| 1 |
commit: b4d183812aec480eae859f4c32d20829a8ff53bf |
| 2 |
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com> |
| 3 |
AuthorDate: Sun Jan 31 20:50:23 2021 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sat Feb 6 20:54:11 2021 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b4d18381 |
| 7 |
|
| 8 |
genhomedircon: generate file contexts for %{USERNAME} and %{USERID} |
| 9 |
|
| 10 |
Generate substituted file contexts for templated paths containing |
| 11 |
%{USERNAME} or %{USERID}, like semodules' genhomedircon. |
| 12 |
|
| 13 |
Example: |
| 14 |
/run/user/%{USERID} -d gen_context(system_u:object_r:user_runtime_t,s0) |
| 15 |
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com> |
| 16 |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
| 17 |
|
| 18 |
support/genhomedircon.py | 24 +++++++++++++++++------- |
| 19 |
1 file changed, 17 insertions(+), 7 deletions(-) |
| 20 |
|
| 21 |
diff --git a/support/genhomedircon.py b/support/genhomedircon.py |
| 22 |
index 13e9c9e8..0490f724 100644 |
| 23 |
--- a/support/genhomedircon.py |
| 24 |
+++ b/support/genhomedircon.py |
| 25 |
@@ -168,7 +168,6 @@ class selinuxConfig: |
| 26 |
if rc[0] == 0: |
| 27 |
users+=rc[1] |
| 28 |
udict = {} |
| 29 |
- prefs = {} |
| 30 |
if users != "": |
| 31 |
ulist = users.split("\n") |
| 32 |
for u in ulist: |
| 33 |
@@ -181,20 +180,31 @@ class selinuxConfig: |
| 34 |
if role == "{": |
| 35 |
role = user[4] |
| 36 |
role = role.split("_r")[0] |
| 37 |
- home = pwd.getpwnam(user[1])[5] |
| 38 |
+ pwdentry = pwd.getpwnam(user[1]) |
| 39 |
+ home = pwdentry[5] |
| 40 |
if home == "/": |
| 41 |
continue |
| 42 |
prefs = {} |
| 43 |
prefs["role"] = role |
| 44 |
prefs["home"] = home |
| 45 |
+ prefs["name"] = pwdentry[0] |
| 46 |
+ prefs["uid"] = pwdentry[2] |
| 47 |
udict[user[1]] = prefs |
| 48 |
except KeyError: |
| 49 |
sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1]) |
| 50 |
return udict |
| 51 |
|
| 52 |
- def getHomeDirContext(self, user, home, role): |
| 53 |
- ret="\n\n#\n# Context for user %s\n#\n\n" % user |
| 54 |
- rc=getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user)) |
| 55 |
+ def getHomeDirContext(self, seuser, home, role, username, userid): |
| 56 |
+ ret = "\n\n#\n# Context for user %s\n#\n\n" % seuser |
| 57 |
+ rc = getstatusoutput("grep -E '^HOME_DIR|%%{USERID}|%%{USERNAME}' %s | sed" |
| 58 |
+ " -e 's|HOME_DIR|%s|'" |
| 59 |
+ " -e 's|ROLE|%s|'" |
| 60 |
+ " -e 's|system_u|%s|'" |
| 61 |
+ " -e 's|%%{USERID}|%s|'" |
| 62 |
+ " -e 's|%%{USERNAME}|%s|'" |
| 63 |
+ % (self.getHomeDirTemplate(), home, role, seuser, userid, username)) |
| 64 |
+ if rc[0] != 0: |
| 65 |
+ errorExit("sed error (" + str(rc[0]) + "): " + rc[1]) |
| 66 |
return ret + rc[1] + "\n" |
| 67 |
|
| 68 |
def genHomeDirContext(self): |
| 69 |
@@ -202,7 +212,7 @@ class selinuxConfig: |
| 70 |
ret="" |
| 71 |
# Fill in HOME and ROLE for users that are defined |
| 72 |
for u in users.keys(): |
| 73 |
- ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"]) |
| 74 |
+ ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"], users[u]["name"], users[u]["uid"]) |
| 75 |
return ret+"\n" |
| 76 |
|
| 77 |
def checkExists(self, home): |
| 78 |
@@ -263,7 +273,7 @@ class selinuxConfig: |
| 79 |
def genoutput(self): |
| 80 |
ret= self.heading() |
| 81 |
for h in self.getHomeDirs(): |
| 82 |
- ret += self.getHomeDirContext ("user_u" , h+'/[^/]+', "user") |
| 83 |
+ ret += self.getHomeDirContext ("user_u" , h+'/[^/]+', "user", "[^/]+", "[0-9]+") |
| 84 |
ret += self.getHomeRootContext(h) |
| 85 |
ret += self.genHomeDirContext() |
| 86 |
return ret |
Archives