* [PATCH] remove system_u and s0 hardcoded strings
@ 2016-09-06 13:48 Gary Tierney
2016-09-06 13:48 ` [PATCH] genhomedircon: remove hardcoded refpolicy strings Gary Tierney
0 siblings, 1 reply; 13+ messages in thread
From: Gary Tierney @ 2016-09-06 13:48 UTC (permalink / raw)
To: selinux
This patch removes the search and replacement for "system_u" and "s0" by instead
looking for a valid context and replacing the user and MLS/MCS range where
appropriate. This allows using genhomedircon with alternative policies that
don't name the system seuser "system_u" or declare users in a CIL namespace /
container.
This is also a slight behavior change, but should be functionally equivalent to
before for existing policies. In refpolicy we have no homedir contexts without
system_u as the user or s0 as the level:
> $ find . -name '*.fc' | xargs grep -h 'HOME_DIR' | grep -v 's0' | grep -Evc '^#'
0
> $ find . -name '*.fc' | xargs grep -h 'HOME_DIR' | grep -v 'system_u' | grep -Evc '^#'
0
Gary Tierney (1):
genhomedircon: remove hardcoded refpolicy strings
libsemanage/src/genhomedircon.c | 79 ++++++++++++++++++++++++++++++++++-------
1 file changed, 66 insertions(+), 13 deletions(-)
--
2.7.4
^ permalink raw reply [flat|nested] 13+ messages in thread
* [PATCH] genhomedircon: remove hardcoded refpolicy strings
2016-09-06 13:48 [PATCH] remove system_u and s0 hardcoded strings Gary Tierney
@ 2016-09-06 13:48 ` Gary Tierney
2016-09-06 19:13 ` Stephen Smalley
0 siblings, 1 reply; 13+ messages in thread
From: Gary Tierney @ 2016-09-06 13:48 UTC (permalink / raw)
To: selinux
Removes the "system_u" and "s0" string literals from refpolicy and
replaces the seuser and range in each homedir, uid, and username context
specification for every user.
Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
---
libsemanage/src/genhomedircon.c | 79 ++++++++++++++++++++++++++++++++++-------
1 file changed, 66 insertions(+), 13 deletions(-)
diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index cce3884..cca97f6 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -20,6 +20,7 @@
* 02110-1301 USA
*/
+#include <selinux/context.h>
#include <semanage/handle.h>
#include <semanage/seusers_policy.h>
#include <semanage/users_policy.h>
@@ -82,9 +83,6 @@
#define TEMPLATE_USERNAME "%{USERNAME}"
#define TEMPLATE_USERID "%{USERID}"
-#define TEMPLATE_SEUSER "system_u"
-#define TEMPLATE_LEVEL "s0"
-
#define FALLBACK_SENAME "user_u"
#define FALLBACK_PREFIX "user"
#define FALLBACK_LEVEL "s0"
@@ -92,6 +90,8 @@
#define FALLBACK_UIDGID "[0-9]+"
#define DEFAULT_LOGIN "__default__"
+#define CONTEXT_NONE "<<none>>"
+
typedef struct user_entry {
char *name;
char *uid;
@@ -599,14 +599,72 @@ static int write_replacements(genhomedircon_settings_t * s, FILE * out,
return STATUS_ERR;
}
+static int write_user_replacements(genhomedircon_settings_t *s, FILE *out,
+ semanage_list_t *tpl, const replacement_pair_t *repl,
+ const genhomedircon_user_entry_t *user)
+{
+ Ustr *line = USTR_NULL;
+ context_t context = NULL;
+
+ for (; tpl; tpl = tpl->next) {
+ line = replace_all(tpl->data, repl);
+ if (!line) {
+ goto fail;
+ }
+
+ const char *old_context_str = extract_context(line);
+ if (!old_context_str) {
+ goto fail;
+ }
+
+ if (strcmp(old_context_str, CONTEXT_NONE) == 0) {
+ if (check_line(s, line) &&
+ !ustr_io_putfileline(&line, out)) {
+ goto fail;
+ }
+
+ continue;
+ }
+
+ context = context_new(old_context_str);
+ if (!context) {
+ goto fail;
+ }
+
+ if (context_user_set(context, user->sename) != 0 ||
+ context_range_set(context, user->level) != 0) {
+ goto fail;
+ }
+
+ const char *new_context_str = context_str(context);
+ if (!ustr_replace_cstr(&line, old_context_str,
+ new_context_str, 1)) {
+ goto fail;
+ }
+
+ if (check_line(s, line) == STATUS_SUCCESS) {
+ if (!ustr_io_putfileline(&line, out)) {
+ goto fail;
+ }
+ }
+
+ ustr_sc_free(&line);
+ context_free(context);
+ }
+
+ return STATUS_SUCCESS;
+fail:
+ ustr_sc_free(&line);
+ context_free(context);
+ return STATUS_ERR;
+}
+
static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out,
semanage_list_t * tpl, const genhomedircon_user_entry_t *user)
{
replacement_pair_t repl[] = {
- {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
{.search_for = TEMPLATE_HOME_DIR,.replace_with = user->home},
{.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
- {.search_for = TEMPLATE_LEVEL,.replace_with = user->level},
{NULL, NULL}
};
@@ -618,7 +676,7 @@ static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out,
return STATUS_ERR;
}
- return write_replacements(s, out, tpl, repl);
+ return write_user_replacements(s, out, tpl, repl, user);
}
static int write_home_root_context(genhomedircon_settings_t * s, FILE * out,
@@ -640,11 +698,10 @@ static int write_username_context(genhomedircon_settings_t * s, FILE * out,
{.search_for = TEMPLATE_USERNAME,.replace_with = user->name},
{.search_for = TEMPLATE_USERID,.replace_with = user->uid},
{.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
- {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
{NULL, NULL}
};
- return write_replacements(s, out, tpl, repl);
+ return write_user_replacements(s, out, tpl, repl, user);
}
static int write_user_context(genhomedircon_settings_t * s, FILE * out,
@@ -653,11 +710,10 @@ static int write_user_context(genhomedircon_settings_t * s, FILE * out,
replacement_pair_t repl[] = {
{.search_for = TEMPLATE_USER,.replace_with = user->name},
{.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
- {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
{NULL, NULL}
};
- return write_replacements(s, out, tpl, repl);
+ return write_user_replacements(s, out, tpl, repl, user);
}
static int seuser_sort_func(const void *arg1, const void *arg2)
@@ -1074,9 +1130,6 @@ static genhomedircon_user_entry_t *get_users(genhomedircon_settings_t * s,
if (strcmp(name, DEFAULT_LOGIN) == 0)
continue;
- if (strcmp(name, TEMPLATE_SEUSER) == 0)
- continue;
-
/* find the user structure given the name */
u = bsearch(seuname, user_list, nusers, sizeof(semanage_user_t *),
(int (*)(const void *, const void *))
--
2.7.4
^ permalink raw reply related [flat|nested] 13+ messages in thread
* Re: [PATCH] genhomedircon: remove hardcoded refpolicy strings
2016-09-06 13:48 ` [PATCH] genhomedircon: remove hardcoded refpolicy strings Gary Tierney
@ 2016-09-06 19:13 ` Stephen Smalley
2016-09-07 4:42 ` Gary Tierney
0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2016-09-06 19:13 UTC (permalink / raw)
To: Gary Tierney, selinux
On 09/06/2016 09:48 AM, Gary Tierney wrote:
> Removes the "system_u" and "s0" string literals from refpolicy and
> replaces the seuser and range in each homedir, uid, and username context
> specification for every user.
