SELinux userspace 3.7 release

Resolves: RHEL-40233
This commit is contained in:
Petr Lautrbach 2024-06-27 17:47:47 +02:00
parent b408663be5
commit 07a392fef4
13 changed files with 37 additions and 495 deletions

1
.gitignore vendored
View File

@ -355,3 +355,4 @@ policycoreutils-2.0.83.tgz
/selinux-3.6-rc1.tar.gz /selinux-3.6-rc1.tar.gz
/selinux-3.6-rc2.tar.gz /selinux-3.6-rc2.tar.gz
/selinux-3.6.tar.gz /selinux-3.6.tar.gz
/selinux-3.7.tar.gz

View File

@ -1,4 +1,4 @@
From 5dd7c8460230bd27170725bbb27014855652f356 Mon Sep 17 00:00:00 2001 From 7030465cd94d22aef6824e46df69f82b256195c8 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@redhat.com> From: Dan Walsh <dwalsh@redhat.com>
Date: Fri, 14 Feb 2014 12:32:12 -0500 Date: Fri, 14 Feb 2014 12:32:12 -0500
Subject: [PATCH] Don't be verbose if you are not on a tty Subject: [PATCH] Don't be verbose if you are not on a tty
@ -9,7 +9,7 @@ Content-type: text/plain
1 file changed, 1 insertion(+) 1 file changed, 1 insertion(+)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index 166af6f360a2..ebe64563c7d7 100755 index cb50fef3ca65..13ac07414c14 100755
--- a/policycoreutils/scripts/fixfiles --- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles +++ b/policycoreutils/scripts/fixfiles
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() { @@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
@ -21,5 +21,5 @@ index 166af6f360a2..ebe64563c7d7 100755
THREADS="" THREADS=""
RPMFILES="" RPMFILES=""
-- --
2.41.0 2.44.0

View File

@ -1,27 +0,0 @@
From 10542b4fde99a089950126b008105c14b9452da1 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 20 Aug 2015 12:58:41 +0200
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
recent Fedoras
Content-type: text/plain
---
sandbox/sandboxX.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index eaa500d08143..4774528027ef 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
</openbox_config>
EOF
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
#!/bin/sh
--
2.41.0

View File

@ -1,4 +1,4 @@
From 6213773ec3a6364cac48eb39d8ecfb11b5addc12 Mon Sep 17 00:00:00 2001 From 856ac05345d8557a38e82d012a4d13b4d34efd6f Mon Sep 17 00:00:00 2001
From: Masatake YAMATO <yamato@redhat.com> From: Masatake YAMATO <yamato@redhat.com>
Date: Thu, 14 Dec 2017 15:57:58 +0900 Date: Thu, 14 Dec 2017 15:57:58 +0900
Subject: [PATCH] sepolicy-generate: Handle more reserved port types Subject: [PATCH] sepolicy-generate: Handle more reserved port types
@ -53,7 +53,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
1 file changed, 3 insertions(+), 1 deletion(-) 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index b6df3e91160b..36a3ea1196b1 100644 index adf65f27a822..f726ad51b775 100644
--- a/python/sepolicy/sepolicy/generate.py --- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py +++ b/python/sepolicy/sepolicy/generate.py
@@ -100,7 +100,9 @@ def get_all_ports(): @@ -100,7 +100,9 @@ def get_all_ports():
@ -68,5 +68,5 @@ index b6df3e91160b..36a3ea1196b1 100644
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range')) dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
return dict return dict
-- --
2.41.0 2.44.0

