Viewing file:  se_user.tcl (131.01 KB) -rw-r--r--
Select action/file-type:
 (+) |  (+) |  (+) | Code (+) | Session (+) |  (+) | SDB (+) |  (+) |  (+) |  (+) |  (+) |  (+) |
#!/usr/bin/awish
##############################################################
#
# SEUser: SE Linux user management tool
#
# Copyright (C) 2003-2005 Tresys Technology, LLC
# see file 'COPYING' for use and warranty information
#
# Question/comments to: selinux@tresys.com
#
# See the assoicated help file for more information.
#
##############################################################
namespace eval SEUser_db {
variable roles_list
variable sysUsers_list
variable groups_list
variable selinuxUsers_list
variable generic_user "user_u"
variable system_user "system_u"
variable special_usr_type "Special"
variable generic_usr_type "Generic"
variable def_user_type "Defined"
variable undef_user_type "Undefined"
variable mod_cntr 0
variable passwd_file "/etc/passwd"
variable added_users ""
}
proc SEUser_db::reset_mod_cntr { } {
variable mod_cntr
set mod_cntr 0
return 0
}
proc SEUser_db::update_mod_cntr { } {
variable mod_cntr
set mod_cntr [expr $mod_cntr + 1]
return 0
}
proc SEUser_db::get_mod_cntr { } {
variable mod_cntr
return $mod_cntr
}
proc SEUser_db::is_system_user { user } {
set idx [lsearch -exact $SEUser_db::sysUsers_list $user]
if { $idx == -1 } {
return 0
}
return 1
}
proc SEUser_db::is_selinux_user { user } {
set idx [lsearch -exact $SEUser_db::selinuxUsers_list $user]
if { $idx == -1 } {
return 0
}
return 1
}
proc SEUser_db::is_generic_user_defined { } {
set idx [lsearch -exact $SEUser_db::selinuxUsers_list $SEUser_db::generic_user]
if { $idx == -1 } {
return 0
}
return 1
}
proc SEUser_db::set_sysUser_passwd { user passwd } {
set exec_files [auto_execok sadminpasswd]
if {$exec_files != ""} {
set rt [catch {exec echo "$passwd" | sadminpasswd --stdin $user} err]
} else {
set rt [catch {exec echo "$passwd" | passwd --stdin $user} err]
}
if {$rt != 0} {
return -code error $err
}
return 0
}
proc SEUser_db::add_selinuxUser {user roles dflt_login_cxt role_login type_login dflt_cron_cxt role_cron type_cron} {
set rt [catch {seuser_CheckCommitAccess} err]
if {$rt != 0 } {
return -code error $err
}
set rt [catch {seuser_EditUser add $user $roles $dflt_login_cxt $role_login $type_login $dflt_cron_cxt $role_cron $type_cron} err]
if {$rt != 0} {
return -code error $err
}
set rt [catch {seuser_Commit} err]
if {$rt != 0} {
return -code error $err
}
set SEUser_db::selinuxUsers_list [lappend $SEUser_db::selinuxUsers_list $user]
set SEUser_db::selinuxUsers_list [lsort $SEUser_db::selinuxUsers_list]
SEUser_db::update_mod_cntr
return 0
}
proc SEUser_db::add_sysUser { user useradd_args passwd } {
set exec_files [auto_execok suseradd]
if {$exec_files != ""} {
set cmd [list exec suseradd]
} else {
set cmd [list exec useradd]
}
foreach arg $useradd_args {
lappend cmd $arg
}
set rt [catch {eval [concat $cmd $user]} err]
if {$rt != 0} {
return -code error $err
}
if { $passwd != "" } {
set rt [catch {SEUser_db::set_sysUser_passwd $user $passwd} err]
if { $rt != 0 } {
return -code error $err
}
}
set SEUser_db::sysUsers_list [lappend SEUser_db::sysUsers_list $user]
return 0
}
proc SEUser_db::add_user { user generic_flag roles useradd_args passwd overwrite_policy } {
if { ![SEUser_db::is_system_user $user] } {
set rt [catch {SEUser_db::add_sysUser $user $useradd_args $passwd} err]
if {$rt != 0} {
return -code error $err
}
}
if { $generic_flag == 0 } {
if { $overwrite_policy && [SEUser_db::is_selinux_user $user] } {
set rt [catch {SEUser_db::change_selinuxUser $user $roles 0 "" "" 0 "" ""} err]
if { $rt != 0 } {
return -code error $err
}
} elseif { ![SEUser_db::is_selinux_user $user] } {
set rt [catch {SEUser_db::add_selinuxUser $user $roles 0 "" "" 0 "" ""} err]
if { $rt != 0 } {
return -code error $err
}
}
set SEUser_db::added_users [lappend SEUser_db::added_users $user]
}
return 0
}
proc SEUser_db::change_sysUser { user useradd_args } {
set exec_files [auto_execok susermod]
if {$exec_files != ""} {
set cmd [list exec susermod]
} else {
set cmd [list exec usermod]
}
foreach arg $useradd_args {
lappend cmd $arg
}
set rt [catch {eval [concat $cmd $user]} err]
if {$rt != 0} {
return -code error $err
}
return 0
}
proc SEUser_db::change_selinuxUser { user roles dflt_login_cxt role_login type_login dflt_cron_cxt role_cron type_cron } {
set rt [ catch {seuser_CheckCommitAccess } err]
if {$rt != 0 } {
return -code error $err
}
set rt [catch {seuser_EditUser change $user $roles \
$dflt_login_cxt $role_login $type_login $dflt_cron_cxt \
$role_cron $type_cron} err]
if {$rt != 0} {
return -code error $err
}
set rt [catch {seuser_Commit} err]
if {$rt != 0} {
return -code error $err
}
SEUser_db::update_mod_cntr
return 0
}
proc SEUser_db::change_user { user generic_flag roles useradd_args } {
if { [SEUser_db::is_system_user $user] } {
set rt [catch {SEUser_db::change_sysUser $user $useradd_args} err]
if {$rt != 0} {
return -code error $err
}
}
if { $generic_flag == 0 } {
if {[SEUser_db::is_selinux_user $user]} {
set rt [catch {SEUser_db::change_selinuxUser $user $roles 0 "" "" 0 "" ""} err]
if { $rt != 0 } {
return -code error $err
}
} else {
set rt [catch {SEUser_db::add_selinuxUser $user $roles 0 "" "" 0 "" ""} err]
if { $rt != 0 } {
return -code error $err
}
}
} else {
if {[SEUser_db::is_selinux_user $user]} {
set rt [catch {SEUser_db::remove_selinuxUser $user} err]
if { $rt != 0 } {
return -code error $err
}
}
}
return 0
}
proc SEUser_db::remove_sysUser { user remove_home_dir } {
set idx [lsearch -exact $SEUser_db::sysUsers_list $user]
if { $idx != -1 } {
set exec_files [auto_execok suserdel]
if {$exec_files != ""} {
if { $remove_home_dir } {
set rt [catch {exec suserdel -r $user} err]
} else {
set rt [catch {exec suserdel $user} err]
}
} else {
if { $remove_home_dir } {
set rt [catch {exec userdel -r $user} err]
} else {
set rt [catch {exec userdel $user} err]
}
}
if {$rt != 0} {
return -code error $err
}
set SEUser_db::sysUsers_list [lreplace $SEUser_db::sysUsers_list $idx $idx]
}
return 0
}
proc SEUser_db::remove_selinuxUser { user } {
set idx [lsearch -exact $SEUser_db::selinuxUsers_list $user]
if { $idx != -1 } {
set rt [ catch {seuser_CheckCommitAccess} err]
if {$rt != 0 } {
return -code error $err
}
set rt [catch {seuser_RemoveUser $user} err]
if {$rt != 0} {
return -code error $err
}
set rt [catch {seuser_Commit} err]
if {$rt != 0} {
return -code error $err
}
set SEUser_db::selinuxUsers_list [lreplace $SEUser_db::selinuxUsers_list $idx $idx]
SEUser_db::update_mod_cntr
}
return 0
}
proc SEUser_db::remove_user {user remove_home_dir} {
set rt [catch {SEUser_db::remove_sysUser $user $remove_home_dir} err]
if { $rt != 0 } {
return -code error $err
}
set rt [catch {SEUser_db::remove_selinuxUser $user} err]
if { $rt != 0 } {
return -code error $err
}
return 0
}
proc SEUser_db::get_sysUser_data_field {user field_descriptor} {
variable passwd_file
if { [SEUser_db::is_system_user $user] } {
set rt [catch {set data [exec grep "^$user:" $passwd_file]} err]
if { $rt != 0 } {
return -code error $err
}
set data [split $data ":"]
if { [llength $data] != 7 } {
return -code error "Cannot split field descriptors from the users' entry in $passwd_file"
}
switch $field_descriptor {
account {
return [lindex $data 0]
}
passwd {
return [lindex $data 1]
}
uid {
return [lindex $data 2]
}
gid {
return [lindex $data 3]
}
comment {
return [lindex $data 4]
}
directory {
return [lindex $data 5]
}
shell {
return [lindex $data 6]
}
default {
return -code err "Could not determine the field descriptor needed from the users' entry in $passwd_file"
}
}
}
return ""
}
proc SEUser_db::get_user_type { user } {
variable sysUsers_list
variable selinuxUsers_list
variable generic_user
variable system_user
if { [lsearch -exact $selinuxUsers_list $user] != -1 } {
if { $user == $generic_user || $user == $system_user } {
return $SEUser_db::special_usr_type
} else {
return $SEUser_db::def_user_type
}
} else {
if { [lsearch -exact $selinuxUsers_list $generic_user] != -1 } {
return $SEUser_db::generic_usr_type
} else {
return $SEUser_db::undef_user_type
}
}
return 0
}
proc SEUser_db::get_user_roles { username } {
variable selinuxUsers_list
variable generic_user
if { [lsearch -exact $selinuxUsers_list $username] != -1 } {
set rt [catch {set currentRoles [seuser_UserRoles $username]} err]
if {$rt != 0} {
return -code error $err
}
return [lsort $currentRoles]
} elseif { [SEUser_db::is_generic_user_defined] } {
set rt [catch {set currentRoles [seuser_UserRoles $generic_user]} err]
if {$rt != 0} {
return -code error $err
}
return [lsort $currentRoles]
}
return ""
}
proc SEUser_db::get_user_groups { user } {
variable sysUsers_list
if { [SEUser_db::is_system_user $user] } {
set rt [catch {set groups [exec groups $user]} err]
if {$rt != 0} {
return -code error $err
}
set groups [lreplace $groups 0 1]
return $groups
} elseif { [SEUser_db::is_selinux_user $user] } {
return ""
} else {
return -code error "User: $user is neither a system user nor defined in the selinux policy."
}
}
proc SEUser_db::get_list { which } {
variable roles_list
variable sysUsers_list
variable groups_list
variable all_users_list
variable selinuxUsers_list
switch $which {
roles {
return $roles_list
}
sysUsers {
return $sysUsers_list
}
groups {
return $groups_list
}
seUsers {
return $selinuxUsers_list
}
default {
return -code error "Cannot find the specified list: $which"
}
}
}
proc SEUser_db::free_db {} {
set SEUser_db::roles_list ""
set SEUser_db::sysUsers_list ""
set SEUser_db::groups_list ""
set SEUser_db::selinuxUsers_list ""
set SEUser_db::added_users ""
SEUser_db::reset_mod_cntr
return 0
}
proc SEUser_db::load_policy { } {
set rt [catch {seuser_ReinstallPolicy} err]
if { $rt != 0 } {
return -code error $err
}
foreach user $SEUser_db::added_users {
set rt [catch {seuser_LabelHomeDirectory $user} err]
if {$rt != 0 } {
return -code error $err
}
}
set SEUser_db::added_users ""
return 0
}
proc SEUser_db::init_db { } {
variable roles_list
variable sysUsers_list
variable groups_list
variable selinuxUsers_list
set rt [catch {set sysUsers_list_with_types [seuser_GetSysUsers 1]} err]
if {$rt != 0} {
return -code error $err
}
set rt [catch {set sysUsers_list [seuser_GetSysUsers]} err]
if {$rt != 0} {
return -code error $err
}
set sysUsers_list [lsort $sysUsers_list]
set rt [catch {set selinuxUsers_list [seuser_GetSeUserNames]} err]
if {$rt != 0} {
return -code error $err
}
set selinuxUsers_list [lsort $selinuxUsers_list]
set rt [catch {set roles_list [apol_GetNames roles]} err]
if {$rt != 0} {
return -code error $err
}
set roles_list [lsort $roles_list]
set rt [catch {set groups_list [seuser_GetSysGroups]} err]
if {$rt != 0} {
return -code error $err
}
set groups_list [lsort $groups_list]
return 0
}
namespace eval SEUser_Top {
variable mainframe
variable listbox_Users
variable helpDlg
set helpDlg .helpDlg
variable splashDlg
set splashDlg .splashDlg
variable delete_user_Dlg
set delete_user_Dlg .delete_user_Dlg
variable make_resultsDlg
set make_resultsDlg .make_resultsDlg
variable b_lbl_user
variable b_lbl_type
variable b_lbl_roles
variable b_lbl_groups
variable gui_ver 0.6
variable copyright_date "2002-2004"
variable bwidget_version ""
variable progressMsg ""
variable delete_user_ans
variable tmpfile
variable policy_changes_flag 0
variable generic_user "user_u"
variable system_user "system_u"
variable root_user "root"
variable remove_homeDir 0
variable home_dir ""
variable helpFilename ""
variable trace_vars ""
variable text_font "Courier 10"
variable curr_sort_type user_name
variable default_bg_color
variable tabName_prefix "SEUser_"
set default_bg_color [. cget -background]
}
proc SEUser_Top::set_trace_on_var { namespace trace_var } {
trace variable "${namespace}::${trace_var}" w SEUser_Top::denote_policy_changes
lappend SEUser_Top::trace_vars "${namespace}::${trace_var}"
return 0
}
proc SEUser_Top::remove_trace_on_vars { } {
variable trace_vars
foreach var $trace_vars {
trace vdelete $var w SEUser_Top::denote_policy_changes
}
return 0
}
proc SEUser_Top::denote_policy_changes { name1 name2 op } {
set SEUser_Top::policy_changes_flag 1
return 0
}
proc SEUser_Top::check_list_for_redundancy { target_list_name compare_list_name } {
upvar 1 $target_list_name target_list
upvar 1 $compare_list_name compare_list
set list_size [llength $target_list]
foreach compare_listValue $compare_list {
for { set idx 0 } { $idx != $list_size } { incr idx } {
set target_listValue [lindex $target_list $idx]
if { [string match $target_listValue "$compare_listValue"] } {
set target_list [lreplace $target_list $idx $idx]
}
}
}
return 0
}
proc SEUser_Top::select_added_user { new_user } {
variable listbox_Users
if {[$listbox_Users exists $new_user] } {
$listbox_Users selection set $new_user
}
return 0
}
proc SEUser_Top::viewMakeResults { } {
variable make_resultsDlg
if { [winfo exists $make_resultsDlg] } {
destroy $make_resultsDlg
}
toplevel $make_resultsDlg
wm protocol $make_resultsDlg WM_DELETE_WINDOW "destroy $make_resultsDlg"
wm withdraw $make_resultsDlg
wm title $make_resultsDlg "Make Results Output"
set resultsFrame [frame $make_resultsDlg.resultsFrame ]
set sw [ScrolledWindow $resultsFrame.sw -auto both]
set resultsbox [text [$sw getframe].text -bg white -wrap none]
$sw setwidget $resultsbox
set okButton [Button $resultsFrame.okButton -text "OK" -command "destroy $make_resultsDlg"]
pack $resultsFrame -expand yes -fill both -padx 5 -pady 5
pack $okButton -side bottom
pack $sw -side left -expand yes -fill both
wm deiconify $make_resultsDlg
set filename $SEUser_Top::tmpfile
set data [SEUser_Top::readFile $filename]
if { $data != "" } {
$resultsbox delete 0.0 end
$resultsbox insert end $data
} else {
tk_messageBox -icon error -type ok -title "Make Results Output Error" \
-parent $SEUser_Top::mainframe \
-message "Output file: $filename not readable!"
