Hi, Again no rational and not original author
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -283,8 +283,8 @@
 char *rbuf = NULL;
 char *path = NULL;
 long rbuflen;
- uid_t temp, minuid = 0;
- int minuid_set = 0;
+ uid_t temp, minuid = 0, maxuid = 0;
+ int minuid_set = 0, maxuid_set = 0;
 struct passwd pwstorage, *pwbuf;
 struct stat buf;
 int retval;
@@ -334,6 +334,16 @@
 }
 free(path);
 path = NULL;
+ path = semanage_findval(PATH_ETC_LOGIN_DEFS, "UID_MAX", NULL);
+ if (path && *path) {
+ temp = atoi(path);
+ if (!maxuid_set || temp > maxuid) {
+ maxuid = temp;
+ maxuid_set = 1;
+ }
+ }
+ free(path);
+ path = NULL;
 path = semanage_findval(PATH_ETC_LIBUSER, "LU_UIDNUMBER", "=");
 if (path && *path) {
@@ -350,6 +360,10 @@
 minuid = 500;
 minuid_set = 1;
 }
+ if (!maxuid_set) {
+ maxuid = 60000;
+ maxuid_set = 1;
+ }
 rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX);
 if (rbuflen <= 0)
@@ -359,7 +373,7 @@
 goto fail;
 setpwent();
 while ((retval = getpwent_r(&pwstorage, rbuf, rbuflen, &pwbuf)) == 0) {
- if (pwbuf->pw_uid < minuid)
+ if (pwbuf->pw_uid < minuid || pwbuf->pw_uid > maxuid)
 continue;
 if (!semanage_list_find(shells, pwbuf->pw_shell))
 continue;
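Review bot: `temp = atoi(path);` in the new UID_MAX block of the @@ -334 hunk accepts any string silently: a non-numeric value yields 0, so maxuid becomes 0 and the `pw_uid > maxuid` test added in the @@ -359 hunk then skips every account, while a negative value wraps through the unsigned uid_t into a huge limit. Either way no home-directory contexts are generated and nothing is logged, which is easy to miss during policy deployment. The UID_MIN parsing above the hunk appears to follow the same atoi pattern, so the same fix would apply there; parse with strtoul, reject trailing garbage and overflow, and warn on a bad value rather than adopting 0. The enclosing function starts and ends outside the hunk, and `errno`/`ERANGE` need <errno.h> if the file does not already include it.
```c
path = semanage_findval(PATH_ETC_LOGIN_DEFS, "UID_MAX", NULL);
if (path && *path) {
	char *end = NULL;
	unsigned long val;

	errno = 0;
	val = strtoul(path, &end, 10);
	if (end == path || *end != '\0' || errno == ERANGE) {
		WARN(s->h_semanage, "ignoring invalid UID_MAX value in %s", PATH_ETC_LOGIN_DEFS);
	} else if (!maxuid_set || val > maxuid) {
		maxuid = (uid_t)val;
		maxuid_set = 1;
	}
}
/* … unchanged: free(path); path = NULL; … */
```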
@@ -392,7 +406,7 @@
 /* NOTE: old genhomedircon printed a warning on match */
 if (hand.matched) {
- WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than %u or its login shell is /sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid);
+ WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than %u or greater than %u or its login shell is /sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid, maxuid);
 } else {
 if (semanage_list_push(&homedir_list, path))
 goto fail;
@@ -743,7 +757,7 @@
 semanage_seuser_t **seuser_list = NULL;
 unsigned int nseusers = 0;
 semanage_user_key_t *key = NULL;
- semanage_user_t *u = NULL;
+ semanage_user_t *the_user = NULL;
 const char *name = NULL;
 const char *seuname = NULL;
 const char *prefix = NULL;
@@ -769,22 +783,22 @@
 errors = STATUS_ERR;
 break;
 }
- if (semanage_user_query(s->h_semanage, key, &u) < 0)
+ if (semanage_user_query(s->h_semanage, key, &the_user) < 0)
 {
 prefix = name;
 level = "s0";
 }
 else
 {
- prefix = semanage_user_get_prefix(u);
- level = semanage_user_get_mlslevel(u);
+ prefix = semanage_user_get_prefix(the_user);
+ level = semanage_user_get_mlslevel(the_user);
 }
 if (set_fallback_user(s, seuname, prefix, level) != 0)
 errors = STATUS_ERR;
 semanage_user_key_free(key);
- if (u)
- semanage_user_free(u);
+ if (the_user)
+ semanage_user_free(the_user);
 break;
 }
 }
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.