SELinux Mailing List - NSA/CSS

Skip All Menus Skip Top Menu

Top Navigation Menus

Research Skip Research Menus Research Menu Security Enhanced Linux What's New Frequently Asked Questions Background Documents License Download Participating Mail List Archives Remaining Work Contributors Related Work Press Releases Information Assurance Research NIARL In-house Research Areas Mathematical Sciences Program Sabbaticals Computer & Information Sciences Research Technology Transfer Advanced Computing Advanced Mathematics Communications & Networking Information Processing Microelectronics Other Technologies Technology Fact Sheets Publications Related Links	Skip Search Box Searchbox SELinux Mailing List [patch 3/3] Remove legacy genhomedircon python script This message: [ Message body ] [ More options ] Related messages: [ Next message ] [ Previous message ] [ In reply to ] [ Next in thread ] From: jbrindle_at_tresys.com Date: Mon, 21 May 2007 05:54:17 -0400 Index: ghdc/policycoreutils/scripts/Makefile ghdc.orig/policycoreutils/scripts/Makefile +++ ghdc/policycoreutils/scripts/Makefile @@ -5,18 +5,14 @@ SBINDIR ?= $(PREFIX)/sbin MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale -TARGETS=genhomedircon - -all: $(TARGETS) fixfiles +all: fixfiles install: all -mkdir -p $(BINDIR) - install -m 755 $(TARGETS) $(SBINDIR) install -m 755 chcat $(BINDIR) install -m 755 fixfiles $(DESTDIR)/sbin -mkdir -p $(MANDIR)/man8 install -m 644 fixfiles.8 $(MANDIR)/man8/ - install -m 644 genhomedircon.8 $(MANDIR)/man8/ install -m 644 chcat.8 $(MANDIR)/man8/ clean: Index: ghdc/policycoreutils/scripts/genhomedircon ghdc.orig/policycoreutils/scripts/genhomedircon +++ /dev/null @@ -1,386 +0,0 @@ -#! /usr/bin/python -E -# Copyright (C) 2004 Tresys Technology, LLC -# see file 'COPYING' for use and warranty information -# -# genhomedircon - this script is used to generate file context -# configuration entries for user home directories based on their -# default prefixes and is run when building the policy. Specifically, we -# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with -# generic and user-specific values. -# -# Based off original script by Dan Walsh, <dwalsh@redhat.com> -# *-# ASSUMPTIONS:* -# -# The file CONTEXTDIR/files/homedir_template exists. This file is used to -# set up the home directory context for each real user. -# -# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, prefix user -# -# "Real" users (as opposed to system users) are those whose UID is greater than -# or equal STARTING_UID (usually 500) and whose login is not a member of -# EXCLUDE_LOGINS. Users who are explicitly defined in CONTEXTDIR/seusers -# are always "real" (including root, in the default configuration). -# -# - -import sys, os, pwd, string, getopt, re -from semanage import ;* -import gettext -gettext.install('policycoreutils') - -def grep(file, var): ret = "" fd = open(file, 'r') - for i in fd.readlines(): if re.search(var, i, 0) != None: ret = i break fd.close() return ret - -def findval(file, var, delim = ""): val = "" try: fd = open(file, 'r') for i in fd.readlines(): if i.startswith(var) == 1: if delim == "": val = i.split()[1] else: val = i.split(delim)[1] val = val.split("#")[0] val = val.strip() fd.close() except: val = "" return val - -def getStartingUID(): starting_uid = sys.maxint uid_min = findval("/etc/login.defs", "UID_MIN") if uid_min != "": uid_min = uid_min.split("#")[0] uid_min = uid_min.strip() if int(uid_min) < starting_uid: starting_uid = int(uid_min) - uid_min = findval("/etc/libuser.conf", "LU_UIDNUMBER", "=") if uid_min != "": uid_min = uid_min.split("#")[0] uid_min = uid_min.strip() if int(uid_min) < starting_uid: starting_uid = int(uid_min) - if starting_uid == sys.maxint: starting_uid = 500 return starting_uid - -def getDefaultHomeDir(): ret = [] homedir = findval("/etc/default/useradd", "HOME", "=") if homedir != "" and not homedir in ret: ret.append(homedir) - homedir = findval("/etc/libuser.conf", "LU_HOMEDIRECTORY", "=") if homedir != "" and not homedir in ret: ret.append(homedir) - if ret == []: ret.append("/home") - # Add /export/home if it exists # Some customers use this for automounted homedirs if os.path.exists("/export/home"): ret.append("/export/home") - return ret - -def getSELinuxType(directory): val = findval(directory+"/config", "SELINUXTYPE", "=") if val != "": return val return "targeted" - -def usage(rc=0, error = ""): if error != "": sys.stderr.write("%s\n" % error) rc = 1 sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n \| --nopasswd] [-t selinuxtype ]\n" % sys.argv[0]) sys.stderr.flush() sys.exit(rc) - -def warning(warning = ""): sys.stderr.write("%s\n" % warning) sys.stderr.flush() - -def errorExit(error): sys.stderr.write("%s exiting for: " % sys.argv[0]) sys.stderr.write("%s\n" % error) sys.stderr.flush() sys.exit(1) - -class selinuxConfig: def __init__(self, selinuxdir = "/etc/selinux", type = "targeted", usepwd = 1): self.semanageHandle = semanage_handle_create() self.semanaged = semanage_is_managed(self.semanageHandle) if self.semanaged: rc = semanage_connect(self.semanageHandle) if rc: errorExit("Unable to connect to semanage") (status, self.ulist) = semanage_user_list(self.semanageHandle) self.type = type self.selinuxdir = selinuxdir +"/" self.contextdir = "/contexts" self.filecontextdir = self.contextdir+"/files" self.usepwd = usepwd - def getFileContextDir(self): return self.selinuxdir+self.type+self.filecontextdir - def getFileContextFile(self): return self.getFileContextDir()+"/file_contexts" - def getContextDir(self): return self.selinuxdir+self.type+self.contextdir - def getHomeDirTemplate(self): return self.getFileContextDir()+"/homedir_template" - def getHomeRootContext(self, homedir): ret = "" fd = open(self.getHomeDirTemplate(), 'r') - for i in fd.readlines(): if i.find("HOME_ROOT") == 0: i = i.replace("HOME_ROOT", homedir) ret += i fd.close() if ret == "": errorExit("No Home Root Context Found") return ret - def heading(self): ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0] if self.semanaged: ret += "# use semanage command to manage system users in order to change the file_context\n#\n#\n" else: ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers") return ret - def get_default_prefix(self, name): for user in self.ulist: if semanage_user_get_name(user) == name: return semanage_user_get_prefix(user) return name - def get_old_prefix(self, user): rc = grep(self.selinuxdir+self.type+"/users/system.users", "^user %s" % user) if rc == "": rc = grep(self.selinuxdir+self.type+"/users/local.users", "^user %s" % user) if rc != "": user = rc.split() prefix = user[3] if prefix == "{": prefix = user[4] if len(prefix) > 2 and (prefix[-2:] == "_r" or prefix[-2:] == "_u"): prefix = prefix[:-2] return prefix - def adduser(self, udict, user, seuser, prefix): if seuser == "user_u" or user == "__default__" or user == "system_u": return # !!! chooses first prefix in the list to use in the file context !!! try: home = pwd.getpwnam(user)[5] if home == "/": # Probably install so hard code to /root if user == "root": home = "/root" else: return except KeyError: if user == "root": home = "/root" else: sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user) return prefs = {} prefs["seuser"] = seuser prefs["prefix"] = prefix prefs["home"] = home udict[user] = prefs - def getUsers(self): udict = {} if self.semanaged: (status, list) = semanage_seuser_list(self.semanageHandle) for seuser in list: user = [] seusername = semanage_seuser_get_sename(seuser) self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.get_default_prefix(seusername)) - else: try: fd = open(self.selinuxdir+self.type+"/seusers") for u in fd.readlines(): u = u.strip() if len(u) == 0 or u[0] == "#": continue user = u.split(":") if len(user) < 2: continue - prefix = self.get_old_prefix(user[1]) self.adduser(udict, user[0], user[1], prefix) fd.close() except IOError, error: # Must be install so force add of root self.adduser(udict, "root", "root", "root") - return udict - def getHomeDirContext(self, user, seuser, home, prefix): ret = "\n\n#\n# Home Context for user %s\n#\n\n" % user fd = open(self.getHomeDirTemplate(), 'r') for i in fd.readlines(): if i.startswith("HOME_DIR") == 1: i = i.replace("HOME_DIR", home) i = i.replace("ROLE", prefix) i = i.replace("system_u", seuser) ret = ret+i fd.close() return ret - def getUserContext(self, user, sel_user, prefix): ret = "" fd = open(self.getHomeDirTemplate(), 'r') for i in fd.readlines(): if i.find("USER") == 1: i = i.replace("USER", user) i = i.replace("ROLE", prefix) i = i.replace("system_u", sel_user) ret = ret+i fd.close() return ret - def genHomeDirContext(self): users = self.getUsers() ret = "" # Fill in HOME and prefix for users that are defined for u in users.keys(): ret += self.getHomeDirContext (u, users[u]["seuser"], users[u]["home"], users[u]["prefix"]) ret += self.getUserContext (u, users[u]["seuser"], users[u]["prefix"]) return ret+"\n" - def checkExists(self, home): fd = open(self.getFileContextFile()) for i in fd.readlines(): if len(i) == 0: continue try: regex = i.split()[0] #match a trailing .+ regex = re.sub("\.+$", "", regex) regex = re.sub("\.\$", "", regex) #strip a (/.)? which matches anything trailing to a /$ which matches trailing /'s - regex = re.sub("\(\/\.\\)\?", "", regex) regex = regex + "/$" if re.search(home, regex, 0): return 1 except: continue return 0 - def getHomeDirs(self): homedirs = getDefaultHomeDir() starting_uid = getStartingUID() if self.usepwd == 0: return homedirs ulist = pwd.getpwall() for u in ulist: if u[2] >= starting_uid and \ u[6] in VALID_SHELLS and \ u[5] != "/" and \ string.count(u[5], "/") > 1: homedir = u[5][:string.rfind(u[5], "/")] if not homedir in homedirs: if self.checkExists(homedir) == 1: warning("%s homedir %s or its parent directory conflicts with a\ndefined context in %s,\n%s will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin." % (u[0], u[5], self.getFileContextFile(), sys.argv[0])) else: homedirs.append(homedir) - homedirs.sort() return homedirs - def genoutput(self): ret = self.heading() for h in self.getHomeDirs(): ret += self.getHomeDirContext ("user_u", "user_u" , h+'/[^/]', "user") ret += self.getHomeRootContext(h) ret += self.getUserContext(".", "user_u", "user") + "\n" ret += self.genHomeDirContext() return ret - def printout(self): print self.genoutput() - def write(self): fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w") fd.write(self.genoutput()) fd.close() - -if os.getuid() > 0 or os.geteuid() > 0:* print _("You must be root to run %s.") % sys.argv[0] sys.exit(1) - -try: fd = open("/etc/shells", 'r') VALID_SHELLS = fd.read().split("\n") fd.close() if "/sbin/nologin" in VALID_SHELLS: VALID_SHELLS.remove("/sbin/nologin") if "" in VALID_SHELLS: VALID_SHELLS.remove("") -except: VALID_SHELLS = ['/bin/sh', '/bin/bash', '/bin/ash', '/bin/bsh', '/bin/ksh', '/usr/bin/ksh', '/usr/bin/pdksh', '/bin/tcsh', '/bin/csh', '/bin/zsh'] - -# -# This script will generate home dir file context -# based off the homedir_template file, entries in the password file, and -# -try: usepwd = 1 directory = "/etc/selinux" type = None gopts, cmds = getopt.getopt(sys.argv[1:], 'hnd:t:', ['help', 'type=', 'nopasswd', 'dir=']) for o,a in gopts: if o == '--type' or o == "-t": type = a if o == '--nopasswd' or o == "-n": usepwd = 0 if o == '--dir' or o == "-d": directory = a if o == '--help' or o == "-h": usage() -except getopt.error, error: errorExit(_("Options Error %s ") % error) - -if type == None: type = getSELinuxType(directory) - -if len(cmds) != 0: usage(1) - -selconf = selinuxConfig(directory, type, usepwd) -try: selconf.write() -except IOError, error: sys.stderr.write("%s: %s\n" % ( sys.argv[0], error )) sys.exit(1) - Index: ghdc/policycoreutils/scripts/genhomedircon.8 ghdc.orig/policycoreutils/scripts/genhomedircon.8 +++ /dev/null @@ -1,82 +0,0 @@ -.