genhomedircon

genhomedircon

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 569 bytes --]

I have made some minor changes to genhomedircon (attached a diff against the 
Fedora version and a copy of the modified script).

This improves the error handling code to make it clear when an error condition 
is caused by bad parameters and when it's by an internal error.  It also 
fixes a bug so that now the following line in the "users" file will be 
accepted and not cause the program to abort:
user root roles user_r;

Previously it demanded the following instead:
user root roles { user_r };

-- 
http://apac.redhat.com/disclaimer
See above URL for disclaimer.

[-- Attachment #2: g.diff --]
[-- Type: text/x-diff, Size: 1918 bytes --]

--- genhomedircon.orig	2004-06-16 16:04:11.000000000 +1000
+++ genhomedircon	2004-06-16 16:00:59.000000000 +1000
@@ -51,7 +51,10 @@
 				if user[1] == "user_u" or user[1] == "system_u":
 					continue
 				# !!! chooses first role in the list to use in the file context !!!
-				role = user[4].split("_r")[0]
+				role = user[3]
+				if role == "{":
+					role = user[4]
+				role = role.split("_r")[0]
 				home = pwd.getpwnam(user[1])[5]
 				if home == "/":
 					continue
@@ -70,18 +73,24 @@
 	sys.stderr.flush()
 	sys.exit(1)
 	
+def errorExit(error):
+	sys.stderr.write("%s exiting for: " % sys.argv[0])
+	sys.stderr.write("%s\n" % error)
+	sys.stderr.flush()
+	sys.exit(1)
+	
 def update(filecontext, user, prefs):
 	rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
 	if rc[0] == 0:
 		print rc[1]
 	else:
-		usage(rc[1])
+		errorExit(join("grep/sed error ", rc[1]))
 	return rc
 
 try:
 	if len(sys.argv) != 3:
 		print len(sys.argv)
-		usage()
+		usage("Incorrect parameters")
 
 	FILECONTEXTDIR=sys.argv[1]
 	prefixes = getPrefixes()
@@ -91,8 +100,7 @@
 		homedir = rc[1].split("=")[1]
 	else:
 		sys.stderr.write("%s\n" % (rc[1],))
-		sys.stderr.write("You do not have access to /etc/default/useradd
-, default /home\n")
+		sys.stderr.write("You do not have access to /etc/default/useradd, default /home\n")
 		sys.stderr.flush()
 		homedir = "/home"
 		
@@ -109,7 +117,7 @@
 	if rc[0] == 0:
 		print rc[1]
 	else:
-		usage(rc[1])
+		errorExit(join("sed error ", rc[1]))
 
 	users = getUsers()
 	print "\n#\n# User-specific file contexts\n#\n"
@@ -118,6 +126,6 @@
 	for u in users.keys():
 		update(sys.argv[2], u, users[u]) 
 except ValueError, error:
-	usage(error)
+	errorExit(join("ValueError ", error))
 except IndexError, error:
-	usage()
+	errorExit("IndexError")

[-- Attachment #3: genhomedircon --]
[-- Type: application/x-python, Size: 4117 bytes --]

genhomedircon

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 700 bytes --]

The attached patch fixes a bug in genhomedircon.

Without this if you create system users with "useradd -r" and give them home 
directories in unusual locations (such as /usr/DIR or /var/run/DIR) then a 
file_contexts file will be generated that will mess up your system.

This match makes it check /etc/login.defs for the value of UID_MIN.

Also perhaps we should make STARTING_UID default to 500.  500 is the default 
value for this in Fedora.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 593 bytes --]

--- genhomedircon	2004-07-19 22:29:23.851864480 +1000
+++ /usr/sbin/genhomedircon	2004-07-19 22:47:01.984003944 +1000
@@ -25,7 +25,6 @@
 import commands, sys, os, pwd, string
 
 EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
-STARTING_UID=100
 
 def getPrefixes():
 	ulist = pwd.getpwall()
@@ -92,6 +91,12 @@
 		print len(sys.argv)
 		usage("Incorrect parameters")
 
+	rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs | sed -e 's/^UID_MIN[^0-9]*//'")
+	if rc[0] == 0:
+		STARTING_UID=rc[1]
+	else:
+		STARTING_UID=100
+
 	FILECONTEXTDIR=sys.argv[1]
 	prefixes = getPrefixes()
 

genhomedircon

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 348 bytes --]

In genhomedircon version 1.16 there is some duplicated code.  The attached 
patch removes it.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: genhomedircon.diff --]
[-- Type: text/x-diff, Size: 446 bytes --]

--- policycoreutils-1.16.orig/scripts/genhomedircon	2004-08-12 22:38:42.000000000 +1000
+++ policycoreutils-1.16/scripts/genhomedircon	2004-08-20 21:46:10.000000000 +1000
@@ -97,12 +97,6 @@
 	else:
 		STARTING_UID=500
 
-	rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs | sed -e 's/^UID_MIN[^0-9]*//'")
-	if rc[0] == 0:
-		STARTING_UID=rc[1]
-	else:
-		STARTING_UID=500
-
 	FILECONTEXTDIR=sys.argv[1]
 	prefixes = getPrefixes()
 

genhomedircon

[Russell Coker]

[-- Attachment #1: Type: text/plain, Size: 742 bytes --]

        def checkExists(self, home):
                fd = open(self.getFileContextFile())
                for i in  fd.read().split('\n'):
                    if len(i) == 0:
                            continue
                    regex = i.split()[0]


The above code at line 282 in genhomedircon in FC5 has a bug in that it can't 
handle a line in the file contexts file containing " ".

The attached patch fixes a bug in the FC5 policy which generates such a line 
with only a space.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page

[-- Attachment #2: diff --]
[-- Type: text/x-diff, Size: 642 bytes --]

diff -ru serefpolicy-2.2.38.orig/policy/support/misc_macros.spt serefpolicy-2.2.38/policy/support/misc_macros.spt
--- serefpolicy-2.2.38.orig/policy/support/misc_macros.spt	2006-05-08 23:54:02.000000000 +1000
+++ serefpolicy-2.2.38/policy/support/misc_macros.spt	2006-05-19 20:15:07.000000000 +1000
@@ -37,7 +37,7 @@
 #
 # gen_context(context,mls_sensitivity,[mcs_categories])
 #
-define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')') dnl
+define(`gen_context',`$1`'ifdef(`enable_mls',`:$2')`'ifdef(`enable_mcs',`:s0`'ifelse(`$3',,,`:$3')')')dnl
 
 ########################################
 #

Re: genhomedircon

[Christopher J. PeBenito]

On Fri, 2006-05-19 at 20:28 +1000, Russell Coker wrote:
[cut]
> The above code at line 282 in genhomedircon in FC5 has a bug in that it can't 
> handle a line in the file contexts file containing " ".
> 
> The attached patch fixes a bug in the FC5 policy which generates such a line 
> with only a space.

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.