++ continue ++ # !!! chooses first role in the list to use in the file context !!! ++ role = user[3] ++ if role == "{": ++ role = user[4] ++ role = role.split("_r")[0] ++ home = pwd.getpwnam(user[1])[5] ++ if home == "/": ++ continue ++ prefs = {} ++ prefs["role"] = role ++ prefs["home"] = home ++ udict[user[1]] = prefs ++ except KeyError: ++ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % (user[1],)) ++ return udict + + def getHomeDirContext(self, user, home, role): + ret="\n\n#\n# Context for user %s\n#\n\n" % user + rc=commands.getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user)) @@ -234,7 +297,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po + return ret + + def checkExists(self, home): -+ return commands.getstatusoutput("grep -E '^%s[^[:alnum:]%.\_-]' %s" % (home, self.getFileContextFile()))[0] ++ return commands.getstatusoutput("grep -E '^%s[^[:alnum:]_-]' %s" % (home, self.getFileContextFile()))[0] + + def getHomeDirs(self): + homedirs = [] @@ -286,8 +349,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po +# +try: + usepwd=1 -+ type="targeted" + directory="/etc/selinux" ++ type=None + gopts, cmds = getopt.getopt(sys.argv[1:], 'nd:t:', ['help', + 'type=', + 'nopasswd', @@ -303,6 +366,15 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po + usage() + + ++ if type==None: ++ type=getSELinuxType(directory) ++ ++ if len(cmds) == 2: ++ oldgenhomedircon(cmds[0], cmds[1]) ++ sys.exit(0) ++ ++ if len(cmds) != 0: ++ usage() + selconf=selinuxConfig(directory, type, usepwd) + selconf.write() + @@ -315,3 +387,426 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon po except IndexError, error: - errorExit("IndexError") + errorExit("IndexError") +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon.8 policycoreutils-1.21.15/scripts/genhomedircon.8 +--- nsapolicycoreutils/scripts/genhomedircon.8 2005-01-21 09:01:37.000000000 -0500 ++++ policycoreutils-1.21.15/scripts/genhomedircon.8 2005-02-17 12:02:12.000000000 -0500 +@@ -26,40 +26,53 @@ + .SH NAME + genhomedircon \- generate file context configuration entries for user home directories + .SH SYNOPSIS +-.B genhomedircon +-.RI POLICYSOURCEDIR FILE_CONTEXTS ++.B genhomedircon [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ] [-h] ++ + .SH OPTIONS + .TP + .B "\-h" + Print a short usage message ++.TP ++.B "\-d selinuxdir (\-\-directory)" ++Directory where selinux files are installed defaults to /etc/selinux ++.TP ++.B ++\-n \-\-nopasswd ++Indicates to the utility not to read homedirectories out of the password database. ++.TP ++\-t selinuxtype (\-\-type) ++Indicates the selinux type of this install. Defaults to "targeted". + .SH DESCRIPTION + .PP +-This utility is used to generate file context configuration entries +-for user home directories based on their default roles and is run when +-building the policy. Specifically, it replaces the +-.B HOME_ROOT, HOME_DIR, +-and +-.B ROLE +-macros in .fc files with generic and user-specific values. It reads +-the list of users from the +-.I <>/users ++This utility is used to generate file context configuration entries for ++user home directories based on their default roles and is run when building ++the policy. It can also be run when ever the ++.I /etc/selinux/<>/users/local.users ++file is changed ++Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the ++.I /etc/selinux/<>/contexts/files/homedir_template ++file with generic and user-specific values. ++.I local.users + file. If a user has more than one role in +-.I <>/users, ++.I local.users, + .B genhomedircon + uses the first role in the list. + .PP + If a user is not listed in +-.I <>/users, ++.I local.users, + .B genhomedircon + assumes that the user's home dir will be found in one of the +-HOME_ROOTs. When looking for these users, ++HOME_ROOTs. ++When looking for these users, + .B genhomedircon + only considers real users. "Real" users (as opposed + to system users) are those whose UID is greater than or equal + .I STARTING_UID + (default 500) and whose login shell is not "/sbin/nologin", or +-"/bin/false". Users who are explicitly defined in +-.I <>/users ++"/bin/false". ++.PP ++Users who are explicitly defined