* [refpolicy] [m4-isms patch 6/6] Remove use of gen_user in users
@ 2010-08-24 19:50 James Carter
From: James Carter @ 2010-08-24 19:50 UTC (permalink / raw)
  To: refpolicy

I can't parse the following either manually or with the help of a
computer:

define(`gen_user',`dnl
ifdef(`users_extra',`dnl
ifelse(`$2',,,`user $1 prefix $2;')
',`dnl
user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
')dnl
')

I am not sure what the right solution is here.  I could implement
something that does the job of gen_user (I sort of do that for
gen_context), but I can't deal with ifdef's in macro call arguments and
I don't want MCS specific parts built in, so I haven't done that.

This is very ugly.

---
 policy/users |   55 +++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 47 insertions(+), 8 deletions(-)

--- a/policy/users
+++ b/policy/users
@@ -15,7 +15,7 @@
 # and a user process should never be assigned the system user
 # identity.
 #
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+# gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
 # user_u is a generic user identity for Linux users who have no
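Review bot: The old `gen_user(system_u,, system_r, ...)` call is kept as a `#` comment instead of being deleted, and the same pattern recurs for the four calls in the next hunk and for the `#ifdef(`direct_sysadm_daemon',`` block in the last hunk. Since the commit's purpose is to remove gen_user from this file, the commented-out calls are dead text that version control already preserves and that will drift from the live `user` declarations the moment someone edits one side only. Drop them outright; if a pointer to the old form is wanted, one comment such as `# Users were previously declared through gen_user(); see history.` is enough.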
@@ -24,12 +24,12 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # SELinux user identity for a Linux user.  If you do not want to
 # permit any access to such users, then remove this entry.
 #
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+# gen_user(user_u, user, user_r, s0, s0)
+# gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+# gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 # Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+# gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 
 #
 # The following users correspond to Unix identities.
@@ -38,8 +38,47 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
-ifdef(`direct_sysadm_daemon',`
-       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#ifdef(`direct_sysadm_daemon',`
+#      gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#',`
+#      gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+#')
+
+ifdef(`enable_mls',`
+       user system_u roles system_r level s0 range s0 - mls_systemhigh;
+       user user_u roles user_r level s0 range s0;
+       user staff_u roles { staff_r sysadm_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
+       user sysadm_u roles sysadm_r level s0 range s0 - mls_systemhigh;
+       user unconfined_u roles unconfined_r level s0 range s0 - mls_systemhigh;
+       ifdef(`direct_sysadm_daemon',`
+               user root roles { sysadm_r staff_r secadm_r auditadm_r system_r } level s0 range s0 - mls_systemhigh;
+       ',`
+               user root roles { sysadm_r staff_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
+       ')              
 ',`
-       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+       ifdef(`enable_mcs',`
+               user system_u roles system_r level s0 range s0 - s0:mcs_allcats;
+               user user_u roles user_r level s0 range s0;
+               user staff_u roles { staff_r sysadm_r } level s0 range s0 - s0:mcs_allcats;
+               user sysadm_u roles sysadm_r level s0 range s0 - s0:mcs_allcats;
+               user unconfined_u roles unconfined_r level s0 range s0 - s0:mcs_allcats;
+               ifdef(`direct_sysadm_daemon',`
+                       user root roles { sysadm_r staff_r system_r } level s0 range s0 - s0:mcs_allcats;
+               ',`
+                       user root roles { sysadm_r staff_r } level s0 range s0 - s0:mcs_allcats;
+               ')
+       ',`     
+               # No MLS
+               # Not supporting MCS
+               user system_u roles system_r;
+               user user_u roles user_r;
+               user staff_u roles { staff_r sysadm_r };
+               user sysadm_u roles sysadm_r;
+               user unconfined_u roles unconfined_r;
+               ifdef(`direct_sysadm_daemon',`
+                       user root roles { sysadm_r staff_r system_r };
+               ',`
+                       user root roles { sysadm_r staff_r };
+               ')
+       ')
 ')
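Review bot: The user-to-role table is now spelled out three times (`enable_mls`, `enable_mcs`, neither) and the root entry six times, so a change to any user's authorised role set has to be repeated in every branch, and a missed branch yields a build configuration that silently grants a different role set with nothing in the file to catch the divergence. At minimum add a header comment above `ifdef(`enable_mls',`` stating the invariant, e.g. `# All branches below must declare the same users with the same roles; only the level/range suffix and the MLS-only secadm_r/auditadm_r roles may differ between them.` The inner `')` that closes the direct_sysadm_daemon ifdef in the MLS branch and the `',`` that opens the non-MCS branch carry trailing whitespace that lands inside the quoted m4 text; trim it so the generated policy and future diffs stay clean.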

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency


* [refpolicy] [m4-isms patch 6/6] Remove use of gen_user in users
  2010-08-24 19:50 [refpolicy] [m4-isms patch 6/6] Remove use of gen_user in users James Carter
@ 2010-08-25 13:11 ` Christopher J. PeBenito
From: Christopher J. PeBenito @ 2010-08-25 13:11 UTC (permalink / raw)
  To: refpolicy

On 08/24/10 15:50, James Carter wrote:
> I can't parse the following either manually or with the help of a
> computer:
>
> define(`gen_user',`dnl
> ifdef(`users_extra',`dnl
> ifelse(`$2',,,`user $1 prefix $2;')
> ',`dnl
> user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
> ')dnl
> ')
>
> I am not sure what the right solution is here.  I could implement
> something that does the job of gen_user (I sort of do that for
> gen_context), but I can't deal with ifdef's in macro call arguments and
> I don't want MCS specific parts built in, so I haven't done that.
>
> This is very ugly.

The main reason for this is that so much stuff goes on one line, and 
some of it is optional.  Additionally, the users_extra file is generated 
out of gen_user(), so this breaks that support.

>
> ---
>   policy/users |   55 +++++++++++++++++++++++++++++++++++++++++++++++--------
>   1 file changed, 47 insertions(+), 8 deletions(-)
>
> --- a/policy/users
> +++ b/policy/users
> @@ -15,7 +15,7 @@
>   # and a user process should never be assigned the system user
>   # identity.
>   #
> -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +# gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
>   #
>   # user_u is a generic user identity for Linux users who have no
> @@ -24,12 +24,12 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
>   # SELinux user identity for a Linux user.  If you do not want to
>   # permit any access to such users, then remove this entry.
>   #
> -gen_user(user_u, user, user_r, s0, s0)
> -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +# gen_user(user_u, user, user_r, s0, s0)
> +# gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> +# gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
>   # Until order dependence is fixed for users:
> -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +# gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
>   #
>   # The following users correspond to Unix identities.
> @@ -38,8 +38,47 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
>   # role should use the staff_r role instead of the user_r role when
>   # not in the sysadm_r.
>   #
> -ifdef(`direct_sysadm_daemon',`
> -       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +#ifdef(`direct_sysadm_daemon',`
> +#      gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +#',`
> +#      gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> +#')
> +
> +ifdef(`enable_mls',`
> +       user system_u roles system_r level s0 range s0 - mls_systemhigh;
> +       user user_u roles user_r level s0 range s0;
> +       user staff_u roles { staff_r sysadm_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
> +       user sysadm_u roles sysadm_r level s0 range s0 - mls_systemhigh;
> +       user unconfined_u roles unconfined_r level s0 range s0 - mls_systemhigh;
> +       ifdef(`direct_sysadm_daemon',`
> +               user root roles { sysadm_r staff_r secadm_r auditadm_r system_r } level s0 range s0 - mls_systemhigh;
> +       ',`
> +               user root roles { sysadm_r staff_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
> +       ')
>   ',`
> -       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> +       ifdef(`enable_mcs',`
> +               user system_u roles system_r level s0 range s0 - s0:mcs_allcats;
> +               user user_u roles user_r level s0 range s0;
> +               user staff_u roles { staff_r sysadm_r } level s0 range s0 - s0:mcs_allcats;
> +               user sysadm_u roles sysadm_r level s0 range s0 - s0:mcs_allcats;
> +               user unconfined_u roles unconfined_r level s0 range s0 - s0:mcs_allcats;
> +               ifdef(`direct_sysadm_daemon',`
> +                       user root roles { sysadm_r staff_r system_r } level s0 range s0 - s0:mcs_allcats;
> +               ',`
> +                       user root roles { sysadm_r staff_r } level s0 range s0 - s0:mcs_allcats;
> +               ')
> +       ',`
> +               # No MLS
> +               # Not supporting MCS
> +               user system_u roles system_r;
> +               user user_u roles user_r;
> +               user staff_u roles { staff_r sysadm_r };
> +               user sysadm_u roles sysadm_r;
> +               user unconfined_u roles unconfined_r;
> +               ifdef(`direct_sysadm_daemon',`
> +                       user root roles { sysadm_r staff_r system_r };
> +               ',`
> +                       user root roles { sysadm_r staff_r };
> +               ')
> +       ')
>   ')
>


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [m4-isms patch 6/6] Remove use of gen_user in users
  2010-08-25 13:11 ` Christopher J. PeBenito
@ 2010-08-25 14:30   ` James Carter
From: James Carter @ 2010-08-25 14:30 UTC (permalink / raw)
  To: refpolicy

On Wed, 2010-08-25 at 09:11 -0400, Christopher J. PeBenito wrote:
> On 08/24/10 15:50, James Carter wrote:
> > I can't parse the following either manually or with the help of a
> > computer:
> >
> > define(`gen_user',`dnl
> > ifdef(`users_extra',`dnl
> > ifelse(`$2',,,`user $1 prefix $2;')
> > ',`dnl
> > user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
> > ')dnl
> > ')
> >
> > I am not sure what the right solution is here.  I could implement
> > something that does the job of gen_user (I sort of do that for
> > gen_context), but I can't deal with ifdef's in macro call arguments and
> > I don't want MCS specific parts built in, so I haven't done that.
> >
> > This is very ugly.
> 
> The main reason for this is that so much stuff goes on one line, and 
> some of it is optional.  Additionally, the users_extra file is generated 
> out of gen_user(), so this breaks that support.
> 

I don't expect you to take these changes.

I expected that I would probably just build in understanding of
gen_user.  I have done that with gen_context already.


> >
> > ---
> >   policy/users |   55 +++++++++++++++++++++++++++++++++++++++++++++++--------
> >   1 file changed, 47 insertions(+), 8 deletions(-)
> >
> > --- a/policy/users
> > +++ b/policy/users
> > @@ -15,7 +15,7 @@
> >   # and a user process should never be assigned the system user
> >   # identity.
> >   #
> > -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +# gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> >
> >   #
> >   # user_u is a generic user identity for Linux users who have no
> > @@ -24,12 +24,12 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> >   # SELinux user identity for a Linux user.  If you do not want to
> >   # permit any access to such users, then remove this entry.
> >   #
> > -gen_user(user_u, user, user_r, s0, s0)
> > -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> > -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +# gen_user(user_u, user, user_r, s0, s0)
> > +# gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> > +# gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
> >
> >   # Until order dependence is fixed for users:
> > -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +# gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> >
> >   #
> >   # The following users correspond to Unix identities.
> > @@ -38,8 +38,47 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
> >   # role should use the staff_r role instead of the user_r role when
> >   # not in the sysadm_r.
> >   #
> > -ifdef(`direct_sysadm_daemon',`
> > -       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +#ifdef(`direct_sysadm_daemon',`
> > +#      gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +#',`
> > +#      gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> > +#')
> > +
> > +ifdef(`enable_mls',`
> > +       user system_u roles system_r level s0 range s0 - mls_systemhigh;
> > +       user user_u roles user_r level s0 range s0;
> > +       user staff_u roles { staff_r sysadm_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
> > +       user sysadm_u roles sysadm_r level s0 range s0 - mls_systemhigh;
> > +       user unconfined_u roles unconfined_r level s0 range s0 - mls_systemhigh;
> > +       ifdef(`direct_sysadm_daemon',`
> > +               user root roles { sysadm_r staff_r secadm_r auditadm_r system_r } level s0 range s0 - mls_systemhigh;
> > +       ',`
> > +               user root roles { sysadm_r staff_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
> > +       ')
> >   ',`
> > -       gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> > +       ifdef(`enable_mcs',`
> > +               user system_u roles system_r level s0 range s0 - s0:mcs_allcats;
> > +               user user_u roles user_r level s0 range s0;
> > +               user staff_u roles { staff_r sysadm_r } level s0 range s0 - s0:mcs_allcats;
> > +               user sysadm_u roles sysadm_r level s0 range s0 - s0:mcs_allcats;
> > +               user unconfined_u roles unconfined_r level s0 range s0 - s0:mcs_allcats;
> > +               ifdef(`direct_sysadm_daemon',`
> > +                       user root roles { sysadm_r staff_r system_r } level s0 range s0 - s0:mcs_allcats;
> > +               ',`
> > +                       user root roles { sysadm_r staff_r } level s0 range s0 - s0:mcs_allcats;
> > +               ')
> > +       ',`
> > +               # No MLS
> > +               # Not supporting MCS
> > +               user system_u roles system_r;
> > +               user user_u roles user_r;
> > +               user staff_u roles { staff_r sysadm_r };
> > +               user sysadm_u roles sysadm_r;
> > +               user unconfined_u roles unconfined_r;
> > +               ifdef(`direct_sysadm_daemon',`
> > +                       user root roles { sysadm_r staff_r system_r };
> > +               ',`
> > +                       user root roles { sysadm_r staff_r };
> > +               ')
> > +       ')
> >   ')
> >
> 
> 

-- 
James Carter <jwcart2@tycho.nsa.gov>
National Security Agency