>
> Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
> ---
> libsemanage/src/genhomedircon.c | 79 ++++++++++++++++++++++++++++++++++-------
> 1 file changed, 66 insertions(+), 13 deletions(-)
>
> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
> index cce3884..cca97f6 100644
> --- a/libsemanage/src/genhomedircon.c
> +++ b/libsemanage/src/genhomedircon.c
> @@ -20,6 +20,7 @@
> * 02110-1301 USA
> */
>
> +#include <selinux/context.h>
I think we likely want to use the sepol/context_record.h (already
included here) functions instead. Those are already in use by
libsemanage. I agree it is confusing and not helped by the fact that we
lack man pages for most sepol functions. Sorry.
> #include <semanage/handle.h>
> #include <semanage/seusers_policy.h>
> #include <semanage/users_policy.h>
> @@ -82,9 +83,6 @@
> #define TEMPLATE_USERNAME "%{USERNAME}"
> #define TEMPLATE_USERID "%{USERID}"
>
> -#define TEMPLATE_SEUSER "system_u"
> -#define TEMPLATE_LEVEL "s0"
> -
> #define FALLBACK_SENAME "user_u"
> #define FALLBACK_PREFIX "user"
> #define FALLBACK_LEVEL "s0"
> @@ -92,6 +90,8 @@
> #define FALLBACK_UIDGID "[0-9]+"
> #define DEFAULT_LOGIN "__default__"
>
> +#define CONTEXT_NONE "<<none>>"
> +
> typedef struct user_entry {
> char *name;
> char *uid;
> @@ -599,14 +599,72 @@ static int write_replacements(genhomedircon_settings_t * s, FILE * out,
> return STATUS_ERR;
> }
>
> +static int write_user_replacements(genhomedircon_settings_t *s, FILE *out,
> + semanage_list_t *tpl, const replacement_pair_t *repl,
> + const genhomedircon_user_entry_t *user)
> +{
> + Ustr *line = USTR_NULL;
> + context_t context = NULL;
> +
> + for (; tpl; tpl = tpl->next) {
> + line = replace_all(tpl->data, repl);
> + if (!line) {
> + goto fail;
> + }
> +
> + const char *old_context_str = extract_context(line);
> + if (!old_context_str) {
> + goto fail;
> + }
> +
> + if (strcmp(old_context_str, CONTEXT_NONE) == 0) {
> + if (check_line(s, line) &&
> + !ustr_io_putfileline(&line, out)) {
> + goto fail;
> + }
> +
> + continue;
> + }
> +
> + context = context_new(old_context_str);
sepol_context_from_string()
> + if (!context) {
> + goto fail;
> + }
> +
> + if (context_user_set(context, user->sename) != 0 ||
sepol_context_set_user()
> + context_range_set(context, user->level) != 0) {
sepol_context_set_mls()
> + goto fail;
> + }
> +
> + const char *new_context_str = context_str(context);
sepol_context_to_string()
> + if (!ustr_replace_cstr(&line, old_context_str,
> + new_context_str, 1)) {
> + goto fail;
> + }
> +
> + if (check_line(s, line) == STATUS_SUCCESS) {
> + if (!ustr_io_putfileline(&line, out)) {
> + goto fail;
> + }
> + }
> +
> + ustr_sc_free(&line);
> + context_free(context);
sepol_context_free()
> + }
> +
> + return STATUS_SUCCESS;
> +fail:
> + ustr_sc_free(&line);
> + context_free(context);
> + return STATUS_ERR;
> +}
> +
> static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out,
> semanage_list_t * tpl, const genhomedircon_user_entry_t *user)
> {
> replacement_pair_t repl[] = {
> - {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
> {.search_for = TEMPLATE_HOME_DIR,.replace_with = user->home},
> {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
> - {.search_for = TEMPLATE_LEVEL,.replace_with = user->level},
> {NULL, NULL}
> };
>
> @@ -618,7 +676,7 @@ static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out,
> return STATUS_ERR;
> }
>
> - return write_replacements(s, out, tpl, repl);
> + return write_user_replacements(s, out, tpl, repl, user);
> }
>
> static int write_home_root_context(genhomedircon_settings_t * s, FILE * out,
> @@ -640,11 +698,10 @@ static int write_username_context(genhomedircon_settings_t * s, FILE * out,
> {.search_for = TEMPLATE_USERNAME,.replace_with = user->name},
> {.search_for = TEMPLATE_USERID,.replace_with = user->uid},
> {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
> - {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
> {NULL, NULL}
> };
>
> - return write_replacements(s, out, tpl, repl);
> + return write_user_replacements(s, out, tpl, repl, user);
> }
>
> static int write_user_context(genhomedircon_settings_t * s, FILE * out,
> @@ -653,11 +710,10 @@ static int write_user_context(genhomedircon_settings_t * s, FILE * out,
> replacement_pair_t repl[] = {
> {.search_for = TEMPLATE_USER,.replace_with = user->name},
> {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
> - {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
> {NULL, NULL}
> };
>
> - return write_replacements(s, out, tpl, repl);
> + return write_user_replacements(s, out, tpl, repl, user);
> }
>
> static int seuser_sort_func(const void *arg1, const void *arg2)
> @@ -1074,9 +1130,6 @@ static genhomedircon_user_entry_t *get_users(genhomedircon_settings_t * s,
> if (strcmp(name, DEFAULT_LOGIN) == 0)
> continue;
>
> - if (strcmp(name, TEMPLATE_SEUSER) == 0)
> - continue;
> -
This yields a warning/error on Fedora:
$ sudo semodule -B
libsemanage.add_user: user system_u not in password file
And I end up with a slightly different file_contexts.homedirs:
@@ -39,7 +39,6 @@
/home/[^/]+/\.xauth.* -- unconfined_u:object_r:xauth_home_t:s0
/home/[^/]+/\.Xauth.* -- unconfined_u:object_r:xauth_home_t:s0
/home/[^/]+/\.local.* unconfined_u:object_r:gconf_home_t:s0
-/home/[^/]+/\.gvfs/.* <<none>>
/home/[^/]+/\.cache(/.*)? unconfined_u:object_r:cache_home_t:s0
/home/[^/]+/\.gnupg(/.+)? unconfined_u:object_r:gpg_secret_t:s0
/home/[^/]+/\.irssi(/.*)? unconfined_u:object_r:irc_home_t:s0
@@ -51,7 +50,6 @@
/home/[^/]+/\.pyzor(/.*)? unconfined_u:object_r:spamc_home_t:s0
/home/[^/]+/\.razor(/.*)? unconfined_u:object_r:spamc_home_t:s0
/home/[^/]+/\.spamd(/.*)? unconfined_u:object_r:spamc_home_t:s0
-/home/[^/]+/\.debug(/.*)? <<none>>
/home/[^/]+/vmware(/.*)? unconfined_u:object_r:vmware_file_t:s0
/home/[^/]+/\.fonts(/.*)? unconfined_u:object_r:user_fonts_t:s0
/home/[^/]+/\.gconf(d)?(/.*)? unconfined_u:object_r:gconf_home_t:s0
The homedir_template has:
...