in ++.I local.users, + are always "real" (including root, in the default configuration). + .SH AUTHOR + This manual page was written by +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon.new policycoreutils-1.21.15/scripts/genhomedircon.new +--- nsapolicycoreutils/scripts/genhomedircon.new 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-1.21.15/scripts/genhomedircon.new 2005-02-17 12:06:12.000000000 -0500 +@@ -0,0 +1,346 @@ ++#! /usr/bin/env python ++# Copyright (C) 2004 Tresys Technology, LLC ++# see file 'COPYING' for use and warranty information ++# ++# genhomedircon - this script is used to generate file context ++# configuration entries for user home directories based on their ++# default roles and is run when building the policy. Specifically, we ++# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with ++# generic and user-specific values. ++# ++# Based off original script by Dan Walsh, ++# ++# ASSUMPTIONS: ++# ++# The file CONTEXTDIR/files/homedir_template exists. This file is used to ++# set up the home directory context for each real user. ++# ++# If a user has more than one role in CONTEXTDIR/local.users, genhomedircon uses ++# the first role in the list. ++# ++# If a user is not listed in CONTEXTDIR/local.users, he will default to user_u, role user ++# ++# "Real" users (as opposed to system users) are those whose UID is greater than ++# or equal STARTING_UID (usually 500) and whose login is not a member of ++# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/local.users ++# are always "real" (including root, in the default configuration). ++# ++# ++# Old ASSUMPTIONS: ++# ++# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses ++# the first role in the list. ++# ++# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that ++# the user's home dir will be found in one of the HOME_ROOTs. ++# ++# "Real" users (as opposed to system users) are those whose UID is greater than ++# or equal STARTING_UID (usually 500) and whose login is not a member of ++# EXCLUDE_LOGINS. Users who are explicitly defined in FILECONTEXTDIR/users ++# are always "real" (including root, in the default configuration). ++# ++ ++import commands, sys, os, pwd, string, getopt ++ ++EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"] ++ ++def getStartingUID(): ++ rc=commands.getstatusoutput("grep ^UID_MIN /etc/login.defs | tail -1") ++ if rc[0]==0: ++ return rc[1].split()[-1] ++ return 500 ++ ++############################################################################# ++# ++# This section is just for backwards compatability ++# ++############################################################################# ++def getPrefixes(): ++ ulist = pwd.getpwall() ++ STARTING_UID=getStartingUID() ++ prefixes = {} ++ for u in ulist: ++ if u[2] >= STARTING_UID and \ ++ not u[6] in EXCLUDE_LOGINS and \ ++ u[5] != "/" and \ ++ string.count(u[5], "/") > 1: ++ prefix = u[5][:string.rfind(u[5], "/")] ++ if not prefixes.has_key(prefix): ++ prefixes[prefix] = "" ++ return prefixes ++ ++def getUsers(): ++ rc = commands.getstatusoutput("grep ^user %s/users" % FILECONTEXTDIR) ++ udict = {} ++ if rc[0] == 0: ++ ulist = rc[1].strip().split("\n") ++ for u in ulist: ++ user = u.split() ++ try: ++ if user[1] == "user_u" or user[1] == "system_u": ++ continue ++ # !!! chooses first role in the list to use in the file context !!! ++ role = user[3] ++ if role == "{": ++ role = user[4] ++ role = role.split("_r")[0] ++ home = pwd.getpwnam(user[1])[5] ++ if home == "/": ++ continue ++ prefs = {} ++ prefs["role"] = role ++ prefs["home"] = home ++ udict[user[1]] = prefs ++ except KeyError: ++ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % (user[1],)) ++ return udict ++ ++def update(filecontext, user, prefs): ++ rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user)) ++ if rc[0] == 0: ++ print rc[1] ++ else: ++ errorExit(string.join("grep/sed error ", rc[1])) ++ return rc ++ ++def oldgenhomedircon(filecontextdir, filecontext): ++ if os.path.isdir(filecontextdir) == 0: ++ print "isdir" ++ sys.stderr.write("Using genhomedircon in this fashion is supported for backards compatability\n") ++ sys.stderr.write("Please