[refpolicy] [m4-isms patch 6/6] Remove use of gen_user in users
James Carter
jwcart2 at tycho.nsa.gov
Wed Aug 25 09:30:04 CDT 2010
On Wed, 2010-08-25 at 09:11 -0400, Christopher J. PeBenito wrote:
> On 08/24/10 15:50, James Carter wrote:
> > I can't parse the following either manually or with the help of a
> > computer:
> >
> > define(`gen_user',`dnl
> > ifdef(`users_extra',`dnl
> > ifelse(`$2',,,`user $1 prefix $2;')
> > ',`dnl
> > user $1 roles { $3 }`'ifdef(`enable_mls', ` level $4 range $5')`'ifdef(`enable_mcs',` level s0 range s0`'ifelse(`$6',,,` - s0:$6')');
> > ')dnl
> > ')
> >
> > I am not sure what the right solution is here. I could implement
> > something that does the job of gen_user (I sort of do that for
> > gen_context), but I can't deal with ifdef's in macro call arguments and
> > I don't want MCS specific parts built in, so I haven't done that.
> >
> > This is very ugly.
>
> The main reason for this is that so much stuff goes on one line, and
> some of it is optional. Additionally, the users_extra file is generated
> out of gen_user(), so this breaks that support.
>
I don't expect you to take these changes.
I expected that I would probably just build in understanding of
gen_user. I have done that with gen_context already.
> >
> > ---
> > policy/users | 55 +++++++++++++++++++++++++++++++++++++++++++++++--------
> > 1 file changed, 47 insertions(+), 8 deletions(-)
> >
> > --- a/policy/users
> > +++ b/policy/users
> > @@ -15,7 +15,7 @@
> > # and a user process should never be assigned the system user
> > # identity.
> > #
> > -gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +# gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> >
> > #
> > # user_u is a generic user identity for Linux users who have no
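Review bot: the replacement statement for system_u carries no prefix argument, so the `user $1 prefix $2;` form that gen_user() emits when users_extra is defined (see the macro definition quoted above) can no longer be derived from this file, which is the users_extra breakage Chris points out; the hunk needs another source of name/prefix pairs before it can go in. Also, commenting out the gen_user() call instead of deleting it leaves dead text that still carries the MLS and MCS arguments; either remove it outright or keep it as the single source the plain statements are generated from.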
> > @@ -24,12 +24,12 @@ gen_user(system_u,, system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > # SELinux user identity for a Linux user. If you do not want to
> > # permit any access to such users, then remove this entry.
> > #
> > -gen_user(user_u, user, user_r, s0, s0)
> > -gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> > -gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +# gen_user(user_u, user, user_r, s0, s0)
> > +# gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> > +# gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
> >
> > # Until order dependence is fixed for users:
> > -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +# gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> >
> > #
> > # The following users correspond to Unix identities.
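Review bot: the comment `# Until order dependence is fixed for users:` now introduces a commented-out line, so it documents nothing that is in effect; if the commented-out gen_user() calls stay for reference, move that note next to the unconfined_u statement in the expanded block, otherwise drop both. As in the previous hunk, the prefix arguments (user, staff, sysadm, unconfined) survive only inside comments.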
> > @@ -38,8 +38,47 @@ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_al
> > # role should use the staff_r role instead of the user_r role when
> > # not in the sysadm_r.
> > #
> > -ifdef(`direct_sysadm_daemon',`
> > - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +#ifdef(`direct_sysadm_daemon',`
> > +# gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r') system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +#',`
> > +# gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> > +#')
> > +
> > +ifdef(`enable_mls',`
> > + user system_u roles system_r level s0 range s0 - mls_systemhigh;
> > + user user_u roles user_r level s0 range s0;
> > + user staff_u roles { staff_r sysadm_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
> > + user sysadm_u roles sysadm_r level s0 range s0 - mls_systemhigh;
> > + user unconfined_u roles unconfined_r level s0 range s0 - mls_systemhigh;
> > + ifdef(`direct_sysadm_daemon',`
> > + user root roles { sysadm_r staff_r secadm_r auditadm_r system_r } level s0 range s0 - mls_systemhigh;
> > + ',`
> > + user root roles { sysadm_r staff_r secadm_r auditadm_r } level s0 range s0 - mls_systemhigh;
> > + ')
> > ',`
> > - gen_user(root, sysadm, sysadm_r staff_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> > + ifdef(`enable_mcs',`
> > + user system_u roles system_r level s0 range s0 - s0:mcs_allcats;
> > + user user_u roles user_r level s0 range s0;
> > + user staff_u roles { staff_r sysadm_r } level s0 range s0 - s0:mcs_allcats;
> > + user sysadm_u roles sysadm_r level s0 range s0 - s0:mcs_allcats;
> > + user unconfined_u roles unconfined_r level s0 range s0 - s0:mcs_allcats;
> > + ifdef(`direct_sysadm_daemon',`
> > + user root roles { sysadm_r staff_r system_r } level s0 range s0 - s0:mcs_allcats;
> > + ',`
> > + user root roles { sysadm_r staff_r } level s0 range s0 - s0:mcs_allcats;
> > + ')
> > + ',`
> > + # No MLS
> > + # Not supporting MCS
> > + user system_u roles system_r;
> > + user user_u roles user_r;
> > + user staff_u roles { staff_r sysadm_r };
> > + user sysadm_u roles sysadm_r;
> > + user unconfined_u roles unconfined_r;
> > + ifdef(`direct_sysadm_daemon',`
> > + user root roles { sysadm_r staff_r system_r };
> > + ',`
> > + user root roles { sysadm_r staff_r };
> > + ')
> > + ')
> > ')
> >
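Review bot: the six user declarations are now spelled out three times (enable_mls, enable_mcs, neither) and differ only in the `level ... range ...` suffix and the two MLS-only roles on staff_u and root, and the direct_sysadm_daemon alternative doubles that again for root, so any future role change has to be made in three or six places; the patch description should say why that is acceptable, or the set should be reduced to one block per user. Two smaller points: the old `ifdef(`direct_sysadm_daemon', ...)` block is commented out rather than deleted (the history keeps it), and the nesting here makes enable_mls win when both enable_mls and enable_mcs are defined, whereas the gen_user() definition quoted above emits both level/range clauses in that case, a behaviour difference worth a line in the commit message.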
>
>
--
James Carter <jwcart2 at tycho.nsa.gov>
National Security Agency
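The expansion that the gen_user() m4 definition quoted in this thread performs, re-implemented in Python as an added example (it is not refpolicy code and not from either author). It takes the six macro arguments and the build-time defines (enable_mls, enable_mcs, users_extra, direct_sysadm_daemon) and emits the same `user` statement the m4 would, so the hand-expanded lines in the patch can be checked against the macro's own output. The UserSpec class, the mls_only role set and the normalize() helper are this example's own modelling choices, not refpolicy identifiers.

```python
"""Python re-implementation of refpolicy's gen_user() m4 macro (added example)."""

from dataclasses import dataclass, field


@dataclass
class UserSpec:
    """One gen_user() call site: arguments $1..$6 of the macro."""
    name: str                      # $1
    prefix: str                    # $2, empty for system_u
    roles: list                    # $3, in source order
    level: str = "s0"              # $4
    mls_range: str = "s0"          # $5
    mcs_cats: str = ""             # $6, empty means "range s0" with no categories
    # roles in $3 that the call site wraps in ifdef(`enable_mls', ...)
    mls_only: set = field(default_factory=set)


def gen_user(spec, enable_mls=False, enable_mcs=False, users_extra=False):
    """Expand one gen_user() call exactly as the m4 definition does.

    users_extra build: only `user NAME prefix PREFIX;`, and nothing at all
    when the prefix argument is empty (the ifelse on $2 in the macro).
    Normal build: the roles clause, then the MLS clause if enable_mls,
    then the MCS clause if enable_mcs.  Like the m4, this emits BOTH
    clauses when both symbols are defined; it does not pick one.
    """
    if users_extra:
        return f"user {spec.name} prefix {spec.prefix};" if spec.prefix else ""
    roles = [r for r in spec.roles if enable_mls or r not in spec.mls_only]
    stmt = f"user {spec.name} roles {{ {' '.join(roles)} }}"
    if enable_mls:
        stmt += f" level {spec.level} range {spec.mls_range}"
    if enable_mcs:
        stmt += " level s0 range s0"
        if spec.mcs_cats:
            stmt += f" - s0:{spec.mcs_cats}"
    return stmt + ";"


def normalize(stmt):
    """Drop the braces around a single role, the way the patch writes them.

    `roles { user_r }` and `roles user_r` mean the same thing in policy
    syntax; this only makes string comparison with the patch lines possible.
    """
    head, sep, tail = stmt.partition(" roles { ")
    if not sep:
        return stmt
    inner, _, rest = tail.partition(" }")
    if " " in inner.strip():
        return stmt
    return f"{head} roles {inner.strip()}{rest}"


# The call sites from policy/users as they appear in the removed lines.
FULL = "s0 - mls_systemhigh"

USERS = [
    UserSpec("system_u", "", ["system_r"], mls_range=FULL, mcs_cats="mcs_allcats"),
    UserSpec("user_u", "user", ["user_r"]),
    UserSpec("staff_u", "staff", ["staff_r", "sysadm_r", "secadm_r", "auditadm_r"],
             mls_range=FULL, mcs_cats="mcs_allcats", mls_only={"secadm_r", "auditadm_r"}),
    UserSpec("sysadm_u", "sysadm", ["sysadm_r"], mls_range=FULL, mcs_cats="mcs_allcats"),
    UserSpec("unconfined_u", "unconfined", ["unconfined_r"], mls_range=FULL, mcs_cats="mcs_allcats"),
]


def root_spec(direct_sysadm_daemon):
    """The root call site differs only in whether system_r is appended."""
    roles = ["sysadm_r", "staff_r", "secadm_r", "auditadm_r"]
    if direct_sysadm_daemon:
        roles.append("system_r")
    return UserSpec("root", "sysadm", roles, mls_range=FULL, mcs_cats="mcs_allcats",
                    mls_only={"secadm_r", "auditadm_r"})


def expand_users_file(enable_mls=False, enable_mcs=False, direct_sysadm_daemon=False):
    """Emit the user statements of policy/users for one build configuration."""
    specs = USERS + [root_spec(direct_sysadm_daemon)]
    return [normalize(gen_user(s, enable_mls, enable_mcs)) for s in specs]


if __name__ == "__main__":
    for flags in ({"enable_mls": True}, {"enable_mcs": True}, {}):
        print(f"# {flags or 'no MLS, no MCS'}")
        print("\n".join(expand_users_file(**flags)))
```

Running it prints the three blocks of the patch; the only differences from the m4 output are the braces normalize() strips around single roles. Calling gen_user() with both enable_mls and enable_mcs set shows the double `level ... range ...` clause the original macro would produce, which the patch's nested ifdefs avoid by letting enable_mls take precedence.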