Re: [PATCH v2 1/1] genhomedircon: use userprefix as the role for homedir content


 



On 10/06/2016 07:09 AM, Gary Tierney wrote:
> Treat a user's prefix like a mapping to the role for file context
> specifications in users' homedirs.  This behavior is only applicable when
> the user's prefix is the identifier of a role which is valid for the
> given user.  If the prefix is not a valid role, then genhomedircon will
> write contexts out as normal.
> 
> Additionally, this commit enables configuring RBACSEP in policy:
> 
> (tunableif enable_rbacsep
>     (true
>         (userprefix user_u user_r)
>     (false
>         (userprefix user_u object_r))))

Thanks, applied.

> 
> Signed-off-by: Gary Tierney <gary.tierney@xxxxxxx>
> ---
>  libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++---
>  1 file changed, 35 insertions(+), 3 deletions(-)
> 
> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
> index 3fc9e7a..0dd2b29 100644
> --- a/libsemanage/src/genhomedircon.c
> +++ b/libsemanage/src/genhomedircon.c
> @@ -100,6 +100,7 @@ typedef struct user_entry {
>  	char *home;
>  	char *level;
>  	char *login;
> +	char *homedir_role;
>  	struct user_entry *next;
>  } genhomedircon_user_entry_t;
>  
> @@ -177,6 +178,13 @@ static int ignore(const char *homedir) {
>  	return 0;
>  }
>  
> +static int prefix_is_homedir_role(const semanage_user_t *user,
> +				  const char *prefix)
> +{
> +	return strcmp(OBJECT_R, prefix) == 0 ||
> +		semanage_user_has_role(user, prefix);
> +}
> +
>  static semanage_list_t *default_shell_list(void)
>  {
>  	semanage_list_t *list = NULL;
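Review bot: prefix_is_homedir_role() hands `user` straight to semanage_user_has_role(), but the setup_fallback_user hunk later in this patch calls it with `u`, which that function already treats as possibly NULL (`if (u)` guards the semanage_user_free call). When the user lookup failed and `u` is NULL, the call presumably dereferences it before the role check can return. Either guard the helper, `if (!user) return strcmp(OBJECT_R, prefix) == 0;`, or change the caller to `if (u && prefix_is_homedir_role(u, prefix))`. A one-line comment above the helper stating the contract would also help: `/* The prefix is used as the homedir role only when it is object_r or a role the user is authorized for. */`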
> @@ -638,6 +646,11 @@ static int write_contexts(genhomedircon_settings_t *s, FILE *out,
>  			goto fail;
>  		}
>  
> +		if (user->homedir_role &&
> +		    sepol_context_set_role(sepolh, context, user->homedir_role) < 0) {
> +			goto fail;
> +		}
> +
>  		if (sepol_context_to_string(sepolh, context,
>  					    &new_context_str) < 0) {
>  			goto fail;
> @@ -756,7 +769,7 @@ static int name_user_cmp(char *key, semanage_user_t ** val)
>  static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
>  			   const char *u, const char *g, const char *sen,
>  			   const char *pre, const char *h, const char *l,
> -			   const char *ln)
> +			   const char *ln, const char *hd_role)
>  {
>  	genhomedircon_user_entry_t *temp = NULL;
>  	char *name = NULL;
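Review bot: The new `hd_role` parameter is optional — the later hunk only strdup()s it when non-NULL and write_contexts() only sets the role when homedir_role is set — but nothing at the signature says so, and every other string parameter of push_user_entry is required. A short comment at the prototype, `/* hd_role: role to apply to homedir contexts, or NULL to keep the role from the template context */`, makes the two callers' intent clear. push_user_entry's body continues outside this hunk.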
> @@ -767,6 +780,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
>  	char *home = NULL;
>  	char *level = NULL;
>  	char *lname = NULL;
> +	char *homedir_role = NULL;
>  
>  	temp = malloc(sizeof(genhomedircon_user_entry_t));
>  	if (!temp)
> @@ -795,6 +809,11 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
>  	lname = strdup(ln);
>  	if (!lname)
>  		goto cleanup;
> +	if (hd_role) {
> +		homedir_role = strdup(hd_role);
> +		if (!homedir_role)
> +			goto cleanup;
> +	}
>  
>  	temp->name = name;
>  	temp->uid = uid;
> @@ -804,6 +823,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
>  	temp->home = home;
>  	temp->level = level;
>  	temp->login = lname;
> +	temp->homedir_role = homedir_role;
>  	temp->next = (*list);
>  	(*list) = temp;
>  
> @@ -818,6 +838,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n,
>  	free(home);
>  	free(level);
>  	free(lname);
> +	free(homedir_role);
>  	free(temp);
>  	return STATUS_ERR;
>  }
> @@ -839,6 +860,7 @@ static void pop_user_entry(genhomedircon_user_entry_t ** list)
>  	free(temp->home);
>  	free(temp->level);
>  	free(temp->login);
> +	free(temp->homedir_role);
>  	free(temp);
>  }
>  
> @@ -852,6 +874,7 @@ static int setup_fallback_user(genhomedircon_settings_t * s)
>  	const char *seuname = NULL;
>  	const char *prefix = NULL;
>  	const char *level = NULL;
> +	const char *homedir_role = NULL;
>  	unsigned int i;
>  	int retval;
>  	int errors = 0;
> @@ -886,10 +909,14 @@ static int setup_fallback_user(genhomedircon_settings_t * s)
>  					level = FALLBACK_LEVEL;
>  			}
>  
> +			if (prefix_is_homedir_role(u, prefix)) {
> +				homedir_role = prefix;
> +			}
> +
>  			if (push_user_entry(&(s->fallback), FALLBACK_NAME,
>  					    FALLBACK_UIDGID, FALLBACK_UIDGID,
>  					    seuname, prefix, "", level,
> -					    FALLBACK_NAME) != 0)
> +					    FALLBACK_NAME, homedir_role) != 0)
>  				errors = STATUS_ERR;
>  			semanage_user_key_free(key);
>  			if (u)
> @@ -946,6 +973,7 @@ static int add_user(genhomedircon_settings_t * s,
>  	struct passwd pwstorage, *pwent = NULL;
>  	const char *prefix = NULL;
>  	const char *level = NULL;
> +	const char *homedir_role = NULL;
>  	char uid[11];
>  	char gid[11];
>  
> @@ -969,6 +997,10 @@ static int add_user(genhomedircon_settings_t * s,
>  		level = FALLBACK_LEVEL;
>  	}
>  
> +	if (prefix_is_homedir_role(user, prefix)) {
> +		homedir_role = prefix;
> +	}
> +
>  	retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
>  	if (retval != 0 || pwent == NULL) {
>  		if (retval != 0 && retval != ENOENT) {
> @@ -1010,7 +1042,7 @@ static int add_user(genhomedircon_settings_t * s,
>  	}
>  
>  	retval = push_user_entry(head, name, uid, gid, sename, prefix,
> -				pwent->pw_dir, level, selogin);
> +				pwent->pw_dir, level, selogin, homedir_role);
>  cleanup:
>  	free(rbuf);
>  	return retval;
> 