}
tkwait window $make_resultsDlg
return 0
}
proc SEUser_Top::readFile { filename } {
set data ""
if { [file readable $filename] } {
set fileid [::open $filename "r"]
set data [::read $fileid]
::close $fileid
}
return $data
}
proc SEUser_Top::close {} {
SEUser_Top::remove_trace_on_vars
SEUser_Generic_Users::close
SEUser_SELinux_Users::close
SEUser_UserInfo::close
return 0
}
proc SEUser_Top::sort_listbox_items { sort_type } {
variable listbox_Users
variable curr_sort_type
switch -- $sort_type {
user_name {
set idx 0
}
user_type {
set idx 1
}
user_roles {
return
}
user_groups {
return
}
default {
return -code error
}
}
set list_items [$listbox_Users items]
if { $sort_type == "user_name" } {
set reordered_list [lsort -dictionary $list_items]
} else {
foreach item $list_items {
set data_list [$listbox_Users itemcget $item -data]
lappend new_list "{[lindex $data_list $idx]} {$item}"
}
set new_list [lsort -dictionary $new_list]
foreach item $new_list {
lappend reordered_list [lindex $item 1]
}
}
$listbox_Users reorder $reordered_list
set curr_sort_type $sort_type
return 0
}
proc SEUser_Top::disable_tkListbox { my_list_box } {
global tk_version
if {$tk_version >= "8.4"} {
$my_list_box configure -state disabled
} else {
set class_name [winfo class $my_list_box]
if {$class_name != ""} {
set idx [lsearch -exact [bindtags $my_list_box] $class_name]
if {$idx != -1} {
bindtags $my_list_box [lreplace [bindtags $my_list_box] $idx $idx]
} else {
return
}
} else {
tk_messageBox -parent $SEUser_Top::mainframe -icon error -type ok -title "Error" -message \
"Could not determine the class name of the widget."
return -1
}
}
return 0
}
proc SEUser_Top::enable_tkListbox { my_list_box } {
global tk_version
if {$tk_version >= "8.4"} {
$my_list_box configure -state normal
} else {
set class_name [winfo class $my_list_box]
if {$class_name != ""} {
set idx [lsearch -exact [bindtags $my_list_box] $class_name]
if {$idx != -1} {
return
}
bindtags $my_list_box [linsert [bindtags $my_list_box] 1 $class_name]
} else {
tk_messageBox -parent $SEUser_Top::mainframe -icon error -type ok -title "Error" -message \
"Could not determine the class name of the widget."
return -1
}
}
return 0
}
proc SEUser_Top::configure_ListBox { listbox_Users } {
variable generic_user
variable system_user
$listbox_Users delete [$listbox_Users items]
set all_users_list [SEUser_db::get_list sysUsers]
set seUsers [SEUser_db::get_list seUsers]
if { [lsearch -exact $seUsers $generic_user] != -1 } {
lappend all_users_list $generic_user
}
if { [lsearch -exact $seUsers $system_user] != -1 } {
lappend all_users_list $system_user
}
foreach user $all_users_list {
set rt [catch {set groups [SEUser_db::get_user_groups $user]} err]
if { $rt != 0 } {
return -code error $err
}
if { $groups == "" } {
set groups "<none>"
}
set rt [catch {set roles [SEUser_db::get_user_roles $user]} err]
if { $rt != 0 } {
return -code error $err
}
if { $roles == "" } {
set roles "<none>"
}
set data_list [list "$user" "[SEUser_db::get_user_type $user]" "$roles" "$groups"]
if { ![$listbox_Users exists $user] } {
$listbox_Users insert end "$user" \
-data $data_list \
-text [eval format {"%-20.20s %-14.14s %-25.25s %-20.20s"} $data_list]
}
}
$listbox_Users configure -redraw 1
return 0
}
proc SEUser_Top::add_user {} {
variable listbox_Users
SEUser_UserInfo::display add
return 0
}
proc SEUser_Top::change_user { user } {
variable listbox_Users
set user_selected [$listbox_Users selection get]
if { $user_selected != "" } {
SEUser_UserInfo::display change $user_selected
}
return 0
}
proc SEUser_Top::delete_user {} {
variable delete_user_ans
variable listbox_Users
variable generic_user
variable system_user
variable root_user
variable home_dir
set user_selected [$listbox_Users selection get]
if { $user_selected != "" } {
if { $user_selected == $generic_user } {
tk_messageBox -icon error -type ok -title "Error" \
-parent $SEUser_Top::mainframe \
-message "Cannot remove special user $generic_user. Please\
select the Advanced button if you wish to remove $generic_user."
return -1
} elseif { $user_selected == $system_user } {
tk_messageBox -icon error -type ok -title "Error" \
-parent $SEUser_Top::mainframe \
-message "Cannot remove special user $system_user"
return -1
} elseif { $user_selected == $root_user } {
tk_messageBox -icon error -type ok -title "Error" \
-parent $SEUser_Top::mainframe \
-message "Cannot remove user $root_user with this tool."
return -1
}
set rt [catch {set home_dir [SEUser_db::get_sysUser_data_field $user_selected directory]} err]
if { $rt != 0 } {
tk_messageBox -icon error -type ok -title "Error" \
-parent $SEUser_Top::mainframe \
-message "$err"
return -1
}
SEUser_Top::display_delete_user_Dlg $user_selected
if { $SEUser_Top::delete_user_ans == "yes" } {
set curr_mod_ctr [SEUser_db::get_mod_cntr]
set rt [catch {SEUser_db::remove_user [$listbox_Users selection get] $SEUser_Top::remove_homeDir} err]
if { $rt != 0 } {
tk_messageBox -icon error -type ok -title "Error" \
-parent $SEUser_Top::mainframe \
-message "$err"
return -1
}
set new_mod_ctr [SEUser_db::get_mod_cntr]
SEUser_Top::initialize
if { $new_mod_ctr > $curr_mod_ctr } {
set SEUser_Top::policy_changes_flag 1
}
}
}
return 0
}
proc SEUser_Top::display_advanced_Dlg {} {
SEUser_Advanced::display
return 0
}
proc SEUser_Top::load_policy {} {
variable progressmsg
if {$SEUser_Top::policy_changes_flag} {
set progressmsg "Loading policy..."
set progressBar [ ProgressDlg .progress -parent . -title "Load Progress..." \
-textvariable SEUser_Top::progressmsg]
update
set rt [catch {SEUser_db::load_policy} err]
if { $rt != 0 } {
destroy $progressBar
set answer [tk_messageBox -icon error -type yesno -title "Error: Policy not installed" \
-parent $SEUser_Top::mainframe \
-message "$err\n\nPress YES to view make results, NO to exit."]
switch -- $answer {
yes { SEUser_Top::viewMakeResults }
no { }
}
} else {
set progressmsg "Policy installed."
destroy $progressBar
}
SEUser_Top::initialize
}
return 0
}
proc SEUser_Top::update_environment_vars { } {
set new_value [append ::env(PATH) ":/sbin"]
set ::env(PATH) $new_value
set new_value [append ::env(PATH) ":/usr/sbin"]
set ::env(PATH) $new_value
return 0
}
proc SEUser_Top::initialize { } {
variable listbox_Users
set SEUser_Top::policy_changes_flag 0
SEUser_Top::update_environment_vars
set rt [catch {SEUser_db::init_db} err]
if { $rt != 0 } {
tk_messageBox -icon error -type ok -title "Error" \
-parent $SEUser_Top::mainframe \
-message "The following error occurred when initializing the virtual database: ${err}.\n\nNow exiting application..."
SEUser_Top::se_exit
}
set sel_user [$listbox_Users selection get]
set rt [catch {SEUser_Top::configure_ListBox $SEUser_Top::listbox_Users} err]
if { $rt != 0 } {
tk_messageBox -icon error -type ok -title "Error" \
-parent $SEUser_Top::mainframe \
-message "$err"
return
}
SEUser_Top::sort_listbox_items $SEUser_Top::curr_sort_type
$listbox_Users selection set $sel_user
return 0
}
proc SEUser_Top::se_exit { } {
variable progressmsg
if {$SEUser_Top::policy_changes_flag} {
set progressmsg "Loading policy..."
set progressBar [ ProgressDlg .progress -parent . -title "Load Progress..." \
-textvariable SEUser_Top::progressmsg]
update
set rt [catch {SEUser_db::load_policy} err]
if { $rt != 0 } {
destroy $progressBar
set answer [tk_messageBox -icon error -type yesno \
-parent $SEUser_Top::mainframe \
-title "Error: Policy not installed" \
-message "$err\n\nPress YES to view make results, NO to exit."]
switch -- $answer {
yes { SEUser_Top::viewMakeResults }
no { }
}
} else {
set progressmsg "Policy installed."
destroy $progressBar
}
}
SEUser_db::free_db
SEUser_Top::close
seuser_Exit
exit
}
proc SEUser_Top::get_tabname {tab} {
variable tabName_prefix
set idx [string last ":" $tab]
if {$idx != -1} {
set tab [string range $tab 0 [expr $idx - 1]]
}
set prefix_len [string length $tabName_prefix]
if {[string range $tab 0 $prefix_len] == $tabName_prefix} {
return $tab
}
set tmp $tabName_prefix
set idx [string first "_" $tab]
if {$idx == -1} {
return $tab
}
set tab_fixed [append tmp [string range $tab [expr $idx + 1] end]]
return $tab_fixed
}
proc SEUser_Top::display_delete_homeDir_Dlg { home_dir } {
if { $SEUser_Top::remove_homeDir } {
set ans [tk_messageBox -icon warning -type yesno -title "Remove home directory?" \
-parent $SEUser_Top::delete_user_Dlg \
-message "By turning this checkbutton ON, you will be deleting the directory $home_dir.\
Are you sure you want to delete this directory?"]
switch $ans {
yes { }
no {
set SEUser_Top::remove_homeDir 0
}
}
}
return 0
}
proc SEUser_Top::display_delete_user_Dlg { user_selected } {
variable delete_user_Dlg
variable remove_homeDir
global tcl_platform
if { [winfo exists $delete_user_Dlg] } {
destroy $delete_user_Dlg
}
set remove_homeDir 0
toplevel $delete_user_Dlg
wm protocol $delete_user_Dlg WM_DELETE_WINDOW "destroy $delete_user_Dlg"
wm withdraw $delete_user_Dlg
wm title $delete_user_Dlg "Delete User"
set inner_f [frame $delete_user_Dlg.inner_f]
set inner_f1 [frame $delete_user_Dlg.inner_f1]
set inner_f2 [frame $delete_user_Dlg.inner_f2]
set lbl_save [label $inner_f1.lbl_save -image [Bitmap::get warning]]
set lbl_save2 [label $inner_f2.lbl_save2 -text "User: $user_selected is about to be removed from the system.\n\
Are you sure you want to continue?"]
set b_yes [button $inner_f.b_yes -text "Yes" -width 6 -command {set SEUser_Top::delete_user_ans yes; destroy $SEUser_Top::delete_user_Dlg} -font {Helvetica 11 bold}]
set b_cancel [button $inner_f.b_cancel -text "Cancel" -width 6 -command {set SEUser_Top::delete_user_ans cancel; destroy $SEUser_Top::delete_user_Dlg} -font {Helvetica 11 bold}]
pack $inner_f -side bottom -anchor center
pack $inner_f1 -side left -anchor n -pady 10
pack $inner_f2 -side left -anchor n -pady 10
pack $lbl_save -side left -anchor center -padx 10
pack $lbl_save2 -side top -anchor center -padx 5
if { $SEUser_Top::home_dir != "" && [file exists $SEUser_Top::home_dir] } {
set cb_rm_homeDir [checkbutton $inner_f2.cb_rm_homeDir -text "Remove home directory and contents." \
-variable SEUser_Top::remove_homeDir \
-command { SEUser_Top::display_delete_homeDir_Dlg $SEUser_Top::home_dir }]
pack $cb_rm_homeDir -side bottom -anchor nw
}
pack $b_yes $b_cancel -side left -anchor center -padx 2
wm deiconify $delete_user_Dlg
focus -force $b_cancel
if {$tcl_platform(platform) == "windows"} {
wm resizable $SEUser_Top::::delete_user_Dlg 0 0
} else {
bind $SEUser_Top::::delete_user_Dlg <Configure> { wm geometry $SEUser_Top::::delete_user_Dlg {} }
}
::tk::SetFocusGrab $delete_user_Dlg
tkwait variable SEUser_Top::delete_user_ans
return 0
}
proc SEUser_Top::create_splashDialog { } {
variable gui_ver
variable splashDlg
variable copyright_date
set apol_ver [apol_GetVersion]
set seuser_ver [seuser_GetVersion]
set frm $splashDlg.top
frame $frm -bd 2 -relief groove
label $frm.guiVer -text "SE Linux User Manager $gui_ver"
label $frm.apolVer -text "Apol Lib Version: $apol_ver"
label $frm.seuserVer -text "SEUser Lib Version: $seuser_ver"
message $frm.copyright -text "Copyright (c) $copyright_date Tresys Technology, LLC\n" -width 4i
pack $frm.guiVer $frm.copyright $frm.apolVer $frm.seuserVer -fill x
pack $frm -side top -fill x -padx 8 -pady 8
set frm $splashDlg.bottom
frame $frm -bd 2 -relief groove
label $frm.msg -textvariable SEUser_Top::progressMsg -anchor w -width 40
pack $frm.msg -side left -ipadx 6 -ipady 4
pack $frm -side bottom -fill x -padx 8 -pady 8
return 0
}
proc SEUser_Top::destroy_splashScreen { } {
variable splashDlg
destroy $splashDlg
return 0
}
proc SEUser_Top::display_splashScreen { } {
variable splashDlg
if { [winfo exists $splashDlg] } {
destroy $splashDlg
}
toplevel $splashDlg
wm overrideredirect $splashDlg 0
wm withdraw $splashDlg
SEUser_Top::create_splashDialog
wm title $splashDlg "SE Linux User Manager"
::tk::PlaceWindow $splashDlg widget center
wm deiconify $splashDlg
update
return 0
}
proc SEUser_Top::aboutBox {} {
variable gui_ver
variable copyright_date
set apol_ver [apol_GetVersion]
set seuser_ver [seuser_GetVersion]
tk_messageBox -icon info -type ok -title "About SE Linux User Manager" \
-parent $SEUser_Top::mainframe \
-message \
"Security Enhanced Linux User Manager\n\n\Copyright (c) $copyright_date Tresys Technology, LLC\n\www.tresys.com/selinux\n\
GUI Version ($gui_ver)\nApol Lib Version ($apol_ver)\nSEUser Lib Version ($seuser_ver)"
return 0
}
proc SEUser_Top::helpDlg {} {
variable helpFilename
variable helpDlg
if { [winfo exists $helpDlg] } {
raise $helpDlg
return
}
toplevel $helpDlg
wm protocol $helpDlg WM_DELETE_WINDOW "destroy $helpDlg"
wm withdraw $helpDlg
wm title $helpDlg "Help"
set hbox [frame $helpDlg.hbox ]
set sw [ScrolledWindow $hbox.sw -auto both]
set resultsbox [text [$sw getframe].text -bg white -wrap none -font $SEUser_Top::text_font]
$sw setwidget $resultsbox
set okButton [Button $hbox.okButton -text "OK" \
-command "destroy $helpDlg"]
set script_dir [apol_GetScriptDir "seuser_help.txt"]
set helpFilename "$script_dir/seuser_help.txt"
pack $hbox -expand yes -fill both -padx 5 -pady 5
pack $okButton -side bottom
pack $sw -side left -expand yes -fill both
wm deiconify $helpDlg
set filename $helpFilename
set data [SEUser_Top:::readFile $filename]
if { $data != "" } {
$resultsbox delete 0.0 end
$resultsbox insert end $data
} else {
tk_messageBox -icon error -type ok -title "Help File Error" -parent $SEUser_Top::mainframe \
-message "Help file is not readable."
}
$resultsbox configure -state disabled
return 0
}
proc SEUser_Top::create_Main_ListBox { t_frame } {
set listbox_Users [ListBox $t_frame.listbox_Users -height 40 -width 80 \
-highlightthickness 2 -selectmode single \
-borderwidth 0 -bg white -redraw 0 -padx 0]
pack $listbox_Users -side left -fill both -expand yes -anchor nw
$listbox_Users bindText <Double-ButtonPress-1> { SEUser_Top::change_user }
return $listbox_Users
}
proc SEUser_Top::create_column_header_frame { parent } {
set tmp [frame $parent.column_frame]
pack $tmp -side top -fill x -anchor nw
return $tmp
}
proc SEUser_Top::create_listbox_frame { parent } {
set tmp [frame $parent.listbox_frame]
pack $tmp -side bottom -fill both -anchor nw -expand yes
return $tmp
}
proc SEUser_Top::create_TopLevel {} {
variable mainframe
variable b_lbl_user
variable b_lbl_type
variable b_lbl_roles
variable b_lbl_groups
variable listbox_Users
set descmenu {
"&Help" {} help 0 {
{command "&Help" {all option} "Display Help" {} -command SEUser_Top::helpDlg}
{command "&About" {all option} "Display About Box" {} -command SEUser_Top::aboutBox}
}
}
set mainframe [MainFrame .mainframe -menu $descmenu]
set frame [$mainframe getframe]
set t_frame [frame $frame.t_frame -relief flat -borderwidth 0]
set b_frame [frame $frame.b_frame -relief flat -borderwidth 0]
set users_frame [TitleFrame $t_frame.users_frame -text "System Users"]
set columns_f [SEUser_Top::create_column_header_frame [$users_frame getframe]]
set listbox_f [SEUser_Top::create_listbox_frame [$users_frame getframe]]
set b_lbl_user [Button $columns_f.b_lbl_user -text "User" \
-font $SEUser_Top::text_font -width 20 -pady 0 -padx 0 \
-command { SEUser_Top::sort_listbox_items user_name } -relief groove -bd 1]
set b_lbl_type [Button $columns_f.b_lbl_type -text "Policy Type" \
-font $SEUser_Top::text_font -width 14 -pady 0 -padx 0 \
-command { SEUser_Top::sort_listbox_items user_type } -relief groove -bd 1]
set b_lbl_roles [Button $columns_f.b_lbl_roles -text "Roles" \
-font $SEUser_Top::text_font -width 25 -pady 0 -padx 0 \
-command { SEUser_Top::sort_listbox_items user_roles } -relief groove -bd 1]
set b_lbl_groups [Button $columns_f.b_lbl_groups -text "Groups" \
-font $SEUser_Top::text_font -width 20 -pady 0 -padx 0 \
-command { SEUser_Top::sort_listbox_items user_groups } -relief groove -bd 1]
set user_sw [ScrolledWindow $listbox_f.user_sw -auto none -scrollbar vertical]
set listbox_Users [SEUser_Top::create_Main_ListBox $listbox_f]
$user_sw setwidget $listbox_Users
set b_add_user [Button $b_frame.b_add_user -text "Add" -width 10 -command { SEUser_Top::add_user } \
-helptext "Add user to selinux system."]
set b_change_user [Button $b_frame.b_change_user -text "View/Change" -width 10 -command { SEUser_Top::change_user [$SEUser_Top::listbox_Users selection get] } \
-helptext "Change user information"]
set b_del_user [Button $b_frame.b_del_user -text "Delete" -width 10 -command { SEUser_Top::delete_user } \
-helptext "Remove user from selinux system."]
set b_advanced [Button $b_frame.b_advanced -text "Advanced" -width 10 -command { SEUser_Top::display_advanced_Dlg} \
-helptext "Perform advanced policy user management tasks."]
set b_load_pol [Button $b_frame.b_load_pol -text "Update Policy" -width 10 -command { SEUser_Top::load_policy } \
-helptext "Load the selinux policy."]
set b_exit [Button $b_frame.b_exit -text "Exit" -width 10 -command { SEUser_Top::se_exit } \
-helptext "Exit SE Linux user manager tool."]
pack $user_sw -side left -anchor nw -fill both -expand yes
pack $b_frame -side bottom -padx 2 -anchor center
pack $t_frame -side top -fill both -expand yes
pack $users_frame -padx 2 -side bottom -fill both -expand yes
pack $b_lbl_user $b_lbl_type $b_lbl_roles -side left -anchor nw
pack $b_lbl_groups -side left -anchor center -fill x -expand yes
pack $b_add_user $b_change_user $b_del_user $b_advanced $b_load_pol $b_exit -side left -pady 2 -padx 4 -anchor center
pack $mainframe -side left -fill both -expand yes
bind [winfo parent $mainframe] <KeyPress-Delete> { SEUser_Top::delete_user }
update idletasks
return 0
}
proc SEUser_Top::main {} {
variable progressMsg
variable splashDlg
variable tmpfile
global tcl_platform
global tk_version
global tk_patchLevel
variable bwidget_version
rename send {}
set rt [catch {set bwidget_version [package require BWidget]} err]
if {$rt != 0 } {
tk_messageBox -icon error -type ok -title "Missing BWidgets package" \
-parent . \
-message \
"Missing BWidgets package. Ensure that your installed version of \n\
TCL/TK includes BWidgets, which can be found at\n\n\
http://sourceforge.net/projects/tcllib"
exit
}
if {[package vcompare $bwidget_version "1.4.1"] == -1} {
tk_messageBox -icon warning -type ok -title "Package Version" -parent . \
-message \
"This tool requires BWidgets 1.4.1 or later. You may experience problems\
while running the application. It is recommended that you upgrade your BWidgets\
package to version 1.4.1 or greater. See 'Help' for more information."
