Re: [PATCH v2] libsemanage: special handling of the identity reserved to system objects

On Tue, Jan 10, 2017 at 02:11:24PM +0100, Guido Trentalancia wrote:
> Hello. 
> 
> I am not using the Fedora policy, but in Reference Policy, if I comment out the line containing "system_u" in the files config/appconfig-{standard,mcs,mls}/seusers then the problem disappears... 

They were removed from refpolicy months ago:
https://github.com/TresysTechnology/refpolicy/commit/79f31a04739dad7c7369616cd7c666a57c365511
you should git pull or something.

-- Jason

> 
> Regards, 
> 
> Guido 
> 
> On 10 January 2017 at 09:09:57 CET, Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
> >On 01/09/2017 07:51 PM, Stephen Smalley wrote:
> >> On Mon, 2017-01-09 at 19:46 +0100, Guido Trentalancia wrote:
> >>> Hello, 
> >>>
> >>> the patch has been motivated by the fact that libsemanage currently
> >>> searches for the user "system_u" in the passwd file and reports "user
> >>> system_u not in passwd file".
> >> 
> >> Don't shoot the messenger. That warning is because the Fedora policy
> >> wrongly has system_u in its seusers/login mapping as a login name. We
> >> should fix it there instead by removing that entry, which should not be
> >> needed.
> >
> >This is supposed to be fixed in selinux-policy-3.13.1-219.fc25
> >
> >Currently there's no plan to backport it to Fedora 24 as genhomedircon
> >in Fedora 24 still uses hardcoded system_u.
> >
> >
> >>>
> >>> Also, I have considered the notes in the file policy/users from
> >>> Reference Policy.
> >>>
> >>> Finally, the prefix for system_u is wrongly set to "user_u" (it
> >>> shouldn't have it).
> >>>
> >>> I have tested the patch and it seems to work fine.
> >>>
> >>> I hope it helps. 
> >>>
> >>> Kind regards, 
> >>>
> >>> Guido Trentalancia 
> >>>
> >>> On the 9th of January 2017 19:39:10 CET, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >>>>
> >>>> On Thu, 2016-12-29 at 19:45 +0100, Guido Trentalancia wrote:
> >>>>>
> >>>>> The following patch makes sure that the SELinux identity
> >>>>> reserved for system processes and objects is skipped
> >>>>> when adding users.
> >>>>>
> >>>>> A warning is produced when a Unix identity is found to be
> >>>>> equal to the SELinux user identity for system processes
> >>>>> and objects.
> >>>>>
> >>>>> This patch also avoids creating an extra record for a user
> >>>>> if there is no prefix.
> >>>>
> >>>> What problem are you encountering that motivated this patch?
> >>>> What is a test case for this problem?
> >>>> What is the behavior before and after this patch?
> >>>>
> >>>>>
> >>>>>
> >>>>> Signed-off-by: Guido Trentalancia <guido@xxxxxxxxxxxxxxxx>
> >>>>> ---
> >>>>>  include/semanage/user_record.h |    2 ++
> >>>>>  src/genhomedircon.c            |   23 +++++++++++++++++++----
> >>>>>  src/user_extra_record.c        |   39
> >>>>> ++++++++++++++++++++++++++++++++-------
> >>>>>  src/user_record.c              |   40 +++++++++++++++++++++++++-
> >>>>> ----
> >>>>> ----------
> >>>>>  4 files changed, 78 insertions(+), 26 deletions(-)
> >>>>>
> >>>>> diff -pru a/include/semanage/user_record.h
> >>>>> b/include/semanage/user_record.h
> >>>>> --- a/include/semanage/user_record.h	2016-10-14
> >>>>> 17:31:26.000000000 +0200
> >>>>> +++ b/include/semanage/user_record.h	2016-12-28
> >>>>> 23:22:50.848589870 +0100
> >>>>> @@ -6,6 +6,8 @@
> >>>>>  #include <stddef.h>
> >>>>>  #include <semanage/handle.h>
> >>>>>  
> >>>>> +#define SYS_OBJECTS_USERID	"system_u"
> >>>>> +
> >>>>>  struct semanage_user;
> >>>>>  typedef struct semanage_user semanage_user_t;
> >>>>>  
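Review bot: the new SYS_OBJECTS_USERID macro lands in include/semanage/user_record.h, an installed public header, but carries no SEMANAGE_ prefix, so every program that includes <semanage/user_record.h> picks up a generic name. Its only users are src/genhomedircon.c and the join code in src/user_record.c, so either define it in a private header under src/ or give it a namespaced name such as SEMANAGE_SYSTEM_USER, and add a one-line comment saying that "system_u" is the SELinux identity reserved for system processes and objects.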
> >>>>> diff -pru a/src/genhomedircon.c b/src/genhomedircon.c
> >>>>> --- a/src/genhomedircon.c	2016-10-14 17:31:26.000000000
> >>>>> +0200
> >>>>> +++ b/src/genhomedircon.c	2016-12-29 17:50:10.781727455
> >>>>> +0100
> >>>>> @@ -181,6 +181,9 @@ static int ignore(const char *homedir) {
> >>>>>  static int prefix_is_homedir_role(const semanage_user_t *user,
> >>>>>  				  const char *prefix)
> >>>>>  {
> >>>>> +	if (!prefix)
> >>>>> +		return 0;
> >>>>> +
> >>>>>  	return strcmp(OBJECT_R, prefix) == 0 ||
> >>>>>  		semanage_user_has_role(user, prefix);
> >>>>>  }
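Review bot: the early `return 0` in prefix_is_homedir_role() is the right guard, but nothing here says why prefix can now be NULL. Add a short comment that a user without an extra record has no prefix (the case this patch introduces), otherwise the next reader will assume the caller already rejected NULL and remove the check.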
> >>>>> @@ -998,14 +1001,26 @@ static int add_user(genhomedircon_settin
> >>>>>  		homedir_role = prefix;
> >>>>>  	}
> >>>>>  
> >>>>> +	/* There should be no Unix identity corresponding
> >>>>> +	 * to SELinux user reserved for system processes
> >>>>> +	 * and objects */
> >>>>>  	retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen,
> >>>>> &pwent);
> >>>>> -	if (retval != 0 || pwent == NULL) {
> >>>>> -		if (retval != 0 && retval != ENOENT) {
> >>>>> +	if (strcmp(name, SYS_OBJECTS_USERID)) {
> >>>>> +		if (retval != 0 || pwent == NULL) {
> >>>>> +			if (retval != 0 && retval != ENOENT) {
> >>>>> +				goto cleanup;
> >>>>> +			}
> >>>>> +
> >>>>> +			WARN(s->h_semanage,
> >>>>> +			     "user %s not in password file",
> >>>>> name);
> >>>>> +			retval = STATUS_SUCCESS;
> >>>>>  			goto cleanup;
> >>>>>  		}
> >>>>> +	} else {
> >>>>> +		if (retval)
> >>>>> +			WARN(s->h_semanage,
> >>>>> +			     "There should be no Unix identity
> >>>>> \"%s\" !", SYS_OBJECTS_USERID);
> >>>>>  
> >>>>> -		WARN(s->h_semanage,
> >>>>> -		     "user %s not in password file", name);
> >>>>>  		retval = STATUS_SUCCESS;
> >>>>>  		goto cleanup;
> >>>>>  	}
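Review bot: the system_u branch warns on the wrong condition: `if (retval)` fires when getpwnam_r() fails, i.e. when no Unix account named system_u exists, which is the expected state, and stays silent when such an account does exist (retval == 0 and pwent != NULL), which is the case the comment says should be reported. The test should be `if (retval == 0 && pwent != NULL)`. The same branch also swallows lookup errors other than ENOENT by unconditionally setting retval = STATUS_SUCCESS, where the non-system_u branch still takes the `goto cleanup` error path. Finally, the "There should be no Unix identity" comment sits above the getpwnam_r() call instead of the strcmp() that does the special-casing; move it there and spell the test as `strcmp(name, SYS_OBJECTS_USERID) != 0` so the meaning of the nonzero return is explicit.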
> >>>>> diff -pru a/src/user_extra_record.c b/src/user_extra_record.c
> >>>>> --- a/src/user_extra_record.c	2016-10-14
> >>>>> 17:31:26.000000000
> >>>>> +0200
> >>>>> +++ b/src/user_extra_record.c	2016-12-29
> >>>>> 17:17:26.168737139
> >>>>> +0100
> >>>>> @@ -37,8 +37,9 @@ static int semanage_user_extra_key_extra
> >>>>>  					   semanage_user_key_t
> >>>>> **
> >>>>> key_ptr)
> >>>>>  {
> >>>>>  
> >>>>> -	if (semanage_user_key_create(handle, user_extra->name,
> >>>>> key_ptr) < 0)
> >>>>> -		goto err;
> >>>>> +	if (user_extra)
> >>>>> +		if (semanage_user_key_create(handle, user_extra-
> >>>>>>
> >>>>>> name, key_ptr) < 0)
> >>>>> +			goto err;
> >>>>>  
> >>>>>  	return STATUS_SUCCESS;
> >>>>>  
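Review bot: when user_extra is NULL, semanage_user_extra_key_extract() now returns STATUS_SUCCESS without touching *key_ptr, so the caller is told it has a key and then uses whatever key_ptr pointed at before. Either set `*key_ptr = NULL` and return an error, or keep the original unconditional call and stop NULL records from reaching this function in the first place. The nested `if (user_extra)` / `if (...)` / `goto err;` without braces is also hard to read; `if (user_extra && semanage_user_extra_key_create(handle, user_extra->name, key_ptr) < 0)` says the same thing in one line.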
> >>>>> @@ -54,7 +55,10 @@ static int semanage_user_extra_compare(c
> >>>>>  	const char *name;
> >>>>>  	semanage_user_key_unpack(key, &name);
> >>>>>  
> >>>>> -	return strcmp(user_extra->name, name);
> >>>>> +	if (user_extra)
> >>>>> +		return strcmp(user_extra->name, name);
> >>>>> +	else
> >>>>> +		return 1;
> >>>>>  }
> >>>>>  
> >>>>>  static int semanage_user_extra_compare2(const
> >>>>> semanage_user_extra_t
> >>>>> *
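Review bot: returning 1 for a NULL user_extra makes semanage_user_extra_compare() answer "greater than" for every key. That is safe for a lookup, since no key can ever match a missing record, but it deserves a comment, because the sorted-database code this comparator serves relies on a consistent ordering and a reader will wonder whether 1 was chosen deliberately.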
> >>>>> @@ -63,7 +67,10 @@ static int semanage_user_extra_compare2(
> >>>>>  					user_extra2)
> >>>>>  {
> >>>>>  
> >>>>> -	return strcmp(user_extra->name, user_extra2->name);
> >>>>> +	if (user_extra && user_extra2)
> >>>>> +		return strcmp(user_extra->name, user_extra2-
> >>>>>> name);
> >>>>> +	else
> >>>>> +		return 1;
> >>>>>  }
> >>>>>  
> >>>>>  static int semanage_user_extra_compare2_qsort(const
> >>>>> semanage_user_extra_t **
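Review bot: semanage_user_extra_compare2() returns 1 when both arguments are NULL, so two missing records compare as unequal, and it returns 1 for both (a, NULL) and (NULL, a), so the ordering is not antisymmetric. If NULL records are allowed in the database, order them consistently (for example NULL sorts first: -1 when only user_extra is NULL, 1 when only user_extra2 is, 0 when both are); if they are not allowed, the added checks hide the bug rather than fix it.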
> >>>>> @@ -72,7 +79,10 @@ static int semanage_user_extra_compare2_
> >>>>>  					      user_extra2)
> >>>>>  {
> >>>>>  
> >>>>> -	return strcmp((*user_extra)->name, (*user_extra2)-
> >>>>>> name);
> >>>>> +	if (*user_extra && *user_extra2)
> >>>>> +		return strcmp((*user_extra)->name,
> >>>>> (*user_extra2)-
> >>>>>>
> >>>>>> name);
> >>>>> +	else
> >>>>> +		return 1;
> >>>>>  }
> >>>>>  
> >>>>>  /* Name */
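Review bot: the qsort variant has the same ordering problem, and here it matters more: a comparator that returns 1 for both (NULL, x) and (x, NULL) gives qsort() inconsistent answers, which is undefined behaviour for qsort and can leave the array unsorted. Mirror whatever ordering compare2() settles on. Note also that the check dereferences *user_extra and *user_extra2 but never tests the user_extra pointers themselves.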
> >>>>> @@ -80,7 +90,10 @@ hidden const char *semanage_user_extra_g
> >>>>>  						user_extra)
> >>>>>  {
> >>>>>  
> >>>>> -	return user_extra->name;
> >>>>> +	if (user_extra)
> >>>>> +		return user_extra->name;
> >>>>> +	else
> >>>>> +		return NULL;
> >>>>>  }
> >>>>>  
> >>>>>  hidden int semanage_user_extra_set_name(semanage_handle_t *
> >>>>> handle,
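Review bot: semanage_user_extra_get_name() returning NULL for a NULL record moves the crash to callers that hand the result to strcmp() or strdup() (semanage_user_extra_set_name() just below does exactly that with its name argument). Either audit every caller of get_name() for a NULL result or keep the precondition that user_extra is non-NULL and document it in the header.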
> >>>>> @@ -88,6 +101,9 @@ hidden int semanage_user_extra_set_name(
> >>>>>  					const char *name)
> >>>>>  {
> >>>>>  
> >>>>> +	if (!user_extra)
> >>>>> +		return STATUS_SUCCESS;
> >>>>> +
> >>>>>  	char *tmp_name = strdup(name);
> >>>>>  	if (!tmp_name) {
> >>>>>  		ERR(handle, "out of memory, could not set name
> >>>>> %s "
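Review bot: returning STATUS_SUCCESS from semanage_user_extra_set_name() when user_extra is NULL reports a write that did not happen. A caller passing a NULL record is a programming error and should get an ERR() and STATUS_ERR, not silence; the same applies to `name`, which is still passed to strdup() unchecked.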
> >>>>> @@ -104,7 +120,10 @@ hidden const char *semanage_user_extra_g
> >>>>>  						  user_extra)
> >>>>>  {
> >>>>>  
> >>>>> -	return user_extra->prefix;
> >>>>> +	if (user_extra)
> >>>>> +		return user_extra->prefix;
> >>>>> +	else
> >>>>> +		return NULL;
> >>>>>  }
> >>>>>  
> >>>>>  hidden int semanage_user_extra_set_prefix(semanage_handle_t *
> >>>>> handle,
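Review bot: the NULL return from semanage_user_extra_get_prefix() is the value that prefix_is_homedir_role() and semanage_user_join() now key on, so this is the place to document the new meaning in a comment: a NULL prefix means "no prefix", and it is also what a caller sees when the extra record itself is absent.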
> >>>>> @@ -112,6 +131,9 @@ hidden int semanage_user_extra_set_prefi
> >>>>>  					  const char *prefix)
> >>>>>  {
> >>>>>  
> >>>>> +	if (!user_extra)
> >>>>> +		return STATUS_SUCCESS;
> >>>>> +
> >>>>>  	char *tmp_prefix = strdup(prefix);
> >>>>>  	if (!tmp_prefix) {
> >>>>>  		ERR(handle, "out of memory, could not set prefix
> >>>>> %s
> >>>>> "
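Review bot: same silent success as in set_name(): semanage_user_extra_set_prefix() returns STATUS_SUCCESS without storing anything when user_extra is NULL. Since this patch introduces users that legitimately have no prefix, `prefix` can now be NULL here as well, and strdup(prefix) would then crash; handle that case explicitly (store NULL, or reject it with ERR()) rather than only the NULL record.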
> >>>>> @@ -162,6 +184,9 @@ hidden int semanage_user_extra_clone(sem
> >>>>>  				     semanage_user_extra_t **
> >>>>> user_extra_ptr)
> >>>>>  {
> >>>>>  
> >>>>> +	if (!user_extra)
> >>>>> +		return STATUS_SUCCESS;
> >>>>> +
> >>>>>  	semanage_user_extra_t *new_user_extra = NULL;
> >>>>>  
> >>>>>  	if (semanage_user_extra_create(handle, &new_user_extra)
> >>>>> < 0)
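Review bot: semanage_user_extra_clone() returns STATUS_SUCCESS for a NULL source without assigning *user_extra_ptr, so the caller is left with an indeterminate pointer. Set `*user_extra_ptr = NULL;` before returning and say in a comment that cloning a missing record yields a missing record.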
> >>>>> diff -pru a/src/user_record.c b/src/user_record.c
> >>>>> --- a/src/user_record.c	2016-10-14 17:31:26.000000000
> >>>>> +0200
> >>>>> +++ b/src/user_record.c	2016-12-29 19:23:11.783720792
> >>>>> +0100
> >>>>> @@ -313,6 +313,7 @@ hidden int semanage_user_join(semanage_h
> >>>>>  {
> >>>>>  
> >>>>>  	const char *name;
> >>>>> +	const char *prefix = NULL;
> >>>>>  	semanage_user_t *tmp_user = calloc(1,
> >>>>> sizeof(semanage_user_t));
> >>>>>  	if (!tmp_user)
> >>>>>  		goto omem;
> >>>>> @@ -324,6 +325,9 @@ hidden int semanage_user_join(semanage_h
> >>>>>  	else
> >>>>>  		name = semanage_user_base_get_name(record1);
> >>>>>  
> >>>>> +	if (record2)
> >>>>> +		prefix =
> >>>>> semanage_user_extra_get_prefix(record2);
> >>>>> +
> >>>>>  	/* Join base record if it exists, create a blank one
> >>>>> otherwise */
> >>>>>  	if (record1) {
> >>>>>  		if (semanage_user_base_clone(handle, record1,
> >>>>> &tmp_user->base) <
> >>>>> @@ -337,21 +341,27 @@ hidden int semanage_user_join(semanage_h
> >>>>>  			goto err;
> >>>>>  	}
> >>>>>  
> >>>>> -	/* Join extra record if it exists, create a blank one
> >>>>> otherwise */
> >>>>> -	if (record2) {
> >>>>> -		if (semanage_user_extra_clone(handle, record2,
> >>>>> &tmp_user->extra)
> >>>>> -		    < 0)
> >>>>> -			goto err;
> >>>>> -	} else {
> >>>>> -		if (semanage_user_extra_create(handle,
> >>>>> &tmp_user-
> >>>>>>
> >>>>>> extra) < 0)
> >>>>> -			goto err;
> >>>>> -		if (semanage_user_extra_set_name(handle,
> >>>>> tmp_user-
> >>>>>>
> >>>>>> extra, name)
> >>>>> -		    < 0)
> >>>>> -			goto err;
> >>>>> -		if (semanage_user_extra_set_prefix
> >>>>> -		    (handle, tmp_user->extra, "user") < 0)
> >>>>> -			goto err;
> >>>>> -	}
> >>>>> +	/* SELinux identities without a prefix shall not have an
> >>>>> extra record */
> >>>>> +	if (prefix) { 
> >>>>> +		/* Join extra record if it exists, create a
> >>>>> blank
> >>>>> one otherwise */
> >>>>> +		if (record2) {
> >>>>> +			if (&tmp_user->extra)
> >>>>> +				if
> >>>>> (semanage_user_extra_clone(handle, record2, &tmp_user->extra)
> >>>>> +				    < 0)
> >>>>> +					goto err;
> >>>>> +		} else {
> >>>>> +			if (semanage_user_extra_create(handle,
> >>>>> &tmp_user->extra) < 0)
> >>>>> +				goto err;
> >>>>> +			if (semanage_user_extra_set_name(handle,
> >>>>> tmp_user->extra, name)
> >>>>> +			    < 0)
> >>>>> +				goto err;
> >>>>> +
> >>>>> +			if (semanage_user_extra_set_prefix
> >>>>> +			    (handle, tmp_user->extra, "user") <
> >>>>> 0)
> >>>>> +				goto err;
> >>>>> +		}
> >>>>> +	} else
> >>>>> +		tmp_user->extra = NULL;
> >>>>>  
> >>>>>  	if (semanage_user_set_name(handle, tmp_user, name) < 0)
> >>>>>  		goto err;
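Review bot: the inner `else` branch is now unreachable: `prefix` is only assigned when record2 is non-NULL, so `if (prefix)` already implies `record2 != NULL`, and the code that creates a blank extra record with prefix "user" for users that have no extra record can never run. That silently changes behaviour for every user without an extra record, not just for system_u, which is more than the commit message claims; if the intent is only to skip the reserved identity, test `name` against SYS_OBJECTS_USERID instead of testing the prefix. Also, `if (&tmp_user->extra)` takes the address of a struct member and is always true; it reads like a typo for `if (tmp_user->extra)` and should simply be dropped, `tmp_user->extra = NULL` is redundant after calloc(), and there is trailing whitespace after `if (prefix) {`.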
> >>>>> _______________________________________________
> >>>>> Selinux mailing list
> >>>>> Selinux@xxxxxxxxxxxxx
> >>>>> To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
> >>>>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
> 
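A check along the lines of the one genhomedircon performs, added here as an example and not code from the thread or from libsemanage: it walks a seusers file, skips the __default__ and %group entries that never correspond to a passwd user, reports any login name missing from passwd (the warning Guido saw), and flags system_u when it is used as a login name, which is the misconfiguration Stephen points at. Both input files are constructed samples embedded in the script, and the helper names (in_passwd, check_seusers, strip_reserved_login) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread or from libsemanage: re-create the
# genhomedircon sanity check that every login name in seusers maps to a
# passwd entry, and flag system_u (the SELinux identity reserved for system
# processes and objects) when it appears as a login name.
#
# Both inputs below are constructed samples. The real files live at
# /etc/selinux/<policy>/seusers and /etc/passwd.

SEUSERS_SAMPLE='# login:seuser:range
system_u:system_u:s0-s0:c0.c1023
root:unconfined_u:s0-s0:c0.c1023
__default__:unconfined_u:s0-s0:c0.c1023
%wheel:staff_u:s0-s0:c0.c1023
alice:staff_u:s0
ghost:user_u:s0'

PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash'

# in_passwd NAME PASSWD_TEXT: succeed if NAME is the first field of some line.
# awk -v is used so that NAME is compared literally, not as a regex.
in_passwd() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# check_seusers SEUSERS_TEXT PASSWD_TEXT
# Prints one diagnostic per bad entry and returns the number of bad entries
# (the return value wraps at 256, which is plenty for a seusers file).
check_seusers() {
    problems=0
    while IFS=: read -r login seuser range; do
        case $login in
            ''|'#'*) continue ;;          # blank line or comment
            __default__|%*) continue ;;   # fallback and group entries: no passwd user expected
        esac
        if [ "$login" = system_u ]; then
            printf 'seusers: "%s" is the SELinux identity reserved for system objects; it must not be a login name\n' "$login"
            problems=$((problems + 1))
        elif ! in_passwd "$login" "$2"; then
            # the same condition genhomedircon warns about
            printf 'seusers: user %s not in password file\n' "$login"
            problems=$((problems + 1))
        fi
    done <<EOF
$1
EOF
    return $problems
}

# strip_reserved_login SEUSERS_TEXT: emit the file without the system_u login
# line, which is the fix applied to refpolicy's appconfig seusers files.
strip_reserved_login() {
    printf '%s\n' "$1" | awk -F: '$1 != "system_u"'
}

# Stand-alone run: two diagnostics (system_u and ghost) and a return value of 2.
check_seusers "$SEUSERS_SAMPLE" "$PASSWD_SAMPLE" || echo "problems found: $?"
```

Run it against a real system with `check_seusers "$(cat /etc/selinux/targeted/seusers)" "$(cat /etc/passwd)"`; a system_u line in the output means the policy still ships the entry that the thread removes.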