PERFORCE change 109986 for review
Todd Miller
millert at FreeBSD.org
Tue Nov 14 20:51:59 UTC 2006
http://perforce.freebsd.org/chv.cgi?CH=109986
Change 109986 by millert at millert_g5tower on 2006/11/14 20:38:31
Darwinize genhomedircon and enable it in policy builds
Affected files ...
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#8 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/support/genhomedircon#2 edit
Differences ...
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#8 (text+ko) ====
@@ -212,8 +212,7 @@
@mkdir -p $(contextpath)/files
$(verbose) $(INSTALL) -m 644 $(fc) $(fcpath)
$(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath)
- # XXX - Disable genhomedircon for now
- #$(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
+ $(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
ifeq "$(DISTRO)" "rhel4"
# Setfiles in RHEL4 does not look at file_contexts.homedirs.
$(verbose) cat $@.homedirs >> $@
==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/support/genhomedircon#2 (text+ko) ====
@@ -42,30 +42,11 @@
import commands, sys, os, pwd, string, getopt, re
-EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
+EXCLUDE_LOGINS=["/sbin/nologin", "/usr/bin/false"]
+# Mac OS X uses a starting uid of 501 but use 500 for consistency
def getStartingUID():
- starting_uid = sys.maxint
- rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs")
- if rc[0] == 0:
- uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1])
- #stip any comment from the end of the line
- uid_min = uid_min.split("#")[0]
- uid_min = uid_min.strip()
- if int(uid_min) < starting_uid:
- starting_uid = int(uid_min)
- rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf")
- if rc[0] == 0:
- lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1])
- #stip any comment from the end of the line
- lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber)
- lu_uidnumber = lu_uidnumber.split("#")[0]
- lu_uidnumber = lu_uidnumber.strip()
- if int(lu_uidnumber) < starting_uid:
- starting_uid = int(lu_uidnumber)
- if starting_uid == sys.maxint:
- starting_uid = 500
- return starting_uid
+ return 500
#############################################################################
#
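Review bot: The comment added above getStartingUID() says OS X starts at 501 but 500 is kept "for consistency" without saying with what, and it sits as a plain comment after the import line rather than as the function's docstring. The removed body also fell back to 500 when neither login.defs nor libuser.conf was readable, and the comment retained later in the file treats users as those with UID > STARTING_UID, so a docstring such as `"""Return the UID threshold; accounts with a UID above it are treated as users. Mac OS X assigns the first account 501, so 500 admits it while keeping the Linux fallback value."""` would state the contract where it is read. With the grep/re parsing gone, `re` on the unchanged import line has no remaining use in this hunk; whether another part of the file still needs it is not visible here.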
@@ -126,35 +107,11 @@
if os.path.isdir(filecontextdir) == 0:
sys.stderr.write("New usage is the following\n")
usage()
- #We are going to define home directory used by libuser and show-utils as a home directory root
- prefixes = {}
- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not prefixes.has_key(homedir):
- prefixes[homedir] = ""
- else:
- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
- sys.stderr.flush()
+ # For Mac OS X, most homedirs live in /Users
+ prefixes["/home"] = ""
-
- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
- if not prefixes.has_key(homedir):
- prefixes[homedir] = ""
-
- #the idea is that we need to find all of the home_root_t directories we do this by just accepting
- #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
- #we then get the potential home directory roots from /etc/passwd or nis or whereever and look at
+ #the idea is that we need to find all of the home_root_t directories
+ #we get the potential home directory roots from netinfo or ldap and look at
#the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs
#is then checked to see if it has an explicite context defined in the file_contexts. Explicit
#is any regex that would match it which does not end with .*$ or .+$ since those are general
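Review bot: `prefixes["/home"] = ""` on the new side is the first reference to `prefixes` in this hunk, but the `prefixes = {}` initialization on the old side is removed with no replacement; unless the dict is created earlier in the function (its start lies outside this hunk), this line raises NameError the first time it runs. The comment directly above it also says home directories live in /Users while the code seeds /home, and the getDefaultHomeDir hunk further down returns "/Users", so one of the two defaults is wrong; if /Users is intended the lines should read `prefixes = {}` / `# For Mac OS X, most homedirs live in /Users` / `prefixes["/Users"] = ""`. Since the empty-prefixes fallback in the next hunk is removed as well, this seed is now the only guaranteed home root, so the choice should be deliberate.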
@@ -191,19 +148,11 @@
prefixes[potential] = ""
- if prefixes.__eq__({}):
- sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
- sys.stderr.write("HOME= not set in /etc/default/useradd\n")
- sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
- sys.stderr.write("Assuming /home is the root of home directories\n")
- sys.stderr.flush()
- prefixes["/home"] = ""
-
# There may be a more elegant sed script to expand a macro to multiple lines, but this works
sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),)
sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),)
- # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
+ # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/sedarwin/refpolicy/src/policy/users
rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
if rc[0] == 0:
print rc[1]
@@ -223,36 +172,10 @@
#
#############################################################################
+# Homedirs live in /Users on Mac OS X by default
def getDefaultHomeDir():
ret = []
- rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not homedir in ret:
- ret.append(homedir)
- else:
- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
- sys.stderr.flush()
- rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
- if rc[0] == 0:
- homedir = rc[1].split("=")[1]
- homedir = homedir.split("#")[0]
- homedir = homedir.strip()
- if not homedir in ret:
- ret.append(homedir)
- else:
- #rc[0] == 256 means the file was there, we read it, but the grep didn't match
- if rc[0] != 256:
- sys.stderr.write("%s\n" % rc[1])
- sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n")
- sys.stderr.flush()
- if ret == []:
- ret.append("/home")
+ ret.append("/Users")
return ret
def getSELinuxType(directory):
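Review bot: getDefaultHomeDir() now always returns a one-element list, so `ret = []` followed by `ret.append("/Users")` is a leftover of the removed lookup loop; `return ["/Users"]` expresses the same result directly. The explanatory comment added above the def belongs inside it as a docstring, e.g. `"""Return the default home directory roots; on Mac OS X this is just /Users."""`. This default differs from the /home seeded into prefixes in the earlier hunk, which callers comparing the two will notice.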
@@ -279,7 +202,7 @@
sys.exit(1)
class selinuxConfig:
- def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1):
+ def __init__(self, selinuxdir="/etc/sedarwin", type="refpolicy", usepwd=1):
self.type=type
self.selinuxdir=selinuxdir +"/"
self.contextdir="/contexts"
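Review bot: The new default `selinuxdir="/etc/sedarwin"` on the constructor is repeated verbatim as `directory="/etc/sedarwin"` in the option-parsing hunk at the end of this change; keeping the path in one module-level constant, e.g. `SELINUX_DIR = "/etc/sedarwin"`, and referencing it from both places avoids the two drifting apart on the next port. The same applies to the `type="refpolicy"` default, which the Makefile hunk overrides with `-t $(NAME)`, so a short comment noting that the constructor default is only a fallback would help. The rest of __init__ runs past the end of the hunk.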
@@ -444,7 +367,7 @@
#
try:
usepwd=1
- directory="/etc/selinux"
+ directory="/etc/sedarwin"
type=None
gopts, cmds = getopt.getopt(sys.argv[1:], 'nd:t:', ['help',
'type=',