From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [m4-isms patch 6/6] Remove use of gen_user in users
Date: Wed, 25 Aug 2010 09:11:18 -0400	[thread overview]
Message-ID: <4C751676.7020009@tresys.com> (raw)
In-Reply-To: <1282679449.14992.36.camel@moss-lions.epoch.ncsc.mil>

On 08/24/10 15:50, James Carter wrote:
> I can't parse the following either manually or with the help of a
> computer:
>
> define(`gen_user',`dnl
> ifdef(`users_extra',`dnl
> ifelse(`$2',,,`user $1 prefix $2;')
> ',`dnl
> user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
> ')dnl
> ')
>
> I am not sure what the right solution is here.  I could implement
> something that does the job of gen_user (I sort of do that for
> gen_context), but I can't deal with ifdef's in macro call arguments and
> I don't want MCS specific parts built in, so I haven't done that.
>
> This is very ugly.

The main reason for this is that so much stuff goes on one line, and 
some of it is optional.  Additionally, the users_extra file is generated 
out of gen_user(), so this breaks that support.

>
> ---
>   policy/users |   55 +++++++++++++++++++++++++++++++++++++++++++++++--------
>   1 file changed, 47 insertions(+), 8 deletions(-)
>
> --- a/policy/users
> +++ b/policy/users
> @@ -15,7 +15,7 @@
>   # and a user process should never be assigned the system user
>   # identity.
>   #
> -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +# gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
>   #
>   # user_u is a generic user identity for Linux users who have no
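Review bot: The retired `gen_user(...)` calls are kept as `#`-commented lines here and in the next two hunks (through the `#ifdef(`direct_sysadm_daemon'` block) rather than deleted. Assuming the build leaves m4's default `#` comment delimiter in place, those lines are passed through unexpanded and reach checkpolicy as plain comments, so they are harmless, but they read like live declarations in the one file that states which roles each SELinux identity may reach, and the old form is already preserved in history. Drop them outright; if a pointer to the former shape is wanted, a single comment such as `# Users are declared explicitly for each MLS/MCS build variant in the ifdef blocks below.` says more than six disabled calls.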
> @@ -24,12 +24,12 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
>   # SELinux user identity for a Linux user.  If you do not want to
>   # permit any access to such users, then remove this entry.
>   #
> -gen_user(user_u, user, user_r, s0, s0)
> -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +# gen_user(user_u, user, user_r, s0, s0)
> +# gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> +# gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
>   # Until order dependence is fixed for users:
> -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +# gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
>   #
>   # The following users correspond to Unix identities.
> @@ -38,8 +38,47 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
>   # role should use the staff_r role instead of the user_r role when
>   # not in the sysadm_r.
>   #
> -ifdef(`direct_sysadm_daemon',`
> -       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +#ifdef(`direct_sysadm_daemon',`
> +#      gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +#',`
> +#      gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> +#')
> +
> +ifdef(`enable_mls',`
> +       user system_u roles system_r level s0 range s0 - mls_systemhigh;
> +       user user_u roles user_r level s0 range s0;
> +       user staff_u roles { staff_r sysadm_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
> +       user sysadm_u roles sysadm_r level s0 range s0 - mls_systemhigh;
> +       user unconfined_u roles unconfined_r level s0 range s0 - mls_systemhigh;
> +       ifdef(`direct_sysadm_daemon',`
> +               user root roles { sysadm_r staff_r secadm_r auditadm_r system_r } level s0 range s0 - mls_systemhigh;
> +       ',`
> +               user root roles { sysadm_r staff_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
> +       ')
>   ',`
> -       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> +       ifdef(`enable_mcs',`
> +               user system_u roles system_r level s0 range s0 - s0:mcs_allcats;
> +               user user_u roles user_r level s0 range s0;
> +               user staff_u roles { staff_r sysadm_r } level s0 range s0 - s0:mcs_allcats;
> +               user sysadm_u roles sysadm_r level s0 range s0 - s0:mcs_allcats;
> +               user unconfined_u roles unconfined_r level s0 range s0 - s0:mcs_allcats;
> +               ifdef(`direct_sysadm_daemon',`
> +                       user root roles { sysadm_r staff_r system_r } level s0 range s0 - s0:mcs_allcats;
> +               ',`
> +                       user root roles { sysadm_r staff_r } level s0 range s0 - s0:mcs_allcats;
> +               ')
> +       ',`
> +               # No MLS
> +               # Not supporting MCS
> +               user system_u roles system_r;
> +               user user_u roles user_r;
> +               user staff_u roles { staff_r sysadm_r };
> +               user sysadm_u roles sysadm_r;
> +               user unconfined_u roles unconfined_r;
> +               ifdef(`direct_sysadm_daemon',`
> +                       user root roles { sysadm_r staff_r system_r };
> +               ',`
> +                       user root roles { sysadm_r staff_r };
> +               ')
> +       ')
>   ')
>
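Review bot: The user list is now spelled out three times (MLS, MCS, neither), so every future user or role change has to be repeated in each branch and nothing checks that the copies stay in step; a role added to one variant and missed in another would only surface as a difference in reachable roles between builds. The three copies already differ in more than the range suffix (staff_u and root carry secadm_r/auditadm_r only under MLS), which is intended here but is exactly the kind of per-variant edit that will be easy to get wrong later. One way to keep a single line per user is to factor only the optional `level ... range ...` suffix into a small ifdef'd macro, as sketched below (constructed example; the level is fixed at s0 as in every existing call).
```m4
dnl Range suffix for a user declaration: MLS range ($1), MCS categories ($2), or nothing.
define(`user_range',`ifdef(`enable_mls',` level s0 range $1',`ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$2',,,` - s0:$2')')')')
user system_u roles system_r`'user_range(`s0 - mls_systemhigh', `mcs_allcats');
user user_u roles user_r`'user_range(`s0');
dnl … remaining users declared once in the same form; the MLS-only roles still need their own ifdef …
```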


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