HOME_DIR/\.gvfs/.* <<none>>
HOME_DIR/\.cache(/.*)? system_u:object_r:cache_home_t:s0
HOME_DIR/\.gnupg(/.+)? system_u:object_r:gpg_secret_t:s0
HOME_DIR/\.irssi(/.*)? system_u:object_r:irc_home_t:s0
HOME_DIR/irclog(/.*)? system_u:object_r:irc_home_t:s0
HOME_DIR/\.adobe(/.*)? system_u:object_r:mozilla_home_t:s0
HOME_DIR/\.gnash(/.*)? system_u:object_r:mozilla_home_t:s0
HOME_DIR/\.webex(/.*)? system_u:object_r:mozilla_home_t:s0
HOME_DIR/\.pulse(/.*)? system_u:object_r:pulseaudio_home_t:s0
HOME_DIR/\.pyzor(/.*)? system_u:object_r:spamc_home_t:s0
HOME_DIR/\.razor(/.*)? system_u:object_r:spamc_home_t:s0
HOME_DIR/\.spamd(/.*)? system_u:object_r:spamc_home_t:s0
HOME_DIR/\.debug(/.*)? <<none>>
...
> /* find the user structure given the name */
> u = bsearch(seuname, user_list, nusers, sizeof(semanage_user_t *),
> (int (*)(const void *, const void *))
>
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] genhomedircon: remove hardcoded refpolicy strings
2016-09-06 19:13 ` Stephen Smalley
@ 2016-09-07 4:42 ` Gary Tierney
2016-09-07 7:15 ` Dominick Grift
2016-09-07 12:36 ` Stephen Smalley
0 siblings, 2 replies; 13+ messages in thread
From: Gary Tierney @ 2016-09-07 4:42 UTC (permalink / raw)
To: selinux
[-- Attachment #1: Type: text/plain, Size: 8155 bytes --]
On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley wrote:
>On 09/06/2016 09:48 AM, Gary Tierney wrote:
>> Removes the "system_u" and "s0" string literals from refpolicy and
>> replaces the seuser and range in each homedir, uid, and username context
>> specification for every user.
>>
>> Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
>> ---
>> libsemanage/src/genhomedircon.c | 79 ++++++++++++++++++++++++++++++++++-------
>> 1 file changed, 66 insertions(+), 13 deletions(-)
>>
>> diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
>> index cce3884..cca97f6 100644
>> --- a/libsemanage/src/genhomedircon.c
>> +++ b/libsemanage/src/genhomedircon.c
>> @@ -20,6 +20,7 @@
>> * 02110-1301 USA
>> */
>>
>> +#include <selinux/context.h>
>
>I think we likely want to use the sepol/context_record.h (already
>included here) functions instead. Those are already in use by
>libsemanage. I agree it is confusing and not helped by the fact that we
>lack man pages for most sepol functions. Sorry.
>
>
Thanks, wasn't aware of those. Will update to use the libsepol API.
>> #include <semanage/handle.h>
>> #include <semanage/seusers_policy.h>
>> #include <semanage/users_policy.h>
>> @@ -82,9 +83,6 @@
>> #define TEMPLATE_USERNAME "%{USERNAME}"
>> #define TEMPLATE_USERID "%{USERID}"
>>
>> -#define TEMPLATE_SEUSER "system_u"
>> -#define TEMPLATE_LEVEL "s0"
>> -
>> #define FALLBACK_SENAME "user_u"
>> #define FALLBACK_PREFIX "user"
>> #define FALLBACK_LEVEL "s0"
>> @@ -92,6 +90,8 @@
>> #define FALLBACK_UIDGID "[0-9]+"
>> #define DEFAULT_LOGIN "__default__"
>>
>> +#define CONTEXT_NONE "<<none>>"
>> +
>> typedef struct user_entry {
>> char *name;
>> char *uid;
>> @@ -599,14 +599,72 @@ static int write_replacements(genhomedircon_settings_t * s, FILE * out,
>> return STATUS_ERR;
>> }
>>
>> +static int write_user_replacements(genhomedircon_settings_t *s, FILE *out,
>> + semanage_list_t *tpl, const replacement_pair_t *repl,
>> + const genhomedircon_user_entry_t *user)
>> +{
>> + Ustr *line = USTR_NULL;
>> + context_t context = NULL;
>> +
>> + for (; tpl; tpl = tpl->next) {
>> + line = replace_all(tpl->data, repl);
>> + if (!line) {
>> + goto fail;
>> + }
>> +
>> + const char *old_context_str = extract_context(line);
>> + if (!old_context_str) {
>> + goto fail;
>> + }
>> +
>> + if (strcmp(old_context_str, CONTEXT_NONE) == 0) {
>> + if (check_line(s, line) &&
>> + !ustr_io_putfileline(&line, out)) {
>> + goto fail;
>> + }
>> +
>> + continue;
>> + }
>> +
>> + context = context_new(old_context_str);
>
>sepol_context_from_string()
>
>> + if (!context) {
>> + goto fail;
>> + }
>> +
>> + if (context_user_set(context, user->sename) != 0 ||
>
>sepol_context_set_user()
>
>> + context_range_set(context, user->level) != 0) {
>
>sepol_context_set_mls()
>
>> + goto fail;
>> + }
>> +
>> + const char *new_context_str = context_str(context);
>
>sepol_context_to_string()
>
>> + if (!ustr_replace_cstr(&line, old_context_str,
>> + new_context_str, 1)) {
>> + goto fail;
>> + }
>> +
>> + if (check_line(s, line) == STATUS_SUCCESS) {
>> + if (!ustr_io_putfileline(&line, out)) {
>> + goto fail;
>> + }
>> + }
>> +
>> + ustr_sc_free(&line);
>> + context_free(context);
>
>sepol_context_free()
>
>> + }
>> +
>> + return STATUS_SUCCESS;
>> +fail:
>> + ustr_sc_free(&line);
>> + context_free(context);
>> + return STATUS_ERR;
>> +}
>> +
>> static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out,
>> semanage_list_t * tpl, const genhomedircon_user_entry_t *user)
>> {
>> replacement_pair_t repl[] = {
>> - {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