}
if {[package vcompare $bwidget_version "1.4.1"] && $tk_version == "8.3"} {
tk_messageBox -icon error -type ok -title "Warning" -parent . -message \
"Your installed Tk version $tk_version includes an incompatible BWidgets $bwidget_version package version. \
This has been known to cause a tk application to crash.\n\nIt is recommended that you either upgrade your \
Tk library to version 8.4 or greater or use BWidgets 1.4.1 instead. See the README for more information."
exit
}
set rt [catch {package require apol}]
if {$rt != 0 } {
tk_messageBox -icon error -type ok -title "Missing SE Linux package" \
-parent . \
-message \
"Missing the SE Linux package. This script will not\n\
work correctly using the generic TK wish program. You\n\
must either use the apol executable or the awish\n\
interpreter."
exit
}
option add *Font "Helvetica 10"
option add *TitleFrame.l.font "Helvetica 10 bold italic"
option add *Dialog*font "Helvetica 10"
option add *ListBox*font $SEUser_Top::text_font
option add *text*font $SEUser_Top::text_font
wm withdraw .
wm title . "SE Linux User Manager"
wm protocol . WM_DELETE_WINDOW "SEUser_Top::se_exit"
SEUser_Top::display_splashScreen
set progressMsg "Loading policy..."
update idletasks
set rt [catch {seuser_InitUserdb} err]
if {$rt != 0} {
tk_messageBox -icon error -type ok -title "Error" \
-parent . \
-message "$err\n\nCheck seuser.conf file for correct configuration"
exit
}
if { [seuser_Use_Old_Login_Contexts] == "1" } {
tk_messageBox -icon error -type ok -title "Error" \
-parent . \
-message "Cannot find /etc/security/default_contexts file."
exit
}
set rt [catch {set tmpfile [seuser_GetTmpMakeFileName]} err]
if {$rt != 0} {
tk_messageBox -icon error -type ok -title "Error" \
-parent . \
-message "$err"
return
}
set progressMsg "Initializing interface..."
SEUser_Top::create_TopLevel
update idletasks
SEUser_Top::initialize
SEUser_Top::destroy_splashScreen
set progressMsg ""
set width 740
set height 550
wm geom . ${width}x${height}
wm resizable . 1 1
wm deiconify .
raise .
focus -force .
return 0
}
namespace eval SEUser_Advanced {
variable notebook
variable b_exit
variable b_cancel
variable b_commit
variable advanced_Dlg
set advanced_Dlg .advanced_Dlg
variable generic_users_tabID "SEUser_Generic_Users"
variable usr_polMgnt_tabID "SEUser_SELinux_Users"
variable policy_changes_flag 0
SEUser_Top::set_trace_on_var "SEUser_Advanced" "policy_changes_flag"
}
proc SEUser_Advanced::change_buttons_state { changes } {
if { $changes == 1 } {
$SEUser_Advanced::b_exit configure -state disabled
$SEUser_Advanced::b_commit configure -state normal
$SEUser_Advanced::b_cancel configure -state normal
} else {
$SEUser_Advanced::b_exit configure -state normal
$SEUser_Advanced::b_commit configure -state disabled
$SEUser_Advanced::b_cancel configure -state disabled
}
return 0
}
proc SEUser_Advanced::display {} {
variable notebook
variable advanced_Dlg
global tcl_platform
if { [winfo exists $advanced_Dlg] } {
raise $advanced_Dlg
return
}
toplevel $advanced_Dlg
wm protocol $advanced_Dlg WM_DELETE_WINDOW "destroy $advanced_Dlg"
wm withdraw $advanced_Dlg
wm title $advanced_Dlg "Advanced Management"
set topf [frame $advanced_Dlg.topf -width 100 -height 200]
set botf [frame $advanced_Dlg.botf -width 100 -height 200]
pack $topf -side top -fill both -expand yes
pack $botf -side bottom -fill x -padx 5
set notebook [NoteBook $topf.notebook]
$notebook bindtabs <Button-1> { SEUser_Advanced::switch_tab }
SEUser_Advanced::createMainButtons $botf
SEUser_Generic_Users::create_GenericUsers_Tab $notebook
SEUser_SELinux_Users::create_UserPolicyMgnt_Tab $notebook
$notebook compute_size
pack $notebook -fill both -expand yes -padx 4 -pady 4
$notebook raise [$notebook page 0]
update idletasks
wm deiconify $advanced_Dlg
grab $advanced_Dlg
if {$tcl_platform(platform) == "windows"} {
wm resizable $SEUser_Advanced::::advanced_Dlg 0 0
} else {
bind $SEUser_Advanced::::advanced_Dlg <Configure> { wm geometry $SEUser_Advanced::::advanced_Dlg {} }
}
SEUser_Advanced::initialize
return 0
}
proc SEUser_Advanced::createMainButtons { b_frame } {
variable b_exit
variable b_cancel
variable b_commit
set b_commit [Button $b_frame.commit -text "Commit" -width 6 -command { [$SEUser_Advanced::notebook raise]::commit } \
-helptext "Permanently record changes to current user record."]
set b_cancel [Button $b_frame.cancel -text "Cancel" -width 6 -command { [$SEUser_Advanced::notebook raise]::cancel } \
-helptext "Discard changes made to current user record."]
set b_exit [Button $b_frame.exit -text "Exit" -width 6 -command { SEUser_Advanced::exit_advancedDlg } \
-helptext "Exit Advanced Management dialog."]
pack $b_commit $b_cancel -side left -pady 2 -padx 2
pack $b_exit -side right -pady 2 -padx 2
return 0
}
proc SEUser_Advanced::switch_tab { tabID } {
variable notebook
set tabID [SEUser_Top::get_tabname $tabID]
set raisedPage [$notebook raise]
if { $raisedPage == $tabID } {
return 0
}
${raisedPage}::leave_tab
${tabID}::enter_tab
$SEUser_Advanced::notebook raise $tabID
return 0
}
proc SEUser_Advanced::exit_advancedDlg { } {
variable policy_changes_flag
if {$SEUser_SELinux_Users::state(users_changed) > 0 || $SEUser_Generic_Users::state(roles_changed) > 0 || $SEUser_Generic_Users::state(user_u_changed) > 0 } {
set policy_changes_flag 1
}
destroy $SEUser_Advanced::advanced_Dlg
return 0
}
proc SEUser_Advanced::change_tab_state { state } {
variable notebook
variable generic_users_tabID
variable usr_polMgnt_tabID
set raisedPage [$notebook raise]
if { $raisedPage == $generic_users_tabID } {
$notebook itemconfigure $usr_polMgnt_tabID -state $state
} elseif { $raisedPage == $usr_polMgnt_tabID } {
$notebook itemconfigure $generic_users_tabID -state $state
} else {
puts "Cannot determine tab to disable/enable"
return -1
}
return 0
}
proc SEUser_Advanced::initialize { } {
SEUser_Generic_Users::initialize
SEUser_SELinux_Users::initialize
return 0
}
namespace eval SEUser_UserInfo {
variable notebook
variable userInfoDlg
set userInfoDlg .userInfoDlg
variable listbox_availRoles
variable listbox_assignedRoles
variable listbox_availableGroups
variable listbox_assignedGroups
variable g_add
variable g_remove
variable r_add
variable r_remove
variable b_add_change
variable b_cancel
variable b_exit
variable r_defined
variable r_generic
variable cb_newGroup
variable entry_userName
variable entry_comment
variable combo_initGroup
variable usr_type_lbl
variable lb_assignGroups
variable user_info_tabID "UserInfoTab"
variable adv_opts_tabID "AdvancedOptsTab"
variable special_usr_type "Special"
variable generic_usr_type "Generic"
variable def_user_type "Defined"
variable undef_user_type "Undefined"
variable useradd_args
set useradd_args(create_new_userGroup) 1
set useradd_args(create_systemAcct) 0
set useradd_args(do_not_create_home_dir) 0
set useradd_args(initGroup) ""
set useradd_args(comment) ""
set useradd_args(uid) ""
set useradd_args(passwd) ""
set useradd_args(passwd_expDays) ""
set useradd_args(account_expDate) ""
set useradd_args(login_shell) ""
set useradd_args(home_dir) ""
variable passwd_confirm ""
variable usr_type ""
variable usr_type_sel Defined
variable curr_policy_type ""
variable usr_name ""
variable current_user ""
variable mode ""
variable generic_user "user_u"
variable availGroups_list ""
variable assignedGroups_list ""
variable availRoles_list ""
variable assignedRoles_list ""
variable allGroups_list ""
variable allRoles_list ""
variable state
set state(edit) 0
set state(edit_type) "none"
set state(users_changed) 0
variable policy_changes_flag 0
SEUser_Top::set_trace_on_var "SEUser_UserInfo" "policy_changes_flag"
}
proc SEUser_UserInfo::change_user { } {
variable assignedGroups_list
variable assignedRoles_list
variable usr_name
variable useradd_args
variable state
if { $state(edit_type) != "change" } {
return
}
set command_args ""
set generic_flag 0
lappend command_args "-c"
lappend command_args "$useradd_args(comment)"
set command_args [lreplace $command_args 1 1 "[lindex $command_args 1]"]
lappend command_args "-g"
lappend command_args "$useradd_args(initGroup)"
lappend command_args "-G"
set groups_str ""
foreach group $assignedGroups_list {
append groups_str "$group,"
}
if { $groups_str != "" } {
set groups_str [string trimright $groups_str ","]
}
lappend command_args "$groups_str"
if { $SEUser_UserInfo::usr_type == "Generic" } {
set generic_flag 1
} elseif { $SEUser_UserInfo::usr_type == "Defined" || $SEUser_UserInfo::usr_type == "Special"} {
if { $assignedRoles_list == "" } {
tk_messageBox -icon error -type ok -parent $SEUser_UserInfo::userInfoDlg \
-title "Error" -message "Users must have at least one role defined for them."
return -1
}
set generic_flag 0
} else {
set generic_flag 1
}
set rt [catch {SEUser_db::change_user $usr_name $generic_flag $assignedRoles_list $command_args } err]
if { $rt != 0 } {
tk_messageBox -icon error -type ok -title "Error" -message "$err" -parent $SEUser_UserInfo::userInfoDlg
return -1
}
SEUser_Top::initialize
SEUser_UserInfo::set_UserInfo $usr_name
return 0
}
proc SEUser_UserInfo::add_user { } {
variable assignedGroups_list
variable assignedRoles_list
variable usr_type_sel
variable usr_name
variable useradd_args
if { $usr_name == "" } {
tk_messageBox -icon error -type ok -parent $SEUser_UserInfo::userInfoDlg \
-title "Error" -message "Must provide a user name."
return -1
}
if { [SEUser_db::is_system_user $usr_name] } {
tk_messageBox -icon error -type ok -parent $SEUser_UserInfo::userInfoDlg \
-title "Error" -message "User: $usr_name already exists on the system\
and will not be added. Select the user from\
the system users list to make changes."
return -1
}
if { ![SEUser_UserInfo::confirm_password] } {
tk_messageBox -icon error -type ok -parent $SEUser_UserInfo::userInfoDlg \
-title "Error" -message "Passwords do not match."
return -1
}
set command_args ""
if { $useradd_args(comment) != "" } {
lappend command_args "-c"
lappend command_args "$useradd_args(comment)"
set command_args [lreplace $command_args end end "[lindex $command_args end]"]
}
if { $useradd_args(home_dir) != "" } {
lappend command_args "-d"
lappend command_args "$useradd_args(home_dir)"
}
if { $useradd_args(account_expDate) != "" } {
lappend command_args "-e"
lappend command_args "$useradd_args(account_expDate)"
}
if { $useradd_args(passwd_expDays) != "" } {
lappend command_args "-f"
lappend command_args "$useradd_args(passwd_expDays)"
}
set init_group_idx [lsearch -exact $SEUser_UserInfo::allGroups_list $useradd_args(initGroup)]
if { $useradd_args(initGroup) != "" && $useradd_args(create_new_userGroup) == 0 } {
lappend command_args "-g"
lappend command_args "$useradd_args(initGroup)"
} elseif { $useradd_args(initGroup) != "" && $useradd_args(create_new_userGroup) == 1 && \
$init_group_idx != -1 } {
lappend command_args "-g"
lappend command_args "$useradd_args(initGroup)"
}
if { $assignedGroups_list != "" } {
lappend command_args "-G"
foreach group $assignedGroups_list {
append groups_str "$group,"
}
set groups_str [string trimright $groups_str ","]
lappend command_args "$groups_str"
}
if { $useradd_args(do_not_create_home_dir) } {
lappend command_args "-M"
} else {
lappend command_args "-m"
}
if { $useradd_args(login_shell) != "" } {
lappend command_args "-s"
lappend command_args "$useradd_args(login_shell)"
}
if { $useradd_args(uid) != "" } {
lappend command_args "-u"
lappend command_args "$useradd_args(uid)"
}
if { $useradd_args(create_new_userGroup) == 1 && $init_group_idx != -1 } {
lappend command_args "-n"
} elseif { $useradd_args(create_new_userGroup) == 0 } {
lappend command_args "-n"
}
if { $useradd_args(create_systemAcct) } {
lappend command_args "-r"
}
if { $usr_type_sel == "Generic" } {
set generic_flag 1
} elseif { $usr_type_sel == "Defined" } {
if { $assignedRoles_list == "" } {
tk_messageBox -icon error -type ok -parent $SEUser_UserInfo::userInfoDlg \
-title "Error" -message "Users must have at least one role defined for them."
return -1
}
set generic_flag 0
} else {
set generic_flag 1
}
set overwrite_policy 0
if { [SEUser_db::is_selinux_user $usr_name] } {
set ans [tk_messageBox -icon warning -type yesnocancel -parent $SEUser_UserInfo::userInfoDlg \
-title "Existing user" -message "User: $usr_name already exists in the policy. Do you wish to overwrite\
the current roles for $usr_name."]
