On 10/06/2016 07:09 AM, Gary Tierney wrote: > Treat a users prefix like a mapping to the role for file context > specifications in users homedirs. This behavior is only applicable when > the users prefix is the identifier of a role which is valid for the > given user. If the prefix is not a valid role, then genhomedircon will > write contexts out as normal. > > Additionally, this commit enables configuring RBACSEP in policy: > > (tunableif enable_rbacsep > (true > (userprefix user_u user_r) > (false > (userprefix user_u object_r)))) Thanks, applied. > > Signed-off-by: Gary Tierney <gary.tierney@xxxxxxx> > --- > libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++--- > 1 file changed, 35 insertions(+), 3 deletions(-) > > diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c > index 3fc9e7a..0dd2b29 100644 > --- a/libsemanage/src/genhomedircon.c > +++ b/libsemanage/src/genhomedircon.c > @@ -100,6 +100,7 @@ typedef struct user_entry { > char *home; > char *level; > char *login; > + char *homedir_role; > struct user_entry *next; > } genhomedircon_user_entry_t; > > @@ -177,6 +178,13 @@ static int ignore(const char *homedir) { > return 0; > } > > +static int prefix_is_homedir_role(const semanage_user_t *user, > + const char *prefix) > +{ > + return strcmp(OBJECT_R, prefix) == 0 || > + semanage_user_has_role(user, prefix); > +} > + > static semanage_list_t *default_shell_list(void) > { > semanage_list_t *list = NULL; > @@ -638,6 +646,11 @@ static int write_contexts(genhomedircon_settings_t *s, FILE *out, > goto fail; > } > > + if (user->homedir_role && > + sepol_context_set_role(sepolh, context, user->homedir_role) < 0) { > + goto fail; > + } > + > if (sepol_context_to_string(sepolh, context, > &new_context_str) < 0) { > goto fail; > @@ -756,7 +769,7 @@ static int name_user_cmp(char *key, semanage_user_t ** val) > static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, > const char *u, const char *g, const char *sen, > const char *pre, const char *h, const char *l, > - const char *ln) > + const char *ln, const char *hd_role) > { > genhomedircon_user_entry_t *temp = NULL; > char *name = NULL; > @@ -767,6 +780,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, > char *home = NULL; > char *level = NULL; > char *lname = NULL; > + char *homedir_role = NULL; > > temp = malloc(sizeof(genhomedircon_user_entry_t)); > if (!temp) > @@ -795,6 +809,11 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, > lname = strdup(ln); > if (!lname) > goto cleanup; > + if (hd_role) { > + homedir_role = strdup(hd_role); > + if (!homedir_role) > + goto cleanup; > + } > > temp->name = name; > temp->uid = uid; > @@ -804,6 +823,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, > temp->home = home; > temp->level = level; > temp->login = lname; > + temp->homedir_role = homedir_role; > temp->next = (*list); > (*list) = temp; > > @@ -818,6 +838,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, > free(home); > free(level); > free(lname); > + free(homedir_role); > free(temp); > return STATUS_ERR; > } > @@ -839,6 +860,7 @@ static void pop_user_entry(genhomedircon_user_entry_t ** list) > free(temp->home); > free(temp->level); > free(temp->login); > + free(temp->homedir_role); > free(temp); > } > > @@ -852,6 +874,7 @@ static int setup_fallback_user(genhomedircon_settings_t * s) > const char *seuname = NULL; > const char *prefix = NULL; > const char *level = NULL; > + const char *homedir_role = NULL; > unsigned int i; > int retval; > int errors = 0; > @@ -886,10 +909,14 @@ static int setup_fallback_user(genhomedircon_settings_t * s) > level = FALLBACK_LEVEL; > } > > + if (prefix_is_homedir_role(u, prefix)) { > + homedir_role = prefix; > + } > + > if (push_user_entry(&(s->fallback), FALLBACK_NAME, > FALLBACK_UIDGID, FALLBACK_UIDGID, > seuname, prefix, "", level, > - FALLBACK_NAME) != 0) > + FALLBACK_NAME, homedir_role) != 0) > errors = STATUS_ERR; > semanage_user_key_free(key); > if (u) > @@ -946,6 +973,7 @@ static int add_user(genhomedircon_settings_t * s, > struct passwd pwstorage, *pwent = NULL; > const char *prefix = NULL; > const char *level = NULL; > + const char *homedir_role = NULL; > char uid[11]; > char gid[11]; > > @@ -969,6 +997,10 @@ static int add_user(genhomedircon_settings_t * s, > level = FALLBACK_LEVEL; > } > > + if (prefix_is_homedir_role(user, prefix)) { > + homedir_role = prefix; > + } > + > retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent); > if (retval != 0 || pwent == NULL) { > if (retval != 0 && retval != ENOENT) { > @@ -1010,7 +1042,7 @@ static int add_user(genhomedircon_settings_t * s, > } > > retval = push_user_entry(head, name, uid, gid, sename, prefix, > - pwent->pw_dir, level, selogin); > + pwent->pw_dir, level, selogin, homedir_role); > cleanup: > free(rbuf); > return retval; > _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.