Date: Tue, 14 Nov 2006 20:38:39 GMT From: Todd Miller <millert@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 109986 for review Message-ID: <200611142038.kAEKcd23047771@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=109986
Change 109986 by millert@millert_g5tower on 2006/11/14 20:38:31
Darwinize genhomedircon and enable it in policy builds
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#8 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/support/genhomedircon#2 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#8 (text+ko) ====
@@ -212,8 +212,7 @@
 @mkdir -p $(contextpath)/files
 $(verbose) $(INSTALL) -m 644 $(fc) $(fcpath)
 $(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath)
- # XXX - Disable genhomedircon for now
- #$(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
+ $(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
 ifeq "$(DISTRO)" "rhel4"
 # Setfiles in RHEL4 does not look at file_contexts.homedirs.
 $(verbose) cat $@.homedirs >> $@
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/support/genhomedircon#2 (text+ko) ====
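Review bot: The re-enabled `$(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)` line makes the installed file_contexts depend on the build host's user database, since the script (per its own comments in the genhomedircon hunks) collects home directory roots from netinfo or ldap unless `$(USEPWD)` turns that off (presumably via the script's `-n` option). That is a reproducibility and provenance concern for a policy artifact: two builds of the same revision on hosts with different local accounts will install different labelling rules. I would record this next to the rule, e.g. `# genhomedircon reads the build host's accounts unless USEPWD disables it; set it for reproducible policy builds`, and make sure the default for `$(USEPWD)` is documented where it is defined (outside this hunk).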
@@ -42,30 +42,11 @@
 import commands, sys, os, pwd, string, getopt, re
-EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
+EXCLUDE_LOGINS=["/sbin/nologin", "/usr/bin/false"]
+# Mac OS X uses a starting uid of 501 but use 500 for consistency
 def getStartingUID():
- starting_uid = sys.maxint
- rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs")
- if rc[0] == 0:
- uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1])
- #stip any comment from the end of the line
- uid_min = uid_min.split("#")[0]
- uid_min = uid_min.strip()
- if int(uid_min) < starting_uid:
- starting_uid = int(uid_min)
- rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf")
- if rc[0] == 0:
- lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1])
- #stip any comment from the end of the line
- lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber)
- lu_uidnumber = lu_uidnumber.split("#")[0]
- lu_uidnumber = lu_uidnumber.strip()
- if int(lu_uidnumber) < starting_uid:
- starting_uid = int(lu_uidnumber)
- if starting_uid == sys.maxint:
- starting_uid = 500
- return starting_uid
+ return 500
 #############################################################################
 #
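Review bot: `getStartingUID` now returns a bare `500` and the comment above it only says "use 500 for consistency" without saying consistent with what; this value decides which accounts get home-directory contexts at all, so it deserves a named module-level constant next to `EXCLUDE_LOGINS`, e.g. `STARTING_UID = 500  # lowest uid treated as a user account; OS X assigns 501 upward, 500 matches the old Linux fallback` with the function body becoming `return STARTING_UID`. With every `/etc/login.defs` and `/etc/libuser.conf` lookup removed, `sys.maxint` is no longer referenced here and `re` may no longer be used by this function, though the `import commands, sys, os, pwd, string, getopt, re` context line still brings it in for the rest of the file.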
@@ -126,35 +107,11 @@
 if os.path.isdir(filecontextdir) == 0:
 sys.stderr.write("New usage is the following\n")
 usage()
- #We are going to define home directory used by libuser and show-utils as a home directory root
- prefixes = {}
- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not prefixes.has_key(homedir):
- prefixes[homedir] = ""
- else:
- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
- sys.stderr.flush()
+ # For Mac OS X, most homedirs live in /Users
 prefixes["/home"] = ""
-
- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
- if not prefixes.has_key(homedir):
- prefixes[homedir] = ""
-
- #the idea is that we need to find all of the home_root_t directories we do this by just accepting
- #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
- #we then get the potential home directory roots from /etc/passwd or nis or whereever and look at
+ #the idea is that we need to find all of the home_root_t directories
+ #we get the potential home directory roots from netinfo or ldap and look at
 #the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs
 #is then checked to see if it has an explicite context defined in the file_contexts. Explicit
 #is any regex that would match it which does not end with .*$ or .+$ since those are general
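Review bot: `prefixes["/home"] = ""` on the new side executes after the only visible initialization, `prefixes = {}`, has been removed, so unless `prefixes` is bound earlier in the function (its start lies outside the hunk) the first call now raises `NameError`. The new comment says home directories live in `/Users`, but the code seeds `/home`, and `getDefaultHomeDir` in a later hunk returns `/Users`; one of the two is wrong, and the stale key would emit HOME_ROOT/HOME_DIR labelling rules for a directory the comment itself says is not where OS X homes live. I would restore the initialization and use the path the comment names: `prefixes = {}` followed by `prefixes["/Users"] = ""`.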
@@ -191,19 +148,11 @@
 prefixes[potential] = ""
- if prefixes.__eq__({}):
- sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
- sys.stderr.write("HOME= not set in /etc/default/useradd\n")
- sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
- sys.stderr.write("Assuming /home is the root of home directories\n")
- sys.stderr.flush()
- prefixes["/home"] = ""
-
 # There may be a more elegant sed script to expand a macro to multiple lines, but this works
 sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),)
 sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),)
- # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
+ # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/sedarwin/refpolicy/src/policy/users
 rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
 if rc[0] == 0:
 print rc[1]
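Review bot: With the libuser block deleted in the previous hunk, its `re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)` pass was the last place a home-directory prefix was restricted to safe characters, yet `sed_root` and `sed_dir` still splice every key of `prefixes` — now fed only by the directory service through `prefixes[potential] = ""` — unescaped into a sed script that `commands.getstatusoutput` hands to a shell inside double quotes. A home directory containing `|`, `"`, `$` or a backquote would at best corrupt the generated file_contexts and at worst be interpreted by the shell, so the prefixes should be validated as plain absolute paths before the sed strings are built. Removing the empty-`prefixes` fallback also means that if nothing survives, `string.join([], ...)` yields `s|^HOME_ROOT||`, which strips the macro instead of expanding it, so the check should leave a default in place. The enclosing function starts outside the hunk; `re` and `sys` are already imported on the first context line of the earlier hunk.
```python
# Keep only plain absolute paths: anything else would break the sed script
# below or be seen by the shell that runs it.
safe_prefix = re.compile(r"^/[A-Za-z0-9_./-]+$")
for p in prefixes.keys():
    if not safe_prefix.match(p):
        sys.stderr.write("Ignoring home directory root with unsafe characters: %r\n" % (p,))
        del prefixes[p]
if prefixes == {}:
    prefixes["/Users"] = ""
# … unchanged: sed_root / sed_dir construction and the sed invocation …
```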
@@ -223,36 +172,10 @@
 #
 #############################################################################
+# Homedirs live in /Users on Mac OS X by default
 def getDefaultHomeDir():
 ret = []
- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not homedir in ret:
- ret.append(homedir)
- else:
- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
- sys.stderr.flush()
- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not homedir in ret:
- ret.append(homedir)
- else:
- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n")
- sys.stderr.flush()
- if ret == []:
- ret.append("/home")
+ ret.append("/Users")
 return ret
 def getSELinuxType(directory):
@@ -279,7 +202,7 @@
 sys.exit(1)
 class selinuxConfig:
- def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1):
+ def __init__(self, selinuxdir="/etc/sedarwin", type="refpolicy", usepwd=1):
 self.type=type
 self.selinuxdir=selinuxdir +"/"
 self.contextdir="/contexts"
@@ -444,7 +367,7 @@
 #
 try:
 usepwd=1
- directory="/etc/selinux"
+ directory="/etc/sedarwin"
 type=None
 gopts, cmds = getopt.getopt(sys.argv[1:], 'nd:t:', ['help', 'type=',
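Review bot: `getDefaultHomeDir` now builds a one-element list in three statements (`ret = []`, `ret.append("/Users")`, `return ret`) where `return ["/Users"]` says the same thing, and the `/Users` literal would be better hoisted to a module-level `DEFAULT_HOME_ROOT = "/Users"` so it cannot drift from the home root seeded into `prefixes` earlier in the file. The same applies to `"/etc/sedarwin"`, which the second and third hunks on this line introduce twice — as the `selinuxdir` default of `selinuxConfig.__init__` and in the `directory=` assignment of the option-parsing block — so a single `DEFAULT_SELINUXDIR = "/etc/sedarwin"` used in both places would keep the class default and the command-line default in step. The third hunk's `try:` block continues past the end of the hunk.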