[sabayon] I have made some changes to sabayon to work in an SELinux environment



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have created a login account for Linux that can be used for kiosk
systems.  I call it the xguest account.

It is further described below.

http://danwalsh.livejournal.com/13376.html

One of the problems with this limited privs account is that the default
X Windows account runs lots of applications that require privs.  So I
need a way to not run these applications for this UID.  Finally the home
directory for this user gets recreated (tmpfs) every time the user logs
in.  Currently the pam_namespace copies the contents of /etc/skel each
time a user logs in.  I don't want to put these changes in /etc/skel,
since the admin might create an account for another user and would want
the default.  So sabayon is the perfect application to use for the
xguest account.

I had to make several changes to sabayon to make it work with SELinux
and to work well with the xguest account.  I think these changes are all
upstreamable.  And would be useful to others.

SELinux fix to label the created file correctly
 - When sabayon creates the DOMAIN.zip file it creates it in /tmp and
then "mv"s it to /etc/desktop-profiles/.  This results in the file with a
bad SELinux label, unconfined_tmp_t instead of etc_t.  So most user
accounts that are not unconfined would not be able to read the file.  So
the SELinux code will change the context to be the system default.  The
SELinux code should be a no-op on machines that do not support SELinux.


If all the directories did not exist in the unzipped file, sabayon-apply was
failing, so I changed os.mkdir to os.makedirs to create all
subdirectories on install.


sabayon-apply was writing bad data in the .xsession-errors file when a
user did not have a user profile.  I fixed it to not fail if a user is
not using a sabayon file, although sabayon-apply should still be less
noisy.

One of the things I need for the xguest is the ability to remove
autostart files.  This is done through the .config/autostart directory,
so I re-added the .config directory so that I can remove autostart executables.

I noticed lots of other noise being added to the zip file, so I removed
.tomboy, .redhat and other files that should not be collected.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFHENAurlYvE4MpobMRApObAKCHQU2IyGyHQftZWPEKQmko2hYkBgCaA+Al
7cjHAIggwg+gbRXsExeLDaE=
=wydL
-----END PGP SIGNATURE-----
diff -up sabayon-2.20.1/lib/config.py.in.selinux sabayon-2.20.1/lib/config.py.in
--- sabayon-2.20.1/lib/config.py.in.selinux	2007-10-12 15:43:14.000000000 -0400
+++ sabayon-2.20.1/lib/config.py.in	2007-10-12 15:44:31.000000000 -0400
@@ -82,6 +82,7 @@ PASSTHROUGH_ENVIRONMENT = [
 # Files which we don't want to see change notifications for
 #
 FILES_TO_IGNORE = [
+    ".dbus",
     ".ICEauthority*",
     ".esd_auth",
     ".fonts.cache-1*",
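Review bot: the new ".dbus" entry is not mentioned in the description above, which lists only .tomboy and .redhat as the removed noise; please add it to the changelog, since ~/.dbus holds the per-login session bus address and must never be shipped in a profile.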
@@ -96,7 +97,11 @@ FILES_TO_IGNORE = [
     ".recently-used",
     ".xsession-errors",
     ".local",
-    ".config"
+    ".redhat",
+    ".config/user-dirs.dirs",
+    ".config/user-dirs.locale",
+    ".tomboy",
+    ".tomboy*",
 ]
 
 #
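Review bot: ".tomboy" is redundant once ".tomboy*" is in the list (the star form already matches the exact name), so one of the two can go. More importantly, dropping ".config" wholesale to reach .config/autostart means every other ~/.config subtree (gtk, gnome, application state) is now collected into the zip, while only user-dirs.dirs and user-dirs.locale are excluded; consider ignoring the remaining ~/.config entries that are per-session state rather than opening the whole directory.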
diff -up sabayon-2.20.1/lib/userdb.py.selinux sabayon-2.20.1/lib/userdb.py
--- sabayon-2.20.1/lib/userdb.py.selinux	2007-09-19 20:21:09.000000000 -0400
+++ sabayon-2.20.1/lib/userdb.py	2007-10-13 09:47:38.000000000 -0400
@@ -28,6 +28,11 @@ import random
 import ldap
 import socket
 import debuglog
+try:
+  import selinux
+  USE_SELINUX=selinux.is_selinux_enabled() > 0
+except ImportError:
+  USE_SELINUX=False
 
 defaultConf="""<profiles>
   <default profile=""/>
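Review bot: the try/except block is indented with 2 spaces while the rest of userdb.py uses 4 (and tabs further down), so please match the file's indentation. The same five lines are pasted into profilesdialog.py below; a single `USE_SELINUX` definition in one shared module (both files already import from lib/) would keep the two in sync.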
@@ -353,7 +358,12 @@ class UserDatabase:
 
 	    raise UserDatabaseException(
 	              _("Failed to save UserDatabase to %s") % filename)
-	
+
+        if USE_SELINUX:
+            rc, con = selinux.matchpathcon(filename, 0)
+            if rc == 0:
+                selinux.setfilecon(filename, con)
+
 	self.modified = 0
 
     def set_default_profile (self, profile):
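Review bot: a non-zero `rc` from `matchpathcon` is silently ignored, and `setfilecon` can raise OSError (EACCES/EPERM when policy denies the relabel) straight through `save`, after the file has already been written; wrap the call and report it as a save error so the admin learns the database was left with the wrong label. The new lines are space-indented inside a tab-indented method (see `\tself.modified = 0` below); it lines up only because the tab equals 8 columns, so convert to the file's existing indentation.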
diff -up sabayon-2.20.1/lib/storage.py.selinux sabayon-2.20.1/lib/storage.py
--- sabayon-2.20.1/lib/storage.py.selinux	2007-09-19 20:19:29.000000000 -0400
+++ sabayon-2.20.1/lib/storage.py	2007-10-12 15:43:14.000000000 -0400
@@ -52,7 +52,7 @@ def copy_tree (dst_base, src_base, dst_n
     
     try:
         dprint ("Making dir %s", os.path.join (dst_base, dst_name))
-        os.mkdir (os.path.join (dst_base, dst_name))
+        os.makedirs (os.path.join (dst_base, dst_name))
     except OSError, err:
         if err.errno != errno.EEXIST:
             raise err
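Review bot: `os.makedirs` will now create any missing parent components of `dst_name` under `dst_base`, so if `dst_name` comes from archive entry names, make sure it has been checked to stay inside `dst_base` (no leading `/` or `..` segments) before this call; with plain `os.mkdir` a bad entry simply failed, with `makedirs` it would create the whole path. The EEXIST handling is unchanged, since `makedirs` raises EEXIST for an existing leaf just as `mkdir` did.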
diff -up sabayon-2.20.1/admin-tool/profilesdialog.py.selinux sabayon-2.20.1/admin-tool/profilesdialog.py
--- sabayon-2.20.1/admin-tool/profilesdialog.py.selinux	2007-09-19 20:19:27.000000000 -0400
+++ sabayon-2.20.1/admin-tool/profilesdialog.py	2007-10-13 09:46:59.000000000 -0400
@@ -34,6 +34,11 @@ import protosession
 import debuglog
 import errors
 from config import *
+try:
+  import selinux
+  USE_SELINUX=selinux.is_selinux_enabled() > 0
+except ImportError:
+  USE_SELINUX=False
 
 def dprint (fmt, *args):
     debuglog.debug_log (False, debuglog.DEBUG_LOG_DOMAIN_ADMIN_TOOL, fmt % args)
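Review bot: this is a verbatim copy of the selinux import block added to lib/userdb.py; since this file already does `from config import *`, define `USE_SELINUX` once in config.py.in (or a small helper next to it) and import it here, so a future change to the detection logic is made in one place.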
@@ -110,6 +115,11 @@ class Session (gobject.GObject):
     def __copy_from_user (self, user_path, profile_path):
         os.chown (user_path, os.geteuid (), os.getegid ())
         shutil.move (user_path, profile_path)
+        if USE_SELINUX:
+            rc, con = selinux.matchpathcon(profile_path, 0)
+            if rc == 0:
+                selinux.setfilecon(profile_path, con)
+        
         dprint ("Moved %s back from %s", user_path, profile_path)
 
     @errors.checked_callback (debuglog.DEBUG_LOG_DOMAIN_ADMIN_TOOL)
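Review bot: the relabel runs after `shutil.move`, so there is a window in which the file sits in /etc/desktop-profiles with its /tmp label, and if `setfilecon` fails the file stays there mislabelled with no error reported. Since `matchpathcon` only needs the destination path, look up the context for `profile_path` and call `setfilecon (user_path, con)` before the move, so the file never appears at its final location with the wrong label; also handle a non-zero `rc` and an OSError from `setfilecon` rather than dropping them. The added line after the `if` block is whitespace-only (`+        `) and should be removed.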
diff -up sabayon-2.20.1/admin-tool/sabayon-apply.selinux sabayon-2.20.1/admin-tool/sabayon-apply
--- sabayon-2.20.1/admin-tool/sabayon-apply.selinux	2007-09-19 20:19:27.000000000 -0400
+++ sabayon-2.20.1/admin-tool/sabayon-apply	2007-10-12 15:43:14.000000000 -0400
@@ -94,23 +94,21 @@ if __name__ == '__main__':
         num_args = len (args)
         if num_args == 0:
             profile_name = userdb.get_database().get_profile (user_name)
-            if not profile_name:
-                sys.stderr.write (_("No profile for user '%s' found\n") % user_name)
-                sys.exit (util.EXIT_CODE_FATAL)
         elif num_args == 1:
             profile_name = args[0]
         else:
             sys.stderr.write (_("Please use -h for usage options"))
             sys.exit (util.EXIT_CODE_FATAL)
 
-        mprint ("Applying profile '%s' for user '%s'",
-                profile_name, util.get_user_name ())
+        if profile_name:
+            mprint ("Applying profile '%s' for user '%s'",
+                    profile_name, util.get_user_name ())
 
-        profile = userprofile.UserProfile (profile_name)
-        profile.apply (is_sabayon_session)
+            profile = userprofile.UserProfile (profile_name)
+            profile.apply (is_sabayon_session)
 
-        mprint ("Finished applying profile '%s' for user '%s'",
-                profile_name, util.get_user_name ())
+            mprint ("Finished applying profile '%s' for user '%s'",
+                    profile_name, util.get_user_name ())
 
         if errors.errors_have_recoverable_error ():
             mprint ("There were recoverable errors while applying the profile.")

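Review bot: with the "No profile for user" fatal error removed, a missing profile now makes sabayon-apply fall through silently to the recoverable-errors check and exit successfully, which hides genuine misconfiguration (a typo in the user database) behind the intended xguest case; add an `else:` that logs at least a debug-level "no profile for user" message so the condition is still visible in .xsession-errors when wanted.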
Attachment: sabayon-2.20.1-selinux.patch.sig
Description: Binary data
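An added example (not sabayon's code and not part of Dan Walsh's message) of the move-then-relabel pattern the patch introduces, written for Python 3. It assumes the libselinux Python bindings (`import selinux`) may or may not be importable; when they are missing or SELinux is disabled the relabel step is a no-op, as the patch intends. The helper names `default_context`, `install_profile` and `demo` are mine.

```python
"""Move a file into place and give it the destination's default SELinux label.

A rename within one filesystem keeps the source inode's label (a file
created in /tmp keeps *_tmp_t), so the label has to be corrected explicitly.
Here the label is set on the source *before* the move, so the file never
appears at its final path with the wrong context, and verified afterwards in
case shutil.move had to copy across filesystems (tmpfs -> /etc) and therefore
created a fresh inode.
"""
import os
import shutil
import tempfile

try:
    import selinux  # libselinux python bindings; optional
    USE_SELINUX = selinux.is_selinux_enabled() > 0
except ImportError:
    selinux = None
    USE_SELINUX = False


def default_context(path):
    """Return the policy's default label for `path`, or None if unavailable.

    matchpathcon consults the file_contexts database, so `path` only needs to
    be where the file will live, not where it currently is.
    """
    if not USE_SELINUX:
        return None
    rc, con = selinux.matchpathcon(path, 0)
    return con if rc == 0 else None


def install_profile(src, dst):
    """Move `src` to `dst` with `dst`'s default label.

    Returns the context applied, or None when SELinux is not in use.
    A failed setfilecon (policy denies relabelfrom/relabelto) raises OSError
    rather than leaving a mislabelled file behind silently.
    """
    con = default_context(dst)
    if con is not None:
        selinux.setfilecon(src, con)
    shutil.move(src, dst)
    if con is not None:
        rc, actual = selinux.getfilecon(dst)
        if rc != 0 or actual != con:  # cross-filesystem copy made a new inode
            selinux.setfilecon(dst, con)
    return con


def demo():
    """Stage a constructed profile zip in a temp dir and install it.

    Uses a scratch directory instead of /tmp and /etc/desktop-profiles so it
    runs unprivileged; returns what a caller would check afterwards.
    """
    base = tempfile.mkdtemp(prefix="sabayon-demo-")
    src = os.path.join(base, "staging", "xguest.zip")
    dst_dir = os.path.join(base, "desktop-profiles")
    os.makedirs(os.path.dirname(src))
    os.makedirs(dst_dir)
    with open(src, "wb") as f:
        f.write(b"PK\x05\x06" + b"\x00" * 18)  # constructed: empty zip archive
    dst = os.path.join(dst_dir, "xguest.zip")
    con = install_profile(src, dst)
    result = {
        "context": con,
        "dst_exists": os.path.exists(dst),
        "src_exists": os.path.exists(src),
    }
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    print(demo())
```

On a machine without SELinux (or without the bindings) `demo()` reports `"context": None` and the move behaves exactly like `shutil.move`; on an enforcing Fedora host the returned context is whatever `file_contexts` assigns to the destination path, and `ls -Z` on the installed file shows it rather than the staging directory's label.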
