diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.20/scripts/genhomedircon --- nsapolicycoreutils/scripts/genhomedircon 2006-01-30 18:32:39.000000000 -0500 +++ policycoreutils-1.29.20/scripts/genhomedircon 2006-02-09 10:27:15.000000000 -0500 @@ -4,7 +4,7 @@ # # genhomedircon - this script is used to generate file context # configuration entries for user home directories based on their -# default roles and is run when building the policy. Specifically, we +# default prefixes and is run when building the policy. Specifically, we # replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with # generic and user-specific values. # @@ -15,9 +15,7 @@ # The file CONTEXTDIR/files/homedir_template exists. This file is used to # set up the home directory context for each real user. # -# If a user has more than one role, genhomedircon uses the first role in the list. -# -# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user +# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, prefix user # # "Real" users (as opposed to system users) are those whose UID is greater than # or equal STARTING_UID (usually 500) and whose login is not a member of 
@@ -170,37 +168,34 @@ def heading(self): ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0] if self.semanaged: - ret += "# use seusers command to manage system users in order to change the file_context\n#\n#\n" + ret += "# use semanage command to manage system users in order to change the file_context\n#\n#\n" else: ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers") return ret - def defaultrole(self, name): + def get_default_prefix(self, name): for idx in range(self.usize): user = semanage_user_by_idx(self.ulist, idx) if semanage_user_get_name(user) == name: - if name == "staff_u" or name == "root" and self.type != "targeted": - return "staff_r" - else: - return "user_r" + return semanage_user_get_prefix(user) return name - def getOldRole(self, role): - rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % role) + def get_old_prefix(self, user): + rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % user) if rc == "": - rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % role) + rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % user) if rc != "": user=rc.split() - role = user[3] - if role == "{": - role = user[4] - return role + prefix = user[3] + if prefix == "{": + prefix = user[4] + if len(prefix) > 2 and (prefix[-2:] == "_r" or prefix[-2:] == "_u"): + prefix = prefix[:-2] + return prefix - def adduser(self, udict, user, seuser, role): - if seuser == "user_u" or user == "__default__": + def adduser(self, udict, user, seuser, prefix): + if seuser == "user_u" or user == "__default__" or user == "system_u": return - # !!! chooses first role in the list to use in the file context !!! - if role[-2:] == "_r" or role[-2:] == "_u": - role = role[:-2] + # !!! chooses first prefix in the list to use in the file context !!! try: home = pwd.getpwnam(user)[5] if home == "/": 
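Review bot: The fallback `return name` at the end of `get_default_prefix` now hands back the raw seuser name (typically ending in `_u`) as the prefix, because the suffix stripping it used to rely on was removed from `adduser` in this same hunk, while `get_old_prefix` still strips `_r`/`_u`; the two lookup paths therefore disagree for any seuser that is not in the semanage user list. Replacing the fallback with `if len(name) > 2 and name[-2:] in ("_r", "_u"): return name[:-2]` followed by `return name` keeps the previous behaviour. The comment `# !!! chooses first prefix in the list to use in the file context !!!` left in `adduser` no longer describes any code there and should be dropped or moved next to the `user[3]`/`user[4]` selection in `get_old_prefix`. That selection still indexes `user[3]` with no length check, so a short `user` line in system.users or local.users raises IndexError rather than yielding an empty prefix.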
@@ -217,7 +212,7 @@ return prefs = {} prefs["seuser"] = seuser - prefs["role"] = role + prefs["prefix"] = prefix prefs["home"] = home udict[user] = prefs @@ -229,7 +224,7 @@ user=[] seuser = semanage_seuser_by_idx(list, idx) seusername=semanage_seuser_get_sename(seuser) - self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername)) + self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.get_default_prefix(seusername)) else: try: @@ -242,8 +237,8 @@ if len(user) < 2: continue - role=self.getOldRole(user[1]) - self.adduser(udict, user[0], user[1], role) + prefix=self.get_old_prefix(user[1]) + self.adduser(udict, user[0], user[1], prefix) fd.close() except IOError, error: # Must be install so force add of root 
@@ -251,40 +246,37 @@ return udict - def getHomeDirContext(self, user, seuser, home, role): + def getHomeDirContext(self, user, seuser, home, prefix): ret="\n\n#\n# Home Context for user %s\n#\n\n" % user fd=open(self.getHomeDirTemplate(), 'r') for i in fd.read().split('\n'): if i.startswith("HOME_DIR") == 1: i=i.replace("HOME_DIR", home) - i=i.replace("ROLE", role) + i=i.replace("ROLE", prefix) i=i.replace("system_u", seuser) ret = ret+i+"\n" fd.close() return ret - def getUserContext(self, user, sel_user, role): + def getUserContext(self, user, sel_user, prefix): ret="" fd=open(self.getHomeDirTemplate(), 'r') for i in fd.read().split('\n'): if i.find("USER") == 1: i=i.replace("USER", user) - i=i.replace("ROLE", role) + i=i.replace("ROLE", prefix) i=i.replace("system_u", sel_user) ret=ret+i+"\n" fd.close() return ret def genHomeDirContext(self): - if self.semanaged and grep(self.getHomeDirTemplate(), "ROLE") != "": - warning("genhomedircon: Warning! No support yet for expanding ROLE macros in the %s file when using libsemanage." 
% self.getHomeDirTemplate()); - warning("genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root)."); users = self.getUsers() ret="" - # Fill in HOME and ROLE for users that are defined + # Fill in HOME and prefix for users that are defined for u in users.keys(): - ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["role"]) - ret += self.getUserContext (u, users[u]["seuser"], users[u]["role"]) + ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["prefix"]) + ret += self.getUserContext (u, users[u]["seuser"], users[u]["prefix"]) return ret+"\n" def checkExists(self, home): diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.20/semanage/seobject.py --- nsapolicycoreutils/semanage/seobject.py 2006-02-02 12:08:04.000000000 -0500 +++ policycoreutils-1.29.20/semanage/seobject.py 2006-02-10 11:48:59.000000000 -0500 @@ -21,8 +21,11 @@ # # -import pwd, string, selinux, tempfile, os, re +import pwd, string, selinux, tempfile, os, re, sys from semanage import *; +import audit + +audit_fd=audit.audit_open() def validate_level(raw): sensitivity="s([0-9]|1[0-5])" 
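Review bot: `audit_fd=audit.audit_open()` runs at import time and its result is never checked; if the audit socket cannot be opened (missing privilege, audit disabled in the kernel) `audit_fd` is negative and, as far as libaudit's behaviour goes, every later `audit_log_semanage_message` call presumably becomes a silent no-op, so policy changes go unrecorded with no indication to the operator. Suggest `if audit_fd < 0: sys.stderr.write("seobject: could not open audit socket, changes will not be audited\n")` directly after the call, or deferring the open to first use so that merely importing seobject does not open a netlink socket. The new `import audit` also makes the libaudit Python binding a hard dependency of this module, which should be reflected wherever the package declares its requirements.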
@@ -170,119 +173,145 @@ if sename == "": sename = "user_u" - (rc,k) = semanage_seuser_key_create(self.sh, name) - if rc < 0: - raise ValueError("Could not create a key for %s" % name) - - (rc,exists) = semanage_seuser_exists(self.sh, k) - if rc < 0: - raise ValueError("Could not check if login mapping for %s is defined" % name) - if exists: - raise ValueError("Login mapping for %s is already defined" % name) try: - pwd.getpwnam(name) - except: - raise ValueError("Linux User %s does not exist" % name) - - (rc,u) = semanage_seuser_create(self.sh) - if rc < 0: - raise ValueError("Could not create login mapping for %s" % name) + (rc,k) = semanage_seuser_key_create(self.sh, name) + if rc < 0: + raise ValueError("Could not create a key for %s" % name) - rc = semanage_seuser_set_name(self.sh, u, name) - if rc < 0: - raise ValueError("Could not set name for %s" % name) + (rc,exists) = semanage_seuser_exists(self.sh, k) + if rc < 0: + raise ValueError("Could not check if login mapping for %s is defined" % name) + if exists: + raise ValueError("Login mapping for %s is already defined" % name) + try: + pwd.getpwnam(name) + except: + raise ValueError("Linux User %s does not exist" % name) - rc = semanage_seuser_set_mlsrange(self.sh, u, serange) - if rc < 0: - raise ValueError("Could not set MLS range for %s" % name) + (rc,u) = semanage_seuser_create(self.sh) + if rc < 0: + raise ValueError("Could not create login mapping for %s" % name) - rc = semanage_seuser_set_sename(self.sh, u, sename) - if rc < 0: - raise ValueError("Could not set SELinux user for %s" % name) + rc = semanage_seuser_set_name(self.sh, u, name) + if rc < 0: + raise ValueError("Could not set name for %s" % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError("Could not start semanage transaction") + rc = semanage_seuser_set_mlsrange(self.sh, u, serange) + if rc < 0: + raise ValueError("Could not set MLS range for %s" % name) - rc = semanage_seuser_modify_local(self.sh, k, u) - if 
rc < 0: - raise ValueError("Could not add login mapping for %s" % name) + rc = semanage_seuser_set_sename(self.sh, u, sename) + if rc < 0: + raise ValueError("Could not set SELinux user for %s" % name) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError("Could not add login mapping for %s" % name) + rc = semanage_begin_transaction(self.sh) + if rc < 0: + raise ValueError("Could not start semanage transaction") + rc = semanage_seuser_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError("Could not add login mapping for %s" % name) + + rc = semanage_commit(self.sh) + if rc < 0: + raise ValueError("Could not add login mapping for %s" % name) + + except ValueError, error: + audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 0); + raise error + + audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 1); semanage_seuser_key_free(k) semanage_seuser_free(u) def modify(self, name, sename = "", serange = ""): - if sename == "" and serange == "": - raise ValueError("Requires seuser or serange") + oldsename="" + oldserange="" + try: + if sename == "" and serange == "": + raise ValueError("Requires seuser or serange") - (rc,k) = semanage_seuser_key_create(self.sh, name) - if rc < 0: - raise ValueError("Could not create a key for %s" % name) + (rc,k) = semanage_seuser_key_create(self.sh, name) + if rc < 0: + raise ValueError("Could not create a key for %s" % name) - (rc,exists) = semanage_seuser_exists(self.sh, k) - if rc < 0: - raise ValueError("Could not check if login mapping for %s is defined" % name) - if not exists: - raise ValueError("Login mapping for %s is not defined" % name) + (rc,exists) = semanage_seuser_exists(self.sh, k) + if rc < 0: + raise ValueError("Could not check if login mapping for %s is defined" % name) + if not 
exists: + raise ValueError("Login mapping for %s is not defined" % name) - (rc,u) = semanage_seuser_query(self.sh, k) - if rc < 0: - raise ValueError("Could not query seuser for %s" % name) + (rc,u) = semanage_seuser_query(self.sh, k) + if rc < 0: + raise ValueError("Could not query seuser for %s" % name) - if serange != "": - semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange)) - if sename != "": - semanage_seuser_set_sename(self.sh, u, sename) + oldserange=semanage_seuser_get_mlsrange(u) + oldsename=semanage_seuser_get_sename(u) + if serange != "": + semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange)) + else: + serange=oldserange + if sename != "": + semanage_seuser_set_sename(self.sh, u, sename) + else: + sename=oldsename - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError("Could not srart semanage transaction") + rc = semanage_begin_transaction(self.sh) + if rc < 0: + raise ValueError("Could not srart semanage transaction") - rc = semanage_seuser_modify_local(self.sh, k, u) - if rc < 0: - raise ValueError("Could not modify login mapping for %s" % name) - - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError("Could not modify login mapping for %s" % name) + rc = semanage_seuser_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError("Could not modify login mapping for %s" % name) + + rc = semanage_commit(self.sh) + if rc < 0: + raise ValueError("Could not modify login mapping for %s" % name) + except ValueError, error: + audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, "", oldsename, "", oldserange, "", "", "", 0); + raise error + + audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, oldsename, "", oldserange, "", 1); semanage_seuser_key_free(k) semanage_seuser_free(u) def delete(self, name): - (rc,k) = 
semanage_seuser_key_create(self.sh, name) - if rc < 0: - raise ValueError("Could not create a key for %s" % name) + try: + (rc,k) = semanage_seuser_key_create(self.sh, name) + if rc < 0: + raise ValueError("Could not create a key for %s" % name) - (rc,exists) = semanage_seuser_exists(self.sh, k) - if rc < 0: - raise ValueError("Could not check if login mapping for %s is defined" % name) - if not exists: - raise ValueError("Login mapping for %s is not defined" % name) + (rc,exists) = semanage_seuser_exists(self.sh, k) + if rc < 0: + raise ValueError("Could not check if login mapping for %s is defined" % name) + if not exists: + raise ValueError("Login mapping for %s is not defined" % name) - (rc,exists) = semanage_seuser_exists_local(self.sh, k) - if rc < 0: - raise ValueError("Could not check if login mapping for %s is defined" % name) - if not exists: - raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name) + (rc,exists) = semanage_seuser_exists_local(self.sh, k) + if rc < 0: + raise ValueError("Could not check if login mapping for %s is defined" % name) + if not exists: + raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError("Could not start semanage transaction") + rc = semanage_begin_transaction(self.sh) + if rc < 0: + raise ValueError("Could not start semanage transaction") - rc = semanage_seuser_del_local(self.sh, k) + rc = semanage_seuser_del_local(self.sh, k) - if rc < 0: - raise ValueError("Could not delete login mapping for %s" % name) + if rc < 0: + raise ValueError("Could not delete login mapping for %s" % name) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError("Could not delete login mapping for %s" % name) - + rc = semanage_commit(self.sh) + if rc < 0: + raise ValueError("Could not delete login mapping for %s" % name) + + except ValueError, error: + audit.audit_log_semanage_message(audit_fd, 
audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 0); + raise error + + audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 1); semanage_seuser_key_free(k) 
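Review bot: The two audit calls added to the login-mapping `modify` do not match the 16-argument shape used by every other `audit_log_semanage_message` call in this hunk: the except-path call passes 17 arguments and places `oldsename` in the old-role slot, while the success-path call passes 14. Because the first sits inside the `except ValueError` handler, an arity error there replaces the ValueError the caller should see, and the second fires after `semanage_commit`, so the mapping is changed but the caller still gets an exception. Both should read `audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0], "modify selinux user mapping", name, 0, sename, "", serange, oldsename, "", oldserange, "", "", "", 0)` with a trailing `1` on the success path. In all three handlers `raise error` should be a bare `raise` so the original traceback survives, and the audit call's return value is never checked, so a failed audit write is invisible. `add` starts outside the hunk.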
@@ -322,127 +351,145 @@ else: selevel = untranslate(selevel) - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: - raise ValueError("Could not create a key for %s" % name) - - (rc,exists) = semanage_user_exists(self.sh, k) - if rc < 0: - raise ValueError("Could not check if SELinux user %s is defined" % name) - if exists: - raise ValueError("SELinux user %s is already defined" % name) + seroles=" ".join(roles) + try: + (rc,k) = semanage_user_key_create(self.sh, name) + if rc < 0: + raise ValueError("Could not create a key for %s" % name) - (rc,u) = semanage_user_create(self.sh) - if rc < 0: - raise ValueError("Could not create SELinux user for %s" % name) + (rc,exists) = semanage_user_exists(self.sh, k) + if rc < 0: + raise ValueError("Could not check if SELinux user %s is defined" % name) + if exists: + raise ValueError("SELinux user %s is already defined" % name) - rc = semanage_user_set_name(self.sh, u, name) - if rc < 0: - raise ValueError("Could not set name for %s" % name) + (rc,u) = semanage_user_create(self.sh) + if rc < 0: + raise ValueError("Could not create SELinux user for %s" % name) - for r in roles: - rc = semanage_user_add_role(self.sh, u, r) + rc = semanage_user_set_name(self.sh, u, name) if rc < 0: - raise ValueError("Could not add role %s for %s" % (r, name)) + raise ValueError("Could not set name for %s" % name) - rc = semanage_user_set_mlsrange(self.sh, u, serange) - if rc < 0: - raise ValueError("Could not set MLS range for %s" % name) + for r in roles: + rc = semanage_user_add_role(self.sh, u, r) + if rc < 0: + raise ValueError("Could not add role %s for %s" % (r, name)) - rc = semanage_user_set_mlslevel(self.sh, u, selevel) - if rc < 0: - raise ValueError("Could not set MLS level for %s" % name) + rc = semanage_user_set_mlsrange(self.sh, u, serange) + if rc < 0: + raise ValueError("Could not set MLS range for %s" % name) - (rc,key) = semanage_user_key_extract(self.sh,u) - if rc < 0: - raise ValueError("Could not extract key for 
%s" % name) + rc = semanage_user_set_mlslevel(self.sh, u, selevel) + if rc < 0: + raise ValueError("Could not set MLS level for %s" % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError("Could not start semanage transaction") + (rc,key) = semanage_user_key_extract(self.sh,u) + if rc < 0: + raise ValueError("Could not extract key for %s" % name) - rc = semanage_user_modify_local(self.sh, k, u) - if rc < 0: - raise ValueError("Could not add SELinux user %s" % name) + rc = semanage_begin_transaction(self.sh) + if rc < 0: + raise ValueError("Could not start semanage transaction") - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError("Could not add SELinux user %s" % name) + rc = semanage_user_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError("Could not add SELinux user %s" % name) + + rc = semanage_commit(self.sh) + if rc < 0: + raise ValueError("Could not add SELinux user %s" % name) + except ValueError, error: + audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 0); + raise error + + audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 1); semanage_user_key_free(k) semanage_user_free(u) def modify(self, name, roles = [], selevel = "", serange = ""): - if len(roles) == 0 and serange == "" and selevel == "": - raise ValueError("Requires roles, level or range") + try: + if len(roles) == 0 and serange == "" and selevel == "": + raise ValueError("Requires roles, level or range") - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: - raise ValueError("Could not create a key for %s" % name) + (rc,k) = semanage_user_key_create(self.sh, name) + if rc < 0: + raise ValueError("Could not create a key for %s" % name) - (rc,exists) = semanage_user_exists(self.sh, k) - if rc < 0: - raise 
ValueError("Could not check if SELinux user %s is defined" % name) - if not exists: - raise ValueError("SELinux user %s is not defined" % name) - - (rc,u) = semanage_user_query(self.sh, k) - if rc < 0: - raise ValueError("Could not query user for %s" % name) + (rc,exists) = semanage_user_exists(self.sh, k) + if rc < 0: + raise ValueError("Could not check if SELinux user %s is defined" % name) + if not exists: + raise ValueError("SELinux user %s is not defined" % name) - if serange != "": - semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) - if selevel != "": - semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) - - if len(roles) != 0: - for r in roles: - semanage_user_add_role(self.sh, u, r) + (rc,u) = semanage_user_query(self.sh, k) + if rc < 0: + raise ValueError("Could not query user for %s" % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError("Could not start semanage transaction") + if serange != "": + semanage_user_set_mlsrange(self.sh, u, untranslate(serange)) + if selevel != "": + semanage_user_set_mlslevel(self.sh, u, untranslate(selevel)) + + if len(roles) != 0: + for r in roles: + semanage_user_add_role(self.sh, u, r) - rc = semanage_user_modify_local(self.sh, k, u) - if rc < 0: - raise ValueError("Could not modify SELinux user %s" % name) + rc = semanage_begin_transaction(self.sh) + if rc < 0: + raise ValueError("Could not start semanage transaction") - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError("Could not modify SELinux user %s" % name) + rc = semanage_user_modify_local(self.sh, k, u) + if rc < 0: + raise ValueError("Could not modify SELinux user %s" % name) + + rc = semanage_commit(self.sh) + if rc < 0: + raise ValueError("Could not modify SELinux user %s" % name) + + except ValueError, error: + audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 
0); + raise error + audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 1); semanage_user_key_free(k) semanage_user_free(u) def delete(self, name): - (rc,k) = semanage_user_key_create(self.sh, name) - if rc < 0: - raise ValueError("Could not create a key for %s" % name) - - (rc,exists) = semanage_user_exists(self.sh, k) - if rc < 0: - raise ValueError("Could not check if SELinux user %s is defined" % name) - if not exists: - raise ValueError("SELinux user %s is not defined" % name) + try: + (rc,k) = semanage_user_key_create(self.sh, name) + if rc < 0: + raise ValueError("Could not create a key for %s" % name) + + (rc,exists) = semanage_user_exists(self.sh, k) + if rc < 0: + raise ValueError("Could not check if SELinux user %s is defined" % name) + if not exists: + raise ValueError("SELinux user %s is not defined" % name) - (rc,exists) = semanage_user_exists_local(self.sh, k) - if rc < 0: - raise ValueError("Could not check if SELinux user %s is defined" % name) - if not exists: - raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name) + (rc,exists) = semanage_user_exists_local(self.sh, k) + if rc < 0: + raise ValueError("Could not check if SELinux user %s is defined" % name) + if not exists: + raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name) - rc = semanage_begin_transaction(self.sh) - if rc < 0: - raise ValueError("Could not start semanage transaction") + rc = semanage_begin_transaction(self.sh) + if rc < 0: + raise ValueError("Could not start semanage transaction") - rc = semanage_user_del_local(self.sh, k) - if rc < 0: - raise ValueError("Could not delete SELinux user %s" % name) + rc = semanage_user_del_local(self.sh, k) + if rc < 0: + raise ValueError("Could not delete SELinux user %s" % name) - rc = semanage_commit(self.sh) - if rc < 0: - raise ValueError("Could 
not delete SELinux user %s" % name) + rc = semanage_commit(self.sh) + if rc < 0: + raise ValueError("Could not delete SELinux user %s" % name) + except ValueError, error: + audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 0); + raise error + audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 1); semanage_user_key_free(k) def get_all(self):