>> {.search_for = TEMPLATE_HOME_DIR,.replace_with = user->home},
>> {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
>> - {.search_for = TEMPLATE_LEVEL,.replace_with = user->level},
>> {NULL, NULL}
>> };
>>
>> @@ -618,7 +676,7 @@ static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out,
>> return STATUS_ERR;
>> }
>>
>> - return write_replacements(s, out, tpl, repl);
>> + return write_user_replacements(s, out, tpl, repl, user);
>> }
>>
>> static int write_home_root_context(genhomedircon_settings_t * s, FILE * out,
>> @@ -640,11 +698,10 @@ static int write_username_context(genhomedircon_settings_t * s, FILE * out,
>> {.search_for = TEMPLATE_USERNAME,.replace_with = user->name},
>> {.search_for = TEMPLATE_USERID,.replace_with = user->uid},
>> {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
>> - {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
>> {NULL, NULL}
>> };
>>
>> - return write_replacements(s, out, tpl, repl);
>> + return write_user_replacements(s, out, tpl, repl, user);
>> }
>>
>> static int write_user_context(genhomedircon_settings_t * s, FILE * out,
>> @@ -653,11 +710,10 @@ static int write_user_context(genhomedircon_settings_t * s, FILE * out,
>> replacement_pair_t repl[] = {
>> {.search_for = TEMPLATE_USER,.replace_with = user->name},
>> {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
>> - {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
>> {NULL, NULL}
>> };
>>
>> - return write_replacements(s, out, tpl, repl);
>> + return write_user_replacements(s, out, tpl, repl, user);
>> }
>>
>> static int seuser_sort_func(const void *arg1, const void *arg2)
>> @@ -1074,9 +1130,6 @@ static genhomedircon_user_entry_t *get_users(genhomedircon_settings_t * s,
>> if (strcmp(name, DEFAULT_LOGIN) == 0)
>> continue;
>>
>> - if (strcmp(name, TEMPLATE_SEUSER) == 0)
>> - continue;
>> -
>
>This yields a warning/error on Fedora:
>$ sudo semodule -B
>libsemanage.add_user: user system_u not in password file
>
I can re-add this conditional to prevent outputting the warning, though
is there a reason for a login named "system_u" ?
>And I end up with a slightly different file_contexts.homedirs:
>@@ -39,7 +39,6 @@
> /home/[^/]+/\.xauth.* -- unconfined_u:object_r:xauth_home_t:s0
> /home/[^/]+/\.Xauth.* -- unconfined_u:object_r:xauth_home_t:s0
> /home/[^/]+/\.local.* unconfined_u:object_r:gconf_home_t:s0
>-/home/[^/]+/\.gvfs/.* <<none>>
> /home/[^/]+/\.cache(/.*)? unconfined_u:object_r:cache_home_t:s0
> /home/[^/]+/\.gnupg(/.+)? unconfined_u:object_r:gpg_secret_t:s0
> /home/[^/]+/\.irssi(/.*)? unconfined_u:object_r:irc_home_t:s0
>@@ -51,7 +50,6 @@
> /home/[^/]+/\.pyzor(/.*)? unconfined_u:object_r:spamc_home_t:s0
> /home/[^/]+/\.razor(/.*)? unconfined_u:object_r:spamc_home_t:s0
> /home/[^/]+/\.spamd(/.*)? unconfined_u:object_r:spamc_home_t:s0
>-/home/[^/]+/\.debug(/.*)? <<none>>
> /home/[^/]+/vmware(/.*)? unconfined_u:object_r:vmware_file_t:s0
> /home/[^/]+/\.fonts(/.*)? unconfined_u:object_r:user_fonts_t:s0
> /home/[^/]+/\.gconf(d)?(/.*)? unconfined_u:object_r:gconf_home_t:s0
>
>The homedir_template has:
>...
>HOME_DIR/\.gvfs/.* <<none>>
>HOME_DIR/\.cache(/.*)? system_u:object_r:cache_home_t:s0
>HOME_DIR/\.gnupg(/.+)? system_u:object_r:gpg_secret_t:s0
>HOME_DIR/\.irssi(/.*)? system_u:object_r:irc_home_t:s0
>HOME_DIR/irclog(/.*)? system_u:object_r:irc_home_t:s0
>HOME_DIR/\.adobe(/.*)? system_u:object_r:mozilla_home_t:s0
>HOME_DIR/\.gnash(/.*)? system_u:object_r:mozilla_home_t:s0
>HOME_DIR/\.webex(/.*)? system_u:object_r:mozilla_home_t:s0
>HOME_DIR/\.pulse(/.*)? system_u:object_r:pulseaudio_home_t:s0
>HOME_DIR/\.pyzor(/.*)? system_u:object_r:spamc_home_t:s0
>HOME_DIR/\.razor(/.*)? system_u:object_r:spamc_home_t:s0
>HOME_DIR/\.spamd(/.*)? system_u:object_r:spamc_home_t:s0
>HOME_DIR/\.debug(/.*)? <<none>>
>...
>
>
Ah, sorry, missed a comparison in a check_line() call. Will send a v2
with this fixed.
>> /* find the user structure given the name */
>> u = bsearch(seuname, user_list, nusers, sizeof(semanage_user_t *),
>> (int (*)(const void *, const void *))
>>
>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 455 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] genhomedircon: remove hardcoded refpolicy strings
2016-09-07 4:42 ` Gary Tierney
@ 2016-09-07 7:15 ` Dominick Grift
2016-09-07 12:45 ` Stephen Smalley
2016-09-07 12:36 ` Stephen Smalley
1 sibling, 1 reply; 13+ messages in thread
From: Dominick Grift @ 2016-09-07 7:15 UTC (permalink / raw)
To: selinux
[-- Attachment #1.1: Type: text/plain, Size: 9820 bytes --]
On 09/07/2016 06:42 AM, Gary Tierney wrote:
> On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley wrote:
>> On 09/06/2016 09:48 AM, Gary Tierney wrote:
>>> Removes the "system_u" and "s0" string literals from refpolicy and
>>> replaces the seuser and range in each homedir, uid, and username context
>>> specification for every user.
