This feature enable the user to create a SEuser adm based on SElinux adm role and link a LOGIN against it (seisolate: Isolate admin), that way complementing sepolicy adm roles create.
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
index b25d3b2..0380604 100755
--- a/policycoreutils/sepolicy/sepolicy.py
+++ b/policycoreutils/sepolicy/sepolicy.py
@@ -446,6 +446,27 @@ def gen_generate_args(parser):
                                     help=_("Generate Policy for %s") % poltype[XUSER])
     pol.set_defaults(func=generate)
 
+# Will create a SElinux adm user or (as defined here) a Isolate adm.
+def isolateadm(args):
+    from sepolicy import seisolate
+
+    if args.adminrole and args.login:
+        seisolate.create_user(args.adminrole, args.login)
+        seisolate.link(args.adminrole, args.login)
+
+
+def gen_isolateadm_args(parser):
+    isoadm = parser.add_parser("isolateadm",
+                               help=_("Create a link beteween LOGIN and SEadm user"))
+    isoadm.add_argument("-a", "--adminrole", dest="adminrole",
+                        action="store", required=True,
+                        help=_("Receive an admin role name"))
+    isoadm.add_argument("-l", "--login", dest="login",
+                        action="store", required=True,
+                        help=_("Receive a LOGIN to create the SEadm user"))
+    isoadm.set_defaults(func=isolateadm)
+
+
 if __name__ == '__main__':
     parser = argparse.ArgumentParser(description='SELinux Policy Inspection Tool')
     subparsers = parser.add_subparsers(help=_("commands"))
@@ -459,6 +480,7 @@ if __name__ == '__main__':
     gen_manpage_args(subparsers)
     gen_network_args(subparsers)
     gen_transition_args(subparsers)
+    gen_isolateadm_args(subparsers)
 
     try:
         args = parser.parse_args()
diff --git a/policycoreutils/sepolicy/sepolicy/seisolate.py b/policycoreutils/sepolicy/sepolicy/seisolate.py
index e69de29..f9be58a 100644
--- a/policycoreutils/sepolicy/sepolicy/seisolate.py
+++ b/policycoreutils/sepolicy/sepolicy/seisolate.py
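Review bot: `isolateadm` calls `seisolate.link(...)`, but the module added by this same patch defines `create_link`, so every invocation raises `AttributeError` after `create_user` has already added the SELinux user and copied its context file, leaving a half-applied change; the call should read `seisolate.create_link(args.adminrole, args.login)`. The role name is also passed through unvalidated, and `ADM_USERS[adm_role]` in seisolate fails with a bare `KeyError` for anything that is not an `*adm_r` role, so a guard such as `if args.adminrole not in seisolate.ADM_ROLES: sys.exit("unknown admin role: %s" % args.adminrole)` belongs before the two calls (assuming `sys` is imported in this file, which is outside the hunk). Since both arguments are `required=True`, the `if args.adminrole and args.login:` test can never be false and only obscures the error path. Minor: the help string has a typo, `_("Create a link beteween LOGIN and SEadm user")` should be `_("Create a link between LOGIN and SEadm user")`.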
@@ -0,0 +1,62 @@
+#! /usr/bin/python -Es
+
+import sys
+import seobject
+import sepolicy
+
+from shutil import copy2
+from os import chmod as set_permissions
+
+# PATH to staff_u that will be base to new users created.
+STAFF_U = "staff_u"
+COMMON_PATH = "/etc/selinux/targeted/contexts/users/"
+
+# These are constants used to create SEADM user to a Isolate Admin environment.
+SELEVEL = "s0"
+PREFIX = "user"
+SERANGE = "s0-s0:c0.c1023"
+
+SUDOERS_PATH = "/etc/sudoers.d/"
+SUDOERS_ENTRY = "%s ALL=(ALL) ROLE=%s TYPE=%s ALL"
+
+# Initialize adm roles list.
+ADM_ROLES = [adm_r for adm_r in sepolicy.get_all_roles() if (adm_r[:-2]).
+             endswith('adm')]
+# Initialize a dictionary of se_adm_users with adm_role as key.
+ADM_USERS = {key: 'se_'+key[:-2]+'_u' for key in ADM_ROLES}
+
+
+store = ""
+__create_user = seobject.seluserRecords(store)
+__create_link = seobject.loginRecords(store)
+
+
+def create_user(adm_role, login):
+    import pwd
+    try:
+        pwd.getpwnam(login)
+    except KeyError:
+        print("User/Login %s doesn't exist" % login)
+        sys.exit(1)
+
+    seadm_user = ADM_USERS[adm_role]
+    roles = "staff_r {role1} {role2}".format(role1=adm_role,
+             role2="system_r" if adm_role == "sysadm_r" else "")
+
+    if not seadm_user in sepolicy.get_all_users():
+        __create_user.add(seadm_user, roles.split(), SELEVEL,
+                          SERANGE, PREFIX)
+        copy2(COMMON_PATH+STAFF_U, COMMON_PATH+seadm_user)
+
+
+def create_link(adm_role, login):
+    seadm_user = ADM_USERS[adm_role]
+    adm_domain = adm_role.replace("_r", "_t")
+
+    if seadm_user in sepolicy.get_all_users():
+        __create_link.add(login, seadm_user, SERANGE)
+
+    with open(SUDOERS_PATH+login, 'w') as f:
+        f.write(SUDOERS_ENTRY % (login, adm_role, adm_domain))
+
+    set_permissions(SUDOERS_PATH+login, 0440)
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
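Review bot: `create_link` turns `login` straight into a file name under `/etc/sudoers.d/` and opens it with `'w'`, yet only `create_user` ever checks the name against `pwd`, so a value containing `/` or `..` writes outside the directory, an existing drop-in for that login is silently replaced, and the file is created under the process umask (typically world-readable) before the trailing `set_permissions(..., 0440)` narrows it; the sudoers write also runs even when the SELinux user was never created, because it sits outside the `if`. The entry itself grants `ALL=(ALL) ... ALL`, so the confinement of the "isolated" admin rests entirely on the ROLE/TYPE pair being enforced, which deserves a comment at `SUDOERS_ENTRY` such as `# Full root via sudo; only the SELinux role/type transition limits this login, so it is unconfined root when SELinux is not enforcing.` Two further practical traps: sudo ignores sudoers.d files whose name contains a `.` or ends in `~` (a login like `john.doe` silently gets no rule), and a syntax error in any drop-in breaks sudo for every user on the host, so the file should be checked with `visudo -cf` and removed if that fails. The `0440` literal is also Python 2 only, while `0o440` works on both. The rewrite below needs `os`, `re`, `pwd` and `subprocess` imported at module level (the hunk imports only `chmod` from `os`), and the indentation of `copy2` in `create_user` was lost in this paste, so whether it is inside the `if` should be confirmed against the real patch.
```python
def create_link(adm_role, login):
    seadm_user = ADM_USERS[adm_role]
    adm_domain = adm_role.replace("_r", "_t")
    # The login becomes a path component and a sudoers.d file name, so it
    # must be a real account and a plain name (sudo skips files containing
    # '.' or ending in '~').
    pwd.getpwnam(login)
    if not re.match(r'^[a-z_][a-z0-9_-]*$', login):
        raise ValueError("login %r cannot be used as a sudoers.d entry" % login)
    if seadm_user not in sepolicy.get_all_users():
        raise ValueError("SELinux user %s does not exist; run create_user first" % seadm_user)
    __create_link.add(login, seadm_user, SERANGE)

    sudoers_file = os.path.join(SUDOERS_PATH, login)
    # Create the file 0440 from the start and refuse to clobber an existing drop-in.
    fd = os.open(sudoers_file, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o440)
    with os.fdopen(fd, 'w') as f:
        f.write(SUDOERS_ENTRY % (login, adm_role, adm_domain) + "\n")
    # A malformed drop-in breaks sudo for everyone: validate it and back out on failure.
    if subprocess.call(["visudo", "-cf", sudoers_file]) != 0:
        os.unlink(sudoers_file)
        raise RuntimeError("visudo rejected %s" % sudoers_file)
```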