diff --git a/refpolicy/Changelog b/refpolicy/Changelog
index 2a89416..6cce9a3 100644
--- a/refpolicy/Changelog
+++ b/refpolicy/Changelog
@@ -1,3 +1,4 @@
+- Add users_extra support.
 - Postfix fixes from Serge Hallyn.
 - Run python and shell directly to interpret scripts so policy sources need not be executable.
diff --git a/refpolicy/Makefile b/refpolicy/Makefile
index 00f3235..356a6ee 100644
--- a/refpolicy/Makefile
+++ b/refpolicy/Makefile
@@ -112,6 +112,7 @@ GLOBALTUN = $(POLDIR)/global_tunables
 GLOBALBOOL = $(POLDIR)/global_booleans
 TUNABLES = $(POLDIR)/tunables.conf
 ROLEMAP = $(POLDIR)/rolemap
+USER_FILES := $(POLDIR)/users
 # local config file paths
 ifndef LOCAL_ROOT
@@ -215,7 +216,6 @@ APPCONF := config/appconfig-$(TYPE)
 APPDIR := $(CONTEXTPATH)
 APPFILES := $(addprefix $(APPDIR)/,default_contexts default_type initrc_context failsafe_context userhelper_context removable_context dbus_contexts customizable_types) $(CONTEXTPATH)/files/media
 CONTEXTFILES += $(wildcard $(APPCONF)/*_context*) $(APPCONF)/media
-USER_FILES := $(POLDIR)/users
 ALL_LAYERS := $(filter-out $(MODDIR)/CVS,$(shell find $(wildcard $(MODDIR)/*) -maxdepth 0 -type d))
 ifdef LOCAL_ROOT
@@ -251,7 +251,7 @@ BASE_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if
 MOD_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODMOD)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_MODS)))
 OFF_MODS := $(addsuffix .te,$(sort $(shell awk '/^[[:blank:]]*[[:alpha:]]/{ if ($$3 == "$(MODUNUSED)") print $$1 }' $(MOD_CONF) 2> /dev/null) $(APPS_OFF)))
-# filesystems to be labeled
+# filesystems to be used in labeling targets
 FILESYSTEMS = $(shell mount | grep -v "context=" | egrep -v '\((|.*,)bind(,.*|)\)' | awk '/(ext[23]| xfs| jfs).*rw/{print $$3}';)
 ########################################
diff --git a/refpolicy/Rules.modular b/refpolicy/Rules.modular
index 18e29e9..02e6d36 100644
--- a/refpolicy/Rules.modular
+++ b/refpolicy/Rules.modular
@@ -11,6 +11,8 @@ BASE_FC := $(BUILDDIR)/base.fc
 BASE_CONF := $(BUILDDIR)/base.conf
 BASE_MOD := $(TMPDIR)/base.mod
+USERS_EXTRA := $(TMPDIR)/users_extra
+
 BASE_SECTIONS := $(TMPDIR)/pre_te_files.conf $(TMPDIR)/generated_definitions.conf $(TMPDIR)/all_interfaces.conf $(TMPDIR)/all_attrs_types.conf $(GLOBALBOOL) $(GLOBALTUN) $(TMPDIR)/only_te_rules.conf $(TMPDIR)/all_post.conf
 BASE_PRE_TE_FILES := $(SECCLASS) $(ISIDS) $(AVS) $(M4SUPPORT) $(POLDIR)/mls $(POLDIR)/mcs
@@ -86,15 +88,20 @@ $(BUILDDIR)/%.pp: $(TMPDIR)/%.mod $(TMPDIR)/%.mod.fc
 #
 # Create a base module package
 #
-$(BASE_PKG): $(BASE_MOD) $(BASE_FC)
+$(BASE_PKG): $(BASE_MOD) $(BASE_FC) $(USERS_EXTRA)
 	@echo "Creating $(NAME) base module package"
 	@test -d $(BUILDDIR) || mkdir -p $(BUILDDIR)
-	$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC)
+	$(verbose) $(SEMOD_PKG) -o $@ -m $(BASE_MOD) -f $(BASE_FC) -u $(USERS_EXTRA)
 $(BASE_MOD): $(BASE_CONF)
 	@echo "Compiling $(NAME) base module"
 	$(verbose) $(CHECKMODULE) $^ -o $@
+$(USERS_EXTRA): $(M4SUPPORT) $(USER_FILES)
+	@test -d $(TMPDIR) || mkdir -p $(TMPDIR)
+	$(verbose) $(M4) $(M4PARAM) -D users_extra $^ | \
+	$(SED) -r -n -e 's/^[[:blank:]]*//g' -e '/^user/p' > $@
+
 ########################################
 #
 # Construct a base.conf
diff --git a/refpolicy/policy/support/misc_macros.spt b/refpolicy/policy/support/misc_macros.spt
index f854137..1e57e33 100644
--- a/refpolicy/policy/support/misc_macros.spt
+++ b/refpolicy/policy/support/misc_macros.spt
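Review bot: The `$(USERS_EXTRA)` recipe masks an m4 failure: the exit status of `$(M4) ... | $(SED) ... > $@` is sed's, and the redirect creates the target before m4 runs, so a broken `policy/users` or a missing `$(M4SUPPORT)` leaves an empty but up-to-date users_extra that `$(BASE_PKG)` then packages with `-u` without any error. Presumably that silently drops every `user ... prefix ...;` entry the genhomedircon path depends on, which is a labeling gap rather than a build failure. Running m4 into a temporary file and filtering afterwards keeps the failure visible: `$(verbose) $(M4) $(M4PARAM) -D users_extra $^ > $@.tmp`, `$(verbose) $(SED) -r -n -e 's/^[[:blank:]]*//' -e '/^user /p' $@.tmp > $@`, `$(verbose) rm -f $@.tmp`; a file-level `.DELETE_ON_ERROR:` would cover the partial-output case too. Anchoring the filter as `/^user /` also keeps any other token that merely starts with `user` out of the file, and the `g` flag on the anchored substitution is a no-op that can go.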
@@ -23,9 +23,15 @@ define(`__endline__',`
 ########################################
 #
-# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_categories])
-#
-define(`gen_user',`user $1 roles { $2 }`'ifdef(`enable_mls', ` level $3 range $4')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$5',,,` - s0:$5')');')
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_categories])
+#
+define(`gen_user',`dnl
+ifdef(`users_extra',`dnl
+ifelse(`$2',,,`user $1 prefix $2;')
+',`dnl
+user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
+')dnl
+')
 ########################################
 #
diff --git a/refpolicy/policy/users b/refpolicy/policy/users
index 351bd00..820504f 100644
--- a/refpolicy/policy/users
+++ b/refpolicy/policy/users
@@ -5,8 +5,10 @@
 #
 #
-# gen_user(username, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
+# gen_user(username, prefix, role_set, mls_defaultlevel, mls_range, [mcs_catetories])
 #
+# Note: Identities without a prefix wil not be listed
+# in the users_extra file used by genhomedircon.
 #
 # system_u is the user identity for system processes and objects.
@@ -14,7 +16,7 @@
 # and a user process should never be assigned the system user
 # identity.
 #
-gen_user(system_u, system_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(system_u,, system_r, s0, s0 - s15:c0.c255, c0.c255)
 #
 # user_u is a generic user identity for Linux users who have no
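Review bot: The header comment above `gen_user` lists the new parameter order but says nothing about the two output modes the macro now has, so a reader of `user $1 prefix $2;` has to go to Rules.modular to learn that `-D users_extra` switches it from a policy `user` statement to a genhomedircon entry. I would state it above the definition: `# With users_extra defined (Rules.modular passes -D users_extra) this emits only`, `# "user NAME prefix PREFIX;" and drops identities whose prefix is empty;`, `# otherwise it emits the policy user statement as before.` It is also worth saying that inserting `prefix` as the second positional argument shifts every later one, so a caller still using the old form will hand its role set to `prefix` and its default level to `roles`; in the non-users_extra path that produces a `user` statement checkmodule should reject, but in the users_extra path it would quietly produce a bogus prefix entry.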
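Review bot: The new note in the users file header has a typo, `wil` should be `will`, and it explains the mechanism without naming the case it was written for. Suggested wording: `# Note: identities given an empty prefix (e.g. system_u) will not be listed`, `# in the users_extra file used by genhomedircon.` Since this file is where a maintainer adding an identity will look, one more sentence on what the prefix is consumed for would save them reading the build rules.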
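Review bot: The `system_u,,` double comma in the new `gen_user(system_u,, system_r, ...)` call reads like a typo to anyone who has not just read the macro, and the comment block above it explains only why system_u exists. An inline comment on the line before would tie the empty prefix to the surrounding rationale: `# empty prefix: system_u is deliberately kept out of users_extra, since no user process may carry it`. The first part of that comment block starts outside the hunk.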
@@ -24,11 +26,11 @@ gen_user(system_u, system_r, s0, s0 - s15:c0.c255, c0.c255)
 # permit any access to such users, then remove this entry.
 #
 ifdef(`targeted_policy',`
-gen_user(user_u, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(user_u, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
-gen_user(user_u, user_r, s0, s0)
-gen_user(staff_u, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
-gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
+gen_user(user_u, user, user_r, s0, s0)
+gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 ')
 #
@@ -39,11 +41,11 @@ gen_user(sysadm_u, sysadm_r, s0, s0 - s15:c0.c255, c0.c255)
 # not in the sysadm_r.
 #
 ifdef(`targeted_policy',`
-	gen_user(root, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
+	gen_user(root, user, user_r sysadm_r system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
 ifdef(`direct_sysadm_daemon',`
-	gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
+	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r') system_r, s0, s0 - s15:c0.c255, c0.c255)
 ',`
-	gen_user(root, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
+	gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r'), s0, s0 - s15:c0.c255, c0.c255)
 ')
 ')
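Review bot: root's prefix is `user` in the targeted branch but `sysadm` in both of the other branches, even though sysadm_r is in root's role set in all three, and nothing in the hunk says why the targeted build is different. Since the prefix is what ends up in users_extra for genhomedircon, this choice presumably decides how root's home directory gets labeled, which is exactly the kind of decision a later maintainer will want justified. A comment above the `ifdef(`targeted_policy',`` would do: `# root's prefix follows the first role listed for it: user under targeted policy, sysadm otherwise.` The comment block explaining root's role set begins outside the hunk.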