PERFORCE change 109986 for review

Todd Miller millert at FreeBSD.org
Tue Nov 14 20:51:59 UTC 2006


http://perforce.freebsd.org/chv.cgi?CH=109986

Change 109986 by millert at millert_g5tower on 2006/11/14 20:38:31

	Darwinize genhomedircon and enable it in policy builds

Affected files ...

.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#8 edit
.. //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/support/genhomedircon#2 edit

Differences ...

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/Rules.monolithic#8 (text+ko) ====

@@ -212,8 +212,7 @@
 	@mkdir -p $(contextpath)/files
 	$(verbose) $(INSTALL) -m 644 $(fc) $(fcpath)
 	$(verbose) $(INSTALL) -m 644 $(homedir_template) $(homedirpath)
-	# XXX - Disable genhomedircon for now
-	#$(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
+	$(verbose) $(genhomedircon) -d $(topdir) -t $(NAME) $(USEPWD)
 ifeq "$(DISTRO)" "rhel4"
 # Setfiles in RHEL4 does not look at file_contexts.homedirs.
 	$(verbose) cat $@.homedirs >> $@

==== //depot/projects/trustedbsd/sedarwin8/policies/sedarwin/refpolicy/support/genhomedircon#2 (text+ko) ====

@@ -42,30 +42,11 @@
 
 import commands, sys, os, pwd, string, getopt, re
 
-EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
+EXCLUDE_LOGINS=["/sbin/nologin", "/usr/bin/false"]
 
+# Mac OS X uses a starting uid of 501 but use 500 for consistency
 def getStartingUID():
-	starting_uid = sys.maxint
-	rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs")
-	if rc[0] == 0:
-		uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1])
-		#stip any comment from the end of the line
-		uid_min = uid_min.split("#")[0]
-		uid_min = uid_min.strip()
-		if int(uid_min) < starting_uid:
-			starting_uid = int(uid_min)
-	rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf")
-	if rc[0] == 0:
-		lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1])
-		#stip any comment from the end of the line
-		lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber)
-		lu_uidnumber = lu_uidnumber.split("#")[0]
-		lu_uidnumber = lu_uidnumber.strip()
-		if int(lu_uidnumber) < starting_uid:
-			starting_uid = int(lu_uidnumber)
-	if starting_uid == sys.maxint:
-		starting_uid = 500
-	return starting_uid
+	return 500
 
 #############################################################################
 #
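Review bot: The new `EXCLUDE_LOGINS` drops "/bin/false" rather than adding the Darwin path beside it; since this list is the filter that keeps service accounts out of the generated homedir contexts, any account record that still names /bin/false as its shell would now get a user home-directory context. Keeping both entries costs nothing: `EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false", "/usr/bin/false"]`. The comment above `getStartingUID` also deserves to say what the constant is used for, e.g. `# Accounts with uid <= this value are treated as system accounts and skipped`, since the old lookup of UID_MIN/LU_UIDNUMBER that documented the intent is gone.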
@@ -126,35 +107,11 @@
 	if os.path.isdir(filecontextdir) == 0:
 		sys.stderr.write("New usage is the following\n")
 		usage()
-        #We are going to define home directory used by libuser and show-utils as a home directory root
-        prefixes = {}
-        rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
-        if rc[0] == 0:
-                homedir = rc[1].split("=")[1]
-                homedir = homedir.split("#")[0]
-                homedir = homedir.strip()
-                if not prefixes.has_key(homedir):
-                        prefixes[homedir] = ""
-        else:
-                #rc[0] == 256 means the file was there, we read it, but the grep didn't match
-                if rc[0] != 256:
-                        sys.stderr.write("%s\n" % rc[1])
-                        sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
-                        sys.stderr.flush()
+	# For Mac OS X, most homedirs live in /Users
+	prefixes["/home"] = ""
 
-
-        rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
-        if rc[0] == 0:
-                homedir = rc[1].split("=")[1]
-                homedir = homedir.split("#")[0]
-                homedir = homedir.strip()
-                homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
-                if not prefixes.has_key(homedir):
-                        prefixes[homedir] = ""
-
-        #the idea is that we need to find all of the home_root_t directories we do this by just accepting
-        #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
-        #we then get the potential home directory roots from /etc/passwd or nis or whereever and look at
+        #the idea is that we need to find all of the home_root_t directories
+        #we get the potential home directory roots from netinfo or ldap and look at
         #the defined homedir for all users with UID > STARTING_UID.  This list of possible root homedirs
         #is then checked to see if it has an explicite context defined in the file_contexts.  Explicit
         #is any regex that would match it which does not end with .*$ or .+$ since those are general
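Review bot: `prefixes = {}` is removed at the top of this hunk, but the new line `prefixes["/home"] = ""` still assigns into it; unless `prefixes` is bound earlier in the enclosing function (its start lies outside the hunk) this raises NameError as soon as genhomedircon runs, which the Rules.monolithic hunk now does on every policy install. Reinstate the initialisation as `prefixes = {"/home": ""}` or keep `prefixes = {}` before the assignment. The comment "most homedirs live in /Users" also disagrees with the key being seeded ("/home"), while `getDefaultHomeDir` in a later hunk returns "/Users"; one of the two looks wrong and the comment should match whatever is seeded.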
@@ -191,19 +148,11 @@
                                 prefixes[potential] = ""
 
 
-        if prefixes.__eq__({}):
-                sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
-                sys.stderr.write("HOME= not set in /etc/default/useradd\n")
-                sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
-                sys.stderr.write("Assuming /home is the root of home directories\n")
-                sys.stderr.flush()
-                prefixes["/home"] = ""
-
 	# There may be a more elegant sed script to expand a macro to multiple lines, but this works
 	sed_root = "h; s|^HOME_ROOT|%s|" % (string.join(prefixes.keys(), "|; p; g; s|^HOME_ROOT|"),)
 	sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (string.join(prefixes.keys(), "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|"),)
 
-	# Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
+	# Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/sedarwin/refpolicy/src/policy/users
 	rc=commands.getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
 	if rc[0] == 0:
 		print rc[1]
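Review bot: The removed block was the only place that told the operator a home root was assumed rather than discovered; with the seed moved into the earlier hunk, a run that finds no user homedirs now silently emits contexts for just the seeded root. A one-line diagnostic before building `sed_root` would keep that visibility, e.g. `if len(prefixes) == 1: sys.stderr.write("No user home directory roots discovered; using %s\n" % prefixes.keys()[0])`. Note that `sed_root` and `sed_dir` still interpolate the discovered prefixes straight into a shell command line below, so the filtering that decides which prefixes are accepted (outside this hunk) is the only thing standing between directory-service data and the shell.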
@@ -223,36 +172,10 @@
 #
 #############################################################################
 
+# Homedirs live in /Users on Mac OS X by default
 def getDefaultHomeDir():
 	ret = []
-	rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
-	if rc[0] == 0:
-		homedir = rc[1].split("=")[1]
-		homedir = homedir.split("#")[0]
-		homedir = homedir.strip()
-		if not homedir in ret:
-			ret.append(homedir)
-	else:
-		#rc[0] == 256 means the file was there, we read it, but the grep didn't match
-		if rc[0] != 256:
-			sys.stderr.write("%s\n" % rc[1])
-			sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
-			sys.stderr.flush()
-	rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
-	if rc[0] == 0:
-		homedir = rc[1].split("=")[1]
-		homedir = homedir.split("#")[0]
-		homedir = homedir.strip()
-		if not homedir in ret:
-			ret.append(homedir)
-	else:
-		#rc[0] == 256 means the file was there, we read it, but the grep didn't match
-		if rc[0] != 256:
-			sys.stderr.write("%s\n" % rc[1])
-			sys.stderr.write("You do not have access to /etc/libuser.conf LU_HOMEDIRECTORY=\n")
-			sys.stderr.flush()
-	if ret == []:
-		ret.append("/home")
+	ret.append("/Users")
 	return ret
 
 def getSELinuxType(directory):
@@ -279,7 +202,7 @@
 	sys.exit(1)
 
 class selinuxConfig:
-	def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1):
+	def __init__(self, selinuxdir="/etc/sedarwin", type="refpolicy", usepwd=1):
 		self.type=type
 		self.selinuxdir=selinuxdir +"/"
 		self.contextdir="/contexts"
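Review bot: The new default `selinuxdir="/etc/sedarwin"` here and `directory="/etc/sedarwin"` in the last hunk are the same constant spelled twice, and the type default "refpolicy" is a third literal that a future port will have to find by grep. A module-level `DEFAULT_SELINUXDIR = "/etc/sedarwin"` next to `EXCLUDE_LOGINS`, used in both places, keeps the two defaults from drifting apart. The `__init__` body continues outside the hunk.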
@@ -444,7 +367,7 @@
 #
 try:
 	usepwd=1
-	directory="/etc/selinux"
+	directory="/etc/sedarwin"
 	type=None
 	gopts, cmds = getopt.getopt(sys.argv[1:], 'nd:t:', ['help',
 						'type=',

