Removes the "system_u" and "s0" string literals from refpolicy and
replaces the seuser and range in each homedir, uid, and username context
specification for every user.

Signed-off-by: Gary Tierney <gary.tier...@gmx.com>
---
 libsemanage/src/genhomedircon.c | 87 +++++++++++++++++++++++++++++++++++------
 1 file changed, 74 insertions(+), 13 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c
index cce3884..3fc9e7a 100644
--- a/libsemanage/src/genhomedircon.c
+++ b/libsemanage/src/genhomedircon.c
@@ -82,9 +82,6 @@
 #define TEMPLATE_USERNAME "%{USERNAME}"
 #define TEMPLATE_USERID "%{USERID}"
 
-#define TEMPLATE_SEUSER "system_u"
-#define TEMPLATE_LEVEL "s0"
-
 #define FALLBACK_SENAME "user_u"
 #define FALLBACK_PREFIX "user"
 #define FALLBACK_LEVEL "s0"
@@ -92,6 +89,8 @@
 #define FALLBACK_UIDGID "[0-9]+"
 #define DEFAULT_LOGIN "__default__"
 
+#define CONTEXT_NONE "<<none>>"
+
 typedef struct user_entry {
        char *name;
        char *uid;
@@ -599,14 +598,81 @@ static int write_replacements(genhomedircon_settings_t * 
s, FILE * out,
        return STATUS_ERR;
 }
 
+static int write_contexts(genhomedircon_settings_t *s, FILE *out,
+                         semanage_list_t *tpl, const replacement_pair_t *repl,
+                         const genhomedircon_user_entry_t *user)
+{
+       Ustr *line = USTR_NULL;
+       sepol_context_t *context = NULL;
+       char *new_context_str = NULL;
+
+       for (; tpl; tpl = tpl->next) {
+               line = replace_all(tpl->data, repl);
+               if (!line) {
+                       goto fail;
+               }
+
+               const char *old_context_str = extract_context(line);
+               if (!old_context_str) {
+                       goto fail;
+               }
+
+               if (strcmp(old_context_str, CONTEXT_NONE) == 0) {
+                       if (check_line(s, line) == STATUS_SUCCESS &&
+                           !ustr_io_putfileline(&line, out)) {
+                               goto fail;
+                       }
+
+                       continue;
+               }
+
+               sepol_handle_t *sepolh = s->h_semanage->sepolh;
+
+               if (sepol_context_from_string(sepolh, old_context_str,
+                                             &context) < 0) {
+                       goto fail;
+               }
+
+               if (sepol_context_set_user(sepolh, context, user->sename) < 0 ||
+                   sepol_context_set_mls(sepolh, context, user->level) < 0) {
+                       goto fail;
+               }
+
+               if (sepol_context_to_string(sepolh, context,
+                                           &new_context_str) < 0) {
+                       goto fail;
+               }
+
+               if (!ustr_replace_cstr(&line, old_context_str,
+                                      new_context_str, 1)) {
+                       goto fail;
+               }
+
+               if (check_line(s, line) == STATUS_SUCCESS) {
+                       if (!ustr_io_putfileline(&line, out)) {
+                               goto fail;
+                       }
+               }
+
+               ustr_sc_free(&line);
+               sepol_context_free(context);
+               free(new_context_str);
+       }
+
+       return STATUS_SUCCESS;
+fail:
+       ustr_sc_free(&line);
+       sepol_context_free(context);
+       free(new_context_str);
+       return STATUS_ERR;
+}
+
 static int write_home_dir_context(genhomedircon_settings_t * s, FILE * out,
                                  semanage_list_t * tpl, const 
genhomedircon_user_entry_t *user)
 {
        replacement_pair_t repl[] = {
-               {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
                {.search_for = TEMPLATE_HOME_DIR,.replace_with = user->home},
                {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
-               {.search_for = TEMPLATE_LEVEL,.replace_with = user->level},
                {NULL, NULL}
        };
 
@@ -618,7 +684,7 @@ static int write_home_dir_context(genhomedircon_settings_t 
* s, FILE * out,
                        return STATUS_ERR;
        }
 
-       return write_replacements(s, out, tpl, repl);
+       return write_contexts(s, out, tpl, repl, user);
 }
 
 static int write_home_root_context(genhomedircon_settings_t * s, FILE * out,
@@ -640,11 +706,10 @@ static int 
write_username_context(genhomedircon_settings_t * s, FILE * out,
                {.search_for = TEMPLATE_USERNAME,.replace_with = user->name},
                {.search_for = TEMPLATE_USERID,.replace_with = user->uid},
                {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
-               {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
                {NULL, NULL}
        };
 
-       return write_replacements(s, out, tpl, repl);
+       return write_contexts(s, out, tpl, repl, user);
 }
 
 static int write_user_context(genhomedircon_settings_t * s, FILE * out,
@@ -653,11 +718,10 @@ static int write_user_context(genhomedircon_settings_t * 
s, FILE * out,
        replacement_pair_t repl[] = {
                {.search_for = TEMPLATE_USER,.replace_with = user->name},
                {.search_for = TEMPLATE_ROLE,.replace_with = user->prefix},
-               {.search_for = TEMPLATE_SEUSER,.replace_with = user->sename},
                {NULL, NULL}
        };
 
-       return write_replacements(s, out, tpl, repl);
+       return write_contexts(s, out, tpl, repl, user);
 }
 
 static int seuser_sort_func(const void *arg1, const void *arg2)
@@ -1074,9 +1138,6 @@ static genhomedircon_user_entry_t 
*get_users(genhomedircon_settings_t * s,
                if (strcmp(name, DEFAULT_LOGIN) == 0)
                        continue;
 
-               if (strcmp(name, TEMPLATE_SEUSER) == 0)
-                       continue;
-
                /* find the user structure given the name */
                u = bsearch(seuname, user_list, nusers, sizeof(semanage_user_t 
*),
                            (int (*)(const void *, const void *))
-- 
2.7.4

_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Reply via email to