Re: libsemanage: special handling of the identity reserved to system objects

On 12/29/2016 12:05 AM, Guido Trentalancia wrote:
> The following patch makes sure that the SELinux identity
> reserved for system processes and objects is skipped
> when adding users and that no prefix is associated to it.
> 
> A warning is produced when a Unix identity is found to be
> equal to the SELinux user identity for system processes
> and objects.
> 
> Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
> ---
>  include/semanage/user_record.h |    2 ++
>  src/genhomedircon.c            |   20 ++++++++++++++++----
>  src/user_record.c              |   15 ++++++++++++---
>  3 files changed, 30 insertions(+), 7 deletions(-)
> 
> diff -pru libsemanage-2.6-orig/include/semanage/user_record.h libsemanage-2.6/include/semanage/user_record.h
> --- libsemanage-2.6-orig/include/semanage/user_record.h	2016-10-14 17:31:26.000000000 +0200
> +++ libsemanage-2.6/include/semanage/user_record.h	2016-12-28 23:22:50.848589870 +0100
> @@ -6,6 +6,8 @@
>  #include <stddef.h>
>  #include <semanage/handle.h>
>  
> +#define SYS_OBJECTS_USERID	"system_u"

SELinux is supposed to be a flexible and customizable framework that
allows for fine-grained mandatory access control.

Hard-coding customizable identifiers is frowned upon by some of us.

> +
>  struct semanage_user;
>  typedef struct semanage_user semanage_user_t;
>  
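Review bot: SYS_OBJECTS_USERID is added to the installed public header include/semanage/user_record.h without a semanage_/SEMANAGE_ prefix, so every consumer of libsemanage inherits a generic macro name it did not ask for. Both users of the constant in this patch live under src/, so a definition in a private header would avoid the namespace leak; better still, obtain the reserved identity from the loaded policy or a configuration value rather than baking "system_u" into the library at compile time, which also answers the hard-coding objection above.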
> diff -pru libsemanage-2.6-orig/src/genhomedircon.c libsemanage-2.6/src/genhomedircon.c
> --- libsemanage-2.6-orig/src/genhomedircon.c	2016-10-14 17:31:26.000000000 +0200
> +++ libsemanage-2.6/src/genhomedircon.c	2016-12-28 23:34:38.510319855 +0100
> @@ -998,14 +998,26 @@ static int add_user(genhomedircon_settin
>  		homedir_role = prefix;
>  	}
>  
> +	/* There should be no Unix identity corresponding
> +	 * to SELinux user reserved for system processes
> +	 * and objects */
>  	retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent);
> -	if (retval != 0 || pwent == NULL) {
> -		if (retval != 0 && retval != ENOENT) {
> +	if (strcmp(name, SYS_OBJECTS_USERID)) {
> +		if (retval != 0 || pwent == NULL) {
> +			if (retval != 0 && retval != ENOENT) {
> +				goto cleanup;
> +			}
> +
> +			WARN(s->h_semanage,
> +			     "user %s not in password file", name);
> +			retval = STATUS_SUCCESS;
>  			goto cleanup;
>  		}
> +	} else {
> +		if (retval)
> +			WARN(s->h_semanage,
> +			     "There should be no Unix identity \"%s\" !", SYS_OBJECTS_USERID);
>  
> -		WARN(s->h_semanage,
> -		     "user %s not in password file", name);
>  		retval = STATUS_SUCCESS;
>  		goto cleanup;
>  	}
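Review bot: the warning condition in the new else branch is inverted. getpwnam_r() returns 0 on success, so `if (retval)` fires when the lookup failed (or, with ENOENT-returning libcs, when no such account exists) and stays silent in exactly the case the commit message wants to flag, namely a passwd entry named system_u. The test should be `if (retval == 0 && pwent != NULL)`, and a genuine lookup error (retval != 0 && retval != ENOENT) should still go to cleanup with the error code rather than being mapped to STATUS_SUCCESS, as the non-reserved path already does. Minor: `if (strcmp(name, SYS_OBJECTS_USERID))` as a bare truth value is easy to misread; `!= 0` makes the "name differs" intent explicit.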
> diff -pru libsemanage-2.6-orig/src/user_record.c libsemanage-2.6/src/user_record.c
> --- libsemanage-2.6-orig/src/user_record.c	2016-10-14 17:31:26.000000000 +0200
> +++ libsemanage-2.6/src/user_record.c	2016-12-28 23:30:51.544449423 +0100
> @@ -348,9 +348,18 @@ hidden int semanage_user_join(semanage_h
>  		if (semanage_user_extra_set_name(handle, tmp_user->extra, name)
>  		    < 0)
>  			goto err;
> -		if (semanage_user_extra_set_prefix
> -		    (handle, tmp_user->extra, "user") < 0)
> -			goto err;
> +
> +		/* The user identity reserved for system processes
> +		 * and objects shall have no prefix */
> +		if (strcmp(name, SYS_OBJECTS_USERID)) {
> +			if (semanage_user_extra_set_prefix
> +			    (handle, tmp_user->extra, "user") < 0)
> +				goto err;
> +		} else {
> +			if (semanage_user_extra_set_prefix
> +			    (handle, tmp_user->extra, "") < 0)
> +				goto err;
> +		}
>  	}
>  
>  	if (semanage_user_set_name(handle, tmp_user, name) < 0)
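Review bot: the two branches of the new if/else differ only in the string literal passed to semanage_user_extra_set_prefix(), so this collapses to one call with `strcmp(name, SYS_OBJECTS_USERID) != 0 ? "user" : ""` and the comment above it. What an empty prefix means for callers also deserves a sentence in the commit message or the comment: the add_user() context in the genhomedircon.c hunk shows `homedir_role = prefix;`, and while the reserved name is skipped there before the role is used, that coupling between the two files is what makes "" safe and should be stated rather than left implicit.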


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
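The behaviour the patch aims for, skipping the reserved identity and warning when a matching Unix account exists, is small enough to be written as a pure decision function and tested without a policy store. The following is an added example, not code from libsemanage or from the patch author: the enum names, classify_lookup(), decide_user() and lookup_unix_user() are hypothetical, and the reserved identity is a parameter instead of a compiled-in "system_u" so a renamed site policy still works. The three lookup outcomes mirror what getpwnam_r() can return: 0 with a result, 0 (or ENOENT) with no result, or a real error.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Outcome of a getpwnam_r() call, reduced to the cases add_user() must tell apart. */
enum pw_lookup {
    PW_FOUND,      /* retval == 0 and a passwd entry was returned            */
    PW_NOT_FOUND,  /* no entry: retval 0 with NULL result, or ENOENT         */
    PW_ERROR       /* any other non-zero retval (EIO, ERANGE, ...)           */
};

/* What the caller should do with one SELinux user record (hypothetical names). */
enum user_action {
    ACTION_PROCEED,    /* ordinary user with a Unix account: generate contexts */
    ACTION_SKIP,       /* skip the record silently                             */
    ACTION_SKIP_WARN,  /* skip the record and emit the message in `warned`     */
    ACTION_FAIL        /* lookup error: propagate, do not report success       */
};

/* Map the (retval, result) pair from getpwnam_r() onto one outcome.
 * POSIX signals "not found" as retval 0 with a NULL result; some libcs
 * return ENOENT instead, so both are treated the same. */
enum pw_lookup classify_lookup(int retval, const struct passwd *pwent)
{
    if (retval == 0 && pwent != NULL)
        return PW_FOUND;
    if (retval == 0 || retval == ENOENT)
        return PW_NOT_FOUND;
    return PW_ERROR;
}

/* Decide how to handle SELinux user `name`.  `reserved_user` is the identity
 * reserved for system processes and objects ("system_u" under the reference
 * policy), supplied by the caller rather than hard-coded.  `warned` receives
 * the warning text (empty string when there is nothing to warn about). */
enum user_action decide_user(const char *name, const char *reserved_user,
                             enum pw_lookup outcome, char *warned, size_t warnlen)
{
    int is_reserved = reserved_user != NULL && strcmp(name, reserved_user) == 0;

    if (warned != NULL && warnlen > 0)
        warned[0] = '\0';

    /* A real lookup failure is an error in both paths, never a policy fact. */
    if (outcome == PW_ERROR)
        return ACTION_FAIL;

    if (is_reserved) {
        /* The reserved identity never gets a home directory context.  An
         * actual passwd entry with that name is the suspicious case, so that
         * (and only that) produces the warning. */
        if (outcome == PW_FOUND) {
            if (warned != NULL)
                snprintf(warned, warnlen,
                         "There should be no Unix identity \"%s\"", name);
            return ACTION_SKIP_WARN;
        }
        return ACTION_SKIP;
    }

    if (outcome == PW_FOUND)
        return ACTION_PROCEED;

    if (warned != NULL)
        snprintf(warned, warnlen, "user %s not in password file", name);
    return ACTION_SKIP_WARN;
}

/* Real lookup against the local account database via the reentrant
 * getpwnam_r(), the same call genhomedircon.c uses. */
enum pw_lookup lookup_unix_user(const char *name)
{
    struct passwd pwstorage, *pwent = NULL;
    char rbuf[16384];
    int retval = getpwnam_r(name, &pwstorage, rbuf, sizeof rbuf, &pwent);
    return classify_lookup(retval, pwent);
}

int main(void)
{
    /* Constructed sample records: (SELinux user, lookup outcome). */
    struct { const char *name; enum pw_lookup outcome; } samples[] = {
        { "system_u", PW_NOT_FOUND }, { "system_u", PW_FOUND },
        { "staff_u",  PW_FOUND },     { "staff_u",  PW_NOT_FOUND },
        { "staff_u",  PW_ERROR },
    };
    static const char *names[] = { "proceed", "skip", "skip+warn", "fail" };
    char msg[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum user_action a = decide_user(samples[i].name, "system_u",
                                         samples[i].outcome, msg, sizeof msg);
        printf("%-9s outcome=%d -> %-9s %s\n", samples[i].name,
               samples[i].outcome, names[a], msg);
    }
    return 0;
}
```

The point of the split between classify_lookup() and decide_user() is that the condition the patch gets wrong, "does a Unix account with the reserved name exist", becomes an explicit PW_FOUND comparison instead of a bare `if (retval)`, and a lookup error is surfaced as ACTION_FAIL in both branches rather than being reported as success.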

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