update to the latest policy\n") ++ sys.stderr.flush() ++ ++ FILECONTEXTDIR=filecontextdir ++ prefixes = getPrefixes() ++ ++ rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") ++ if rc[0] == 0: ++ homedir = rc[1].split("=")[1] ++ else: ++ sys.stderr.write("%s\n" % (rc[1],)) ++ sys.stderr.write("You do not have access to /etc/default/useradd, default /home\n") ++ sys.stderr.flush() ++ homedir = "/home" ++ ++ ++ if not prefixes.has_key(homedir): ++ prefixes[homedir] = "" ++ ++ # There may be a more elegant sed script to expand a macro to multiple lines, but this works ++ sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),) ++ sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),) ++ ++ # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users ++ rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext)) ++ if rc[0] == 0: ++ print rc[1] ++ else: ++ errorExit(string.join("sed error ", rc[1])) ++ ++ users = getUsers() ++ print "\n#\n# User-specific file contexts\n#\n" ++ ++ # Fill in HOME and ROLE for users that are defined ++ for u in users.keys(): ++ update(filecontext, u, users[u]) ++ ++############################################################################# ++# ++# End of backwards compatability section ++# ++############################################################################# ++ ++def getDefaultHomeDir(): ++ rc=commands.getstatusoutput("grep ^HOME= /etc/default/useradd | tail -1") ++ if rc[0]==0: ++ return rc[1].split("=")[-1] ++ return "/home" ++ ++def getSELinuxType(directory): ++ rc=commands.getstatusoutput("grep ^SELINUXTYPE= %s/config | tail -1" % directory) ++ if rc[0]==0: ++ return rc[1].split("=")[-1] ++ return "targeted" ++ ++def usage(error = ""): ++ if error != "": ++ sys.stderr.write("%s\n" % (error,)) ++ sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ]\n" % sys.argv[0]) ++ sys.stderr.flush() ++ sys.exit(1) ++ ++def warning(warning = ""): ++ sys.stderr.write("%s\n" % warning) ++ sys.stderr.flush() ++ ++def errorExit(error): ++ sys.stderr.write("%s exiting for: " % sys.argv[0]) ++ sys.stderr.write("%s\n" % error) ++ sys.stderr.flush() ++ sys.exit(1) ++ ++class selinuxConfig: ++ def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1): ++ self.type=type ++ self.selinuxdir=selinuxdir +"/" ++ self.contextdir="/contexts" ++ self.filecontextdir=self.contextdir+"/files" ++ self.usepwd=usepwd ++ ++ def getFileContextDir(self): ++ return self.selinuxdir+self.type+self.filecontextdir ++ ++ def getFileContextFile(self): ++ return self.getFileContextDir()+"/file_contexts" ++ ++ def getContextDir(self): ++ return self.selinuxdir+self.type+self.contextdir ++ ++ def getHomeDirTemplate(self): ++ return self.getFileContextDir()+"/homedir_template" ++ ++ def getHomeRootContext(self, homedir): ++ rc=commands.getstatusoutput("grep HOME_ROOT %s | sed -e \"s|^HOME_ROOT|%s|\"" % ( self.getHomeDirTemplate(), homedir)) ++ if rc[0] == 0: ++ return rc[1] ++ else: ++ errorExit(string.join("sed error ", rc[1])) ++ ++ def getUsersFile(self): ++ return self.selinuxdir+self.type+"/users/local.users" ++ ++ ++ def heading(self): ++ ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0] ++ ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile() ++ return ret ++ ++ def getUsers(self): ++ rc = commands.getstatusoutput("grep ^user %s" % self.getUsersFile()) ++ udict = {} ++ prefs = {} ++ if rc[0] == 0: ++ ulist = rc[1].strip().split("\n") ++ for u in ulist: ++ user = u.split() ++ try: ++ if user[1] == "user_u" or user[1] == "system_u": ++ continue ++ # !!! chooses first role in the list to use in the file context !!! ++ role = user[3] ++ if role == "{": ++ role = user[4] ++ role = role.split("_r")[0] ++ home = pwd.getpwnam(user[1])[5] ++ if home == "/": ++ continue ++ prefs = {} ++ prefs["role"] = role ++ prefs["home"] = home ++ udict[user[1]] = prefs ++ except KeyError: ++ sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % (user[1],)) ++ return udict ++ ++ def getHomeDirContext(self, user, home, role): ++ ret="\n\n#\n# Context for user %s\n#\n\n" % user ++ rc=commands.getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user)) ++ return ret + rc[1] + "\n" ++ ++ def