SELinux Mailing List — Re: I am concerned about putting genhomedircon changes in libsemanage into Fedora 8.
From: Todd C. Miller <tmiller_at_tresys.com>
Date: Wed, 26 Sep 2007 16:01:28 -0400 (EDT)
Index: libsemanage/src/genhomedircon.c
typedef struct user_entry {
return retval;
-static int write_home_dir_context(FILE * out, semanage_list_t * tpl, - const char *user, const char *seuser, - const char *home, const char *role_prefix)+static const char * extract_context(Ustr *line) { + const char whitespace[] = " \t\n"; + size_t off, len; + + /* check for trailing whitespace */ + off = ustr_spn_chrs_rev(line, 0, whitespace, strlen(whitespace)); + + /* find the length of the last field in line */ + len = ustr_cspn_chrs_rev(line, off, whitespace, strlen(whitespace)); + + if (len == 0) + return NULL; + return ustr_cstr(line) + ustr_len(line) - (len + off); +} + +static int check_line(genhomedircon_settings_t * s, Ustr *line) +{ + sepol_context_t *ctx_record = NULL; + const char *ctx_str; + int result; + + ctx_str = extract_context(line); + if (!ctx_str) + return STATUS_ERR; + + result = sepol_context_from_string(s->h_semanage->sepolh, + ctx_str, &ctx_record); + if (result == STATUS_SUCCESS && ctx_record != NULL) { + result = sepol_context_check(s->h_semanage->sepolh, + s->policydb, ctx_record); + sepol_context_free(ctx_record); + } + return result; +} + +static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out, + semanage_list_t * tpl, const char *user, + const char *seuser, const char *home, + const char *role_prefix) +{ replacement_pair_t repl[] = { {.search_for = TEMPLATE_SEUSER,.replace_with = seuser}, {.search_for = TEMPLATE_HOME_DIR,.replace_with = home}, @@ -369,8 +411,12 @@ for (; tpl; tpl = tpl->next) { line = replace_all(tpl->data, repl); - if (!line || !ustr_io_putfileline(&line, out)) + if (!line) goto fail; + if (check_line(s, line) == STATUS_SUCCESS) { + if (!ustr_io_putfileline(&line, out)) + goto fail; + } ustr_sc_free(&line); } return STATUS_SUCCESS; }
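Review bot: In the `@@ -369,8 +411,12 @@` hunk a template line that fails `check_line` is dropped from the generated file with no diagnostic, so a home directory that ends up unlabelled or mislabelled leaves no trace in the log, and an allocation or parse failure inside `sepol_context_from_string` is indistinguishable from a context the loaded policy actually rejects. The filter is also fail-open on one path: `check_line` returns `STATUS_SUCCESS` when `sepol_context_from_string` succeeds but leaves `ctx_record` NULL, and the line is then written without `sepol_context_check` ever running; an `else if (result == STATUS_SUCCESS) result = STATUS_ERR;` after the `if` in `check_line` closes that. At minimum the skipped line should be reported, e.g. `} else { ERR(s->h_semanage, "skipping line with invalid context: %s", ustr_cstr(line)); }` after the `if (check_line(s, line) == STATUS_SUCCESS)` block, using the `ERR` macro semanage_store.c already uses or a warning-level equivalent if the module has one. The `@@ -391,8 +437,12 @@` and `@@ -415,8 +466,12 @@` hunks repeat the same loop with the same silent skip; the three identical bodies could share one static helper that takes the `replacement_pair_t` table, so the logging and the fail-closed handling live in one place.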
-static int write_home_root_context(FILE * out, semanage_list_t * tpl,
- char *homedir)
replacement_pair_t repl[] = { {.search_for = TEMPLATE_HOME_ROOT,.replace_with = homedir}, @@ -391,8 +437,12 @@ for (; tpl; tpl = tpl->next) { line = replace_all(tpl->data, repl); - if (!line || !ustr_io_putfileline(&line, out)) + if (!line) goto fail; + if (check_line(s, line) == STATUS_SUCCESS) { + if (!ustr_io_putfileline(&line, out)) + goto fail; + } ustr_sc_free(&line); } return STATUS_SUCCESS; } -static int write_user_context(FILE * out, semanage_list_t * tpl, char *user, +static int write_user_context(genhomedircon_settings_t * s, FILE * out, + semanage_list_t * tpl, char *user, char *seuser, char *role_prefix) { replacement_pair_t repl[] = { @@ -415,8 +466,12 @@ for (; tpl; tpl = tpl->next) { line = replace_all(tpl->data, repl); - if (!line || !ustr_io_putfileline(&line, out)) + if (!line) goto fail; + if (check_line(s, line) == STATUS_SUCCESS) { + if (!ustr_io_putfileline(&line, out)) + goto fail; + } ustr_sc_free(&line); } return STATUS_SUCCESS; } -static int write_gen_home_dir_context(FILE * out, genhomedircon_settings_t * s, +static int write_gen_home_dir_context(genhomedircon_settings_t * s, FILE * out, semanage_list_t * user_context_tpl, semanage_list_t * homedir_context_tpl){ @@ -615,13 +670,13 @@ } for (; users; pop_user_entry(&users)) { - if (write_home_dir_context(out, homedir_context_tpl, + if (write_home_dir_context(s, out, homedir_context_tpl, users->name, users->sename, users->home, users->prefix)) { return STATUS_ERR; } - if (write_user_context(out, user_context_tpl, users->name, + if (write_user_context(s, out, user_context_tpl, users->name, users->sename, users->prefix)) { return STATUS_ERR; } 
@@ -690,13 +745,13 @@ ustr_sc_free(&temp); } - if (write_user_context(out, user_context_tpl, + if (write_user_context(s, out, user_context_tpl, ".*", FALLBACK_USER, FALLBACK_USER_PREFIX) != STATUS_SUCCESS) { retval = STATUS_ERR; goto done; } - if (write_gen_home_dir_context(out, s, user_context_tpl, + if (write_gen_home_dir_context(s, out, user_context_tpl, homedir_context_tpl) != STATUS_SUCCESS) { retval = STATUS_ERR; } } -int semanage_genhomedircon(semanage_handle_t * sh, int usepasswd) +int semanage_genhomedircon(semanage_handle_t * sh, + sepol_policydb_t * policydb, + int usepasswd) { genhomedircon_settings_t s; FILE *out = NULL; @@ -725,6 +782,7 @@ s.usepasswd = usepasswd; s.h_semanage = sh; + s.policydb = policydb; if (!(out = fopen(s.fcfilepath, "w"))) { /* couldn't open output file */ Index: libsemanage/src/genhomedircon.h
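Review bot: In the `@@ -725,6 +782,7 @@` hunk `s.policydb = policydb;` stores the new argument without checking it, and `check_line` hands `s->policydb` straight to `sepol_context_check`, so a caller passing NULL would presumably fault inside libsepol instead of getting an error return. Since the prototype added to genhomedircon.h does not say the policy is required, either document it there (`/* policydb: loaded policy used to validate every generated context; must not be NULL */`) or reject it up front, e.g. `if (!policydb) return STATUS_ERR;` before the `fopen`, if the function's early-return convention allows it. The body of semanage_genhomedircon begins and ends outside this hunk.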
#include "utilities.h" -int semanage_genhomedircon(semanage_handle_t * sh, int usepasswd); +int semanage_genhomedircon(semanage_handle_t * sh, + sepol_policydb_t * policydb, int usepasswd);
#endif
if (sh->do_rebuild || modified) { - retval = semanage_install_sandbox(sh); + retval = semanage_install_sandbox(sh, out); } cleanup: Index: libsemanage/src/semanage_store.c
@@ -1294,7 +1295,7 @@ } if (!sh->conf->disable_genhomedircon) { if ((retval = - semanage_genhomedircon(sh, TRUE)) != 0) { + semanage_genhomedircon(sh, policydb, TRUE)) != 0) { ERR(sh, "semanage_genhomedircon returned error code %d.", retval); goto cleanup; Index: libsemanage/src/semanage_store.h
-int semanage_install_sandbox(semanage_handle_t * sh);
-
sepol_policydb_t * policydb); -int semanage_install_sandbox(semanage_handle_t * sh); +int semanage_install_sandbox(semanage_handle_t * sh, + sepol_policydb_t * policydb); int semanage_verify_modules(semanage_handle_t * sh, char **module_filenames, int num_modules); -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.Received on Wed 26 Sep 2007 - 16:01:59 EDT |