>>>
>>> Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
>>> ---
>>> libsemanage/src/genhomedircon.c | 79
>>> ++++++++++++++++++++++++++++++++++-------
>>> 1 file changed, 66 insertions(+), 13 deletions(-)
>>>
>>> diff --git a/libsemanage/src/genhomedircon.c
>>> b/libsemanage/src/genhomedircon.c
>>> index cce3884..cca97f6 100644
>>> --- a/libsemanage/src/genhomedircon.c
>>> +++ b/libsemanage/src/genhomedircon.c
>>> @@ -20,6 +20,7 @@
>>> * 02110-1301 USA
>>> */
>>>
>>> +#include <selinux/context.h>
>>
>> I think we likely want to use the sepol/context_record.h (already
>> included here) functions instead. Those are already in use by
>> libsemanage. I agree it is confusing and not helped by the fact that we
>> lack man pages for most sepol functions. Sorry.
>>
>>
> Thanks, wasn't aware of those. Will update to use the libsepol API.
>
>>> #include <semanage/handle.h>
>>> #include <semanage/seusers_policy.h>
>>> #include <semanage/users_policy.h>
>>> @@ -82,9 +83,6 @@
>>> #define TEMPLATE_USERNAME "%{USERNAME}"
>>> #define TEMPLATE_USERID "%{USERID}"
>>>
>>> -#define TEMPLATE_SEUSER "system_u"
>>> -#define TEMPLATE_LEVEL "s0"
>>> -
>>> #define FALLBACK_SENAME "user_u"
>>> #define FALLBACK_PREFIX "user"
>>> #define FALLBACK_LEVEL "s0"
>>> @@ -92,6 +90,8 @@
>>> #define FALLBACK_UIDGID "[0-9]+"
>>> #define DEFAULT_LOGIN "__default__"
>>>
>>> +#define CONTEXT_NONE "<<none>>"
>>> +
>>> typedef struct user_entry {
>>> char *name;
>>> char *uid;
>>> @@ -599,14 +599,72 @@ static int
>>> write_replacements(genhomedircon_settings_t * s, FILE * out,
>>> return STATUS_ERR;
>>> }
>>>
>>> +static int write_user_replacements(genhomedircon_settings_t *s, FILE
>>> *out,
>>> + semanage_list_t *tpl, const replacement_pair_t *repl,
>>> + const genhomedircon_user_entry_t *user)
>>> +{
>>> + Ustr *line = USTR_NULL;
>>> + context_t context = NULL;
>>> +
>>> + for (; tpl; tpl = tpl->next) {
>>> + line = replace_all(tpl->data, repl);
>>> + if (!line) {
>>> + goto fail;
>>> + }
>>> +
>>> + const char *old_context_str = extract_context(line);
>>> + if (!old_context_str) {
>>> + goto fail;
>>> + }
>>> +
>>> + if (strcmp(old_context_str, CONTEXT_NONE) == 0) {
>>> + if (check_line(s, line) &&
>>> + !ustr_io_putfileline(&line, out)) {
>>> + goto fail;
>>> + }
>>> +
>>> + continue;
>>> + }
>>> +
>>> + context = context_new(old_context_str);
>>
>> sepol_context_from_string()
>>
>>> + if (!context) {
>>> + goto fail;
>>> + }
>>> +
>>> + if (context_user_set(context, user->sename) != 0 ||
>>
>> sepol_context_set_user()
>>
>>> + context_range_set(context, user->level) != 0) {
>>
>> sepol_context_set_mls()
>>
>>> + goto fail;
>>> + }
>>> +
>>> + const char *new_context_str = context_str(context);
>>
>> sepol_context_to_string()
>>
>>> + if (!ustr_replace_cstr(&line, old_context_str,
>>> + new_context_str, 1)) {
>>> + goto fail;
>>> + }
>>> +
>>> + if (check_line(s, line) == STATUS_SUCCESS) {
>>> + if (!ustr_io_putfileline(&line, out)) {
>>> + goto fail;
>>> + }
>>> + }
>>> +
>>> + ustr_sc_free(&line);
>>> + context_free(context);
>>
>> sepol_context_free()
>>
>>> + }
>>> +
>>> + return STATUS_SUCCESS;
>>> +fail:
>>> + ustr_sc_free(&line);
>>> + context_free(context);
>>> + return STATUS_ERR;
>>> +}
>>> +
>>> static int write_home_dir_context(genhomedircon_settings_t * s, FILE
>>> * out,
>>> semanage_list_t * tpl, const
>>> genhomedircon_user_entry_t *user)
>>> {
>>> replacement_pair_t repl[] = {
>>> - {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
>>> {.search_for = TEMPLATE_HOME_DIR,.replace_with = user->home},
>>> {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
>>> - {.search_for = TEMPLATE_LEVEL,.replace_with = user->level},
>>> {NULL, NULL}
>>> };
>>>
>>> @@ -618,7 +676,7 @@ static int
>>> write_home_dir_context(genhomedircon_settings_t * s, FILE * out,
>>> return STATUS_ERR;
>>> }
>>>
>>> - return write_replacements(s, out, tpl, repl);
>>> + return write_user_replacements(s, out, tpl, repl, user);
>>> }
>>>
>>> static int write_home_root_context(genhomedircon_settings_t * s,
>>> FILE * out,
>>> @@ -640,11 +698,10 @@ static int
>>> write_username_context(genhomedircon_settings_t * s, FILE * out,
>>> {.search_for = TEMPLATE_USERNAME,.replace_with = user->name},
>>> {.search_for = TEMPLATE_USERID,.replace_with = user->uid},
>>> {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
>>> - {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
>>> {NULL, NULL}
>>> };
>>>
>>> - return write_replacements(s, out, tpl, repl);
>>> + return write_user_replacements(s, out, tpl, repl, user);
>>> }
>>>
>>> static int write_user_context(genhomedircon_settings_t * s, FILE * out,
>>> @@ -653,11 +710,10 @@ static int
>>> write_user_context(genhomedircon_settings_t * s, FILE * out,
>>> replacement_pair_t repl[] = {
>>> {.search_for = TEMPLATE_USER,.replace_with = user->name},
>>> {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
>>> - {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
>>> {NULL, NULL}
>>> };
>>>
>>> - return write_replacements(s, out, tpl, repl);
>>> + return write_user_replacements(s, out, tpl, repl, user);
>>> }
>>>
>>> static int seuser_sort_func(const void *arg1, const void *arg2)
>>> @@ -1074,9 +1130,6 @@ static genhomedircon_user_entry_t
>>> *get_users(genhomedircon_settings_t * s,
>>> if (strcmp(name, DEFAULT_LOGIN) == 0)
>>> continue;
>>>
>>> - if (strcmp(name, TEMPLATE_SEUSER) == 0)
>>> - continue;
>>> -
>>
>> This yields a warning/error on Fedora:
>> $ sudo semodule -B
>> libsemanage.add_user: user system_u not in password file
>>
>
> I can re-add this conditional to prevent outputting the warning, though
> is there a reason for a login named "system_u" ?