genHomeDirContext(self): ++ users = self.getUsers() ++ ret="" ++ # Fill in HOME and ROLE for users that are defined ++ for u in users.keys(): ++ ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"]) ++ return ret ++ ++ def checkExists(self, home): ++ return commands.getstatusoutput("grep -E '^%s[^[:alnum:]_-]' %s" % (home, self.getFileContextFile()))[0] ++ ++ def getHomeDirs(self): ++ homedirs = [] ++ homedirs.append(getDefaultHomeDir()) ++ starting_uid=getStartingUID() ++ if self.usepwd==0: ++ return homedirs ++ ulist = pwd.getpwall() ++ for u in ulist: ++ if u[2] >= starting_uid and \ ++ not u[6] in EXCLUDE_LOGINS and \ ++ u[5] != "/" and \ ++ string.count(u[5], "/") > 1: ++ homedir = u[5][:string.rfind(u[5], "/")] ++ if not homedir in homedirs: ++ if self.checkExists(homedir)==0: ++ warning("%s is already defined in %s,\n%s will not create a new context." % (homedir, self.getFileContextFile(), sys.argv[0])) ++ else: ++ homedirs.append(homedir) ++ ++ homedirs.sort() ++ return homedirs ++ ++ def genoutput(self): ++ ret= self.heading() ++ for h in self.getHomeDirs(): ++ ret += self.getHomeDirContext ("user_u" , h+'/[^/]*', "user") ++ ret += "\n" ++ ret += self.getHomeRootContext(h) ++ ret += self.genHomeDirContext() ++ return ret ++ ++ def printout(self): ++ print self.genoutput() ++ ++ def write(self): ++ try: ++ fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w") ++ fd.write(self.genoutput()) ++ fd.close() ++ except IOError, error: ++ sys.stderr.write("%s: %s\n" % ( sys.argv[0], error )) ++ ++ ++ ++# ++# This script will generate home dir file context ++# based off the homedir_template file, entries in the password file, and ++# ++try: ++ usepwd=1 ++ directory="/etc/selinux" ++ type=None ++ gopts, cmds = getopt.getopt(sys.argv[1:], 'nd:t:', ['help', ++ 'type=', ++ 'nopasswd', ++ 'dir=']) ++ for o,a in gopts: ++ if o == '--type' or o == "-t": ++ type=a ++ if o == '--nopasswd' or o == "-n": ++ usepwd=0 ++ if o == '--dir' or o == "-d": ++ directory=a ++ if o == '--help': ++ usage() ++ ++ ++ if type==None: ++ type=getSELinuxType(directory) ++ ++ if len(cmds) == 2: ++ oldgenhomedircon(cmds[0], cmds[1]) ++ exit(0) ++ ++ if len(cmds) != 0: ++ usage() ++ selconf=selinuxConfig(directory, type, usepwd) ++ selconf.write() ++ ++except getopt.error, error: ++ errorExit(string.join("Options Error ", error)) ++ ++except ValueError, error: ++ errorExit(string.join("ValueError ", error)) ++except IndexError, error: ++ errorExit("IndexError") diff --git a/policycoreutils.spec b/policycoreutils.spec index 7d4813c..8318df6 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -1,16 +1,16 @@ -un%define libselinuxver 1.21.9-2 +%define libselinuxver 1.21.10-1 +%define libsepolver 1.3.5 Summary: SELinux policy core utilities. Name: policycoreutils -Version: 1.21.15 -Release: 8 +Version: 1.21.17 +Release: 1 License: GPL Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz -Patch: policycoreutils-rhat.patch Prefix: %{_prefix} -BuildRequires: libselinux-devel >= %{libselinuxver} pam-devel libsepol-devel >= 1.1.1 -Requires: libselinux >= %{libselinuxver} libsepol >= 1.1.1 +BuildRequires: libselinux-devel >= %{libselinuxver} pam-devel libsepol-devel >= %{libsepolver} +Requires: libselinux >= %{libselinuxver} libsepol >= %{libsepolver} BuildRoot: %{_tmppath}/%{name}-buildroot @@ -33,7 +33,6 @@ context. %prep %setup -q -%patch -p1 -b .rhat %build make CFLAGS="%{optflags}" all @@ -81,6 +80,16 @@ rm -rf ${RPM_BUILD_ROOT} %config(noreplace) %{_sysconfdir}/sestatus.conf %changelog +* Thu Feb 17 2005 Dan Walsh 1.21.17-1 +- Update to latest from NSA + * Merged new genhomedircon script from Dan Walsh. + * Changed load_policy to call sepol_genusers(). + +* Thu Feb 17 2005 Dan Walsh 1.21.15-9 +- Remove Red Hat rhpl usage +- Add back in original syntax +- Update man page to match new syntax + * Fri Feb 11 2005 Dan Walsh 1.21.15-8 - Fix genhomedircon regular expression - Fix exclude in restorecon diff --git a/sources b/sources index c7137e1..8b90762 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ 9ca78a2674a69bad77e8d4656f6dff43 policycoreutils-1.21.15.tgz +f521f095156bc704c12273a0be26d6a8 policycoreutils-1.21.17.tgz