4c107ae3b8
- Fix auditing to semanage - Change genhomedircon to use new prefix interface in libselinux
636 lines
24 KiB
Diff
636 lines
24 KiB
Diff
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/scripts/genhomedircon policycoreutils-1.29.20/scripts/genhomedircon
|
|
--- nsapolicycoreutils/scripts/genhomedircon 2006-01-30 18:32:39.000000000 -0500
|
|
+++ policycoreutils-1.29.20/scripts/genhomedircon 2006-02-09 10:27:15.000000000 -0500
|
|
@@ -4,7 +4,7 @@
|
|
#
|
|
# genhomedircon - this script is used to generate file context
|
|
# configuration entries for user home directories based on their
|
|
-# default roles and is run when building the policy. Specifically, we
|
|
+# default prefixes and is run when building the policy. Specifically, we
|
|
# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
|
|
# generic and user-specific values.
|
|
#
|
|
@@ -15,9 +15,7 @@
|
|
# The file CONTEXTDIR/files/homedir_template exists. This file is used to
|
|
# set up the home directory context for each real user.
|
|
#
|
|
-# If a user has more than one role, genhomedircon uses the first role in the list.
|
|
-#
|
|
-# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user
|
|
+# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, prefix user
|
|
#
|
|
# "Real" users (as opposed to system users) are those whose UID is greater than
|
|
# or equal STARTING_UID (usually 500) and whose login is not a member of
|
|
@@ -170,37 +168,34 @@
|
|
def heading(self):
|
|
ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
|
|
if self.semanaged:
|
|
- ret += "# use seusers command to manage system users in order to change the file_context\n#\n#\n"
|
|
+ ret += "# use semanage command to manage system users in order to change the file_context\n#\n#\n"
|
|
else:
|
|
ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers")
|
|
return ret
|
|
|
|
- def defaultrole(self, name):
|
|
+ def get_default_prefix(self, name):
|
|
for idx in range(self.usize):
|
|
user = semanage_user_by_idx(self.ulist, idx)
|
|
if semanage_user_get_name(user) == name:
|
|
- if name == "staff_u" or name == "root" and self.type != "targeted":
|
|
- return "staff_r"
|
|
- else:
|
|
- return "user_r"
|
|
+ return semanage_user_get_prefix(user)
|
|
return name
|
|
- def getOldRole(self, role):
|
|
- rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % role)
|
|
+ def get_old_prefix(self, user):
|
|
+ rc=grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % user)
|
|
if rc == "":
|
|
- rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % role)
|
|
+ rc=grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % user)
|
|
if rc != "":
|
|
user=rc.split()
|
|
- role = user[3]
|
|
- if role == "{":
|
|
- role = user[4]
|
|
- return role
|
|
+ prefix = user[3]
|
|
+ if prefix == "{":
|
|
+ prefix = user[4]
|
|
+ if len(prefix) > 2 and (prefix[-2:] == "_r" or prefix[-2:] == "_u"):
|
|
+ prefix = prefix[:-2]
|
|
+ return prefix
|
|
|
|
- def adduser(self, udict, user, seuser, role):
|
|
- if seuser == "user_u" or user == "__default__":
|
|
+ def adduser(self, udict, user, seuser, prefix):
|
|
+ if seuser == "user_u" or user == "__default__" or user == "system_u":
|
|
return
|
|
- # !!! chooses first role in the list to use in the file context !!!
|
|
- if role[-2:] == "_r" or role[-2:] == "_u":
|
|
- role = role[:-2]
|
|
+ # !!! chooses first prefix in the list to use in the file context !!!
