diff -Nru gce-compute-image-packages-20170622/debian/changelog gce-compute-image-packages-20170718/debian/changelog --- gce-compute-image-packages-20170622/debian/changelog 2017-06-23 10:42:27.000000000 +0200 +++ gce-compute-image-packages-20170718/debian/changelog 2017-07-20 14:28:58.000000000 +0200 @@ -1,3 +1,10 @@ +gce-compute-image-packages (20170718-0ubuntu1) artful; urgency=medium + + * Update debian/copyright + * New upstream version 20170718 (LP: #1705448) + + -- Balint Reczey Thu, 20 Jul 2017 14:28:58 +0200 + gce-compute-image-packages (20170622-0ubuntu1) artful; urgency=medium * New upstream version 20170622 (LP: #1700027) diff -Nru gce-compute-image-packages-20170622/debian/copyright gce-compute-image-packages-20170718/debian/copyright --- gce-compute-image-packages-20170622/debian/copyright 2017-06-23 10:42:27.000000000 +0200 +++ gce-compute-image-packages-20170718/debian/copyright 2017-07-20 14:28:58.000000000 +0200 @@ -11,6 +11,11 @@ Copyright: 2017, Canonical Group, Ltd. License: Apache-2.0 +Files: debian/google-compute-engine-oslogin.postinst + debian/google-compute-engine-oslogin.prerm +Copyright: 2017, Google Inc. +License: Apache-2.0 + Files: disk_expand/third_party/dracut-modules-growroot/* Copyright: 2016, Red Hat, Inc. License: GPL-3 diff -Nru gce-compute-image-packages-20170622/google_compute_engine/accounts/accounts_utils.py gce-compute-image-packages-20170718/google_compute_engine/accounts/accounts_utils.py --- gce-compute-image-packages-20170622/google_compute_engine/accounts/accounts_utils.py 2017-06-22 22:15:22.000000000 +0200 +++ gce-compute-image-packages-20170718/google_compute_engine/accounts/accounts_utils.py 2017-07-18 18:43:14.000000000 +0200 
@@ -295,8 +295,8 @@
 # logins. This helps avoid problems caused by operator and root sharing
 # a home directory in CentOS and RHEL.
 pw_entry = self._GetUser(user)
- if pw_entry and pw_entry.pw_shell == '/sbin/nologin':
- message = 'Not updating user %s. User set /sbin/nologin as login shell.'
+ if pw_entry and os.path.basename(pw_entry.pw_shell) == 'nologin':
+ message = 'Not updating user %s. User set `nologin` as login shell.'
 self.logger.debug(message, user)
 return True
diff -Nru gce-compute-image-packages-20170622/google_compute_engine/metadata_scripts/script_retriever.py gce-compute-image-packages-20170718/google_compute_engine/metadata_scripts/script_retriever.py
--- gce-compute-image-packages-20170622/google_compute_engine/metadata_scripts/script_retriever.py 2017-06-22 22:15:22.000000000 +0200
+++ gce-compute-image-packages-20170718/google_compute_engine/metadata_scripts/script_retriever.py 2017-07-18 18:43:14.000000000 +0200
@@ -135,7 +135,9 @@
 match = gs_regex.match(url)
 if match:
 gs_url = r'gs://%s/%s' % (match.group('bucket'), match.group('obj'))
- return self._DownloadGsUrl(gs_url, dest_dir)
+ # In case gsutil is not installed, continue as a normal URL.
+ return (self._DownloadGsUrl(gs_url, dest_dir) or
+ self._DownloadUrl(url, dest_dir))
 # Check for the other possible Google Storage URLs:
 # http://storage.googleapis.com//
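Review bot: `os.path.basename(pw_entry.pw_shell) == 'nologin'` now covers `/usr/sbin/nologin` as well as `/sbin/nologin`, but a user whose shell is `/bin/false`, the other common way to mark an account non-interactive, still has keys and groups rewritten by this code. If the check is meant to be broader than the CentOS/RHEL `operator` case the comment above it describes, spell the set out once, `if pw_entry and os.path.basename(pw_entry.pw_shell) in ('nologin', 'false'):`, and extend the comment to name the shells that are treated this way; if it is only about `operator`, the comment is fine as is. The enclosing method starts before this hunk.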
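Review bot: The fallback `self._DownloadGsUrl(gs_url, dest_dir) or self._DownloadUrl(url, dest_dir)` is wider than the comment above it says: it fires on every falsy return from `_DownloadGsUrl`, not only when gsutil is missing, so a gsutil copy that fails for another reason (object absent, the instance's credentials refused) is silently retried as an unauthenticated fetch of the original URL and the error the caller eventually sees comes from the anonymous path rather than the authenticated one. The same pattern is repeated in the next hunk (`@@ -149,7 +151,9 @@`). Presumably `_DownloadGsUrl` returns None on any failure (the test hunk mocks it that way); if the broad fallback is intended, the comment should say so, e.g. `# _DownloadGsUrl returns None on any failure (gsutil missing or the copy failing); fall back to an unauthenticated fetch of the original URL.`, and if not, `_DownloadGsUrl` needs to distinguish "gsutil not found" from "gsutil ran and failed", which is outside this hunk. The enclosing `_DownloadScript` method starts before the hunk.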
@@ -149,7 +151,9 @@
 match = gs_regex.match(url)
 if match:
 gs_url = r'gs://%s/%s' % (match.group('bucket'), match.group('obj'))
- return self._DownloadGsUrl(gs_url, dest_dir)
+ # In case gsutil is not installed, continue as a normal URL.
+ return (self._DownloadGsUrl(gs_url, dest_dir) or
+ self._DownloadUrl(url, dest_dir))
 # Unauthenticated download of the object.
 return self._DownloadUrl(url, dest_dir)
diff -Nru gce-compute-image-packages-20170622/google_compute_engine/metadata_scripts/tests/script_retriever_test.py gce-compute-image-packages-20170718/google_compute_engine/metadata_scripts/tests/script_retriever_test.py
--- gce-compute-image-packages-20170622/google_compute_engine/metadata_scripts/tests/script_retriever_test.py 2017-06-22 22:15:22.000000000 +0200
+++ gce-compute-image-packages-20170718/google_compute_engine/metadata_scripts/tests/script_retriever_test.py 2017-07-18 18:43:14.000000000 +0200
@@ -181,6 +181,16 @@ self.retriever._DownloadScript(url, self.dest_dir) mock_download_gs.assert_called_once_with(gs_url, self.dest_dir) + for url, gs_url in download_gs_urls.items(): + if url.startswith('gs://'): + continue + mock_download_gs.reset_mock() + mock_download_gs.return_value = None + mock_download.reset_mock() + self.retriever._DownloadScript(url, self.dest_dir) + mock_download_gs.assert_called_once_with(gs_url, self.dest_dir) + mock_download.assert_called_once_with(url, self.dest_dir) + @mock.patch('google_compute_engine.metadata_scripts.script_retriever.tempfile.NamedTemporaryFile') def testGetAttributeScripts(self, mock_tempfile): script = 'echo Hello World.\n' diff -Nru gce-compute-image-packages-20170622/google_compute_engine_oslogin/bin/google_oslogin_control gce-compute-image-packages-20170718/google_compute_engine_oslogin/bin/google_oslogin_control --- gce-compute-image-packages-20170622/google_compute_engine_oslogin/bin/google_oslogin_control 2017-06-22 22:15:22.000000000 +0200 +++ gce-compute-image-packages-20170718/google_compute_engine_oslogin/bin/google_oslogin_control 2017-07-18 18:43:14.000000000 +0200 @@ -18,13 +18,15 @@ pam_config="/etc/pam.d/sshd" sshd_config="/etc/ssh/sshd_config" el_release_file="/etc/redhat-release" +sudoers_dir="/var/google-sudoers.d" +sudoers_file="/etc/sudoers.d/google-oslogin" usage() { - echo "Usage: ${script_name} {activate|deactivate} [--norestartsshd]" - echo "This script will activate or deactivate the features for" - echo "Google Compute Engine OS Login." - echo "This script must be run as root." - exit 1 + echo "Usage: ${script_name} {activate|deactivate} [--norestartsshd]" + echo "This script will activate or deactivate the features for" + echo "Google Compute Engine OS Login." + echo "This script must be run as root." + exit 1 } added_comment="# Added by Google Compute Engine OS Login." 
@@ -35,148 +37,166 @@ pam_homedir="session optional pam_mkhomedir.so" # Update AuthorizedKeysCommand to work on EL 6. -if [ -f ${el_release_file} ] -then - if grep -q "release 6" "/etc/redhat-release" - then +if [ -f ${el_release_file} ]; then + if grep -q "release 6" "/etc/redhat-release"; then sshd_user="AuthorizedKeysCommandRunAs root" fi fi # User must be root to edit config files. -if [ $(id -u) -ne 0 ] -then - usage +if [ $(id -u) -ne 0 ]; then + usage fi -if [ $# -lt 1 ] -then - usage +if [ $# -lt 1 ]; then + usage fi copy_file() { - config=$1 - cp ${config} ${config}.new + config=$1 + cp ${config} ${config}.new } overwrite_file() { - config=$1 - mv ${config}.new ${config} + config=$1 + mv ${config}.new ${config} } remove_from_config() { - config=$1 - sed -i "/${added_comment}/,+1d" ${config}.new + config=$1 + sed -i "/${added_comment}/,+1d" ${config}.new } remove_from_nss_config() { - sed -i '/^passwd:/ s/ oslogin//' ${nss_config}.new + sed -i '/^passwd:/ s/ oslogin//' ${nss_config}.new } add_to_sshd_config() { - remove_from_config ${sshd_config} - sed -i "\$a${added_comment}\n${sshd_command}" ${sshd_config}.new - sed -i "\$a${added_comment}\n${sshd_user}" ${sshd_config}.new + remove_from_config ${sshd_config} + sed -i "\$a${added_comment}\n${sshd_command}" ${sshd_config}.new + sed -i "\$a${added_comment}\n${sshd_user}" ${sshd_config}.new } add_to_nss_config() { - remove_from_nss_config - sed -i '/^passwd:/ s/$/ oslogin/' ${nss_config}.new + remove_from_nss_config + sed -i '/^passwd:/ s/$/ oslogin/' ${nss_config}.new } add_to_pam_config() { - remove_from_config ${pam_config} - sed -i "/pam_nologin.so/ a${added_comment}\n${pam_admin}" ${pam_config}.new - sed -i "/pam_nologin.so/ a${added_comment}\n${pam_login}" ${pam_config}.new - sed -i "/pam_selinux.so close/ a${pam_homedir}" ${pam_config}.new + remove_from_config ${pam_config} + sed -i "/pam_nologin.so/ a${added_comment}\n${pam_admin}" ${pam_config}.new + sed -i "/pam_nologin.so/ 
a${added_comment}\n${pam_login}" ${pam_config}.new + sed -i "/pam_selinux.so close/ a${pam_homedir}" ${pam_config}.new } +restart_service() { + service=$1 + if which systemctl > /dev/null 2>&1; then + if systemctl status ${service} >/dev/null 2>&1; then + echo "Restarting ${service}." + systemctl restart ${service} + return $? + fi + elif which service > /dev/null 2>&1; then + if service --status-all | grep -Fq ${service}; then + echo "Restarting ${service}." + service ${service} restart + return $? + fi + elif which invoke-rc.d > /dev/null 2>&1; then + if invoke-rc.d ${service} status > /dev/null 2>&1; then + echo "Restarting ${service}." + invoke-rc.d ${service} restart + return $? + fi + elif which /etc/init.d/${service} > /dev/null 2>&1; then + if /etc/init.d/${service} status > /dev/null 2>&1; then + echo "Restarting ${service}." + /etc/init.d/${service} restart + return $? + fi + fi + return 1 +} restart_sshd() { - echo "Restarting sshd." - if which service >/dev/null 2>&1 - then - service sshd restart - elif which invoke-rc.d >/dev/null 2>&1 - then - invoke-rc.d sshd restart - else - /etc/init.d/sshd restart - fi + restart_service sshd || restart_service ssh +} + +restart_nscd() { + restart_service nscd || restart_service unscd } activate_sshd() { - copy_file ${sshd_config} - add_to_sshd_config - overwrite_file ${sshd_config} + copy_file ${sshd_config} + add_to_sshd_config + overwrite_file ${sshd_config} } deactivate_sshd() { - copy_file ${sshd_config} - remove_from_config ${sshd_config} - overwrite_file ${sshd_config} + copy_file ${sshd_config} + remove_from_config ${sshd_config} + overwrite_file ${sshd_config} } activate_nss() { - copy_file ${nss_config} - add_to_nss_config - overwrite_file ${nss_config} + copy_file ${nss_config} + add_to_nss_config + overwrite_file ${nss_config} + restart_nscd } deactivate_nss() { - copy_file ${nss_config} - remove_from_nss_config - overwrite_file ${nss_config} + copy_file ${nss_config} + remove_from_nss_config + 
overwrite_file ${nss_config} + restart_nscd } activate_pam() { - copy_file ${pam_config} - add_to_pam_config - overwrite_file ${pam_config} + copy_file ${pam_config} + add_to_pam_config + overwrite_file ${pam_config} } deactivate_pam() { - copy_file ${pam_config} - remove_from_config ${pam_config} - overwrite_file ${pam_config} + copy_file ${pam_config} + remove_from_config ${pam_config} + overwrite_file ${pam_config} } activate_sudoers() { - mkdir -p /etc/google-sudoers.d - echo "#includedir /etc/google-sudoers.d" > /etc/sudoers.d/google-oslogin + mkdir -p ${sudoers_dir} + chmod 750 ${sudoers_dir} + echo "#includedir ${sudoers_dir}" > ${sudoers_file} } deactivate_sudoers() { - rm -f /etc/sudoers.d/google-oslogin - rm -rf /etc/google-sudoers.d + rm -f ${sudoers_file} + rm -rf ${sudoers_dir} } case "$1" in - - activate) - echo "Activating Google Compute Engine OS Login." - activate_sshd - activate_nss - activate_pam - activate_sudoers - ;; - - deactivate) - echo "Deactivating Google Compute Engine OS Login." - deactivate_sshd - deactivate_nss - deactivate_pam - deactivate_sudoers - ;; - - *) - usage - ;; - + activate) + echo "Activating Google Compute Engine OS Login." + activate_sshd + activate_nss + activate_pam + activate_sudoers + ;; + deactivate) + echo "Deactivating Google Compute Engine OS Login." + deactivate_sshd + deactivate_nss + deactivate_pam + deactivate_sudoers + ;; + *) + usage + ;; esac # Restart sshd unless --norestartsshd flag is set. 
-if [ $# -lt 2 ] || [ "$2" != "--norestartsshd" ] -then - restart_sshd +if [ $# -lt 2 ] || [ "$2" != "--norestartsshd" ]; then + restart_sshd fi diff -Nru gce-compute-image-packages-20170622/google_compute_engine_oslogin/Makefile gce-compute-image-packages-20170718/google_compute_engine_oslogin/Makefile --- gce-compute-image-packages-20170622/google_compute_engine_oslogin/Makefile 2017-06-22 22:15:22.000000000 +0200 +++ gce-compute-image-packages-20170718/google_compute_engine_oslogin/Makefile 2017-07-18 18:43:14.000000000 +0200 @@ -4,7 +4,7 @@ NAME = google-compute-engine-$(BASENAME) MAJOR = 1 MINOR = 0 -REVISION = 0 +REVISION = 1 NSS_LIBRARY_NAME = libnss_$(NAME)-$(MAJOR).$(MINOR).$(REVISION).so NSS_LIBRARY_SONAME = libnss_$(BASENAME).so.2 @@ -52,6 +52,8 @@ # SELINUX POLICY INSTALL_SELINUX = POLICY_DIR = policy +SELINUX_MODULE_SRC = $(POLICY_DIR)/oslogin$(DIST).te +SELINUX_MOD_FILE = $(POLICY_DIR)/oslogin$(DIST).mod SELINUX_MODULE = $(POLICY_DIR)/oslogin$(DIST).pp SELINUX_INSTALL_NAME = oslogin.pp SELINUX_INSTALL_PATH = /usr/share/selinux/packages @@ -59,7 +61,11 @@ LIBS = -lcurl -ljson-c PAM_LIBS = -lpam $(LIBS) +ifdef INSTALL_SELINUX +all: $(NSS) $(PAM) $(AUTHKEYS_BIN) $(SELINUX_MODULE) +else all: $(NSS) $(PAM) $(AUTHKEYS_BIN) +endif $(NSS): $(NSS_LIBRARY_SOURCE) $(UTILS) $(CXX) $(CXXFLAGS) $(NSSFLAGS) -o $(NSS_LIBRARY_NAME) \ 
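Review bot: `activate_sudoers` now runs `chmod 750 ${sudoers_dir}` but still creates the `/etc/sudoers.d` drop-in with a bare redirect, `echo "#includedir ${sudoers_dir}" > ${sudoers_file}`, so that file's mode depends on the caller's umask instead of being set by the script; sudo checks the owner and permission bits of every file it includes (how strictly varies by version) and 0440 is the conventional mode for sudoers files, so add `chmod 0440 ${sudoers_file}` after the redirect to make the result explicit and independent of the environment the script is invoked from. A smaller point in the new `restart_service`: `service --status-all | grep -Fq ${service}` is a substring match (`ssh` also matches a listing that only contains `sshd`), so `grep -Fqw` or anchoring on the service column would be more precise. Quoting `"${service}"` there and in the `systemctl`/`invoke-rc.d`/`/etc/init.d` calls would also follow the usual shell conventions, even though the names passed in are fixed.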
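Review bot: The `ifdef INSTALL_SELINUX` / `else` pair duplicates the whole `all:` prerequisite list, and the `@@ -85,7 +91,18 @@` hunk does the same for `install:`, so the next target added to one branch is easy to miss in the other. A conditional prerequisite keeps one line per rule: `SELINUX_TARGETS = $(if $(INSTALL_SELINUX),$(SELINUX_MODULE))` next to the existing `INSTALL_SELINUX =` line, then `all: $(NSS) $(PAM) $(AUTHKEYS_BIN) $(SELINUX_TARGETS)` and the same suffix on `install:`. Note that `ifdef` is true only when the variable has a non-empty value, so the default `INSTALL_SELINUX =` leaves the SELinux build off in both forms; a comment saying that `INSTALL_SELINUX=1` on the make command line enables it would help the packager.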
@@ -85,7 +91,18 @@ $(UTILS): $(UTILS_SRC) $(CXX) $(CXXFLAGS) -c $(UTILS_SRC) -o $(UTILS) +$(SELINUX_MOD_FILE): $(SELINUX_MODULE_SRC) + checkmodule -M -m -o $(SELINUX_MOD_FILE) $(SELINUX_MODULE_SRC) + +$(SELINUX_MODULE): $(SELINUX_MOD_FILE) + semodule_package -o $(SELINUX_MODULE) -m $(SELINUX_MOD_FILE) + + +ifdef INSTALL_SELINUX +install: $(NSS_LIBRARY_NAME) $(PAM_ADMIN_MOD) $(PAM_LOGIN_MOD) $(AUTHKEYS_BIN) $(SELINUX_MODULE) +else install: $(NSS_LIBRARY_NAME) $(PAM_ADMIN_MOD) $(PAM_LOGIN_MOD) $(AUTHKEYS_BIN) +endif mkdir -p $(DESTDIR)$(PREFIX)$(NSS_INSTALL_PATH) mkdir -p $(DESTDIR)$(PREFIX)$(PAM_INSTALL_PATH) mkdir -p $(DESTDIR)$(PREFIX)$(AUTHKEYS_INSTALL_PATH) diff -Nru gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/debian8/changelog gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/debian8/changelog --- gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/debian8/changelog 2017-06-22 22:15:22.000000000 +0200 +++ gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/debian8/changelog 2017-07-18 18:43:14.000000000 +0200 @@ -1,3 +1,9 @@ +google-compute-engine-oslogin (1.0.1-1+deb8) unstable; urgency=low + + * Fix for restarting sshd and nscd. + + -- MAINTAINER Mon, 17 Jul 2017 12:00:00 -0700 + google-compute-engine-oslogin (1.0.0-1+deb8) unstable; urgency=low * Team Upload. diff -Nru gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/debian8/google-compute-engine-oslogin.links gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/debian8/google-compute-engine-oslogin.links --- gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/debian8/google-compute-engine-oslogin.links 2017-06-22 22:15:22.000000000 +0200 +++ gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/debian8/google-compute-engine-oslogin.links 2017-07-18 18:43:14.000000000 +0200 
@@ -1 +1 @@ -/lib/libnss_google-compute-engine-oslogin-1.0.0.so /lib/libnss_oslogin.so.2 +/lib/libnss_google-compute-engine-oslogin-1.0.1.so /lib/libnss_oslogin.so.2 diff -Nru gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/debian9/changelog gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/debian9/changelog --- gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/debian9/changelog 2017-06-22 22:15:22.000000000 +0200 +++ gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/debian9/changelog 2017-07-18 18:43:14.000000000 +0200 @@ -1,3 +1,9 @@ +google-compute-engine-oslogin (1.0.1-1+deb9) unstable; urgency=low + + * Fix for restarting sshd and nscd. + + -- MAINTAINER Mon, 17 Jul 2017 12:00:00 -0700 + google-compute-engine-oslogin (1.0.0-1+deb9) unstable; urgency=low * Team Upload. diff -Nru gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/debian9/google-compute-engine-oslogin.links gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/debian9/google-compute-engine-oslogin.links --- gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/debian9/google-compute-engine-oslogin.links 2017-06-22 22:15:22.000000000 +0200 +++ gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/debian9/google-compute-engine-oslogin.links 2017-07-18 18:43:14.000000000 +0200 
@@ -1 +1 @@ -/lib/libnss_google-compute-engine-oslogin-1.0.0.so /lib/libnss_oslogin.so.2 +/lib/libnss_google-compute-engine-oslogin-1.0.1.so /lib/libnss_oslogin.so.2 diff -Nru gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/rpmbuild/SPECS/google-compute-engine-oslogin.spec gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/rpmbuild/SPECS/google-compute-engine-oslogin.spec --- gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/rpmbuild/SPECS/google-compute-engine-oslogin.spec 2017-06-22 22:15:22.000000000 +0200 +++ gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/rpmbuild/SPECS/google-compute-engine-oslogin.spec 2017-07-18 18:43:14.000000000 +0200 @@ -13,7 +13,7 @@ # limitations under the License. Name: google-compute-engine-oslogin -Version: 1.0.0 +Version: 1.0.1 Release: 1%{?dist} Summary: OS Login Functionality for Google Compute Engine @@ -25,6 +25,7 @@ BuildRequires: libcurl BuildRequires: json-c BuildRequires: pam-devel +BuildRequires: policycoreutils-python Requires: policycoreutils-python %define pam_install_path /%{_lib}/security diff -Nru gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/setup_deb.sh gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/setup_deb.sh --- gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/setup_deb.sh 2017-06-22 22:15:22.000000000 +0200 +++ gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/setup_deb.sh 2017-07-18 18:43:14.000000000 +0200 
@@ -20,7 +20,7 @@
 # Run from the top of the source directory.
 NAME="google-compute-engine-oslogin"
-VERSION="1.0.0"
+VERSION="1.0.1"
 working_dir=${PWD}
diff -Nru gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/setup_rpm.sh gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/setup_rpm.sh
--- gce-compute-image-packages-20170622/google_compute_engine_oslogin/packaging/setup_rpm.sh 2017-06-22 22:15:22.000000000 +0200
+++ gce-compute-image-packages-20170718/google_compute_engine_oslogin/packaging/setup_rpm.sh 2017-07-18 18:43:14.000000000 +0200
@@ -20,7 +20,7 @@
 # Run from the top of the source directory.
 NAME="google-compute-engine-oslogin"
-VERSION="1.0.0"
+VERSION="1.0.1"
 working_dir=${PWD}
 rpm_working_dir=/tmp/rpmpackage/${NAME}-${VERSION}
diff -Nru gce-compute-image-packages-20170622/google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc gce-compute-image-packages-20170718/google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc
--- gce-compute-image-packages-20170622/google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc 2017-06-22 22:15:22.000000000 +0200
+++ gce-compute-image-packages-20170718/google_compute_engine_oslogin/pam_module/pam_oslogin_admin.cc 2017-07-18 18:43:14.000000000 +0200
@@ -36,7 +36,7 @@
 using oslogin_utils::UrlEncode;
 using oslogin_utils::kMetadataServerUrl;
-static const char kSudoersDir[] = "/etc/google-sudoers.d/";
+static const char kSudoersDir[] = "/var/google-sudoers.d/";
 extern "C" {
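Review bot: `kSudoersDir` is now hard-coded to `/var/google-sudoers.d/` here while the same path is hard-coded again as `sudoers_dir` in `bin/google_oslogin_control` and as the `var_t` rules in `policy/*.te`, and nothing in the code ties the three together, so the next move risks leaving one of them behind exactly as this one had to touch all three. Since the build does not share the value, a comment on the constant is the minimum: `// Directory for per-user sudoers drop-ins. Must match sudoers_dir in bin/google_oslogin_control (which creates it, mode 0750) and the var_t rules in policy/*.te.` The constant's uses are outside this hunk.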
@@ -84,6 +84,7 @@
 << "\n";
 sudoers_file.close();
 chown(filename.c_str(), 0, 0);
+ chmod(filename.c_str(), S_IRUSR | S_IWUSR | S_IRGRP);
 }
 } else if (file_exists) {
 remove(filename.c_str());
Binary files /tmp/B2KjKmI7f_/gce-compute-image-packages-20170622/google_compute_engine_oslogin/policy/oslogin.el6.pp and /tmp/Pm9c4RMZyc/gce-compute-image-packages-20170718/google_compute_engine_oslogin/policy/oslogin.el6.pp differ
diff -Nru gce-compute-image-packages-20170622/google_compute_engine_oslogin/policy/oslogin.el6.te gce-compute-image-packages-20170718/google_compute_engine_oslogin/policy/oslogin.el6.te
--- gce-compute-image-packages-20170622/google_compute_engine_oslogin/policy/oslogin.el6.te 2017-06-22 22:15:22.000000000 +0200
+++ gce-compute-image-packages-20170718/google_compute_engine_oslogin/policy/oslogin.el6.te 2017-07-18 18:43:14.000000000 +0200
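Review bot: The added `chmod(filename.c_str(), S_IRUSR | S_IWUSR | S_IRGRP)` and the `chown` before it both ignore their return value, so a failure leaves the per-user sudoers file owned or permissioned however the open and umask produced it, with nothing logged; check both, e.g. `if (chown(filename.c_str(), 0, 0) != 0 || chmod(filename.c_str(), S_IRUSR | S_IWUSR | S_IRGRP) != 0) { /* log via pam_syslog and remove(filename) */ }`. The mode is also applied after the content has been written, so there is a window in which the file carries the default creation mode; creating it through `open(..., O_WRONLY | O_CREAT | O_TRUNC, 0640)` (or tightening the umask around the write) closes that window, although with the directory at 0750 under root the exposure is to root only. Two details to confirm since they are outside the hunk: `S_IRUSR` and friends require `<sys/stat.h>`, and sudo checks the owner and mode of each file it includes, so an owner-writable 0640 may be wider than some sudo versions accept and 0440 is the conventional choice. The enclosing function starts and ends outside the hunk.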
@@ -4,22 +4,20 @@ require { type home_root_t; type etc_t; + type var_t; type sshd_t; class dir { write remove_name create add_name setattr }; - class file { setattr create write unlink open }; + class file { setattr getattr create open write unlink open }; } -#============= sshd_t ============== -#!!!! The source type 'sshd_t' can write to a 'dir' of the following types: -# gitosis_var_lib_t, sshd_tmpfs_t, openshift_tmp_t, ssh_home_t, var_auth_t, tmpfs_t, tmp_t, var_t, user_tmp_t, auth_cache_t, admin_home_t, faillog_t, var_run_t, user_home_dir_t, pcscd_var_run_t, pam_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, tmp_t, cluster_var_lib_t, cluster_var_run_t - +# The NSS module needs to manipulate files in /etc and /var for sudo permissions allow sshd_t etc_t:dir { write remove_name add_name }; allow sshd_t etc_t:file { write create unlink setattr }; -#!!!! This avc can be allowed using the boolean 'allow_polyinstantiation' +allow sshd_t var_t:dir { write remove_name add_name }; +allow sshd_t var_t:file { write create open unlink setattr getattr }; + allow sshd_t home_root_t:dir { write add_name }; allow sshd_t home_root_t:dir { create setattr }; -#!!!! 
The source type 'sshd_t' can write to a 'file' of the following types: -# gitosis_var_lib_t, sshd_tmpfs_t, openshift_tmp_t, ssh_home_t, var_auth_t, user_tmp_t, auth_cache_t, faillog_t, pcscd_var_run_t, sshd_var_run_t, pam_var_run_t, root_t, krb5_host_rcache_t, cluster_conf_t, cluster_var_lib_t, cluster_var_run_t allow sshd_t home_root_t:file { write create open setattr }; Binary files /tmp/B2KjKmI7f_/gce-compute-image-packages-20170622/google_compute_engine_oslogin/policy/oslogin.el7.pp and /tmp/Pm9c4RMZyc/gce-compute-image-packages-20170718/google_compute_engine_oslogin/policy/oslogin.el7.pp differ diff -Nru gce-compute-image-packages-20170622/google_compute_engine_oslogin/policy/oslogin.el7.te gce-compute-image-packages-20170718/google_compute_engine_oslogin/policy/oslogin.el7.te --- gce-compute-image-packages-20170622/google_compute_engine_oslogin/policy/oslogin.el7.te 2017-06-22 22:15:22.000000000 +0200 +++ gce-compute-image-packages-20170718/google_compute_engine_oslogin/policy/oslogin.el7.te 2017-07-18 18:43:14.000000000 +0200 
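Review bot: `allow sshd_t var_t:dir { write remove_name add_name }` and `allow sshd_t var_t:file { write create open unlink setattr getattr }` grant sshd_t write, create and unlink on every object labeled `var_t`, i.e. the generic type for most of `/var`, not just `/var/google-sudoers.d`; that is far broader than the one directory the PAM module writes into, and the same rules are added in `oslogin.el7.te` (`@@ -1,25 +1,20 @@`). The least-privilege form is a dedicated type for that directory (`type oslogin_sudoers_t;` plus whatever file-type attribute the target policy expects), a file-context entry for `/var/google-sudoers.d(/.*)?`, a `restorecon` after the `mkdir` in `google_oslogin_control`, and `allow sshd_t oslogin_sudoers_t:...` rules in place of the `var_t` ones; if the broad rules are a deliberate stopgap until labeling ships, the comment above them should say so. Also, the require line `class file { setattr getattr create open write unlink open };` lists `open` twice.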
@@ -1,25 +1,20 @@
-module oslogin 1.0;
+module oslogin.el7 1.0;
 require {
 type oddjob_mkhomedir_t;
 type etc_t;
+ type var_t;
 type http_port_t;
 type sshd_t;
 class tcp_socket name_connect;
- class file { create setattr unlink write };
+ class file { create setattr getattr open unlink write };
 }
-#============= oddjob_mkhomedir_t ==============
-
-#!!!! This avc can be allowed using the boolean 'nis_enabled'
+# These two could also be set with the nis_enabled_boolean
 allow oddjob_mkhomedir_t http_port_t:tcp_socket name_connect;
+allow sshd_t http_port_t:tcp_socket name_connect;
-#============= sshd_t ==============
-
-#!!!! WARNING: 'etc_t' is a base type.
+# The NSS module needs to manipulate files in /etc and /var for sudo permissions
 allow sshd_t etc_t:file { create setattr unlink write };
-
-#!!!! This avc can be allowed using one of the these booleans:
-# authlogin_yubikey, nis_enabled
-allow sshd_t http_port_t:tcp_socket name_connect;
+allow sshd_t var_t:file { create setattr getattr open unlink write };
diff -Nru gce-compute-image-packages-20170622/google_compute_engine_oslogin/utils/oslogin_utils.cc gce-compute-image-packages-20170718/google_compute_engine_oslogin/utils/oslogin_utils.cc
--- gce-compute-image-packages-20170622/google_compute_engine_oslogin/utils/oslogin_utils.cc 2017-06-22 22:15:22.000000000 +0200
+++ gce-compute-image-packages-20170718/google_compute_engine_oslogin/utils/oslogin_utils.cc 2017-07-18 18:43:14.000000000 +0200
@@ -26,6 +26,9 @@
 using std::string;
+// Maximum number of retries for HTTP requests.
+const int kMaxRetries = 1;
+
 namespace oslogin_utils {
 BufferManager::BufferManager(char* buf, size_t buflen)
@@ -146,6 +149,8 @@
 curl_global_init(CURL_GLOBAL_ALL);
 CURL* curl = curl_easy_init();
 std::ostringstream response;
+ int retry_count = 0;
+ long http_code = 0;
 if (curl) {
 struct curl_slist* header_list = NULL;
 header_list = curl_slist_append(header_list, "Metadata-Flavor: Google");
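Review bot: The module is renamed from `module oslogin 1.0;` to `module oslogin.el7 1.0;` with no version bump, and `semodule` identifies loaded modules by that name, so on a host where the previous package already loaded `oslogin`, installing the new package's `oslogin.pp` (the Makefile still ships it as `SELINUX_INSTALL_NAME = oslogin.pp`) will most likely load a second module next to the old one rather than replace it, leaving the old rules active with nothing removing them on upgrade. Either keep the name `oslogin` and bump to `1.1`, or have the package's post-install explicitly remove the old module name before installing the new one. The `.el6` file's `module` line is outside its hunk, so I cannot tell whether it was renamed the same way. Minor wording: the new comment `# These two could also be set with the nis_enabled_boolean` reads better as `# These two could also be granted by the nis_enabled boolean`.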
@@ -153,13 +158,18 @@
 curl_global_cleanup();
 return "";
 }
- curl_easy_setopt(curl, CURLOPT_HTTPHEADER, header_list);
- curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, &OnCurlWrite);
- curl_easy_setopt(curl, CURLOPT_FILE, &response);
- curl_easy_setopt(curl, CURLOPT_TIMEOUT, 5);
- curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
- code = curl_easy_perform(curl);
-
+ do {
+ response.str("");
+ response.clear();
+ curl_easy_setopt(curl, CURLOPT_HTTPHEADER, header_list);
+ curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, &OnCurlWrite);
+ curl_easy_setopt(curl, CURLOPT_FILE, &response);
+ curl_easy_setopt(curl, CURLOPT_TIMEOUT, 5);
+ curl_easy_setopt(curl, CURLOPT_URL, url.c_str());
+
+ code = curl_easy_perform(curl);
+ curl_easy_getinfo(curl, CURLINFO_RESPONSE_CODE, &http_code);
+ } while (retry_count++ < kMaxRetries && http_code == 500);
 curl_slist_free_all(header_list);
 curl_global_cleanup();
 }
diff -Nru gce-compute-image-packages-20170622/setup.py gce-compute-image-packages-20170718/setup.py
--- gce-compute-image-packages-20170622/setup.py 2017-06-22 22:15:22.000000000 +0200
+++ gce-compute-image-packages-20170718/setup.py 2017-07-18 18:43:14.000000000 +0200
@@ -32,7 +32,7 @@
 packages=setuptools.find_packages(),
 scripts=glob.glob('scripts/*'),
 url='https://github.com/GoogleCloudPlatform/compute-image-packages',
- version='2.4.0',
+ version='2.4.1',
 # Entry points create scripts in /usr/bin that call a function.
 entry_points={
 'console_scripts': [
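Review bot: The retry condition `while (retry_count++ < kMaxRetries && http_code == 500)` retries only an HTTP 500 and never a failed transfer: when `curl_easy_perform` returns anything other than `CURLE_OK` (the 5-second `CURLOPT_TIMEOUT` expiring is a plausible case against the metadata server) `code` holds the error but `CURLINFO_RESPONSE_CODE` yields 0 because no response arrived, so the loop exits after a single attempt and the retry does not cover the failure it most plausibly exists for. If transient failures are the target, the condition should be `while (retry_count++ < kMaxRetries && (code != CURLE_OK || http_code == 500))`, with a short pause before the second attempt (e.g. `usleep` of a few hundred milliseconds) so a server that just failed is not hit again immediately; if only 500 is intended, the comment on `kMaxRetries` should say so. The five `curl_easy_setopt` calls are loop-invariant and can move back above the `do`, leaving only the `response` reset, the perform and the `getinfo` inside the loop. The enclosing function starts outside the hunk.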