View File

@ -1,4 +1,4 @@
From 7bf4ac2438df52b259b9d3d539b9a9e889cc7424 Mon Sep 17 00:00:00 2001 From 8f7a90cb77a79aaef2ceca75bc25679a7b17ff98 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com> From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 18 Jul 2018 09:09:35 +0200 Date: Wed, 18 Jul 2018 09:09:35 +0200
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
@ -11,7 +11,7 @@ Content-type: text/plain
3 files changed, 3 insertions(+), 17 deletions(-) 3 files changed, 3 insertions(+), 17 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox diff --git a/sandbox/sandbox b/sandbox/sandbox
index a2762a7d215a..a32a33ea3cf6 100644 index e3fd6119ed4d..e01425f0c637 100644
--- a/sandbox/sandbox --- a/sandbox/sandbox
+++ b/sandbox/sandbox +++ b/sandbox/sandbox
@@ -270,7 +270,7 @@ class Sandbox: @@ -270,7 +270,7 @@ class Sandbox:
@ -23,7 +23,7 @@ index a2762a7d215a..a32a33ea3cf6 100644
execfile = self.__homedir + "/.sandboxrc" execfile = self.__homedir + "/.sandboxrc"
fd = open(execfile, "w+") fd = open(execfile, "w+")
if self.__options.session: if self.__options.session:
@@ -369,7 +369,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- @@ -370,7 +370,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-W", "--windowmanager", dest="wm", parser.add_option("-W", "--windowmanager", dest="wm",
type="string", type="string",
@ -46,11 +46,11 @@ index 095b9e27042d..1c1870190e51 100644
\fB\-X\fR \fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for Create an X based Sandbox for gui apps, temporary files for
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index 4774528027ef..c211ebc14549 100644 index 28169182ce42..e2a7ad9b2ac7 100644
--- a/sandbox/sandboxX.sh --- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh +++ b/sandbox/sandboxX.sh
@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8 @@ -7,20 +7,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
[ -z $2 ] && export DPI="96" || export DPI="$2" [ -z $3 ] && export DPI="96" || export DPI="$3"
trap "exit 0" HUP trap "exit 0" HUP
-mkdir -p ~/.config/openbox -mkdir -p ~/.config/openbox
@ -67,9 +67,9 @@ index 4774528027ef..c211ebc14549 100644
-</openbox_config> -</openbox_config>
-EOF -EOF
- -
(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do if [ "$WAYLAND_NATIVE" == "no" ]; then
export DISPLAY=:$D if [ -z "$WAYLAND_DISPLAY" ]; then
cat > ~/seremote << __EOF DISPLAY_COMMAND='/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null'
-- --
2.41.0 2.44.0

View File

@ -1,4 +1,4 @@
From 94859162dbf9d2ccd4ffb923720c654a4cb9150a Mon Sep 17 00:00:00 2001 From 4884c917237e53e34d3fc75dcf4f07217cfd7584 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com> From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 30 Jul 2021 14:14:37 +0200 Date: Fri, 30 Jul 2021 14:14:37 +0200
Subject: [PATCH] Use SHA-2 instead of SHA-1 Subject: [PATCH] Use SHA-2 instead of SHA-1
@ -174,5 +174,5 @@ index ee01725050bb..57c663a99d67 100644
and provided the and provided the
.B \-n .B \-n
-- --
2.41.0 2.44.0

View File

@ -1,4 +1,4 @@
From f364324e66cb2bf014362c5c1d1b6a2bcf98d6ff Mon Sep 17 00:00:00 2001 From cb1b3bdca016edaa90e92b49d51544f8a38cba19 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com> From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 30 May 2023 09:07:28 +0200 Date: Tue, 30 May 2023 09:07:28 +0200
Subject: [PATCH] python/sepolicy: Fix spec file dependencies Subject: [PATCH] python/sepolicy: Fix spec file dependencies
@ -44,5 +44,5 @@ index 433c298a17e0..a6d4508bb670 100644
mid_section="""\ mid_section="""\
-- --
2.41.0 2.44.0

View File

@ -1,30 +0,0 @@
From daedef300edce80cf8ee20825292504104dc0221 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Thu, 9 May 2024 16:17:05 +0200
Subject: [PATCH] sandbox: do not fail without xmodmap
Content-type: text/plain
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
sandbox/sandbox | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 0dc25584dd98..be8722e3b8d3 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -479,7 +479,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
xmodmapfile = self.__homedir + "/.xmodmap"
xd = open(xmodmapfile, "w")
- subprocess.Popen(["/usr/bin/xmodmap", "-pke"], stdout=xd).wait()
+ try:
+ subprocess.Popen(["/usr/bin/xmodmap", "-pke"], stdout=xd).wait()
+ except:
+ pass
xd.close()
self.__setup_sandboxrc(self.__options.wm)
--
2.44.0

View File

@ -1,35 +0,0 @@
From d6e533bde4a25e5cdbb9445dfef6080dcaa6f43e Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Tue, 20 Feb 2024 11:14:52 +0100
Subject: [PATCH] sandbox: do not run window manager if it's not a session
Content-type: text/plain
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
sandbox/sandbox | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index be8722e3b8d3..7ab98076fd2b 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -285,15 +285,12 @@ class Sandbox:
fd.write("""#! /bin/sh
#TITLE: %s
# /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
-%s &
-WM_PID=$!
if which dbus-run-session >/dev/null 2>&1; then
dbus-run-session -- %s
else
dbus-launch --exit-with-session %s
fi
-kill -TERM $WM_PID 2> /dev/null
-""" % (command, wm, command, command))
+""" % (command, command, command))
fd.close()
os.chmod(execfile, 0o700)
--
2.44.0

