[patch 3/3] Remove legacy genhomedircon python script
Index: ghdc/policycoreutils/scripts/Makefile
- ghdc.orig/policycoreutils/scripts/Makefile
+++ ghdc/policycoreutils/scripts/Makefile
@@ -5,18 +5,14 @@ SBINDIR ?= $(PREFIX)/sbin
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
-TARGETS=genhomedircon
-
-all: $(TARGETS) fixfiles
+all: fixfiles
install: all
-mkdir -p $(BINDIR)
- install -m 755 $(TARGETS) $(SBINDIR)
install -m 755 chcat $(BINDIR)
install -m 755 fixfiles $(DESTDIR)/sbin
-mkdir -p $(MANDIR)/man8
install -m 644 fixfiles.8 $(MANDIR)/man8/
- install -m 644 genhomedircon.8 $(MANDIR)/man8/
install -m 644 chcat.8 $(MANDIR)/man8/
clean:
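Review bot: After this hunk `SBINDIR` (declared in the hunk's context line, `SBINDIR ?= $(PREFIX)/sbin`) appears to have no remaining reference, because its only visible consumer was the removed `install -m 755 $(TARGETS) $(SBINDIR)` line; unless it is used somewhere outside the hunk, the now-dead assignment should be dropped as well. The surviving `install -m 755 fixfiles $(DESTDIR)/sbin` line still writes to a literal `$(DESTDIR)/sbin` rather than a `SBINDIR`-derived path, so the two `install` lines in this rule disagree on how the destination is computed; while this rule is being edited it is worth harmonising them (how `PREFIX` relates to `DESTDIR` is not visible here, so the exact spelling is for the author). The `clean:` recipe continues outside the hunk; if it still references `$(TARGETS)`, that now expands to an empty string and should be cleaned up in the same change. `all`, `install` and `clean` are command targets rather than files and no `.PHONY` declaration is visible in the hunk, so adding `.PHONY: all install clean` would keep a stray file of one of those names from silently masking the target.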
Index: ghdc/policycoreutils/scripts/genhomedircon
- ghdc.orig/policycoreutils/scripts/genhomedircon
+++ /dev/null
@@ -1,386 +0,0 @@
-#! /usr/bin/python -E
-# Copyright (C) 2004 Tresys Technology, LLC
-# see file 'COPYING' for use and warranty information
-#
-# genhomedircon - this script is used to generate file context
-# configuration entries for user home directories based on their
-# default prefixes and is run when building the policy. Specifically, we
-# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
-# generic and user-specific values.
-#
-# Based off original script by Dan Walsh, <dwalsh@redhat.com>
-#
-# ASSUMPTIONS:
-#
-# The file CONTEXTDIR/files/homedir_template exists. This file is used to
-# set up the home directory context for each real user.
-#
-# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, prefix user
-#
-# "Real" users (as opposed to system users) are those whose UID is greater than
-# or equal STARTING_UID (usually 500) and whose login is not a member of
-# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers
-# are always "real" (including root, in the default configuration).
-#
-#
-
-import sys, os, pwd, string, getopt, re
-from semanage import *;
-import gettext
-gettext.install('policycoreutils')
-
-def grep(file, var):
- ret = ""
- fd = open(file, 'r')
-
- for i in fd.readlines():
- if re.search(var, i, 0) != None:
- ret = i
- break
- fd.close()
- return ret
-
-def findval(file, var, delim = ""):
- val = ""
- try:
- fd = open(file, 'r')
- for i in fd.readlines():
- if i.startswith(var) == 1:
- if delim == "":
- val = i.split()[1]
- else:
- val = i.split(delim)[1]
- val = val.split("#")[0]
- val = val.strip()
- fd.close()
- except:
- val = ""
- return val
-
-def getStartingUID():
- starting_uid = sys.maxint
- uid_min = findval("/etc/login.defs", "UID_MIN")
- if uid_min != "":
- uid_min = uid_min.split("#")[0]
- uid_min = uid_min.strip()
- if int(uid_min) < starting_uid:
- starting_uid = int(uid_min)
-
- uid_min = findval("/etc/libuser.conf", "LU_UIDNUMBER", "=")
- if uid_min != "":
- uid_min = uid_min.split("#")[0]
- uid_min = uid_min.strip()
- if int(uid_min) < starting_uid:
- starting_uid = int(uid_min)
-
- if starting_uid == sys.maxint:
- starting_uid = 500
- return starting_uid
-
-def getDefaultHomeDir():
- ret = []
- homedir = findval("/etc/default/useradd", "HOME", "=")
- if homedir != "" and not homedir in ret:
- ret.append(homedir)
-
- homedir = findval("/etc/libuser.conf", "LU_HOMEDIRECTORY", "=")
- if homedir != "" and not homedir in ret:
- ret.append(homedir)
-
- if ret == []:
- ret.append("/home")
-
- # Add /export/home if it exists
- # Some customers use this for automounted homedirs
- if os.path.exists("/export/home"):
- ret.append("/export/home")
-
- return ret
-
-def getSELinuxType(directory):
- val = findval(directory+"/config", "SELINUXTYPE", "=")
- if val != "":
- return val
- return "targeted"
-
-def usage(rc=0, error = ""):
- if error != "":
- sys.stderr.write("%s\n" % error)
- rc = 1
- sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ]\n" % sys.argv[0])
- sys.stderr.flush()
- sys.exit(rc)
-
-def warning(warning = ""):
- sys.stderr.write("%s\n" % warning)
- sys.stderr.flush()
-
-def errorExit(error):
- sys.stderr.write("%s exiting for: " % sys.argv[0])
- sys.stderr.write("%s\n" % error)
- sys.stderr.flush()
- sys.exit(1)
-
-class selinuxConfig:
- def __init__(self, selinuxdir = "/etc/selinux", type = "targeted", usepwd = 1):
- self.semanageHandle = semanage_handle_create()
- self.semanaged = semanage_is_managed(self.semanageHandle)
- if self.semanaged:
- rc = semanage_connect(self.semanageHandle)
- if rc:
- errorExit("Unable to connect to semanage")
- (status, self.ulist) = semanage_user_list(self.semanageHandle)
- self.type = type
- self.selinuxdir = selinuxdir +"/"
- self.contextdir = "/contexts"
- self.filecontextdir = self.contextdir+"/files"
- self.usepwd = usepwd
-
- def getFileContextDir(self):
- return self.selinuxdir+self.type+self.filecontextdir
-
- def getFileContextFile(self):
- return self.getFileContextDir()+"/file_contexts"
-
- def getContextDir(self):
- return self.selinuxdir+self.type+self.contextdir
-
- def getHomeDirTemplate(self):
- return self.getFileContextDir()+"/homedir_template"
-
- def getHomeRootContext(self, homedir):
- ret = ""
- fd = open(self.getHomeDirTemplate(), 'r')
-
- for i in fd.readlines():
- if i.find("HOME_ROOT") == 0:
- i = i.replace("HOME_ROOT", homedir)
- ret += i
- fd.close()
- if ret == "":
- errorExit("No Home Root Context Found")
- return ret
-
- def heading(self):
- ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
- if self.semanaged:
- ret += "# use semanage command to manage system users in order to change the file_context\n#\n#\n"
- else:
- ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers")
- return ret
-
- def get_default_prefix(self, name):
- for user in self.ulist:
- if semanage_user_get_name(user) == name:
- return semanage_user_get_prefix(user)
- return name
-
- def get_old_prefix(self, user):
- rc = grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % user)
- if rc == "":
- rc = grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % user)
- if rc != "":
- user = rc.split()
- prefix = user[3]
- if prefix == "{":
- prefix = user[4]
- if len(prefix) > 2 and (prefix[-2:] == "_r" or prefix[-2:] == "_u"):
- prefix = prefix[:-2]
- return prefix
-
- def adduser(self, udict, user, seuser, prefix):
- if seuser == "user_u" or user == "__default__" or user == "system_u":
- return
- # !!! chooses first prefix in the list to use in the file context !!!
- try:
- home = pwd.getpwnam(user)[5]
- if home == "/":
- # Probably install so hard code to /root
- if user == "root":
- home = "/root"
- else:
- return
- except KeyError:
- if user == "root":
- home = "/root"
- else:
- sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user)
- return
- prefs = {}
- prefs["seuser"] = seuser
- prefs["prefix"] = prefix
- prefs["home"] = home
- udict[user] = prefs
-
- def getUsers(self):
- udict = {}
- if self.semanaged:
- (status, list) = semanage_seuser_list(self.semanageHandle)
- for seuser in list:
- user = []
- seusername = semanage_seuser_get_sename(seuser)
- self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.get_default_prefix(seusername))
-
- else:
- try:
- fd = open(self.selinuxdir+self.type+"/seusers")
- for u in fd.readlines():
- u = u.strip()
- if len(u) == 0 or u[0] == "#":
- continue
- user = u.split(":")
- if len(user) < 2:
- continue
-
- prefix = self.get_old_prefix(user[1])
- self.adduser(udict, user[0], user[1], prefix)
- fd.close()
- except IOError, error:
- # Must be install so force add of root
- self.adduser(udict, "root", "root", "root")
-
- return udict
-
- def getHomeDirContext(self, user, seuser, home, prefix):
- ret = "\n\n#\n# Home Context for user %s\n#\n\n" % user
- fd = open(self.getHomeDirTemplate(), 'r')
- for i in fd.readlines():
- if i.startswith("HOME_DIR") == 1:
- i = i.replace("HOME_DIR", home)
- i = i.replace("ROLE", prefix)
- i = i.replace("system_u", seuser)
- ret = ret+i
- fd.close()
- return ret
-
- def getUserContext(self, user, sel_user, prefix):
- ret = ""
- fd = open(self.getHomeDirTemplate(), 'r')
- for i in fd.readlines():
- if i.find("USER") == 1:
- i = i.replace("USER", user)
- i = i.replace("ROLE", prefix)
- i = i.replace("system_u", sel_user)
- ret = ret+i
- fd.close()
- return ret
-
- def genHomeDirContext(self):
- users = self.getUsers()
- ret = ""
- # Fill in HOME and prefix for users that are defined
- for u in users.keys():
- ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["prefix"])
- ret += self.getUserContext (u, users[u]["seuser"], users[u]["prefix"])
- return ret+"\n"
-
- def checkExists(self, home):
- fd = open(self.getFileContextFile())
- for i in fd.readlines():
- if len(i) == 0:
- continue
- try:
- regex = i.split()[0]
- #match a trailing .+
- regex = re.sub("\.+$", "", regex)
- regex = re.sub("\.\*$", "", regex)
- #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
-
- regex = re.sub("\(\/\.\*\)\?", "", regex)
- regex = regex + "/*$"
- if re.search(home, regex, 0):
- return 1
- except:
- continue
- return 0
-
- def getHomeDirs(self):
- homedirs = getDefaultHomeDir()
- starting_uid = getStartingUID()
- if self.usepwd == 0:
- return homedirs
- ulist = pwd.getpwall()
- for u in ulist:
- if u[2] >= starting_uid and \
- u[6] in VALID_SHELLS and \
- u[5] != "/" and \
- string.count(u[5], "/") > 1:
- homedir = u[5][:string.rfind(u[5], "/")]
- if not homedir in homedirs:
- if self.checkExists(homedir) == 1:
- warning("%s homedir %s or its parent directory conflicts with a\ndefined context in %s,\n%s will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin." % (u[0], u[5], self.getFileContextFile(), sys.argv[0]))
- else:
- homedirs.append(homedir)
-
- homedirs.sort()
- return homedirs
-
- def genoutput(self):
- ret = self.heading()
- for h in self.getHomeDirs():
- ret += self.getHomeDirContext ("user_u", "user_u" , h+'/[^/]*', "user")
- ret += self.getHomeRootContext(h)
- ret += self.getUserContext(".*", "user_u", "user") + "\n"
- ret += self.genHomeDirContext()
- return ret
-
- def printout(self):
- print self.genoutput()
-
- def write(self):
- fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w")
- fd.write(self.genoutput())
- fd.close()
-
-if os.getuid() > 0 or os.geteuid() > 0:
- print _("You must be root to run %s.") % sys.argv[0]
- sys.exit(1)
-
-try:
- fd = open("/etc/shells", 'r')
- VALID_SHELLS = fd.read().split("\n")
- fd.close()
- if "/sbin/nologin" in VALID_SHELLS:
- VALID_SHELLS.remove("/sbin/nologin")
- if "" in VALID_SHELLS:
- VALID_SHELLS.remove("")
-except:
- VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh']
-
-#
-# This script will generate home dir file context
-# based off the homedir_template file, entries in the password file, and
-#
-try:
- usepwd = 1
- directory = "/etc/selinux"
- type = None
- gopts, cmds = getopt.getopt(sys.argv[1:], 'hnd:t:', ['help',
- 'type=',
- 'nopasswd',
- 'dir='])
- for o,a in gopts:
- if o == '--type' or o == "-t":
- type = a
- if o == '--nopasswd' or o == "-n":
- usepwd = 0
- if o == '--dir' or o == "-d":
- directory = a
- if o == '--help' or o == "-h":
- usage()
-except getopt.error, error:
- errorExit(_("Options Error %s ") % error)
-
-if type == None:
- type = getSELinuxType(directory)
-
-if len(cmds) != 0:
- usage(1)
-
-selconf = selinuxConfig(directory, type, usepwd)
-try:
- selconf.write()
-except IOError, error:
- sys.stderr.write("%s: %s\n" % ( sys.argv[0], error ))
- sys.exit(1)
-
Index: ghdc/policycoreutils/scripts/genhomedircon.8
- ghdc.orig/policycoreutils/scripts/genhomedircon.8
+++ /dev/null
@@ -1,82 +0,0 @@
-.\" Hey, Emacs! This is an -*- nroff -*- source file.
-.\" Copyright (c) 2005 Manoj Srivastava <srivasta@debian.org>
-.\"
-.\" This is free documentation; you can redistribute it and/or
-.\" modify it under the terms of the GNU General Public License as
-.\" published by the Free Software Foundation; either version 2 of
-.\" the License, or (at your option) any later version.
-.\"
-.\" The GNU General Public License's references to "object code"
-.\" and "executables" are to be interpreted as the output of any
-.\" document formatting or typesetting system, including
-.\" intermediate and printed output.
-.\"
-.\" This manual is distributed in the hope that it will be useful,
-.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
-.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-.\" GNU General Public License for more details.
-.\"
-.\" You should have received a copy of the GNU General Public
-.\" License along with this manual; if not, write to the Free
-.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
-.\" USA.
-.\"
-.\"
-.TH GENHOMEDIRCON "8" "January 2005" "Security Enhanced Linux" ""
-.SH NAME
-genhomedircon \- generate SELinux file context configuration entries for user home directories
-.SH SYNOPSIS
-.B genhomedircon [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ] [-h]
-
-.SH OPTIONS
-.TP
-.B "\-h"
-Print a short usage message
-.TP
-.B "\-d selinuxdir (\-\-directory)"
-Directory where selinux files are installed defaults to /etc/selinux
-.TP
-.B
-\-n \-\-nopasswd
-Indicates to the utility not to read homedirectories out of the password database.
-.TP
-\-t selinuxtype (\-\-type)
-Indicates the selinux type of this install. Defaults to "targeted".
-.SH DESCRIPTION
-.PP
-This utility is used to generate file context configuration entries for
-user home directories based on their
-.B prefix
-entry in the the
-.B semanage user record.
-genhomedircon is run when building
-the policy. It is also run automaticaly when ever the
-.B semanage
-utility modifies
-.B user
-or
-.B login
-records.
-Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the
-.I /etc/selinux/<<SELINUXTYPE>>/contexts/files/homedir_template
-file with generic and user-specific values. HOME_ROOT and HOME_DIR is replaced with each distinct location where login users homedirectories are located. Defaults to /home. ROLE is replaced based on the prefix entry in the
-.B user
-record.
-.PP
-genhomedircon searches through all password entires for all "login" user home directories, (as opposed
-to system users). Login users are those whose UID is greater than or equal
-.I STARTING_UID
-(default 500) and whose login shell is not "/sbin/nologin", or
-"/bin/false".
-.PP
-.SH AUTHOR
-This manual page was originally written by
-.I Manoj Srivastava <srivasta@debian.org>,
-for the Debian GNU/Linux system, based on the comments and the code
-in the utility, and then updated by Dan Walsh of Red Hat. The
-.B genhomedircon
-utility was originally written by
-.I Dan Walsh of Red Hat
-with some modifications by
-.I Tresys Technology, LLC.
-
Received on Tue 22 May 2007 - 13:10:06 EDT