switch -- $ans {
yes {
set overwrite_policy 1
}
cancel {
return
}
no { }
default { return -code error }
}
}
set rt [catch {SEUser_db::add_user $usr_name $generic_flag $assignedRoles_list $command_args $useradd_args(passwd) $overwrite_policy} err]
if { $rt != 0 } {
tk_messageBox -icon error -type ok -title "Error" -message "$err" -parent $SEUser_UserInfo::userInfoDlg
return -1
}
SEUser_Top::initialize
SEUser_Top::select_added_user $usr_name
SEUser_UserInfo::set_to_initial_add_state
raise $SEUser_UserInfo::userInfoDlg
focus -force $SEUser_UserInfo::entry_userName
return 0
}
proc SEUser_UserInfo::add_Role { idx } {
variable listbox_availRoles
variable listbox_assignedRoles
variable availRoles_list
variable assignedRoles_list
if { $idx == "" } {
return
}
set role [$listbox_availRoles get $idx]
set idx [lsearch -exact $availRoles_list $role]
set availRoles_list [lreplace $availRoles_list $idx $idx]
set assignedRoles_list [lappend assignedRoles_list $role]
set assignedRoles_list [lsort $assignedRoles_list]
set new_idx [lsearch -exact $assignedRoles_list $role]
$listbox_availRoles selection clear 0 end
$listbox_assignedRoles selection set $new_idx
$listbox_assignedRoles see $new_idx
SEUser_UserInfo::SetEditMode change
return 0
}
proc SEUser_UserInfo::remove_Role { idx } {
variable listbox_availRoles
variable listbox_assignedRoles
variable availRoles_list
variable assignedRoles_list
if { $idx == "" } {
return
}
set role [$listbox_assignedRoles get $idx]
set idx [lsearch -exact $assignedRoles_list $role]
set assignedRoles_list [lreplace $assignedRoles_list $idx $idx]
set availRoles_list [lappend availRoles_list $role]
set availRoles_list [lsort $availRoles_list]
set assignedRoles_list [lsort $assignedRoles_list]
set new_idx [lsearch -exact $availRoles_list $role]
$listbox_assignedRoles selection clear 0 end
$listbox_availRoles selection set $new_idx
$listbox_availRoles see $new_idx
SEUser_UserInfo::SetEditMode change
return 0
}
proc SEUser_UserInfo::add_Group { idx } {
variable listbox_assignedGroups
variable listbox_availableGroups
variable availGroups_list
variable assignedGroups_list
if { $idx == "" } {
return
}
set group [$listbox_availableGroups get $idx]
set idx [lsearch -exact $availGroups_list $group]
set availGroups_list [lreplace $availGroups_list $idx $idx]
set assignedGroups_list [lappend assignedGroups_list $group]
set assignedGroups_list [lsort $assignedGroups_list]
set new_idx [lsearch -exact $assignedGroups_list $group]
$listbox_availableGroups selection clear 0 end
$listbox_assignedGroups selection set $new_idx
$listbox_assignedGroups see $new_idx
SEUser_UserInfo::SetEditMode change
return 0
}
proc SEUser_UserInfo::remove_Group { idx } {
variable listbox_assignedGroups
variable listbox_availableGroups
variable availGroups_list
variable assignedGroups_list
if { $idx == "" } {
return
}
set group [$listbox_assignedGroups get $idx]
set idx [lsearch -exact $assignedGroups_list $group]
set assignedGroups_list [lreplace $assignedGroups_list $idx $idx]
set availGroups_list [lappend availGroups_list $group]
set availGroups_list [lsort $availGroups_list]
set assignedGroups_list [lsort $assignedGroups_list]
set new_idx [lsearch -exact $availGroups_list $group]
$listbox_assignedGroups selection clear 0 end
$listbox_availableGroups selection set $new_idx
$listbox_availableGroups see $new_idx
SEUser_UserInfo::SetEditMode change
return 0
}
proc SEUser_UserInfo::exit_userInfoDlg { } {
variable policy_changes_flag
if { $SEUser_UserInfo::state(users_changed) > 0 } {
set policy_changes_flag 1
}
destroy $SEUser_UserInfo::userInfoDlg
return 0
}
proc SEUser_UserInfo::change_init_group { } {
variable combo_initGroup
selection clear -displayof $combo_initGroup
SEUser_UserInfo::SetEditMode change
return 0
}
proc SEUser_UserInfo::cancel { } {
variable state
variable userInfoDlg
if { $state(edit) != 1 } {
return
}
switch -- $state(edit_type) {
add {
SEUser_UserInfo::unadd
}
change {
SEUser_UserInfo::unchange
}
default {
return -code error
}
}
raise $userInfoDlg
focus -force $SEUser_UserInfo::entry_userName
return 0
}
proc SEUser_UserInfo::commit { } {
variable state
variable userInfoDlg
if { $state(edit) != 1 } {
tk_messageBox -icon info -type ok -title "Commit Info" \
-message "There are no changes to commit!" \
-parent $SEUser_UserInfo::userInfoDlg
return
}
switch -- $state(edit_type) {
add {
set rt [SEUser_UserInfo::add_user]
}
change {
set rt [SEUser_UserInfo::change_user]
}
default {
return -code error
}
}
if { $rt != 0 } {
return -1
}
SEUser_UserInfo::SetEditMode commit
raise $userInfoDlg
focus -force $SEUser_UserInfo::entry_userName
return 0
}
proc SEUser_UserInfo::change_homeDir_state { entry_box } {
if { $SEUser_UserInfo::useradd_args(do_not_create_home_dir) } {
$entry_box configure -state disabled -bg $SEUser_Top::default_bg_color
} else {
$entry_box configure -state normal -bg white
}
return 0
}
proc SEUser_UserInfo::create_new_user_group { } {
variable combo_initGroup
selection clear -displayof $combo_initGroup
set user [$SEUser_UserInfo::entry_userName cget -text]
$SEUser_UserInfo::combo_initGroup configure -state disabled
set SEUser_UserInfo::useradd_args(initGroup) $user
return 0
}
proc SEUser_UserInfo::change_init_group_state { } {
if { $SEUser_UserInfo::useradd_args(create_new_userGroup) } {
$SEUser_UserInfo::combo_initGroup configure -state disabled -entrybg $SEUser_Top::default_bg_color
bind UserName_Entry_Tag <KeyPress> { SEUser_UserInfo::create_new_user_group }
SEUser_UserInfo::create_new_user_group
} else {
$SEUser_UserInfo::combo_initGroup configure -state normal -entrybg white
set SEUser_UserInfo::useradd_args(initGroup) ""
bind UserName_Entry_Tag <KeyPress> " "
}
return 0
}
proc SEUser_UserInfo::configure_on_type_sel { } {
variable userInfoDlg
variable curr_policy_type
variable mode
if { $curr_policy_type == $SEUser_UserInfo::usr_type_sel } {
return
}
SEUser_UserInfo::enable_default_tab_widgets
selection clear -displayof $userInfoDlg
set SEUser_UserInfo::availRoles_list $SEUser_UserInfo::allRoles_list
set SEUser_UserInfo::assignedRoles_list ""
switch $SEUser_UserInfo::usr_type_sel {
Defined {
set SEUser_UserInfo::usr_type $SEUser_UserInfo::def_user_type
}
Generic {
set SEUser_UserInfo::usr_type $SEUser_UserInfo::generic_usr_type
SEUser_UserInfo::disable_role_widgets
SEUser_UserInfo::set_role_info $SEUser_UserInfo::generic_user
}
Undefined {
set SEUser_UserInfo::usr_type $SEUser_db::undef_user_type
SEUser_UserInfo::disable_role_widgets
}
default {
return -code error
}
}
if { $mode == "add" } {
SEUser_UserInfo::change_init_group_state
}
set curr_policy_type $SEUser_UserInfo::usr_type_sel
SEUser_UserInfo::SetEditMode change
return 0
}
proc SEUser_UserInfo::populate_initGroups_list { combo group_list } {
update idletasks
$combo configure -values $group_list
return 0
}
proc SEUser_UserInfo::reset_option_variables { } {
set SEUser_UserInfo::useradd_args(create_new_userGroup) 1
set SEUser_UserInfo::useradd_args(create_systemAcct) 0
set SEUser_UserInfo::useradd_args(do_not_create_home_dir) 0
set SEUser_UserInfo::usr_type $SEUser_UserInfo::def_user_type
set SEUser_UserInfo::usr_type_sel Defined
set SEUser_UserInfo::curr_policy_type ""
set SEUser_UserInfo::usr_name ""
set SEUser_UserInfo::useradd_args(initGroup) ""
set SEUser_UserInfo::useradd_args(comment) ""
set SEUser_UserInfo::useradd_args(uid) ""
set SEUser_UserInfo::useradd_args(passwd) ""
set SEUser_UserInfo::passwd_confirm ""
set SEUser_UserInfo::useradd_args(passwd_expDays) ""
set SEUser_UserInfo::useradd_args(account_expDate) ""
set SEUser_UserInfo::useradd_args(login_shell) ""
set SEUser_UserInfo::useradd_args(home_dir) ""
set SEUser_UserInfo::availGroups_list $SEUser_UserInfo::allGroups_list
set SEUser_UserInfo::availRoles_list $SEUser_UserInfo::allRoles_list
set SEUser_UserInfo::assignedGroups_list ""
set SEUser_UserInfo::assignedRoles_list ""
return 0
}
proc SEUser_UserInfo::unchange { } {
variable state
variable current_user
if { $state(edit_type) != "change" } {
puts stderr "Cannot unchange a user because edit_type is $state(edit_type)"
return
}
SEUser_UserInfo::set_to_initial_change_state
SEUser_UserInfo::set_UserInfo $current_user
bind UserName_Entry_Tag <KeyPress> {SEUser_UserInfo::change_to_edit_mode %A %K}
bind Comment_Entry_Tag <KeyPress> {SEUser_UserInfo::change_to_edit_mode %A %K}
SEUser_UserInfo::SetEditMode unchange
return 0
}
proc SEUser_UserInfo::unadd { } {
variable state
if { $state(edit_type) != "add" } {
puts stderr "Cannot unadd a user because edit_type is $state(edit_type)"
return
}
SEUser_UserInfo::set_to_initial_add_state
SEUser_UserInfo::SetEditMode unadd
return 0
}
proc SEUser_UserInfo::close { } {
variable state
variable useradd_args
set SEUser_UserInfo::usr_type ""
set SEUser_UserInfo::usr_type_sel Defined
set SEUser_UserInfo::usr_name ""
set SEUser_UserInfo::passwd_confirm ""
set SEUser_UserInfo::availGroups_list ""
set SEUser_UserInfo::assignedGroups_list ""
set SEUser_UserInfo::availRoles_list ""
set SEUser_UserInfo::assignedRoles_list ""
set SEUser_UserInfo::allGroups_list ""
set SEUser_UserInfo::allRoles_list ""
set SEUser_UserInfo::current_user ""
set SEUser_UserInfo::mode ""
array unset state
array unset useradd_args
return 0
}
proc SEUser_UserInfo::disable_group_widgets { } {
$SEUser_UserInfo::combo_initGroup configure -state disabled -entrybg $SEUser_Top::default_bg_color
$SEUser_UserInfo::g_add configure -state disabled
$SEUser_UserInfo::g_remove configure -state disabled
$SEUser_UserInfo::listbox_availableGroups configure -bg $SEUser_Top::default_bg_color
$SEUser_UserInfo::listbox_assignedGroups configure -bg $SEUser_Top::default_bg_color
SEUser_Top::disable_tkListbox $SEUser_UserInfo::listbox_availableGroups
SEUser_Top::disable_tkListbox $SEUser_UserInfo::listbox_assignedGroups
set SEUser_UserInfo::availGroups_list $SEUser_UserInfo::allGroups_list
set SEUser_UserInfo::assignedGroups_list ""
return 0
}
proc SEUser_UserInfo::disable_role_widgets { } {
$SEUser_UserInfo::r_add configure -state disabled
$SEUser_UserInfo::r_remove configure -state disabled
$SEUser_UserInfo::listbox_availRoles configure -bg $SEUser_Top::default_bg_color
$SEUser_UserInfo::listbox_assignedRoles configure -bg $SEUser_Top::default_bg_color
SEUser_Top::disable_tkListbox $SEUser_UserInfo::listbox_availRoles
SEUser_Top::disable_tkListbox $SEUser_UserInfo::listbox_assignedRoles
set SEUser_UserInfo::availRoles_list $SEUser_UserInfo::allRoles_list
set SEUser_UserInfo::assignedRoles_list ""
return 0
}
proc SEUser_UserInfo::set_to_default_state { event_type {user_selected ""} } {
switch $event_type {
add {
SEUser_UserInfo::set_to_initial_add_state
}
change {
SEUser_UserInfo::set_to_initial_change_state
SEUser_UserInfo::set_UserInfo $user_selected
}
default {
return -code error
}
}
return 0
}
proc SEUser_UserInfo::initialize { event_type user_selected } {
set SEUser_UserInfo::mode $event_type
set SEUser_UserInfo::availGroups_list ""
set SEUser_UserInfo::assignedGroups_list ""
set SEUser_UserInfo::availRoles_list ""
set SEUser_UserInfo::assignedRoles_list ""
set SEUser_UserInfo::allGroups_list [SEUser_db::get_list groups]
set SEUser_UserInfo::allRoles_list [SEUser_db::get_list roles]
SEUser_UserInfo::set_to_default_state $event_type $user_selected
SEUser_UserInfo::SetEditMode init
return 0
}
proc SEUser_UserInfo::set_to_initial_add_state { } {
SEUser_UserInfo::reset_option_variables
SEUser_UserInfo::disable_default_option_widgets
SEUser_UserInfo::disable_advanced_tab_widgets
$SEUser_UserInfo::lb_assignGroups configure -text "Additional Groups"
$SEUser_UserInfo::b_add_change configure -text "Add"
if {![SEUser_db::is_generic_user_defined]} {
$SEUser_UserInfo::r_generic configure -text "$SEUser_UserInfo::undef_user_type" -value Undefined
}
bind UserName_Entry_Tag <KeyPress> { SEUser_UserInfo::change_to_edit_mode %A %K}
return 0
}
proc SEUser_UserInfo::set_to_initial_change_state { } {
SEUser_UserInfo::reset_option_variables
SEUser_UserInfo::enable_default_tab_widgets
destroy $SEUser_UserInfo::cb_newGroup
$SEUser_UserInfo::entry_userName configure -state disabled -bg $SEUser_Top::default_bg_color
$SEUser_UserInfo::lb_assignGroups configure -text "Additional Groups"
bind UserName_Entry_Tag <KeyPress> { SEUser_UserInfo::change_to_edit_mode %A %K}
bind Comment_Entry_Tag <KeyPress> { SEUser_UserInfo::change_to_edit_mode %A %K}
return 0
}
proc SEUser_UserInfo::disable_default_option_widgets { } {
$SEUser_UserInfo::r_defined configure -state disabled
$SEUser_UserInfo::r_generic configure -state disabled
$SEUser_UserInfo::g_add configure -state disabled
$SEUser_UserInfo::g_remove configure -state disabled
$SEUser_UserInfo::entry_comment configure -state disabled -bg $SEUser_Top::default_bg_color
$SEUser_UserInfo::lbl_type configure -state disabled
$SEUser_UserInfo::usr_type_lbl configure -state disabled
$SEUser_UserInfo::lbl_initGroup configure -state disabled
$SEUser_UserInfo::lbl_comment configure -state disabled
$SEUser_UserInfo::combo_initGroup configure -state disabled -entrybg $SEUser_Top::default_bg_color
$SEUser_UserInfo::entry_userName configure -state normal -bg white
focus -force $SEUser_UserInfo::entry_userName
SEUser_UserInfo::disable_group_widgets
SEUser_UserInfo::disable_role_widgets
set SEUser_UserInfo::usr_type_sel Defined
set SEUser_UserInfo::curr_policy_type $SEUser_UserInfo::usr_type_sel
return 0
}
proc SEUser_UserInfo::disable_advanced_tab_widgets { } {
$SEUser_UserInfo::cb_newGroup configure -state disabled
$SEUser_UserInfo::cb_home_dir configure -state disabled
$SEUser_UserInfo::cb_systemAcct configure -state disabled
$SEUser_UserInfo::entry_uid configure -state disabled -bg $SEUser_Top::default_bg_color
$SEUser_UserInfo::entry_passwd configure -state disabled -bg $SEUser_Top::default_bg_color
$SEUser_UserInfo::entry_passwd_confirm configure -state disabled -bg $SEUser_Top::default_bg_color
$SEUser_UserInfo::entry_passwd_expDays configure -state disabled -bg $SEUser_Top::default_bg_color
$SEUser_UserInfo::entry_account_expDate configure -state disabled -bg $SEUser_Top::default_bg_color
$SEUser_UserInfo::entry_login_shell configure -state disabled -bg $SEUser_Top::default_bg_color
$SEUser_UserInfo::entry_home_dir configure -state disabled -bg $SEUser_Top::default_bg_color
$SEUser_UserInfo::lbl_uid configure -state disabled
$SEUser_UserInfo::lbl_passwd configure -state disabled
$SEUser_UserInfo::lbl_passwd_confirm configure -state disabled
$SEUser_UserInfo::lbl_passwd_expDays configure -state disabled
$SEUser_UserInfo::lbl_account_expDate configure -state disabled
$SEUser_UserInfo::lbl_login_shell configure -state disabled
$SEUser_UserInfo::lbl_home_dir configure -state disabled
return 0
}
proc SEUser_UserInfo::enable_advanced_tab_widgets { } {
$SEUser_UserInfo::cb_newGroup configure -state normal
$SEUser_UserInfo::cb_home_dir configure -state normal
$SEUser_UserInfo::cb_systemAcct configure -state normal
$SEUser_UserInfo::entry_uid configure -state normal -bg white
$SEUser_UserInfo::entry_passwd configure -state normal -bg white
$SEUser_UserInfo::entry_passwd_confirm configure -state normal -bg white
$SEUser_UserInfo::entry_passwd_expDays configure -state normal -bg white
$SEUser_UserInfo::entry_account_expDate configure -state normal -bg white
$SEUser_UserInfo::entry_login_shell configure -state normal -bg white
$SEUser_UserInfo::entry_home_dir configure -state normal -bg white
$SEUser_UserInfo::lbl_uid configure -state normal
$SEUser_UserInfo::lbl_passwd configure -state normal
$SEUser_UserInfo::lbl_passwd_confirm configure -state normal
$SEUser_UserInfo::lbl_passwd_expDays configure -state normal
$SEUser_UserInfo::lbl_account_expDate configure -state normal
$SEUser_UserInfo::lbl_login_shell configure -state normal
$SEUser_UserInfo::lbl_home_dir configure -state normal
return 0
}
proc SEUser_UserInfo::change_buttons_state { changes } {
if { $changes == 1 } {
$SEUser_UserInfo::b_add_change configure -state normal
$SEUser_UserInfo::b_cancel configure -state normal
$SEUser_UserInfo::b_exit configure -state disabled
} else {
$SEUser_UserInfo::b_add_change configure -state disabled
$SEUser_UserInfo::b_cancel configure -state disabled
$SEUser_UserInfo::b_exit configure -state normal
}
return 0
}
proc SEUser_UserInfo::change_to_edit_mode { key_pressed keySym } {
set len [string length $key_pressed]
set bool1 [expr {[string is alnum $key_pressed] && $len == 1}]
set bool2 [expr {[string is punct $key_pressed] && $len == 1}]
set bool3 [expr {[string is space $key_pressed] && $keySym == "space"}]
set bool [expr {$bool1 || $bool2 || $bool3 || $keySym == "BackSpace"}]
if { $bool } {
bind UserName_Entry_Tag <KeyPress> " "
bind Comment_Entry_Tag <KeyPress> " "
if { $SEUser_UserInfo::mode == "add" } {
SEUser_UserInfo::enable_default_tab_widgets
SEUser_UserInfo::change_init_group_state
SEUser_UserInfo::create_new_user_group
SEUser_UserInfo::enable_advanced_tab_widgets
SEUser_UserInfo::SetEditMode add
} else {
SEUser_UserInfo::SetEditMode change
}
}
return 0
}
proc SEUser_UserInfo::enable_default_tab_widgets { } {
$SEUser_UserInfo::r_defined configure -state normal
$SEUser_UserInfo::r_generic configure -state normal
$SEUser_UserInfo::g_add configure -state normal
$SEUser_UserInfo::g_remove configure -state normal
$SEUser_UserInfo::r_add configure -state normal
$SEUser_UserInfo::r_remove configure -state normal
$SEUser_UserInfo::entry_comment configure -state normal -bg white
$SEUser_UserInfo::combo_initGroup configure -state normal -entrybg white
$SEUser_UserInfo::lbl_type configure -state normal
$SEUser_UserInfo::usr_type_lbl configure -state normal
$SEUser_UserInfo::lbl_comment configure -state normal
$SEUser_UserInfo::lbl_initGroup configure -state normal
SEUser_Top::enable_tkListbox $SEUser_UserInfo::listbox_availRoles
SEUser_Top::enable_tkListbox $SEUser_UserInfo::listbox_assignedRoles
SEUser_Top::enable_tkListbox $SEUser_UserInfo::listbox_availableGroups
