diff options
author | Christian Göttsche <cgzones@googlemail.com> | 2021-01-31 21:50:11 +0100 |
---|---|---|
committer | Jason Zaman <perfinion@gentoo.org> | 2021-02-06 12:54:11 -0800 |
commit | c7d0c5c923977ecd27f6e3464d12b296151c17ad (patch) | |
tree | 27ca760838e2f024352db6c5a3e29d8d343a7200 /support | |
parent | apps/screen.fc: Added fcontext for tmux xdg directory. (diff) | |
download | hardened-refpolicy-c7d0c5c923977ecd27f6e3464d12b296151c17ad.tar.gz hardened-refpolicy-c7d0c5c923977ecd27f6e3464d12b296151c17ad.tar.bz2 hardened-refpolicy-c7d0c5c923977ecd27f6e3464d12b296151c17ad.zip |
genhomedircon: drop backwards compatibility section
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'support')
-rw-r--r-- | support/genhomedircon.py | 162 |
1 files changed, 1 insertions, 161 deletions
diff --git a/support/genhomedircon.py b/support/genhomedircon.py index bb4e5061..e9d72067 100644 --- a/support/genhomedircon.py +++ b/support/genhomedircon.py @@ -40,7 +40,7 @@ # are always "real" (including root, in the default configuration). # -import sys, os, pwd, getopt, re +import sys, pwd, getopt, re from subprocess import getstatusoutput EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"] @@ -69,162 +69,6 @@ def getStartingUID(): starting_uid = 500 return starting_uid -############################################################################# -# -# This section is just for backwards compatibility -# -############################################################################# -def getPrefixes(): - ulist = pwd.getpwall() - STARTING_UID=getStartingUID() - prefixes = {} - for u in ulist: - if u[2] >= STARTING_UID and \ - not u[6] in EXCLUDE_LOGINS and \ - u[5] != "/" and \ - u[5].count("/") > 1: - prefix = u[5][:u[5].rfind("/")] - if not prefix in prefixes: - prefixes[prefix] = "" - return prefixes - -def getUsers(filecontextdir): - rc = getstatusoutput("grep ^user %s/users" % filecontextdir) - udict = {} - if rc[0] == 0: - ulist = rc[1].strip().split("\n") - for u in ulist: - user = u.split() - try: - if user[1] == "user_u" or user[1] == "system_u": - continue - # !!! chooses first role in the list to use in the file context !!! - role = user[3] - if role == "{": - role = user[4] - role = role.split("_r")[0] - home = pwd.getpwnam(user[1])[5] - if home == "/": - continue - prefs = {} - prefs["role"] = role - prefs["home"] = home - udict[user[1]] = prefs - except KeyError: - sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1]) - return udict - -def update(filecontext, user, prefs): - rc=getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user)) - if rc[0] == 0: - print(rc[1]) - else: - errorExit("grep/sed error " + rc[1]) - return rc - -def oldgenhomedircon(filecontextdir, filecontext): - sys.stderr.flush() - - if os.path.isdir(filecontextdir) == 0: - sys.stderr.write("New usage is the following\n") - usage() - #We are going to define home directory used by libuser and show-utils as a home directory root - prefixes = {} - rc=getstatusoutput("grep -h '^HOME' /etc/default/useradd") - if rc[0] == 0: - homedir = rc[1].split("=")[1] - homedir = homedir.split("#")[0] - homedir = homedir.strip() - if not homedir in prefixes: - prefixes[homedir] = "" - else: - #rc[0] == 256 means the file was there, we read it, but the grep didn't match - if rc[0] != 256: - sys.stderr.write("%s\n" % rc[1]) - sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n") - sys.stderr.flush() - - - rc=getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf") - if rc[0] == 0: - homedir = rc[1].split("=")[1] - homedir = homedir.split("#")[0] - homedir = homedir.strip() - homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir) - if not homedir in prefixes: - prefixes[homedir] = "" - - #the idea is that we need to find all of the home_root_t directories we do this by just accepting - #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd - #we then get the potential home directory roots from /etc/passwd or nis or wherever and look at - #the defined homedir for all users with UID > STARTING_UID. This list of possible root homedirs - #is then checked to see if it has an explicit context defined in the file_contexts. Explicit - #is any regex that would match it which does not end with .*$ or .+$ since those are general - #recursive matches. We then take any regex which ends with [pattern](/.*)?$ and just check against - #[pattern] - potential_prefixes = getPrefixes() - prefix_regex = {} - #this works by grepping the file_contexts for - # 1. ^/ makes sure this is not a comment - # 2. prints only the regex in the first column first cut on \t then on space - rc=getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " % (sys.argv[2]) ) - if rc[0] == 0: - prefix_regex = rc[1].split("\n") - else: - sys.stderr.write("%s\n" % rc[1]) - sys.stderr.write("You do not have access to grep/cut/the file contexts\n") - sys.stderr.flush() - for potential in potential_prefixes.keys(): - addme = 1 - for regex in prefix_regex: - #match a trailing (/*)? which is actually a bug in rpc_pipefs - regex = re.sub(r"\(/\*\)\?$", "", regex) - #match a trailing .+ - regex = re.sub(r"\.+$", "", regex) - #match a trailing .* - regex = re.sub(r"\.\*$", "", regex) - #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s - regex = re.sub(r"\(\/\.\*\)\?", "", regex) - regex = regex + "/*$" - if re.search(regex, potential, 0): - addme = 0 - if addme == 1: - if not potential in prefixes: - prefixes[potential] = "" - - - if prefixes.__eq__({}): - sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n") - sys.stderr.write("HOME= not set in /etc/default/useradd\n") - sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n") - sys.stderr.write("Assuming /home is the root of home directories\n") - sys.stderr.flush() - prefixes["/home"] = "" - - # There may be a more elegant sed script to expand a macro to multiple lines, but this works - sed_root = "h; s|^HOME_ROOT|%s|" % (prefixes.keys() + "|; p; g; s|^HOME_ROOT|") - sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (prefixes.keys() + "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|") - - # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users - rc=getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext)) - if rc[0] == 0: - print(rc[1]) - else: - errorExit("sed error " + rc[1]) - - users = getUsers(filecontextdir) - print("\n#\n# User-specific file contexts\n#\n") - - # Fill in HOME and ROLE for users that are defined - for u in users.keys(): - update(filecontext, u, users[u]) - -############################################################################# -# -# End of backwards compatibility section -# -############################################################################# - def getDefaultHomeDir(): ret = [] rc=getstatusoutput("grep -h '^HOME' /etc/default/useradd") @@ -466,10 +310,6 @@ try: if setype is None: setype=getSELinuxType(directory) - if len(cmds) == 2: - oldgenhomedircon(cmds[0], cmds[1]) - sys.exit(0) - if len(cmds) != 0: usage() selconf=selinuxConfig(directory, setype, usepwd) |