-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/15/2013 09:49 AM, Leonidas S. Barbosa wrote: > > This feature enable the user to create a SEuser adm based on SElinux adm > role and link a LOGIN against it (seisolate: Isolate admin), that way > complementing sepolicy adm roles create. > > Comments inside. Also need a man page and an update to sepolicy_bash_completion.sh > > > diff --git a/policycoreutils/sepolicy/sepolicy.py > b/policycoreutils/sepolicy/sepolicy.py index b25d3b2..0380604 100755 --- > a/policycoreutils/sepolicy/sepolicy.py +++ > b/policycoreutils/sepolicy/sepolicy.py @@ -446,6 +446,27 @@ def > gen_generate_args(parser): help=_("Generate Policy for %s") % > poltype[XUSER]) pol.set_defaults(func=generate) > > +# Will create a SElinux adm user or (as defined here) a Isolate adm. +def > isolateadm(args): + from sepolicy import seisolate + + if > args.adminrole and args.login: + > seisolate.create_user(args.adminrole, args.login) + > seisolate.link(args.adminrole, args.login) + + +def > gen_isolateadm_args(parser): + isoadm = parser.add_parser("isolateadm", > + help=_("Create a link beteween LOGIN and > SEadm user")) No crazy about name. sepolicy isolateadm versus sepolicy admin Also not sure what the end goal of this is. Do we want this command to be able to just create a mapping between an existing admin role and a login user? Or should it be able to create a new admin rule and connect everything up? sepolicy admin -l dwalsh -a dbadm_r dbadmin_u Currently you have Do we want to allow Add/Modify/Delete? I think you should allow specification of the command that you will run as root. Default to /bin/bash but allow user to override this. sepolicy admin -e /bin/myscript -l dwalsh ... > + isoadm.add_argument("-a", "--adminrole", dest="adminrole", + > action="store", required=True, + help=_("Receive an > admin role name")) Should this be the primary key and not require a qualifier? It might be better to use "-r" so I can get -a for add? > + isoadm.add_argument("-l", "--login", dest="login", + > action="store", required=True, + help=_("Receive a > LOGIN to create the SEadm user")) > + isoadm.set_defaults(func=isolateadm) + + if __name__ == '__main__': > parser = argparse.ArgumentParser(description='SELinux Policy Inspection > Tool') subparsers = parser.add_subparsers(help=_("commands")) @@ -459,6 > +480,7 @@ if __name__ == '__main__': gen_manpage_args(subparsers) > gen_network_args(subparsers) gen_transition_args(subparsers) + > gen_isolateadm_args(subparsers) > > try: args = parser.parse_args() diff --git > a/policycoreutils/sepolicy/sepolicy/seisolate.py > b/policycoreutils/sepolicy/sepolicy/seisolate.py index e69de29..f9be58a > 100644 --- a/policycoreutils/sepolicy/sepolicy/seisolate.py +++ > b/policycoreutils/sepolicy/sepolicy/seisolate.py @@ -0,0 +1,62 @@ +#! > /usr/bin/python -Es + +import sys +import seobject +import sepolicy + +from > shutil import copy2 +from os import chmod as set_permissions + +# PATH to > staff_u that will be base to new users created. +STAFF_U = "staff_u" > +COMMON_PATH = "/etc/selinux/targeted/contexts/users/" + You should get this from import.selinux Do not want to hard code "targeted", so I can use your tool for other policies. > +# These are constants used to create SEADM user to a Isolate Admin > environment. +SELEVEL = "s0" +PREFIX = "user" +SERANGE = "s0-s0:c0.c1023" > + Ditto. We need a mechanism to get this from the policy. MLS max is s0-s15:c0.c1023 > +SUDOERS_PATH = "/etc/sudoers.d/" +SUDOERS_ENTRY = "%s ALL=(ALL) ROLE=%s > TYPE=%s ALL" + See command above. SUDOERS_ENTRY = "%s ALL=(ALL) ROLE=%s TYPE=%s %s" Default -e to be ALL > +# Initialize adm roles list. +ADM_ROLES = [adm_r for adm_r in > sepolicy.get_all_roles() if (adm_r[:-2]). + endswith('adm')] We have got to get this into policy as an attribute. Since this is by convention right now. > +# Initialize a dictionary of se_adm_users with adm_role as key. +ADM_USERS > = {key: 'se_'+key[:-2]+'_u' for key in ADM_ROLES} + + print ADM_USERS {'auditadm_r': 'se_auditadm_u', 'logadm_r': 'se_logadm_u', 'webadm_r': 'se_webadm_u', 'sysadm_r': 'se_sysadm_u', 'secadm_r': 'se_secadm_u', 'dbadm_r': 'se_dbadm_u'} Is this what you entended? > +store = "" Should have this passed in from command line. > +__create_user = seobject.seluserRecords(store) +__create_link = > seobject.loginRecords(store) + + +def create_user(adm_role, login): + > import pwd + try: + pwd.getpwnam(login) + except KeyError: + > print("User/Login %s doesn't exist" % login) + sys.exit(1) Could do this check at the option parsing, but I guess it is alright here. > + + seadm_user = ADM_USERS[adm_role] + roles = "staff_r {role1} > {role2}".format(role1=adm_role, + role2="system_r" if adm_role > == "sysadm_r" else "") + + if not seadm_user in > sepolicy.get_all_users(): + __create_user.add(seadm_user, > roles.split(), SELEVEL, + SERANGE, PREFIX) + > copy2(COMMON_PATH+STAFF_U, COMMON_PATH+seadm_user) + + +def > create_link(adm_role, login): + seadm_user = ADM_USERS[adm_role] + > adm_domain = adm_role.replace("_r", "_t") + + if seadm_user in > sepolicy.get_all_users(): + __create_link.add(login, seadm_user, > SERANGE) + + with open(SUDOERS_PATH+login, 'w') as f: + > f.write(SUDOERS_ENTRY % (login, adm_role, adm_domain)) Shouldn't this be for append? Or throw exception if it exists? > + + set_permissions(SUDOERS_PATH+login, 0440) > > > -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx > https://admin.fedoraproject.org/mailman/listinfo/selinux > > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.15 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlJdZLYACgkQrlYvE4MpobMqdACbBQTweM7v2xI4SV1ncZ72TKLJ xvQAn3Yesy7mRhj+FTQ5jniP6UR6xlzp =YXr3 -----END PGP SIGNATURE----- -- selinux mailing list selinux@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/selinux