From: jwcart2@tycho.nsa.gov (James Carter)
Date: Wed, 25 Aug 2010 10:30:04 -0400
Subject: [refpolicy] [m4-isms patch 6/6] Remove use of gen_user in users
In-Reply-To: <4C751676.7020009@tresys.com>
References: <1282679449.14992.36.camel@moss-lions.epoch.ncsc.mil> <4C751676.7020009@tresys.com>
Message-ID: <1282746604.25778.36.camel@moss-lions.epoch.ncsc.mil>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Wed, 2010-08-25 at 09:11 -0400, Christopher J. PeBenito wrote:
> On 08/24/10 15:50, James Carter wrote:
> > I can't parse the following either manually or with the help of a
> > computer:
> >
> > define(`gen_user',`dnl
> > ifdef(`users_extra',`dnl
> > ifelse(`$2',,,`user $1 prefix $2;')
> > ',`dnl
> > user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
> > ')dnl
> > ')
> >
> > I am not sure what the right solution is here. I could implement
> > something that does the job of gen_user (I sort of do that for
> > gen_context), but I can't deal with ifdef's in macro call arguments and
> > I don't want MCS specific parts built in, so I haven't done that.
> >
> > This is very ugly.
>
> The main reason for this is that so much stuff goes on one line, and
> some of it is optional. Additionally, the users_extra file is generated
> out of gen_user(), so this breaks that support.
>

I don't expect you to take these changes. I expected that I would probably just build in understanding of gen_user. I have done that with gen_context already.

> >
> > ---
> > policy/users | 55 +++++++++++++++++++++++++++++++++++++++++++++++--------
> > 1 file changed, 47 insertions(+), 8 deletions(-)
> >
> > --- a/policy/users
> > +++ b/policy/users
> > @@ -15,7 +15,7 @@ > > # and a user process should never be assigned the system user > > # identity. > > # > > -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) > > +# gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) > > > > # > > # user_u is a generic user identity for Linux users who have no > > @@ -24,12 +24,12 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats) > > # SELinux user identity for a Linux user. If you do not want to > > # permit any access to such users, then remove this entry. > > # > > -gen_user(user_u, user, user_r, s0, s0) > > -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) > > -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) > > +# gen_user(user_u, user, user_r, s0, s0) > > +# gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) > > +# gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats) > > > > # Until order dependence is fixed for users: > > -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) > > +# gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats) > > > > # > > # The following users correspond to Unix identities. 
> > @@ -38,8 +38,47 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al > > # role should use the staff_r role instead of the user_r role when > > # not in the sysadm_r. > > # > > -ifdef(`direct_sysadm_daemon',` > > - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) > > +#ifdef(`direct_sysadm_daemon',` > > +# gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats) > > +#',` > > +# gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) > > +#') > > + > > +ifdef(`enable_mls',` > > + user system_u roles system_r level s0 range s0 - mls_systemhigh; > > + user user_u roles user_r level s0 range s0; > > + user staff_u roles { staff_r sysadm_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh; > > + user sysadm_u roles sysadm_r level s0 range s0 - mls_systemhigh; > > + user unconfined_u roles unconfined_r level s0 range s0 - mls_systemhigh; > > + ifdef(`direct_sysadm_daemon',` > > + user root roles { sysadm_r staff_r secadm_r auditadm_r system_r } level s0 range s0 - mls_systemhigh; > > + ',` > > + user root roles { sysadm_r staff_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh; > > + ') > > ',` > > - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats) > > + ifdef(`enable_mcs',` > > + user system_u roles system_r level s0 range s0 - s0:mcs_allcats; > > + user user_u roles user_r level s0 range s0; > > + user staff_u roles { staff_r sysadm_r } level s0 range s0 - s0:mcs_allcats; > > + user sysadm_u roles sysadm_r level s0 range s0 - s0:mcs_allcats; > > + user unconfined_u roles unconfined_r level s0 range s0 - s0:mcs_allcats; > > + ifdef(`direct_sysadm_daemon',` > > + user root roles { sysadm_r staff_r system_r } level s0 range s0 - 
s0:mcs_allcats; > > + ',` > > + user root roles { sysadm_r staff_r } level s0 range s0 - s0:mcs_allcats; > > + ') > > + ',` > > + # No MLS > > + # Not supporting MCS > > + user system_u roles system_r; > > + user user_u roles user_r; > > + user staff_u roles { staff_r sysadm_r }; > > + user sysadm_u roles sysadm_r; > > + user unconfined_u roles unconfined_r; > > + ifdef(`direct_sysadm_daemon',` > > + user root roles { sysadm_r staff_r system_r }; > > + ',` > > + user root roles { sysadm_r staff_r }; > > + ') > > + ') > > ') > > > > -- James Carter National Security Agency
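Review bot: in the first two hunks (@@ -15,7 +15,7 @@ and @@ -24,12 +24,12 @@) the old gen_user calls are commented out (`+# gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)` and the five lines like it) rather than deleted, which leaves dead lines in policy/users that anyone grepping for remaining gen_user callers will hit; delete them and let version history keep the old form. The kept context line `# Until order dependence is fixed for users:` in the second hunk now introduces only a commented-out line, so it should either move next to the new `user unconfined_u roles unconfined_r ...` declarations or be dropped.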
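Review bot: the third hunk (@@ -38,8 +38,47 @@) drops the prefix argument without replacement: the removed `gen_user(user_u, user, user_r, ...)`, `gen_user(staff_u, staff, ...)` and `gen_user(sysadm_u, sysadm, ...)` calls fed the `user $1 prefix $2;` branch that gen_user emits under `ifdef(`users_extra'`, and none of the new `+ user ... roles ...;` lines carry that information, so the users_extra output PeBenito mentions is silently lost. The hunk also repeats every user declaration three times, once under `+ifdef(`enable_mls',``, once under `+ ifdef(`enable_mcs',`` and once in the `+ # No MLS` / `+ # Not supporting MCS` branch, so each future role change has to be made in three places and the role sets (e.g. `secadm_r auditadm_r` for staff_u and root, present only in the MLS block) can drift; a comment above the new `ifdef(`enable_mls'` stating that the three blocks must mirror each other would at least make that explicit, and the `# Not supporting MCS` comment should say that this branch is the case where neither enable_mls nor enable_mcs is defined.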