|
|
try:
|
|
home = pwd.getpwnam(user)[5]
|
|
if home == "/":
|
|
@@ -217,7 +212,7 @@
|
|
return
|
|
prefs = {}
|
|
prefs["seuser"] = seuser
|
|
- prefs["role"] = role
|
|
+ prefs["prefix"] = prefix
|
|
prefs["home"] = home
|
|
udict[user] = prefs
|
|
|
|
@@ -229,7 +224,7 @@
|
|
user=[]
|
|
seuser = semanage_seuser_by_idx(list, idx)
|
|
seusername=semanage_seuser_get_sename(seuser)
|
|
- self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername))
|
|
+ self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.get_default_prefix(seusername))
|
|
|
|
else:
|
|
try:
|
|
@@ -242,8 +237,8 @@
|
|
if len(user) < 2:
|
|
continue
|
|
|
|
- role=self.getOldRole(user[1])
|
|
- self.adduser(udict, user[0], user[1], role)
|
|
+ prefix=self.get_old_prefix(user[1])
|
|
+ self.adduser(udict, user[0], user[1], prefix)
|
|
fd.close()
|
|
except IOError, error:
|
|
# Must be install so force add of root
|
|
@@ -251,40 +246,37 @@
|
|
|
|
return udict
|
|
|
|
- def getHomeDirContext(self, user, seuser, home, role):
|
|
+ def getHomeDirContext(self, user, seuser, home, prefix):
|
|
ret="\n\n#\n# Home Context for user %s\n#\n\n" % user
|
|
fd=open(self.getHomeDirTemplate(), 'r')
|
|
for i in fd.read().split('\n'):
|
|
if i.startswith("HOME_DIR") == 1:
|
|
i=i.replace("HOME_DIR", home)
|
|
- i=i.replace("ROLE", role)
|
|
+ i=i.replace("ROLE", prefix)
|
|
i=i.replace("system_u", seuser)
|
|
ret = ret+i+"\n"
|
|
fd.close()
|
|
return ret
|
|
|
|
- def getUserContext(self, user, sel_user, role):
|
|
+ def getUserContext(self, user, sel_user, prefix):
|
|
ret=""
|
|
fd=open(self.getHomeDirTemplate(), 'r')
|
|
for i in fd.read().split('\n'):
|
|
if i.find("USER") == 1:
|
|
i=i.replace("USER", user)
|
|
- i=i.replace("ROLE", role)
|
|
+ i=i.replace("ROLE", prefix)
|
|
i=i.replace("system_u", sel_user)
|
|
ret=ret+i+"\n"
|
|
fd.close()
|
|
return ret
|
|
|
|
def genHomeDirContext(self):
|
|
- if self.semanaged and grep(self.getHomeDirTemplate(), "ROLE") != "":
|
|
- warning("genhomedircon: Warning! No support yet for expanding ROLE macros in the %s file when using libsemanage." % self.getHomeDirTemplate());
|
|
- warning("genhomedircon: You must manually update file_contexts.homedirs for any non-user_r users (including root).");
|
|
users = self.getUsers()
|
|
ret=""
|
|
- # Fill in HOME and ROLE for users that are defined
|
|
+ # Fill in HOME and prefix for users that are defined
|
|
for u in users.keys():
|
|
- ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["role"])
|
|
- ret += self.getUserContext (u, users[u]["seuser"], users[u]["role"])
|
|
+ ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["prefix"])
|
|
+ ret += self.getUserContext (u, users[u]["seuser"], users[u]["prefix"])
|
|
return ret+"\n"
|
|
|
|
def checkExists(self, home):
|
|
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-1.29.20/semanage/seobject.py
|
|
--- nsapolicycoreutils/semanage/seobject.py 2006-02-02 12:08:04.000000000 -0500
|
|
+++ policycoreutils-1.29.20/semanage/seobject.py 2006-02-10 11:48:59.000000000 -0500
|
|
@@ -21,8 +21,11 @@
|
|
#
|
|
#
|
|
|
|
-import pwd, string, selinux, tempfile, os, re
|
|
+import pwd, string, selinux, tempfile, os, re, sys
|
|
from semanage import *;
|
|
+import audit
|
|
+
|
|
+audit_fd=audit.audit_open()
|
|
|
|
def validate_level(raw):
|
|
sensitivity="s([0-9]|1[0-5])"
|
|
@@ -170,119 +173,145 @@
|
|
if sename == "":
|
|
sename = "user_u"
|
|
|
|
- (rc,k) = semanage_seuser_key_create(self.sh, name)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not create a key for %s" % name)
|
|
-
|
|
- (rc,exists) = semanage_seuser_exists(self.sh, k)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not check if login mapping for %s is defined" % name)
|
|
- if exists:
|
|
- raise ValueError("Login mapping for %s is already defined" % name)
|
|
try:
|
|
- pwd.getpwnam(name)
|
|
- except:
|
|
- raise ValueError("Linux User %s does not exist" % name)
|
|
-
|
|
- (rc,u) = semanage_seuser_create(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not create login mapping for %s" % name)
|
|
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not create a key for %s" % name)
|
