Re: [PATCH 1/5] adding seadmin support

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, 2013-11-12 at 15:19 -0200, Leonidas Da Silva Barbosa wrote:
> Thanks a lot Grift, this idea of shell script fits well with
> what Daniel said, instead have the tool acts as sudo and to
> many hardcode, it generates a script such as this you typed, that
> can be used in many system to set upt this admin users.
>  
> I believe I can use some ideas from your script and put it into a template 
> script generate by sepolicy admin. I still need to dig a little more in your 
> script and Dan ideas. 
> 

The script has a lot of bugs still (lot of corner cases)

Ive it uploaded to github:

https://github.com/mypublicrepositories/myadmins/blob/master/myadmins.sh

Also i cant get sepermit to work on Fedora 19 ( at least not with sshd
(thats all i tried) 

even if i add the debug option to sepermit.so it still does not log a
thing and my confined admin is able to login in permissive mode :(


> 
> 
> On Tue, Nov 12, 2013 at 03:17:42PM +0100, Dominick Grift wrote:
> > On Mon, 2013-11-11 at 15:10 +0100, Dominick Grift wrote:
> > 
> > > > I wrote a simple bash script that creates SELinux confined admins.
> > > > 
> > > > I didnt bother to add any sanity checking or call commands with paths or
> > > > anything like that.
> > > > 
> > > > Was just playing:
> > > 
> > > Theres a few bugs in this script though (needless to say) I should
> > > probably also add sepermit support
> > > 
> > > Also the policy API's have some rough edges, but generally things seem
> > > to work
> > > 
> > 
> > playing with it some more.
> > 
> > added (probably too many) checks
> > added sepermit stuff
> > tried to get rid of some hardcoding
> > 
> > it generates a setup and remove script
> > 
> > some of the script is really ugly and its also very slow, but o well..
> > just for fun
> > 
> > > #!/bin/bash --
> > > 
> > > shopt -s -o nounset
> > > 
> > > declare -rx SCRIPT=${0##*/}
> > > 
> > > declare USER_PREFIX=""
> > > declare ROLE_PREFIX=""
> > > declare INTERFACE_PREFIX=""
> > > 
> > > declare SU=""
> > > declare SUDO=""
> > > declare GUI=""
> > > 
> > > umask 077
> > > 
> > > for util in /bin/grep /bin/awk /bin/sort /bin/cat /bin/bash /bin/chmod /bin/rm \
> > >     /usr/bin/seinfo /bin/cp /bin/chmod /bin/head;
> > > do
> > >     if [ ! -x $util ] ; then
> > >         printf "$SCRIPT:$LINENO: %s\n" "Utility '$util' is not executable" >&2
> > >         exit 192
> > >     fi
> > > done
> > > 
> > > for util in /usr/sbin/semanage /usr/sbin/semodule /usr/sbin/useradd  \
> > >     /usr/sbin/userdel /bin/whoami;
> > > do
> > >     if [ ! -f $util ] ; then
> > >         printf "$SCRIPT:$LINENO: %s\n" "Utility '$util' is not available" >&2
> > >         exit 192
> > >     fi
> > > done
> > > 
> > > if [ ! -c /dev/null ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "Device '/dev/null' not found" >&2
> > >     exit 192
> > > fi
> > > 
> > > if [ ! -w $PWD ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "Current directory '$PWD' is not writable" >&2
> > >     exit 192
> > > fi
> > > 
> > > interface_prefixes() {
> > >         /bin/grep -r "_admin',\`"  /usr/share/selinux/devel/include/ | \
> > >         /bin/awk -F "/" '{ print $8 }' | \
> > >         /bin/awk -F "\`" '{ print $2 }' | \
> > >         /bin/awk -F "_" '{ print $1 }' | /bin/sort
> > > }
> > > 
> > > # Expects a single parameter: user_prefix
> > > 
> > > user() {
> > >         /bin/cat > $1.te << EOF
> > > policy_module($1, 1.0.0)
> > > 
> > > userdom_restricted_user_template($1)
> > > 
> > > EOF
> > > }       
> > > 
> > > # Expects a single parameter: user_prefix
> > > 
> > > gui_user() {
> > >         /bin/cat > $1.te << EOF
> > > policy_module($1, 1.0.0)
> > > 
> > > userdom_unpriv_user_template($1)
> > > 
> > > EOF
> > > }       
> > > 
> > > # Expects a single parameter: user_prefix
> > > 
> > > sudo() {
> > >         /bin/cat >> $1.te <<EOF
> > > optional_policy(\`
> > > sudo_role_template($1, ${1}_r, ${1}_t)
> > > ')
> > > 
> > > EOF
> > > }
> > > 
> > > # Expects single parameter: user_prefix
> > > 
> > > su() {
> > >         /bin/cat >> $1.te <<EOF
> > > optional_policy(\`
> > > su_role_template($1, ${1}_r, ${1}_t)
> > > ')
> > > 
> > > optional_policy(\`
> > > seutil_run_newrole(${1}_t, ${1}_r)
> > > ')
> > > 
> > > EOF
> > > }
> > > 
> > > # Expects two parameters: user_prefix, role_prefix
> > > 
> > > role() {
> > >         /bin/cat >> $1.te << EOF
> > > userdom_base_user_template($2)
> > > 
> > > allow ${1}_r ${2}_r;    
> > > 
> > > EOF
> > > }
> > > 
> > > # Expects two parameters: user_prefix, role_prefix
> > > 
> > > interface() {
> > >         /bin/cat >> $1.te << EOF
> > > optional_policy(\`
> > > ${interface}_admin(${2}_t, ${2}_r)
> > > ')
> > > 
> > > EOF
> > > }
> > > 
> > > if [ $# -eq 0 ] ; then
> > >         printf "%s\n" "Type --help for help."
