[selinux-policy: 1213/3172] add users_extra support

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 20:49:46 UTC 2010


commit 90b331fa99ac11b29e120f34fe292c121d4aad6d
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Feb 15 19:46:20 2006 +0000

    add users_extra support

 refpolicy/Changelog                      |    1 +
 refpolicy/Makefile                       |    4 ++--
 refpolicy/Rules.modular                  |   11 +++++++++--
 refpolicy/policy/support/misc_macros.spt |   12 +++++++++---
 refpolicy/policy/users                   |   20 +++++++++++---------
 5 files changed, 32 insertions(+), 16 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 2a89416..6cce9a3 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add users_extra support.
 - Postfix fixes from Serge Hallyn.
 - Run python and shell directly to interpret scripts so policy
   sources need not be executable.
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 00f3235..356a6ee 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -112,6 +112,7 @@ GLOBALTUN = $(POLDIR)/global_tunables
 GLOBALBOOL = $(POLDIR)/global_booleans
 TUNABLES = $(POLDIR)/tunables.conf
 ROLEMAP = $(POLDIR)/rolemap
+USER_FILES := $(POLDIR)/users
 
 # local config file paths
 ifndef LOCAL_ROOT
@@ -215,7 +216,6 @@ APPCONF := config/appconfig-$(TYPE)
 APPDIR := $(CONTEXTPATH)
 APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
 CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
-USER_FILES := $(POLDIR)/users
 
 ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
 ifdef LOCAL_ROOT
@@ -251,7 +251,7 @@ BASE_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if
 MOD_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_MODS)))
 OFF_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_OFF)))
 
-# filesystems to be labeled
+# filesystems to be used in labeling targets
 FILESYSTEMS = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';)
 
 ########################################
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index 18e29e9..02e6d36 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -11,6 +11,8 @@ BASE_FC := $(BUILDDIR)/base.fc
 BASE_CONF := $(BUILDDIR)/base.conf
 BASE_MOD := $(TMPDIR)/base.mod
 
+USERS_EXTRA := $(TMPDIR)/users_extra
+
 BASE_SECTIONS := $(TMPDIR)/pre_te_files.conf $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf $(TMPDIR)/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf
 
 BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
@@ -86,15 +88,20 @@ $(BUILDDIR)/%.pp: $(TMPDIR)/%.mod $(TMPDIR)/%.mod.fc
 #
 # Create a base module package
 #
-$(BASE_PKG): $(BASE_MOD) $(BASE_FC)
+$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA)
 	@echo "Creating $(NAME) base module package"
 	@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
-	$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC)
+	$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA)
 
 $(BASE_MOD): $(BASE_CONF)
 	@echo "Compiling $(NAME) base module"
 	$(verbose) $(CHECKMODULE) $^ -o $@
 
+$(USERS_EXTRA): $(M4SUPPORT) $(USER_FILES)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
+		$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
+
 ########################################
 #
 # Construct a base.conf
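Review bot: The `$(USERS_EXTRA)` recipe near the end of the hunk only reports sed's exit status, so a failing m4 run (a quoting error in policy/users, for instance) still leaves an empty or truncated users_extra with a fresh mtime; the base package is then built with `-u` pointing at it and make treats the target as up to date on the next run. Splitting the pipeline so the m4 step is its own recipe line makes that failure fatal: `$(verbose) $(M4) $(M4PARAM) -D users_extra $^ > $@.m4` followed by `$(verbose) $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' $@.m4 > $@`. Adding a `.DELETE_ON_ERROR:` special target to Rules.modular would additionally keep a partially written `$@` from surviving a failed step. The rule also deserves a one-line comment such as `# users_extra: only the "user NAME prefix PREFIX;" lines gen_user emits under -D users_extra, consumed by genhomedircon`, since nothing in the recipe says why `^user` lines are being filtered out.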
diff --git a/refpolicy/policy/support/misc_macros.spt b/refpolicy/policy/support/misc_macros.spt
index f854137..1e57e33 100644
--- a/refpolicy/policy/support/misc_macros.spt
+++ b/refpolicy/policy/support/misc_macros.spt
@@ -23,9 +23,15 @@ define(`__endline__',`
 
 ########################################
 #
-# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
-#
-define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+#
+define(`gen_user',`dnl
+ifdef(`users_extra',`dnl
+ifelse(`$2',,,`user $1 prefix $2;')
+',`dnl
+user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
+')dnl
+')
 
 ########################################
 #
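Review bot: The new gen_user signature inserts the prefix as the second positional argument, so a caller still using the previous four- or five-argument form does not fail cleanly: with `users_extra` defined, `$2` is the old role set and the macro silently emits something like `user NAME prefix user_r sysadm_r;` into users_extra, while in the normal branch the old default level lands in the role set and only checkpolicy catches it. The header comment should say that prefix is a required positional argument and what an empty one means, e.g. `# prefix: home-directory type prefix consumed by genhomedircon; leave empty to keep the identity out of users_extra`. It would also help to state that under `-D users_extra` the macro emits only the `user ... prefix ...;` statement and no user declaration at all, which is the behaviour the Rules.modular filter depends on.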
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
index 351bd00..820504f 100644
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@@ -5,8 +5,10 @@
 #
 
 #
-# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
 #
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
 
 #
 # system_u is the user identity for system processes and objects.
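Review bot: The added note has a typo, `wil` for `will`, and the rewritten signature line carries over `mcs_catetories` from the old comment, which should read `mcs_categories` to match the parameter name used in misc_macros.spt. Since this comment is the only place the prefix argument is explained to policy authors, it is worth also spelling out that the prefix must be the second argument, e.g. `# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])` followed by `# Note: Identities without a prefix will not be listed in the users_extra file used by genhomedircon.`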
@@ -14,7 +16,7 @@
 # and a user process should never be assigned the system user
 # identity.
 #
-gen_user(system_u, system_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
 
 #
 # user_u is a generic user identity for Linux users who have no
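Review bot: The empty second argument in `gen_user(system_u,, system_r, ...)` reads like a dropped parameter rather than a deliberate choice, and the reason is only recoverable from the note further up the file. A short inline comment would make the intent explicit and stop a later edit from "fixing" it: `# no prefix on purpose: keeps system_u out of users_extra, so genhomedircon never generates home-directory contexts for it`, which is consistent with the surrounding text saying a user process should never carry the system identity.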
@@ -24,11 +26,11 @@ gen_user(system_u, system_r, s0, s0 - s15:c0.c255, c0.c255)
 # permit any access to such users, then remove this entry.
 #
 ifdef(`targeted_policy',`
-gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
-gen_user(user_u, user_r, s0, s0)
-gen_user(staff_u, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
-gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 ')
 
 #
@@ -39,11 +41,11 @@ gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 # not in the sysadm_r.
 #
 ifdef(`targeted_policy',`
-	gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+	gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 	ifdef(`direct_sysadm_daemon',`
-		gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
 	',`
-		gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+		gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 	')
 ')