SEUser_Top::enable_tkListbox $SEUser_UserInfo::listbox_assignedGroups
$SEUser_UserInfo::listbox_availRoles configure -bg white
$SEUser_UserInfo::listbox_assignedRoles configure -bg white
$SEUser_UserInfo::listbox_availableGroups configure -bg white
$SEUser_UserInfo::listbox_assignedGroups configure -bg white
return 0
}
proc SEUser_UserInfo::confirm_password { } {
if { $SEUser_UserInfo::useradd_args(passwd) == $SEUser_UserInfo::passwd_confirm } {
return 1
}
return 0
}
proc SEUser_UserInfo::set_role_info { user } {
set rt [catch {set SEUser_UserInfo::assignedRoles_list [SEUser_db::get_user_roles $user]} err]
if { $rt != 0 } {
tk_messageBox -icon error -type ok -title "Error" -message "$err" -parent $SEUser_UserInfo::userInfoDlg
return -1
}
SEUser_Top::check_list_for_redundancy "SEUser_UserInfo::availRoles_list" "SEUser_UserInfo::assignedRoles_list"
return 0
}
proc SEUser_UserInfo::set_group_info { user } {
variable assignedGroups_list
set SEUser_UserInfo::availGroups_list $SEUser_UserInfo::allGroups_list
set rt [catch {set SEUser_UserInfo::assignedGroups_list [SEUser_db::get_user_groups $user]} err]
if { $rt != 0 } {
tk_messageBox -icon error -type ok -title "Groups Error" \
-parent $SEUser_UserInfo::userInfoDlg \
-message "$err"
return
}
if {$assignedGroups_list != ""} {
set SEUser_UserInfo::useradd_args(initGroup) [lindex $assignedGroups_list 0]
set idx [lsearch -exact $SEUser_UserInfo::assignedGroups_list $SEUser_UserInfo::useradd_args(initGroup)]
if { $idx != -1 } {
set SEUser_UserInfo::assignedGroups_list [lreplace $SEUser_UserInfo::assignedGroups_list $idx $idx]
}
SEUser_Top::check_list_for_redundancy "SEUser_UserInfo::availGroups_list" "SEUser_UserInfo::assignedGroups_list"
}
return 0
}
proc SEUser_UserInfo::set_UserInfo { user } {
variable usr_type_sel
variable r_defined
variable r_generic
variable current_user
variable entry_comment
variable useradd_args
if {![SEUser_db::is_generic_user_defined]} {
$r_generic configure -text "$SEUser_UserInfo::undef_user_type" -value Undefined
}
set SEUser_UserInfo::usr_name $user
set SEUser_UserInfo::current_user $user
set SEUser_UserInfo::usr_type [SEUser_db::get_user_type $user]
switch $SEUser_UserInfo::usr_type \
$SEUser_UserInfo::def_user_type {
set usr_type_sel Defined
if { ![SEUser_db::is_system_user $user] } {
$entry_comment configure -state disabled -state disabled -bg $SEUser_Top::default_bg_color
SEUser_UserInfo::disable_group_widgets
}
} \
$SEUser_UserInfo::generic_usr_type {
set usr_type_sel Generic
SEUser_UserInfo::disable_role_widgets
} \
$SEUser_UserInfo::special_usr_type {
set usr_type_sel Defined
$r_defined configure -state disabled
$r_generic configure -state disabled
if { ![SEUser_db::is_system_user $user] } {
$entry_comment configure -state disabled -state disabled -bg $SEUser_Top::default_bg_color
SEUser_UserInfo::disable_group_widgets
}
} \
$SEUser_UserInfo::undef_user_type {
set usr_type_sel Undefined
SEUser_UserInfo::disable_role_widgets
} \
default {
return -code error
}
SEUser_UserInfo::set_role_info $user
set SEUser_UserInfo::curr_policy_type $usr_type_sel
set rt [catch {set SEUser_UserInfo::useradd_args(comment) [SEUser_db::get_sysUser_data_field $user comment]} err]
if { $rt != 0 } {
tk_messageBox -icon error -type ok -title "Error" -message "$err" -parent $SEUser_UserInfo::userInfoDlg
set useradd_args(comment) ""
$entry_comment configure -state disabled -bg $SEUser_Top::default_bg_color
}
SEUser_UserInfo::set_group_info $user
return 0
}
proc SEUser_UserInfo::SetEditMode { mode } {
variable state
switch -- $mode {
add {
set state(edit) 1
set state(edit_type) "add"
set state(users_changed) [expr $state(users_changed) + 1]
}
commit {
set state(edit) 0
set state(edit_type) "none"
}
init {
set state(edit) 0
set state(edit_type) "none"
set state(users_changed) 0
}
change {
if { $state(edit) == 1 && $state(edit_type) == "add" } {
return
}
if { $state(edit) == 1 && $state(edit_type) == "change" } {
return
}
set state(edit) 1
set state(edit_type) "change"
set state(users_changed) 1
}
unchange {
set state(edit) 0
set state(edit_type) "none"
set state(users_changed) [expr $state(users_changed) - 1]
}
unadd {
set state(edit) 0
set state(edit_type) "none"
set state(users_changed) [expr $state(users_changed) - 1]
}
default {
return -code error
}
}
SEUser_UserInfo::change_buttons_state $state(edit)
return 0
}
proc SEUser_UserInfo::create_AdvancedOpts_Frame { mainframe } {
variable cb_home_dir
variable cb_systemAcct
variable entry_uid
variable entry_passwd
variable entry_passwd_confirm
variable entry_passwd_expDays
variable entry_account_expDate
variable entry_login_shell
variable entry_home_dir
variable lbl_uid
variable lbl_passwd
variable lbl_passwd_confirm
variable lbl_passwd_expDays
variable lbl_account_expDate
variable lbl_login_shell
variable lbl_home_dir
set top_f [TitleFrame $mainframe.top_f]
set mid_f [TitleFrame $mainframe.mid_f]
set bot_f [TitleFrame $mainframe.bot_f]
set top_in_t [frame [$top_f getframe].top_in_t -relief flat -borderwidth 0]
set top_in_b [frame [$top_f getframe].top_in_b -relief flat -borderwidth 0]
set top_in_bl [frame $top_in_b.top_in_bl -relief flat -borderwidth 0]
set top_in_br [frame $top_in_b.top_in_br -relief flat -borderwidth 0]
set mid_in_t [frame [$mid_f getframe].mid_in_t -relief flat -borderwidth 0]
set mid_in_b [frame [$mid_f getframe].mid_in_b -relief flat -borderwidth 0]
set mid_in_bl [frame $mid_in_b.mid_in_bl -relief flat -borderwidth 0]
set mid_in_bc [frame $mid_in_b.mid_in_bc -relief flat -borderwidth 0]
set mid_in_br [frame $mid_in_b.mid_in_br -relief flat -borderwidth 0]
set bot_in_f [frame [$bot_f getframe].bot_in_f -relief flat -borderwidth 0]
set bot_in_l [frame $bot_in_f.bot_in_l -relief flat -borderwidth 0]
set bot_in_r [frame $bot_in_f.bot_in_r -relief flat -borderwidth 0]
set lbl_uid [Label $top_in_t.lbl_uid -text "UID:"]
set entry_uid [Entry $top_in_t.entry_uid -textvariable SEUser_UserInfo::useradd_args(uid) -width 15]
set lbl_passwd_expDays [Label $top_in_bl.lbl_passwd_expDays -text "Days before account inactive (-1 to disable):"]
set cb_systemAcct [checkbutton $top_in_t.cb_systemAcct -text "Create System Account" \
-variable SEUser_UserInfo::useradd_args(create_systemAcct)]
set entry_passwd_expDays [Entry $top_in_br.entry_passwd_expDays -textvariable SEUser_UserInfo::useradd_args(passwd_expDays) -width 15]
set lbl_account_expDate [Label $top_in_bl.lbl_account_expDate -text "Account Expires on date (YYYY-MM-DD):"]
set entry_account_expDate [Entry $top_in_br.entry_account_expDate -textvariable SEUser_UserInfo::useradd_args(account_expDate) -width 15]
set lbl_home_dir [Label $mid_in_bl.lbl_home_dir -text "Home Directory:"]
set entry_home_dir [Entry $mid_in_bc.entry_home_dir -textvariable SEUser_UserInfo::useradd_args(home_dir) -width 15]
set cb_home_dir [checkbutton $mid_in_br.cb_home_dir -text "Do not create home directory" \
-variable SEUser_UserInfo::useradd_args(do_not_create_home_dir) \
-command { SEUser_UserInfo::change_homeDir_state $SEUser_UserInfo::entry_home_dir}]
set lbl_login_shell [Label $mid_in_bl.lbl_login_shell -text "Log-in shell:"]
set entry_login_shell [Entry $mid_in_bc.entry_login_shell -textvariable SEUser_UserInfo::useradd_args(login_shell) -width 15]
set lbl_passwd [Label $bot_in_l.lbl_passwd -text "Password:"]
set lbl_passwd_confirm [Label $bot_in_l.lbl_passwd_confirm -text "Confirm Password:"]
set entry_passwd [Entry $bot_in_r.entry_passwd -textvariable SEUser_UserInfo::useradd_args(passwd) -width 15 -show "*"]
set entry_passwd_confirm [Entry $bot_in_r.entry_passwd_confirm -textvariable SEUser_UserInfo::passwd_confirm -width 15 -show "*"]
pack $top_f $mid_f -side top -anchor nw -fill x
pack $bot_f -side top -anchor nw -fill both -expand yes
pack $top_in_t $top_in_b -side top -anchor nw -fill x -padx 2 -pady 2
pack $top_in_bl $top_in_br -side left -anchor nw -fill x -expand yes
pack $mid_in_t $mid_in_b -side top -anchor nw -fill x -padx 2 -pady 2
pack $mid_in_bl $mid_in_bc $mid_in_br -side left -anchor nw -fill x
pack $bot_in_f -side top -anchor nw -fill x -padx 2 -pady 2
pack $bot_in_l $bot_in_r -side left -anchor nw -fill x
pack $lbl_uid -side left -anchor nw -fill x
pack $entry_uid -side left -anchor nw -fill x -expand yes -padx 2
pack $cb_systemAcct -side right -anchor ne
pack $lbl_passwd_expDays $lbl_account_expDate -side top -anchor nw -pady 4
pack $entry_passwd_expDays $entry_account_expDate -side top -fill x -expand yes -anchor nw -pady 4
pack $lbl_home_dir $lbl_login_shell -side top -anchor nw -pady 4
pack $entry_home_dir $entry_login_shell -side top -anchor nw -fill x -expand yes -pady 4
pack $cb_home_dir -side left -anchor nw -pady 4
pack $lbl_passwd $lbl_passwd_confirm -side top -anchor nw -pady 4
pack $entry_passwd $entry_passwd_confirm -side top -anchor nw -fill x -pady 4
return 0
}
proc SEUser_UserInfo::createUserInfoFrame { mainframe } {
variable entry_userName
variable usr_type_lbl
variable r_defined
variable r_generic
variable entry_comment
variable lbl_type
variable usr_type_lbl
variable lbl_comment
set userInfo_f [TitleFrame $mainframe.userInfo_f]
set t_frame [frame [$userInfo_f getframe].t_frame -relief flat -borderwidth 0]
set t_frame_t [frame $t_frame.t_frame_t -relief flat -borderwidth 0]
set t_frame_m [frame $t_frame.t_frame_m -relief flat -borderwidth 0]
set t_frame_lm [frame $t_frame_m.t_frame_ml -relief flat -borderwidth 0]
set t_frame_rm [frame $t_frame_m.t_frame_mr -relief flat -borderwidth 0]
set t_frame_b [frame $t_frame.t_frame_b -relief flat -borderwidth 0]
set b_frame [frame [$userInfo_f getframe].b_frame -relief flat -borderwidth 0]
set b_frame_t [frame $b_frame.b_frame_t -relief flat -borderwidth 0]
set b_frame_b [frame $b_frame.b_frame_b -relief flat -borderwidth 0]
pack $t_frame -side top -anchor n -fill x
pack $t_frame_t -side top -anchor nw -fill x
pack $t_frame_m -side top -anchor nw -pady 4
pack $t_frame_lm -side left -anchor nw -fill x -expand yes -ipadx 20
pack $t_frame_rm -side left -anchor nw -padx 30
pack $t_frame_b -side top -anchor nw -fill x -expand yes -pady 2
pack $b_frame -side bottom -after $t_frame -anchor s -fill x
pack $b_frame_t -side left -anchor sw
pack $b_frame_b -side left -anchor se -padx 5
pack $userInfo_f -side top -fill both -expand yes -padx 5 -pady 2
set lbl_usr [Label $t_frame_t.lbl_usr -text "User Name:"]
set lbl_type [Label $t_frame_t.lbl_type -text "Type:"]
set usr_type_lbl [Label $t_frame_t.usr_type_lbl -textvariable SEUser_UserInfo::usr_type]
set entry_userName [Entry $t_frame_t.entry_user_login -textvariable SEUser_UserInfo::usr_name -width 28]
pack $lbl_usr -side left -anchor nw
pack $entry_userName -anchor nw -side left -expand yes
pack $lbl_type -side left -anchor ne
pack $usr_type_lbl -side left -after $lbl_type -anchor ne
set lbl_comment [Label $t_frame_b.lbl_comment -text "Comment:"]
set entry_comment [Entry $t_frame_b.entry_comment -textvariable SEUser_UserInfo::useradd_args(comment) -width 15]
pack $lbl_comment -side left -anchor nw
pack $entry_comment -side left -anchor nw -fill x -expand yes -padx 6
set r_defined [radiobutton $t_frame_rm.r_defined -text "Defined" \
-variable SEUser_UserInfo::usr_type_sel -value Defined \
-command { SEUser_UserInfo::configure_on_type_sel }]
set r_generic [radiobutton $t_frame_rm.r_generic -text "Generic" \
-variable SEUser_UserInfo::usr_type_sel -value Generic \
-command { SEUser_UserInfo::configure_on_type_sel }]
pack $r_defined $r_generic -side left -anchor nw
bindtags $entry_userName { $entry_userName Entry UserName_Entry_Tag \
[winfo toplevel $entry_userName] all }
bindtags $entry_comment { $entry_comment Entry Comment_Entry_Tag \
[winfo toplevel $entry_comment] all }
return 0
}
proc SEUser_UserInfo::createGroupsFrame { mainframe } {
variable listbox_availableGroups
variable listbox_assignedGroups
variable g_add
variable g_remove
variable lbl_initGroup
variable lb_assignGroups
variable combo_initGroup
variable cb_newGroup
set groups_f [TitleFrame $mainframe.groups_f -text "Groups"]
set t_frame [frame [$groups_f getframe].t_frame -relief flat -borderwidth 0]
set b_frame [frame [$groups_f getframe].b_frame -relief flat -borderwidth 0]
set lf [LabelFrame $b_frame.lf -relief flat -borderwidth 0]
set cf [frame $b_frame.cf -relief flat -borderwidth 0]
set rf [LabelFrame $b_frame.rf -relief flat -borderwidth 0]
set lf_inner_top [frame [$lf getframe].in_top]
set lf_inner_bot [ScrolledWindow [$lf getframe].in_bot]
set rf_inner_top [frame [$rf getframe].in_top]
set rf_inner_bot [ScrolledWindow [$rf getframe].in_bot]
pack $groups_f -side top -fill x -anchor n -expand yes -padx 5 -pady 2
pack $t_frame -side top -fill x -anchor nw -expand yes -pady 2
pack $b_frame -side bottom -fill x -anchor nw -expand yes -pady 4
pack $lf -side left -anchor w -expand yes
pack $lf_inner_top -side top -anchor n -fill x
pack $lf_inner_bot -side bottom -anchor s -fill x -expand yes
pack $cf -side left -anchor center -expand yes
pack $rf -side right -anchor e -expand yes
pack $rf_inner_top -side top -anchor n -fill x
pack $rf_inner_bot -side bottom -anchor s -fill x -expand yes
set lbl_initGroup [Label $t_frame.lbl_initGroup -text "Initial Group:" -justify left]
set combo_initGroup [ComboBox $t_frame.combo_initGroup -textvariable SEUser_UserInfo::useradd_args(initGroup) -width 15 \
-postcommand {SEUser_UserInfo::populate_initGroups_list $SEUser_UserInfo::combo_initGroup $SEUser_UserInfo::allGroups_list} \
-modifycmd {SEUser_UserInfo::change_init_group} -editable 0]
set cb_newGroup [checkbutton $t_frame.cb_newGroup -text "Create New Group" \
-variable SEUser_UserInfo::useradd_args(create_new_userGroup) \
-command { SEUser_UserInfo::change_init_group_state }]
pack $lbl_initGroup -side left -anchor nw
pack $combo_initGroup -side left -anchor ne -padx 5
pack $cb_newGroup -side left -anchor ne -padx 5
set lb_availGroups [Label $lf_inner_top.lb_availGroups -text "Available Groups"]
set lb_assignGroups [Label $rf_inner_top.lb_assignGroups -text ""]
set listbox_availableGroups [listbox [$lf_inner_bot getframe].listbox_availableGroups -height 6 \
-width 20 -highlightthickness 0 \
-listvar SEUser_UserInfo::availGroups_list]
set listbox_assignedGroups [listbox [$rf_inner_bot getframe].listbox_assignedGroups -height 6 \
-width 20 -highlightthickness 0 \
-listvar SEUser_UserInfo::assignedGroups_list]
$lf_inner_bot setwidget $listbox_availableGroups
$rf_inner_bot setwidget $listbox_assignedGroups
bindtags $listbox_availableGroups [linsert [bindtags $listbox_availableGroups] 3 AvailGroups_Tag]
bindtags $listbox_assignedGroups [linsert [bindtags $listbox_assignedGroups] 3 CurrGroups_Tag]
set g_add [Button $cf.add -text "-->" -width 6 \
-command { SEUser_UserInfo::add_Group [$SEUser_UserInfo::listbox_availableGroups curselection] } \
-helptext "Add group"]
set g_remove [Button $cf.remove -text "<--" -width 6 -command \
{ SEUser_UserInfo::remove_Group [$SEUser_UserInfo::listbox_assignedGroups curselection] } \
-helptext "Remove group"]
pack $lb_availGroups -side top
pack $lb_assignGroups -side top
pack $g_add $g_remove -side top -anchor center -pady 5 -padx 5
return 0
}
proc SEUser_UserInfo::createRolesFrame { mainframe } {
variable listbox_availRoles
variable listbox_assignedRoles
variable r_add
variable r_remove
set roles_f [TitleFrame $mainframe.roles_f -text "Roles"]
set lf [LabelFrame [$roles_f getframe].lf -relief flat -borderwidth 0]
set cf [frame [$roles_f getframe].cf -relief flat -borderwidth 0]
set rf [LabelFrame [$roles_f getframe].rf -relief flat -borderwidth 0]
set lf_inner_top [frame [$lf getframe].in_top]
set lf_inner_bot [ScrolledWindow [$lf getframe].in_bot]
set rf_inner_top [frame [$rf getframe].in_top]
set rf_inner_bot [ScrolledWindow [$rf getframe].in_bot]
pack $roles_f -side top -fill both -expand yes -padx 5 -pady 2
pack $lf -side left -anchor w -expand yes
pack $lf_inner_top -side top -anchor n -fill x
pack $lf_inner_bot -side bottom -anchor s -fill x -expand yes
pack $cf -side left -anchor center -expand yes
pack $rf -side right -anchor e -expand yes
pack $rf_inner_top -side top -anchor n -fill x
pack $rf_inner_bot -side bottom -anchor s -fill x -expand yes
set lb_availRoles [Label $lf_inner_top.lb_availRoles -text "Available Roles"]
set lb_currentRoles [Label $rf_inner_top.lb_currentRoles -text "Assigned Roles"]
set listbox_availRoles [listbox [$lf_inner_bot getframe].listbox_availRoles \
-height 6 -width 20 -highlightthickness 0 \
-listvar SEUser_UserInfo::availRoles_list]
set listbox_assignedRoles [listbox [$rf_inner_bot getframe].listbox_availableGroups \
-height 6 -width 20 -highlightthickness 0 \
-listvar SEUser_UserInfo::assignedRoles_list]
$lf_inner_bot setwidget $listbox_availRoles
$rf_inner_bot setwidget $listbox_assignedRoles
bindtags $listbox_availRoles [linsert [bindtags $listbox_availRoles] 3 AvailRoles_Tag]
bindtags $listbox_assignedRoles [linsert [bindtags $listbox_assignedRoles] 3 CurrRoles_Tag]
set r_add [Button $cf.add -text "-->" -width 6 \
-command { SEUser_UserInfo::add_Role [$SEUser_UserInfo::listbox_availRoles curselection] } \
-helptext "Add a new role to the user account"]
set r_remove [Button $cf.remove -text "<--" -width 6 \
-command { SEUser_UserInfo::remove_Role [$SEUser_UserInfo::listbox_assignedRoles curselection]} \
-helptext "Remove a role from the user account"]
pack $lb_availRoles -side top
pack $r_add $r_remove -side top -anchor center -pady 5 -padx 5
pack $lb_currentRoles -side top
return 0
}
proc SEUser_UserInfo::create_UserInfo_Tab { notebook } {
set frame [$notebook insert end $SEUser_UserInfo::user_info_tabID -text "Properties"]
set mainframe [frame $frame.topf -width 100 -height 200]
pack $mainframe -fill both -expand yes
SEUser_UserInfo::createUserInfoFrame $mainframe
SEUser_UserInfo::createGroupsFrame $mainframe
SEUser_UserInfo::createRolesFrame $mainframe
return 0
}
proc SEUser_UserInfo::create_AdvancedOpts_Tab { notebook } {
