#! /usr/bin/env python
# Copyright (C) 2004 Tresys Technology, LLC
# see file 'COPYING' for use and warranty information
#
# genhomedircon - this script is used to generate file context
# configuration entries for user home directories based on their
# default roles and is run when building the policy. Specifically, we
# replace HOME_ROOT, HOME_DIR, and ROLE macros in .fc files with
# generic and user-specific values.
#
# Based off original script by Dan Walsh, <dwalsh@redhat.com>
#
# ASSUMPTIONS:
#
# The file CONTEXTDIR/files/homedir_template exists.  This file is used to
# set up the home directory context for each real user.
# 
# If a user has more than one role, genhomedircon uses the first role in the list.
#
# If a user is not listed in CONTEXTDIR/seusers, he will default to user_u, role user
#
# "Real" users (as opposed to system users) are those whose UID is greater than
#  or equal STARTING_UID (usually 500) and whose login is not a member of
#  EXCLUDE_LOGINS.  Users who are explicitly defined in CONTEXTDIR/seusers
#  are always "real" (including root, in the default configuration).
#
#  

import commands, sys, os, pwd, string, getopt, re
from semanage import *;

fd=open("/etc/shells", 'r')
VALID_SHELLS=fd.read().split('\n')
fd.close()
if "/sbin/nologin" in VALID_SHELLS:
	VALID_SHELLS.remove("/sbin/nologin")

def getStartingUID():
	starting_uid = sys.maxint
	rc=commands.getstatusoutput("grep -h '^UID_MIN' /etc/login.defs")
	if rc[0] == 0:
		uid_min = re.sub("^UID_MIN[^0-9]*", "", rc[1])
		#stip any comment from the end of the line
		uid_min = uid_min.split("#")[0]
		uid_min = uid_min.strip()
		if int(uid_min) < starting_uid:
			starting_uid = int(uid_min)
	rc=commands.getstatusoutput("grep -h '^LU_UIDNUMBER' /etc/libuser.conf")
	if rc[0] == 0:
		lu_uidnumber = re.sub("^LU_UIDNUMBER[^0-9]*", "", rc[1])
		#stip any comment from the end of the line
		lu_uidnumber = re.sub("[ \t].*", "", lu_uidnumber)
		lu_uidnumber = lu_uidnumber.split("#")[0]
		lu_uidnumber = lu_uidnumber.strip()
		if int(lu_uidnumber) < starting_uid:
			starting_uid = int(lu_uidnumber)
	if starting_uid == sys.maxint:
		starting_uid = 500
	return starting_uid

def getDefaultHomeDir():
	ret = []
	rc=commands.getstatusoutput("grep -h '^HOME' /etc/default/useradd")
	if rc[0] == 0:
		homedir = rc[1].split("=")[1]
		homedir = homedir.split("#")[0]
		homedir = homedir.strip()
		if not homedir in ret:
			ret.append(homedir)

	rc=commands.getstatusoutput("grep -h '^LU_HOMEDIRECTORY' /etc/libuser.conf")
	if rc[0] == 0:
		homedir = rc[1].split("=")[1]
		homedir = homedir.split("#")[0]
		homedir = homedir.strip()
		if not homedir in ret:
			ret.append(homedir)

	if ret == []:
		ret.append("/home")
	return ret

def getSELinuxType(directory):
	rc=commands.getstatusoutput("grep ^SELINUXTYPE= %s/config" % directory)
	if rc[0]==0:
		return rc[1].split("=")[-1].strip()
	return "targeted"

def usage(error = ""):
	if error != "":
		sys.stderr.write("%s\n" % error)
	sys.stderr.write("Usage: %s [ -d selinuxdir ] [-n | --nopasswd] [-t selinuxtype ]\n" % sys.argv[0])
	sys.stderr.flush()
	sys.exit(1)

def warning(warning = ""):
	sys.stderr.write("%s\n" % warning)
	sys.stderr.flush()
	
def errorExit(error):
	sys.stderr.write("%s exiting for: " % sys.argv[0])
	sys.stderr.write("%s\n" % error)
	sys.stderr.flush()
	sys.exit(1)