View File

@ -1,232 +0,0 @@
From dde02ec582db3daa50ef09fdcfde025750f0575e Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Tue, 20 Feb 2024 11:11:56 +0100
Subject: [PATCH] seunshare: Add [ -P pipewiresocket ] [ -W waylandsocket ]
options
Content-type: text/plain
Mount /run/user/UID/<waylandsocket> or /run/user/UID/<pipewiresocket>
inside unshared /run/user/UID directory
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
sandbox/seunshare.c | 120 +++++++++++++++++++++++++++++++++++++++++---
1 file changed, 113 insertions(+), 7 deletions(-)
diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
index 1d38ea92b9ae..106f625fcba5 100644
--- a/sandbox/seunshare.c
+++ b/sandbox/seunshare.c
@@ -52,7 +52,8 @@
#define BUF_SIZE 1024
#define DEFAULT_PATH "/usr/bin:/bin"
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -r runuserdir ] [ -Z CONTEXT ] -- executable [args] ")
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] \
+[ -r runuserdir ] [ -P pipewiresocket ] [ -W waylandsocket ] [ -Z CONTEXT ] -- executable [args] ")
static int verbose = 0;
static int child = 0;
@@ -265,6 +266,10 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
is_tmp = 1;
}
+ if (strncmp("/run/user", dst, 9) == 0) {
+ flags = flags | MS_REC;
+ }
+
/* mount directory */
if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
@@ -289,6 +294,31 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
}
+/**
+ * Mount directory and check that we mounted the right directory.
+ */
+static int seunshare_mount_file(const char *src, const char *dst)
+{
+ int flags = 0;
+
+ if (verbose)
+ printf(_("Mounting %s on %s\n"), src, dst);
+
+ if (access(dst, F_OK) == -1) {
+ FILE *fptr;
+ fptr = fopen(dst, "w");
+ fclose(fptr);
+ }
+ /* mount file */
+ if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
+ fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
+ return -1;
+ }
+
+ return 0;
+
+}
+
/*
If path is empty or ends with "/." or "/.. return -1 else return 0;
*/
@@ -616,6 +646,8 @@ killall (const char *execcon)
int main(int argc, char **argv) {
int status = -1;
const char *execcon = NULL;
+ const char *pipewire_socket = NULL;
+ const char *wayland_display = NULL;
int clflag; /* holds codes for command line flags */
int kill_all = 0;
@@ -641,6 +673,8 @@ int main(int argc, char **argv) {
{"verbose", 1, 0, 'v'},
{"context", 1, 0, 'Z'},
{"capabilities", 1, 0, 'C'},
+ {"wayland", 1, 0, 'W'},
+ {"pipewire", 1, 0, 'P'},
{NULL, 0, 0, 0}
};
@@ -670,7 +704,7 @@ int main(int argc, char **argv) {
}
while (1) {
- clflag = getopt_long(argc, argv, "Ccvh:r:t:Z:", long_options, NULL);
+ clflag = getopt_long(argc, argv, "Ccvh:r:t:W:Z:", long_options, NULL);
if (clflag == -1)
break;
@@ -693,6 +727,12 @@ int main(int argc, char **argv) {
case 'C':
cap_set = CAPNG_SELECT_CAPS;
break;
+ case 'P':
+ pipewire_socket = optarg;
+ break;
+ case 'W':
+ wayland_display = optarg;
+ break;
case 'Z':
execcon = optarg;
break;
@@ -767,8 +807,14 @@ int main(int argc, char **argv) {
char *display = NULL;
char *LANG = NULL;
