Package: libsemanage1
Version: 2.0.25-2
Severity: normal
File: /lib/libsemanage.so.1
Tags: patch
Some debian packages like qmail or any other services sometimes
prefer to create it's users not below MIN_UID, but rather above
MAX_UID.
It is also found, that qmail installation script creates qmail users
with SHELL=/bin/sh (i don't know whether it is a bug).
genhomedircon.c:gethomedirs() checks pwent.pw_uid against MIN_UID in
/etc/login.defs to exclude system users from generating homedir contexts.
But unfortunately it does not check it against MAX_UID setting from the same
file.
Installing qmail package on selinux system exhibits behaviour, described in
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510125
Patch attached to add checking uid value againt MAX_UID too.
PS: Default value for MAX_UID is set to 60000, correct it if what.
Thanks.
-- System Information:
Debian Release: 5.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-xen-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash
Versions of packages libsemanage1 depends on:
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libselinux1 2.0.65-5 SELinux shared libraries
ii libsepol1 2.0.30-2 Security Enhanced Linux policy lib
ii libustr-1.0-1 1.0.4-1 Micro string library: shared libra
libsemanage1 recommends no packages.
libsemanage1 suggests no packages.
-- no debconf information
--- genhomedircon.c~ 2008-02-06 19:08:20.000000000 +0400
+++ genhomedircon.c 2008-12-29 20:26:10.000000000 +0400
@@ -219,8 +219,8 @@
char *rbuf = NULL;
char *path = NULL;
long rbuflen;
- uid_t temp, minuid = 0;
- int minuid_set = 0;
+ uid_t temp, minuid = 0, maxuid = 0;
+ int minuid_set = 0, maxuid_set = 0;
struct passwd pwstorage, *pwbuf;
struct stat buf;
int retval;
@@ -270,6 +270,16 @@
}
free(path);
path = NULL;
+ path = semanage_findval(PATH_ETC_LOGIN_DEFS, "UID_MAX", NULL);
+ if (path && *path) {
+ temp = atoi(path);
+ if (!maxuid_set || temp > maxuid) {
+ maxuid = temp;
+ maxuid_set = 1;
+ }
+ }
+ free(path);
+ path = NULL;
path = semanage_findval(PATH_ETC_LIBUSER, "LU_UIDNUMBER", "=");
if (path && *path) {
@@ -286,6 +296,10 @@
minuid = 500;
minuid_set = 1;
}
+ if (!maxuid_set) {
+ maxuid = 60000;
+ maxuid_set = 1;
+ }
rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX);
if (rbuflen <= 0)
@@ -295,7 +309,7 @@
goto fail;
setpwent();
while ((retval = getpwent_r(&pwstorage, rbuf, rbuflen, &pwbuf)) == 0) {
- if (pwbuf->pw_uid < minuid)
+ if (pwbuf->pw_uid < minuid || pwbuf->pw_uid > maxuid)
continue;
if (!semanage_list_find(shells, pwbuf->pw_shell))
continue;
@@ -322,7 +336,7 @@
/* NOTE: old genhomedircon printed a warning on match */
if (hand.matched) {
- WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than %u or its login shell is /sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid);
+ WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than %u or greater than %u or its login shell is /sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid, maxuid);
} else {
if (semanage_list_push(&homedir_list, path))
goto fail;