> > >         exit 192
> > > fi
> > > 
> > > while [ $# -gt 0 ] ; do
> > >     case "$1" in
> > >         -h | --help)
> > >             printf "%s\n" "$SCRIPT - Generate SELinux confined administrators"
> > >             printf "%s\n" ""
> > >             printf "%s\n" "-h | --help                                 Display this help message"
> > >             printf "%s\n" "-l | --list                                 List service interface prefixes"
> > >             printf "%s\n" "-r | --role [role_prefix]                   Role prefix"
> > >             printf "%s\n" "-u | --user [user_prefix]                   User prefix"
> > >             printf "%s\n" "-i | --interface [interface_prefix,(...)]   Service interface prefix"
> > >             printf "%s\n" ""
> > >             printf "%s\n" "--su                                        Enable SU for user"
> > >             printf "%s\n" "--sudo                                      Enable SUDO for user"
> > >             printf "%s\n" "--gui                                       User GUI support"
> > >             printf "%s\n" ""
> > >             printf "%s\n" "Examples:"
> > >             printf "%s\n" ""
> > >             printf "%s\n" "joe the apm administrator:"
> > >             printf "%s\n" "$SCRIPT -u joe -r apmadm -i apm --sudo"
> > >             printf "%s\n" ""
> > >             printf "%s\n" "jane the lamp stack administrator:"
> > >             printf "%s\n" "$SCRIPT -u jane -r lampadm -i apache,mysql,postfix --gui --su"
> > >             exit 0
> > >             ;;
> > >         -l | --list )
> > >  
> > >             interface_prefixes
> > >             exit 0
> > >             ;;
> > >         -r | --role ) shift
> > > 
> > >             if [ $# -eq 0 ] ; then
> > >                 printf "$SCRIPT:$LINENO: %s\n" "Role prefix is missing" >&2
> > >                 exit 192
> > >             fi
> > > 
> > >             if [ $(/usr/bin/seinfo -r"${1}_r" 2>/dev/null) ] ; then
> > >                 printf "$SCRIPT:$LINENO: %s\n" "Role prefix '$1' is already taken" >&2
> > >                 exit 192
> > >             fi
> > > 
> > >             if [ $(/usr/bin/seinfo -t"${1}_t" 2>/dev/null) ] ; then
> > >                 printf "$SCRIPT:$LINENO: %s\n" "Role prefix '$1' is already taken" >&2
> > >                 exit 192
> > >             fi
> > > 
> > >             ROLE_PREFIX="$1"
> > >             ;;
> > >         -u | --user )
> > > 
> > >             shift
> > > 
> > >             if [ $# -eq 0 ] ; then
> > >                 printf "$SCRIPT:$LINENO: %s\n" "User prefix is missing" >&2
> > >                 exit 192
> > >             fi
> > > 
> > >             if [ $(/usr/bin/seinfo -r"${1}_r" 2>/dev/null) ] ; then
> > >                 printf "$SCRIPT:$LINENO: %s\n" "User prefix '$1' is already taken" >&2
> > >                 exit 192
> > >             fi
> > > 
> > >             if [ $(/usr/bin/seinfo -t"${1}_t" 2>/dev/null) ] ; then
> > >                 printf "$SCRIPT:$LINENO: %s\n" "User prefix '$1' is already taken" >&2
> > >                 exit 192
> > >             fi
> > > 
> > >             USER_PREFIX="$1"
> > >             ;;
> > >         -i | --interface )
> > > 
> > >             shift
> > > 
> > >             if [ $# -eq 0 ] ; then
> > >                 printf "$SCRIPT:$LINENO: %s\n" "Interface prefix is missing" >&2
> > >                 exit 192
> > >             fi
> > > 
> > >             INTERFACE_PREFIX="$1"
> > >             ;;
> > >         --su )
> > > 
> > >             SU=SU
> > >             ;;
> > >         --sudo )