char *RUNTIME_DIR = NULL;
+ char *XDG_SESSION_TYPE = NULL;
int rc = -1;
char *resolved_path = NULL;
+ char *wayland_path_s = NULL; /* /tmp/.../wayland-0 */
+ char *wayland_path = NULL; /* /run/user/UID/wayland-0 */
+ char *pipewire_path_s = NULL; /* /tmp/.../pipewire-0 */
+ char *pipewire_path = NULL; /* /run/user/UID/pipewire-0 */
+
if (unshare(CLONE_NEWNS) < 0) {
perror(_("Failed to unshare"));
@@ -805,6 +851,42 @@ int main(int argc, char **argv) {
}
}
+ if ((XDG_SESSION_TYPE = getenv("XDG_SESSION_TYPE")) != NULL) {
+ if ((XDG_SESSION_TYPE = strdup(XDG_SESSION_TYPE)) == NULL) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+ }
+
+ if (runuserdir_s && (wayland_display || pipewire_socket)) {
+ if (wayland_display) {
+ if (asprintf(&wayland_path_s, "%s/%s", runuserdir_s, wayland_display) == -1) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+
+ if (asprintf(&wayland_path, "%s/%s", RUNTIME_DIR, wayland_display) == -1) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+
+ if (seunshare_mount_file(wayland_path, wayland_path_s) == -1)
+ goto childerr;
+ }
+
+ if (pipewire_socket) {
+ if (asprintf(&pipewire_path_s, "%s/%s", runuserdir_s, pipewire_socket) == -1) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+ if (asprintf(&pipewire_path, "%s/pipewire-0", RUNTIME_DIR) == -1) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+ seunshare_mount_file(pipewire_path, pipewire_path_s);
+ }
+ }
+
/* mount homedir, runuserdir and tmpdir, in this order */
if (runuserdir_s && seunshare_mount(runuserdir_s, RUNTIME_DIR,
&st_runuserdir_s) != 0) goto childerr;
@@ -816,10 +898,21 @@ int main(int argc, char **argv) {
if (drop_privs(uid) != 0) goto childerr;
/* construct a new environment */
- if ((display = getenv("DISPLAY")) != NULL) {
- if ((display = strdup(display)) == NULL) {
- perror(_("Out of memory"));
- goto childerr;
+
+ if (XDG_SESSION_TYPE && strcmp(XDG_SESSION_TYPE, "wayland") == 0) {
+ if (wayland_display == NULL && (wayland_display = getenv("WAYLAND_DISPLAY")) != NULL) {
+ if ((wayland_display = strdup(wayland_display)) == NULL) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+ }
+ }
+ else {
+ if ((display = getenv("DISPLAY")) != NULL) {
+ if ((display = strdup(display)) == NULL) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
}
}
@@ -835,8 +928,16 @@ int main(int argc, char **argv) {
perror(_("Failed to clear environment"));
goto childerr;
}
- if (display)
+ if (display) {
rc |= setenv("DISPLAY", display, 1);
+ }
+ if (wayland_display) {
+ rc |= setenv("WAYLAND_DISPLAY", wayland_display, 1);
+ }
+
+ if (XDG_SESSION_TYPE)
+ rc |= setenv("XDG_SESSION_TYPE", XDG_SESSION_TYPE, 1);
+
if (LANG)
rc |= setenv("LANG", LANG, 1);
if (RUNTIME_DIR)
@@ -874,9 +975,14 @@ int main(int argc, char **argv) {
fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
childerr:
free(resolved_path);
+ free(wayland_path);
+ free(wayland_path_s);
+ free(pipewire_path);
+ free(pipewire_path_s);
free(display);
free(LANG);
free(RUNTIME_DIR);
+ free(XDG_SESSION_TYPE);
exit(-1);
}
--
2.44.0