\" Hey, Emacs! This is an -- nroff -- source file. -.\" Copyright (c) 2005 Manoj Srivastava <srivasta@debian.org> -.\" -.\" This is free documentation; you can redistribute it and/or -.\" modify it under the terms of the GNU General Public License as -.\" published by the Free Software Foundation; either version 2 of -.\" the License, or (at your option) any later version. -.\" -.\" The GNU General Public License's references to "object code" -.\" and "executables" are to be interpreted as the output of any -.\" document formatting or typesetting system, including -.\" intermediate and printed output. -.\" -.\" This manual is distributed in the hope that it will be useful, -.\" but WITHOUT ANY WARRANTY; without even the implied warranty of -.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -.\" GNU General Public License for more details. -.\" -.\" You should have received a copy of the GNU General Public -.\" License along with this manual; if not, write to the Free -.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, *-.\" USA.* -.\" -.\" -.TH GENHOMEDIRCON "8" "January 2005" "Security Enhanced Linux" "" *-.SH NAME* -genhomedircon \- generate SELinux file context configuration entries for user home directories *-.SH SYNOPSIS* -.B genhomedircon [ -d selinuxdir ] [-n \| --nopasswd] [-t selinuxtype ] [-h] - *-.SH OPTIONS* -.TP -.B "\-h" -Print a short usage message -.TP -.B "\-d selinuxdir (\-\-directory)" -Directory where selinux files are installed defaults to /etc/selinux -.TP -.B -\-n \-\-nopasswd -Indicates to the utility not to read homedirectories out of the password database. -.TP -\-t selinuxtype (\-\-type) -Indicates the selinux type of this install. Defaults to "targeted". *-.SH DESCRIPTION* -.PP -This utility is used to generate file context configuration entries for -user home directories based on their -.B prefix -entry in the the -.B semanage user record. -genhomedircon is run when building -the policy. It is also run automaticaly when ever the -.B semanage -utility modifies -.B user -or -.B login -records. -Specifically, we replace HOME_ROOT, HOME_DIR, and ROLE macros in the -.I /etc/selinux/<<SELINUXTYPE>>/contexts/files/homedir_template -file with generic and user-specific values. HOME_ROOT and HOME_DIR is replaced with each distinct location where login users homedirectories are located. Defaults to /home. ROLE is replaced based on the prefix entry in the -.B user -record. -.PP -genhomedircon searches through all password entires for all "login" user home directories, (as opposed -to system users). Login users are those whose UID is greater than or equal *-.I STARTING_UID* -(default 500) and whose login shell is not "/sbin/nologin", or -"/bin/false". -.PP *-.SH AUTHOR* -This manual page was originally written by -.I Manoj Srivastava <srivasta@debian.org>, -for the Debian GNU/Linux system, based on the comments and the code -in the utility, and then updated by Dan Walsh of Red Hat. The -.B genhomedircon -utility was originally written by -.I Dan Walsh of Red Hat -with some modifications by -.I Tresys Technology, LLC. - -- -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message. Received on Tue 22 May 2007 - 13:10:06 EDT This message: [ Message body ] Next message: jbrindle_at_tresys.com: "[patch 1/3] libsemanage: genhomedircon replacement" Previous message: Joshua Brindle: "Re: Fedora Core 7 has frozen and Fedora 8 Development has started" In reply to: jbrindle_at_tresys.com: "[patch 0/3] genhomedircon replacement in libsemanage" Next in thread: jbrindle_at_tresys.com: "[patch 1/3] libsemanage: genhomedircon replacement" Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ]
	Date Posted: Jan 15, 2009 \| Last Modified: Jan 15, 2009 \| Last Reviewed: Jan 15, 2009

bottom