> > > 
> > >             SUDO=SUDO
> > >             ;;
> > >         --gui )
> > > 
> > >             GUI=GUI
> > >             ;;
> > >         -* )
> > > 
> > >             printf "$SCRIPT:$LINENO: %s\n" "switch $1 not supported" >&2
> > >             exit 192
> > >             ;;
> > >         * )
> > > 
> > >             printf "$SCRIPT:$LINENO: %s\n" "extra argument or missing switch" >&2
> > >             exit 192
> > >             ;;
> > >     esac
> > >     shift
> > > done
> > > 
> > > if [ -z "$ROLE_PREFIX" ] ; then
> > >         printf "%s\n" "Role prefix missing" >&2
> > >         exit 192
> > > fi
> > > 
> > > if [ -z "$USER_PREFIX" ] ; then
> > >         printf "%s\n" "User prefix missing" >&2
> > >         exit 192
> > > fi
> > > 
> > > if [ -z "$INTERFACE_PREFIX" ] ; then
> > >         printf "$SCRIPT:$LINENO: %s\n" "Interface prefix missing" >&2
> > >         exit 192
> > > fi
> > > 
> > > if [ ! -f /usr/share/selinux/devel/include/system/userdomain.if ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "File '/usr/share/selinux/devel/include/system/userdomain.if' \
> > > not found" >&2
> > >     exit 192
> > > elif [ $(/bin/grep userdom_restricted_user_template \
> > > /usr/share/selinux/devel/include/system/userdomain.if \
> > > | /bin/awk -F "\`" '{ print $2 }' | /bin/awk -F "\'" '{ print $1 }' 2>/dev/null) \
> > > != "userdom_restricted_user_template" ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "Template 'userdom_restricted_user_template()' not found" >&2
> > >     exit 192
> > > elif [ $(/bin/grep userdom_unpriv_user_template \
> > > /usr/share/selinux/devel/include/system/userdomain.if \
> > > | /bin/awk -F "\`" '{ print $2 }' | /bin/awk -F "\'" '{ print $1 }' 2>/dev/null) \
> > > != "userdom_unpriv_user_template" ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "Template 'userdom_unpriv_user_template()' not found" >&2
> > >     exit 192
> > > fi
> > > 
> > > if [ ! -f /usr/share/selinux/devel/include/admin/sudo.if ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "File '/usr/share/selinux/devel/include/admin/sudo.if' \
> > > not found" >&2
> > >     exit 192
> > > elif [ $(/bin/grep sudo_role_template /usr/share/selinux/devel/include/admin/sudo.if \
> > > | /bin/awk -F "\`" '{ print $2 }' | /bin/awk -F "\'" '{ print $1 }' 2>/dev/null) \
> > > != "sudo_role_template" ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "Template 'sudo_role_template()' not found" >&2
> > >     exit 192
> > > fi
> > > 
> > > if [ ! -f /usr/share/selinux/devel/include/admin/su.if ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "File '/usr/share/selinux/devel/include/admin/su.if' \
> > > not found" >&2
> > >     exit 192
> > > elif [ $(/bin/grep su_role_template /usr/share/selinux/devel/include/admin/su.if \
> > > | /bin/awk -F "\`" '{ print $2 }' | /bin/awk -F "\'" '{ print $1 }' 2>/dev/null) \
> > > != "su_role_template" ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "Template 'su_role_template()' not found" >&2
> > >     exit 192
> > > fi
> > > 
> > > if [ ! -f /usr/share/selinux/devel/include/system/selinuxutil.if ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "File \
> > > '/usr/share/selinux/devel/include/system/selinuxutil.if' not found" >&2
> > >     exit 192
> > > elif [ $(/bin/grep seutil_run_newrole \
> > > /usr/share/selinux/devel/include/system/selinuxutil.if \
> > > | /bin/awk -F "\`" '{ print $2 }' | /bin/awk -F "\'" '{ print $1 }' 2>/dev/null) \
> > > != "seutil_run_newrole" ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "Interface 'seutil_run_newrole()' not found" >&2
