From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: SELinux ML <selinux@tycho.nsa.gov>, Nalin Dahyabhai <nalin@redhat.com>
Subject: Manipulating user roles without policy-sources installed
Date: Fri, 10 Dec 2004 11:23:06 -0500
Message-ID: <41B9CD6A.2030008@redhat.com>
In-Reply-To: <1102614049.32175.168.camel@moss-spartans.epoch.ncsc.mil>
Take a look at this patch that will install the users file on the system
and allow local admins to manipulate a local.users file.
We still need to handle file context though, perhaps include filecontext
file pre genhomedircon.
I want to change genpolusers syntax to be
genpolusers inpolicy outpolicy userfile1 [userfile2 ... ]
So if I add a user to /etc/selinux/strict/users/local.users I execute

    genpolusers /etc/selinux/strict/policy/policy.18 \
        /etc/selinux/strict/policy/policy.18.new \
        /etc/selinux/strict/users/system.users \
        /etc/selinux/strict/users/local.users
    mv -f /etc/selinux/strict/policy/policy.18.new \
        /etc/selinux/strict/policy/policy.18
    load_policy /etc/selinux/strict/policy/policy.18
Tools like useradd and system-config-users can start to manipulate
/etc/selinux/strict/users/local.users to set up roles.
[-- Attachment #2: policy-users.patch --]
[-- Type: text/x-patch, Size: 3540 bytes --]
diff --exclude-from=exclude -N -u -r nsapolicy/local.users policy-1.19.12/local.users
--- nsapolicy/local.users 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.12/local.users 2004-12-10 10:59:20.750916770 -0500
@@ -0,0 +1,25 @@
+##################################
+#
+# User configuration.
+#
+# This file defines additional users recognized by the system security policy.
+# Only the user identities defined in this file and the users.system file
+# may be used as the user attribute in a security context.
+#
+# Each user has a set of roles that may be entered by processes
+# with the users identity. The syntax of a user declaration is:
+#
+# user username roles role_set [ ranges MLS_range_set ];
+#
+# The MLS range set should only be specified if MLS was enabled
+# for the module and checkpolicy.
+
+# sample for administrative user
+#user jadmin roles { staff_r sysadm_r };
+
+# or if you want to be able to directly start daemons
+
+#user jadmin roles { staff_r sysadm_r system_r };
+
+# sample for regular user
+#user jdoe roles { user_r };
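Review bot: the header of local.users points admins at a companion file called "users.system", but the Makefile hunk in this same patch installs that file as $(USERPATH)/system.users; the comment should name system.users so that anyone editing local.users checks the right file for existing identities. Two smaller points in the same comment block: "with the users identity" should read "with the user's identity", and since local.users is the file local admins (and later useradd / system-config-users) are meant to write to, a line stating that it is preserved across policy reinstalls would make the split with the generated, do-not-edit system.users explicit.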
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.19.12/Makefile
--- nsapolicy/Makefile 2004-10-25 14:01:13.000000000 -0400
+++ policy-1.19.12/Makefile 2004-12-10 10:54:18.524901686 -0500
@@ -26,6 +26,7 @@
INSTALLDIR = $(DESTDIR)/etc/selinux/strict
POLICYPATH = $(INSTALLDIR)/policy
SRCPATH = $(INSTALLDIR)/src
+USERPATH = $(INSTALLDIR)/users
CONTEXTPATH = $(INSTALLDIR)/contexts
LOADPATH = $(POLICYPATH)/$(POLICYVER)
FCPATH = $(CONTEXTPATH)/files/file_contexts
@@ -37,13 +38,13 @@
ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te
TE_RBAC_FILES := $(ALLTEFILES) rbac
ALL_TUNABLES := $(wildcard tunables/*.tun )
-
+USER_FILES := users serviceusers
POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
ifeq ($(MLS),y)
POLICYFILES += mls
endif
POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
-POLICYFILES += users serviceusers
+POLICYFILES += $(USER_FILES)
POLICYFILES += constraints initial_sid_contexts fs_use genfs_contexts net_contexts
UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
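Review bot: the new USER_FILES := users serviceusers assignment replaces the blank line that separated ALL_TUNABLES from the POLICYFILES block, so this hunk carries a whitespace change alongside the real one; keep the blank line above the assignment. Factoring the two file names into USER_FILES so that both POLICYFILES and the system.users rule below read the same list is the right move, since it keeps the generated users file in step with what is compiled into policy.conf.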
@@ -54,9 +55,23 @@
APPDIR=$(CONTEXTPATH)
APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
+$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
+ @mkdir -p $(USERPATH)
+ @echo "# " > tmp/system.users
+ @echo "# Do not edit this file. " >> tmp/system.users
+ @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
+ @echo "# Please edit users.custom to make local changes." >> tmp/system.users
+ @echo "#" >> tmp/system.users
+ m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -h -v "^#" | grep [a-zA-Z] >> tmp/system.users
+ install -m 644 tmp/system.users $@
+
+$(USERPATH)/local.users: local.users
+ @mkdir -p $(USERPATH)
+ install -m 644 $< $@
+
ROOTFILES = $(addprefix $(APPDIR)/users/,root)
-install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH)
+install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users
@echo "Validating file_contexts ..."
$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
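Review bot: the generated header tells admins to "edit users.custom to make local changes", but the file this patch installs for local changes is $(USERPATH)/local.users; the echo on the "Please edit" line should name local.users. In the m4 pipeline, the bracket expression in grep [a-zA-Z] is unquoted, so the shell treats it as a glob and would substitute any single-letter file name present in the policy source directory; write it as grep '[a-zA-Z]' (the -h on the preceding grep does nothing on stdin and can go). The recipe also reads tmp/program_used_flags.te while listing policy.conf as the prerequisite, so the file exists only by ordering through whatever builds policy.conf; list tmp/program_used_flags.te explicitly. Finally, because the recipe is a pipeline, a failing m4 is masked by grep's exit status and install would still copy a truncated tmp/system.users into place; run m4 into a temporary file as its own command so a failure stops the rule.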
@@ -99,6 +114,7 @@
$(LOADPATH): policy.conf $(CHECKPOLICY)
mkdir -p $(POLICYPATH)
$(CHECKPOLICY) -o $@ policy.conf
+
# Note: Can't use install, so not sure how to deal with mode, user, and group
# other than by default.
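Review bot: this hunk only adds a blank line after the $(LOADPATH) rule and is unrelated to the users install; drop it from the patch so the change stays limited to the USERPATH additions.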
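As an added example (not Dan's code, not genpolusers, and not part of the policy Makefile): a small Python checker that parses the `user username roles role_set [ ranges MLS_range_set ];` declarations described in the local.users header, merges system.users with one or more local files in the order the proposed genpolusers command line takes them, and reports any local entry that redeclares a user already defined by the installed policy. The two file bodies embedded in it are constructed samples, not the real installed files; `SYSTEM_USERS`, `LOCAL_USERS`, `parse_users`, `merge_user_files` and `users_with_role` are names introduced here.

```python
"""Parse and merge SELinux policy ``user`` declarations (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for system.users and local.users; not the real files.
SYSTEM_USERS = """\
#
# Do not edit this file.
#
user system_u roles system_r;
user user_u roles { user_r };
user root roles { staff_r sysadm_r system_r };
"""

LOCAL_USERS = """\
# sample for regular user
user jdoe roles { user_r };
# administrative user with an MLS range, declaration split over two lines
user jadmin roles { staff_r sysadm_r }
     ranges s0 - s15:c0.c255;
"""

# Grammar from the local.users header:
#   user username roles role_set [ ranges MLS_range_set ];
# role_set is either a single role or a brace-enclosed list of roles.
DECL_RE = re.compile(
    r"^user\s+(?P<name>\w+)\s+roles\s+"
    r"(?P<roles>\{[^{}]*\}|\w+)"
    r"(?:\s+ranges\s+(?P<ranges>.+?))?\s*;$"
)

UserDecl = Dict[str, object]


def _statements(text: str):
    """Drop '#' comments and yield each ';'-terminated statement on one line."""
    parts: List[str] = []
    for line in text.splitlines():
        code = line.split("#", 1)[0].strip()
        if code:
            parts.append(code)
    for stmt in " ".join(parts).split(";"):
        stmt = stmt.strip()
        if stmt:
            yield stmt + ";"


def parse_users(text: str, source: str) -> Dict[str, UserDecl]:
    """Parse one users file into {username: {"roles", "ranges", "source"}}.

    Raises ValueError on a malformed statement or a duplicate within the file.
    """
    users: Dict[str, UserDecl] = {}
    for stmt in _statements(text):
        m = DECL_RE.match(stmt)
        if not m:
            raise ValueError(f"{source}: cannot parse statement: {stmt!r}")
        name = m.group("name")
        if name in users:
            raise ValueError(f"{source}: user {name} declared twice")
        roles = m.group("roles").strip("{} ").split()
        if not roles:
            raise ValueError(f"{source}: user {name} has an empty role set")
        ranges = m.group("ranges")
        users[name] = {
            "roles": roles,
            "ranges": ranges.strip() if ranges else None,
            "source": source,
        }
    return users


def merge_user_files(files: List[Tuple[str, str]]) -> Tuple[Dict[str, UserDecl], List[str]]:
    """Merge users files in order (system.users first, then local files).

    A later file may add users but may not redefine one already declared; a
    collision is reported instead of letting the local file quietly replace
    the role set of an identity the installed policy already defines.
    """
    merged: Dict[str, UserDecl] = {}
    problems: List[str] = []
    for source, text in files:
        for name, decl in parse_users(text, source).items():
            if name in merged:
                problems.append(
                    f"{source}: user {name} already declared in {merged[name]['source']}"
                )
                continue
            merged[name] = decl
    return merged, problems


def users_with_role(merged: Dict[str, UserDecl], role: str) -> List[str]:
    """Names of users whose role set includes `role`, e.g. to audit sysadm_r."""
    return sorted(name for name, d in merged.items() if role in d["roles"])


if __name__ == "__main__":
    merged, problems = merge_user_files(
        [("system.users", SYSTEM_USERS), ("local.users", LOCAL_USERS)]
    )
    for name, d in merged.items():
        extra = f" ranges {d['ranges']}" if d["ranges"] else ""
        print(f"{d['source']}: user {name} roles {{ {' '.join(d['roles'])} }}{extra}")
    for p in problems:
        print("PROBLEM:", p)
    print("sysadm_r granted to:", users_with_role(merged, "sysadm_r"))
```

Run as a script it prints the merged declarations and which identities hold sysadm_r, which is the check a local admin wants before feeding local.users to genpolusers and reloading: a local file that redeclares root or system_u is reported rather than being allowed to win because it was listed last.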