From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: support/
Date: Sun,  7 Feb 2021 03:20:04 +0000 (UTC)	[thread overview]
Message-ID: <1612644851.c7d0c5c923977ecd27f6e3464d12b296151c17ad.perfinion@gentoo> (raw)

commit:     c7d0c5c923977ecd27f6e3464d12b296151c17ad
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sun Jan 31 20:50:11 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb  6 20:54:11 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c7d0c5c9

genhomedircon: drop backwards compatibility section

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 support/genhomedircon.py | 162 +----------------------------------------------
 1 file changed, 1 insertion(+), 161 deletions(-)

diff --git a/support/genhomedircon.py b/support/genhomedircon.py
index bb4e5061..e9d72067 100644
--- a/support/genhomedircon.py
+++ b/support/genhomedircon.py
@@ -40,7 +40,7 @@
 #  are always "real" (including root, in the default configuration).
 #
 
-import sys, os, pwd, getopt, re
+import sys, pwd, getopt, re
 from subprocess import getstatusoutput
 
 EXCLUDE_LOGINS=["/sbin/nologin", "/bin/false"]
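Review bot: Dropping `os` from the import line is only safe if nothing else in genhomedircon.py still references it. The one use visible in this diff, `os.path.isdir` in the removed `oldgenhomedircon`, goes away with this commit, but most of the file is outside the diff, so a pyflakes run or a search for `os.` is worth doing before merge. Separately, `getstatusoutput` stays imported and hands its argument to a shell. The removed helpers interpolated `sys.argv[2]`, `filecontext` and passwd home directories into those command strings, so the remaining callers should be checked to pass constant commands only, as `getDefaultHomeDir` does in the context of the next hunk.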
@@ -69,162 +69,6 @@ def getStartingUID():
 		starting_uid = 500
 	return starting_uid
 
-#############################################################################
-#
-# This section is just for backwards compatibility
-#
-#############################################################################
-def getPrefixes():
-	ulist = pwd.getpwall()
-	STARTING_UID=getStartingUID()
-	prefixes = {}
-	for u in ulist:
-		if u[2] >= STARTING_UID and \
-				not u[6] in EXCLUDE_LOGINS and \
-				u[5] != "/" and \
-				u[5].count("/") > 1:
-			prefix = u[5][:u[5].rfind("/")]
-			if not prefix in prefixes:
-				prefixes[prefix] = ""
-	return prefixes
-
-def getUsers(filecontextdir):
-	rc = getstatusoutput("grep ^user %s/users" % filecontextdir)
-	udict = {}
-	if rc[0] == 0:
-		ulist = rc[1].strip().split("\n")
-		for u in ulist:
-			user = u.split()
-			try:
-				if user[1] == "user_u" or user[1] == "system_u":
-					continue
-				# !!! chooses first role in the list to use in the file context !!!
-				role = user[3]
-				if role == "{":
-					role = user[4]
-				role = role.split("_r")[0]
-				home = pwd.getpwnam(user[1])[5]
-				if home == "/":
-					continue
-				prefs = {}
-				prefs["role"] = role
-				prefs["home"] = home
-				udict[user[1]] = prefs
-			except KeyError:
-				sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user[1])
-	return udict
-
-def update(filecontext, user, prefs):
-	rc=getstatusoutput("grep -h '^HOME_DIR' %s | grep -v vmware | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (filecontext, prefs["home"], prefs["role"], user))
-	if rc[0] == 0:
-		print(rc[1])
-	else:
-		errorExit("grep/sed error " + rc[1])
-	return rc
-
-def oldgenhomedircon(filecontextdir, filecontext):
-        sys.stderr.flush()
-
-        if os.path.isdir(filecontextdir) == 0:
-                sys.stderr.write("New usage is the following\n")
-                usage()
-        #We are going to define home directory used by libuser and show-utils as a home directory root
-        prefixes = {}
-        rc=getstatusoutput("grep -h '^HOME' /etc/default/useradd")
-        if rc[0] == 0:
-                homedir = rc[1].split("=")[1]
-                homedir = homedir.split("#")[0]
-                homedir = homedir.strip()
-                if not homedir in prefixes:
-                        prefixes[homedir] = ""
-        else:
-                #rc[0] == 256 means the file was there, we read it, but the grep didn't match
-                if rc[0] != 256:
-                        sys.stderr.write("%s\n" % rc[1])
-                        sys.stderr.write("You do not have access to /etc/default/useradd HOME=\n")
-                        sys.stderr.flush()
-
-
-        rc=getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
-        if rc[0] == 0:
-                homedir = rc[1].split("=")[1]
-                homedir = homedir.split("#")[0]
-                homedir = homedir.strip()
-                homedir = re.sub(r"[^/a-zA-Z0-9].*$", "", homedir)
-                if not homedir in prefixes:
-                        prefixes[homedir] = ""
-
-        #the idea is that we need to find all of the home_root_t directories we do this by just accepting
-        #any default home directory defined by either /etc/libuser.conf or /etc/default/useradd
-        #we then get the potential home directory roots from /etc/passwd or nis or wherever and look at
-        #the defined homedir for all users with UID > STARTING_UID.  This list of possible root homedirs
-        #is then checked to see if it has an explicit context defined in the file_contexts.  Explicit
-        #is any regex that would match it which does not end with .*$ or .+$ since those are general
-        #recursive matches.  We then take any regex which ends with [pattern](/.*)?$ and just check against
-        #[pattern]
-        potential_prefixes = getPrefixes()
-        prefix_regex = {}
-        #this works by grepping the file_contexts for
-        # 1. ^/ makes sure this is not a comment
-        # 2. prints only the regex in the first column first cut on \t then on space
-        rc=getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " %  (sys.argv[2]) )
-        if rc[0] == 0:
-                prefix_regex = rc[1].split("\n")
-        else:
-                sys.stderr.write("%s\n" % rc[1])
-                sys.stderr.write("You do not have access to grep/cut/the file contexts\n")
-                sys.stderr.flush()
-        for potential in potential_prefixes.keys():
-                addme = 1
-                for regex in prefix_regex:
-                        #match a trailing (/*)? which is actually a bug in rpc_pipefs
-                        regex = re.sub(r"\(/\*\)\?$", "", regex)
-                        #match a trailing .+
-                        regex = re.sub(r"\.+$", "", regex)
-                        #match a trailing .*
-                        regex = re.sub(r"\.\*$", "", regex)
-                        #strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
-                        regex = re.sub(r"\(\/\.\*\)\?", "", regex)
-                        regex = regex + "/*$"
-                        if re.search(regex, potential, 0):
-                                addme = 0
-                if addme == 1:
-                        if not potential in prefixes:
-                                prefixes[potential] = ""
-
-
-        if prefixes.__eq__({}):
-                sys.stderr.write("LU_HOMEDIRECTORY not set in /etc/libuser.conf\n")
-                sys.stderr.write("HOME= not set in /etc/default/useradd\n")
-                sys.stderr.write("And no users with a reasonable homedir found in passwd/nis/ldap/etc...\n")
-                sys.stderr.write("Assuming /home is the root of home directories\n")
-                sys.stderr.flush()
-                prefixes["/home"] = ""
-
-        # There may be a more elegant sed script to expand a macro to multiple lines, but this works
-        sed_root = "h; s|^HOME_ROOT|%s|" % (prefixes.keys() + "|; p; g; s|^HOME_ROOT|")
-        sed_dir = "h; s|^HOME_DIR|%s/[^/]+|; s|ROLE_|user_|" % (prefixes.keys() + "/[^/]+|; s|ROLE_|user_|; p; g; s|^HOME_DIR|")
-
-        # Fill in HOME_ROOT, HOME_DIR, and ROLE for users not explicitly defined in /etc/security/selinux/src/policy/users
-        rc=getstatusoutput("sed -e \"/^HOME_ROOT/{%s}\" -e \"/^HOME_DIR/{%s}\" %s" % (sed_root, sed_dir, filecontext))
-        if rc[0] == 0:
-                print(rc[1])
-        else:
-                errorExit("sed error " + rc[1])
-
-        users = getUsers(filecontextdir)
-        print("\n#\n# User-specific file contexts\n#\n")
-
-        # Fill in HOME and ROLE for users that are defined
-        for u in users.keys():
-                update(filecontext, u, users[u])
-
-#############################################################################
-#
-# End of backwards compatibility section
-#
-#############################################################################
-
 def getDefaultHomeDir():
 	ret = []
 	rc=getstatusoutput("grep -h '^HOME' /etc/default/useradd")
@@ -466,10 +310,6 @@ try:
 	if setype is None:
 		setype=getSELinuxType(directory)
 
-	if len(cmds) == 2:
-		oldgenhomedircon(cmds[0], cmds[1])
-		sys.exit(0)
-
 	if len(cmds) != 0:
 		usage()
 	selconf=selinuxConfig(directory, setype, usepwd)

