From patchwork Wed Sep 21 23:52:27 2016
X-Patchwork-Submitter: Gary Tierney
X-Patchwork-Id: 9344373
From: Gary Tierney
To: selinux@tycho.nsa.gov
Subject: [PATCH v2 1/1] genhomedircon: remove hardcoded refpolicy strings
Date: Thu, 22 Sep 2016 00:52:27 +0100
Message-Id: <1474501947-7314-2-git-send-email-gary.tierney@gmx.com>
In-Reply-To: <1474501947-7314-1-git-send-email-gary.tierney@gmx.com>
References: <1474501947-7314-1-git-send-email-gary.tierney@gmx.com>
List-Id: "Security-Enhanced Linux (SELinux) mailing list"

Removes the "system_u" and "s0" string literals from refpolicy and replaces the seuser and range in each homedir, uid, and username context specification for every user.
Signed-off-by: Gary Tierney --- libsemanage/src/genhomedircon.c | 87 +++++++++++++++++++++++++++++++++++------ 1 file changed, 74 insertions(+), 13 deletions(-) diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c index cce3884..3fc9e7a 100644 --- a/libsemanage/src/genhomedircon.c +++ b/libsemanage/src/genhomedircon.c @@ -82,9 +82,6 @@ #define TEMPLATE_USERNAME "%{USERNAME}" #define TEMPLATE_USERID "%{USERID}" -#define TEMPLATE_SEUSER "system_u" -#define TEMPLATE_LEVEL "s0" - #define FALLBACK_SENAME "user_u" #define FALLBACK_PREFIX "user" #define FALLBACK_LEVEL "s0" @@ -92,6 +89,8 @@ #define FALLBACK_UIDGID "[0-9]+" #define DEFAULT_LOGIN "__default__" +#define CONTEXT_NONE "<>" + typedef struct user_entry { char *name; char *uid; 
@@ -599,14 +598,81 @@ static int write_replacements(genhomedircon_settings_t * s, FILE * out, return STATUS_ERR; } +static int write_contexts(genhomedircon_settings_t *s, FILE *out, + semanage_list_t *tpl, const replacement_pair_t *repl, + const genhomedircon_user_entry_t *user) +{ + Ustr *line = USTR_NULL; + sepol_context_t *context = NULL; + char *new_context_str = NULL; + + for (; tpl; tpl = tpl->next) { + line = replace_all(tpl->data, repl); + if (!line) { + goto fail; + } + + const char *old_context_str = extract_context(line); + if (!old_context_str) { + goto fail; + } + + if (strcmp(old_context_str, CONTEXT_NONE) == 0) { + if (check_line(s, line) == STATUS_SUCCESS && + !ustr_io_putfileline(&line, out)) { + goto fail; + } + + continue; + } + + sepol_handle_t *sepolh = s->h_semanage->sepolh; + + if (sepol_context_from_string(sepolh, old_context_str, + &context) < 0) { + goto fail; + } + + if (sepol_context_set_user(sepolh, context, user->sename) < 0 || + sepol_context_set_mls(sepolh, context, user->level) < 0) { + goto fail; + } + + if (sepol_context_to_string(sepolh, context, + &new_context_str) < 0) { + goto fail; + } + + if (!ustr_replace_cstr(&line, old_context_str, + new_context_str, 1)) { + goto fail; + } + + if (check_line(s, line) == STATUS_SUCCESS) { + if (!ustr_io_putfileline(&line, out)) { + goto fail; + } + } + + ustr_sc_free(&line); + sepol_context_free(context); + free(new_context_str); + } + + return STATUS_SUCCESS; +fail: + ustr_sc_free(&line); + sepol_context_free(context); + free(new_context_str); + return STATUS_ERR; +} + static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out, semanage_list_t * tpl, const genhomedircon_user_entry_t *user) { replacement_pair_t repl[] = { - {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename}, {.search_for = TEMPLATE_HOME_DIR,.replace_with = user->home}, {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix}, - {.search_for = TEMPLATE_LEVEL,.replace_with = user->level}, {NULL, 
NULL} }; @@ -618,7 +684,7 @@ static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out, return STATUS_ERR; } - return write_replacements(s, out, tpl, repl); + return write_contexts(s, out, tpl, repl, user); } static int write_home_root_context(genhomedircon_settings_t * s, FILE * out, @@ -640,11 +706,10 @@ static int write_username_context(genhomedircon_settings_t * s, FILE * out, {.search_for = TEMPLATE_USERNAME,.replace_with = user->name}, {.search_for = TEMPLATE_USERID,.replace_with = user->uid}, {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix}, - {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename}, {NULL, NULL} }; - return write_replacements(s, out, tpl, repl); + return write_contexts(s, out, tpl, repl, user); } static int write_user_context(genhomedircon_settings_t * s, FILE * out, @@ -653,11 +718,10 @@ static int write_user_context(genhomedircon_settings_t * s, FILE * out, replacement_pair_t repl[] = { {.search_for = TEMPLATE_USER,.replace_with = user->name}, {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix}, - {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename}, {NULL, NULL} }; - return write_replacements(s, out, tpl, repl); + return write_contexts(s, out, tpl, repl, user); } static int seuser_sort_func(const void *arg1, const void *arg2) @@ -1074,9 +1138,6 @@ static genhomedircon_user_entry_t *get_users(genhomedircon_settings_t * s, if (strcmp(name, DEFAULT_LOGIN) == 0) continue; - if (strcmp(name, TEMPLATE_SEUSER) == 0) - continue; - /* find the user structure given the name */ u = bsearch(seuname, user_list, nusers, sizeof(semanage_user_t *), (int (*)(const void *, const void *))
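Review bot: the new CONTEXT_NONE "<>" define in hunk @@ -92,6 +89,8 @@ should carry a one-line comment saying it is the file_contexts marker for "no context", since write_contexts keys its skip path on an exact strcmp against it and a reader of the header block has no way to tell why "<>" is special.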
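Review bot: write_contexts in hunk @@ -599,14 +598,81 @@ leaks `line` on the CONTEXT_NONE path: after `ustr_io_putfileline(&line, out)` succeeds (or `check_line` fails) the loop hits `continue` without the `ustr_sc_free(&line);` that the normal path does at the end of the iteration, so one Ustr is lost per "<>" template line. Separately, `context` and `new_context_str` are freed at the bottom of each iteration but not reset to NULL, so if a later iteration fails before reassigning them (for example `replace_all` or `extract_context` returning NULL, or `sepol_context_from_string` failing), the `fail:` label calls `sepol_context_free(context)` and `free(new_context_str)` on already-freed pointers. Either set both to NULL right after freeing them, or move the frees to the top of the loop body. It would also help to state in the commit message what `sepol_context_set_mls(sepolh, context, user->level)` is expected to do on a non-MLS policy, where the template contexts carry no range.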
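Review bot: removing the `if (strcmp(name, TEMPLATE_SEUSER) == 0) continue;` check from get_users in hunk @@ -1074,9 +1138,6 @@ is a behaviour change, not just cleanup: a login mapping literally named "system_u" was previously skipped and will now be processed like any other user. The commit message only mentions removing the literals from the template replacements; it should say whether this is intentional and, if so, why the skip is no longer needed.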