Package: libsemanage1
Version: 2.0.25-2
Severity: normal
File: /lib/libsemanage.so.1
Tags: patch
Some Debian packages like qmail or any other services sometimes prefer to create their users not below MIN_UID, but rather above MAX_UID. It is also found that the qmail installation script creates qmail users with SHELL=/bin/sh (I don't know whether it is a bug).

genhomedircon.c:gethomedirs() checks pwent.pw_uid against MIN_UID in /etc/login.defs to exclude system users from generating homedir contexts. But unfortunately it does not check it against the MAX_UID setting from the same file. Installing the qmail package on a SELinux system exhibits the behaviour described in http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=510125

Patch attached to add checking the uid value against MAX_UID too.

PS: Default value for MAX_UID is set to 60000, correct it if wrong.

Thanks.

-- System Information:
Debian Release: 5.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-xen-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages libsemanage1 depends on:
ii  libc6          2.7-16     GNU C Library: Shared libraries
ii  libselinux1    2.0.65-5   SELinux shared libraries
ii  libsepol1      2.0.30-2   Security Enhanced Linux policy lib
ii  libustr-1.0-1  1.0.4-1    Micro string library: shared libra

libsemanage1 recommends no packages.

libsemanage1 suggests no packages.

-- no debconf information
--- genhomedircon.c~ 2008-02-06 19:08:20.000000000 +0400 +++ genhomedircon.c 2008-12-29 20:26:10.000000000 +0400 @@ -219,8 +219,8 @@ char *rbuf = NULL; char *path = NULL; long rbuflen; - uid_t temp, minuid = 0; - int minuid_set = 0; + uid_t temp, minuid = 0, maxuid = 0; + int minuid_set = 0, maxuid_set = 0; struct passwd pwstorage, *pwbuf; struct stat buf; int retval; @@ -270,6 +270,16 @@ } free(path); path = NULL; + path = semanage_findval(PATH_ETC_LOGIN_DEFS, "UID_MAX", NULL); + if (path && *path) { + temp = atoi(path); + if (!maxuid_set || temp > maxuid) { + maxuid = temp; + maxuid_set = 1; + } + } + free(path); + path = NULL; path = semanage_findval(PATH_ETC_LIBUSER, "LU_UIDNUMBER", "="); if (path && *path) { @@ -286,6 +296,10 @@ minuid = 500; minuid_set = 1; } + if (!maxuid_set) { + maxuid = 60000; + maxuid_set = 1; + } rbuflen = sysconf(_SC_GETPW_R_SIZE_MAX); if (rbuflen <= 0) @@ -295,7 +309,7 @@ goto fail; setpwent(); while ((retval = getpwent_r(&pwstorage, rbuf, rbuflen, &pwbuf)) == 0) { - if (pwbuf->pw_uid < minuid) + if (pwbuf->pw_uid < minuid || pwbuf->pw_uid > maxuid) continue; if (!semanage_list_find(shells, pwbuf->pw_shell)) continue; 
@@ -322,7 +336,7 @@ /* NOTE: old genhomedircon printed a warning on match */ if (hand.matched) { - WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than %u or its login shell is /sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid); + WARN(s->h_semanage, "%s homedir %s or its parent directory conflicts with a file context already specified in the policy. This usually indicates an incorrectly defined system account. If it is a system account please make sure its uid is less than %u or greater than %u or its login shell is /sbin/nologin.", pwbuf->pw_name, pwbuf->pw_dir, minuid, maxuid); } else { if (semanage_list_push(&homedir_list, path)) goto fail;
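Review bot: in the UID_MAX lookup (hunk at line 270), `temp = atoi(path)` silently accepts a non-numeric value as 0 and converts a negative one to a huge `uid_t`; the first case makes `pw_uid > maxuid` skip every account, the second disables the new check entirely. Suggest parsing with `strtoul` plus end-pointer and `errno` checks, and rejecting a parsed value smaller than `minuid`. Note also that the report text calls the setting MAX_UID while the key actually read here, `"UID_MAX"`, is the login.defs name, so the key is right and the description should say UID_MAX.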
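Review bot: the fallback in the hunk at line 286 hard-codes `maxuid = 60000` with no comment saying where the number comes from (it matches the shadow-utils default UID_MAX); record that in a comment or a named constant next to the existing `minuid = 500` fallback. Since both bounds are now settled at this point, this is also the place for an `if (maxuid < minuid)` sanity check with a WARN, because an inverted range otherwise empties the homedir list without any diagnostic.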
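Review bot: in the WARN hunk at line 322 the format string and argument list stay consistent (two `%u`, `minuid` then `maxuid`), and "less than %u or greater than %u" matches the inclusive bounds tested by `pw_uid < minuid || pw_uid > maxuid`. Passing `uid_t` to `%u` is fine on glibc where `uid_t` is `unsigned int`; a `(unsigned)` cast on both arguments would make the call portable to platforms where it is not.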
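The filtering logic the report describes, as an added example that is not code from genhomedircon.c or the attached patch: a strict parser for UID_MIN/UID_MAX in login.defs-style text (in place of atoi), the patch's 500/60000 fallbacks, an inverted-range check, and the resulting per-account decision. The login.defs content, the login-shell list, the account records and the helper names (parse_uid, findval, resolve_uid_range, wants_homedir_context) are all constructed for this example.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for /etc/login.defs; nothing is read from disk. */
static const char sample_login_defs[] =
    "# constructed sample\n"
    "SYS_UID_MIN   100\n"
    "UID_MIN       1000\n"
    "UID_MAX       60000\n";

/* Constructed stand-in for the login-shell list gethomedirs() consults. */
static const char *const login_shells[] = { "/bin/sh", "/bin/bash", NULL };

struct uid_range { uid_t min; uid_t max; };

/* Strict decimal parse into uid_t: rejects signs, trailing junk and overflow,
 * the inputs on which atoi() would return 0 or wrap. 0 on success. */
static int parse_uid(const char *s, uid_t *out)
{
    char *end;
    unsigned long v;
    while (*s && isspace((unsigned char)*s)) s++;
    if (*s == '\0' || *s == '-' || *s == '+') return -1;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (errno != 0 || end == s) return -1;
    while (*end && isspace((unsigned char)*end)) end++;
    if (*end != '\0' || v > (unsigned long)UINT_MAX) return -1;
    *out = (uid_t)v;
    return 0;
}

/* Parsed value, or -1 when parse_uid() rejects the string. */
static long long parse_uid_value(const char *s)
{
    uid_t u;
    return parse_uid(s, &u) == 0 ? (long long)u : -1;
}

/* Look up "KEY value" in login.defs-style text, skipping '#' comments.
 * Only a whole-token key matches, so SYS_UID_MIN never satisfies UID_MIN. */
static int findval(const char *text, const char *key, uid_t *out)
{
    size_t klen = strlen(key);
    const char *line = text;
    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *q = line;
        char buf[64];
        while (q < end && isspace((unsigned char)*q)) q++;
        if (q < end && *q != '#' && (size_t)(end - q) > klen &&
            strncmp(q, key, klen) == 0 && isspace((unsigned char)q[klen])) {
            const char *v = q + klen;
            size_t vlen;
            while (v < end && isspace((unsigned char)*v)) v++;
            vlen = (size_t)(end - v);
            if (vlen == 0 || vlen >= sizeof buf) return -1;
            memcpy(buf, v, vlen);
            buf[vlen] = '\0';
            return parse_uid(buf, out);
        }
        if (!eol) break;
        line = eol + 1;
    }
    return -1;
}

/* Regular-user uid range from login.defs, else the patch's fallbacks
 * (500 / 60000). An inverted range is reported instead of silently
 * excluding every account. */
static int resolve_uid_range(const char *login_defs, struct uid_range *r)
{
    if (findval(login_defs, "UID_MIN", &r->min) != 0) r->min = 500;
    if (findval(login_defs, "UID_MAX", &r->max) != 0) r->max = 60000;
    return r->min > r->max ? -1 : 0;
}

/* The patched loop condition: 1 = generate a homedir context, 0 = skip
 * (uid outside [UID_MIN, UID_MAX] or shell not a login shell),
 * -1 = unusable configuration. */
static int wants_homedir_context(const char *login_defs, uid_t uid, const char *shell)
{
    struct uid_range r;
    size_t i;
    if (resolve_uid_range(login_defs, &r) != 0) return -1;
    if (uid < r.min || uid > r.max) return 0;
    for (i = 0; login_shells[i]; i++)
        if (strcmp(shell, login_shells[i]) == 0) return 1;
    return 0;
}

int main(void)
{
    /* Constructed accounts: a regular user and a qmail-style account
     * created above UID_MAX with /bin/sh as its shell. */
    printf("alice  uid=1000  /bin/bash -> %d\n",
           wants_homedir_context(sample_login_defs, 1000, "/bin/bash"));
    printf("qmaild uid=64010 /bin/sh   -> %d\n",
           wants_homedir_context(sample_login_defs, 64010, "/bin/sh"));
    return 0;
}
```

Run against the constructed login.defs, the regular user gets a homedir context (1) and the qmail-style account above UID_MAX is skipped (0), which is the outcome the patch aims for; a login.defs with UID_MIN above UID_MAX is reported as -1 rather than quietly producing an empty homedir list.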