From owner-p4-projects@FreeBSD.ORG Tue Nov 14 20:44:31 2006 Return-Path: X-Original-To: p4-projects@freebsd.org Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id EDC3016A4AB; Tue, 14 Nov 2006 20:44:30 +0000 (UTC) X-Original-To: perforce@freebsd.org Delivered-To: perforce@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CAE1F16A4E6 for ; Tue, 14 Nov 2006 20:44:30 +0000 (UTC) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [216.136.204.115]) by mx1.FreeBSD.org (Postfix) with ESMTP id C12BD43F38 for ; Tue, 14 Nov 2006 20:38:39 +0000 (GMT) (envelope-from millert@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.13.6/8.13.6) with ESMTP id kAEKcdWv047774 for ; Tue, 14 Nov 2006 20:38:39 GMT (envelope-from millert@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.13.6/8.13.4/Submit) id kAEKcd23047771 for perforce@freebsd.org; Tue, 14 Nov 2006 20:38:39 GMT (envelope-from millert@freebsd.org) Date: Tue, 14 Nov 2006 20:38:39 GMT Message-Id: <200611142038.kAEKcd23047771@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to millert@freebsd.org using -f From: Todd Miller To: Perforce Change Reviews Cc: Subject: PERFORCE change 109986 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Nov 2006 20:44:31 -0000 http://perforce.freebsd.org/chv.cgi?CH=109986 Change 109986 by millert@millert_g5tower on 2006/11/14 20:38:31 Darwinize genhomedircon and enable it in policy builds Affected files ... .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#8 edit .. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/support/genhomedircon#2 edit Differences ... ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#8 (text+ko) ==== @@ -212,8 +212,7 @@ @mkdir -p $(contextpath)/files $(verbose) $(INSTALL) -m 644 $(fc) $(fcpath) $(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath) - # XXX - Disable genhomedircon for now - #$(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD) + $(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD) ifeq "$(DISTRO)" "rhel4" # Setfiles in RHEL4 does not look at file_contexts.homedirs. $(verbose) cat $@.homedirs >> $@ ==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/support/genhomedircon#2 (text+ko) ==== @@ -42,30 +42,11 @@ import commands, sys, os, pwd, string, getopt, re -EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"] +EXCLUDE_LOGINS=["/sbin/nologin", "/usr/bin/false"] +# Mac OS X uses a starting uid of 501 but use 500 for consistency def getStartingUID(): - starting_uid = sys.maxint - rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs") - if rc[0] == 0: - uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1]) - #stip any comment from the end of the line - uid_min = uid_min.split("#")[0] - uid_min = uid_min.strip() - if int(uid_min) < starting_uid: - starting_uid = int(uid_min) - rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf") - if rc[0] == 0: - lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1]) - #stip any comment from the end of the line - lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber) - lu_uidnumber = lu_uidnumber.split("#")[0] - lu_uidnumber = lu_uidnumber.strip() - if int(lu_uidnumber) < starting_uid: - starting_uid = int(lu_uidnumber) - if starting_uid == sys.maxint: - starting_uid = 500 - return starting_uid + return 500 ############################################################################# # @@ -126,35 +107,11 @@ if os.path.isdir(filecontextdir) == 0: sys.stderr.write("New usage is the following\n") usage() - #We are going to define home directory used by libuser and show-utils as a home directory root - prefixes = {} - rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") - if rc[0] == 0: - homedir = rc[1].split("=")[1] - homedir = homedir.split("#")[0] - homedir = homedir.strip() - if not prefixes.has_key(homedir): - prefixes[homedir] = "" - else: - #rc[0] == 256 means the file was there, we read it, but the grep didn't match - if rc[0] != 256: - sys.stderr.write("%s\n" % rc[1]) - sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n") - sys.stderr.flush() + # For Mac OS X, most homedirs live in /Users + prefixes["/home"] = "" - - rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf") - if rc[0] == 0: - homedir = rc[1].split("=")[1] - homedir = homedir.split("#")[0] - homedir = homedir.strip() - homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir) - if not prefixes.has_key(homedir): - prefixes[homedir] = "" - - #the idea is that we need to find all of the home_root_t directories we do this by just accepting - #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd - #we then get the potential home directory roots from /etc/passwd or nis or whereever and look at + #the idea is that we need to find all of the home_root_t directories + #we get the potential home directory roots from netinfo or ldap and look at #the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs #is then checked to see if it has an explicite context defined in the file_contexts. Explicit #is any regex that would match it which does not end with .*$ or .+$ since those are general @@ -191,19 +148,11 @@ prefixes[potential] = "" - if prefixes.__eq__({}): - sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n") - sys.stderr.write("HOME= not set in /etc/default/useradd\n") - sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n") - sys.stderr.write("Assuming /home is the root of home directories\n") - sys.stderr.flush() - prefixes["/home"] = "" - # There may be a more elegant sed script to expand a macro to multiple lines, but this works sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),) sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),) - # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users + # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/sedarwin/refpolicy/src/policy/users rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext)) if rc[0] == 0: print rc[1] @@ -223,36 +172,10 @@ # ############################################################################# +# Homedirs live in /Users on Mac OS X by default def getDefaultHomeDir(): ret = [] - rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") - if rc[0] == 0: - homedir = rc[1].split("=")[1] - homedir = homedir.split("#")[0] - homedir = homedir.strip() - if not homedir in ret: - ret.append(homedir) - else: - #rc[0] == 256 means the file was there, we read it, but the grep didn't match - if rc[0] != 256: - sys.stderr.write("%s\n" % rc[1]) - sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n") - sys.stderr.flush() - rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf") - if rc[0] == 0: - homedir = rc[1].split("=")[1] - homedir = homedir.split("#")[0] - homedir = homedir.strip() - if not homedir in ret: - ret.append(homedir) - else: - #rc[0] == 256 means the file was there, we read it, but the grep didn't match - if rc[0] != 256: - sys.stderr.write("%s\n" % rc[1]) - sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n") - sys.stderr.flush() - if ret == []: - ret.append("/home") + ret.append("/Users") return ret def getSELinuxType(directory): @@ -279,7 +202,7 @@ sys.exit(1) class selinuxConfig: - def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1): + def __init__(self, selinuxdir="/etc/sedarwin", type="refpolicy", usepwd=1): self.type=type self.selinuxdir=selinuxdir +"/" self.contextdir="/contexts" @@ -444,7 +367,7 @@ # try: usepwd=1 - directory="/etc/selinux" + directory="/etc/sedarwin" type=None gopts, cmds = getopt.getopt(sys.argv[1:], 'nd:t:', ['help', 'type=',