From: jwcart2@tycho.nsa.gov (James Carter) Date: Tue, 24 Aug 2010 15:50:49 -0400 Subject: [refpolicy] [m4-isms patch 6/6] Remove use of gen_user in users Message-ID: <1282679449.14992.36.camel@moss-lions.epoch.ncsc.mil> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com I can't parse the following either manually or with the help of a computer: define(`gen_user',`dnl ifdef(`users_extra',`dnl ifelse(`$2',,,`user $1 prefix $2;') ',`dnl user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')'); ')dnl ') I am not sure what the right solution is here. I could implement something that does the job of gen_user (I sort of do that for gen_context), but I can't deal with ifdef's in macro call arguments and I don't want MCS specific parts built in, so I haven't done that. This is very ugly.
---
 policy/users | 55 +++++++++++++++++++++++++++++++++++++++++++++++--------
 1 file changed, 47 insertions(+), 8 deletions(-)
--- a/policy/users
+++ b/policy/users
@@ -15,7 +15,7 @@
 # and a user process should never be assigned the system user
 # identity.
 #
-gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+# gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # user_u is a generic user identity for Linux users who have no
@@ -24,12 +24,12 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # SELinux user identity for a Linux user. If you do not want to
 # permit any access to such users, then remove this entry.
 #
-gen_user(user_u, user, user_r, s0, s0)
-gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
-gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
+# gen_user(user_u, user, user_r, s0, s0)
+# gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+# gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
 # Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+# gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
 #
 # The following users correspond to Unix identities.
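Review bot: The old gen_user calls are left in as commented-out lines rather than removed, in this hunk and likewise in the hunks at lines 15 and 38; with the live `user` declarations now spelled out in the line-38 hunk, these copies are dead text that will drift from what is actually built. Deleting them and letting the commit message carry the reference to gen_user would be cleaner. Note also that the `#ifdef(`direct_sysadm_daemon',``, `#',`` and `#')` lines in the line-38 hunk carry unbalanced m4 quotes, which is only harmless while m4's default `#`-to-newline comment handling copies them through verbatim; if the build's m4 invocation ever disables that (changecom), those lines would unbalance the quoting of the rest of the file.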
@@ -38,8 +38,47 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
 # role should use the staff_r role instead of the user_r role when
 # not in the sysadm_r.
 #
-ifdef(`direct_sysadm_daemon',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#ifdef(`direct_sysadm_daemon',`
+# gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+#',`
+# gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+#')
+
+ifdef(`enable_mls',`
+ user system_u roles system_r level s0 range s0 - mls_systemhigh;
+ user user_u roles user_r level s0 range s0;
+ user staff_u roles { staff_r sysadm_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
+ user sysadm_u roles sysadm_r level s0 range s0 - mls_systemhigh;
+ user unconfined_u roles unconfined_r level s0 range s0 - mls_systemhigh;
+ ifdef(`direct_sysadm_daemon',`
+ user root roles { sysadm_r staff_r secadm_r auditadm_r system_r } level s0 range s0 - mls_systemhigh;
+ ',`
+ user root roles { sysadm_r staff_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
+ ')
 ',`
- gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
+ ifdef(`enable_mcs',`
+ user system_u roles system_r level s0 range s0 - s0:mcs_allcats;
+ user user_u roles user_r level s0 range s0;
+ user staff_u roles { staff_r sysadm_r } level s0 range s0 - s0:mcs_allcats;
+ user sysadm_u roles sysadm_r level s0 range s0 - s0:mcs_allcats;
+ user unconfined_u roles unconfined_r level s0 range s0 - s0:mcs_allcats;
+ ifdef(`direct_sysadm_daemon',`
+ user root roles { sysadm_r staff_r system_r } level s0 range s0 - s0:mcs_allcats;
+ ',`
+ user root roles { sysadm_r staff_r } level s0 range s0 - s0:mcs_allcats;
+ ')
+ ',`
+ # No MLS
+ # Not supporting MCS
+ user system_u roles system_r;
+ user user_u roles user_r;
+ user staff_u roles { staff_r sysadm_r };
+ user sysadm_u roles sysadm_r;
+ user unconfined_u roles unconfined_r;
+ ifdef(`direct_sysadm_daemon',`
+ user root roles { sysadm_r staff_r system_r };
+ ',`
+ user root roles { sysadm_r staff_r };
+ ')
+ ')
 ')
-- James Carter National Security Agency
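Review bot: The expanded `user` statements drop the `users_extra` branch of gen_user entirely: as quoted in the description, the macro emits `user $1 prefix $2;` instead of a roles declaration when `users_extra` is defined, and nothing in the new block produces that form, so whatever still defines `users_extra` (presumably the build step that collects a prefix list) now receives roles declarations where it expected prefixes. Either add an `ifdef` on `users_extra` that emits `user user_u prefix user;` and the corresponding line for each other user, or state in the commit message that the prefix output is intentionally gone. Separately, the user list is now written out three times (MLS, MCS, neither), so a user or role added in one branch and missed in another silently yields different policies per build type; until that is factored out, a comment above the block such as `# Keep the three user lists below in sync; only the level/range suffix should differ between branches` would flag it. The enclosing ifdef on `enable_mls` opens and closes within this hunk.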