diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.2/scripts/genhomedircon
--- nsapolicycoreutils/scripts/genhomedircon 2005-12-07 07:28:00.000000000 -0500
+++ policycoreutils-1.29.2/scripts/genhomedircon 2005-12-20 06:32:04.000000000 -0500
@@ -26,64 +26,73 @@ # # -import commands, sys, os, pwd, string, getopt, re +import sys, os, pwd, string, getopt, re from semanage import *; -fd=open("/etc/shells", 'r') -VALID_SHELLS=fd.read().split('\n') -fd.close() -if "/sbin/nologin" in VALID_SHELLS: - VALID_SHELLS.remove("/sbin/nologin") +try: + fd=open("/etc/shells", 'r') + VALID_SHELLS=fd.read().split('\n') + fd.close() + if "/sbin/nologin" in VALID_SHELLS: + VALID_SHELLS.remove("/sbin/nologin") +except: + VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh'] + +def findval(file, var, delim=""): + val="" + try: + fd=open(file, 'r') + for i in fd.read().split('\n'): + if i.startswith(var) == 1: + if delim == "": + val = i.split()[1] + else: + val = i.split(delim)[1] + val = val.split("#")[0] + val = val.strip() + fd.close() + except: + val="" + return val def getStartingUID(): starting_uid = sys.maxint - rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs") - if rc[0] == 0: - uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1]) - #stip any comment from the end of the line + uid_min= findval("/etc/login.defs", "UID_MIN") + if uid_min != "": uid_min = uid_min.split("#")[0] uid_min = uid_min.strip() if int(uid_min) < starting_uid: starting_uid = int(uid_min) - rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf") - if rc[0] == 0: - lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1]) - #stip any comment from the end of the line - lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber) - lu_uidnumber = lu_uidnumber.split("#")[0] - lu_uidnumber = lu_uidnumber.strip() - if int(lu_uidnumber) < starting_uid: - starting_uid = int(lu_uidnumber) + + uid_min= findval("/etc/libuser.conf", "LU_UIDNUMBER", "=") + if uid_min != "": + uid_min = uid_min.split("#")[0] + uid_min = uid_min.strip() + if int(uid_min) < starting_uid: + starting_uid = int(uid_min) + if starting_uid == sys.maxint: starting_uid = 500 
return starting_uid def getDefaultHomeDir(): ret = [] - rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") - if rc[0] == 0: - homedir = rc[1].split("=")[1] - homedir = homedir.split("#")[0] - homedir = homedir.strip() - if not homedir in ret: - ret.append(homedir) - - rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf") - if rc[0] == 0: - homedir = rc[1].split("=")[1] - homedir = homedir.split("#")[0] - homedir = homedir.strip() - if not homedir in ret: - ret.append(homedir) - + homedir=findval("/etc/default/useradd", "HOME", "=") + if homedir != "" and not homedir in ret: + ret.append(homedir) + + homedir=findval("/etc/libuser.conf", "LU_HOMEDIRECTORY", "=") + if homedir != "" and not homedir in ret: + ret.append(homedir) + if ret == []: ret.append("/home") return ret def getSELinuxType(directory): - rc=commands.getstatusoutput("grep ^SELINUXTYPE= %s/config" % directory) - if rc[0]==0: - return rc[1].split("=")[-1].strip() + val=findval(directory+"/config", "SELINUXTYPE", "=") + if val != "": + return val return "targeted" def usage(error = ""): @@ -129,11 +138,17 @@ return self.getFileContextDir()+"/homedir_template" def getHomeRootContext(self, homedir): - rc=commands.getstatusoutput("grep HOME_ROOT %s | sed -e \"s|^HOME_ROOT|%s|\"" % ( self.getHomeDirTemplate(), homedir)) - if rc[0] == 0: - return rc[1]+"\n" - else: - errorExit("sed error %s" % rc[1]) + ret="" + fd=open(self.getHomeDirTemplate(), 'r') + + for i in fd.read().split('\n'): + if i.find("HOME_ROOT") == 0: + i=i.replace("HOME_ROOT", homedir) + ret = i+"\n" + fd.close() + if ret=="": + errorExit("No Home Root Context Found") + return ret def heading(self): ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0] 
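Review bot: `findval`, introduced in this hunk, catches everything with a bare `except:` and turns any failure — an unreadable config file, an `IndexError` from a `UID_MIN` line with no value, even `KeyboardInterrupt` — into the empty string, so `getStartingUID`/`getDefaultHomeDir` silently fall back to UID 500 and `/home`, and the descriptor is never closed on that path. The same bare `except:` guards the `/etc/shells` fallback at the top of the hunk. I would narrow the handler to `IOError`, close the file in a `finally`, and skip malformed lines explicitly instead of discarding the value collected so far. The version below keeps the original's last-match-wins semantics and its `var`/`delim` interface.
```python
def findval(file, var, delim=""):
    # Value of the last line in `file` that starts with `var`; "" if no such
    # line or the file cannot be read.  A trailing "#..." comment is stripped.
    val = ""
    try:
        fd = open(file, 'r')
    except IOError:
        return val
    try:
        for i in fd.read().split('\n'):
            if not i.startswith(var):
                continue
            if delim == "":
                fields = i.split()
            else:
                fields = i.split(delim)
            if len(fields) < 2:
                continue    # e.g. a bare "UID_MIN" with no value
            val = fields[1].split("#")[0].strip()
    finally:
        fd.close()
    return val
```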
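Review bot: In `getHomeRootContext` the assignment `ret = i+"\n"` overwrites on every match, so a template with more than one `HOME_ROOT` line emits only the last one, whereas the `grep | sed` pipeline it replaces returned all of them and `getHomeDirContext` later in this diff accumulates with `ret = ret+i+"\n"`. The fix is the one-line change `ret = ret + i + "\n"`. Secondary: `fd.close()` is skipped if the read raises, so a `try`/`finally` around the loop would be cleaner.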
@@ -152,32 +167,40 @@ return "user_r" return name def getOldRole(self, role): - rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/system.users")) - if rc[0] != 0: - rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/local.users")) - if rc[0] == 0: - user=rc[1].split() + rc=findval(self.selinuxdir+self.type+"/users/system.users", 'grep "^user %s" %s' % role, "=") + if rc == "": + rc=findval(self.selinuxdir+self.type+"/users/local.users", 'grep "^user %s" %s' % role, "=") + if rc != "": + user=rc.split() role = user[3] if role == "{": role = user[4] return role def adduser(self, udict, user, seuser, role): + if seuser == "user_u" or user == "__default__": + return + # !!! chooses first role in the list to use in the file context !!! + if role[-2:] == "_r" or role[-2:] == "_u": + role = role[:-2] try: - if seuser == "user_u" or user == "__default__": - return - # !!! chooses first role in the list to use in the file context !!! - if role[-2:] == "_r" or role[-2:] == "_u": - role = role[:-2] home = pwd.getpwnam(user)[5] if home == "/": - return - prefs = {} - prefs["role"] = role - prefs["home"] = home - udict[seuser] = prefs + # Probably install so hard code to /root + if user == "root": + home="/root" + else: + return except KeyError: - sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user) + if user == "root": + home = "/root" + else: + sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user) + return + prefs = {} + prefs["role"] = role + prefs["home"] = home + udict[seuser] = prefs def getUsers(self): udict = {} 
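Review bot: The new `getOldRole` cannot work: it passes `'grep "^user %s" %s' % role` as `findval`'s `var` argument, which raises `TypeError` (two `%s`, one argument) before any file is opened, and even if it did not, `findval` returns only the second whitespace field, so the following `rc.split()` / `user[3]` indexing would never see a role. This is the non-libsemanage `else:` branch of `getUsers`, so every system taking that path aborts unless `TypeError` is caught by a handler outside the hunk (only `ValueError` and `IndexError` are visible at the bottom of the diff). The function should read `system.users` and then `local.users` itself and return the first role of the matching `user NAME roles …` line, as the old grep did; the indexing below is the original's, with an exact name match instead of the old `^user NAME` prefix match. `adduser` in the same hunk is fine; hard-coding `/root` for a missing or `/`-homed root is the intent of the commit.
```python
    def getOldRole(self, role):
        # Find "user <seuser> roles { r1 r2 ... };" (or "... roles r1;") in
        # system.users, then local.users; return the first role, else `role`.
        for name in ("system.users", "local.users"):
            try:
                fd = open(self.selinuxdir + self.type + "/users/" + name, 'r')
            except IOError:
                continue
            try:
                for i in fd.read().split('\n'):
                    user = i.split()
                    if len(user) < 4 or user[0] != "user" or user[1] != role:
                        continue
                    if user[3] == "{" and len(user) > 4:
                        return user[4]
                    return user[3]
            finally:
                fd.close()
        return role
```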
@@ -190,30 +213,45 @@ self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername)) else: - rc = commands.getstatusoutput("grep -v '^ *#' %s" % self.selinuxdir+self.type+"/seusers") - if rc[0] == 0 and rc[1] != "": - ulist = rc[1].split("\n") - for u in ulist: - if len(u)==0: - continue - user = u.split(":") - if len(user) < 3: - continue - role=self.getOldRole(user[1]) - self.adduser(udict, user[0], user[1], role) + fd =open(self.selinuxdir+self.type+"/seusers") + for u in fd.read().split('\n'): + u=u.strip() + if len(u)==0 or u[0]=="#": + continue + user = u.split(":") + if len(user) < 3: + continue + role=self.getOldRole(user[1]) + self.adduser(udict, user[0], user[1], role) + fd.close() return udict def getHomeDirContext(self, user, home, role): ret="\n\n#\n# Home Context for user %s\n#\n\n" % user - rc=commands.getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user)) - return ret + rc[1] + "\n" + fd=open(self.getHomeDirTemplate(), 'r') + for i in fd.read().split('\n'): + if i.startswith("HOME_DIR") == 1: + i=i.replace("HOME_DIR", home) + i=i.replace("ROLE", role) + i=i.replace("system_u", user) + ret = ret+i+"\n" + fd.close() + return ret def getUserContext(self, user, sel_user, role): - rc=commands.getstatusoutput("grep 'USER' %s | sed -e 's/USER/%s/' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), user, role, sel_user)) - return rc[1] + "\n" + ret="" + fd=open(self.getHomeDirTemplate(), 'r') + for i in fd.read().split('\n'): + if i.find("USER") == 1: + i=i.replace("USER", user) + i=i.replace("ROLE", role) + i=i.replace("system_u", sel_user) + ret=ret+i+"\n" + fd.close() + return ret def genHomeDirContext(self): - if commands.getstatusoutput("grep -q 'ROLE' %s" % self.getHomeDirTemplate())[0] == 0 and self.semanaged: + if self.semanaged and findval(self.getHomeDirTemplate(), "ROLE", "=") != "": 
warning("genhomedircon: Warning! No support yet for expanding ROLE macros in the %s file when using libsemanage." % self.getHomeDirTemplate()); warning("genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root)."); users = self.getUsers() 
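Review bot: `getUserContext` tests `i.find("USER") == 1`, i.e. "USER" at string offset 1, which no template line will satisfy, so the user-specific entries the old `grep 'USER'` emitted are now silently dropped; it should read `if i.find("USER") != -1:` (or `if "USER" in i:`). Likewise the libsemanage warning in `genHomeDirContext` now relies on `findval(..., "ROLE", "=")`, which only matches lines that start with `ROLE`, while the old `grep -q 'ROLE'` matched anywhere — presumably the template lines begin with `HOME_DIR`, in which case the warning never fires; read the template and test `"ROLE" in contents` instead. `getUsers` also leaves the `seusers` descriptor open if parsing raises; a `try`/`finally` around the loop would close it. `genHomeDirContext`'s body continues past the end of the hunk.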
@@ -225,40 +263,23 @@ return ret+"\n" def checkExists(self, home): - if commands.getstatusoutput("grep -E '^%s[^[:alnum:]_-]' %s" % (home, self.getFileContextFile()))[0] == 0: - return 0 - #this works by grepping the file_contexts for - # 1. ^/ makes sure this is not a comment - # 2. prints only the regex in the first column first cut on \t then on space - rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % self.getFileContextFile() ) - if rc[0] == 0: - prefix_regex = rc[1].split("\n") - else: - warning("%s\nYou do not have access to read %s\n" % (rc[1], self.getFileContextFile())) - - exists=1 - for regex in prefix_regex: - #match a trailing (/*)? which is actually a bug in rpc_pipefs - regex = re.sub("\(/\*\)\?$", "", regex) - #match a trailing .+ - regex = re.sub("\.+$", "", regex) - #match a trailing .* - regex = re.sub("\.\*$", "", regex) - #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s - regex = re.sub("\(\/\.\*\)\?", "", regex) - regex = regex + "/*$" - if re.search(regex, home, 0): - exists = 0 - break - if exists == 1: - return 1 - else: - return 0 - + fd=open(self.getFileContextFile()) + for i in fd.read().split('\n'): + if len(i)==0: + return + regex=i.split()[0] + #match a trailing .+ + regex = re.sub("\.+$", "", regex) + regex = re.sub("\.\*$", "", regex) + #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s + regex = re.sub("\(\/\.\*\)\?", "", regex) + regex = regex + "/*$" + if re.search(home, regex, 0): + return 1 + return 0 def getHomeDirs(self): - homedirs = [] - homedirs = homedirs + getDefaultHomeDir() + homedirs = getDefaultHomeDir() starting_uid=getStartingUID() if self.usepwd==0: return homedirs 
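Review bot: `checkExists` has two defects in the new body. `re.search(home, regex, 0)` swaps the arguments of the original `re.search(regex, home, 0)`: the home directory taken from `/etc/passwd` is now compiled as the pattern, so the match is meaningless and a path containing a regex metacharacter (`(`, `[`, `*`, …) raises `re.error` — an uncaught exception triggered by passwd data in a script that normally runs as root. Second, `if len(i)==0: return` stops scanning at the first blank line of `file_contexts` and returns `None`, which the caller compares `== 1`, so every entry after a blank line is ignored and conflicting contexts are generated anyway; it should `continue`, and comment lines (the old `grep "^/"` filter) should be skipped as well. The first-stage `grep -E '^home[^[:alnum:]_-]'` exact check was also dropped without replacement. A corrected body follows.
```python
    def checkExists(self, home):
        fd = open(self.getFileContextFile())
        try:
            for i in fd.read().split('\n'):
                i = i.strip()
                # skip blank and comment lines; only path specs start with "/"
                if len(i) == 0 or i[0] != "/":
                    continue
                regex = i.split()[0]
                # … unchanged: strip trailing .+ / .* / (/.*)? from regex …
                regex = regex + "/*$"
                if re.search(regex, home, 0):
                    return 1
        finally:
            fd.close()
        return 0
```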
@@ -270,7 +291,7 @@
 string.count(u[5], "/") > 1:
 homedir = u[5][:string.rfind(u[5], "/")]
 if not homedir in homedirs:
- if self.checkExists(homedir)==0:
+ if self.checkExists(homedir)==1:
 warning("%s homedir %s or its parent directoy conflicts with a\ndefined context in %s,\n%s will not create a new context." % (u[0], u[5], self.getFileContextFile(), sys.argv[0]))
 else:
 homedirs.append(homedir)
@@ -336,4 +357,4 @@
 except ValueError, error:
 errorExit("ValueError %s" % error)
 except IndexError, error:
- errorExit("IndexError")
+ errorExit("IndexError %s" % error)
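Review bot: The new comparison `self.checkExists(homedir)==1` only detects a conflict when the helper returns exactly `1`; as written in this patch `checkExists` can also leave its loop through a bare `return` (`None`), which this test treats as "no conflict", so the warning path is skipped and a context is generated anyway. Testing truthiness, `if self.checkExists(homedir):`, keeps the conflict branch reachable whatever the helper returns. The `@@ -336` hunk is fine.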