>
Is that warning really useful in the first place though? My requirement
to create a gdm selinux id also causes these messages for user gdm when
ever semodule -B is run on systems that do not have the gdm user.
Can we not just print that message only when semodule is run with -v
instead?
>> And I end up with a slightly different file_contexts.homedirs:
>> @@ -39,7 +39,6 @@
>> /home/[^/]+/\.xauth.* -- unconfined_u:object_r:xauth_home_t:s0
>> /home/[^/]+/\.Xauth.* -- unconfined_u:object_r:xauth_home_t:s0
>> /home/[^/]+/\.local.* unconfined_u:object_r:gconf_home_t:s0
>> -/home/[^/]+/\.gvfs/.* <<none>>
>> /home/[^/]+/\.cache(/.*)? unconfined_u:object_r:cache_home_t:s0
>> /home/[^/]+/\.gnupg(/.+)? unconfined_u:object_r:gpg_secret_t:s0
>> /home/[^/]+/\.irssi(/.*)? unconfined_u:object_r:irc_home_t:s0
>> @@ -51,7 +50,6 @@
>> /home/[^/]+/\.pyzor(/.*)? unconfined_u:object_r:spamc_home_t:s0
>> /home/[^/]+/\.razor(/.*)? unconfined_u:object_r:spamc_home_t:s0
>> /home/[^/]+/\.spamd(/.*)? unconfined_u:object_r:spamc_home_t:s0
>> -/home/[^/]+/\.debug(/.*)? <<none>>
>> /home/[^/]+/vmware(/.*)? unconfined_u:object_r:vmware_file_t:s0
>> /home/[^/]+/\.fonts(/.*)? unconfined_u:object_r:user_fonts_t:s0
>> /home/[^/]+/\.gconf(d)?(/.*)? unconfined_u:object_r:gconf_home_t:s0
>>
>> The homedir_template has:
>> ...
>> HOME_DIR/\.gvfs/.* <<none>>
>> HOME_DIR/\.cache(/.*)? system_u:object_r:cache_home_t:s0
>> HOME_DIR/\.gnupg(/.+)? system_u:object_r:gpg_secret_t:s0
>> HOME_DIR/\.irssi(/.*)? system_u:object_r:irc_home_t:s0
>> HOME_DIR/irclog(/.*)? system_u:object_r:irc_home_t:s0
>> HOME_DIR/\.adobe(/.*)? system_u:object_r:mozilla_home_t:s0
>> HOME_DIR/\.gnash(/.*)? system_u:object_r:mozilla_home_t:s0
>> HOME_DIR/\.webex(/.*)? system_u:object_r:mozilla_home_t:s0
>> HOME_DIR/\.pulse(/.*)? system_u:object_r:pulseaudio_home_t:s0
>> HOME_DIR/\.pyzor(/.*)? system_u:object_r:spamc_home_t:s0
>> HOME_DIR/\.razor(/.*)? system_u:object_r:spamc_home_t:s0
>> HOME_DIR/\.spamd(/.*)? system_u:object_r:spamc_home_t:s0
>> HOME_DIR/\.debug(/.*)? <<none>>
>> ...
>>
>>
>
> Ah, sorry, missed a comparison in a check_line() call. Will send a v2
> with this fixed.
>
>>> /* find the user structure given the name */
>>> u = bsearch(seuname, user_list, nusers,
>>> sizeof(semanage_user_t *),
>>> (int (*)(const void *, const void *))
>>>
>>
>
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 648 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] genhomedircon: remove hardcoded refpolicy strings
2016-09-07 4:42 ` Gary Tierney
2016-09-07 7:15 ` Dominick Grift
@ 2016-09-07 12:36 ` Stephen Smalley
2016-09-07 12:47 ` Dominick Grift
1 sibling, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2016-09-07 12:36 UTC (permalink / raw)
To: selinux
On 09/07/2016 12:42 AM, Gary Tierney wrote:
> On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley wrote:
>> On 09/06/2016 09:48 AM, Gary Tierney wrote:
>>> static int seuser_sort_func(const void *arg1, const void
>>> *arg2) @@ -1074,9 +1130,6 @@ static genhomedircon_user_entry_t
>>> *get_users(genhomedircon_settings_t * s, if (strcmp(name,
>>> DEFAULT_LOGIN) == 0) continue;
>>>
>>> - if (strcmp(name, TEMPLATE_SEUSER) == 0) -
>>> continue; -
>>
>> This yields a warning/error on Fedora: $ sudo semodule -B
>> libsemanage.add_user: user system_u not in password file
>>
>
> I can re-add this conditional to prevent outputting the warning,
> though is there a reason for a login named "system_u" ?
crond used to require one in order to look up the context for system
cron jobs; I'm not sure if that is still required, but it is still
present in Fedora.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] genhomedircon: remove hardcoded refpolicy strings
2016-09-07 7:15 ` Dominick Grift
@ 2016-09-07 12:45 ` Stephen Smalley
2016-09-07 12:45 ` Dominick Grift
0 siblings, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2016-09-07 12:45 UTC (permalink / raw)
To: Dominick Grift, selinux
On 09/07/2016 03:15 AM, Dominick Grift wrote:
> On 09/07/2016 06:42 AM, Gary Tierney wrote:
>> On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley wrote:
>>> On 09/06/2016 09:48 AM, Gary Tierney wrote:
>>>> @@ -1074,9 +1130,6 @@ static genhomedircon_user_entry_t
>>>> *get_users(genhomedircon_settings_t * s, if (strcmp(name,
>>>> DEFAULT_LOGIN) == 0) continue;
>>>>
>>>> - if (strcmp(name, TEMPLATE_SEUSER) == 0) -
>>>> continue; -
>>>
>>> This yields a warning/error on Fedora: $ sudo semodule -B
>>> libsemanage.add_user: user system_u not in password file
>>>
>>
>> I can re-add this conditional to prevent outputting the warning,
>> though is there a reason for a login named "system_u" ?
>>
>
> Is that warning really useful in the first place though? My
> requirement to create a gdm selinux id also causes these messages
> for user gdm when ever semodule -B is run on systems that do not
> have the gdm user.
Why do you need a gdm selinux id?
> Can we not just print that message only when semodule is run with
> -v instead?
