From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@epoch.ncsc.mil>
Cc: SELinux ML <selinux@tycho.nsa.gov>, Nalin Dahyabhai <nalin@redhat.com>
Subject: Re: Manipulating user roles without policy-sources installed
Date: Fri, 10 Dec 2004 13:09:24 -0500	[thread overview]
Message-ID: <41B9E654.1080206@redhat.com> (raw)
In-Reply-To: <1102696635.1628.132.camel@moss-spartans.epoch.ncsc.mil>


Stephen Smalley wrote:

>On Fri, 2004-12-10 at 11:23, Daniel J Walsh wrote:
>
>>I want to change genpolusers syntax to be
>>
>>genpolusers inpolicy outpolicy userfile1 [userfile2 ... ]
>
>Yes, that's easy enough to do, and as no one has used genpolusers to
>date AFAIK, changing the interface is ok with me.
>
>________________________________________________________________________
>
>>diff --exclude-from=exclude -N -u -r nsapolicy/local.users policy-1.19.12/local.users
>>--- nsapolicy/local.users	1969-12-31 19:00:00.000000000 -0500
>>+++ policy-1.19.12/local.users	2004-12-10 10:59:20.750916770 -0500
>>+# or if you want to be able to directly start daemons 
>>+
>>+#user jadmin roles { staff_r sysadm_r system_r };
>
>Rather than just have this as a comment in the file, why not use an
>ifdef in the source file here and apply m4 to it as well so that there
>is a single line in the installed file that either includes system_r or
>does not based on what tunables were set when the policy was built? 
>Reduces user confusion, particularly since you are always enabling
>direct_sysadm_daemon for FC and it is also needed for rpm %post
>scriptlet processing in a number of cases.
>
Ok, I did that, but had to hack a little to get it to work. Basically I had
to uncomment it in the original source and sed it back to a comment for the
final version.

>>diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.19.12/Makefile
>>--- nsapolicy/Makefile	2004-10-25 14:01:13.000000000 -0400
>>+++ policy-1.19.12/Makefile	2004-12-10 10:54:18.524901686 -0500
>>+$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
>>+	@mkdir -p $(USERPATH)
>>+	@echo "# " > tmp/system.users
>>+	@echo "# Do not edit this file. " >> tmp/system.users
>>+	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
>>+	@echo "# Please edit users.custom to make local changes." >> tmp/system.users
>>+	@echo "#" >> tmp/system.users
>>+	m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -h -v "^#" | grep [a-zA-Z] >> tmp/system.users
>>+	install -m 644 tmp/system.users $@
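Review bot: the trailing `grep [a-zA-Z]` in the system.users recipe is an unquoted bracket expression, so the shell will glob-expand it against the current directory before grep sees it if any single-character file name happens to match; quote it as `grep '[a-zA-Z]'` if the filter is kept. The `-h` switch on a grep that reads stdin has no effect and can be dropped.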
>
>The comment says "users.custom", but you've named it "local.users".
Fixed

>I'm also unclear on the purpose of the greps - just to make it more
>readable?  
>
Yes, but more importantly to get rid of misleading comments. I removed
the last grep since that could eliminate some info, so now it is a
hard-to-read file, but at least it does not have bad comments.

>If you just want the user statement, you could just grep for
>lines beginning with user unless you are worried about multi-line user
>statements in the base policy (which is allowed by checkpolicy, since it
>uses a semicolon terminator).
Yes, so I will just remove lines that begin with #.

Dan

[-- Attachment #2: policy-users.patch --]
[-- Type: text/x-patch, Size: 3347 bytes --]

diff --exclude-from=exclude -N -u -r nsapolicy/local.users policy-1.19.12/local.users
--- nsapolicy/local.users	1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.12/local.users	2004-12-10 12:22:56.485903999 -0500
@@ -0,0 +1,21 @@
+##################################
+#
+# User configuration.
+#
+# This file defines additional users recognized by the system security policy.
+# Only the user identities defined in this file and the users.system file
+# may be used as the user attribute in a security context.
+#
+# Each user has a set of roles that may be entered by processes
+# with the users identity.  The syntax of a user declaration is:
+#
+# 	user username roles role_set [ ranges MLS_range_set ];
+#
+# The MLS range set should only be specified if MLS was enabled
+# for the module and checkpolicy.
+
+# sample for administrative user
+user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
+
+# sample for regular user
+#user jdoe roles { user_r }; 
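Review bot: the header comment says identities may come from "this file and the users.system file", but the Makefile installs the generated file as $(USERPATH)/system.users; use one name in both places so an administrator reading the installed file can find the companion file it refers to. The jdoe sample line also carries trailing whitespace.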
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.19.12/Makefile
--- nsapolicy/Makefile	2004-10-25 14:01:13.000000000 -0400
+++ policy-1.19.12/Makefile	2004-12-10 12:25:23.282396928 -0500
@@ -26,6 +26,7 @@
 INSTALLDIR = $(DESTDIR)/etc/selinux/strict
 POLICYPATH = $(INSTALLDIR)/policy
 SRCPATH = $(INSTALLDIR)/src
+USERPATH = $(INSTALLDIR)/users
 CONTEXTPATH = $(INSTALLDIR)/contexts
 LOADPATH = $(POLICYPATH)/$(POLICYVER)
 FCPATH = $(CONTEXTPATH)/files/file_contexts
@@ -37,13 +38,13 @@
 ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te 
 TE_RBAC_FILES := $(ALLTEFILES) rbac
 ALL_TUNABLES := $(wildcard tunables/*.tun )
-
+USER_FILES := users serviceusers
 POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
 ifeq ($(MLS),y)
 POLICYFILES += mls
 endif
 POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
-POLICYFILES += users serviceusers
+POLICYFILES += $(USER_FILES)
 POLICYFILES += constraints initial_sid_contexts fs_use genfs_contexts net_contexts
 
 UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
@@ -54,9 +55,24 @@
 APPDIR=$(CONTEXTPATH)
 APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
 
+$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
+	@mkdir -p $(USERPATH)
+	@echo "# " > tmp/system.users
+	@echo "# Do not edit this file. " >> tmp/system.users
+	@echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
+	@echo "# Please edit local.users to make local changes." >> tmp/system.users
+	@echo "#" >> tmp/system.users
+	m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
+	install -m 644 tmp/system.users $@
+
+$(USERPATH)/local.users: local.users
+	@mkdir -p $(USERPATH)
+	m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USERPATH)/local.users | sed 's/^user/#user/g' >> tmp/local.users
+	install -m 644 tmp/local.users $@
+
 ROOTFILES = $(addprefix $(APPDIR)/users/,root)
 
-install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) 
+install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users
 	@echo "Validating file_contexts ..."	
 	$(SETFILES) -q -c $(LOADPATH) $(FCPATH)
 
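Review bot: the $(USERPATH)/local.users recipe runs m4 on $(USERPATH)/local.users, which is the install target, instead of on its prerequisite local.users, so a first install fails because the file does not exist yet and later installs reprocess the already-installed copy; it also appends with >> so tmp/local.users grows on every build. Suggest `m4 $(ALL_TUNABLES) tmp/program_used_flags.te local.users | sed 's/^user/#user/' > tmp/local.users`. Separately, because install always rebuilds this target, every `make install` overwrites $(USERPATH)/local.users, the very file the system.users header tells the administrator to edit, so local role assignments are lost on a policy reinstall; guard the copy (for example `test -e $@ || install -m 644 tmp/local.users $@`) or install the sample under a different name.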