> > >     exit 192
> > > fi
> > > 
> > > if [ ! -f /usr/share/selinux/devel/include/support/misc_macros.spt ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "File \
> > > '/usr/share/selinux/devel/include/support/misc_macros.spt' not found" >&2
> > >     exit 192
> > > elif [ $(/bin/grep gen_user \
> > > /usr/share/selinux/devel/include/support/misc_macros.spt \
> > > | /bin/awk -F "\`" '{ print $2 }' | /bin/awk -F "\'" '{ print $1 }' 2>/dev/null) \
> > > != "gen_user" ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "Interface 'gen_user()' not found" >&2
> > >     exit 192
> > > fi
> > > 
> > > if [ ! $(/usr/bin/seinfo -rsystem_r 2>/dev/null) ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "Role 'system_r' not found" >&2
> > >     exit 192
> > > fi
> > > 
> > > if [ ! $(/usr/bin/seinfo -tlocal_login_t 2>/dev/null) ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "Type 'local_login_t' not found" >&2
> > >     exit 192
> > > fi
> > > 
> > > if [ ! $(/usr/bin/seinfo -tsshd_t 2>/dev/null) ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "Type 'sshd_t' not found" >&2
> > >     exit 192
> > > fi
> > > 
> > > if [ ! $(/usr/bin/seinfo -txdm_t 2>/dev/null) ] ; then
> > >     printf "$SCRIPT:$LINENO: %s\n" "Type 'xdm_t' not found" >&2
> > >     exit 192
> > > fi
> > > 
> > > if [ -f "${USER_PREFIX}.te" ] ; then
> > >     printf "%s\n" "Replacing '${USER_PREFIX}.te' source policy file" >&2
> > > fi
> > > 
> > > if [ ! -z "$USER_PREFIX" -a "$GUI" == "GUI" ] ; then
> > >         gui_user $USER_PREFIX
> > > elif [ ! -z "$USER_PREFIX" -a "$GUI" == "" ] ; then
> > >         user $USER_PREFIX
> > > else
> > >         printf "$SCRIPT:$LINENO: %s\n" "Unhandled exception" >&2
> > >         exit 192;
> > > fi
> > > 
> > > if [ "$SUDO" == "SUDO" ] ; then
> > >         sudo $USER_PREFIX
> > > fi
> > > 
> > > if [ "$SU" == "SU" ] ; then
> > >         su $USER_PREFIX
> > > fi
> > > 
> > > if [ ! -z "$ROLE_PREFIX" ] ; then
> > >         role $USER_PREFIX $ROLE_PREFIX
> > > fi
> > > 
> > > if [ ! -z "$INTERFACE_PREFIX" ] ; then
> > > 
> > >         INTERFACE_PREFIX=$(echo $INTERFACE_PREFIX | /bin/sed s/,/" "/)
> > > 
> > >         for interface in $INTERFACE_PREFIX; do
> > >                 interface_prefixes | /bin/grep $interface >/dev/null
> > > 
> > >                 if [ "$?" != 0 ] ; then
> > >                         printf "$SCRIPT:$LINENO: %s\n" "Interface prefix '$interface' unavailable" >&2
> > >                         /bin/rm -f $USER_PREFIX.te
> > >                         exit 192
> > >                 fi
> > >         done
> > > fi
> > > 
> > > for interface in $INTERFACE_PREFIX; do
> > >     interface $USER_PREFIX $ROLE_PREFIX
> > > done
> > > 
> > > /bin/cat >> ${USER_PREFIX}.te <<EOF
> > > gen_user(${USER_PREFIX}_u, user, ${USER_PREFIX}_r ${ROLE_PREFIX}_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > > 
> > > EOF
> > > 
> > > if [ ! -z "$USER_PREFIX" -a "$GUI" == "GUI" ] ; then
> > >     if [ "$(/usr/bin/seinfo --sensitivity | /bin/head -n 1 | /bin/awk -F " " \
> > > '{ print $2 }')" == "0" ] ; then
> > >         /bin/cat > ${USER_PREFIX}_u <<EOF
> > > ${USER_PREFIX}_r:${USER_PREFIX}_t ${USER_PREFIX}_r:${USER_PREFIX}_t
> > > system_r:local_login_t ${USER_PREFIX}_r:${USER_PREFIX}_t
> > > system_r:sshd_t ${USER_PREFIX}_r:${USER_PREFIX}_t
> > > system_r:xdm_t ${USER_PREFIX}_r:${USER_PREFIX}_t
> > > EOF
> > >     else
> > >         /bin/cat > ${USER_PREFIX}_u <<EOF