Presently -v only affects output from semodule itself; it isn't
propagated to libsemanage in any way. And libsemanage logging only
defines three levels presently: error, warning, info. So we don't
presently have the support for making a libsemanage log message
verbose-only, even if we wanted to do so.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] genhomedircon: remove hardcoded refpolicy strings
2016-09-07 12:45 ` Stephen Smalley
@ 2016-09-07 12:45 ` Dominick Grift
0 siblings, 0 replies; 13+ messages in thread
From: Dominick Grift @ 2016-09-07 12:45 UTC (permalink / raw)
To: Stephen Smalley, selinux
[-- Attachment #1.1: Type: text/plain, Size: 1970 bytes --]
On 09/07/2016 02:45 PM, Stephen Smalley wrote:
> On 09/07/2016 03:15 AM, Dominick Grift wrote:
>> On 09/07/2016 06:42 AM, Gary Tierney wrote:
>>> On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley wrote:
>>>> On 09/06/2016 09:48 AM, Gary Tierney wrote:
>>>>> @@ -1074,9 +1130,6 @@ static genhomedircon_user_entry_t
>>>>> *get_users(genhomedircon_settings_t * s, if (strcmp(name,
>>>>> DEFAULT_LOGIN) == 0) continue;
>>>>>
>>>>> - if (strcmp(name, TEMPLATE_SEUSER) == 0) -
>>>>> continue; -
>>>>
>>>> This yields a warning/error on Fedora: $ sudo semodule -B
>>>> libsemanage.add_user: user system_u not in password file
>>>>
>>>
>>> I can re-add this conditional to prevent outputting the warning,
>>> though is there a reason for a login named "system_u" ?
>>>
>>
>> Is that warning really useful in the first place though? My
>> requirement to create a gdm selinux id also causes these messages
>> for user gdm when ever semodule -B is run on systems that do not
>> have the gdm user.
>
> Why do you need a gdm selinux id?
>
PAM related
Because systemd spawns a --user instance for gdm and that in turn runs a
gdm --session bus.
In order to run the gdm --session bus in gdm.subj this was needed.
Basically gdm is sort of treated as a real user in some ways. E.g. It
has a /run/user/42 and it has a systemd --user instance
>> Can we not just print that message only when semodule is run with
>> -v instead?
>
> Presently -v only affects output from semodule itself; it isn't
> propagated to libsemanage in any way. And libsemanage logging only
> defines three levels presently: error, warning, info. So we don't
> presently have the support for making a libsemanage log message
> verbose-only, even if we wanted to do so.
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 648 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] genhomedircon: remove hardcoded refpolicy strings
2016-09-07 12:36 ` Stephen Smalley
@ 2016-09-07 12:47 ` Dominick Grift
2016-09-07 12:55 ` Dominick Grift
2016-09-07 13:00 ` Stephen Smalley
0 siblings, 2 replies; 13+ messages in thread
From: Dominick Grift @ 2016-09-07 12:47 UTC (permalink / raw)
To: selinux
[-- Attachment #1.1: Type: text/plain, Size: 1486 bytes --]
On 09/07/2016 02:36 PM, Stephen Smalley wrote:
> On 09/07/2016 12:42 AM, Gary Tierney wrote:
>> On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley wrote:
>>> On 09/06/2016 09:48 AM, Gary Tierney wrote:
>>>> static int seuser_sort_func(const void *arg1, const void
>>>> *arg2) @@ -1074,9 +1130,6 @@ static genhomedircon_user_entry_t
>>>> *get_users(genhomedircon_settings_t * s, if (strcmp(name,
>>>> DEFAULT_LOGIN) == 0) continue;
>>>>
>>>> - if (strcmp(name, TEMPLATE_SEUSER) == 0) -
>>>> continue; -
>>>
>>> This yields a warning/error on Fedora: $ sudo semodule -B
>>> libsemanage.add_user: user system_u not in password file
>>>
>>
>> I can re-add this conditional to prevent outputting the warning,
>> though is there a reason for a login named "system_u" ?
>
> crond used to require one in order to look up the context for system
> cron jobs; I'm not sure if that is still required, but it is still
> present in Fedora.
https://git.fedorahosted.org/cgit/cronie.git/commit/?id=e5280235809844f54d5956ec281472b63dcfc3f4
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 648 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] genhomedircon: remove hardcoded refpolicy strings
2016-09-07 12:47 ` Dominick Grift
@ 2016-09-07 12:55 ` Dominick Grift
2016-09-07 13:00 ` Stephen Smalley
1 sibling, 0 replies; 13+ messages in thread
From: Dominick Grift @ 2016-09-07 12:55 UTC (permalink / raw)
To: selinux
[-- Attachment #1.1: Type: text/plain, Size: 1740 bytes --]
On 09/07/2016 02:47 PM, Dominick Grift wrote:
> On 09/07/2016 02:36 PM, Stephen Smalley wrote:
>> On 09/07/2016 12:42 AM, Gary Tierney wrote:
>>> On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley wrote:
>>>> On 09/06/2016 09:48 AM, Gary Tierney wrote:
>>>>> static int seuser_sort_func(const void *arg1, const void
>>>>> *arg2) @@ -1074,9 +1130,6 @@ static genhomedircon_user_entry_t
>>>>> *get_users(genhomedircon_settings_t * s, if (strcmp(name,
>>>>> DEFAULT_LOGIN) == 0) continue;
>>>>>
>>>>> - if (strcmp(name, TEMPLATE_SEUSER) == 0) -
>>>>> continue; -
>>>>
>>>> This yields a warning/error on Fedora: $ sudo semodule -B
>>>> libsemanage.add_user: user system_u not in password file
>>>>
>>>
>>> I can re-add this conditional to prevent outputting the warning,
>>> though is there a reason for a login named "system_u" ?
>>
>> crond used to require one in order to look up the context for system
>> cron jobs; I'm not sure if that is still required, but it is still
>> present in Fedora.
>
> https://git.fedorahosted.org/cgit/cronie.git/commit/?id=e5280235809844f54d5956ec281472b63dcfc3f4
>
Basically crond is always associated with system_u because we now have
systemd to start it. So we no longer have this id issue that we had with
upstart/sysv
>
>> _______________________________________________
>> Selinux mailing list
>> Selinux@tycho.nsa.gov
>> To unsubscribe, send email to Selinux-leave@tycho.nsa.gov.
>> To get help, send an email containing "help" to Selinux-request@tycho.nsa.gov.
>>
>
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 648 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] genhomedircon: remove hardcoded refpolicy strings
2016-09-07 12:47 ` Dominick Grift
2016-09-07 12:55 ` Dominick Grift
@ 2016-09-07 13:00 ` Stephen Smalley
2016-09-07 13:04 ` Dominick Grift
1 sibling, 1 reply; 13+ messages in thread
From: Stephen Smalley @ 2016-09-07 13:00 UTC (permalink / raw)
To: Dominick Grift, selinux
On 09/07/2016 08:47 AM, Dominick Grift wrote:
> On 09/07/2016 02:36 PM, Stephen Smalley wrote:
>> On 09/07/2016 12:42 AM, Gary Tierney wrote:
>>> On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley
>>> wrote:
>>>> On 09/06/2016 09:48 AM, Gary Tierney wrote:
>>>>> static int seuser_sort_func(const void *arg1, const void
>>>>> *arg2) @@ -1074,9 +1130,6 @@ static
>>>>> genhomedircon_user_entry_t
>>>>> *get_users(genhomedircon_settings_t * s, if (strcmp(name,
>>>>> DEFAULT_LOGIN) == 0) continue;
>>>>>
>>>>> - if (strcmp(name, TEMPLATE_SEUSER) == 0) -
>>>>> continue; -
>>>>
>>>> This yields a warning/error on Fedora: $ sudo semodule -B
>>>> libsemanage.add_user: user system_u not in password file
>>>>
>>>
>>> I can re-add this conditional to prevent outputting the
>>> warning, though is there a reason for a login named "system_u"
>>> ?