set frame [$notebook insert end $SEUser_UserInfo::adv_opts_tabID -text "Advanced Options"]
set mainframe [frame $frame.topf -width 100 -height 200]
pack $mainframe -fill both -expand yes
SEUser_UserInfo::create_AdvancedOpts_Frame $mainframe
return 0
}
proc SEUser_UserInfo::display { event_type { user_selected "" } } {
variable notebook
variable userInfoDlg
variable b_add_change
variable b_cancel
variable b_exit
global tcl_platform
if { [winfo exists $userInfoDlg] } {
raise $userInfoDlg
return
}
toplevel $userInfoDlg
wm protocol $userInfoDlg WM_DELETE_WINDOW "destroy $userInfoDlg"
wm withdraw $userInfoDlg
set topf [frame $userInfoDlg.topf -width 100 -height 200]
set botf [frame $userInfoDlg.botf -width 100 -height 200]
pack $topf -side top -fill both -expand yes
pack $botf -side bottom -anchor center -fill x -expand yes -padx 4
set notebook [NoteBook $topf.notebook]
set b_add_change [button $botf.b_add_change -text "Commit" -width 6 -command {SEUser_UserInfo::commit}]
set b_cancel [button $botf.b_cancel -text "Cancel" -width 6 -command { SEUser_UserInfo::cancel }]
set b_exit [button $botf.b_exit -text "Exit" -width 6 -command { SEUser_UserInfo::exit_userInfoDlg }]
pack $b_add_change $b_cancel -side left -anchor nw -padx 2
pack $b_exit -side right -anchor ne
if { $event_type == "add" } {
wm title $userInfoDlg "Add new user"
SEUser_UserInfo::create_UserInfo_Tab $notebook
SEUser_UserInfo::create_AdvancedOpts_Tab $notebook
} elseif { $event_type == "change" } {
wm title $userInfoDlg "User Information"
SEUser_UserInfo::create_UserInfo_Tab $notebook
} else {
return -code error
}
$notebook compute_size
pack $notebook -fill both -expand yes -padx 4 -pady 4
$notebook raise [$notebook page 0]
update idletasks
if {$tcl_platform(platform) == "windows"} {
wm resizable $SEUser_UserInfo::::userInfoDlg 0 0
} else {
bind $SEUser_UserInfo::::userInfoDlg <Configure> { wm geometry $SEUser_UserInfo::::userInfoDlg {} }
}
wm deiconify $userInfoDlg
grab $userInfoDlg
SEUser_UserInfo::initialize $event_type $user_selected
return 0
}
namespace eval SEUser_Generic_Users {
variable listbox_availRoles_generic
variable listbox_currentRoles_generic
variable b_generic
variable r_add_generic
variable r_remove_generic
variable tabframe
variable current_GenericRoles_list ""
variable avail_GenericRoles_list ""
variable roles_to_be_added ""
variable roles_to_be_removed ""
variable state
set state(edit) 0
set state(edit_type) "none"
set state(roles_changed) 0
set state(user_u_changed) 0
variable generic_user "user_u"
variable b_generic_label_text ""
variable generic_user_defined 0
variable generic_user_mcntr 0
variable status_text ""
variable status ""
}
proc SEUser_Generic_Users::createGenericUserWidgets { tabframe } {
variable listbox_availRoles_generic
variable listbox_currentRoles_generic
variable b_generic
variable r_add_generic
variable r_remove_generic
set t_frame [TitleFrame $tabframe.t_frame -text "Enable/Disable"]
set t_frame_l [frame [$t_frame getframe].t_frame_l]
set t_frame_r [frame [$t_frame getframe].t_frame_r]
set b_frame [frame $tabframe.b_frame -relief flat -borderwidth 0]
set roles_f [TitleFrame $b_frame.roles_f -text "Roles"]
set lf [LabelFrame [$roles_f getframe].lf -relief flat -borderwidth 0]
set cf [frame [$roles_f getframe].cf -relief flat -borderwidth 0]
set rf [LabelFrame [$roles_f getframe].rf -relief flat -borderwidth 0]
set lf_inner_top [frame [$lf getframe].in_top]
set lf_inner_bot [ScrolledWindow [$lf getframe].in_bot]
set rf_inner_top [frame [$rf getframe].in_top]
set rf_inner_bot [ScrolledWindow [$rf getframe].in_bot]
set lb_status [Label $t_frame_l.lb_status -textvariable SEUser_Generic_Users::status]
set lb_status_text [Label $t_frame_r.lb_textInfo -justify left \
-textvariable SEUser_Generic_Users::status_text]
set lb_availRoles [Label $lf_inner_top.lb_availRoles -text "Available Roles"]
set lb_currentRoles [Label $rf_inner_top.lb_currentRoles -text "Assigned Roles"]
set listbox_availRoles_generic [listbox [$lf_inner_bot getframe].listbox_availRoles_generic \
-height 6 -width 20 -highlightthickness 0 \
-listvar SEUser_Generic_Users::avail_GenericRoles_list \
-bg white]
set listbox_currentRoles_generic [listbox [$rf_inner_bot getframe].listbox_currentRoles_generic \
-height 6 -width 20 -highlightthickness 0 \
-listvar SEUser_Generic_Users::current_GenericRoles_list \
-bg white]
$lf_inner_bot setwidget $listbox_availRoles_generic
$rf_inner_bot setwidget $listbox_currentRoles_generic
bindtags $listbox_availRoles_generic [linsert [bindtags $listbox_availRoles_generic] 3 AvailRoles_Tag]
bindtags $listbox_currentRoles_generic [linsert [bindtags $listbox_currentRoles_generic] 3 CurrRoles_Tag]
set b_generic [Button $t_frame_l.b_generic -textvariable SEUser_Generic_Users::b_generic_label_text \
-width 6 \
-command { \
if { $SEUser_Generic_Users::generic_user_defined } {
SEUser_Generic_Users::disable_generic_users
} else {
SEUser_Generic_Users::enable_generic_users
}}]
set r_add_generic [Button $cf.add -text "-->" -width 6 \
-command { SEUser_Generic_Users::add_genericRole [$SEUser_Generic_Users::listbox_availRoles_generic curselection] } \
-helptext "Add a new role to the generic user account"]
set r_remove_generic [Button $cf.remove -text "<--" -width 6 \
-command { SEUser_Generic_Users::remove_genericRole [$SEUser_Generic_Users::listbox_currentRoles_generic curselection] } \
-helptext "Remove a role from the generic user account"]
pack $t_frame -side top -anchor nw -fill x
pack $t_frame_l -side left -anchor nw
pack $t_frame_r -side left -anchor nw -fill x -expand yes
pack $b_frame -side bottom -after $t_frame -anchor n -fill both -pady 5 -expand yes
pack $roles_f -side top -fill both -expand yes -padx 5 -pady 2
pack $lf -side left -anchor w -expand yes -fill y
pack $lf_inner_top -side top -anchor n -fill x
pack $lf_inner_bot -side bottom -anchor s -fill both -expand yes
pack $cf -side left -anchor center -expand yes
pack $rf -side right -anchor e -expand yes -fill y
pack $rf_inner_top -side top -anchor n -fill x
pack $rf_inner_bot -side bottom -anchor s -fill both -expand yes
pack $lb_status $b_generic -side top -anchor nw -pady 2
pack $lb_status_text -side left -anchor center -padx 2 -fill x -expand yes
pack $lb_availRoles -side top
pack $r_add_generic $r_remove_generic -side top -anchor center -pady 5 -padx 5
pack $lb_currentRoles -side top
return 0
}
proc SEUser_Generic_Users::create_GenericUsers_Tab { notebook } {
variable tabframe
set tabframe [$notebook insert end $SEUser_Advanced::generic_users_tabID -text "Generic Users"]
set topf [frame $tabframe.topf -width 100 -height 200]
pack $topf -fill both -expand yes -anchor nw
SEUser_Generic_Users::createGenericUserWidgets $topf
return 0
}
proc SEUser_Generic_Users::unadd_genericRoles { } {
variable state
variable listbox_currentRoles_generic
variable current_GenericRoles_list
variable avail_GenericRoles_list
variable roles_to_be_added
if { $state(edit_type) != "add" } {
puts stderr "Cannot unadd a user because edit_type is $state(edit_type)"
return
}
if { $roles_to_be_added == "" } {
puts stderr "There were no roles added."
return
}
foreach role $roles_to_be_added {
if { [lsearch -exact $avail_GenericRoles_list $role] != -1 } {
puts stderr "Already exists in the available generic roles list."
continue
} else {
set avail_GenericRoles_list [lappend avail_GenericRoles_list $role]
set avail_GenericRoles_list [lsort $avail_GenericRoles_list]
}
set idx [lsearch -exact $current_GenericRoles_list $role]
set current_GenericRoles_list [lreplace $current_GenericRoles_list $idx $idx]
}
$listbox_currentRoles_generic selection clear 0 end
SEUser_Generic_Users::SetEditMode unadd
return 0
}
proc SEUser_Generic_Users::add_genericRole { idx } {
variable listbox_availRoles_generic
variable listbox_currentRoles_generic
variable current_GenericRoles_list
variable avail_GenericRoles_list
variable roles_to_be_added
variable roles_to_be_removed
if { $idx == "" } {
return
}
set role [$listbox_availRoles_generic get $idx]
set idx [lsearch -exact $avail_GenericRoles_list $role]
set avail_GenericRoles_list [lreplace $avail_GenericRoles_list $idx $idx]
set current_GenericRoles_list [lappend current_GenericRoles_list $role]
set current_GenericRoles_list [lsort $current_GenericRoles_list]
set new_idx [lsearch -exact $current_GenericRoles_list $role]
if { [set idx [lsearch -exact $roles_to_be_removed $role]] != -1 } {
set roles_to_be_removed [lreplace $SEUser_Generic_Users::roles_to_be_removed $idx $idx]
} else {
set roles_to_be_added [lappend roles_to_be_added $role]
}
$listbox_currentRoles_generic selection set $new_idx
$listbox_currentRoles_generic see $new_idx
SEUser_Generic_Users::SetEditMode add
return 0
}
proc SEUser_Generic_Users::unremove_genericRole { } {
variable listbox_availRoles_generic
variable roles_to_be_removed
variable current_GenericRoles_list
variable avail_GenericRoles_list
variable state
if { $state(edit_type) != "delete" } {
puts stderr "Cannot unremove a user because edit_type is $state(edit_type)"
return
}
if { $roles_to_be_removed == "" } {
puts stderr "There were no roles removed."
return
}
foreach role $roles_to_be_removed {
if { [lsearch -exact $current_GenericRoles_list $role] != -1 } {
puts stderr "Already exists in the current generic roles list."
continue
} else {
set current_GenericRoles_list [lappend current_GenericRoles_list $role]
set current_GenericRoles_list [lsort $current_GenericRoles_list]
}
set idx [lsearch -exact $avail_GenericRoles_list $role]
set avail_GenericRoles_list [lreplace $avail_GenericRoles_list $idx $idx]
}
$listbox_availRoles_generic selection clear 0 end
SEUser_Generic_Users::SetEditMode undelete
return 0
}
proc SEUser_Generic_Users::remove_genericRole { idx } {
variable listbox_currentRoles_generic
variable listbox_availRoles_generic
variable current_GenericRoles_list
variable avail_GenericRoles_list
variable roles_to_be_added
variable roles_to_be_removed
if { $idx == "" } {
return
}
set role [$listbox_currentRoles_generic get $idx]
set idx [lsearch -exact $current_GenericRoles_list $role]
set current_GenericRoles_list [lreplace $current_GenericRoles_list $idx $idx]
set avail_GenericRoles_list [lappend avail_GenericRoles_list $role]
set avail_GenericRoles_list [lsort $avail_GenericRoles_list]
set new_idx [lsearch -exact $avail_GenericRoles_list $role]
if { [set idx [lsearch -exact $roles_to_be_added $role]] != -1 } {
set roles_to_be_added [lreplace $SEUser_Generic_Users::roles_to_be_added $idx $idx]
} else {
set roles_to_be_removed [lappend roles_to_be_removed $role]
}
$listbox_availRoles_generic selection set $new_idx
$listbox_availRoles_generic see $new_idx
SEUser_Generic_Users::SetEditMode delete
return 0
}
proc SEUser_Generic_Users::enable_generic_users { } {
variable generic_user
set ans [tk_messageBox -icon warning -type yesno -title "Adding Special user: $generic_user" \
-message \
"Warning: Adding the special user $generic_user will \n\
mean that any user not explicitly defined to the \n\
policy will be able to login to the system.\n\n\
Do you wish to continue?" \
-parent $SEUser_Generic_Users::tabframe]
if { $ans == "yes" } {
SEUser_Generic_Users::SetEditMode enable_generic
}
return 0
}
proc SEUser_Generic_Users::disable_generic_users { } {
variable generic_user
set ans [tk_messageBox -icon warning -type yesno -title "Removing Special user: $generic_user" \
-message \
"Warning: Removing the special user $generic_user will \n\
mean that any user not explicitly defined to the \n\
policy will not be able to login to the system.\n\n\
Do you wish to continue?" \
-parent $SEUser_Generic_Users::tabframe]
if { $ans == "yes" } {
SEUser_Generic_Users::SetEditMode disable_generic
}
return 0
}
proc SEUser_Generic_Users::cancel { } {
variable state
if { $state(edit) != 1 } {
return
}
switch -- $state(edit_type) {
delete {
SEUser_Generic_Users::unremove_genericRole
}
add {
SEUser_Generic_Users::unadd_genericRoles
}
disable_generic {
SEUser_Generic_Users::undo_disabled_state
}
enable_generic {
SEUser_Generic_Users::undo_enabled_state
}
default {
return -code error
}
}
return 0
}
proc SEUser_Generic_Users::commit { } {
variable generic_user
variable current_GenericRoles_list
variable state
variable generic_user_defined
if { $state(edit) != 1 } {
tk_messageBox -icon info -type ok -title "Commit info" \
-message "There are no changes to commit!" \
-parent $SEUser_Generic_Users::tabframe
return
}
switch -- $state(edit_type) {
delete {
set rt [catch {SEUser_db::change_selinuxUser $generic_user $current_GenericRoles_list 0 \
"" "" 0 "" ""} err]
if {$rt != 0} {
tk_messageBox -icon error -type ok -title "Error" \
-message "$err" \
-parent $SEUser_Generic_Users::tabframe
return -1
}
}
add {
set rt [catch {SEUser_db::change_selinuxUser $generic_user $current_GenericRoles_list 0 \
"" "" 0 "" ""} err]
if {$rt != 0} {
tk_messageBox -icon error -type ok -title "Error" \
-message "$err" \
-parent $SEUser_Generic_Users::tabframe
return -1
}
}
disable_generic {
set rt [catch {SEUser_db::remove_selinuxUser $generic_user} err]
if { $rt != 0 } {
tk_messageBox -icon error -type ok -title "Error" \
-message "$err" \
-parent $SEUser_Generic_Users::tabframe
return -1
}
set generic_user_defined 0
}
enable_generic {
set rt [catch {SEUser_db::add_selinuxUser $generic_user $current_GenericRoles_list 0 "" "" 0 "" ""} err]
if { $rt != 0 } {
tk_messageBox -icon error -type ok -title "Error" \
-message "$err" \
-parent $SEUser_Generic_Users::tabframe
return -1
}
set generic_user_defined 1
}
default {
return -code error
}
}
SEUser_Generic_Users::SetEditMode commit
SEUser_Top::initialize
return 0
}
proc SEUser_Generic_Users::initialize { } {
variable avail_GenericRoles_list
variable generic_user
variable current_GenericRoles_list
variable generic_user_defined
SEUser_Generic_Users::reset_variables
set selinuxUsers_list [SEUser_db::get_list seUsers]
set avail_GenericRoles_list [SEUser_db::get_list roles]
if { [lsearch -exact $selinuxUsers_list $generic_user] != -1 } {
set generic_user_defined 1
set current_GenericRoles_list [SEUser_db::get_user_roles $generic_user]
SEUser_Top::check_list_for_redundancy "avail_GenericRoles_list" "current_GenericRoles_list"
} else {
set generic_user_defined 0
}
SEUser_Generic_Users::SetEditMode init
return 0
}
proc SEUser_Generic_Users::SetEditMode { mode } {
variable state
variable roles_to_be_added
variable roles_to_be_removed
switch -- $mode {
delete {
set state(edit) 1
set state(edit_type) "delete"
set state(roles_changed) [expr $state(roles_changed) + 1]
}
undelete {
set state(edit) 0
set state(edit_type) "none"
set state(roles_changed) [expr $state(roles_changed) - 1]
set roles_to_be_removed ""
}
add {
if { $state(edit_type) == "enable_generic" } {
return
}
set state(edit) 1
set state(edit_type) "add"
set state(roles_changed) [expr $state(roles_changed) + 1]
}
unadd {
set state(edit) 0
set state(edit_type) "none"
set state(roles_changed) [expr $state(roles_changed) - 1]
set roles_to_be_added ""
}
commit {
set state(edit) 0
set state(edit_type) "none"
set roles_to_be_added ""
set roles_to_be_removed ""
}
init {
set state(edit) 0
set state(edit_type) "none"
set state(roles_changed) 0
}
disable_generic {
set state(edit) 1
set state(edit_type) "disable_generic"
set state(user_u_changed) 1
}
enable_generic {
set state(edit) 1
set state(edit_type) "enable_generic"
set state(user_u_changed) 1
}
default {
return -code error
}
}
SEUser_Generic_Users::configure_widget_states
return 0
}
proc SEUser_Generic_Users::disable_genericWidgets { } {
variable r_add_generic
variable r_remove_generic
variable listbox_availRoles_generic
variable listbox_currentRoles_generic
$listbox_availRoles_generic selection clear 0 end
$listbox_currentRoles_generic selection clear 0 end
$r_add_generic configure -state disabled
$r_remove_generic configure -state disabled
SEUser_Top::disable_tkListbox $listbox_availRoles_generic
SEUser_Top::disable_tkListbox $listbox_currentRoles_generic
$listbox_availRoles_generic configure -bg $SEUser_Top::default_bg_color
$listbox_currentRoles_generic configure -bg $SEUser_Top::default_bg_color
return 0
}
proc SEUser_Generic_Users::enable_genericWidgets { } {
variable r_add_generic
variable r_remove_generic
variable listbox_availRoles_generic
variable listbox_currentRoles_generic
variable current_GenericRoles_list
variable avail_GenericRoles_list
$r_add_generic configure -state normal
$r_remove_generic configure -state normal
SEUser_Top::enable_tkListbox $listbox_availRoles_generic
SEUser_Top::enable_tkListbox $listbox_currentRoles_generic
$listbox_availRoles_generic configure -bg white
$listbox_currentRoles_generic configure -bg white
return 0
}
proc SEUser_Generic_Users::undo_disabled_state { } {
variable b_generic
variable status_text
variable roles_to_be_removed
variable current_GenericRoles_list
variable avail_GenericRoles_list
SEUser_Generic_Users::enable_genericWidgets
foreach role $roles_to_be_removed {
set idx [lsearch -exact $avail_GenericRoles_list $role]
set avail_GenericRoles_list [lreplace $avail_GenericRoles_list $idx $idx]
set current_GenericRoles_list [lappend current_GenericRoles_list $role]
set current_GenericRoles_list [lsort $current_GenericRoles_list]
}
set status_text "Press 'Disable' button to disable generic users"
$b_generic configure -state normal
SEUser_Advanced::change_tab_state normal
SEUser_Advanced::change_buttons_state 0
return 0
}
proc SEUser_Generic_Users::undo_enabled_state { } {
variable b_generic
variable status_text
SEUser_Generic_Users::disable_genericWidgets
set status_text "Press 'Enable' button to enable generic users"
$b_generic configure -state normal
SEUser_Advanced::change_tab_state normal
SEUser_Advanced::change_buttons_state 0
return 0
}
proc SEUser_Generic_Users::change_to_enabled_state { } {
variable b_generic
variable status_text
SEUser_Generic_Users::enable_genericWidgets
set status_text "Press 'Commit' button to commit changes\nor 'Cancel' to undo changes."