> > > ${USER_PREFIX}_r:${USER_PREFIX}_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> > > system_r:local_login_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> > > system_r:sshd_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> > > system_r:xdm_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> > > EOF
> > >     fi
> > > elif [ ! -z "$USER_PREFIX" -a "$GUI" == "" ] ; then
> > >     if [ "$(/usr/bin/seinfo --sensitivity | /bin/head -n 1 | /bin/awk -F " " \
> > > '{ print $2 }')" == "0" ] ; then
> > >         /bin/cat > ${USER_PREFIX}_u <<EOF
> > > ${USER_PREFIX}_r:${USER_PREFIX}_t ${USER_PREFIX}_r:${USER_PREFIX}_t
> > > system_r:local_login_t ${USER_PREFIX}_r:${USER_PREFIX}_t
> > > system_r:sshd_t ${USER_PREFIX}_r:${USER_PREFIX}_t
> > > EOF
> > >     else
> > >     /bin/cat > ${USER_PREFIX}_u <<EOF
> > > ${USER_PREFIX}_r:${USER_PREFIX}_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> > > system_r:local_login_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> > > system_r:sshd_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> > > EOF
> > >     fi
> > > else
> > >         printf "$SCRIPT:$LINENO: %s\n" "Unhandled exception" >&2
> > >         exit 192;
> > > fi
> > > 
> > > if [ "$SUDO" == "SUDO" ] ; then
> > >     if [ "$(/usr/bin/seinfo --sensitivity | /bin/head -n 1 | /bin/awk -F " " \
> > > '{ print $2 }')" == "0" ] ; then
> > >         /bin/cat >> ${USER_PREFIX}_u <<EOF
> > > ${USER_PREFIX}_r:${USER_PREFIX}_sudo_t ${USER_PREFIX}_r:${USER_PREFIX}_t
> > > EOF
> > >     else
> > >         /bin/cat >> ${USER_PREFIX}_u <<EOF
> > > ${USER_PREFIX}_r:${USER_PREFIX}_sudo_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> > > EOF
> > >     fi
> > > fi
> > > 
> > > if [ "$SU" == "SU" ] ; then
> > >     if [ "$(/usr/bin/seinfo --sensitivity | /bin/head -n 1 | /bin/awk -F " " \
> > > '{ print $2 }')" == "0" ] ; then
> > >     /bin/cat >> ${USER_PREFIX}_u <<EOF
> > > ${USER_PREFIX}_r:${USER_PREFIX}_su_t ${USER_PREFIX}_r:${USER_PREFIX}_t
> > > EOF
> > >     else
> > >     /bin/cat >> ${USER_PREFIX}_u <<EOF
> > > ${USER_PREFIX}_r:${USER_PREFIX}_su_t:s0 ${USER_PREFIX}_r:${USER_PREFIX}_t:s0
> > > EOF
> > >     fi
> > > fi
> > > 
> > > if [ -f "${USER_PREFIX}_setup.sh" ] ; then
> > >     printf "%s\n" "Replacing '${USER_PREFIX}_setup.sh' script" >&2
> > > fi
> > > 
> > > /bin/cat > ${USER_PREFIX}_setup.sh <<EOF
> > > #!/bin/bash --
> > > 
> > > shopt -s -o nounset
> > > 
> > > declare -rx SCRIPT=\${0##*/}
> > > 
> > > for util in /usr/sbin/semanage /usr/sbin/semodule /usr/sbin/useradd  \
> > > /bin/bash /bin/grep /bin/cp /bin/chmod /bin/awk /bin/head;
> > > do
> > > if [ ! -x \$util ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Utility '\$util' is not executable" >&2
> > > exit 192
> > > fi
> > > done
> > > 
> > > if [ ! -r /etc/selinux/config ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "File '/etc/selinux/config' not readable" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ ! -f /usr/share/selinux/devel/Makefile ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "File '/usr/share/selinux/devel/Makefile' not found" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ "\$(/usr/sbin/semodule -l | /bin/grep "$USER_PREFIX" | \
> > > awk -F " " '{ print \$1 }')" == "${USER_PREFIX}" ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Module with name '$USER_PREFIX' already exists" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ "\$(/usr/sbin/semodule -l | /bin/grep "${USER_PREFIX}" | \
> > > /bin/awk -F " " '{ print \$1 }' | /bin/grep ^$USER_PREFIX$ )" == "$USER_PREFIX" ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Module with name '$USER_PREFIX' already exists" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ ! -d /etc/selinux/"\$(/bin/grep ^SELINUXTYPE= /etc/selinux/config | \