>>
>> crond used to require one in order to look up the context for
>> system cron jobs; I'm not sure if that is still required, but it
>> is still present in Fedora.
>
> https://git.fedorahosted.org/cgit/cronie.git/commit/?id=e5280235809844f54d5956ec281472b63dcfc3f4
Ok,
>
so maybe someone should file a bug on policy to remove system_u
from seusers? After first testing that it doesn't break anything.
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] genhomedircon: remove hardcoded refpolicy strings
2016-09-07 13:00 ` Stephen Smalley
@ 2016-09-07 13:04 ` Dominick Grift
2016-09-07 13:08 ` Stephen Smalley
0 siblings, 1 reply; 13+ messages in thread
From: Dominick Grift @ 2016-09-07 13:04 UTC (permalink / raw)
To: Stephen Smalley, selinux
[-- Attachment #1.1: Type: text/plain, Size: 1651 bytes --]
On 09/07/2016 03:00 PM, Stephen Smalley wrote:
> On 09/07/2016 08:47 AM, Dominick Grift wrote:
>> On 09/07/2016 02:36 PM, Stephen Smalley wrote:
>>> On 09/07/2016 12:42 AM, Gary Tierney wrote:
>>>> On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley
>>>> wrote:
>>>>> On 09/06/2016 09:48 AM, Gary Tierney wrote:
>>>>>> static int seuser_sort_func(const void *arg1, const void
>>>>>> *arg2) @@ -1074,9 +1130,6 @@ static
>>>>>> genhomedircon_user_entry_t
>>>>>> *get_users(genhomedircon_settings_t * s, if (strcmp(name,
>>>>>> DEFAULT_LOGIN) == 0) continue;
>>>>>>
>>>>>> - if (strcmp(name, TEMPLATE_SEUSER) == 0) -
>>>>>> continue; -
>>>>>
>>>>> This yields a warning/error on Fedora: $ sudo semodule -B
>>>>> libsemanage.add_user: user system_u not in password file
>>>>>
>>>>
>>>> I can re-add this conditional to prevent outputting the
>>>> warning, though is there a reason for a login named "system_u"
>>>> ?
>>>
>>> crond used to require one in order to look up the context for
>>> system cron jobs; I'm not sure if that is still required, but it
>>> is still present in Fedora.
>>
>> https://git.fedorahosted.org/cgit/cronie.git/commit/?id=e5280235809844f54d5956ec281472b63dcfc3f4
>
> Ok,
>>
> so maybe someone should file a bug on policy to remove system_u
> from seusers? After first testing that it doesn't break anything.
>
>
>
https://github.com/DefenSec/dssp/commit/08b73d7c79945bec0307aec76c04fccda9e336a6
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 648 bytes --]
^ permalink raw reply [flat|nested] 13+ messages in thread
* Re: [PATCH] genhomedircon: remove hardcoded refpolicy strings
2016-09-07 13:04 ` Dominick Grift
@ 2016-09-07 13:08 ` Stephen Smalley
0 siblings, 0 replies; 13+ messages in thread
From: Stephen Smalley @ 2016-09-07 13:08 UTC (permalink / raw)
To: Dominick Grift, selinux
On 09/07/2016 09:04 AM, Dominick Grift wrote:
> On 09/07/2016 03:00 PM, Stephen Smalley wrote:
>> On 09/07/2016 08:47 AM, Dominick Grift wrote:
>>> On 09/07/2016 02:36 PM, Stephen Smalley wrote:
>>>> On 09/07/2016 12:42 AM, Gary Tierney wrote:
>>>>> On Tue, Sep 06, 2016 at 03:13:17PM -0400, Stephen Smalley
>>>>> wrote:
>>>>>> On 09/06/2016 09:48 AM, Gary Tierney wrote:
>>>>>>> static int seuser_sort_func(const void *arg1, const
>>>>>>> void *arg2) @@ -1074,9 +1130,6 @@ static
>>>>>>> genhomedircon_user_entry_t
>>>>>>> *get_users(genhomedircon_settings_t * s, if
>>>>>>> (strcmp(name, DEFAULT_LOGIN) == 0) continue;
>>>>>>>
>>>>>>> - if (strcmp(name, TEMPLATE_SEUSER) == 0) -
>>>>>>> continue; -
>>>>>>
>>>>>> This yields a warning/error on Fedora: $ sudo semodule -B
>>>>>> libsemanage.add_user: user system_u not in password
>>>>>> file
>>>>>>
>>>>>
>>>>> I can re-add this conditional to prevent outputting the
>>>>> warning, though is there a reason for a login named
>>>>> "system_u" ?
>>>>
>>>> crond used to require one in order to look up the context
>>>> for system cron jobs; I'm not sure if that is still required,
>>>> but it is still present in Fedora.
>>>
>>> https://git.fedorahosted.org/cgit/cronie.git/commit/?id=e5280235809844f54d5956ec281472b63dcfc3f4
>>
>>
>>>
Ok,
>>>
>> so maybe someone should file a bug on policy to remove system_u
>> from seusers? After first testing that it doesn't break
>> anything.
>>
>>
>>
>
> https://github.com/DefenSec/dssp/commit/08b73d7c79945bec0307aec76c04fccda9e336a6
Ok,
>
but I meant a bug against fedora policy to remove it.
^ permalink raw reply [flat|nested] 13+ messages in thread
end of thread, other threads:[~2016-09-07 13:08 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-09-06 13:48 [PATCH] remove system_u and s0 hardcoded strings Gary Tierney
2016-09-06 13:48 ` [PATCH] genhomedircon: remove hardcoded refpolicy strings Gary Tierney
2016-09-06 19:13 ` Stephen Smalley
2016-09-07 4:42 ` Gary Tierney
2016-09-07 7:15 ` Dominick Grift
2016-09-07 12:45 ` Stephen Smalley
2016-09-07 12:45 ` Dominick Grift
2016-09-07 12:36 ` Stephen Smalley
2016-09-07 12:47 ` Dominick Grift
2016-09-07 12:55 ` Dominick Grift
2016-09-07 13:00 ` Stephen Smalley
2016-09-07 13:04 ` Dominick Grift
2016-09-07 13:08 ` Stephen Smalley
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).