commit: c7d0c5c923977ecd27f6e3464d12b296151c17ad |
Author: Christian Göttsche <cgzones <AT> googlemail <DOT> com> |
AuthorDate: Sun Jan 31 20:50:11 2021 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sat Feb 6 20:54:11 2021 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c7d0c5c9 |
|
genhomedircon: drop backwards compatibility section |
|
Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
support/genhomedircon.py | 162 +---------------------------------------------- |
1 file changed, 1 insertion(+), 161 deletions(-) |
|
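--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -40,7 +40,7 @@
 # are always "real" (including root, in the default configuration).
 #
 
-import sys, os, pwd, getopt, re
+import sys, pwd, getopt, re
 from subprocess import getstatusoutput
 
 EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
@@ -69,162 +69,6 @@ def getStartingUID():
 starting_uid = 500
 return starting_uid
 
-#############################################################################
-#
-# This section is just for backwards compatibility
-#
-#############################################################################
-def getPrefixes():
- ulist = pwd.getpwall()
- STARTING_UID=getStartingUID()
- prefixes = {}
- for u in ulist:
- if u[2] >= STARTING_UID and \
- not u[6] in EXCLUDE_LOGINS and \
- u[5] != "/" and \
- u[5].count("/") > 1:
- prefix = u[5][:u[5].rfind("/")]
- if not prefix in prefixes:
- prefixes[prefix] = ""
- return prefixes
-
-def getUsers(filecontextdir):
- rc = getstatusoutput("grep ^user %s/users" % filecontextdir)
- udict = {}
- if rc[0] == 0:
- ulist = rc[1].strip().split("\n")
- for u in ulist:
- user = u.split()
- try:
- if user[1] == "user_u" or user[1] == "system_u":
- continue
- # !!! chooses first role in the list to use in the file context !!!
- role = user[3]
- if role == "{":
- role = user[4]
- role = role.split("_r")[0]
- home = pwd.getpwnam(user[1])[5]
- if home == "/":
- continue
- prefs = {}
- prefs["role"] = role
- prefs["home"] = home
- udict[user[1]] = prefs
- except KeyError:
- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
- return udict
-
-def update(filecontext, user, prefs):
- rc=getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
- if rc[0] == 0:
- print(rc[1])
- else:
- errorExit("grep/sed error " + rc[1])
- return rc
-
-def oldgenhomedircon(filecontextdir, filecontext):
- sys.stderr.flush()
-
- if os.path.isdir(filecontextdir) == 0:
- sys.stderr.write("New usage is the following\n")
- usage()
- #We are going to define home directory used by libuser and show-utils as a home directory root
- prefixes = {}
- rc=getstatusoutput("grep -h '^HOME' /etc/default/useradd")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not homedir in prefixes:
- prefixes[homedir] = ""
- else:
- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
- sys.stderr.flush()
-
-
- rc=getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
- if not homedir in prefixes:
- prefixes[homedir] = ""
-
- #the idea is that we need to find all of the home_root_t directories we do this by just accepting
- #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
- #we then get the potential home directory roots from /etc/passwd or nis or wherever and look at
- #the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs
- #is then checked to see if it has an explicit context defined in the file_contexts. Explicit
- #is any regex that would match it which does not end with .*$ or .+$ since those are general
- #recursive matches. We then take any regex which ends with [pattern](/.*)?$ and just check against
- #[pattern]
- potential_prefixes = getPrefixes()
- prefix_regex = {}
- #this works by grepping the file_contexts for
- # 1. ^/ makes sure this is not a comment
- # 2. prints only the regex in the first column first cut on \t then on space
- rc=getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % (sys.argv[2]) )
- if rc[0] == 0:
- prefix_regex = rc[1].split("\n")
- else:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
- sys.stderr.flush()
- for potential in potential_prefixes.keys():
- addme = 1
- for regex in prefix_regex:
- #match a trailing (/*)? which is actually a bug in rpc_pipefs
- regex = re.sub(r"\(/\*\)\?$", "", regex)
- #match a trailing .+
- regex = re.sub(r"\.+$", "", regex)
- #match a trailing .*
- regex = re.sub(r"\.\*$", "", regex)
- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
- regex = re.sub(r"\(\/\.\*\)\?", "", regex)
- regex = regex + "/*$"
- if re.search(regex, potential, 0):
- addme = 0
- if addme == 1:
- if not potential in prefixes:
- prefixes[potential] = ""
-
-
- if prefixes.__eq__({}):
- sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
- sys.stderr.write("HOME= not set in /etc/default/useradd\n")
- sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
- sys.stderr.write("Assuming /home is the root of home directories\n")
- sys.stderr.flush()
- prefixes["/home"] = ""
-
- # There may be a more elegant sed script to expand a macro to multiple lines, but this works
- sed_root = "h; s|^HOME_ROOT|%s|" % (prefixes.keys() + "|; p; g; s|^HOME_ROOT|")
- sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (prefixes.keys() + "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|")
-
- # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
- rc=getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
- if rc[0] == 0:
- print(rc[1])
- else:
- errorExit("sed error " + rc[1])
-
- users = getUsers(filecontextdir)
- print("\n#\n# User-specific file contexts\n#\n")
-
- # Fill in HOME and ROLE for users that are defined
- for u in users.keys():
- update(filecontext, u, users[u])
-
-#############################################################################
-#
-# End of backwards compatibility section
-#
-#############################################################################
-
 def getDefaultHomeDir():
 ret = []
 rc=getstatusoutput("grep -h '^HOME' /etc/default/useradd")
@@ -466,10 +310,6 @@ try:
 if setype is None:
 setype=getSELinuxType(directory)
 
- if len(cmds) == 2:
- oldgenhomedircon(cmds[0], cmds[1])
- sys.exit(0)
-
 if len(cmds) != 0:
 usage()
 selconf=selinuxConfig(directory, setype, usepwd)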
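Review bot: Dropping `os` from the import line in the first hunk is only safe if nothing left in `support/genhomedircon.py` still references it; `oldgenhomedircon` was the only visible user of `os.path.isdir`, but the remainder of the file is outside this diff, so a search for `os.` in the file before merging would confirm no stray use remains, since one would surface only at runtime as a `NameError`. The third hunk now routes any positional argument to `usage()`, so if the header comment near the top of the file or the `usage()` text still documents the legacy two-argument invocation, that wording should be removed in the same commit; `usage()` itself is defined outside the hunks shown.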