> > > /bin/awk -F "=" '{ print \$2 }' | /bin/awk -F " " \
> > > '{ print \$1 }')"/contexts/users/ ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Directory '/etc/selinux/"\$(/bin/grep \
> > > ^SELINUXTYPE= /etc/selinux/config | /bin/awk -F "=" '{ print \$2 }' | \
> > > /bin/awk -F " " '{ print \$1 }')"/contexts/users/' not found" >&2
> > > exit 192
> > > elif [ ! -w /etc/selinux/"\$(/bin/grep ^SELINUXTYPE= /etc/selinux/config | \
> > > /bin/awk -F "=" '{ print \$2 }' | /bin/awk -F " " \
> > > '{ print \$1 }')"/contexts/users/ ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Directory '/etc/selinux/"\$(/bin/grep \
> > > ^SELINUXTYPE= /etc/selinux/config | /bin/awk -F "=" '{ print \$2 }' | \
> > > /bin/awk -F " " '{ print \$1 }')"/contexts/users/' is not writable" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ -f /etc/selinux/"\$(/bin/grep ^SELINUXTYPE= /etc/selinux/config | \
> > > /bin/awk -F "=" '{ print \$2 }' | /bin/awk -F " " \
> > > '{ print \$1 }')"/contexts/users/${USER_PREFIX}_u ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "File \
> > > '/etc/selinux/"\$(/bin/grep ^SELINUXTYPE= /etc/selinux/config | \
> > > /bin/awk -F "=" '{ print \$2 }' | /bin/awk -F " " \
> > > '{ print \$1 }')"/contexts/users/${USER_PREFIX}_u' already exists" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ ! -r /etc/passwd ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "File '/etc/passwd' not readable" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ "\$(/bin/grep "${USER_PREFIX}" /etc/passwd | \
> > > awk -F ":" '{ print \$1 }')" == "${USER_PREFIX}" ] ; then  
> > > printf "\$SCRIPT:\$LINENO: %s\n" "User '${USER_PREFIX}' already exists" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ "\$(/usr/sbin/semanage login -l | /bin/grep "${USER_PREFIX}" | \
> > > /bin/awk -F " " '{ print \$1 }')" == "$USER_PREFIX" ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "User '${USER_PREFIX}' is already associated" >&2
> > > exit 192
> > > elif [ "\$(/usr/sbin/semanage login -l | /bin/grep "${USER_PREFIX}" | \
> > > /bin/awk -F " " '{ print \$2 }')" == "${USER_PREFIX}_u" ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Identity '${USER_PREFIX}_u' already exists" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ ! -f /etc/security/sepermit.conf ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "File '/etc/security/sepermit.conf' not found" >&2
> > > exit 192
> > > elif [ ! -w /etc/security/sepermit.conf ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "User '/etc/security/sepermit.conf' is not writable" >&2
> > > exit 192
> > > fi
> > > 
> > > printf "%s\n" "Compiling '${USER_PREFIX}.pp' from '${USER_PREFIX}.te'"
> > > make -f /usr/share/selinux/devel/Makefile ${USER_PREFIX}.pp
> > > 
> > > printf "%s\n" "Installing '${USER_PREFIX}.pp'"
> > > /usr/sbin/semodule -i ${USER_PREFIX}.pp
> > > 
> > > printf "%s\n" "Copying '${USER_PREFIX}_u' to '/etc/selinux/"\$(/bin/grep \
> > > ^SELINUXTYPE= /etc/selinux/config | /bin/awk -F "=" '{ print \$2 }' | \
> > > /bin/awk -F " " '{ print \$1 }')"/contexts/users/'"
> > > /bin/cp ${USER_PREFIX}_u /etc/selinux/"\$(/bin/grep \
> > > ^SELINUXTYPE= /etc/selinux/config | /bin/awk -F "=" '{ print \$2 }' | \
> > > /bin/awk -F " " '{ print \$1 }')"/contexts/users/
> > > 
> > > printf "%s\n" "Adding a new user called '$USER_PREFIX'"
> > > /usr/sbin/useradd $USER_PREFIX
> > > 
> > > printf "%s\n" "Do not forget to set a password for user '$USER_PREFIX' manually!"