View File

@ -1,133 +0,0 @@
From 5d1224b87ea10f3026ecf53c4c448ac4655add04 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Tue, 20 Feb 2024 11:17:20 +0100
Subject: [PATCH] sandbox: Add support for Wayland
Content-type: text/plain
- use XWayland for X application if it's run in Wayland session
- run Wayland apps directly if it's run in Wayland session
- add sandbox -Y option to run run Wayland application
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
---
sandbox/sandbox | 26 ++++++++++++++++++++++++--
sandbox/sandboxX.sh | 36 ++++++++++++++++++++++++------------
2 files changed, 48 insertions(+), 14 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 7ab98076fd2b..009b5f4df8f2 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -344,6 +344,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
action="callback", callback=self.__x_callback,
default=False, help=_("run X application within a sandbox"))
+ parser.add_option("-Y", dest="Y_ind",
+ action="callback", callback=self.__x_callback,
+ default=False, help=_("run Wayland application within a sandbox"))
+
parser.add_option("-H", "--homedir",
action="callback", callback=self.__validdir,
type="string",
@@ -457,6 +461,16 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
selinux.chcon(self.__runuserdir, self.__filecon, recursive=True)
selinux.setfscreatecon(None)
+ def __is_wayland_app(self):
+ binary = shutil.which(self.__paths[0])
+ if binary is None:
+ return True
+ output = subprocess.run(['ldd', binary], capture_output=True)
+ for line in str(output.stdout, "utf-8").split('\n'):
+ if line.find("libwayland") != -1:
+ return "yes"
+ return False
+
def __execute(self):
try:
cmds = [SEUNSHARE, "-Z", self.__execcon]
@@ -465,7 +479,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
if self.__mount:
cmds += ["-t", self.__tmpdir, "-h", self.__homedir, "-r", self.__runuserdir]
- if self.__options.X_ind:
+ if self.__options.X_ind or self.__options.Y_ind:
if self.__options.dpi:
dpi = self.__options.dpi
else:
@@ -474,6 +488,9 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
from gi.repository import Gtk
dpi = str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024)
+ if os.environ.get('WAYLAND_DISPLAY') is not None:
+ cmds += ["-W", os.environ["WAYLAND_DISPLAY"]]
+
xmodmapfile = self.__homedir + "/.xmodmap"
xd = open(xmodmapfile, "w")
try:
@@ -484,7 +501,12 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
self.__setup_sandboxrc(self.__options.wm)
- cmds += ["--", SANDBOXSH, self.__options.windowsize, dpi]
+ if self.__options.Y_ind or self.__is_wayland_app():
+ WN = "yes"
+ else:
+ WN = "no"
+
+ cmds += ["--", SANDBOXSH, WN, self.__options.windowsize, dpi]
else:
cmds += ["--"] + self.__paths
return subprocess.Popen(cmds).wait()
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
index c211ebc14549..e2a7ad9b2ac7 100644
--- a/sandbox/sandboxX.sh
+++ b/sandbox/sandboxX.sh
@@ -2,20 +2,32 @@
trap "" TERM
context=`id -Z | secon -t -l -P`
export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
-[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1"
-[ -z $2 ] && export DPI="96" || export DPI="$2"
+[ -z $1 ] && export WAYLAND_NATIVE="no" || export WAYLAND_NATIVE="$1"
+[ -z $2 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$2"
+[ -z $3 ] && export DPI="96" || export DPI="$3"
trap "exit 0" HUP
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
- export DISPLAY=:$D
- cat > ~/seremote << __EOF
-#!/bin/sh
-DISPLAY=$DISPLAY "\$@"
+if [ "$WAYLAND_NATIVE" == "no" ]; then
+ if [ -z "$WAYLAND_DISPLAY" ]; then
+ DISPLAY_COMMAND='/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null'
+ else
+ DISPLAY_COMMAND='/usr/bin/Xwayland -terminate -dpi $DPI -retro -geometry $SCREENSIZE -decorate -displayfd 5 5>&1 2>/dev/null'
+ fi
+ eval $DISPLAY_COMMAND | while read D; do
+ export DISPLAY=:$D
+ cat > ~/seremote << __EOF
+#!/bin/bash -x
+export DISPLAY=$DISPLAY
+export WAYLAND_DISPLAY=$WAYLAND_DISPLAY
+"\$@"
__EOF
- chmod +x ~/seremote
+ chmod +x ~/seremote
+ /usr/share/sandbox/start $HOME/.sandboxrc
+ export EXITCODE=$?
+ kill -TERM 0
+ break
+ done
+else
/usr/share/sandbox/start $HOME/.sandboxrc
- export EXITCODE=$?
- kill -TERM 0
- break
-done
+fi
exit 0
--
2.44.0