class selinuxConfig:
	def __init__(self, selinuxdir="/etc/selinux", type="targeted", usepwd=1):
		self.semanageHandle=semanage_handle_create()
		self.semanaged=semanage_is_managed(self.semanageHandle)
		if self.semanaged:
			semanage_connect(self.semanageHandle)
			(status, self.ulist, self.usize) = semanage_user_list(self.semanageHandle)
		self.type=type
		self.selinuxdir=selinuxdir +"/"
		self.contextdir="/contexts"
		self.filecontextdir=self.contextdir+"/files"
		self.usepwd=usepwd

	def getFileContextDir(self):
		return self.selinuxdir+self.type+self.filecontextdir

	def getFileContextFile(self):
		return self.getFileContextDir()+"/file_contexts"
	
	def getContextDir(self):
		return self.selinuxdir+self.type+self.contextdir

	def getHomeDirTemplate(self):
		return self.getFileContextDir()+"/homedir_template"

	def getHomeRootContext(self, homedir):
		rc=commands.getstatusoutput("grep HOME_ROOT  %s | sed -e \"s|^HOME_ROOT|%s|\"" % ( self.getHomeDirTemplate(), homedir))
		if rc[0] == 0:
			return rc[1]+"\n"
		else:
			errorExit("sed error %s" % rc[1])

	def heading(self):
		ret = "\n#\n#\n# User-specific file contexts, generated via %s\n" % sys.argv[0]
		if self.semanaged:
			ret += "# use seusers command to manage system users in order to change the file_context\n#\n#\n"
		else:
			ret += "# edit %s to change file_context\n#\n#\n" % (self.selinuxdir+self.type+"/seusers")
		return ret

	def defaultrole(self, name):
		for idx in range(self.usize):
			user = semanage_user_by_idx(self.ulist, idx)
			if semanage_user_get_name(user) == name:
				#role=semanage_user_get_defrole(user)
				#return role
				return "user_r"
		return name
	def getOldRole(self, role):
		rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/system.users"))
		if rc[0] != 0:					    
			rc = commands.getstatusoutput('grep "^user %s" %s' % (role, self.selinuxdir+self.type+"/users/local.users"))
		if rc[0] == 0:
			user=rc[1].split()
			role = user[3]
			if role == "{":
				role = user[4]
		return role
		
	def adduser(self, udict, user, seuser, role):
		try:
			if seuser == "user_u" or user == "__default__":
				return
			# !!! chooses first role in the list to use in the file context !!!
			if role[-2:] == "_r" or role[-2:] == "_u":
				role = role[:-2]
			home = pwd.getpwnam(user)[5]
			if home == "/":
				return
			prefs = {}
			prefs["role"] = role
			prefs["home"] = home
			udict[seuser] = prefs
		except KeyError:
			sys.stderr.write("The user \"%s\" is not present in the passwd file, skipping...\n" % user)

	def getUsers(self):
		udict = {}
		if self.semanaged:
			(status, list, lsize) = semanage_seuser_list(self.semanageHandle)
			for idx in range(lsize):
				user=[]
				seuser = semanage_seuser_by_idx(list, idx)
				seusername=semanage_seuser_get_sename(seuser)
				self.adduser(udict, semanage_seuser_get_name(seuser), seusername, self.defaultrole(seusername))
				
		else:
			rc = commands.getstatusoutput("grep -v '^ *#' %s" % self.selinuxdir+self.type+"/seusers")
			if rc[0] == 0 and rc[1] != "":
				ulist = rc[1].split("\n")
				for u in ulist:
					if len(u)==0:
						continue
					user = u.split(":")
					if len(user) < 3:
						continue
					role=self.getOldRole(user[1])
					self.adduser(udict, user[0], user[1], role)
		return udict

	def getHomeDirContext(self, user, home, role):
		ret="\n\n#\n# Home Context for user %s\n#\n\n" % user
		rc=commands.getstatusoutput("grep '^HOME_DIR' %s | sed -e 's|HOME_DIR|%s|' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), home, role, user))
		return ret + rc[1] + "\n"

	def getUserContext(self, user, sel_user, role):
		rc=commands.getstatusoutput("grep 'USER' %s | sed -e 's/USER/%s/' -e 's/ROLE/%s/' -e 's/system_u/%s/'" % (self.getHomeDirTemplate(), user, role, sel_user))
		return rc[1] + "\n"