|
|
|
- rc = semanage_seuser_set_name(self.sh, u, name)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not set name for %s" % name)
|
|
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
|
|
+ if exists:
|
|
+ raise ValueError("Login mapping for %s is already defined" % name)
|
|
+ try:
|
|
+ pwd.getpwnam(name)
|
|
+ except:
|
|
+ raise ValueError("Linux User %s does not exist" % name)
|
|
|
|
- rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not set MLS range for %s" % name)
|
|
+ (rc,u) = semanage_seuser_create(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not create login mapping for %s" % name)
|
|
|
|
- rc = semanage_seuser_set_sename(self.sh, u, sename)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not set SELinux user for %s" % name)
|
|
+ rc = semanage_seuser_set_name(self.sh, u, name)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not set name for %s" % name)
|
|
|
|
- rc = semanage_begin_transaction(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not start semanage transaction")
|
|
+ rc = semanage_seuser_set_mlsrange(self.sh, u, serange)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not set MLS range for %s" % name)
|
|
|
|
- rc = semanage_seuser_modify_local(self.sh, k, u)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not add login mapping for %s" % name)
|
|
+ rc = semanage_seuser_set_sename(self.sh, u, sename)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not set SELinux user for %s" % name)
|
|
|
|
- rc = semanage_commit(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not add login mapping for %s" % name)
|
|
+ rc = semanage_begin_transaction(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not start semanage transaction")
|
|
|
|
+ rc = semanage_seuser_modify_local(self.sh, k, u)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not add login mapping for %s" % name)
|
|
+
|
|
+ rc = semanage_commit(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not add login mapping for %s" % name)
|
|
+
|
|
+ except ValueError, error:
|
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 0);
|
|
+ raise error
|
|
+
|
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user mapping", name, 0, sename, "", serange, "", "", "", "", "", "", 1);
|
|
semanage_seuser_key_free(k)
|
|
semanage_seuser_free(u)
|
|
|
|
def modify(self, name, sename = "", serange = ""):
|
|
- if sename == "" and serange == "":
|
|
- raise ValueError("Requires seuser or serange")
|
|
+ oldsename=""
|
|
+ oldserange=""
|
|
+ try:
|
|
+ if sename == "" and serange == "":
|
|
+ raise ValueError("Requires seuser or serange")
|
|
|
|
- (rc,k) = semanage_seuser_key_create(self.sh, name)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not create a key for %s" % name)
|
|
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not create a key for %s" % name)
|
|
|
|
- (rc,exists) = semanage_seuser_exists(self.sh, k)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not check if login mapping for %s is defined" % name)
|
|
- if not exists:
|
|
- raise ValueError("Login mapping for %s is not defined" % name)
|
|
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
|
|
+ if not exists:
|
|
+ raise ValueError("Login mapping for %s is not defined" % name)
|
|
|
|
- (rc,u) = semanage_seuser_query(self.sh, k)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not query seuser for %s" % name)
|
|
+ (rc,u) = semanage_seuser_query(self.sh, k)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not query seuser for %s" % name)
|
|
|
|
- if serange != "":
|
|
- semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
|
|
- if sename != "":
|
|
- semanage_seuser_set_sename(self.sh, u, sename)
|
|
+ oldserange=semanage_seuser_get_mlsrange(u)
|
|
+ oldsename=semanage_seuser_get_sename(u)
|
|
+ if serange != "":
|
|
+ semanage_seuser_set_mlsrange(self.sh, u, untranslate(serange))
|
|
+ else:
|
|
+ serange=oldserange
|
|
+ if sename != "":
|
|
+ semanage_seuser_set_sename(self.sh, u, sename)
|
|
+ else:
|
|
+ sename=oldsename
|
|
|
|
- rc = semanage_begin_transaction(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not srart semanage transaction")
