diff --exclude-from=exclude -N -u -r nsapolicy/local.users policy-1.19.12/local.users
--- nsapolicy/local.users 1969-12-31 19:00:00.000000000 -0500
+++ policy-1.19.12/local.users 2004-12-10 12:22:56.485903999 -0500
@@ -0,0 +1,21 @@
+##################################
+#
+# User configuration.
+#
+# This file defines additional users recognized by the system security policy.
+# Only the user identities defined in this file and the users.system file
+# may be used as the user attribute in a security context.
+#
+# Each user has a set of roles that may be entered by processes
+# with the users identity. The syntax of a user declaration is:
+#
+# user username roles role_set [ ranges MLS_range_set ];
+#
+# The MLS range set should only be specified if MLS was enabled
+# for the module and checkpolicy.
+
+# sample for administrative user
+user jadmin roles { staff_r sysadm_r ifdef(`direct_sysadm_daemon', `system_r') };
+
+# sample for regular user
+#user jdoe roles { user_r };
diff --exclude-from=exclude -N -u -r nsapolicy/Makefile policy-1.19.12/Makefile
--- nsapolicy/Makefile 2004-10-25 14:01:13.000000000 -0400
+++ policy-1.19.12/Makefile 2004-12-10 12:25:23.282396928 -0500
@@ -26,6 +26,7 @@
 INSTALLDIR = $(DESTDIR)/etc/selinux/strict
 POLICYPATH = $(INSTALLDIR)/policy
 SRCPATH = $(INSTALLDIR)/src
+USERPATH = $(INSTALLDIR)/users
 CONTEXTPATH = $(INSTALLDIR)/contexts
 LOADPATH = $(POLICYPATH)/$(POLICYVER)
 FCPATH = $(CONTEXTPATH)/files/file_contexts
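Review bot: The `jadmin` sample in the new `local.users` is a live declaration, unlike the commented-out `jdoe` sample below it, so the file as shipped maps a user to `staff_r` and `sysadm_r`. It is only neutralised when the file passes through the `sed 's/^user/#user/g'` step of the Makefile's install rule in this same patch. Prefix the `user jadmin` line with `#` in the file itself, as is already done for `jdoe`, so that a sample never grants an administrative role whichever way the file is consumed. The header comment also names the companion file `users.system`, while the Makefile installs `system.users`; the comment should say `system.users`.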
@@ -37,13 +38,13 @@
 ALLTEFILES := attrib.te tmp/program_used_flags.te $(ALL_MACROS) $(ALL_TYPES) $(ALL_DOMAINS) assert.te
 TE_RBAC_FILES := $(ALLTEFILES) rbac
 ALL_TUNABLES := $(wildcard tunables/*.tun )
-
+USER_FILES := users serviceusers
 POLICYFILES = $(addprefix $(FLASKDIR),security_classes initial_sids access_vectors)
 ifeq ($(MLS),y)
 POLICYFILES += mls
 endif
 POLICYFILES += $(ALL_TUNABLES) $(TE_RBAC_FILES)
-POLICYFILES += users serviceusers
+POLICYFILES += $(USER_FILES)
 POLICYFILES += constraints initial_sid_contexts fs_use genfs_contexts net_contexts
 UNUSED_TE_FILES := $(wildcard domains/program/unused/*.te)
@@ -54,9 +55,24 @@
 APPDIR=$(CONTEXTPATH)
 APPFILES = $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts) $(CONTEXTPATH)/files/media
+$(USERPATH)/system.users: $(ALL_TUNABLES) $(USER_FILES) policy.conf
+ @mkdir -p $(USERPATH)
+ @echo "# " > tmp/system.users
+ @echo "# Do not edit this file. " >> tmp/system.users
+ @echo "# This file is replaced on reinstalls of this policy." >> tmp/system.users
+ @echo "# Please edit local.users to make local changes." >> tmp/system.users
+ @echo "#" >> tmp/system.users
+ m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USER_FILES) | grep -v "^#" >> tmp/system.users
+ install -m 644 tmp/system.users $@
+
+$(USERPATH)/local.users: local.users
+ @mkdir -p $(USERPATH)
+ m4 $(ALL_TUNABLES) tmp/program_used_flags.te $(USERPATH)/local.users | sed 's/^user/#user/g' >> tmp/local.users
+ install -m 644 tmp/local.users $@
+
 ROOTFILES = $(addprefix $(APPDIR)/users/,root)
-install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH)
+install: $(APPFILES) $(ROOTFILES) $(LOADPATH) $(FCPATH) $(USERPATH)/system.users $(USERPATH)/local.users
 @echo "Validating file_contexts ..."
 $(SETFILES) -q -c $(LOADPATH) $(FCPATH)
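Review bot: In the `$(USERPATH)/local.users` rule the m4 step reads `$(USERPATH)/local.users`, which is the rule's own target rather than the `local.users` prerequisite, and it appends to `tmp/local.users` with `>>`. On a fresh install that input does not exist, and because the pipeline's exit status is that of `sed`, the m4 failure would presumably go unnoticed. On later runs the output accumulates, and the installed file that administrators are told to edit is the one re-read, commented out and overwritten. Use the prerequisite and truncate instead: `m4 $(ALL_TUNABLES) tmp/program_used_flags.te $< | sed 's/^user/#user/g' > tmp/local.users`. The same masking applies to the `m4 ... | grep -v "^#"` line of the `system.users` rule, where a failed expansion would install a user file holding only the header; writing m4's output to a temporary file first lets its exit status stop the install.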