> > > 
> > > printf "%s\n" "Associating '$USER_PREFIX' with '${USER_PREFIX}_u'"
> > > 
> > > if [ "\$(/usr/bin/seinfo --sensitivity | /bin/head -n 1 | /bin/awk -F " " '{ print \$2 }')" \
> > > == "0" ] ; then
> > > /usr/sbin/semanage login -a -s ${USER_PREFIX}_u $USER_PREFIX
> > > else
> > > /usr/sbin/semanage login -a -s ${USER_PREFIX}_u -r s0 $USER_PREFIX
> > > fi
> > > 
> > > printf "%s\n" "Appending '$USER_PREFIX' to '/etc/security/sepermit.conf'"
> > > printf "%s\n" "$USER_PREFIX" >> /etc/security/sepermit.conf
> > > 
> > > EOF
> > > 
> > > if [ "$SUDO" == "SUDO" ] ; then
> > >     /bin/cat >> ${USER_PREFIX}_setup.sh <<EOF
> > > if [ ! -d /etc/sudoers.d/ ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Directory '/etc/sudoers.d' not found" >&2
> > > exit 192
> > > elif [ ! -w /etc/sudoers.d/ ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Directory '/etc/sudoers.d' is not writable" >&2
> > > exit 192
> > > elif [ -f /etc/sudoers.d/${USER_PREFIX} ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "File '/etc/sudoers.d/${USER_PREFIX}' already exists" >&2
> > > exit 192
> > > fi
> > > 
> > > printf "%s\n" "Setting up sudo for '$USER_PREFIX'"
> > > printf "%s\n" "$USER_PREFIX \${HOSTNAME}=(root) ALL" > /etc/sudoers.d/$USER_PREFIX
> > > /bin/chmod 0440 /etc/sudoers.d/$USER_PREFIX
> > > 
> > > #EOF
> > > EOF
> > > fi
> > > 
> > > /bin/chmod +x ${USER_PREFIX}_setup.sh 
> > > 
> > > if [ -f "${USER_PREFIX}_remove.sh" ] ; then
> > >     printf "%s\n" "Replacing '${USER_PREFIX}_remove.sh' script" >&2
> > > fi
> > > 
> > > /bin/cat > ${USER_PREFIX}_remove.sh <<EOF
> > > #!/bin/bash --
> > > 
> > > shopt -s -o nounset
> > > 
> > > declare -rx SCRIPT=\${0##*/}
> > > 
> > > for util in /usr/sbin/semanage /usr/sbin/semodule /usr/sbin/userdel \
> > > /bin/rm /bin/bash /bin/grep /bin/awk /bin/sed;
> > > do
> > > if [ ! -x $util ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Utility '$util' is not executable" >&2
> > > exit 192
> > > fi
> > > done
> > > 
> > > if [ "\$(/usr/sbin/semanage login -l | /bin/grep "${USER_PREFIX}" | \
> > > /bin/awk -F " " '{ print \$1 ":" \$2}')" != ""$USER_PREFIX":"${USER_PREFIX}_u"" ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Association '"${USER_PREFIX}":"${USER_PREFIX}_u"' \
> > > not found" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ "\$(/bin/grep "${USER_PREFIX}" /etc/passwd | \
> > > /bin/awk -F ":" '{ print \$1 }')" != "${USER_PREFIX}" ] ; then  
> > > printf "\$SCRIPT:\$LINENO: %s\n" "User '${USER_PREFIX}' does not exist" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ "\$(/usr/sbin/semodule -l | /bin/grep "${USER_PREFIX}" | \
> > > /bin/awk -F " " '{ print \$1 }' | /bin/grep ^$USER_PREFIX$ )" != "$USER_PREFIX" ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Module with name '$USER_PREFIX' is not installed" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ ! -d /etc/selinux/"\$(/bin/grep ^SELINUXTYPE= /etc/selinux/config | \
> > > /bin/awk -F "=" '{ print \$2 }' | /bin/awk -F " " '{ print \$1 }')"/contexts/users/ ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Directory '/etc/selinux/"\$(/bin/grep \
> > > ^SELINUXTYPE= /etc/selinux/config | /bin/awk -F "=" \
> > > '{ print \$2 }' | /bin/awk -F " " '{ print \$1 }')"/contexts/users/' not found" >&2
> > > exit 192
> > > elif [ ! -w /etc/selinux/"\$(/bin/grep ^SELINUXTYPE= /etc/selinux/config | \