|
|
+ rc = semanage_begin_transaction(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not srart semanage transaction")
|
|
|
|
- rc = semanage_seuser_modify_local(self.sh, k, u)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not modify login mapping for %s" % name)
|
|
-
|
|
- rc = semanage_commit(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not modify login mapping for %s" % name)
|
|
+ rc = semanage_seuser_modify_local(self.sh, k, u)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not modify login mapping for %s" % name)
|
|
+
|
|
+ rc = semanage_commit(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not modify login mapping for %s" % name)
|
|
|
|
+ except ValueError, error:
|
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, "", oldsename, "", oldserange, "", "", "", 0);
|
|
+ raise error
|
|
+
|
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify selinux user mapping", name, 0, sename, "", serange, oldsename, "", oldserange, "", 1);
|
|
semanage_seuser_key_free(k)
|
|
semanage_seuser_free(u)
|
|
|
|
def delete(self, name):
|
|
- (rc,k) = semanage_seuser_key_create(self.sh, name)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not create a key for %s" % name)
|
|
+ try:
|
|
+ (rc,k) = semanage_seuser_key_create(self.sh, name)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not create a key for %s" % name)
|
|
|
|
- (rc,exists) = semanage_seuser_exists(self.sh, k)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not check if login mapping for %s is defined" % name)
|
|
- if not exists:
|
|
- raise ValueError("Login mapping for %s is not defined" % name)
|
|
+ (rc,exists) = semanage_seuser_exists(self.sh, k)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
|
|
+ if not exists:
|
|
+ raise ValueError("Login mapping for %s is not defined" % name)
|
|
|
|
- (rc,exists) = semanage_seuser_exists_local(self.sh, k)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not check if login mapping for %s is defined" % name)
|
|
- if not exists:
|
|
- raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name)
|
|
+ (rc,exists) = semanage_seuser_exists_local(self.sh, k)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not check if login mapping for %s is defined" % name)
|
|
+ if not exists:
|
|
+ raise ValueError("Login mapping for %s is defined in policy, cannot be deleted" % name)
|
|
|
|
- rc = semanage_begin_transaction(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not start semanage transaction")
|
|
+ rc = semanage_begin_transaction(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not start semanage transaction")
|
|
|
|
- rc = semanage_seuser_del_local(self.sh, k)
|
|
+ rc = semanage_seuser_del_local(self.sh, k)
|
|
|
|
- if rc < 0:
|
|
- raise ValueError("Could not delete login mapping for %s" % name)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not delete login mapping for %s" % name)
|
|
|
|
- rc = semanage_commit(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not delete login mapping for %s" % name)
|
|
-
|
|
+ rc = semanage_commit(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not delete login mapping for %s" % name)
|
|
+
|
|
+ except ValueError, error:
|
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 0);
|
|
+ raise error
|
|
+
|
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user mapping", name, 0, name, "", "", "", "", "", "", "", "", 1);
|
|
semanage_seuser_key_free(k)
|
|
|
|
|
|
@@ -322,127 +351,145 @@
|
|
else:
|
|
selevel = untranslate(selevel)
|
|
|
|
- (rc,k) = semanage_user_key_create(self.sh, name)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not create a key for %s" % name)
|
|
-
|
|
- (rc,exists) = semanage_user_exists(self.sh, k)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not check if SELinux user %s is defined" % name)
|
|
- if exists:
|
|
- raise ValueError("SELinux user %s is already defined" % name)
|
|
+ seroles=" ".join(roles)
|
|
+ try:
|
|
+ (rc,k) = semanage_user_key_create(self.sh, name)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not create a key for %s" % name)
|
|
|
|
