From patchwork Thu Oct 6 11:09:41 2016
X-Patchwork-Submitter: Gary Tierney
X-Patchwork-Id: 9364589
From: Gary Tierney
To: selinux@tycho.nsa.gov
Subject: [PATCH v2 1/1] genhomedircon: use userprefix as the role for homedir content
Date: Thu, 6 Oct 2016 12:09:41 +0100
Message-Id: <638048b6d79a18861e58155ca14012706af5b445.1475590141.git.gary.tierney@gmx.com>
X-Mailer: git-send-email 2.4.11
List-Id: "Security-Enhanced Linux \(SELinux\) mailing list"

Treat a user's prefix like a mapping to the role for file context specifications in users' homedirs. This behavior is only applicable when the user's prefix is the identifier of a role which is valid for the given user.
If the prefix is not a valid role, then genhomedircon will write contexts out as normal.

Additionally, this commit enables configuring RBACSEP in policy:

    (tunableif enable_rbacsep
        (true (userprefix user_u user_r))
        (false (userprefix user_u object_r)))

Signed-off-by: Gary Tierney
---
 libsemanage/src/genhomedircon.c | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

diff --git a/libsemanage/src/genhomedircon.c b/libsemanage/src/genhomedircon.c index 3fc9e7a..0dd2b29 100644 --- a/libsemanage/src/genhomedircon.c +++ b/libsemanage/src/genhomedircon.c @@ -100,6 +100,7 @@ typedef struct user_entry { char *home; char *level; char *login; + char *homedir_role; struct user_entry *next; } genhomedircon_user_entry_t; @@ -177,6 +178,13 @@ static int ignore(const char *homedir) { return 0; } +static int prefix_is_homedir_role(const semanage_user_t *user, + const char *prefix) +{ + return strcmp(OBJECT_R, prefix) == 0 || + semanage_user_has_role(user, prefix); +} + static semanage_list_t *default_shell_list(void) { semanage_list_t *list = NULL; @@ -638,6 +646,11 @@ static int write_contexts(genhomedircon_settings_t *s, FILE *out, goto fail; } + if (user->homedir_role && + sepol_context_set_role(sepolh, context, user->homedir_role) < 0) { + goto fail; + } + if (sepol_context_to_string(sepolh, context, &new_context_str) < 0) { goto fail; @@ -756,7 +769,7 @@ static int name_user_cmp(char *key, semanage_user_t ** val) static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, const char *u, const char *g, const char *sen, const char *pre, const char *h, const char *l, - const char *ln) + const char *ln, const char *hd_role) { genhomedircon_user_entry_t *temp = NULL; char *name = NULL; 
@@ -767,6 +780,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, char *home = NULL; char *level = NULL; char *lname = NULL; + char *homedir_role = NULL; temp = malloc(sizeof(genhomedircon_user_entry_t)); if (!temp) @@ -795,6 +809,11 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, lname = strdup(ln); if (!lname) goto cleanup; + if (hd_role) { + homedir_role = strdup(hd_role); + if (!homedir_role) + goto cleanup; + } temp->name = name; temp->uid = uid; @@ -804,6 +823,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, temp->home = home; temp->level = level; temp->login = lname; + temp->homedir_role = homedir_role; temp->next = (*list); (*list) = temp; @@ -818,6 +838,7 @@ static int push_user_entry(genhomedircon_user_entry_t ** list, const char *n, free(home); free(level); free(lname); + free(homedir_role); free(temp); return STATUS_ERR; } @@ -839,6 +860,7 @@ static void pop_user_entry(genhomedircon_user_entry_t ** list) free(temp->home); free(temp->level); free(temp->login); + free(temp->homedir_role); free(temp); } @@ -852,6 +874,7 @@ static int setup_fallback_user(genhomedircon_settings_t * s) const char *seuname = NULL; const char *prefix = NULL; const char *level = NULL; + const char *homedir_role = NULL; unsigned int i; int retval; int errors = 0; @@ -886,10 +909,14 @@ static int setup_fallback_user(genhomedircon_settings_t * s) level = FALLBACK_LEVEL; } + if (prefix_is_homedir_role(u, prefix)) { + homedir_role = prefix; + } + if (push_user_entry(&(s->fallback), FALLBACK_NAME, FALLBACK_UIDGID, FALLBACK_UIDGID, seuname, prefix, "", level, - FALLBACK_NAME) != 0) + FALLBACK_NAME, homedir_role) != 0) errors = STATUS_ERR; semanage_user_key_free(key); if (u) 
@@ -946,6 +973,7 @@ static int add_user(genhomedircon_settings_t * s, struct passwd pwstorage, *pwent = NULL; const char *prefix = NULL; const char *level = NULL; + const char *homedir_role = NULL; char uid[11]; char gid[11]; @@ -969,6 +997,10 @@ static int add_user(genhomedircon_settings_t * s, level = FALLBACK_LEVEL; } + if (prefix_is_homedir_role(user, prefix)) { + homedir_role = prefix; + } + retval = getpwnam_r(name, &pwstorage, rbuf, rbuflen, &pwent); if (retval != 0 || pwent == NULL) { if (retval != 0 && retval != ENOENT) { @@ -1010,7 +1042,7 @@ static int add_user(genhomedircon_settings_t * s, } retval = push_user_entry(head, name, uid, gid, sename, prefix, - pwent->pw_dir, level, selogin); + pwent->pw_dir, level, selogin, homedir_role); cleanup: free(rbuf); return retval;
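Review bot: prefix_is_homedir_role() dereferences `user` unconditionally through semanage_user_has_role(), yet the setup_fallback_user hunk calls it as prefix_is_homedir_role(u, prefix) right after the branch that sets `level = FALLBACK_LEVEL` and before the existing `if (u)` cleanup, so u can be NULL there; the add_user hunk has the same shape. The strcmp(OBJECT_R, prefix) short-circuit only saves the non-OBJECT_R fallback prefix by accident, never by design. Suggest guarding the pointer in the helper: `return strcmp(OBJECT_R, prefix) == 0 || (user && semanage_user_has_role(user, prefix));`, and either checking `prefix` for NULL as well or stating in a comment that callers guarantee it, since strcmp() on a NULL argument is undefined.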
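Review bot: the new `hd_role` parameter of push_user_entry is optional (NULL means "keep the role from the context template", as the `if (hd_role)` strdup and the write_contexts check on `user->homedir_role` show), but nothing in the hunk says so. A one-line comment on the parameter, and naming it `homedir_role` to match the struct field it is stored in, would make the contract clear to both callers.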
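Review bot: the add_user hunk accepts a prefix of object_r as a homedir role through prefix_is_homedir_role even when the user has no such role, while the commit message says the behaviour applies only when the prefix "is the identifier of a role which is valid for the given user". Either the OBJECT_R special case should be described in the commit message (object_r is the conventional role for file objects, so treating it as always valid is reasonable) or the helper should drop it and rely solely on semanage_user_has_role(); as posted, the message and the code disagree.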