From: Daniel J Walsh <dwalsh@redhat.com>
To: SELinux <SELinux@tycho.nsa.gov>
Subject: relabel python script.
Date: Fri, 05 Dec 2003 10:59:24 -0500
Message-ID: <3FD0AB5C.4030103@redhat.com>
[-- Attachment #1: Type: text/plain, Size: 839 bytes --]
The attached script is something I wrote to handle the problem of
labeling users' home directories. Russell's latest policy has added
several security contexts to files in the users' home directories (.ssh,
.pgp, .xauthority etc.). The problem is the current 'make label' labels
all entries in the users' home directory with user_*_t. If you define a
certain user at staff_t (required by policy if you want to become
sysadm_t), by default he will not be able to log in.

This script figures out the default role for all users and then, if the
user is not root and the default role is not user_u, it adds entries to
file_contexts to properly label this user's home directory. The script
then runs a make relabel.

This functionality should probably be added to either seuser or make
relabel to make this easier to do.

Ideas?

Dan
[-- Attachment #2: relabel.py --]
[-- Type: text/plain, Size: 1379 bytes --]
#!/usr/bin/python
# Python 2 script: add per-user file_contexts entries for every login
# whose default role is not user_r, then relabel.
import commands
import sys
import os

policy_dir="/etc/security/selinux/src/policy"
context_dir="%s/file_contexts" % policy_dir

def makeFileContext():
    # Regenerate file_contexts/file_contexts from the policy sources.
    rc=commands.getstatusoutput("cd %s;rm file_contexts/file_contexts; make file_contexts/file_contexts" % policy_dir)
    if rc[0] != 0:
        raise ValueError, rc[1]

def makeRelabel():
    # Apply the generated file contexts to the filesystem.
    rc=commands.getstatusoutput("cd %s;make relabel" % policy_dir)
    if rc[0] != 0:
        raise ValueError, rc[1]

def getUsers():
    # Map each login to its default role (with the "_r" suffix stripped),
    # skipping root, the generic user_u/system_u identities and anyone
    # whose default role is user_r.
    rc=commands.getstatusoutput("seuser show users")
    udict={}
    if rc[0] == 0:
        ulist=rc[1].strip().split("\n")
        for u in ulist:
            user=u.split(":")
            if user[0]=="root" or user[0]=="user_u" or user[0]=="system_u":
                continue
            role = user[1].split()[0].split("_r")[0]
            if role == "user":
                continue
            udict[user[0]]=role
    return udict

def usage():
    print "Usage: %s" % sys.argv[0]
    sys.exit(1)

def update(user, role):
    # Copy every /home/[^/]+ rule (except the vmware ones) to the end of
    # file_contexts, with the literal home directory substituted for the
    # /home/[^/]+ pattern and the role substituted for "user".
    rc=commands.getstatusoutput("cd %s; grep -h '/home/\[\^' file_contexts | grep -v vmware | sed 's|/home/\[\^\/\]+|/home/%s|g' | sed 's/user/%s/' > /tmp/user_context.tmp; cat /tmp/user_context.tmp >> file_contexts; rm /tmp/user_context.tmp" % (context_dir,user, role))
    if rc[0] != 0:
        print rc[1]
        sys.exit(1)
    return rc

try:
    makeFileContext()
    users=getUsers()
    for u in users.keys():
        update (u, users[u])
    makeRelabel()
except ValueError, error:
    print error
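The rewrite that the script's grep/sed pipeline performs, done in Python 3 on a constructed file_contexts sample, as an added example that is not Dan's script and not part of the policy. It goes a step further than the sed version: it edits only the type field (so a login name that itself contains "user" keeps its path) and regex-escapes the login name; the sample rules and type names are constructed, not copied from the policy.

```python
import re

# Constructed sample in the "regex [-type] context" shape of file_contexts;
# the type names are illustrative, not copied from the policy.
SAMPLE_FILE_CONTEXTS = r"""
/home/[^/]+(/.*)?            system_u:object_r:user_home_t
/home/[^/]+/\.ssh(/.*)?      system_u:object_r:user_home_ssh_t
/home/[^/]+/\.Xauthority     system_u:object_r:user_xauth_home_t
/home/[^/]+/\.vmware(/.*)?   system_u:object_r:user_vmware_file_t
/home/[^/]+/\.gnupg(/.*)?  -d system_u:object_r:user_gpg_secret_t
/usr/bin/passwd              system_u:object_r:passwd_exec_t
"""

HOME_PREFIX = "/home/[^/]+"
# Path regex, whitespace with an optional "-x" file-type flag, then a
# context whose type starts with user_ (the role prefix we swap out).
LINE_RE = re.compile(r"^(\S+)(\s+(?:-\S\s+)?)(\S+:\S+:)user_(\S+)$")


def rewrite_home_contexts(text, user, role, skip=("vmware",)):
    """Return the home-directory rules of `text` specialised for one user.

    Only rules starting with /home/[^/]+ are used; rules containing any
    `skip` substring are dropped, mirroring the script's grep -v vmware.
    The /home/[^/]+ prefix becomes the literal (regex-escaped) home path
    and only the user_ prefix of the type field becomes `role`_, so a
    login such as "luser" keeps its path, and a rule whose type has no
    user_ prefix is left out rather than mangled.
    """
    out = []
    for line in text.splitlines():
        if not line.startswith(HOME_PREFIX) or any(s in line for s in skip):
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        path_re, ws, ctx_prefix, type_rest = m.groups()
        path_re = "/home/" + re.escape(user) + path_re[len(HOME_PREFIX):]
        out.append("%s%s%s%s_%s" % (path_re, ws, ctx_prefix, role, type_rest))
    return out


if __name__ == "__main__":
    for rule in rewrite_home_contexts(SAMPLE_FILE_CONTEXTS, "dwalsh", "staff"):
        print(rule)
```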