> > > /bin/awk -F "=" '{ print \$2 }' | /bin/awk -F " " '{ print \$1 }')"/contexts/users/ ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Directory '/etc/selinux/"\$(/bin/grep \
> > > ^SELINUXTYPE= /etc/selinux/config | /bin/awk -F "=" \
> > > '{ print \$2 }' | /bin/awk -F " " '{ print \$1 }')"/contexts/users/' is not writable" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ ! -f /etc/selinux/"\$(/bin/grep ^SELINUXTYPE= /etc/selinux/config | \
> > > /bin/awk -F "=" '{ print \$2 }' | /bin/awk -F " " '{ print \$1 }')"/contexts/users/${USER_PREFIX}_u ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "File \
> > > '/etc/selinux/"\$(/bin/grep ^SELINUXTYPE= /etc/selinux/config | \
> > > /bin/awk -F "=" '{ print \$2 }' | /bin/awk -F " " '{ print \$1 }')"/contexts/users/${USER_PREFIX}_u' does not \
> > > exist" >&2
> > > exit 192
> > > fi
> > > 
> > > if [ ! -f /etc/security/sepermit.conf ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "File '/etc/security/sepermit.conf' not found" >&2
> > > exit 192
> > > elif [ ! -w /etc/security/sepermit.conf ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "User '/etc/security/sepermit.conf' is not writable" >&2
> > > exit 192
> > > fi
> > > 
> > > printf "%s\n" "Removing association of '$USER_PREFIX' with '${USER_PREFIX}_u'"
> > > 
> > > if [ "\$(/usr/bin/seinfo --sensitivity | /bin/head -n 1 | /bin/awk -F " " '{ print \$2 }')" \
> > > == "0" ] ; then
> > > /usr/sbin/semanage login -d -s ${USER_PREFIX}_u $USER_PREFIX
> > > else
> > > /usr/sbin/semanage login -d -s ${USER_PREFIX}_u -r s0 $USER_PREFIX
> > > fi
> > > 
> > > printf "%s\n" "Removing a new user called '$USER_PREFIX'"
> > > /usr/sbin/userdel -r $USER_PREFIX
> > > 
> > > printf "%s\n" "Uninstalling the '$USER_PREFIX' module"
> > > /usr/sbin/semodule -r $USER_PREFIX
> > > 
> > > printf "%s\n" "Removing '/etc/selinux/"\$(/bin/grep ^SELINUXTYPE= \
> > > /etc/selinux/config | /bin/awk -F "=" '{ print \$2 }' | /bin/awk -F " " \
> > > '{ print \$1 }')"/contexts/users/${USER_PREFIX}_u'"
> > > /bin/rm -f /etc/selinux/"\$(/bin/grep ^SELINUXTYPE= /etc/selinux/config | \
> > > /bin/awk -F "=" '{ print \$2 }' | /bin/awk -F " " \
> > > '{ print \$1 }')"/contexts/users/${USER_PREFIX}_u
> > > 
> > > 
> > > printf "%s\n" "Removing '${USER_PREFIX}' from '/etc/security/sepermit.conf'"
> > >  
> > > if [ "\$(/bin/grep ^"$USER_PREFIX" /etc/security/sepermit.conf)" == "$USER_PREFIX" ] ; then
> > > /bin/sed -i "/^${USER_PREFIX}$/d" /etc/security/sepermit.conf
> > > fi
> > > 
> > > EOF
> > > 
> > > if [ "$SUDO" == "SUDO" ] ; then
> > >     /bin/cat >> ${USER_PREFIX}_remove.sh <<EOF
> > > if [ ! -d /etc/sudoers.d/ ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Directory '/etc/sudoers.d' not found" >&2
> > > exit 192
> > > elif [ ! -w /etc/sudoers.d/ ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "Directory '/etc/sudoers.d' is not writable" >&2
> > > exit 192
> > > elif [ ! -f /etc/sudoers.d/${USER_PREFIX} ] ; then
> > > printf "\$SCRIPT:\$LINENO: %s\n" "File '/etc/sudoers.d/${USER_PREFIX}' does not exist" >&2
> > > exit 192
> > > fi
> > > 
> > > printf "%s\n" "Removing '/etc/sudoers.d/$USER_PREFIX'"
> > > /bin/rm -f /etc/sudoers.d/$USER_PREFIX
> > > 
> > > #EOF
> > > EOF
> > > fi
> > > 
> > > /bin/chmod +x ${USER_PREFIX}_remove.sh
> > > 
> > > # TODO: sepermit support
> > > 
> > > #EOF
> > 
> 


--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux





[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux