[selinux-policy: 1213/3172] add users_extra support
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 20:49:46 UTC 2010
commit 90b331fa99ac11b29e120f34fe292c121d4aad6d
Author: Chris PeBenito <cpebenito at tresys.com>
Date: Wed Feb 15 19:46:20 2006 +0000
add users_extra support
refpolicy/Changelog | 1 +
refpolicy/Makefile | 4 ++--
refpolicy/Rules.modular | 11 +++++++++--
refpolicy/policy/support/misc_macros.spt | 12 +++++++++---
refpolicy/policy/users | 20 +++++++++++---------
5 files changed, 32 insertions(+), 16 deletions(-)
---
diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 2a89416..6cce9a3 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add users_extra support.
- Postfix fixes from Serge Hallyn.
- Run python and shell directly to interpret scripts so policy
sources need not be executable.
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 00f3235..356a6ee 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -112,6 +112,7 @@ GLOBALTUN = $(POLDIR)/global_tunables
GLOBALBOOL = $(POLDIR)/global_booleans
TUNABLES = $(POLDIR)/tunables.conf
ROLEMAP = $(POLDIR)/rolemap
+USER_FILES := $(POLDIR)/users
# local config file paths
ifndef LOCAL_ROOT
@@ -215,7 +216,6 @@ APPCONF := config/appconfig-$(TYPE)
APPDIR := $(CONTEXTPATH)
APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
-USER_FILES := $(POLDIR)/users
ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
ifdef LOCAL_ROOT
@@ -251,7 +251,7 @@ BASE_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if
MOD_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_MODS)))
OFF_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_OFF)))
-# filesystems to be labeled
+# filesystems to be used in labeling targets
FILESYSTEMS = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';)
########################################
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index 18e29e9..02e6d36 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -11,6 +11,8 @@ BASE_FC := $(BUILDDIR)/base.fc
BASE_CONF := $(BUILDDIR)/base.conf
BASE_MOD := $(TMPDIR)/base.mod
+USERS_EXTRA := $(TMPDIR)/users_extra
+
BASE_SECTIONS := $(TMPDIR)/pre_te_files.conf $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf $(TMPDIR)/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf
BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
@@ -86,15 +88,20 @@ $(BUILDDIR)/%.pp: $(TMPDIR)/%.mod $(TMPDIR)/%.mod.fc
#
# Create a base module package
#
-$(BASE_PKG): $(BASE_MOD) $(BASE_FC)
+$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA)
@echo "Creating $(NAME) base module package"
@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
- $(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC)
+ $(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA)
$(BASE_MOD): $(BASE_CONF)
@echo "Compiling $(NAME) base module"
$(verbose) $(CHECKMODULE) $^ -o $@
+$(USERS_EXTRA): $(M4SUPPORT) $(USER_FILES)
+ @test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+ $(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
+ $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
+
########################################
#
# Construct a base.conf
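Review bot: In the new `$(USERS_EXTRA)` recipe the m4 output is piped into sed and redirected straight to `$@`, so a failing m4 run (a bad users file, for instance) is masked by sed's exit status and leaves an empty or truncated users_extra that the preceding rule packages into base.pp via `-u` and that make then treats as up to date. genhomedircon would then silently produce no home-directory contexts for the prefixed identities. Running the two steps separately makes the failure fatal: `$(verbose) $(M4) $(M4PARAM) -D users_extra $^ > $@.m4 && $(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' $@.m4 > $@`; a `.DELETE_ON_ERROR:` target would additionally drop the partial file. The `/^user/p` filter also depends on gen_user being the only thing that emits lines starting with `user` when `users_extra` is defined, which deserves a comment above the rule, e.g. `# keep only the "user NAME prefix PREFIX;" lines gen_user emits under -D users_extra`.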
diff --git a/refpolicy/policy/support/misc_macros.spt b/refpolicy/policy/support/misc_macros.spt
index f854137..1e57e33 100644
--- a/refpolicy/policy/support/misc_macros.spt
+++ b/refpolicy/policy/support/misc_macros.spt
@@ -23,9 +23,15 @@ define(`__endline__',`
########################################
#
-# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
-#
-define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+#
+define(`gen_user',`dnl
+ifdef(`users_extra',`dnl
+ifelse(`$2',,,`user $1 prefix $2;')
+',`dnl
+user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
+')dnl
+')
########################################
#
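Review bot: The rewritten gen_user header comment lists the new `prefix` argument but says nothing about what it is or what an empty value does, even though that is the only thing deciding whether an identity appears in users_extra, and a caller still using the old five-argument form would have its role set read as the prefix. I would extend the comment with `# prefix: genhomedircon prefix (user, staff, sysadm, ...); leave empty to omit the identity from users_extra` and `# With users_extra defined the macro emits only "user NAME prefix PREFIX;" (nothing for an empty prefix); otherwise it emits the full user declaration`. The blank-line handling of the `dnl` markers looks right, but the second branch now ends its `user` statement with a `;` inside the quoted body, which is worth a glance since it differs from the original one-liner's layout.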
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
index 351bd00..820504f 100644
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@@ -5,8 +5,10 @@
#
#
-# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
#
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
#
# system_u is the user identity for system processes and objects.
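Review bot: The new comment line has a typo, `wil` for `will`, and the rewritten signature line carries over the older `mcs_catetories` misspelling; I would make them `# Note: Identities without a prefix will not be listed` and `# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])`. Since this note is what explains the empty prefix given to system_u just below, it would also help to say that this is deliberate — presumably because a system identity must never be given home-directory contexts — rather than leaving it as a bare statement of fact.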
@@ -14,7 +16,7 @@
# and a user process should never be assigned the system user
# identity.
#
-gen_user(system_u, system_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
#
# user_u is a generic user identity for Linux users who have no
@@ -24,11 +26,11 @@ gen_user(system_u, system_r, s0, s0 - s15:c0.c255, c0.c255)
# permit any access to such users, then remove this entry.
#
ifdef(`targeted_policy',`
-gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
-gen_user(user_u, user_r, s0, s0)
-gen_user(staff_u, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
-gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
')
#
@@ -39,11 +41,11 @@ gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
# not in the sysadm_r.
#
ifdef(`targeted_policy',`
- gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+ gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
',`
- gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+ gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
')
')