From mboxrd@z Thu Jan 1 00:00:00 1970 Message-ID: <4378C285.3080005@tresys.com> Date: Mon, 14 Nov 2005 11:59:49 -0500 From: Joshua Brindle MIME-Version: 1.0 To: Daniel J Walsh CC: Stephen Smalley , SE Linux Subject: Re: rawhide targeted vs. refpolicy rpm References: <4374BDEC.4050600@redhat.com> <200511111717.16542.csellers@tresys.com> <200511141041.49643.csellers@tresys.com> <1131983537.5415.137.camel@moss-spartans.epoch.ncsc.mil> <4378B88B.6040003@redhat.com> In-Reply-To: <4378B88B.6040003@redhat.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Sender: owner-selinux@tycho.nsa.gov List-Id: selinux@tycho.nsa.gov Daniel J Walsh wrote: > policycoreutils patch to genhomedircon to use libsemanage to read > seusers file. > > > > class selinuxConfig: > def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1): > + self.semanageHandle=semanage_handle_create() > + self.semanaged=semanage_is_managed(self.semanageHandle) > + if self.semanaged: > + semanage_connect(self.semanageHandle) > + (status, self.ulist, self.usize) = semanage_user_list(self.semanageHandle) > self.type=type > self.selinuxdir=selinuxdir +"/" > self.contextdir="/contexts" 
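Review bot: The added `__init__` lines never check what libsemanage returns — `semanage_handle_create()` may yield a null handle, the status of `semanage_connect()` is dropped, and the `status` unpacked from `semanage_user_list()` is never tested, so a failed connect or list silently leaves `self.ulist`/`self.usize` unset or meaningless. Those two attributes are also only assigned inside `if self.semanaged:`, while `defaultrole` in the later hunk (`@@ -313,47 +142,72 @@`) iterates `range(self.usize)` unconditionally, which raises AttributeError on an unmanaged store; initializing `self.ulist, self.usize = None, 0` before the branch and checking each call, e.g. `if semanage_connect(self.semanageHandle) != 0: errorExit("semanage_connect failed")`, would close both gaps. The handle is also never released (no `semanage_disconnect`/`semanage_handle_destroy`), which matters if more than one selinuxConfig is constructed in a process. `__init__` continues past the end of this hunk.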
> @@ -313,47 +142,72 @@ > errorExit(string.join("sed error ", rc[1])) > > def getUsersFile(self): > - return self.selinuxdir+self.type+"/users/local.users" > + if self.semanaged: > + return self.selinuxdir+self.type+"module/active/seusers" Why should this return a path at all in the managed case? genhomedircon (or any semanage user) can't make an assumption that a particular path is used, accessible or even on the same computer. > + else: > + return self.selinuxdir+self.type+"/seusers" > > - def getSystemUsersFile(self): > - return self.selinuxdir+self.type+"/users/system.users" > - > def heading(self): > ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0] > ret += "# edit %s to change file_context\n#\n#\n" % self.getUsersFile() > return ret > > + > + def defaultrole(self, name): > + for idx in range(self.usize): > + user = semanage_user_by_idx(self.ulist, idx) > + if semanage_user_get_name(user) == name: > + role=semanage_user_get_defrole(user) > + if role=="system_r": > + # targeted policy > + return "user_r" I don't understand this case. Why wouldn't user_get_defrole return user_r in the targeted case? > + else: > + return role > + return name > + def adduser(self, udict, user, seuser, role): > + try: > + if seuser == "user_u" or user == "__default__": > + return > + # !!! chooses first role in the list to use in the file context !!! or what semanage considers the default role, right? > + if role[-2:] == "_r" or role[-2:] == "_u": > + role = role[:-2] > + home = pwd.getpwnam(user)[5] > + if home == "/": > + return > + prefs = {} > + prefs["role"] = role > + prefs["home"] = home > + udict[seuser] = prefs > + except KeyError: > + sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user) > + -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
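Review bot: In `adduser` the `try` wraps the whole method body, so any `KeyError` — not only the one `pwd.getpwnam(user)` raises for an unknown account — is reported as "not present in the passwd file" and the user is silently skipped, which would mask a genuine bug in the dict handling rather than surface it. Narrow it to the lookup: `try:` / `home = pwd.getpwnam(user)[5]` / `except KeyError:` with the existing stderr message followed by `return`, and keep the seuser/role checks and the `udict[seuser] = prefs` assignment outside it. The `prefs` construction could also be a single literal, `udict[seuser] = {"role": role, "home": home}`, which is the same behavior in one line.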