$b_generic configure -state disabled
SEUser_Advanced::change_tab_state disabled
SEUser_Advanced::change_buttons_state 1
return 0
}
proc SEUser_Generic_Users::change_to_disabled_state { } {
variable b_generic
variable status_text
variable roles_to_be_removed
variable current_GenericRoles_list
variable avail_GenericRoles_list
SEUser_Generic_Users::disable_genericWidgets
foreach role $current_GenericRoles_list {
set idx [lsearch -exact $current_GenericRoles_list $role]
set current_GenericRoles_list [lreplace $current_GenericRoles_list $idx $idx]
set avail_GenericRoles_list [lappend avail_GenericRoles_list $role]
set avail_GenericRoles_list [lsort $avail_GenericRoles_list]
lappend roles_to_be_removed $role
}
set status_text "Press 'Commit' button to commit changes\nor 'Cancel' to undo changes."
$b_generic configure -state disabled
SEUser_Advanced::change_tab_state disabled
SEUser_Advanced::change_buttons_state 1
return 0
}
proc SEUser_Generic_Users::configure_widget_states { } {
variable state
variable generic_user_defined
variable b_generic
variable status_text
switch $state(edit_type) {
delete {
$b_generic configure -state disabled
SEUser_Advanced::change_tab_state disabled
SEUser_Advanced::change_buttons_state 1
}
add {
$b_generic configure -state disabled
SEUser_Advanced::change_tab_state disabled
SEUser_Advanced::change_buttons_state 1
}
disable_generic {
SEUser_Generic_Users::change_to_disabled_state
}
enable_generic {
SEUser_Generic_Users::change_to_enabled_state
}
none {
if { $generic_user_defined } {
$b_generic configure -state normal -helptext "Disable generic users"
set SEUser_Generic_Users::b_generic_label_text "Disable"
set SEUser_Generic_Users::status "Status: Enabled"
set status_text "Press 'Disable' button to disable generic users"
SEUser_Generic_Users::enable_genericWidgets
} else {
$b_generic configure -state normal -helptext "Enable generic users"
set SEUser_Generic_Users::b_generic_label_text "Enable"
set SEUser_Generic_Users::status "Status: Disabled"
set status_text "Press 'Enable' button to enable generic users"
SEUser_Generic_Users::disable_genericWidgets
}
SEUser_Advanced::change_tab_state normal
SEUser_Advanced::change_buttons_state 0
}
default {
return -code error
}
}
return 0
}
proc SEUser_Generic_Users::reset_variables { } {
set SEUser_Generic_Users::current_GenericRoles_list ""
set SEUser_Generic_Users::avail_GenericRoles_list ""
set SEUser_Generic_Users::roles_to_be_added ""
set SEUser_Generic_Users::roles_to_be_removed ""
set SEUser_Generic_Users::state(edit) 0
set SEUser_Generic_Users::state(edit_type) "none"
set SEUser_Generic_Users::state(roles_changed) 0
set SEUser_Generic_Users::state(user_u_changed) 0
set SEUser_Generic_Users::b_generic_label_text ""
set SEUser_Generic_Users::generic_user_defined 0
return 0
}
proc SEUser_Generic_Users::close { } {
SEUser_Generic_Users::reset_variables
array unset SEUser_Generic_Users::state
return 0
}
proc SEUser_Generic_Users::leave_tab { } {
variable generic_user_mcntr
set generic_user_mcntr [SEUser_db::get_mod_cntr]
return 0
}
proc SEUser_Generic_Users::enter_tab { } {
variable generic_user_mcntr
if { [SEUser_db::get_mod_cntr] != $generic_user_mcntr } {
SEUser_Generic_Users::initialize
}
return 0
}
namespace eval SEUser_SELinux_Users {
variable main_frame
variable listbox_sysUsers
variable listbox_SEUsers
variable listbox_availRoles
variable listbox_currentRoles
variable u_add
variable u_remove
variable r_add
variable r_remove
variable opts
variable sysUsers_list ""
variable selinuxUsers_list ""
variable currentRoles_list ""
variable type_list
variable availRoles_list ""
variable allRoles_list ""
variable all_sysUsers_list ""
variable user_to_add ""
variable user_to_del ""
variable modified_user "none"
variable empty_string "<none>"
variable state
set state(edit) 0
set state(users_changed) 0
set state(edit_type) "none"
set state(roles_changed) 0
variable mcntr 0
}
proc SEUser_SELinux_Users::SetEditMode { mode } {
variable state
variable modified_user
switch -- $mode {
delete {
set state(edit) 1
set state(edit_type) "delete"
set state(users_changed) [expr $state(users_changed) + 1]
}
undelete {
set state(edit) 0
set state(edit_type) "none"
set state(users_changed) [expr $state(users_changed) - 1]
}
add {
set state(edit) 1
set state(edit_type) "add"
set state(users_changed) [expr $state(users_changed) + 1]
}
unadd {
set state(edit) 0
set state(edit_type) "none"
set state(users_changed) [expr $state(users_changed) - 1]
}
change {
if { $state(edit) == 1 && $state(edit_type) == "add" } {
return
}
if { $state(edit) == 0 } {
set idx [$SEUser_SELinux_Users::listbox_SeLinuxUsers curselection]
set modified_user [$SEUser_SELinux_Users::listbox_SeLinuxUsers get $idx]
}
set state(edit) 1
set state(edit_type) "change"
}
unchange {
set state(edit) 0
set state(edit_type) "none"
}
commit {
set state(edit) 0
set state(edit_type) "none"
}
init {
set state(edit) 0
set state(users_changed) 0
set state(edit_type) "none"
set state(roles_changed) 0
}
default {
tk_messageBox -icon error -type ok -title "Error" -message "Invalid Edit Mode!" \
-parent $SEUser_SELinux_Users::main_frame
return
}
}
SEUser_SELinux_Users::edit_type_disable_enable
SEUser_SELinux_Users::CheckSeUserHighlights
return 0
}
proc SEUser_SELinux_Users::initialize { } {
variable all_sysUsers_list
variable sysUsers_list
variable selinuxUsers_list
variable availRoles_list
variable allRoles_list
SEUser_SELinux_Users::reset_variables
set all_sysUsers_list [SEUser_db::get_list sysUsers]
set sysUsers_list $all_sysUsers_list
set selinuxUsers_list [SEUser_db::get_list seUsers]
set selinuxUsers_list [lsort $selinuxUsers_list]
set allRoles_list [SEUser_db::get_list roles]
set allRoles_list [lsort $allRoles_list]
set availRoles_list $allRoles_list
SEUser_Top::check_list_for_redundancy "sysUsers_list" "selinuxUsers_list"
SEUser_SELinux_Users::SetEditMode init
return 0
}
proc SEUser_SELinux_Users::addUser { idx } {
variable modified_user
variable listbox_sysUsers
variable listbox_SeLinuxUsers
variable selinuxUsers_list
if { $idx == "" } {
return
}
set modified_user [$listbox_sysUsers get $idx]
if { $modified_user == "user_u" } {
set answer [tk_messageBox -icon warning -type yesno \
-title "Adding Special user_u user" -parent $SEUser_SELinux_Users::main_frame \
-message \
"Warning: Adding the special user user_u will \n\
mean that any user not explicity defined to the \n\
policy can login with the roles and default \n\
contexts defined for user_u, and need not be \n\
explictly defined to the policy.\n\n\
Do you wish to continue?"]
switch -- $answer {
yes {
}
no {
return
}
}
}
$listbox_sysUsers delete $idx
set selinuxUsers_list [lappend selinuxUsers_list $modified_user]
set selinuxUsers_list [lsort $selinuxUsers_list]
set newidx [lsearch -exact $selinuxUsers_list $modified_user]
$listbox_SeLinuxUsers selection set $newidx
$listbox_SeLinuxUsers see $newidx
SEUser_SELinux_Users::ClearCurrUserInfo
SEUser_SELinux_Users::SetEditMode add
return 0
}
proc SEUser_SELinux_Users::addRole { idx } {
variable listbox_availRoles
variable listbox_currentRoles
variable currentRoles_list
variable state
if { $idx == "" } {
return
}
set role [$listbox_availRoles get $idx]
$listbox_availRoles delete $idx
set currentRoles_list [lappend currentRoles_list $role]
set currentRoles_list [lsort $currentRoles_list]
set newidx [lsearch -exact $currentRoles_list $role]
$listbox_currentRoles selection set $newidx
$listbox_currentRoles see $newidx
set state(roles_changed) 1
SEUser_SELinux_Users::SetEditMode change
return 0
}
proc SEUser_SELinux_Users::removeRole { idx } {
variable listbox_availRoles
variable listbox_currentRoles
variable availRoles_list
variable state
if { $idx == "" } {
return
}
set role [$listbox_currentRoles get $idx]
$listbox_currentRoles delete $idx
set availRoles_list [lappend availRoles_list $role]
set availRoles_list [lsort $availRoles_list]
set newidx [lsearch -exact $availRoles_list $role]
$listbox_availRoles selection set $newidx
$listbox_availRoles see $newidx
set state(roles_changed) 1
SEUser_SELinux_Users::SetEditMode change
return 0
}
proc SEUser_SELinux_Users::ShowUserInfo { username } {
variable availRoles_list
variable currentRoles_list
variable allRoles_list
set no_login_context 0
set rt [catch { set currentRoles_list [seuser_UserRoles $username] } err]
if {$rt != 0} {
tk_messageBox -icon error -type ok -title "Error" -message "$err" \
-parent $SEUser_SELinux_Users::main_frame
return
}
set currentRoles_list [lsort $currentRoles_list]
set rt [catch {seuser_IsUserValid $username} err]
if {$rt != 0} {
tk_messageBox -icon warning -type ok -title "Warning: Problem with user record" -message "$err" \
-parent $SEUser_SELinux_Users::main_frame
}
set allRoles_list [lsort $allRoles_list]
set availRoles_list $allRoles_list
SEUser_Top::check_list_for_redundancy "availRoles_list" "currentRoles_list"
return 0
}
proc SEUser_SELinux_Users::commit { } {
variable modified_user
variable state
if { $state(edit) != 1 } {
tk_messageBox -icon warning -type ok -title "Warning" \
-message "There are no changes to commit!" \
-parent $SEUser_SELinux_Users::main_frame
return
}
set rt [ catch {seuser_CheckCommitAccess } err ]
if {$rt != 0 } {
tk_messageBox -icon error -type ok -title "Access Error" -message "$err" \
-parent $SEUser_SELinux_Users::main_frame
return
}
switch -- $state(edit_type) {
delete {
set rt [catch {SEUser_db::remove_selinuxUser $modified_user} err]
if {$rt != 0} {
tk_messageBox -icon error -type ok -title "Error" -message "$err" \
-parent $SEUser_SELinux_Users::main_frame
return
}
}
add {
set rt [catch {SEUser_db::add_selinuxUser $modified_user $SEUser_SELinux_Users::currentRoles_list 0 \
"" "" 0 "" ""} err]
if {$rt != 0} {
tk_messageBox -icon error -type ok -title "Error" -message "$err" \
-parent $SEUser_SELinux_Users::main_frame
return
}
}
change {
set rt [catch {SEUser_db::change_selinuxUser $modified_user $SEUser_SELinux_Users::currentRoles_list 0 \
"" "" 0 "" ""} err]
if {$rt != 0} {
tk_messageBox -icon error -type ok -title "Error" -message "$err" \
-parent $SEUser_SELinux_Users::main_frame
return
}
if {$state(roles_changed) != 0 } {
set state(users_changed) [expr $state(users_changed) + 1]
set state(roles_changed) 0
}
}
default {
tk_messageBox -icon warning -type ok -title "Warning" \
-message "There are no changes to commit!" \
-parent $SEUser_SELinux_Users::main_frame
return
}
}
set rt [catch {seuser_Commit} err]
if {$rt != 0} {
tk_messageBox -icon error -type ok -title "Error" -message "$err" \
-parent $SEUser_SELinux_Users::main_frame
return
}
SEUser_SELinux_Users::SetEditMode commit
SEUser_Top::initialize
return 0
}
proc SEUser_SELinux_Users::cancel { } {
variable state
if { $state(edit) != 1 } {
return
}
switch -- $state(edit_type) {
delete {
SEUser_SELinux_Users::unremoveUser
}
add {
SEUser_SELinux_Users::unaddUser
}
change {
SEUser_SELinux_Users::unchangeUser
}
default {
return
}
}
return 0
}
proc SEUser_SELinux_Users::remove_SELinux_User { idx } {
variable modified_user
variable listbox_SeLinuxUsers
variable listbox_sysUsers
variable sysUsers_list
variable all_sysUsers_list
variable state
if { $idx == "" } {
return
}
set modified_user [$listbox_SeLinuxUsers get $idx]
if { $modified_user == "system_u" } {
tk_messageBox -icon error -type ok -title "Remove User Error" -message \
"The special user: system_u cannot be removed." \
-parent $SEUser_SELinux_Users::main_frame
return
} elseif { $modified_user == "user_u" } {
set answer [tk_messageBox -icon warning -type yesno -title "Removing Special user_u user" -message \
"Warning: Removing the special user user_u will \n\
mean that any user not explicity defined to the \n\
policy will not be able to login to the system.\n\n\
Do you wish to continue?" \
-parent $SEUser_SELinux_Users::main_frame]
switch -- $answer {
yes {
$listbox_SeLinuxUsers delete $idx
}
no {
return
}
}
} else {
$listbox_SeLinuxUsers delete $idx
}
SEUser_SELinux_Users::ClearCurrUserInfo
if { [lsearch -exact $all_sysUsers_list "$modified_user"] != -1 } {
set sysUsers_list [lappend sysUsers_list $modified_user]
set sysUsers_list [lsort $sysUsers_list]
set newidx [lsearch -exact $sysUsers_list $modified_user]
$listbox_sysUsers selection set $newidx
$listbox_sysUsers see $newidx
}
set state(roles_changed) 1
SEUser_SELinux_Users::SetEditMode delete
return 0
}
proc SEUser_SELinux_Users::unaddUser { } {
variable modified_user
variable sysUsers_list
variable selinuxUsers_list
variable all_sysUsers_list
variable state
if { $state(edit_type) != "add" } {
puts stderr "Cannot unadd a user because edit_type is $state(edit_type)"
return
}
if { [lsearch -exact $all_sysUsers_list $modified_user] != -1 } {
set sysUsers_list [lappend sysUsers_list $modified_user]
set sysUsers_list [lsort $sysUsers_list]
set newidx [lsearch -exact $sysUsers_list $modified_user]
$SEUser_SELinux_Users::listbox_sysUsers selection set $newidx
}
set idx [lsearch -exact $selinuxUsers_list $modified_user]
$SEUser_SELinux_Users::listbox_SeLinuxUsers delete $idx
SEUser_SELinux_Users::ClearCurrUserInfo
SEUser_SELinux_Users::SetEditMode unadd
return 0
}
proc SEUser_SELinux_Users::unchangeUser { } {
variable state
if { $state(edit_type) != "change" } {
puts stderr "Cannot unchange a user because edit_type is $state(edit_type)"
return
}
SEUser_SELinux_Users::ClearCurrUserInfo
SEUser_SELinux_Users::SetEditMode unchange
return 0
}
proc SEUser_SELinux_Users::edit_type_disable_enable { } {
variable state
switch $state(edit_type) {
delete {
SEUser_SELinux_Users::delete_disable_enable
}
add {
SEUser_SELinux_Users::add_change_disable_enable
}
change {
SEUser_SELinux_Users::add_change_disable_enable
}
none {
SEUser_SELinux_Users::view_mode_enable_disable
}
}
return 0
}
proc SEUser_SELinux_Users::add_change_disable_enable { } {
variable state
variable listbox_SeLinuxUsers
variable listbox_sysUsers
if { $state(edit) == 1 } {
SEUser_Advanced::change_tab_state disabled
$SEUser_SELinux_Users::u_add configure -state disabled
$SEUser_SELinux_Users::u_remove configure -state disabled
$SEUser_SELinux_Users::r_add configure -state normal
$SEUser_SELinux_Users::r_remove configure -state normal
SEUser_Advanced::change_buttons_state 1
SEUser_Top::enable_tkListbox $SEUser_SELinux_Users::listbox_availRoles
