
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
Date: Sun, 07 Feb 2021 03:20:09
Message-Id: 1612644851.c7d0c5c923977ecd27f6e3464d12b296151c17ad.perfinion@gentoo
1 commit: c7d0c5c923977ecd27f6e3464d12b296151c17ad
2 Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com>
3 AuthorDate: Sun Jan 31 20:50:11 2021 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sat Feb 6 20:54:11 2021 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c7d0c5c9
7
8 genhomedircon: drop backwards compatibility section
9
10 Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
11 Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
12
13 support/genhomedircon.py | 162 +----------------------------------------------
14 1 file changed, 1 insertion(+), 161 deletions(-)
15
16 diff --git a/support/genhomedircon.py b/support/genhomedircon.py
17 index bb4e5061..e9d72067 100644
18 --- a/support/genhomedircon.py
19 +++ b/support/genhomedircon.py
20 @@ -40,7 +40,7 @@
21 # are always "real" (including root, in the default configuration).
22 #
23
24 -import sys, os, pwd, getopt, re
25 +import sys, pwd, getopt, re
26 from subprocess import getstatusoutput
27
28 EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
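Review bot: The new import line still pulls in `re`, but every use of it visible in this commit is in the section being deleted (`re.sub`/`re.search` in the old prefix matching and the `LU_HOMEDIRECTORY` sanitiser), so it may now be as dead as `os` was. I cannot see the rest of the file from this chunk; if nothing outside these hunks references `re`, the line should become `import sys, pwd, getopt` so the cleanup is complete. `getstatusoutput` is still used by `getDefaultHomeDir` below and should stay.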
29 @@ -69,162 +69,6 @@ def getStartingUID():
30 starting_uid = 500
31 return starting_uid
32
33 -#############################################################################
34 -#
35 -# This section is just for backwards compatibility
36 -#
37 -#############################################################################
38 -def getPrefixes():
39 - ulist = pwd.getpwall()
40 - STARTING_UID=getStartingUID()
41 - prefixes = {}
42 - for u in ulist:
43 - if u[2] >= STARTING_UID and \
44 - not u[6] in EXCLUDE_LOGINS and \
45 - u[5] != "/" and \
46 - u[5].count("/") > 1:
47 - prefix = u[5][:u[5].rfind("/")]
48 - if not prefix in prefixes:
49 - prefixes[prefix] = ""
50 - return prefixes
51 -
52 -def getUsers(filecontextdir):
53 - rc = getstatusoutput("grep ^user %s/users" % filecontextdir)
54 - udict = {}
55 - if rc[0] == 0:
56 - ulist = rc[1].strip().split("\n")
57 - for u in ulist:
58 - user = u.split()
59 - try:
60 - if user[1] == "user_u" or user[1] == "system_u":
61 - continue
62 - # !!! chooses first role in the list to use in the file context !!!
63 - role = user[3]
64 - if role == "{":
65 - role = user[4]
66 - role = role.split("_r")[0]
67 - home = pwd.getpwnam(user[1])[5]
68 - if home == "/":
69 - continue
70 - prefs = {}
71 - prefs["role"] = role
72 - prefs["home"] = home
73 - udict[user[1]] = prefs
74 - except KeyError:
75 - sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
76 - return udict
77 -
78 -def update(filecontext, user, prefs):
79 - rc=getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
80 - if rc[0] == 0:
81 - print(rc[1])
82 - else:
83 - errorExit("grep/sed error " + rc[1])
84 - return rc
85 -
86 -def oldgenhomedircon(filecontextdir, filecontext):
87 - sys.stderr.flush()
88 -
89 - if os.path.isdir(filecontextdir) == 0:
90 - sys.stderr.write("New usage is the following\n")
91 - usage()
92 - #We are going to define home directory used by libuser and show-utils as a home directory root
93 - prefixes = {}
94 - rc=getstatusoutput("grep -h '^HOME' /etc/default/useradd")
95 - if rc[0] == 0:
96 - homedir = rc[1].split("=")[1]
97 - homedir = homedir.split("#")[0]
98 - homedir = homedir.strip()
99 - if not homedir in prefixes:
100 - prefixes[homedir] = ""
101 - else:
102 - #rc[0] == 256 means the file was there, we read it, but the grep didn't match
103 - if rc[0] != 256:
104 - sys.stderr.write("%s\n" % rc[1])
105 - sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
106 - sys.stderr.flush()
107 -
108 -
109 - rc=getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
110 - if rc[0] == 0:
111 - homedir = rc[1].split("=")[1]
112 - homedir = homedir.split("#")[0]
113 - homedir = homedir.strip()
114 - homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
115 - if not homedir in prefixes:
116 - prefixes[homedir] = ""
117 -
118 - #the idea is that we need to find all of the home_root_t directories we do this by just accepting
119 - #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
120 - #we then get the potential home directory roots from /etc/passwd or nis or wherever and look at
121 - #the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs
122 - #is then checked to see if it has an explicit context defined in the file_contexts. Explicit
123 - #is any regex that would match it which does not end with .*$ or .+$ since those are general
124 - #recursive matches. We then take any regex which ends with [pattern](/.*)?$ and just check against
125 - #[pattern]
126 - potential_prefixes = getPrefixes()
127 - prefix_regex = {}
128 - #this works by grepping the file_contexts for
129 - # 1. ^/ makes sure this is not a comment
130 - # 2. prints only the regex in the first column first cut on \t then on space
131 - rc=getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % (sys.argv[2]) )
132 - if rc[0] == 0:
133 - prefix_regex = rc[1].split("\n")
134 - else:
135 - sys.stderr.write("%s\n" % rc[1])
136 - sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
137 - sys.stderr.flush()
138 - for potential in potential_prefixes.keys():
139 - addme = 1
140 - for regex in prefix_regex:
141 - #match a trailing (/*)? which is actually a bug in rpc_pipefs
142 - regex = re.sub(r"\(/\*\)\?$", "", regex)
143 - #match a trailing .+
144 - regex = re.sub(r"\.+$", "", regex)
145 - #match a trailing .*
146 - regex = re.sub(r"\.\*$", "", regex)
147 - #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
148 - regex = re.sub(r"\(\/\.\*\)\?", "", regex)
149 - regex = regex + "/*$"
150 - if re.search(regex, potential, 0):
151 - addme = 0
152 - if addme == 1:
153 - if not potential in prefixes:
154 - prefixes[potential] = ""
155 -
156 -
157 - if prefixes.__eq__({}):
158 - sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
159 - sys.stderr.write("HOME= not set in /etc/default/useradd\n")
160 - sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
161 - sys.stderr.write("Assuming /home is the root of home directories\n")
162 - sys.stderr.flush()
163 - prefixes["/home"] = ""
164 -
165 - # There may be a more elegant sed script to expand a macro to multiple lines, but this works
166 - sed_root = "h; s|^HOME_ROOT|%s|" % (prefixes.keys() + "|; p; g; s|^HOME_ROOT|")
167 - sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (prefixes.keys() + "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|")
168 -
169 - # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
170 - rc=getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
171 - if rc[0] == 0:
172 - print(rc[1])
173 - else:
174 - errorExit("sed error " + rc[1])
175 -
176 - users = getUsers(filecontextdir)
177 - print("\n#\n# User-specific file contexts\n#\n")
178 -
179 - # Fill in HOME and ROLE for users that are defined
180 - for u in users.keys():
181 - update(filecontext, u, users[u])
182 -
183 -#############################################################################
184 -#
185 -# End of backwards compatibility section
186 -#
187 -#############################################################################
188 -
189 def getDefaultHomeDir():
190 ret = []
191 rc=getstatusoutput("grep -h '^HOME' /etc/default/useradd")
192 @@ -466,10 +310,6 @@ try:
193 if setype is None:
194 setype=getSELinuxType(directory)
195
196 - if len(cmds) == 2:
197 - oldgenhomedircon(cmds[0], cmds[1])
198 - sys.exit(0)
199 -
200 if len(cmds) != 0:
201 usage()
202 selconf=selinuxConfig(directory, setype, usepwd)
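Review bot: Removing the two-argument dispatch is a user-visible CLI change that the commit message does not spell out: an invocation of the old form `genhomedircon <filecontextdir> <filecontext>` now falls through to the `if len(cmds) != 0: usage()` check rather than being handled. If `usage()` still describes that form, or any wrapper script in the tree still calls it, they need updating; I cannot see `usage()` from this chunk, so please confirm. A one-line mention in the commit message, e.g. `The legacy "genhomedircon FILECONTEXTDIR FILECONTEXT" invocation is no longer accepted.`, would help anyone bisecting a broken policy build. The enclosing `try:` block starts and ends outside this hunk.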