	def genHomeDirContext(self):
		if commands.getstatusoutput("grep -q 'ROLE' %s" % self.getHomeDirTemplate())[0] == 0 and self.semanaged:
			warning("genhomedircon:  Warning!  No support yet for expanding ROLE macros in the %s file when using libsemanage." % self.getHomeDirTemplate());
			warning("genhomedircon:  You must manually update file_contexts.homedirs for any non-user_r users (including root).");
		users = self.getUsers()
		ret=""
		# Fill in HOME and ROLE for users that are defined
		for u in users.keys():
			ret += self.getHomeDirContext (u, users[u]["home"], users[u]["role"])
			ret += self.getUserContext (u, u, users[u]["role"])
		return ret+"\n"

	def checkExists(self, home):
		if commands.getstatusoutput("grep -E '^%s[^[:alnum:]_-]' %s" % (home, self.getFileContextFile()))[0] == 0:
			return 0
		#this works by grepping the file_contexts for
		# 1. ^/ makes sure this is not a comment
		# 2. prints only the regex in the first column first cut on \t then on space
		rc=commands.getstatusoutput("grep \"^/\" %s | cut -f 1 | cut -f 1 -d \" \" " %  self.getFileContextFile() )
		if rc[0] == 0:
			prefix_regex = rc[1].split("\n")
		else:
			warning("%s\nYou do not have access to read %s\n" % (rc[1], self.getFileContextFile()))

		exists=1
		for regex in prefix_regex:
			#match a trailing (/*)? which is actually a bug in rpc_pipefs
			regex = re.sub("\(/\*\)\?$", "", regex)
			#match a trailing .+
			regex = re.sub("\.+$", "", regex)
			#match a trailing .*
			regex = re.sub("\.\*$", "", regex)
			#strip a (/.*)? which matches anything trailing to a /*$ which matches trailing /'s
			regex = re.sub("\(\/\.\*\)\?", "", regex)
			regex = regex + "/*$"
			if re.search(regex, home, 0):
				exists = 0
				break
		if exists == 1:
			return 1
		else:
			return 0


	def getHomeDirs(self):
		homedirs = []
		homedirs = homedirs + getDefaultHomeDir()
		starting_uid=getStartingUID()
		if self.usepwd==0:
			return homedirs
		ulist = pwd.getpwall()
		for u in ulist:
			if u[2] >= starting_uid and \
					u[6] in VALID_SHELLS and \
					u[5] != "/" and \
					string.count(u[5], "/") > 1:
				homedir = u[5][:string.rfind(u[5], "/")]
				if not homedir in homedirs:
					if self.checkExists(homedir)==0:
						warning("%s homedir %s or its parent directoy conflicts with a\ndefined context in %s,\n%s will not create a new context." % (u[0], u[5], self.getFileContextFile(), sys.argv[0]))
					else:
						homedirs.append(homedir)

		homedirs.sort()
		return homedirs
 
	def genoutput(self):
		ret= self.heading()
		for h in self.getHomeDirs():
			ret += self.getHomeDirContext ("user_u" , h+'/[^/]*', "user")
			ret += self.getHomeRootContext(h)
		ret += self.getUserContext(".*", "user_u", "user") + "\n"
		ret += self.genHomeDirContext()
		return ret

	def printout(self):
		print self.genoutput()

	def write(self):
		try:
			fd = open(self.getFileContextDir()+"/file_contexts.homedirs", "w")
			fd.write(self.genoutput())
			fd.close()
		except IOError, error:
			sys.stderr.write("%s: %s\n" % ( sys.argv[0], error ))



#
# This script will generate home dir file context
# based off the homedir_template file, entries in the password file, and
#
try:
	usepwd=1
	directory="/etc/selinux"
	type=None
	gopts, cmds = getopt.getopt(sys.argv[1:], 'nd:t:', ['help',
						'type=',
						'nopasswd',
						'dir='])
	for o,a in gopts:
		if o == '--type' or o == "-t":
			type=a
		if o == '--nopasswd'  or o == "-n":
			usepwd=0
		if o == '--dir'  or o == "-d":
			directory=a
		if o == '--help':
			usage()


	if type==None:
		type=getSELinuxType(directory)

	if len(cmds) != 0:
		usage()
	selconf=selinuxConfig(directory, type, usepwd)
	selconf.write()

except getopt.error, error:
	errorExit("Options Error %s " % error)
except ValueError, error:
	errorExit("ValueError %s" % error)
except IndexError, error:
	errorExit("IndexError")