SEUser_Top::enable_tkListbox $SEUser_SELinux_Users::listbox_currentRoles
bind sysUsers_Tag <<ListboxSelect>> " "
bind SeLinuxUsers_Tag <<ListboxSelect>> " "
SEUser_Top::disable_tkListbox $SEUser_SELinux_Users::listbox_SeLinuxUsers
SEUser_Top::disable_tkListbox $SEUser_SELinux_Users::listbox_sysUsers
$SEUser_SELinux_Users::listbox_availRoles configure -bg white
$SEUser_SELinux_Users::listbox_currentRoles configure -bg white
}
return 0
}
proc SEUser_SELinux_Users::delete_disable_enable { } {
variable state
variable listbox_SeLinuxUsers
variable listbox_sysUsers
if { $state(edit) == 1 } {
SEUser_Advanced::change_tab_state disabled
$SEUser_SELinux_Users::u_add configure -state disabled
$SEUser_SELinux_Users::u_remove configure -state disabled
$SEUser_SELinux_Users::r_add configure -state disabled
$SEUser_SELinux_Users::r_remove configure -state disabled
SEUser_Advanced::change_buttons_state 1
$SEUser_SELinux_Users::listbox_availRoles configure -bg $SEUser_Top::default_bg_color
$SEUser_SELinux_Users::listbox_currentRoles configure -bg $SEUser_Top::default_bg_color
bind sysUsers_Tag <<ListboxSelect>> " "
bind SeLinuxUsers_Tag <<ListboxSelect>> " "
SEUser_Top::disable_tkListbox $SEUser_SELinux_Users::listbox_SeLinuxUsers
SEUser_Top::disable_tkListbox $SEUser_SELinux_Users::listbox_sysUsers
SEUser_Top::disable_tkListbox $SEUser_SELinux_Users::listbox_availRoles
SEUser_Top::disable_tkListbox $SEUser_SELinux_Users::listbox_currentRoles
}
return 0
}
proc SEUser_SELinux_Users::view_mode_enable_disable { } {
variable state
if { $state(edit) == 0 } {
$SEUser_SELinux_Users::u_add configure -state normal
$SEUser_SELinux_Users::u_remove configure -state normal
$SEUser_SELinux_Users::r_add configure -state disabled
$SEUser_SELinux_Users::r_remove configure -state disabled
SEUser_Advanced::change_buttons_state 0
$SEUser_SELinux_Users::listbox_SeLinuxUsers selection clear 0 end
$SEUser_SELinux_Users::listbox_sysUsers selection clear 0 end
$SEUser_SELinux_Users::listbox_availRoles selection clear 0 end
$SEUser_SELinux_Users::listbox_currentRoles selection clear 0 end
bind SeLinuxUsers_Tag <<ListboxSelect>> { SEUser_SELinux_Users::SeLinuxUsers_Selection %W %x %y }
bind sysUsers_Tag <<ListboxSelect>> { SEUser_SELinux_Users::sysUsers_Selection %W %x %y }
SEUser_Top::enable_tkListbox $SEUser_SELinux_Users::listbox_SeLinuxUsers
SEUser_Top::enable_tkListbox $SEUser_SELinux_Users::listbox_sysUsers
SEUser_Top::disable_tkListbox $SEUser_SELinux_Users::listbox_availRoles
SEUser_Top::disable_tkListbox $SEUser_SELinux_Users::listbox_currentRoles
$SEUser_SELinux_Users::listbox_availRoles configure -bg $SEUser_Top::default_bg_color
$SEUser_SELinux_Users::listbox_currentRoles configure -bg $SEUser_Top::default_bg_color
SEUser_Advanced::change_tab_state normal
}
return 0
}
proc SEUser_SELinux_Users::SeLinuxUsers_Selection { path x y } {
SEUser_Top::enable_tkListbox $SEUser_SELinux_Users::listbox_SeLinuxUsers
$SEUser_SELinux_Users::listbox_sysUsers selection clear 0 end
$SEUser_SELinux_Users::listbox_availRoles selection clear 0 end
$SEUser_SELinux_Users::listbox_currentRoles selection clear 0 end
set user [$path get [$path curselection ]]
SEUser_SELinux_Users::ShowUserInfo $user
set SEUser_SELinux_Users::user_to_del $user
$SEUser_SELinux_Users::r_add configure -state normal
$SEUser_SELinux_Users::r_remove configure -state normal
SEUser_Advanced::change_buttons_state 0
SEUser_Top::enable_tkListbox $SEUser_SELinux_Users::listbox_availRoles
SEUser_Top::enable_tkListbox $SEUser_SELinux_Users::listbox_currentRoles
$SEUser_SELinux_Users::listbox_availRoles configure -bg white
$SEUser_SELinux_Users::listbox_currentRoles configure -bg white
return 0
}
proc SEUser_SELinux_Users::sysUsers_Selection { path x y } {
SEUser_Top::enable_tkListbox $SEUser_SELinux_Users::listbox_sysUsers
$SEUser_SELinux_Users::listbox_SeLinuxUsers selection clear 0 end
SEUser_SELinux_Users::ClearCurrUserInfo
set user [$path get [$path curselection ]]
set SEUser_SELinux_Users::user_to_del $user
$SEUser_SELinux_Users::r_add configure -state disabled
$SEUser_SELinux_Users::r_remove configure -state disabled
SEUser_Advanced::change_buttons_state 0
SEUser_Top::disable_tkListbox $SEUser_SELinux_Users::listbox_availRoles
SEUser_Top::disable_tkListbox $SEUser_SELinux_Users::listbox_currentRoles
$SEUser_SELinux_Users::listbox_availRoles configure -bg $SEUser_Top::default_bg_color
$SEUser_SELinux_Users::listbox_currentRoles configure -bg $SEUser_Top::default_bg_color
return 0
}
proc SEUser_SELinux_Users::ClearCurrUserInfo { } {
set SEUser_SELinux_Users::currentRoles_list ""
set SEUser_SELinux_Users::user_to_add ""
set SEUser_SELinux_Users::user_to_del ""
set SEUser_SELinux_Users::allRoles_list [lsort $SEUser_SELinux_Users::allRoles_list]
set SEUser_SELinux_Users::availRoles_list $SEUser_SELinux_Users::allRoles_list
return 0
}
proc SEUser_SELinux_Users::ClearView { } {
SEUser_SELinux_Users::ClearCurrUserInfo
set SEUser_SELinux_Users::sysUsers_list ""
set SEUser_SELinux_Users::selinuxUsers_list ""
set SEUser_SELinux_Users::availRoles_list ""
return 0
}
proc SEUser_SELinux_Users::CheckSeUserHighlights { } {
variable all_sysUsers_list
variable listbox_SeLinuxUsers
variable selinuxUsers_list
foreach user $selinuxUsers_list {
set index [lsearch -exact $selinuxUsers_list "$user"]
$listbox_SeLinuxUsers itemconfigure $index -background ""
}
foreach user $selinuxUsers_list {
set rt [catch {seuser_IsUserValid $user} err]
if {$rt != 0 } {
set index [lsearch -exact $selinuxUsers_list "$user"]
$listbox_SeLinuxUsers itemconfigure $index -background red
continue
} elseif {$user == "system_u"} {
continue
} elseif {$user == "user_u" } {
continue
} else {
set index [lsearch -exact $selinuxUsers_list "$user"]
$listbox_SeLinuxUsers itemconfigure $index -background ""
}
if { [lsearch -exact $all_sysUsers_list "$user"] == -1 } {
set index [lsearch -exact $selinuxUsers_list "$user"]
$listbox_SeLinuxUsers itemconfigure $index -background yellow
}
}
return 0
}
proc SEUser_SELinux_Users::PopulateTypeContextList { role combo } {
variable empty_string
variable type_list
set type_list ""
if {$role != $empty_string } {
set rt [catch { set type_list [apol_RoleTypes $role] } err]
if {$rt != 0} {
set type_list ""
} else {
set type_list [lsort $type_list]
}
}
$combo configure -values $type_list
return 0
}
proc SEUser_SELinux_Users::PopulateRoleContextList { combo } {
variable currentRoles_list
$combo configure -values $currentRoles_list
return 0
}
proc SEUser_SELinux_Users::unremoveUser { } {
variable modified_user
variable selinuxUsers_list
variable sysUsers_list
variable all_sysUsers_list
variable listbox_SeLinuxUsers
variable listbox_sysUsers
variable state
if { $state(edit_type) != "delete" } {
puts stderr "Cannot unremove a user because edit_type is $state(edit_type)"
return
}
set index [lsearch -exact $sysUsers_list "$modified_user"]
$listbox_sysUsers delete $index
set selinuxUsers_list [lappend selinuxUsers_list $modified_user]
set selinuxUsers_list [lsort $selinuxUsers_list]
SEUser_Top::check_list_for_redundancy "sysUsers_list" "selinuxUsers_list"
$listbox_sysUsers selection clear 0 end
SEUser_SELinux_Users::SetEditMode undelete
return 0
}
proc SEUser_SELinux_Users::reset_variables { } {
set SEUser_SELinux_Users::sysUsers_list ""
set SEUser_SELinux_Users::selinuxUsers_list ""
set SEUser_SELinux_Users::currentRoles_list ""
set SEUser_SELinux_Users::type_list ""
set SEUser_SELinux_Users::availRoles_list ""
set SEUser_SELinux_Users::allRoles_list ""
set SEUser_SELinux_Users::all_sysUsers_list ""
set SEUser_SELinux_Users::user_to_add ""
set SEUser_SELinux_Users::user_to_del ""
set SEUser_SELinux_Users::modified_user "none"
set SEUser_SELinux_Users::empty_string "<none>"
set SEUser_SELinux_Users::state(edit) 0
set SEUser_SELinux_Users::state(users_changed) 0
set SEUser_SELinux_Users::state(edit_type) "none"
set SEUser_SELinux_Users::state(roles_changed) 0
return 0
}
proc SEUser_SELinux_Users::close { } {
set SEUser_SELinux_Users::sysUsers_list ""
set SEUser_SELinux_Users::selinuxUsers_list ""
set SEUser_SELinux_Users::currentRoles_list ""
set SEUser_SELinux_Users::type_list ""
set SEUser_SELinux_Users::availRoles_list ""
set SEUser_SELinux_Users::allRoles_list ""
set SEUser_SELinux_Users::all_sysUsers_list ""
set SEUser_SELinux_Users::user_to_add ""
set SEUser_SELinux_Users::user_to_del ""
set SEUser_SELinux_Users::modified_user ""
set SEUser_SELinux_Users::empty_string ""
array unset SEUser_SELinux_Users::state
array unset SEUser_SELinux_Users::opts
return 0
}
proc SEUser_SELinux_Users::enter_tab { } {
variable mcntr
if { [SEUser_db::get_mod_cntr] != $mcntr } {
SEUser_SELinux_Users::initialize
}
return 0
}
proc SEUser_SELinux_Users::leave_tab { } {
variable mcntr
set mcntr [SEUser_db::get_mod_cntr]
return 0
}
proc SEUser_SELinux_Users::create_UserPolicyMgnt_Tab { notebook } {
variable main_frame
set main_frame [$notebook insert end $SEUser_Advanced::usr_polMgnt_tabID -text "SE Linux Users"]
set topf [frame $main_frame.topf -width 100 -height 200]
set lb_desc [label $topf.lb_desc -text "This tab allows you to directly add/remove \
users from the policy\nwithout adding/removing users from the system." \
-justify left]
pack $topf -side top -fill both
pack $lb_desc -side top -fill x -expand yes -anchor nw -pady 4
SEUser_SELinux_Users::createUsersFrame $topf
SEUser_SELinux_Users::createRolesFrame $topf
return 0
}
proc SEUser_SELinux_Users::createUsersFrame { mainframe } {
variable listbox_SeLinuxUsers
variable listbox_sysUsers
variable u_add
variable u_remove
set user_f [TitleFrame $mainframe.user_f -text "Users"]
set lf [LabelFrame [$user_f getframe].lf -relief flat -borderwidth 0]
set cf [frame [$user_f getframe].cf -relief flat -borderwidth 0]
set rf [LabelFrame [$user_f getframe].rf -relief flat -borderwidth 0]
set lf_inner_top [frame [$lf getframe].in_top]
set lf_inner_bot [ScrolledWindow [$lf getframe].in_bot]
set rf_inner_top [frame [$rf getframe].in_top]
set rf_inner_bot [ScrolledWindow [$rf getframe].in_bot]
set lb_sysUsers [Label $lf_inner_top.lb_sysUsers -text "System Users"]
set lb_linuxUsers [Label $rf_inner_top.lb_linuxUsers -text "SE Linux Users"]
set listbox_sysUsers [listbox [$lf_inner_bot getframe].listbox_sysUsers -height 6 -width 20 \
-highlightthickness 0 \
-listvar SEUser_SELinux_Users::sysUsers_list -bg white \
-selectmode single]
set listbox_SeLinuxUsers [listbox [$rf_inner_bot getframe].listbox_SeLinuxUsers -height 6 \
-width 20 -highlightthickness 0 \
-listvar SEUser_SELinux_Users::selinuxUsers_list \
-exportselection no -bg white -selectmode single]
$lf_inner_bot setwidget $listbox_sysUsers
$rf_inner_bot setwidget $listbox_SeLinuxUsers
set u_add [Button $cf.add -text "-->" -width 6 \
-command { SEUser_SELinux_Users::addUser [$SEUser_SELinux_Users::listbox_sysUsers curselection]} \
-helptext "Add the selected system user to SE Linunx policy"]
set u_remove [Button $cf.remove -text "<--" -width 6 -command \
{ SEUser_SELinux_Users::remove_SELinux_User [$SEUser_SELinux_Users::listbox_SeLinuxUsers curselection]} \
-helptext "Remove the selected user from the SE Linux policy"]
bindtags $listbox_SeLinuxUsers [linsert [bindtags $listbox_SeLinuxUsers] 3 SeLinuxUsers_Tag]
bindtags $listbox_sysUsers [linsert [bindtags $listbox_sysUsers] 3 sysUsers_Tag]
pack $user_f -side top -fill both -anchor n -expand yes -padx 5 -pady 2
pack $lf -side left -anchor w -expand yes
pack $lf_inner_top -side top -anchor n -fill x
pack $lf_inner_bot -side bottom -anchor s -fill x -expand yes
pack $cf -side left -anchor center -expand yes
pack $rf -side right -anchor e -expand yes
pack $rf_inner_top -side top -anchor n -fill x
pack $rf_inner_bot -side bottom -anchor s -fill x -expand yes
pack $lb_sysUsers -side top
pack $u_add $u_remove -side top -anchor center -pady 5 -padx 5
pack $lb_linuxUsers -side top -fill y -expand yes
return 0
}
proc SEUser_SELinux_Users::createRolesFrame { mainframe } {
variable listbox_availRoles
variable listbox_currentRoles
variable r_add
variable r_remove
set roles_f [TitleFrame $mainframe.roles_f -text "Roles"]
set lf [LabelFrame [$roles_f getframe].lf -relief flat -borderwidth 0]
set cf [frame [$roles_f getframe].cf -relief flat -borderwidth 0]
set rf [LabelFrame [$roles_f getframe].rf -relief flat -borderwidth 0]
set lf_inner_top [frame [$lf getframe].in_top]
set lf_inner_bot [ScrolledWindow [$lf getframe].in_bot]
set rf_inner_top [frame [$rf getframe].in_top]
set rf_inner_bot [ScrolledWindow [$rf getframe].in_bot]
set lb_availRoles [Label $lf_inner_top.lb_availRoles -text "Available Roles"]
set lb_currentRoles [Label $rf_inner_top.lb_currentRoles -text "Assigned Roles"]
set listbox_availRoles [listbox [$lf_inner_bot getframe].listbox_availRoles -height 6 -width 20 -highlightthickness 0 \
-listvar SEUser_SELinux_Users::availRoles_list -bg white]
set listbox_currentRoles [listbox [$rf_inner_bot getframe].listbox_SeLinuxUsers -height 6 -width 20 -highlightthickness 0 \
-listvar SEUser_SELinux_Users::currentRoles_list -bg white]
$lf_inner_bot setwidget $listbox_availRoles
$rf_inner_bot setwidget $listbox_currentRoles
set r_add [Button $cf.add -text "-->" -width 6 \
-command { SEUser_SELinux_Users::addRole [$SEUser_SELinux_Users::listbox_availRoles curselection]} \
-helptext "Add a new role to the user account"]
set r_remove [Button $cf.remove -text "<--" -width 6 \
-command { SEUser_SELinux_Users::removeRole [$SEUser_SELinux_Users::listbox_currentRoles curselection]} \
-helptext "Remove a role from the user account"]
bindtags $listbox_currentRoles [linsert [bindtags $listbox_currentRoles] 3 currentRoles_Tag]
bindtags $listbox_availRoles [linsert [bindtags $listbox_availRoles] 3 availRoles_Tag]
pack $roles_f -side top -fill both -expand yes -padx 5 -pady 2
pack $lf -side left -anchor w -expand yes
pack $lf_inner_top -side top -anchor n -fill x
pack $lf_inner_bot -side bottom -anchor s -fill x -expand yes
pack $cf -side left -anchor center -expand yes
pack $rf -side right -anchor e -expand yes
pack $rf_inner_top -side top -anchor n -fill x
pack $rf_inner_bot -side bottom -anchor s -fill x -expand yes
pack $lb_availRoles -side top
pack $r_add $r_remove -side top -anchor center -pady 5 -padx 5
pack $lb_currentRoles -side top -fill y -expand yes
return 0
}
SEUser_Top::main
|