View File

@ -1,7 +1,7 @@
%global libauditver 3.0 %global libauditver 3.0
%global libsepolver 3.6-1 %global libsepolver 3.7-1
%global libsemanagever 3.6-1 %global libsemanagever 3.7-1
%global libselinuxver 3.6-1 %global libselinuxver 3.7-1
%global generatorsdir %{_prefix}/lib/systemd/system-generators %global generatorsdir %{_prefix}/lib/systemd/system-generators
@ -10,11 +10,11 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 3.6 Version: 3.7
Release: 5%{?dist} Release: 1%{?dist}
License: GPL-2.0-or-later License: GPL-2.0-or-later
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6/selinux-3.6.tar.gz Source0: https://github.com/SELinuxProject/selinux/releases/download/3.7/selinux-3.7.tar.gz
URL: https://github.com/SELinuxProject/selinux URL: https://github.com/SELinuxProject/selinux
Source13: system-config-selinux.png Source13: system-config-selinux.png
Source14: sepolicy-icons.tgz Source14: sepolicy-icons.tgz
@ -33,19 +33,14 @@ Source22: selinux-gui.zip
# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/sandbox --output ./ # wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/sandbox --output ./
Source23: selinux-sandbox.zip Source23: selinux-sandbox.zip
# https://github.com/fedora-selinux/selinux # https://github.com/fedora-selinux/selinux
# $ git format-patch -N 3.6 -- policycoreutils python gui sandbox dbus semodule-utils restorecond # $ git format-patch -N 3.7 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
# Patch list start # Patch list start
Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch Patch0001: 0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
Patch0002: 0002-Don-t-be-verbose-if-you-are-not-on-a-tty.patch Patch0002: 0002-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0003: 0003-sepolicy-generate-Handle-more-reserved-port-types.patch Patch0003: 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0004: 0004-sandbox-Use-matchbox-window-manager-instead-of-openb.patch Patch0004: 0004-Use-SHA-2-instead-of-SHA-1.patch
Patch0005: 0005-Use-SHA-2-instead-of-SHA-1.patch Patch0005: 0005-python-sepolicy-Fix-spec-file-dependencies.patch
Patch0006: 0006-python-sepolicy-Fix-spec-file-dependencies.patch
Patch0007: 0007-sandbox-do-not-fail-without-xmodmap.patch
Patch0008: 0008-sandbox-do-not-run-window-manager-if-it-s-not-a-sess.patch
Patch0009: 0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch
Patch0010: 0010-sandbox-Add-support-for-Wayland.patch
# Patch list end # Patch list end
Obsoletes: policycoreutils < 2.0.61-2 Obsoletes: policycoreutils < 2.0.61-2
@ -427,6 +422,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Thu Jun 27 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-1
- SELinux userspace 3.7 release
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.6-5 * Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.6-5
- Bump release for June 2024 mass rebuild - Bump release for June 2024 mass rebuild

View File

@ -1,5 +1,5 @@
SHA512 (selinux-3.6.tar.gz) = 15ba9c5901ec4dc1e9e24374ffe61216301335fb07c0d653692251a59f210628775852f22d7c5eb784a43b65c133fad983ba1e6159d72fd3fd16e87f9a335fb6
SHA512 (selinux-policycoreutils.zip) = 0df9dc274e0d1a2e4e2467f95a18a5bf7b6de2428ac90a0a73d7f3bd766a897062af142ba3cf39cdb79565ba78af960bcd2e35865cc26e14bf2305321780c918 SHA512 (selinux-policycoreutils.zip) = 0df9dc274e0d1a2e4e2467f95a18a5bf7b6de2428ac90a0a73d7f3bd766a897062af142ba3cf39cdb79565ba78af960bcd2e35865cc26e14bf2305321780c918
SHA512 (selinux-python.zip) = 35d209f8bcff498f66465499fcc4cef0780781276a4ba060b2d1d56eed1dd72d253f6b0eae5f679d46cf426b967a7aadac909363513be5d483c95a31249eacdd SHA512 (selinux-python.zip) = 35d209f8bcff498f66465499fcc4cef0780781276a4ba060b2d1d56eed1dd72d253f6b0eae5f679d46cf426b967a7aadac909363513be5d483c95a31249eacdd
SHA512 (selinux-sandbox.zip) = ecbc0c8280eb6c013b039a2e63ee5a361cd84807613962a012ac0a98092357e9809bea23c3c71bd8ae4745b1dd12a4fce43db5e1cab31614f386a2a8db88b733 SHA512 (selinux-sandbox.zip) = ecbc0c8280eb6c013b039a2e63ee5a361cd84807613962a012ac0a98092357e9809bea23c3c71bd8ae4745b1dd12a4fce43db5e1cab31614f386a2a8db88b733
SHA512 (selinux-gui.zip) = 3ae41eba5dd6d34e10dfdb97f4194d170ace2f3044e984077db7d26d05bdaad86625e48e5694e3e8680487ad99a50861d4bea30c4bf08e2820e3b7a8671270c7 SHA512 (selinux-gui.zip) = 3ae41eba5dd6d34e10dfdb97f4194d170ace2f3044e984077db7d26d05bdaad86625e48e5694e3e8680487ad99a50861d4bea30c4bf08e2820e3b7a8671270c7
SHA512 (selinux-3.7.tar.gz) = f16c3731e27a09306147ffd5b929f55357642da663326edf5837885b36e8fe763ba6a1d18e8ae4001f6091545d06bb11f2d9ed78d69711c0211fbb406bc52345