- (rc,u) = semanage_user_create(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not create SELinux user for %s" % name)
|
|
+ (rc,exists) = semanage_user_exists(self.sh, k)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
|
|
+ if exists:
|
|
+ raise ValueError("SELinux user %s is already defined" % name)
|
|
|
|
- rc = semanage_user_set_name(self.sh, u, name)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not set name for %s" % name)
|
|
+ (rc,u) = semanage_user_create(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not create SELinux user for %s" % name)
|
|
|
|
- for r in roles:
|
|
- rc = semanage_user_add_role(self.sh, u, r)
|
|
+ rc = semanage_user_set_name(self.sh, u, name)
|
|
if rc < 0:
|
|
- raise ValueError("Could not add role %s for %s" % (r, name))
|
|
+ raise ValueError("Could not set name for %s" % name)
|
|
|
|
- rc = semanage_user_set_mlsrange(self.sh, u, serange)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not set MLS range for %s" % name)
|
|
+ for r in roles:
|
|
+ rc = semanage_user_add_role(self.sh, u, r)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not add role %s for %s" % (r, name))
|
|
|
|
- rc = semanage_user_set_mlslevel(self.sh, u, selevel)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not set MLS level for %s" % name)
|
|
+ rc = semanage_user_set_mlsrange(self.sh, u, serange)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not set MLS range for %s" % name)
|
|
|
|
- (rc,key) = semanage_user_key_extract(self.sh,u)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not extract key for %s" % name)
|
|
+ rc = semanage_user_set_mlslevel(self.sh, u, selevel)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not set MLS level for %s" % name)
|
|
|
|
- rc = semanage_begin_transaction(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not start semanage transaction")
|
|
+ (rc,key) = semanage_user_key_extract(self.sh,u)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not extract key for %s" % name)
|
|
|
|
- rc = semanage_user_modify_local(self.sh, k, u)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not add SELinux user %s" % name)
|
|
+ rc = semanage_begin_transaction(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not start semanage transaction")
|
|
|
|
- rc = semanage_commit(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not add SELinux user %s" % name)
|
|
+ rc = semanage_user_modify_local(self.sh, k, u)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not add SELinux user %s" % name)
|
|
+
|
|
+ rc = semanage_commit(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not add SELinux user %s" % name)
|
|
|
|
+ except ValueError, error:
|
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 0);
|
|
+ raise error
|
|
+
|
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"add SELinux user record", name, 0, name, seroles, serange, "", "", "", "", "", "", 1);
|
|
semanage_user_key_free(k)
|
|
semanage_user_free(u)
|
|
|
|
def modify(self, name, roles = [], selevel = "", serange = ""):
|
|
- if len(roles) == 0 and serange == "" and selevel == "":
|
|
- raise ValueError("Requires roles, level or range")
|
|
+ try:
|
|
+ if len(roles) == 0 and serange == "" and selevel == "":
|
|
+ raise ValueError("Requires roles, level or range")
|
|
|
|
- (rc,k) = semanage_user_key_create(self.sh, name)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not create a key for %s" % name)
|
|
+ (rc,k) = semanage_user_key_create(self.sh, name)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not create a key for %s" % name)
|
|
|
|
- (rc,exists) = semanage_user_exists(self.sh, k)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not check if SELinux user %s is defined" % name)
|
|
- if not exists:
|
|
- raise ValueError("SELinux user %s is not defined" % name)
|
|
-
|
|
- (rc,u) = semanage_user_query(self.sh, k)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not query user for %s" % name)
|
|
+ (rc,exists) = semanage_user_exists(self.sh, k)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
|
|
+ if not exists:
|
|
+ raise ValueError("SELinux user %s is not defined" % name)
|
|
|
|
- if serange != "":
|
|
- semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
|
|
- if selevel != "":
|
|
- semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
|
|
-
|
|
- if len(roles) != 0:
|
|
- for r in roles:
|
|
- semanage_user_add_role(self.sh, u, r)
|
|
+ (rc,u) = semanage_user_query(self.sh, k)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not query user for %s" % name)
|
|
|
|
- rc = semanage_begin_transaction(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not start semanage transaction")
|
|
+ if serange != "":
|
|
+ semanage_user_set_mlsrange(self.sh, u, untranslate(serange))
|
|
+ if selevel != "":
|
|
+ semanage_user_set_mlslevel(self.sh, u, untranslate(selevel))
|
|
+
|
|
+ if len(roles) != 0:
|
|
+ for r in roles:
|
|
+ semanage_user_add_role(self.sh, u, r)
|
|
|
|
- rc = semanage_user_modify_local(self.sh, k, u)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not modify SELinux user %s" % name)
|
|
+ rc = semanage_begin_transaction(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not start semanage transaction")
|
|
|
|
- rc = semanage_commit(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not modify SELinux user %s" % name)
|
|
+ rc = semanage_user_modify_local(self.sh, k, u)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not modify SELinux user %s" % name)
|
|
+
|
|
+ rc = semanage_commit(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not modify SELinux user %s" % name)
|
|
+
|
|
+ except ValueError, error:
|
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 0);
|
|
+ raise error
|
|
|
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"modify SELinux user record", name, 0, seuser, seroles, serange, oldseuser, oldseroles, olrserange, "", 1);
|
|
semanage_user_key_free(k)
|
|
semanage_user_free(u)
|
|
|
|
def delete(self, name):
|
|
- (rc,k) = semanage_user_key_create(self.sh, name)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not create a key for %s" % name)
|
|
-
|
|
- (rc,exists) = semanage_user_exists(self.sh, k)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not check if SELinux user %s is defined" % name)
|
|
- if not exists:
|
|
- raise ValueError("SELinux user %s is not defined" % name)
|
|
+ try:
|
|
+ (rc,k) = semanage_user_key_create(self.sh, name)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not create a key for %s" % name)
|
|
+
|
|
+ (rc,exists) = semanage_user_exists(self.sh, k)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
|
|
+ if not exists:
|
|
+ raise ValueError("SELinux user %s is not defined" % name)
|
|
|
|
- (rc,exists) = semanage_user_exists_local(self.sh, k)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not check if SELinux user %s is defined" % name)
|
|
- if not exists:
|
|
- raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name)
|
|
+ (rc,exists) = semanage_user_exists_local(self.sh, k)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not check if SELinux user %s is defined" % name)
|
|
+ if not exists:
|
|
+ raise ValueError("SELinux user %s is defined in policy, cannot be deleted" % name)
|
|
|
|
- rc = semanage_begin_transaction(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not start semanage transaction")
|
|
+ rc = semanage_begin_transaction(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not start semanage transaction")
|
|
|
|
- rc = semanage_user_del_local(self.sh, k)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not delete SELinux user %s" % name)
|
|
+ rc = semanage_user_del_local(self.sh, k)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not delete SELinux user %s" % name)
|
|
|
|
- rc = semanage_commit(self.sh)
|
|
- if rc < 0:
|
|
- raise ValueError("Could not delete SELinux user %s" % name)
|
|
+ rc = semanage_commit(self.sh)
|
|
+ if rc < 0:
|
|
+ raise ValueError("Could not delete SELinux user %s" % name)
|
|
+ except ValueError, error:
|
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 0);
|
|
+ raise error
|
|
|
|
+ audit.audit_log_semanage_message(audit_fd, audit.AUDIT_USER_ROLE_CHANGE, sys.argv[0],"delete SELinux user record", name, 0, "", "", "", "", "", "", "", "", "", 1);
|
|
semanage_user_key_free(k)
|
|
|
|
def get_all(self):
|