* Proposed patch to policy file_contexts
From: Daniel J Walsh @ 2004-02-26 20:10 UTC (permalink / raw)
To: SE Linux
[-- Attachment #1: Type: text/plain, Size: 305 bytes --]
Since the file_contexts file is now being built with m4, I am proposing
this patch to allow for simpler specifications of alternate
home directories or staff users.

As we are rolling this out we are finding many users placing their
home directories in the non standard location.

What do you think?

Dan
[-- Attachment #2: policy-homedir.patch --]
[-- Type: text/x-diff, Size: 2654 bytes --]
--- policy-1.6/file_contexts/users.fc.homedir 2004-02-26 15:03:53.957826373 -0500
+++ policy-1.6/file_contexts/users.fc 2004-02-26 15:03:07.283167405 -0500
@@ -0,0 +1,9 @@
+#
+# If you have an alternate homedir you would specify it here
+#
+#home_dir(user, /local_home)
+#
+# If you have alternate members of staff you would specify it here
+#
+#home_dir(staff, /home,jadmin)
+#home_dir(staff, /local_home,jadmin)
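Review bot: this comment block is the only documentation of the macro's third argument, yet it never says what that argument is; add a line stating that it becomes a path component under the second argument (the macro emits `$2/$3/...`) and whether it is meant to be a login name, as `jadmin` suggests, or the name of a sub-tree. The two examples also write the third argument without the space that the second argument gets (`#home_dir(staff, /home,jadmin)` next to `#home_dir(user, /local_home)`); pick one spacing so readers do not wonder whether it matters to m4. Since the examples are `#`-commented they pass through m4 unexpanded and end up verbatim as comments in the generated file_contexts, which is harmless but worth saying in the header.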
--- policy-1.6/file_contexts/types.fc.homedir 2004-02-26 14:57:19.071019536 -0500
+++ policy-1.6/file_contexts/types.fc 2004-02-26 14:59:04.624938026 -0500
@@ -82,9 +82,7 @@
#
# Ordinary user home directories.
#
-/home -d system_u:object_r:home_root_t
-/home/[^/]+ -d system_u:object_r:user_home_dir_t
-/home/[^/]+/.+ system_u:object_r:user_home_t
+home_dir(user,/home)
#
# /bin
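Review bot: `home_dir(user,/home)` only works if m4 has already read the `home_dir` definition, and nothing in this hunk tells the reader where it comes from; add a comment naming the defining file (file_contexts/homedir in this series) so the dependency on FCFILES ordering is visible at the call site. Note also that the three removed `/home` lines do not come back one-for-one: the macro additionally emits `\.journal` and `lost\+found` entries for the prefix, so this hunk changes the generated output beyond the lines it touches.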
@@ -418,7 +416,8 @@
/lost\+found(/.*)? system_u:object_r:lost_found_t
/usr/lost\+found(/.*)? system_u:object_r:lost_found_t
/boot/lost\+found(/.*)? system_u:object_r:lost_found_t
-/home/lost\+found(/.*)? system_u:object_r:lost_found_t
+# moved to home.fc
+# /home/lost\+found(/.*)? system_u:object_r:lost_found_t
/var/lost\+found(/.*)? system_u:object_r:lost_found_t
/tmp/lost\+found(/.*)? system_u:object_r:lost_found_t
/usr/local/lost\+found(/.*)? system_u:object_r:lost_found_t
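Review bot: `# moved to home.fc` names a file that does not exist in this patch; the entry is now emitted by the `home_dir` macro defined in file_contexts/homedir. Either correct the file name or drop the commented-out copy and simply state that the `/home/lost\+found` entry is generated; a commented-out duplicate of a live rule tends to drift from the rule it describes.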
--- policy-1.6/file_contexts/homedir.homedir 2004-02-26 14:57:07.079392137 -0500
+++ policy-1.6/file_contexts/homedir 2004-02-26 14:56:33.529232470 -0500
@@ -0,0 +1,14 @@
+define(`home_dir',`
+$2 -d system_u:object_r:home_root_t
+ifelse($3,`',`
+$2/[^/]+ -d system_u:object_r:$1_home_dir_t
+$2/[^/]+/.+ system_u:object_r:$1_home_t
+$2/\.journal <<none>>
+$2/lost\+found(/.*)? system_u:object_r:lost_found_t
+', `
+$2/$3/[^/]+ -d system_u:object_r:$1_home_dir_t
+$2/$3/[^/]+/.+ system_u:object_r:$1_home_t
+$2/$3/\.journal <<none>>
+$2/$3/lost\+found(/.*)? system_u:object_r:lost_found_t
+')
+')
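Review bot: in the three-argument branch the `-d` line `$2/$3/[^/]+ -d system_u:object_r:$1_home_dir_t` labels the subdirectories of `$2/$3` as the home directory type, while `$2/$3` itself is still matched by the `$2/[^/]+ -d ...user_home_dir_t` line produced by the two-argument call; if `$3` is a login name, as the users.fc examples (`jadmin`) suggest, the intended lines are `$2/$3 -d system_u:object_r:$1_home_dir_t` and `$2/$3/.+ system_u:object_r:$1_home_t`. Two further points: `$2 -d system_u:object_r:home_root_t` sits outside the `ifelse`, so calling `home_dir(staff, /home, jadmin)` after `home_dir(user,/home)` emits a second, identical `/home -d` entry; and the `\.journal` and `lost\+found` entries describe the root of a filesystem, so they belong once per mount point rather than in every expansion of the macro.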
--- policy-1.6/Makefile.homedir 2004-02-26 15:00:50.902774628 -0500
+++ policy-1.6/Makefile 2004-02-26 15:01:16.167883200 -0500
@@ -51,7 +51,7 @@
UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
FC = file_contexts/file_contexts
-FCFILES=file_contexts/types.fc $(wildcard file_contexts/misc/*.fc) $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te))
+FCFILES=file_contexts/homedir file_contexts/types.fc file_contexts/users.fc $(wildcard file_contexts/misc/*.fc) $(patsubst domains/program/%.te,file_contexts/program/%.fc, $(wildcard domains/program/*.te))
APPDIR=$(DESTDIR)/etc/security
APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context)
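Review bot: listing `file_contexts/homedir` first is correct, since its `define` must be seen before `home_dir(user,/home)` in types.fc, but it is the only FCFILES entry without an `.fc` suffix and does not match the `$(wildcard file_contexts/misc/*.fc)` pattern used for the others; name it homedir.fc (or place it under file_contexts/misc with the suffix) so the naming stays consistent and wildcards and editors treat it as policy input. users.fc is appended after types.fc, which is fine for the macro, but any live `home_dir(staff, ...)` call there will emit its entries after the generic `/home/[^/]+` ones, so the intended precedence should be stated in the file header.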
* Re: Proposed patch to policy file_contexts
From: Dale Amon @ 2004-02-26 23:39 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux

On Thu, Feb 26, 2004 at 03:10:21PM -0500, Daniel J Walsh wrote:
> Since the file_contexts file is now being built with m4, I am proposing
> this patch to allow for simpler specifications of alternate
> home directories or staff users.
>
> As we are rolling this out we are finding many users placing their
> home directories in the non standard location.
>
> What do you think?

Now that you mention it, I resemble that remark. I do (on some systems)
place my administrative accounts on a different drive than user home
dirs. I hadn't run across the problem yet because my test systems are
dead normal.

--
------------------------------------------------------
Dale Amon amon@islandone.org +44-7802-188325
International linux systems consultancy
Hardware & software system design, security and networking,
systems programming and Admin
"Have Laptop, Will Travel"
------------------------------------------------------

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Proposed patch to policy file_contexts
From: Stephen Smalley @ 2004-02-27 19:28 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux

On Thu, 2004-02-26 at 15:10, Daniel J Walsh wrote:
> --- policy-1.6/file_contexts/homedir.homedir 2004-02-26 14:57:07.079392137 -0500
> +++ policy-1.6/file_contexts/homedir 2004-02-26 14:56:33.529232470 -0500
> @@ -0,0 +1,14 @@
> +define(`home_dir',`
> +$2 -d system_u:object_r:home_root_t
> +ifelse($3,`',`
> +$2/[^/]+ -d system_u:object_r:$1_home_dir_t
> +$2/[^/]+/.+ system_u:object_r:$1_home_t
> +$2/\.journal <<none>>
> +$2/lost\+found(/.*)? system_u:object_r:lost_found_t
> +', `
> +$2/$3/[^/]+ -d system_u:object_r:$1_home_dir_t
> +$2/$3/[^/]+/.+ system_u:object_r:$1_home_t
> +$2/$3/\.journal <<none>>
> +$2/$3/lost\+found(/.*)? system_u:object_r:lost_found_t
> +')
> +')

I doubt you want to move the \.journal and lost\+found entries into these
macros, as they are only applicable to the root directory of each
filesystem, not individual home directories.

Should this file be called homedir.fc rather than just homedir?
* Re: Proposed patch to policy file_contexts
From: Karl MacMillan @ 2004-02-27 21:18 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux

[-- Attachment #1: Type: text/plain, Size: 4526 bytes --]

Dan,

We have been looking at this lately and come up with a solution that
modifies the genhomedircon script (which is attached). It looks like
your changes don't address all of the file contexts - just what is in
types.fc. Our genhomedircon handles 2 main cases:

1. For policy users it generates specific file_contexts entries
including those in modules (i.e. not just in types.fc).
2. It generates generic entries for all home directory prefixes based on
the contents of /etc/passwd and /etc/defaults/useradd.

It does this by replacing /home with the magic string HOME_ROOT,
/home/[^/] with HOME_DIR, and user_* with ROLE_* in the file contexts
file. Those strings are then replaced with the correct entries. For
example, the gpg entry:

/home/[^/]+/\.gnupg(/.+)? system_u:object_r:user_gpg_secret_t
/root/\.gnupg(/.+)? system_u:object_r:sysadm_gpg_secret_t

would be replaced with:

HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t

The genhomedircon script would then replace the strings appropriately
with information from the policy and system. Let me know what you think.
I can send a patch that includes the policy changes if this change looks
good.

Karl

On Thu, 2004-02-26 at 15:10, Daniel J Walsh wrote:
> Since the file_contexts file is now being built with m4, I am proposing
> this patch to allow for simpler specifications of alternate
> home directories or staff users.
>
> As we are rolling this out we are finding many users placing their
> home directories in the non standard location.
>
> What do you think?
>
> Dan

--
Karl MacMillan
Tresys Technology
kmacmillan@tresys.com
http://www.tresys.com
(410) 290-1411 x134

[-- Attachment #2: genhomedircon --]
[-- Type: text/plain, Size: 3514 bytes --]

#!/usr/bin/python
# Copyright (C) 2004 Tresys Technology, LLC
# see file 'COPYING' for use and warranty information

#
# genhomedircon - Replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files
# with generic and user-specific values.
#
# ASSUMPTIONS:
#
# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses
# the first role in the list.
#
# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that
# the user's home dir will be found in one of the HOME_ROOTs.
#
# "Real" users (as opposed to system users) are those whose UID is greater than
# or equal STARTING_UID (usually 100) and whose login is not a member of
# EXCLUDE_LOGINS. Users who are explicitly defined in FILECONTEXTDIR/users
# are always "real" (including root, in the default configuration).
#

import commands, sys, os, pwd, string

FILECONTEXTDIR="/etc/security/selinux/src/policy/"
EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
STARTING_UID=100

def getPrefixes():
    # Collect the parent directory of every "real" user's home (the HOME_ROOTs).
    ulist = pwd.getpwall()
    prefixes = {}
    for u in ulist:
        if u[2] >= STARTING_UID and \
           not u[6] in EXCLUDE_LOGINS and \
           u[5] != "/" and \
           string.count(u[5], "/") > 1:
            prefix = u[5][:string.rfind(u[5], "/")]
            if not prefixes.has_key(prefix):
                prefixes[prefix] = ""
    return prefixes

def getUsers():
    # Map each policy user (other than user_u/system_u) to its first role and home.
    rc = commands.getstatusoutput("grep ^user %s/users" % FILECONTEXTDIR)
    udict = {}
    if rc[0] == 0:
        ulist = rc[1].strip().split("\n")
        for u in ulist:
            user = u.split()
            try:
                if user[1] == "user_u" or user[1] == "system_u":
                    continue
                # !!! chooses first role in the list to use in the file context !!!
                role = user[4].split("_r")[0]
                home = pwd.getpwnam(user[1])[5]
                if home == "/":
                    continue
                prefs = {}
                prefs["role"] = role
                prefs["home"] = home
                udict[user[1]] = prefs
            except KeyError:
                sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % (user[1],))
    return udict

def usage(error = ""):
    if error != "":
        sys.stderr.write("%s\n" % (error,))
    sys.stderr.write("Usage: %s FILE_CONTEXTS\n" % sys.argv[0])
    sys.stderr.flush()
    sys.exit(1)

def update(filecontext, user, prefs):
    # Emit user-specific copies of every HOME_DIR entry for one policy user.
    rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|g' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
    if rc[0] == 0:
        print rc[1]
    else:
        usage(rc[1])
    return rc

try:
    prefixes = getPrefixes()

    rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
    if rc[0] == 0:
        homedir = rc[1].split("=")[1]
    else:
        sys.stderr.write("%s\n" % (rc[1],))
        sys.stderr.write("Do you have access to /etc/default/useradd?\n")
        sys.stderr.flush()
        sys.exit(1)

    if not prefixes.has_key(homedir):
        prefixes[homedir] = ""

    if len(prefixes) == 1:
        regex_root = prefixes.keys()[0]
    else:
        regex_root = "(%s)" % (string.join(prefixes, "\|"),)
    regex_dir = "%s/[^/]+" % (regex_root,)

    # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
    rc=commands.getstatusoutput("sed -e 's|^HOME_ROOT|%s|g' -e 's|^HOME_DIR|%s|g' -e 's/ROLE_/user_/' %s" % (regex_root, regex_dir, sys.argv[1]))
    if rc[0] == 0:
        print rc[1]
    else:
        usage(rc[1])

    users = getUsers()
    print "\n#\n# User-specific file contexts\n#\n"

    # Fill in HOME and ROLE for users that are defined
    for u in users.keys():
        update(sys.argv[1], u, users[u])

except ValueError, error:
    usage(error)
except IndexError, error:
    usage()
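The two passes Karl describes (generic entries for every home prefix, then user-specific entries for each policy user) written out as an added example in Python 3 so they can be run offline on constructed data. This is not the attached genhomedircon and is not part of the thread; the sample .fc lines, passwd records and policy `users` lines below are constructed, and `escape_path`, `home_prefixes`, `policy_users`, `expand_generic`, `expand_for_user` and `generate` are this example's own names. It departs from the attached script in two deliberate ways: the substitution is done in-process rather than by interpolating passwd fields into a `grep | sed` command line, and each home prefix is escaped before it is placed into the generated regular expression, so a directory name containing regex metacharacters cannot change what the entry matches.

```python
import re

# Constructed .fc lines using the HOME_ROOT / HOME_DIR / ROLE markers.
SAMPLE_FC = [
    r"HOME_ROOT -d system_u:object_r:home_root_t",
    r"HOME_DIR -d system_u:object_r:ROLE_home_dir_t",
    r"HOME_DIR/.+ system_u:object_r:ROLE_home_t",
    r"HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t",
    r"/root/\.gnupg(/.+)? system_u:object_r:sysadm_gpg_secret_t",
]

# Constructed /etc/passwd-style records: (login, uid, home, shell).
SAMPLE_PASSWD = [
    ("root", 0, "/root", "/bin/bash"),
    ("daemon", 2, "/sbin", "/sbin/nologin"),
    ("alice", 500, "/home/alice", "/bin/bash"),
    ("bob", 501, "/local_home/bob", "/bin/bash"),
    ("jadmin", 502, "/home/jadmin", "/bin/bash"),
]

# Constructed policy `users` lines; "ghost" has no passwd entry on purpose.
SAMPLE_USERS = """\
user system_u roles system_r;
user user_u roles { user_r };
user jadmin roles { staff_r sysadm_r };
user ghost roles { staff_r };
"""

EXCLUDE_LOGINS = ("/sbin/nologin", "/bin/false")
STARTING_UID = 100
_REGEX_META = re.compile(r"([.^$*+?{}\[\]\\|()])")


def escape_path(path):
    """Backslash-escape regex metacharacters so a path matches literally."""
    return _REGEX_META.sub(r"\\\1", path)


def home_prefixes(passwd, default_home):
    """Parent directories of real users' homes, plus the useradd default."""
    prefixes = {default_home}
    for _login, uid, home, shell in passwd:
        if uid < STARTING_UID or shell in EXCLUDE_LOGINS:
            continue  # system account
        if home.count("/") < 2:
            continue  # "/" or a top-level directory: no usable prefix
        prefixes.add(home.rsplit("/", 1)[0])
    return sorted(prefixes)


def policy_users(users_text, passwd):
    """Map each named policy user to its first role and its passwd home."""
    homes = {login: home for login, _uid, home, _shell in passwd}
    result = {}
    for line in users_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "user":
            continue
        name = fields[1]
        if name in ("user_u", "system_u") or homes.get(name, "/") == "/":
            continue  # generic identity, not in passwd, or home is "/"
        roles = [tok.strip("{};") for tok in fields[3:]]
        roles = [r for r in roles if r.endswith("_r")]
        if roles:  # first role listed, with the trailing "_r" removed
            result[name] = {"role": roles[0][:-2], "home": homes[name]}
    return result


def expand_generic(fc_lines, prefixes):
    """Generic entries covering every home prefix; ROLE_ becomes user_."""
    roots = [escape_path(p) for p in prefixes]
    root_re = roots[0] if len(roots) == 1 else "(%s)" % "|".join(roots)
    dir_re = root_re + "/[^/]+"
    out = []
    for line in fc_lines:
        if line.startswith("HOME_ROOT"):
            line = root_re + line[len("HOME_ROOT"):]
        elif line.startswith("HOME_DIR"):
            line = dir_re + line[len("HOME_DIR"):]
        out.append(line.replace("ROLE_", "user_", 1))
    return out


def expand_for_user(fc_lines, user, prefs):
    """User-specific copies of the HOME_DIR lines: home, role and identity."""
    home_re = escape_path(prefs["home"])
    out = []
    for line in fc_lines:
        if not line.startswith("HOME_DIR"):
            continue
        line = home_re + line[len("HOME_DIR"):]
        line = line.replace("ROLE", prefs["role"], 1)
        out.append(line.replace("system_u", user, 1))
    return out


def generate(fc_lines, passwd, users_text, default_home="/home"):
    """Both passes, in the order the script prints them."""
    out = expand_generic(fc_lines, home_prefixes(passwd, default_home))
    out += ["", "#", "# User-specific file contexts", "#"]
    for user, prefs in sorted(policy_users(users_text, passwd).items()):
        out += expand_for_user(fc_lines, user, prefs)
    return out


if __name__ == "__main__":
    print("\n".join(generate(SAMPLE_FC, SAMPLE_PASSWD, SAMPLE_USERS)))
```

With the constructed data the generic pass yields `(/home|/local_home)/[^/]+/\.gnupg(/.+)? system_u:object_r:user_gpg_secret_t`, and the user pass yields `/home/jadmin/\.gnupg(/.+)? jadmin:object_r:staff_gpg_secret_t` for the one policy user that exists in passwd; `ghost` is skipped the way the attached script skips users it cannot look up. The alternation is written with a plain `|`, where the attached script builds it with `\|`.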
* Re: Proposed patch to policy file_contexts
From: Daniel J Walsh @ 2004-03-02 16:36 UTC (permalink / raw)
To: Karl MacMillan; +Cc: SE Linux

Karl MacMillan wrote:
>Dan,
>
>We have been looking at this lately and come up with a solution that
>modifies the genhomedircon script (which is attached). It looks like
>your changes don't address all of the file contexts - just what is in
>types.fc. Our genhomedircon handles 2 main cases:
>
>1. For policy users it generates specific file_contexts entries
>including those in modules (i.e. not just in types.fc).
>2. It generates generic entries for all home directory prefixes based on
>the contents of /etc/passwd and /etc/defaults/useradd.
>
>It does this by replacing /home with the magic string HOME_ROOT,
>/home/[^/] with HOME_DIR, and user_* with ROLE_* in the file contexts
>file. Those strings are then replaced with the correct entries. For
>example, the gpg entry:
>
>/home/[^/]+/\.gnupg(/.+)? system_u:object_r:user_gpg_secret_t
>/root/\.gnupg(/.+)? system_u:object_r:sysadm_gpg_secret_t
>
>would be replaced with:
>
>HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t
>
>The genhomedircon script would then replace the strings appropriately
>with information from the policy and system. Let me know what you think.
>I can send a patch that includes the policy changes if this change looks
>good.
>
>Karl
>
Yes this looks good to me, as you pointed out there were flaws in my
assumption. :^(
I have pulled my changes out, if you can send me a patch to policy, I
will apply it and test it out.

Thanks.

Dan
* Re: Proposed patch to policy file_contexts
From: Karl MacMillan @ 2004-03-03 14:22 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: SE Linux

[-- Attachment #1: Type: text/plain, Size: 7999 bytes --]

On Tue, 2004-03-02 at 11:36, Daniel J Walsh wrote:
> Yes this looks good to me, as you pointed out there were flaws in my
> assumption. :^(
> I have pulled my changes out, if you can send me a patch to policy, I
> will apply it and test it out.
>
> Thanks.
>
> Dan
>

Dan,

I have attached a patch. It is against a cvs version from last week, so
I'm not certain that it is completely current.

Karl

--
Karl MacMillan
Tresys Technology
kmacmillan@tresys.com
http://www.tresys.com
(410) 290-1411 x134

[-- Attachment #2: genhomedircon-2-3-2004 --]
[-- Type: text/plain, Size: 16247 bytes --]

# This is a BitKeeper generated patch for the following project:
# Project Name: Tresys SELinux
# This patch format is intended for GNU patch command version 2.5 or higher.
# This patch includes the following deltas: # ChangeSet 1.6 -> 1.10 # selinux-usr/policy/file_contexts/program/quota.fc 1.1 -> 1.3 # selinux-usr/policy/file_contexts/program/screen.fc 1.1 -> 1.3 # selinux-usr/policy/file_contexts/types.fc 1.3 -> 1.5 # selinux-usr/policy/file_contexts/program/vmware.fc 1.1 -> 1.3 # selinux-usr/policycoreutils/scripts/genhomedircon 1.1 -> 1.5 # selinux-usr/policy/Makefile 1.2 -> 1.3 # selinux-usr/policy/file_contexts/program/gpg.fc 1.2 -> 1.4 # selinux-usr/policy/file_contexts/program/xauth.fc 1.2 -> 1.4 # selinux-usr/policy/file_contexts/program/irc.fc 1.2 -> 1.4 # selinux-usr/policy/file_contexts/program/mozilla.fc 1.1 -> 1.3 # selinux-usr/policy/file_contexts/program/apache.fc 1.2 -> 1.4 # selinux-usr/policy/file_contexts/program/ssh.fc 1.2 -> 1.4 # # The following is the BitKeeper ChangeSet Log # -------------------------------------------- # 04/02/20 jathey@bishop.columbia.tresys.com 1.7 # The file context definitions are now better generalized. Instead of /home being hard coded in the .fc files, there is a new HOME macro which genhomedircon expands to the system's top level HOME directory from /usr/default/useradd. In the same file context definitions, the "user" in system_u:object_r:user_foo_t has been replaced by the macro ROLE, to clarify that it will be replaced by genhomedircon appropriately. # genhomedircon will replace HOME with the user's home directory from /etc/passwd and will replace ROLE with the user's first role from /etc/security/selinux/src/policy/users # All future .fc files should follow these conventions. # -------------------------------------------- # 04/02/24 jathey@bishop.columbia.tresys.com 1.8 # new HOME_ROOT and HOME_DIR macros instead of just HOME in .fc files, for better precision # genhomedircon now searches for home directory prefixes in /etc/passwd as well as /etc/default/useradd, and expands HOME_ROOT and HOME_DIR to accomodate multiple possible prefixes. 
# -------------------------------------------- # 04/02/27 jathey@bishop.columbia.tresys.com 1.9 # new genhomedircon revision # -------------------------------------------- # 04/03/03 kmacmillan@colossus.columbia.tresys.com 1.10 # Removed copyright statements. # -------------------------------------------- # diff -Nru a/selinux-usr/policy/Makefile b/selinux-usr/policy/Makefile --- a/selinux-usr/policy/Makefile Wed Mar 3 09:18:07 2004 +++ b/selinux-usr/policy/Makefile Wed Mar 3 09:18:07 2004 @@ -81,7 +81,7 @@ $(POLICYVER): policy.conf $(CHECKPOLICY) $(CHECKPOLICY) $(POLICYCOMPAT) -o $@ policy.conf -$(POLICYCONF): policy.conf +$(POLICYCONF): policy.conf mkdir -p $(SRCINSTALLDIR) install -m 644 policy.conf $@ @@ -120,10 +120,8 @@ $(FC): $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users m4 $(FCFILES) > $@.tmp - @/usr/sbin/genhomedircon $@.tmp > $@.homedirtmp - cat $@.homedirtmp >> $@.tmp - @rm $@.homedirtmp - mv $@.tmp $@ + /usr/sbin/genhomedircon $@.tmp > $@ + rm $@.tmp clean: rm -f policy.conf diff -Nru a/selinux-usr/policy/file_contexts/program/apache.fc b/selinux-usr/policy/file_contexts/program/apache.fc --- a/selinux-usr/policy/file_contexts/program/apache.fc Wed Mar 3 09:18:07 2004 +++ b/selinux-usr/policy/file_contexts/program/apache.fc Wed Mar 3 09:18:07 2004 @@ -1,5 +1,5 @@ # apache -/home/[^/]+/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t +HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t /var/www -d system_u:object_r:httpd_sys_content_t /var/www/html(/.*)? system_u:object_r:httpd_sys_content_t /var/www/mrtg(/.*)? system_u:object_r:httpd_sys_content_t diff -Nru a/selinux-usr/policy/file_contexts/program/gpg.fc b/selinux-usr/policy/file_contexts/program/gpg.fc --- a/selinux-usr/policy/file_contexts/program/gpg.fc Wed Mar 3 09:18:07 2004 +++ b/selinux-usr/policy/file_contexts/program/gpg.fc Wed Mar 3 09:18:07 2004 
@@ -1,4 +1,3 @@ # gpg -/home/[^/]+/\.gnupg(/.+)? system_u:object_r:user_gpg_secret_t -/root/\.gnupg(/.+)? system_u:object_r:sysadm_gpg_secret_t +HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t /usr/bin/gpg -- system_u:object_r:gpg_exec_t diff -Nru a/selinux-usr/policy/file_contexts/program/irc.fc b/selinux-usr/policy/file_contexts/program/irc.fc --- a/selinux-usr/policy/file_contexts/program/irc.fc Wed Mar 3 09:18:07 2004 +++ b/selinux-usr/policy/file_contexts/program/irc.fc Wed Mar 3 09:18:07 2004 @@ -2,4 +2,4 @@ /usr/bin/[st]irc -- system_u:object_r:irc_exec_t /usr/bin/ircII -- system_u:object_r:irc_exec_t /usr/bin/tinyirc -- system_u:object_r:irc_exec_t -/home/[^/]+/.ircmotd -- system_u:object_r:user_home_irc_t +HOME_DIR/.ircmotd -- system_u:object_r:ROLE_home_irc_t diff -Nru a/selinux-usr/policy/file_contexts/program/mozilla.fc b/selinux-usr/policy/file_contexts/program/mozilla.fc --- a/selinux-usr/policy/file_contexts/program/mozilla.fc Wed Mar 3 09:18:07 2004 +++ b/selinux-usr/policy/file_contexts/program/mozilla.fc Wed Mar 3 09:18:07 2004 @@ -1,8 +1,6 @@ # netscape/mozilla -/root/\.netscape(/.*)? system_u:object_r:sysadm_mozilla_rw_t -/root/\.mozilla(/.*)? system_u:object_r:sysadm_mozilla_rw_t -/home/[^/]+/\.netscape(/.*)? system_u:object_r:user_mozilla_rw_t -/home/[^/]+/\.mozilla(/.*)? system_u:object_r:user_mozilla_rw_t +HOME_DIR/\.netscape(/.*)? system_u:object_r:ROLE_mozilla_rw_t +HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_rw_t /usr/bin/netscape -- system_u:object_r:mozilla_exec_t /usr/bin/mozilla -- system_u:object_r:mozilla_exec_t /usr/bin/mozilla-snapshot -- system_u:object_r:mozilla_exec_t diff -Nru a/selinux-usr/policy/file_contexts/program/quota.fc b/selinux-usr/policy/file_contexts/program/quota.fc --- a/selinux-usr/policy/file_contexts/program/quota.fc Wed Mar 3 09:18:07 2004 +++ b/selinux-usr/policy/file_contexts/program/quota.fc Wed Mar 3 09:18:07 2004 
@@ -1,4 +1,5 @@ # quota system /var/lib/quota(/.*)? system_u:object_r:quota_flag_t /sbin/quota(check|on) -- system_u:object_r:quota_exec_t -/(|home/|var/)quota.(user|group) -- system_u:object_r:quota_db_t +HOME_ROOT/quota.(user|group) -- system_u:object_r:quota_db_t +/var/quota.(user|group) -- system_u:object_r:quota_db_t diff -Nru a/selinux-usr/policy/file_contexts/program/screen.fc b/selinux-usr/policy/file_contexts/program/screen.fc --- a/selinux-usr/policy/file_contexts/program/screen.fc Wed Mar 3 09:18:07 2004 +++ b/selinux-usr/policy/file_contexts/program/screen.fc Wed Mar 3 09:18:07 2004 @@ -1,5 +1,5 @@ # screen /usr/bin/screen -- system_u:object_r:screen_exec_t -/home/[^/]+/\.screenrc -- system_u:object_r:user_home_screen_t +HOME_DIR/\.screenrc -- system_u:object_r:ROLE_home_screen_t /var/run/screen/S-[^/]+ -d system_u:object_r:screen_dir_t /var/run/screen/S-[^/]+/.* <<none>> diff -Nru a/selinux-usr/policy/file_contexts/program/ssh.fc b/selinux-usr/policy/file_contexts/program/ssh.fc --- a/selinux-usr/policy/file_contexts/program/ssh.fc Wed Mar 3 09:18:07 2004 +++ b/selinux-usr/policy/file_contexts/program/ssh.fc Wed Mar 3 09:18:07 2004 @@ -6,8 +6,7 @@ /etc/ssh/ssh_host_dsa_key -- system_u:object_r:sshd_key_t /etc/ssh/ssh_host_rsa_key -- system_u:object_r:sshd_key_t /usr/sbin/sshd -- system_u:object_r:sshd_exec_t -/root/\.ssh(/.*)? system_u:object_r:sysadm_home_ssh_t -/home/[^/]+/\.ssh(/.*)? system_u:object_r:user_home_ssh_t +HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t # subsystems /usr/lib/misc/sftp-server -- system_u:object_r:bin_t /usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t diff -Nru a/selinux-usr/policy/file_contexts/program/vmware.fc b/selinux-usr/policy/file_contexts/program/vmware.fc --- a/selinux-usr/policy/file_contexts/program/vmware.fc Wed Mar 3 09:18:07 2004 +++ b/selinux-usr/policy/file_contexts/program/vmware.fc Wed Mar 3 09:18:07 2004 
@@ -38,6 +38,6 @@ # The rules below assume that the user VMWare virtual disks are in the # ~/vmware, and the preferences and license files are in ~/.vmware. # -/home/[^/]+/\.vmware(/.*)? system_u:object_r:vmware_user_file_t -/home/[^/]+/\vmware(/.*)? system_u:object_r:vmware_user_file_t -/home/[^/]+/\vmware[^/]*/.*\.cfg -- system_u:object_r:vmware_user_conf_t +HOME_DIR/\.vmware(/.*)? system_u:object_r:vmware_ROLE_file_t +HOME_DIR/\vmware(/.*)? system_u:object_r:vmware_ROLE_file_t +HOME_DIR/\vmware[^/]*/.*\.cfg -- system_u:object_r:vmware_ROLE_conf_t diff -Nru a/selinux-usr/policy/file_contexts/program/xauth.fc b/selinux-usr/policy/file_contexts/program/xauth.fc --- a/selinux-usr/policy/file_contexts/program/xauth.fc Wed Mar 3 09:18:07 2004 +++ b/selinux-usr/policy/file_contexts/program/xauth.fc Wed Mar 3 09:18:07 2004 @@ -1,4 +1,3 @@ # xauth /usr/X11R6/bin/xauth -- system_u:object_r:xauth_exec_t -/home/[^/]+/\.Xauthority.* -- system_u:object_r:user_home_xauth_t -/root/\.Xauthority.* -- system_u:object_r:sysadm_home_xauth_t +HOME_DIR/\.Xauthority.* -- system_u:object_r:ROLE_home_xauth_t diff -Nru a/selinux-usr/policy/file_contexts/types.fc b/selinux-usr/policy/file_contexts/types.fc --- a/selinux-usr/policy/file_contexts/types.fc Wed Mar 3 09:18:07 2004 +++ b/selinux-usr/policy/file_contexts/types.fc Wed Mar 3 09:18:07 2004 @@ -14,13 +14,13 @@ # The optional type field specifies the file type as shown in the mode # field by ls, e.g. use -d to match only directories or -- to match only # regular files. -# +# # The value of <<none> may be used to indicate that matching files # should not be relabeled. # # The last matching specification is used. # -# If there are multiple hard links to a file that match +# If there are multiple hard links to a file that match # different specifications and those specifications indicate # different security contexts, then a warning is displayed # but the file is still labeled based on the last matching 
@@ -44,6 +44,17 @@ / -d system_u:object_r:root_t # +# Ordinary user home directories. +# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd +# HOME_DIR expands to each user's home directory, +# and to HOME_ROOT/[^/]+ for each HOME_ROOT. +# ROLE expands to each user's role when role != user_r, and to "user" otherwise. +# +HOME_ROOT -d system_u:object_r:home_root_t +HOME_DIR -d system_u:object_r:ROLE_home_dir_t +HOME_DIR/.+ system_u:object_r:ROLE_home_t + +# # A common mount point /mnt -d system_u:object_r:root_t /mnt/cdrom -d system_u:object_r:mnt_t @@ -75,19 +86,6 @@ /var/ftp/lib/lib.*\.so.* -- system_u:object_r:shlib_t /var/ftp/etc(/.*)? system_u:object_r:etc_t -# -# The superuser home directory. -# -/root(/.*)? system_u:object_r:sysadm_home_t -/root -d system_u:object_r:sysadm_home_dir_t - -# -# Ordinary user home directories. -# -/home -d system_u:object_r:home_root_t -/home/[^/]+ -d system_u:object_r:user_home_dir_t -/home/[^/]+/.+ system_u:object_r:user_home_t - # # /bin # @@ -408,7 +406,7 @@ /\.journal <<none>> /usr/\.journal <<none>> /boot/\.journal <<none>> -/home/\.journal <<none>> +HOME_ROOT/\.journal <<none>> /var/\.journal <<none>> /tmp/\.journal <<none>> /usr/local/\.journal <<none>> @@ -419,7 +417,7 @@ /lost\+found(/.*)? system_u:object_r:lost_found_t /usr/lost\+found(/.*)? system_u:object_r:lost_found_t /boot/lost\+found(/.*)? system_u:object_r:lost_found_t -/home/lost\+found(/.*)? system_u:object_r:lost_found_t +HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t /var/lost\+found(/.*)? system_u:object_r:lost_found_t /tmp/lost\+found(/.*)? system_u:object_r:lost_found_t /usr/local/lost\+found(/.*)? system_u:object_r:lost_found_t diff -Nru a/selinux-usr/policycoreutils/scripts/genhomedircon b/selinux-usr/policycoreutils/scripts/genhomedircon --- a/selinux-usr/policycoreutils/scripts/genhomedircon Wed Mar 3 09:18:07 2004 +++ b/selinux-usr/policycoreutils/scripts/genhomedircon Wed Mar 3 09:18:07 2004 
@@ -1,32 +1,72 @@ #!/usr/bin/python -import commands -import sys -import os +# +# genhomedircon - Replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files +# with generic and user-specific values. +# +# ASSUMPTIONS: +# +# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses +# the first role in the list. +# +# If a user is not listed in FILECONTEXTDIR/user genhomedircon assumes that the user's +# home dir will be found in one of the HOME_ROOTs. +# +# "Real" users (as opposed to system users) are those whose UID is greater than +# or equal STARTING_UID (usually 100) and whose login is not a member of +# EXCLUDE_LOGINS. Users who are explicitly defined in FILECONTEXTDIR/users +# are always "real" (including root, in the default configuration). +# + +import commands, sys, os, pwd, string + FILECONTEXTDIR="/etc/security/selinux/src/policy/" +EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"] +STARTING_UID=100 + +def getPrefixes(): + ulist = pwd.getpwall() + prefixes = {} + for u in ulist: + if u[2] >= STARTING_UID and \ + not u[6] in EXCLUDE_LOGINS and \ + u[5] != "/" and \ + string.count(u[5], "/") > 1: + prefix = u[5][:string.rfind(u[5], "/")] + if not prefixes.has_key(prefix): + prefixes[prefix] = "" + return prefixes def getUsers(): - rc=commands.getstatusoutput("grep ^user %s/users" % FILECONTEXTDIR) - udict={} + rc = commands.getstatusoutput("grep ^user %s/users" % FILECONTEXTDIR) + udict = {} if rc[0] == 0: - ulist=rc[1].strip().split("\n") + ulist = rc[1].strip().split("\n") for u in ulist: - user=u.split() - if user[1]=="root" or user[1]=="user_u" or user[1]=="system_u": - continue - role = user[4].split("_r")[0] - if role == "user": - continue - udict[user[1]]=role + user = u.split() + try: + if user[1] == "user_u" or user[1] == "system_u": + continue + # !!! chooses first role in the list to use in the file context !!! 
+ role = user[4].split("_r")[0] + home = pwd.getpwnam(user[1])[5] + if home == "/": + continue + prefs = {} + prefs["role"] = role + prefs["home"] = home + udict[user[1]] = prefs + except KeyError: + print "User \"%s\" is not present in the passwd file, skipping" % (user[1],) return udict -def usage(error=""): +def usage(error = ""): if error != "": print error print "Usage: %s FILE_CONTEXTS" % sys.argv[0] sys.exit(1) - -def update(filecontext, user, role): - rc=commands.getstatusoutput("grep -h '/home/\[\^' %s | grep -v vmware | sed -e 's|/home/\[\^\/\]+|/home/%s|g' -e 's/user/%s/' -e 's/system_u/%s/'" % (filecontext, user, role, user)) + +def update(filecontext, user, prefs): + rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|g' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user)) if rc[0] == 0: print rc[1] else: 
@@ -34,11 +74,40 @@ return rc try: - users=getUsers() + prefixes = getPrefixes() + + rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") + if rc[0] == 0: + homedir = rc[1].split("=")[1] + else: + print rc[1] + print "Do you have access to /etc/default/useradd?" + sys.exit(1) + + if not prefixes.has_key(homedir): + prefixes[homedir] = "" + + if len(prefixes) == 1: + regex_root = prefixes.keys()[0] + else: + regex_root = "(%s)" % (string.join(prefixes, "\|"),) + regex_dir = "%s/[^/]+" % (regex_root,) + + # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users + rc=commands.getstatusoutput("sed -e 's|^HOME_ROOT|%s|g' -e 's|^HOME_DIR|%s|g' -e 's/ROLE_/user_/' %s" % (regex_root, regex_dir, sys.argv[1])) + if rc[0] == 0: + print rc[1] + else: + usage(rc[1]) + + users = getUsers() + print "\n#\n# User-specific file contexts\n#\n" + + # Fill in HOME and ROLE for users that are defined for u in users.keys(): - update(sys.argv[1], u, users[u]) + update(sys.argv[1], u, users[u]) + except ValueError, error: usage(error) except IndexError, error: usage() - ^ permalink raw reply [flat|nested] 12+ messages in thread
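Review bot: In the Makefile hunk at @@ -120,10 +120,8 @@, `/usr/sbin/genhomedircon $@.tmp > $@` redirects straight into the final target before the script has succeeded, so an exit via usage() or the /etc/default/useradd failure path leaves a truncated `$(FC)` that the next make treats as up to date (make does not delete a failed target unless `.DELETE_ON_ERROR` is declared), and because this revision of genhomedircon reports errors with `print`, those messages land inside the generated file_contexts. Keep the write-to-temporary-then-`mv` shape of the removed lines (or declare `.DELETE_ON_ERROR`) and send diagnostics to stderr.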
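Review bot: The quota.fc hunk loses a match: the removed `/(|home/|var/)quota.(user|group)` also matched `/quota.user` and `/quota.group` at the filesystem root through its empty alternative, while the two replacement lines cover only HOME_ROOT and /var. Add a third line, `/quota.(user|group) -- system_u:object_r:quota_db_t`, unless quota files on the root filesystem are intentionally no longer labelled quota_db_t.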
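Review bot: In the genhomedircon hunk at @@ -1,32 +1,72 @@, update() substitutes the raw home directory from /etc/passwd into both a sed expression and a file_contexts regex (`sed -e 's|HOME_DIR|%s|g'`), so a home path containing `|` breaks the sed command, and one containing `.`, `+` or `(` is interpreted as regex syntax by setfiles rather than matched literally; the prefixes joined into regex_root have the same problem. Escape regex metacharacters in prefs["home"] and in each prefix before substitution, or perform the replacement in Python instead of through the shell.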
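Review bot: In the hunk at @@ -34,11 +74,40 @@, the `except IndexError` handler calls usage() with no message, so a policy/users line that getUsers() cannot split into five whitespace-separated fields (for example `user foo roles staff_r;` without braces, which leaves the role in user[3], or `{staff_r sysadm_r};` written without spaces, which silently picks the wrong field) aborts the whole run with only the usage text and no indication of which line was at fault. Handle the IndexError inside the getUsers() loop, report the offending line on stderr and skip it, as the KeyError branch already does, and tokenise on `{`, `}` and `;` as well as whitespace.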
* Re: Proposed patch to policy file_contexts
2004-03-03 14:22 ` Karl MacMillan
@ 2004-03-03 21:21 ` Stephen Smalley
2004-03-03 21:36 ` Karl MacMillan
0 siblings, 1 reply; 12+ messages in thread
From: Stephen Smalley @ 2004-03-03 21:21 UTC (permalink / raw)
To: Karl MacMillan; +Cc: Daniel J Walsh, SE Linux

On Wed, 2004-03-03 at 09:22, Karl MacMillan wrote:
> I have attached a patch. It is against a cvs version from last week, so
> I'm not certain that it is completely current.

It appears that error messages from the script are being written to the
generated file contexts file rather than stderr, e.g. if you have a user
in your policy/users file that is not in /etc/passwd, then you'll get:
User "foo is not present in the passwd file, skipping
in the file contexts configuration.

--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: Proposed patch to policy file_contexts
2004-03-03 21:21 ` Stephen Smalley
@ 2004-03-03 21:36 ` Karl MacMillan
2004-03-05 17:18 ` Stephen Smalley
0 siblings, 1 reply; 12+ messages in thread
From: Karl MacMillan @ 2004-03-03 21:36 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux
[-- Attachment #1: Type: text/plain, Size: 838 bytes --]

On Wed, 2004-03-03 at 16:21, Stephen Smalley wrote:
> On Wed, 2004-03-03 at 09:22, Karl MacMillan wrote:
> > I have attached a patch. It is against a cvs version from last week, so
> > I'm not certain that it is completely current.
>
> It appears that error messages from the script are being written to the
> generated file contexts file rather than stderr, e.g. if you have a user
> in your policy/users file that is not in /etc/passwd, then you'll get:
> User "foo is not present in the passwd file, skipping
> in the file contexts configuration.

Here is an updated version that writes all of the error messages to
stderr. There are 2 patches - the first is against the patch I sent
before and the other is the full version.

Karl
--
Karl MacMillan
Tresys Technology
kmacmillan@tresys.com
http://www.tresys.com
(410) 290-1411 x134
[-- Attachment #2: genhomedircon-2-3-2004-ver2 --]
[-- Type: text/x-patch, Size: 14027 bytes --]
diff -Nru a/selinux-usr/policy/Makefile b/selinux-usr/policy/Makefile --- a/selinux-usr/policy/Makefile Wed Mar 3 16:34:30 2004 +++ b/selinux-usr/policy/Makefile Wed Mar 3 16:34:30 2004 @@ -81,7 +81,7 @@ $(POLICYVER): policy.conf $(CHECKPOLICY) $(CHECKPOLICY) $(POLICYCOMPAT) -o $@ policy.conf -$(POLICYCONF): policy.conf +$(POLICYCONF): policy.conf mkdir -p $(SRCINSTALLDIR) install -m 644 policy.conf $@
@@ -120,10 +120,8 @@ $(FC): $(FCFILES) domains/program domains/misc file_contexts/program file_contexts/misc users m4 $(FCFILES) > $@.tmp - @/usr/sbin/genhomedircon $@.tmp > $@.homedirtmp - cat $@.homedirtmp >> $@.tmp - @rm $@.homedirtmp - mv $@.tmp $@ + /usr/sbin/genhomedircon $@.tmp > $@ + rm $@.tmp clean: rm -f policy.conf diff -Nru a/selinux-usr/policy/file_contexts/program/apache.fc b/selinux-usr/policy/file_contexts/program/apache.fc --- a/selinux-usr/policy/file_contexts/program/apache.fc Wed Mar 3 16:34:30 2004 +++ b/selinux-usr/policy/file_contexts/program/apache.fc Wed Mar 3 16:34:30 2004 @@ -1,5 +1,5 @@ # apache -/home/[^/]+/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_user_content_t +HOME_DIR/((www)|(web)|(public_html))(/.+)? system_u:object_r:httpd_ROLE_content_t /var/www -d system_u:object_r:httpd_sys_content_t /var/www/html(/.*)? system_u:object_r:httpd_sys_content_t /var/www/mrtg(/.*)? system_u:object_r:httpd_sys_content_t diff -Nru a/selinux-usr/policy/file_contexts/program/gpg.fc b/selinux-usr/policy/file_contexts/program/gpg.fc --- a/selinux-usr/policy/file_contexts/program/gpg.fc Wed Mar 3 16:34:30 2004 +++ b/selinux-usr/policy/file_contexts/program/gpg.fc Wed Mar 3 16:34:30 2004 @@ -1,4 +1,3 @@ # gpg -/home/[^/]+/\.gnupg(/.+)? system_u:object_r:user_gpg_secret_t -/root/\.gnupg(/.+)? system_u:object_r:sysadm_gpg_secret_t +HOME_DIR/\.gnupg(/.+)? system_u:object_r:ROLE_gpg_secret_t /usr/bin/gpg -- system_u:object_r:gpg_exec_t diff -Nru a/selinux-usr/policy/file_contexts/program/irc.fc b/selinux-usr/policy/file_contexts/program/irc.fc --- a/selinux-usr/policy/file_contexts/program/irc.fc Wed Mar 3 16:34:30 2004 +++ b/selinux-usr/policy/file_contexts/program/irc.fc Wed Mar 3 16:34:30 2004 
@@ -2,4 +2,4 @@ /usr/bin/[st]irc -- system_u:object_r:irc_exec_t /usr/bin/ircII -- system_u:object_r:irc_exec_t /usr/bin/tinyirc -- system_u:object_r:irc_exec_t -/home/[^/]+/.ircmotd -- system_u:object_r:user_home_irc_t +HOME_DIR/.ircmotd -- system_u:object_r:ROLE_home_irc_t diff -Nru a/selinux-usr/policy/file_contexts/program/mozilla.fc b/selinux-usr/policy/file_contexts/program/mozilla.fc --- a/selinux-usr/policy/file_contexts/program/mozilla.fc Wed Mar 3 16:34:30 2004 +++ b/selinux-usr/policy/file_contexts/program/mozilla.fc Wed Mar 3 16:34:30 2004 @@ -1,8 +1,6 @@ # netscape/mozilla -/root/\.netscape(/.*)? system_u:object_r:sysadm_mozilla_rw_t -/root/\.mozilla(/.*)? system_u:object_r:sysadm_mozilla_rw_t -/home/[^/]+/\.netscape(/.*)? system_u:object_r:user_mozilla_rw_t -/home/[^/]+/\.mozilla(/.*)? system_u:object_r:user_mozilla_rw_t +HOME_DIR/\.netscape(/.*)? system_u:object_r:ROLE_mozilla_rw_t +HOME_DIR/\.mozilla(/.*)? system_u:object_r:ROLE_mozilla_rw_t /usr/bin/netscape -- system_u:object_r:mozilla_exec_t /usr/bin/mozilla -- system_u:object_r:mozilla_exec_t /usr/bin/mozilla-snapshot -- system_u:object_r:mozilla_exec_t diff -Nru a/selinux-usr/policy/file_contexts/program/quota.fc b/selinux-usr/policy/file_contexts/program/quota.fc --- a/selinux-usr/policy/file_contexts/program/quota.fc Wed Mar 3 16:34:30 2004 +++ b/selinux-usr/policy/file_contexts/program/quota.fc Wed Mar 3 16:34:30 2004 @@ -1,4 +1,5 @@ # quota system /var/lib/quota(/.*)? system_u:object_r:quota_flag_t /sbin/quota(check|on) -- system_u:object_r:quota_exec_t -/(|home/|var/)quota.(user|group) -- system_u:object_r:quota_db_t +HOME_ROOT/quota.(user|group) -- system_u:object_r:quota_db_t +/var/quota.(user|group) -- system_u:object_r:quota_db_t diff -Nru a/selinux-usr/policy/file_contexts/program/screen.fc b/selinux-usr/policy/file_contexts/program/screen.fc --- a/selinux-usr/policy/file_contexts/program/screen.fc Wed Mar 3 16:34:30 2004 
+++ b/selinux-usr/policy/file_contexts/program/screen.fc Wed Mar 3 16:34:30 2004 @@ -1,5 +1,5 @@ # screen /usr/bin/screen -- system_u:object_r:screen_exec_t -/home/[^/]+/\.screenrc -- system_u:object_r:user_home_screen_t +HOME_DIR/\.screenrc -- system_u:object_r:ROLE_home_screen_t /var/run/screen/S-[^/]+ -d system_u:object_r:screen_dir_t /var/run/screen/S-[^/]+/.* <<none>> diff -Nru a/selinux-usr/policy/file_contexts/program/ssh.fc b/selinux-usr/policy/file_contexts/program/ssh.fc --- a/selinux-usr/policy/file_contexts/program/ssh.fc Wed Mar 3 16:34:30 2004 +++ b/selinux-usr/policy/file_contexts/program/ssh.fc Wed Mar 3 16:34:30 2004 @@ -6,8 +6,7 @@ /etc/ssh/ssh_host_dsa_key -- system_u:object_r:sshd_key_t /etc/ssh/ssh_host_rsa_key -- system_u:object_r:sshd_key_t /usr/sbin/sshd -- system_u:object_r:sshd_exec_t -/root/\.ssh(/.*)? system_u:object_r:sysadm_home_ssh_t -/home/[^/]+/\.ssh(/.*)? system_u:object_r:user_home_ssh_t +HOME_DIR/\.ssh(/.*)? system_u:object_r:ROLE_home_ssh_t # subsystems /usr/lib/misc/sftp-server -- system_u:object_r:bin_t /usr/libexec/openssh/sftp-server -- system_u:object_r:bin_t diff -Nru a/selinux-usr/policy/file_contexts/program/vmware.fc b/selinux-usr/policy/file_contexts/program/vmware.fc --- a/selinux-usr/policy/file_contexts/program/vmware.fc Wed Mar 3 16:34:30 2004 +++ b/selinux-usr/policy/file_contexts/program/vmware.fc Wed Mar 3 16:34:30 2004 
@@ -38,6 +38,6 @@ # The rules below assume that the user VMWare virtual disks are in the # ~/vmware, and the preferences and license files are in ~/.vmware. # -/home/[^/]+/\.vmware(/.*)? system_u:object_r:vmware_user_file_t -/home/[^/]+/\vmware(/.*)? system_u:object_r:vmware_user_file_t -/home/[^/]+/\vmware[^/]*/.*\.cfg -- system_u:object_r:vmware_user_conf_t +HOME_DIR/\.vmware(/.*)? system_u:object_r:vmware_ROLE_file_t +HOME_DIR/\vmware(/.*)? system_u:object_r:vmware_ROLE_file_t +HOME_DIR/\vmware[^/]*/.*\.cfg -- system_u:object_r:vmware_ROLE_conf_t diff -Nru a/selinux-usr/policy/file_contexts/program/xauth.fc b/selinux-usr/policy/file_contexts/program/xauth.fc --- a/selinux-usr/policy/file_contexts/program/xauth.fc Wed Mar 3 16:34:30 2004 +++ b/selinux-usr/policy/file_contexts/program/xauth.fc Wed Mar 3 16:34:30 2004 @@ -1,4 +1,3 @@ # xauth /usr/X11R6/bin/xauth -- system_u:object_r:xauth_exec_t -/home/[^/]+/\.Xauthority.* -- system_u:object_r:user_home_xauth_t -/root/\.Xauthority.* -- system_u:object_r:sysadm_home_xauth_t +HOME_DIR/\.Xauthority.* -- system_u:object_r:ROLE_home_xauth_t diff -Nru a/selinux-usr/policy/file_contexts/types.fc b/selinux-usr/policy/file_contexts/types.fc --- a/selinux-usr/policy/file_contexts/types.fc Wed Mar 3 16:34:30 2004 +++ b/selinux-usr/policy/file_contexts/types.fc Wed Mar 3 16:34:30 2004 @@ -14,13 +14,13 @@ # The optional type field specifies the file type as shown in the mode # field by ls, e.g. use -d to match only directories or -- to match only # regular files. -# +# # The value of <<none> may be used to indicate that matching files # should not be relabeled. # # The last matching specification is used. # -# If there are multiple hard links to a file that match +# If there are multiple hard links to a file that match # different specifications and those specifications indicate # different security contexts, then a warning is displayed # but the file is still labeled based on the last matching 
@@ -44,6 +44,17 @@ / -d system_u:object_r:root_t # +# Ordinary user home directories. +# HOME_ROOT expands to all valid home directory prefixes found in /etc/passwd +# HOME_DIR expands to each user's home directory, +# and to HOME_ROOT/[^/]+ for each HOME_ROOT. +# ROLE expands to each user's role when role != user_r, and to "user" otherwise. +# +HOME_ROOT -d system_u:object_r:home_root_t +HOME_DIR -d system_u:object_r:ROLE_home_dir_t +HOME_DIR/.+ system_u:object_r:ROLE_home_t + +# # A common mount point /mnt -d system_u:object_r:root_t /mnt/cdrom -d system_u:object_r:mnt_t @@ -75,19 +86,6 @@ /var/ftp/lib/lib.*\.so.* -- system_u:object_r:shlib_t /var/ftp/etc(/.*)? system_u:object_r:etc_t -# -# The superuser home directory. -# -/root(/.*)? system_u:object_r:sysadm_home_t -/root -d system_u:object_r:sysadm_home_dir_t - -# -# Ordinary user home directories. -# -/home -d system_u:object_r:home_root_t -/home/[^/]+ -d system_u:object_r:user_home_dir_t -/home/[^/]+/.+ system_u:object_r:user_home_t - # # /bin # @@ -408,7 +406,7 @@ /\.journal <<none>> /usr/\.journal <<none>> /boot/\.journal <<none>> -/home/\.journal <<none>> +HOME_ROOT/\.journal <<none>> /var/\.journal <<none>> /tmp/\.journal <<none>> /usr/local/\.journal <<none>> @@ -419,7 +417,7 @@ /lost\+found(/.*)? system_u:object_r:lost_found_t /usr/lost\+found(/.*)? system_u:object_r:lost_found_t /boot/lost\+found(/.*)? system_u:object_r:lost_found_t -/home/lost\+found(/.*)? system_u:object_r:lost_found_t +HOME_ROOT/lost\+found(/.*)? system_u:object_r:lost_found_t /var/lost\+found(/.*)? system_u:object_r:lost_found_t /tmp/lost\+found(/.*)? system_u:object_r:lost_found_t /usr/local/lost\+found(/.*)? system_u:object_r:lost_found_t diff -Nru a/selinux-usr/policycoreutils/scripts/genhomedircon b/selinux-usr/policycoreutils/scripts/genhomedircon --- a/selinux-usr/policycoreutils/scripts/genhomedircon Wed Mar 3 16:34:30 2004 +++ b/selinux-usr/policycoreutils/scripts/genhomedircon Wed Mar 3 16:34:30 2004 
@@ -1,32 +1,76 @@ -#!/usr/bin/python -import commands -import sys -import os +#! /usr/bin/env python +# Copyright (C) 2004 Tresys Technology, LLC +# see file 'COPYING' for use and warranty information + +# +# genhomedircon - Replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files +# with generic and user-specific values. +# +# ASSUMPTIONS: +# +# If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses +# the first role in the list. +# +# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that +# the user's home dir will be found in one of the HOME_ROOTs. +# +# "Real" users (as opposed to system users) are those whose UID is greater than +# or equal STARTING_UID (usually 100) and whose login is not a member of +# EXCLUDE_LOGINS. Users who are explicitly defined in FILECONTEXTDIR/users +# are always "real" (including root, in the default configuration). +# + +import commands, sys, os, pwd, string + FILECONTEXTDIR="/etc/security/selinux/src/policy/" +EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"] +STARTING_UID=100 + +def getPrefixes(): + ulist = pwd.getpwall() + prefixes = {} + for u in ulist: + if u[2] >= STARTING_UID and \ + not u[6] in EXCLUDE_LOGINS and \ + u[5] != "/" and \ + string.count(u[5], "/") > 1: + prefix = u[5][:string.rfind(u[5], "/")] + if not prefixes.has_key(prefix): + prefixes[prefix] = "" + return prefixes def getUsers(): - rc=commands.getstatusoutput("grep ^user %s/users" % FILECONTEXTDIR) - udict={} + rc = commands.getstatusoutput("grep ^user %s/users" % FILECONTEXTDIR) + udict = {} if rc[0] == 0: - ulist=rc[1].strip().split("\n") + ulist = rc[1].strip().split("\n") for u in ulist: - user=u.split() - if user[1]=="root" or user[1]=="user_u" or user[1]=="system_u": - continue - role = user[4].split("_r")[0] - if role == "user": - continue - udict[user[1]]=role + user = u.split() + try: + if user[1] == "user_u" or user[1] == "system_u": + continue + # !!! 
chooses first role in the list to use in the file context !!! + role = user[4].split("_r")[0] + home = pwd.getpwnam(user[1])[5] + if home == "/": + continue + prefs = {} + prefs["role"] = role + prefs["home"] = home + udict[user[1]] = prefs + except KeyError: + sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % (user[1],)) return udict -def usage(error=""): +def usage(error = ""): if error != "": - print error - print "Usage: %s FILE_CONTEXTS" % sys.argv[0] + sys.stderr.write("%s\n" % (error,)) + sys.stderr.write("Usage: %s FILE_CONTEXTS\n" % sys.argv[0]) + sys.stderr.flush() sys.exit(1) - -def update(filecontext, user, role): - rc=commands.getstatusoutput("grep -h '/home/\[\^' %s | grep -v vmware | sed -e 's|/home/\[\^\/\]+|/home/%s|g' -e 's/user/%s/' -e 's/system_u/%s/'" % (filecontext, user, role, user)) + +def update(filecontext, user, prefs): + rc=commands.getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|g' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user)) if rc[0] == 0: print rc[1] else: 
@@ -34,11 +78,41 @@ return rc try: - users=getUsers() + prefixes = getPrefixes() + + rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd") + if rc[0] == 0: + homedir = rc[1].split("=")[1] + else: + sys.stderr.write("%s\n" % (rc[1],)) + sys.stderr.write("Do you have access to /etc/default/useradd?\n") + sys.stderr.flush() + sys.exit(1) + + if not prefixes.has_key(homedir): + prefixes[homedir] = "" + + if len(prefixes) == 1: + regex_root = prefixes.keys()[0] + else: + regex_root = "(%s)" % (string.join(prefixes, "\|"),) + regex_dir = "%s/[^/]+" % (regex_root,) + + # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users + rc=commands.getstatusoutput("sed -e 's|^HOME_ROOT|%s|g' -e 's|^HOME_DIR|%s|g' -e 's/ROLE_/user_/' %s" % (regex_root, regex_dir, sys.argv[1])) + if rc[0] == 0: + print rc[1] + else: + usage(rc[1]) + + users = getUsers() + print "\n#\n# User-specific file contexts\n#\n" + + # Fill in HOME and ROLE for users that are defined for u in users.keys(): - update(sys.argv[1], u, users[u]) + update(sys.argv[1], u, users[u]) + except ValueError, error: usage(error) except IndexError, error: usage() - [-- Attachment #3: genhomedircon-2-3-2004-ver2-relative --] [-- Type: text/x-patch, Size: 2424 bytes --] diff -Nru a/selinux-usr/policycoreutils/scripts/genhomedircon b/selinux-usr/policycoreutils/scripts/genhomedircon --- a/selinux-usr/policycoreutils/scripts/genhomedircon Wed Mar 3 16:34:05 2004 +++ b/selinux-usr/policycoreutils/scripts/genhomedircon Wed Mar 3 16:34:05 2004 @@ -1,4 +1,7 @@ -#!/usr/bin/python +#! /usr/bin/env python +# Copyright (C) 2004 Tresys Technology, LLC +# see file 'COPYING' for use and warranty information + # # genhomedircon - Replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files # with generic and user-specific values. 
@@ -8,8 +11,8 @@ # If a user has more than one role in FILECONTEXTDIR/users, genhomedircon uses # the first role in the list. # -# If a user is not listed in FILECONTEXTDIR/user genhomedircon assumes that the user's -# home dir will be found in one of the HOME_ROOTs. +# If a user is not listed in FILECONTEXTDIR/users, genhomedircon assumes that +# the user's home dir will be found in one of the HOME_ROOTs. # # "Real" users (as opposed to system users) are those whose UID is greater than # or equal STARTING_UID (usually 100) and whose login is not a member of @@ -28,9 +31,9 @@ prefixes = {} for u in ulist: if u[2] >= STARTING_UID and \ - not u[6] in EXCLUDE_LOGINS and \ - u[5] != "/" and \ - string.count(u[5], "/") > 1: + not u[6] in EXCLUDE_LOGINS and \ + u[5] != "/" and \ + string.count(u[5], "/") > 1: prefix = u[5][:string.rfind(u[5], "/")] if not prefixes.has_key(prefix): prefixes[prefix] = "" @@ -56,13 +59,14 @@ prefs["home"] = home udict[user[1]] = prefs except KeyError: - print "User \"%s\" is not present in the passwd file, skipping" % (user[1],) + sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % (user[1],)) return udict def usage(error = ""): if error != "": - print error - print "Usage: %s FILE_CONTEXTS" % sys.argv[0] + sys.stderr.write("%s\n" % (error,)) + sys.stderr.write("Usage: %s FILE_CONTEXTS\n" % sys.argv[0]) + sys.stderr.flush() sys.exit(1) def update(filecontext, user, prefs): @@ -80,8 +84,9 @@ if rc[0] == 0: homedir = rc[1].split("=")[1] else: - print rc[1] - print "Do you have access to /etc/default/useradd?" + sys.stderr.write("%s\n" % (rc[1],)) + sys.stderr.write("Do you have access to /etc/default/useradd?\n") + sys.stderr.flush() sys.exit(1) if not prefixes.has_key(homedir): ^ permalink raw reply [flat|nested] 12+ messages in thread
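Review bot: in the hunk that introduces `+def update(filecontext, user, prefs):`, the shell pipeline `grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|g' -e 's/ROLE/%s/' -e 's/system_u/%s/'` pastes `prefs["home"]` (straight from `pwd.getpwnam`) and `user` into the command with no quoting or escaping, so a home directory containing `'`, `|`, `&` or `\` either breaks the sed expression or is interpreted by the shell, and this script runs as root at policy-build time on whatever passwd data (local, NIS or LDAP) it is handed. Suggest reading the .fc file with `open()` and doing the substitutions with `str.replace` in Python instead of `commands.getstatusoutput`; that also makes it possible to explain or drop the unexplained `grep -v vmware` filter.

Review bot: in the `@@ -34,11 +78,41 @@` hunk, `homedir = rc[1].split("=")[1]` takes whatever follows the first `=` on every line that starts with `HOME`, so a quoted value (`HOME="/home"`), trailing whitespace or a second matching line yields a wrong prefix that is then emitted into file_contexts as a regex; a matching line with no `=` raises IndexError, which the `except IndexError` at the bottom reports as a usage error, and a grep that simply finds no `HOME` line prints "Do you have access to /etc/default/useradd?". Suggest matching `^HOME=`, stripping quotes and whitespace, and checking `len(sys.argv)` before the `try` rather than relying on the IndexError handler.

Review bot: same hunk, `regex_root = "(%s)" % (string.join(prefixes, "\|"),)` only comes out as `(/home|/local_home)` in the generated file because `|` is also the delimiter of `sed -e 's|^HOME_ROOT|%s|g'` and sed turns the escaped delimiter back into a literal `|`; that deserves a comment, or build the alternation with a plain `|` and a different sed delimiter. The prefixes themselves are never regex-escaped, so a home root containing `.` or `+` produces a pattern that matches more paths than intended; escape them before substitution.

Review bot: in the getUsers() hunk, `role = user[4].split("_r")[0]` assumes every users line has the `user NAME roles { r1 r2 };` shape; a single-role line written without braces, e.g. `user system_u roles system_r;`, has only four tokens and raises IndexError, which again surfaces as the usage message, and `split("_r")[0]` cuts any role whose name contains `_r` before its suffix. Suggest parsing the role list between the braces (or up to `;`) and stripping only a trailing `_r`.

Review bot: style points in attachment #3: `def usage(error = "")` adds spaces around the default-argument `=`, the opposite of PEP 8, and the re-indented `not u[6] in EXCLUDE_LOGINS` / `u[5] != "/"` continuation lines are whitespace-only churn that makes the relative patch harder to read; `#! /usr/bin/env python` also means a root-run build script now picks up whichever `python` is first on PATH, where the previous `#!/usr/bin/python` was fixed. Please keep the interpreter path fixed or say why the change is wanted.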
* Re: Proposed patch to policy file_contexts
2004-03-03 21:36 ` Karl MacMillan
@ 2004-03-05 17:18 ` Stephen Smalley
2004-03-08 15:59 ` Karl MacMillan
0 siblings, 1 reply; 12+ messages in thread
From: Stephen Smalley @ 2004-03-05 17:18 UTC (permalink / raw)
To: Karl MacMillan; +Cc: Daniel J Walsh, SE Linux, Russell Coker

On Wed, 2004-03-03 at 16:36, Karl MacMillan wrote:
> Here is an updated version that writes all of the error messages to
> stderr. There are 2 patches - the first is against the patch I sent
> before and the other is the full version.

The resulting file_contexts file maps /root entries to staff*_home_t
rather than sysadm*_home_t. This is a general limitation of
genhomedircon (not knowing which role to select when multiple ones are
authorized), but the old one avoided the problem by skipping root and
leaving the /root entries in the .fc files. Now, we could alter the
ordering of roles for root in policy/users as a workaround; that
shouldn't affect the default context as that is governed by
/etc/security/default_contexts.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
* Re: Proposed patch to policy file_contexts
2004-03-05 17:18 ` Stephen Smalley
@ 2004-03-08 15:59 ` Karl MacMillan
2004-03-08 16:05 ` Russell Coker
2004-03-08 17:33 ` Stephen Smalley
0 siblings, 2 replies; 12+ messages in thread
From: Karl MacMillan @ 2004-03-08 15:59 UTC (permalink / raw)
To: Stephen Smalley; +Cc: Daniel J Walsh, SE Linux, Russell Coker

On Fri, 2004-03-05 at 12:18, Stephen Smalley wrote:
> On Wed, 2004-03-03 at 16:36, Karl MacMillan wrote:
> > Here is an updated version that writes all of the error messages to
> > stderr. There are 2 patches - the first is against the patch I sent
> > before and the other is the full version.
>
> The resulting file_contexts file maps /root entries to staff*_home_t
> rather than sysadm*_home_t. This is a general limitation of
> genhomedircon (not knowing which role to select when multiple ones are
> authorized), but the old one avoided the problem by skipping root and
> leaving the /root entries in the .fc files. Now, we could alter the
> ordering of roles for root in policy/users as a workaround; that
> shouldn't affect the default context as that is governed by
> /etc/security/default_contexts.

Our thinking was that root shouldn't be a special case and the ordering
of the roles could take care of everything. I'm not clear why root
should be labeled with sysadm*_home_t, though. Why not treat root like
all of the other admins? Wouldn't labeling root with sysadm*_home_t make
logging in as staff_r for root problematic (for example, when ssh logins
are allowed for root).

Karl

-- 
Karl MacMillan
Tresys Technology
kmacmillan@tresys.com
http://www.tresys.com
(410) 290-1411 x134
* Re: Proposed patch to policy file_contexts
2004-03-08 15:59 ` Karl MacMillan
@ 2004-03-08 16:05 ` Russell Coker
2004-03-08 17:33 ` Stephen Smalley
1 sibling, 0 replies; 12+ messages in thread
From: Russell Coker @ 2004-03-08 16:05 UTC (permalink / raw)
To: Karl MacMillan; +Cc: Stephen Smalley, Daniel J Walsh, SE Linux

On Tue, 9 Mar 2004 02:59, Karl MacMillan <kmacmillan@tresys.com> wrote:
> > The resulting file_contexts file maps /root entries to staff*_home_t
> > rather than sysadm*_home_t. This is a general limitation of
> > genhomedircon (not knowing which role to select when multiple ones are
> > authorized), but the old one avoided the problem by skipping root and
> > leaving the /root entries in the .fc files. Now, we could alter the
> > ordering of roles for root in policy/users as a workaround; that
> > shouldn't affect the default context as that is governed by
> > /etc/security/default_contexts.
>
> Our thinking was that root shouldn't be a special case and the ordering
> of the roles could take care of everything. I'm not clear why root
> should be labeled with sysadm*_home_t, though. Why not treat root like
> all of the other admins? Wouldn't labeling root with sysadm*_home_t make
> logging in as staff_r for root problematic (for example, when ssh logins
> are allowed for root).

Why not allow staff_t to search sysadm_home_dir_t:dir and read
sysadm_home_t:file? Then you can login as root:staff_r and still get
aliases etc setup, and then you can run "newrole -r sysadm_r".

I've got policy to do that in my tree already.

-- 
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
* Re: Proposed patch to policy file_contexts
2004-03-08 15:59 ` Karl MacMillan
2004-03-08 16:05 ` Russell Coker
@ 2004-03-08 17:33 ` Stephen Smalley
1 sibling, 0 replies; 12+ messages in thread
From: Stephen Smalley @ 2004-03-08 17:33 UTC (permalink / raw)
To: Karl MacMillan; +Cc: Daniel J Walsh, SE Linux, Russell Coker

On Mon, 2004-03-08 at 10:59, Karl MacMillan wrote:
> Our thinking was that root shouldn't be a special case and the ordering
> of the roles could take care of everything. I'm not clear why root
> should be labeled with sysadm*_home_t, though. Why not treat root like
> all of the other admins? Wouldn't labeling root with sysadm*_home_t make
> logging in as staff_r for root problematic (for example, when ssh logins
> are allowed for root).

Yes, it makes life a little harder for direct remote root logins (but
doesn't prevent them from occurring; you just have to do a subsequent
newrole to get to a full normal operating state). But it also protects
the integrity of /root's dotfiles more strongly, which can be helpful.

-- 
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
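The script under discussion expands the HOME_ROOT, HOME_DIR and ROLE macros in the .fc templates once generically (for users with no entry in policy/users) and once per listed user, taking the first authorized role, which is why /root lands on staff*_home_t when staff_r is listed first. The following is an added example, not the genhomedircon script from the patch nor any Tresys or NSA code: it performs the same expansion in plain Python without shelling out to grep and sed, regex-escapes the home roots before they are written as patterns, and parses both the braced and the unbraced `user NAME roles ...;` forms. Everything in it is constructed or assumed: the three-line template (modelled on the home_dir() lines of the file_contexts patch), the passwd rows, the users excerpt, STARTING_UID of 100, the exclusion list, and fc_matches as a stand-in for how setfiles anchors a file_contexts pattern to the whole path.

```python
import re

# Constructed template, modelled on the home_dir() lines of the file_contexts patch.
# HOME_ROOT, HOME_DIR and ROLE are the macros genhomedircon fills in.
TEMPLATE_FC = """\
HOME_ROOT -d system_u:object_r:home_root_t
HOME_DIR -d system_u:object_r:ROLE_home_dir_t
HOME_DIR/.+ system_u:object_r:ROLE_home_t
"""

# Constructed passwd-style rows (login, uid, home); "odd" has a regex metachar in its home.
PASSWD = [
    ("root", 0, "/root"),
    ("daemon", 2, "/sbin"),
    ("alice", 500, "/home/alice"),
    ("bob", 501, "/local_home/bob"),
    ("jadmin", 502, "/local_home/jadmin"),
    ("odd", 503, "/srv/u+v/odd"),
]

# Constructed policy/users excerpt; root lists staff_r first, as discussed in the thread.
USERS_FILE = """\
user system_u roles system_r;
user root roles { staff_r sysadm_r };
user jadmin roles { staff_r sysadm_r };
user alice roles { user_r };
"""

STARTING_UID = 100            # assumed; the script says "usually 100"
EXCLUDE_LOGINS = ("nobody",)  # assumed exclusion list


def home_prefixes(passwd, default_root, starting_uid=STARTING_UID, exclude=EXCLUDE_LOGINS):
    """The HOME_ROOTs: parent directories of real users' homes plus useradd's default."""
    roots = {default_root}
    for login, uid, home in passwd:
        # Same filter as the script: real uid, not excluded, home at least two levels deep.
        if uid >= starting_uid and login not in exclude and home != "/" and home.count("/") > 1:
            roots.add(home.rsplit("/", 1)[0])
    return sorted(roots)


def parse_users(text):
    """login -> [roles] from 'user NAME roles { r1 r2 };' or 'user NAME roles r1;' lines."""
    roles = {}
    for line in text.splitlines():
        m = re.match(r"\s*user\s+(\S+)\s+roles\s+\{?\s*([^};]+?)\s*\}?\s*;", line)
        if m:
            roles[m.group(1)] = m.group(2).split()
    return roles


def role_prefix(role):
    """'staff_r' -> 'staff'. Strips only a trailing _r, unlike split('_r')[0]."""
    return role[:-2] if role.endswith("_r") else role


def expand_generic(template, roots):
    """Lines for users without a policy/users entry: HOME_ROOT/HOME_DIR become regexes
    over all roots, ROLE_ becomes user_. Roots are escaped so /srv/u+v stays literal."""
    escaped = [re.escape(r) for r in roots]
    root_re = escaped[0] if len(escaped) == 1 else "(%s)" % "|".join(escaped)
    out = []
    for line in template.splitlines():
        line = re.sub(r"^HOME_ROOT", lambda m: root_re, line)
        line = re.sub(r"^HOME_DIR", lambda m: root_re + "/[^/]+", line)
        out.append(line.replace("ROLE_", "user_"))
    return out


def expand_user(template, login, home, role):
    """Per-user lines: HOME_DIR is the literal (escaped) home, ROLE the role prefix, and
    the SELinux user field (system_u in the template) becomes the login, as the script does."""
    out = []
    for line in template.splitlines():
        if not line.startswith("HOME_DIR"):
            continue
        line = re.escape(home) + line[len("HOME_DIR"):]
        out.append(line.replace("ROLE", role_prefix(role)).replace("system_u", login, 1))
    return out


def genhomedircon(template, passwd, users_text, default_root="/home"):
    """Return (generic_lines, user_specific_lines); the first listed role wins."""
    generic = expand_generic(template, home_prefixes(passwd, default_root))
    homes = {login: home for login, _, home in passwd}
    specific = []
    for login, role_list in parse_users(users_text).items():
        if login not in homes or homes[login] == "/":  # unknown user or home "/": skip
            continue
        specific.extend(expand_user(template, login, homes[login], role_list[0]))
    return generic, specific


def fc_matches(fc_line, path):
    """Whether PATH is matched by the regex field of an expanded line; setfiles anchors
    file_contexts patterns to the whole path, hence fullmatch (assumed stand-in)."""
    return re.fullmatch(fc_line.split()[0], path) is not None


if __name__ == "__main__":
    generic, specific = genhomedircon(TEMPLATE_FC, PASSWD, USERS_FILE)
    print("\n".join(generic + ["", "#", "# User-specific file contexts", "#"] + specific))
```

Running the block prints the generic lines followed by the per-user block; /root comes out as `root:object_r:staff_home_dir_t` because staff_r is first in the constructed users line, and swapping the two roles in that line is all it takes to get sysadm_home_dir_t, which is the workaround Stephen Smalley describes. The `/srv/u+v` root shows why escaping matters: unescaped, `u+v` would match `uuuv` as well.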
Thread overview: 12+ messages
2004-02-26 20:10 Proposed patch to policy file_contexts Daniel J Walsh
2004-02-26 23:39 ` Dale Amon
2004-02-27 19:28 ` Stephen Smalley
2004-02-27 21:18 ` Karl MacMillan
2004-03-02 16:36 ` Daniel J Walsh
2004-03-03 14:22 ` Karl MacMillan
2004-03-03 21:21 ` Stephen Smalley
2004-03-03 21:36 ` Karl MacMillan
2004-03-05 17:18 ` Stephen Smalley
2004-03-08 15:59 ` Karl MacMillan
2004-03-08 16:05 ` Russell Coker
2004-03-08 17:33 ` Stephen Smalley