SELinux userspace 3.7 release
Resolves: RHEL-40233
parent
b408663be5
commit
07a392fef4
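--- a/.gitignore
+++ b/.gitignore
@@ -355,3 +355,4 @@ policycoreutils-2.0.83.tgz
 /selinux-3.6-rc1.tar.gz
 /selinux-3.6-rc2.tar.gz
 /selinux-3.6.tar.gz
+/selinux-3.7.tar.gz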
@ -1,4 +1,4 @@
|
|||||||
From 5dd7c8460230bd27170725bbb27014855652f356 Mon Sep 17 00:00:00 2001
|
From 7030465cd94d22aef6824e46df69f82b256195c8 Mon Sep 17 00:00:00 2001
|
||||||
From: Dan Walsh <dwalsh@redhat.com>
|
From: Dan Walsh <dwalsh@redhat.com>
|
||||||
Date: Fri, 14 Feb 2014 12:32:12 -0500
|
Date: Fri, 14 Feb 2014 12:32:12 -0500
|
||||||
Subject: [PATCH] Don't be verbose if you are not on a tty
|
Subject: [PATCH] Don't be verbose if you are not on a tty
|
||||||
@ -9,7 +9,7 @@ Content-type: text/plain
|
|||||||
1 file changed, 1 insertion(+)
|
1 file changed, 1 insertion(+)
|
||||||
|
|
||||||
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
|
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
|
||||||
index 166af6f360a2..ebe64563c7d7 100755
|
index cb50fef3ca65..13ac07414c14 100755
|
||||||
--- a/policycoreutils/scripts/fixfiles
|
--- a/policycoreutils/scripts/fixfiles
|
||||||
+++ b/policycoreutils/scripts/fixfiles
|
+++ b/policycoreutils/scripts/fixfiles
|
||||||
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
|
@@ -108,6 +108,7 @@ exclude_dirs_from_relabelling() {
|
||||||
@ -21,5 +21,5 @@ index 166af6f360a2..ebe64563c7d7 100755
|
|||||||
THREADS=""
|
THREADS=""
|
||||||
RPMFILES=""
|
RPMFILES=""
|
||||||
--
|
--
|
||||||
2.41.0
|
2.44.0
|
||||||
|
|
@ -1,27 +0,0 @@
|
|||||||
From 10542b4fde99a089950126b008105c14b9452da1 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Lautrbach <plautrba@redhat.com>
|
|
||||||
Date: Thu, 20 Aug 2015 12:58:41 +0200
|
|
||||||
Subject: [PATCH] sandbox: add -reset to Xephyr as it works better with it in
|
|
||||||
recent Fedoras
|
|
||||||
Content-type: text/plain
|
|
||||||
|
|
||||||
---
|
|
||||||
sandbox/sandboxX.sh | 2 +-
|
|
||||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
|
|
||||||
index eaa500d08143..4774528027ef 100644
|
|
||||||
--- a/sandbox/sandboxX.sh
|
|
||||||
+++ b/sandbox/sandboxX.sh
|
|
||||||
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
|
|
||||||
</openbox_config>
|
|
||||||
EOF
|
|
||||||
|
|
||||||
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
|
||||||
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
|
||||||
export DISPLAY=:$D
|
|
||||||
cat > ~/seremote << __EOF
|
|
||||||
#!/bin/sh
|
|
||||||
--
|
|
||||||
2.41.0
|
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 6213773ec3a6364cac48eb39d8ecfb11b5addc12 Mon Sep 17 00:00:00 2001
|
From 856ac05345d8557a38e82d012a4d13b4d34efd6f Mon Sep 17 00:00:00 2001
|
||||||
From: Masatake YAMATO <yamato@redhat.com>
|
From: Masatake YAMATO <yamato@redhat.com>
|
||||||
Date: Thu, 14 Dec 2017 15:57:58 +0900
|
Date: Thu, 14 Dec 2017 15:57:58 +0900
|
||||||
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
|
Subject: [PATCH] sepolicy-generate: Handle more reserved port types
|
||||||
@ -53,7 +53,7 @@ https://lore.kernel.org/selinux/20150610.190635.1866127952891120915.yamato@redha
|
|||||||
1 file changed, 3 insertions(+), 1 deletion(-)
|
1 file changed, 3 insertions(+), 1 deletion(-)
|
||||||
|
|
||||||
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
|
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
|
||||||
index b6df3e91160b..36a3ea1196b1 100644
|
index adf65f27a822..f726ad51b775 100644
|
||||||
--- a/python/sepolicy/sepolicy/generate.py
|
--- a/python/sepolicy/sepolicy/generate.py
|
||||||
+++ b/python/sepolicy/sepolicy/generate.py
|
+++ b/python/sepolicy/sepolicy/generate.py
|
||||||
@@ -100,7 +100,9 @@ def get_all_ports():
|
@@ -100,7 +100,9 @@ def get_all_ports():
|
||||||
@ -68,5 +68,5 @@ index b6df3e91160b..36a3ea1196b1 100644
|
|||||||
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
|
dict[(p['low'], p['high'], p['protocol'])] = (p['type'], p.get('range'))
|
||||||
return dict
|
return dict
|
||||||
--
|
--
|
||||||
2.41.0
|
2.44.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 7bf4ac2438df52b259b9d3d539b9a9e889cc7424 Mon Sep 17 00:00:00 2001
|
From 8f7a90cb77a79aaef2ceca75bc25679a7b17ff98 Mon Sep 17 00:00:00 2001
|
||||||
From: Petr Lautrbach <plautrba@redhat.com>
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
Date: Wed, 18 Jul 2018 09:09:35 +0200
|
Date: Wed, 18 Jul 2018 09:09:35 +0200
|
||||||
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
|
Subject: [PATCH] sandbox: Use matchbox-window-manager instead of openbox
|
||||||
@ -11,7 +11,7 @@ Content-type: text/plain
|
|||||||
3 files changed, 3 insertions(+), 17 deletions(-)
|
3 files changed, 3 insertions(+), 17 deletions(-)
|
||||||
|
|
||||||
diff --git a/sandbox/sandbox b/sandbox/sandbox
|
diff --git a/sandbox/sandbox b/sandbox/sandbox
|
||||||
index a2762a7d215a..a32a33ea3cf6 100644
|
index e3fd6119ed4d..e01425f0c637 100644
|
||||||
--- a/sandbox/sandbox
|
--- a/sandbox/sandbox
|
||||||
+++ b/sandbox/sandbox
|
+++ b/sandbox/sandbox
|
||||||
@@ -270,7 +270,7 @@ class Sandbox:
|
@@ -270,7 +270,7 @@ class Sandbox:
|
||||||
@ -23,7 +23,7 @@ index a2762a7d215a..a32a33ea3cf6 100644
|
|||||||
execfile = self.__homedir + "/.sandboxrc"
|
execfile = self.__homedir + "/.sandboxrc"
|
||||||
fd = open(execfile, "w+")
|
fd = open(execfile, "w+")
|
||||||
if self.__options.session:
|
if self.__options.session:
|
||||||
@@ -369,7 +369,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
@@ -370,7 +370,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
||||||
|
|
||||||
parser.add_option("-W", "--windowmanager", dest="wm",
|
parser.add_option("-W", "--windowmanager", dest="wm",
|
||||||
type="string",
|
type="string",
|
||||||
@ -46,11 +46,11 @@ index 095b9e27042d..1c1870190e51 100644
|
|||||||
\fB\-X\fR
|
\fB\-X\fR
|
||||||
Create an X based Sandbox for gui apps, temporary files for
|
Create an X based Sandbox for gui apps, temporary files for
|
||||||
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
|
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
|
||||||
index 4774528027ef..c211ebc14549 100644
|
index 28169182ce42..e2a7ad9b2ac7 100644
|
||||||
--- a/sandbox/sandboxX.sh
|
--- a/sandbox/sandboxX.sh
|
||||||
+++ b/sandbox/sandboxX.sh
|
+++ b/sandbox/sandboxX.sh
|
||||||
@@ -6,20 +6,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
|
@@ -7,20 +7,6 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
|
||||||
[ -z $2 ] && export DPI="96" || export DPI="$2"
|
[ -z $3 ] && export DPI="96" || export DPI="$3"
|
||||||
trap "exit 0" HUP
|
trap "exit 0" HUP
|
||||||
|
|
||||||
-mkdir -p ~/.config/openbox
|
-mkdir -p ~/.config/openbox
|
||||||
@ -67,9 +67,9 @@ index 4774528027ef..c211ebc14549 100644
|
|||||||
-</openbox_config>
|
-</openbox_config>
|
||||||
-EOF
|
-EOF
|
||||||
-
|
-
|
||||||
(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
if [ "$WAYLAND_NATIVE" == "no" ]; then
|
||||||
export DISPLAY=:$D
|
if [ -z "$WAYLAND_DISPLAY" ]; then
|
||||||
cat > ~/seremote << __EOF
|
DISPLAY_COMMAND='/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null'
|
||||||
--
|
--
|
||||||
2.41.0
|
2.44.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From 94859162dbf9d2ccd4ffb923720c654a4cb9150a Mon Sep 17 00:00:00 2001
|
From 4884c917237e53e34d3fc75dcf4f07217cfd7584 Mon Sep 17 00:00:00 2001
|
||||||
From: Petr Lautrbach <plautrba@redhat.com>
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
Date: Fri, 30 Jul 2021 14:14:37 +0200
|
Date: Fri, 30 Jul 2021 14:14:37 +0200
|
||||||
Subject: [PATCH] Use SHA-2 instead of SHA-1
|
Subject: [PATCH] Use SHA-2 instead of SHA-1
|
||||||
@ -174,5 +174,5 @@ index ee01725050bb..57c663a99d67 100644
|
|||||||
and provided the
|
and provided the
|
||||||
.B \-n
|
.B \-n
|
||||||
--
|
--
|
||||||
2.41.0
|
2.44.0
|
||||||
|
|
@ -1,4 +1,4 @@
|
|||||||
From f364324e66cb2bf014362c5c1d1b6a2bcf98d6ff Mon Sep 17 00:00:00 2001
|
From cb1b3bdca016edaa90e92b49d51544f8a38cba19 Mon Sep 17 00:00:00 2001
|
||||||
From: Vit Mojzis <vmojzis@redhat.com>
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
Date: Tue, 30 May 2023 09:07:28 +0200
|
Date: Tue, 30 May 2023 09:07:28 +0200
|
||||||
Subject: [PATCH] python/sepolicy: Fix spec file dependencies
|
Subject: [PATCH] python/sepolicy: Fix spec file dependencies
|
||||||
@ -44,5 +44,5 @@ index 433c298a17e0..a6d4508bb670 100644
|
|||||||
|
|
||||||
mid_section="""\
|
mid_section="""\
|
||||||
--
|
--
|
||||||
2.41.0
|
2.44.0
|
||||||
|
|
@ -1,30 +0,0 @@
|
|||||||
From daedef300edce80cf8ee20825292504104dc0221 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Lautrbach <lautrbach@redhat.com>
|
|
||||||
Date: Thu, 9 May 2024 16:17:05 +0200
|
|
||||||
Subject: [PATCH] sandbox: do not fail without xmodmap
|
|
||||||
Content-type: text/plain
|
|
||||||
|
|
||||||
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
|
|
||||||
---
|
|
||||||
sandbox/sandbox | 5 ++++-
|
|
||||||
1 file changed, 4 insertions(+), 1 deletion(-)
|
|
||||||
|
|
||||||
diff --git a/sandbox/sandbox b/sandbox/sandbox
|
|
||||||
index 0dc25584dd98..be8722e3b8d3 100644
|
|
||||||
--- a/sandbox/sandbox
|
|
||||||
+++ b/sandbox/sandbox
|
|
||||||
@@ -479,7 +479,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
|
||||||
|
|
||||||
xmodmapfile = self.__homedir + "/.xmodmap"
|
|
||||||
xd = open(xmodmapfile, "w")
|
|
||||||
- subprocess.Popen(["/usr/bin/xmodmap", "-pke"], stdout=xd).wait()
|
|
||||||
+ try:
|
|
||||||
+ subprocess.Popen(["/usr/bin/xmodmap", "-pke"], stdout=xd).wait()
|
|
||||||
+ except:
|
|
||||||
+ pass
|
|
||||||
xd.close()
|
|
||||||
|
|
||||||
self.__setup_sandboxrc(self.__options.wm)
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,35 +0,0 @@
|
|||||||
From d6e533bde4a25e5cdbb9445dfef6080dcaa6f43e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Lautrbach <lautrbach@redhat.com>
|
|
||||||
Date: Tue, 20 Feb 2024 11:14:52 +0100
|
|
||||||
Subject: [PATCH] sandbox: do not run window manager if it's not a session
|
|
||||||
Content-type: text/plain
|
|
||||||
|
|
||||||
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
|
|
||||||
---
|
|
||||||
sandbox/sandbox | 5 +----
|
|
||||||
1 file changed, 1 insertion(+), 4 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/sandbox/sandbox b/sandbox/sandbox
|
|
||||||
index be8722e3b8d3..7ab98076fd2b 100644
|
|
||||||
--- a/sandbox/sandbox
|
|
||||||
+++ b/sandbox/sandbox
|
|
||||||
@@ -285,15 +285,12 @@ class Sandbox:
|
|
||||||
fd.write("""#! /bin/sh
|
|
||||||
#TITLE: %s
|
|
||||||
# /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
|
|
||||||
-%s &
|
|
||||||
-WM_PID=$!
|
|
||||||
if which dbus-run-session >/dev/null 2>&1; then
|
|
||||||
dbus-run-session -- %s
|
|
||||||
else
|
|
||||||
dbus-launch --exit-with-session %s
|
|
||||||
fi
|
|
||||||
-kill -TERM $WM_PID 2> /dev/null
|
|
||||||
-""" % (command, wm, command, command))
|
|
||||||
+""" % (command, command, command))
|
|
||||||
fd.close()
|
|
||||||
os.chmod(execfile, 0o700)
|
|
||||||
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,232 +0,0 @@
|
|||||||
From dde02ec582db3daa50ef09fdcfde025750f0575e Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Lautrbach <lautrbach@redhat.com>
|
|
||||||
Date: Tue, 20 Feb 2024 11:11:56 +0100
|
|
||||||
Subject: [PATCH] seunshare: Add [ -P pipewiresocket ] [ -W waylandsocket ]
|
|
||||||
options
|
|
||||||
Content-type: text/plain
|
|
||||||
|
|
||||||
Mount /run/user/UID/<waylandsocket> or /run/user/UID/<pipewiresocket>
|
|
||||||
inside unshared /run/user/UID directory
|
|
||||||
|
|
||||||
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
|
|
||||||
---
|
|
||||||
sandbox/seunshare.c | 120 +++++++++++++++++++++++++++++++++++++++++---
|
|
||||||
1 file changed, 113 insertions(+), 7 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/sandbox/seunshare.c b/sandbox/seunshare.c
|
|
||||||
index 1d38ea92b9ae..106f625fcba5 100644
|
|
||||||
--- a/sandbox/seunshare.c
|
|
||||||
+++ b/sandbox/seunshare.c
|
|
||||||
@@ -52,7 +52,8 @@
|
|
||||||
|
|
||||||
#define BUF_SIZE 1024
|
|
||||||
#define DEFAULT_PATH "/usr/bin:/bin"
|
|
||||||
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -r runuserdir ] [ -Z CONTEXT ] -- executable [args] ")
|
|
||||||
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] \
|
|
||||||
+[ -r runuserdir ] [ -P pipewiresocket ] [ -W waylandsocket ] [ -Z CONTEXT ] -- executable [args] ")
|
|
||||||
|
|
||||||
static int verbose = 0;
|
|
||||||
static int child = 0;
|
|
||||||
@@ -265,6 +266,10 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
|
|
||||||
is_tmp = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if (strncmp("/run/user", dst, 9) == 0) {
|
|
||||||
+ flags = flags | MS_REC;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* mount directory */
|
|
||||||
if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
|
|
||||||
fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
|
|
||||||
@@ -289,6 +294,31 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
+/**
|
|
||||||
+ * Mount directory and check that we mounted the right directory.
|
|
||||||
+ */
|
|
||||||
+static int seunshare_mount_file(const char *src, const char *dst)
|
|
||||||
+{
|
|
||||||
+ int flags = 0;
|
|
||||||
+
|
|
||||||
+ if (verbose)
|
|
||||||
+ printf(_("Mounting %s on %s\n"), src, dst);
|
|
||||||
+
|
|
||||||
+ if (access(dst, F_OK) == -1) {
|
|
||||||
+ FILE *fptr;
|
|
||||||
+ fptr = fopen(dst, "w");
|
|
||||||
+ fclose(fptr);
|
|
||||||
+ }
|
|
||||||
+ /* mount file */
|
|
||||||
+ if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
|
|
||||||
+ fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
|
|
||||||
+ return -1;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ return 0;
|
|
||||||
+
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
/*
|
|
||||||
If path is empty or ends with "/." or "/.. return -1 else return 0;
|
|
||||||
*/
|
|
||||||
@@ -616,6 +646,8 @@ killall (const char *execcon)
|
|
||||||
int main(int argc, char **argv) {
|
|
||||||
int status = -1;
|
|
||||||
const char *execcon = NULL;
|
|
||||||
+ const char *pipewire_socket = NULL;
|
|
||||||
+ const char *wayland_display = NULL;
|
|
||||||
|
|
||||||
int clflag; /* holds codes for command line flags */
|
|
||||||
int kill_all = 0;
|
|
||||||
@@ -641,6 +673,8 @@ int main(int argc, char **argv) {
|
|
||||||
{"verbose", 1, 0, 'v'},
|
|
||||||
{"context", 1, 0, 'Z'},
|
|
||||||
{"capabilities", 1, 0, 'C'},
|
|
||||||
+ {"wayland", 1, 0, 'W'},
|
|
||||||
+ {"pipewire", 1, 0, 'P'},
|
|
||||||
{NULL, 0, 0, 0}
|
|
||||||
};
|
|
||||||
|
|
||||||
@@ -670,7 +704,7 @@ int main(int argc, char **argv) {
|
|
||||||
}
|
|
||||||
|
|
||||||
while (1) {
|
|
||||||
- clflag = getopt_long(argc, argv, "Ccvh:r:t:Z:", long_options, NULL);
|
|
||||||
+ clflag = getopt_long(argc, argv, "Ccvh:r:t:W:Z:", long_options, NULL);
|
|
||||||
if (clflag == -1)
|
|
||||||
break;
|
|
||||||
|
|
||||||
@@ -693,6 +727,12 @@ int main(int argc, char **argv) {
|
|
||||||
case 'C':
|
|
||||||
cap_set = CAPNG_SELECT_CAPS;
|
|
||||||
break;
|
|
||||||
+ case 'P':
|
|
||||||
+ pipewire_socket = optarg;
|
|
||||||
+ break;
|
|
||||||
+ case 'W':
|
|
||||||
+ wayland_display = optarg;
|
|
||||||
+ break;
|
|
||||||
case 'Z':
|
|
||||||
execcon = optarg;
|
|
||||||
break;
|
|
||||||
@@ -767,8 +807,14 @@ int main(int argc, char **argv) {
|
|
||||||
char *display = NULL;
|
|
||||||
char *LANG = NULL;
|
|
||||||
char *RUNTIME_DIR = NULL;
|
|
||||||
+ char *XDG_SESSION_TYPE = NULL;
|
|
||||||
int rc = -1;
|
|
||||||
char *resolved_path = NULL;
|
|
||||||
+ char *wayland_path_s = NULL; /* /tmp/.../wayland-0 */
|
|
||||||
+ char *wayland_path = NULL; /* /run/user/UID/wayland-0 */
|
|
||||||
+ char *pipewire_path_s = NULL; /* /tmp/.../pipewire-0 */
|
|
||||||
+ char *pipewire_path = NULL; /* /run/user/UID/pipewire-0 */
|
|
||||||
+
|
|
||||||
|
|
||||||
if (unshare(CLONE_NEWNS) < 0) {
|
|
||||||
perror(_("Failed to unshare"));
|
|
||||||
@@ -805,6 +851,42 @@ int main(int argc, char **argv) {
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
+ if ((XDG_SESSION_TYPE = getenv("XDG_SESSION_TYPE")) != NULL) {
|
|
||||||
+ if ((XDG_SESSION_TYPE = strdup(XDG_SESSION_TYPE)) == NULL) {
|
|
||||||
+ perror(_("Out of memory"));
|
|
||||||
+ goto childerr;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (runuserdir_s && (wayland_display || pipewire_socket)) {
|
|
||||||
+ if (wayland_display) {
|
|
||||||
+ if (asprintf(&wayland_path_s, "%s/%s", runuserdir_s, wayland_display) == -1) {
|
|
||||||
+ perror(_("Out of memory"));
|
|
||||||
+ goto childerr;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (asprintf(&wayland_path, "%s/%s", RUNTIME_DIR, wayland_display) == -1) {
|
|
||||||
+ perror(_("Out of memory"));
|
|
||||||
+ goto childerr;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (seunshare_mount_file(wayland_path, wayland_path_s) == -1)
|
|
||||||
+ goto childerr;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (pipewire_socket) {
|
|
||||||
+ if (asprintf(&pipewire_path_s, "%s/%s", runuserdir_s, pipewire_socket) == -1) {
|
|
||||||
+ perror(_("Out of memory"));
|
|
||||||
+ goto childerr;
|
|
||||||
+ }
|
|
||||||
+ if (asprintf(&pipewire_path, "%s/pipewire-0", RUNTIME_DIR) == -1) {
|
|
||||||
+ perror(_("Out of memory"));
|
|
||||||
+ goto childerr;
|
|
||||||
+ }
|
|
||||||
+ seunshare_mount_file(pipewire_path, pipewire_path_s);
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* mount homedir, runuserdir and tmpdir, in this order */
|
|
||||||
if (runuserdir_s && seunshare_mount(runuserdir_s, RUNTIME_DIR,
|
|
||||||
&st_runuserdir_s) != 0) goto childerr;
|
|
||||||
@@ -816,10 +898,21 @@ int main(int argc, char **argv) {
|
|
||||||
if (drop_privs(uid) != 0) goto childerr;
|
|
||||||
|
|
||||||
/* construct a new environment */
|
|
||||||
- if ((display = getenv("DISPLAY")) != NULL) {
|
|
||||||
- if ((display = strdup(display)) == NULL) {
|
|
||||||
- perror(_("Out of memory"));
|
|
||||||
- goto childerr;
|
|
||||||
+
|
|
||||||
+ if (XDG_SESSION_TYPE && strcmp(XDG_SESSION_TYPE, "wayland") == 0) {
|
|
||||||
+ if (wayland_display == NULL && (wayland_display = getenv("WAYLAND_DISPLAY")) != NULL) {
|
|
||||||
+ if ((wayland_display = strdup(wayland_display)) == NULL) {
|
|
||||||
+ perror(_("Out of memory"));
|
|
||||||
+ goto childerr;
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ }
|
|
||||||
+ else {
|
|
||||||
+ if ((display = getenv("DISPLAY")) != NULL) {
|
|
||||||
+ if ((display = strdup(display)) == NULL) {
|
|
||||||
+ perror(_("Out of memory"));
|
|
||||||
+ goto childerr;
|
|
||||||
+ }
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -835,8 +928,16 @@ int main(int argc, char **argv) {
|
|
||||||
perror(_("Failed to clear environment"));
|
|
||||||
goto childerr;
|
|
||||||
}
|
|
||||||
- if (display)
|
|
||||||
+ if (display) {
|
|
||||||
rc |= setenv("DISPLAY", display, 1);
|
|
||||||
+ }
|
|
||||||
+ if (wayland_display) {
|
|
||||||
+ rc |= setenv("WAYLAND_DISPLAY", wayland_display, 1);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ if (XDG_SESSION_TYPE)
|
|
||||||
+ rc |= setenv("XDG_SESSION_TYPE", XDG_SESSION_TYPE, 1);
|
|
||||||
+
|
|
||||||
if (LANG)
|
|
||||||
rc |= setenv("LANG", LANG, 1);
|
|
||||||
if (RUNTIME_DIR)
|
|
||||||
@@ -874,9 +975,14 @@ int main(int argc, char **argv) {
|
|
||||||
fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
|
|
||||||
childerr:
|
|
||||||
free(resolved_path);
|
|
||||||
+ free(wayland_path);
|
|
||||||
+ free(wayland_path_s);
|
|
||||||
+ free(pipewire_path);
|
|
||||||
+ free(pipewire_path_s);
|
|
||||||
free(display);
|
|
||||||
free(LANG);
|
|
||||||
free(RUNTIME_DIR);
|
|
||||||
+ free(XDG_SESSION_TYPE);
|
|
||||||
exit(-1);
|
|
||||||
}
|
|
||||||
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,133 +0,0 @@
|
|||||||
From 5d1224b87ea10f3026ecf53c4c448ac4655add04 Mon Sep 17 00:00:00 2001
|
|
||||||
From: Petr Lautrbach <lautrbach@redhat.com>
|
|
||||||
Date: Tue, 20 Feb 2024 11:17:20 +0100
|
|
||||||
Subject: [PATCH] sandbox: Add support for Wayland
|
|
||||||
Content-type: text/plain
|
|
||||||
|
|
||||||
- use XWayland for X application if it's run in Wayland session
|
|
||||||
- run Wayland apps directly if it's run in Wayland session
|
|
||||||
- add sandbox -Y option to run run Wayland application
|
|
||||||
|
|
||||||
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
|
|
||||||
---
|
|
||||||
sandbox/sandbox | 26 ++++++++++++++++++++++++--
|
|
||||||
sandbox/sandboxX.sh | 36 ++++++++++++++++++++++++------------
|
|
||||||
2 files changed, 48 insertions(+), 14 deletions(-)
|
|
||||||
|
|
||||||
diff --git a/sandbox/sandbox b/sandbox/sandbox
|
|
||||||
index 7ab98076fd2b..009b5f4df8f2 100644
|
|
||||||
--- a/sandbox/sandbox
|
|
||||||
+++ b/sandbox/sandbox
|
|
||||||
@@ -344,6 +344,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
|
||||||
action="callback", callback=self.__x_callback,
|
|
||||||
default=False, help=_("run X application within a sandbox"))
|
|
||||||
|
|
||||||
+ parser.add_option("-Y", dest="Y_ind",
|
|
||||||
+ action="callback", callback=self.__x_callback,
|
|
||||||
+ default=False, help=_("run Wayland application within a sandbox"))
|
|
||||||
+
|
|
||||||
parser.add_option("-H", "--homedir",
|
|
||||||
action="callback", callback=self.__validdir,
|
|
||||||
type="string",
|
|
||||||
@@ -457,6 +461,16 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
|
||||||
selinux.chcon(self.__runuserdir, self.__filecon, recursive=True)
|
|
||||||
selinux.setfscreatecon(None)
|
|
||||||
|
|
||||||
+ def __is_wayland_app(self):
|
|
||||||
+ binary = shutil.which(self.__paths[0])
|
|
||||||
+ if binary is None:
|
|
||||||
+ return True
|
|
||||||
+ output = subprocess.run(['ldd', binary], capture_output=True)
|
|
||||||
+ for line in str(output.stdout, "utf-8").split('\n'):
|
|
||||||
+ if line.find("libwayland") != -1:
|
|
||||||
+ return "yes"
|
|
||||||
+ return False
|
|
||||||
+
|
|
||||||
def __execute(self):
|
|
||||||
try:
|
|
||||||
cmds = [SEUNSHARE, "-Z", self.__execcon]
|
|
||||||
@@ -465,7 +479,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
|
||||||
if self.__mount:
|
|
||||||
cmds += ["-t", self.__tmpdir, "-h", self.__homedir, "-r", self.__runuserdir]
|
|
||||||
|
|
||||||
- if self.__options.X_ind:
|
|
||||||
+ if self.__options.X_ind or self.__options.Y_ind:
|
|
||||||
if self.__options.dpi:
|
|
||||||
dpi = self.__options.dpi
|
|
||||||
else:
|
|
||||||
@@ -474,6 +488,9 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
|
||||||
from gi.repository import Gtk
|
|
||||||
dpi = str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024)
|
|
||||||
|
|
||||||
+ if os.environ.get('WAYLAND_DISPLAY') is not None:
|
|
||||||
+ cmds += ["-W", os.environ["WAYLAND_DISPLAY"]]
|
|
||||||
+
|
|
||||||
xmodmapfile = self.__homedir + "/.xmodmap"
|
|
||||||
xd = open(xmodmapfile, "w")
|
|
||||||
try:
|
|
||||||
@@ -484,7 +501,12 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
|
||||||
|
|
||||||
self.__setup_sandboxrc(self.__options.wm)
|
|
||||||
|
|
||||||
- cmds += ["--", SANDBOXSH, self.__options.windowsize, dpi]
|
|
||||||
+ if self.__options.Y_ind or self.__is_wayland_app():
|
|
||||||
+ WN = "yes"
|
|
||||||
+ else:
|
|
||||||
+ WN = "no"
|
|
||||||
+
|
|
||||||
+ cmds += ["--", SANDBOXSH, WN, self.__options.windowsize, dpi]
|
|
||||||
else:
|
|
||||||
cmds += ["--"] + self.__paths
|
|
||||||
return subprocess.Popen(cmds).wait()
|
|
||||||
diff --git a/sandbox/sandboxX.sh b/sandbox/sandboxX.sh
|
|
||||||
index c211ebc14549..e2a7ad9b2ac7 100644
|
|
||||||
--- a/sandbox/sandboxX.sh
|
|
||||||
+++ b/sandbox/sandboxX.sh
|
|
||||||
@@ -2,20 +2,32 @@
|
|
||||||
trap "" TERM
|
|
||||||
context=`id -Z | secon -t -l -P`
|
|
||||||
export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
|
|
||||||
-[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1"
|
|
||||||
-[ -z $2 ] && export DPI="96" || export DPI="$2"
|
|
||||||
+[ -z $1 ] && export WAYLAND_NATIVE="no" || export WAYLAND_NATIVE="$1"
|
|
||||||
+[ -z $2 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$2"
|
|
||||||
+[ -z $3 ] && export DPI="96" || export DPI="$3"
|
|
||||||
trap "exit 0" HUP
|
|
||||||
|
|
||||||
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
|
||||||
- export DISPLAY=:$D
|
|
||||||
- cat > ~/seremote << __EOF
|
|
||||||
-#!/bin/sh
|
|
||||||
-DISPLAY=$DISPLAY "\$@"
|
|
||||||
+if [ "$WAYLAND_NATIVE" == "no" ]; then
|
|
||||||
+ if [ -z "$WAYLAND_DISPLAY" ]; then
|
|
||||||
+ DISPLAY_COMMAND='/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null'
|
|
||||||
+ else
|
|
||||||
+ DISPLAY_COMMAND='/usr/bin/Xwayland -terminate -dpi $DPI -retro -geometry $SCREENSIZE -decorate -displayfd 5 5>&1 2>/dev/null'
|
|
||||||
+ fi
|
|
||||||
+ eval $DISPLAY_COMMAND | while read D; do
|
|
||||||
+ export DISPLAY=:$D
|
|
||||||
+ cat > ~/seremote << __EOF
|
|
||||||
+#!/bin/bash -x
|
|
||||||
+export DISPLAY=$DISPLAY
|
|
||||||
+export WAYLAND_DISPLAY=$WAYLAND_DISPLAY
|
|
||||||
+"\$@"
|
|
||||||
__EOF
|
|
||||||
- chmod +x ~/seremote
|
|
||||||
+ chmod +x ~/seremote
|
|
||||||
+ /usr/share/sandbox/start $HOME/.sandboxrc
|
|
||||||
+ export EXITCODE=$?
|
|
||||||
+ kill -TERM 0
|
|
||||||
+ break
|
|
||||||
+ done
|
|
||||||
+else
|
|
||||||
/usr/share/sandbox/start $HOME/.sandboxrc
|
|
||||||
- export EXITCODE=$?
|
|
||||||
- kill -TERM 0
|
|
||||||
- break
|
|
||||||
-done
|
|
||||||
+fi
|
|
||||||
exit 0
|
|
||||||
--
|
|
||||||
2.44.0
|
|
||||||
|
|
@ -1,7 +1,7 @@
|
|||||||
%global libauditver 3.0
|
%global libauditver 3.0
|
||||||
%global libsepolver 3.6-1
|
%global libsepolver 3.7-1
|
||||||
%global libsemanagever 3.6-1
|
%global libsemanagever 3.7-1
|
||||||
%global libselinuxver 3.6-1
|
%global libselinuxver 3.7-1
|
||||||
|
|
||||||
%global generatorsdir %{_prefix}/lib/systemd/system-generators
|
%global generatorsdir %{_prefix}/lib/systemd/system-generators
|
||||||
|
|
||||||
@ -10,11 +10,11 @@
|
|||||||
|
|
||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 3.6
|
Version: 3.7
|
||||||
Release: 5%{?dist}
|
Release: 1%{?dist}
|
||||||
License: GPL-2.0-or-later
|
License: GPL-2.0-or-later
|
||||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.6/selinux-3.6.tar.gz
|
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.7/selinux-3.7.tar.gz
|
||||||
URL: https://github.com/SELinuxProject/selinux
|
URL: https://github.com/SELinuxProject/selinux
|
||||||
Source13: system-config-selinux.png
|
Source13: system-config-selinux.png
|
||||||
Source14: sepolicy-icons.tgz
|
Source14: sepolicy-icons.tgz
|
||||||
@ -33,19 +33,14 @@ Source22: selinux-gui.zip
|
|||||||
# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/sandbox --output ./
|
# wlc --key <apikey> --url https://translate.fedoraproject.org/api/ download selinux/sandbox --output ./
|
||||||
Source23: selinux-sandbox.zip
|
Source23: selinux-sandbox.zip
|
||||||
# https://github.com/fedora-selinux/selinux
|
# https://github.com/fedora-selinux/selinux
|
||||||
# $ git format-patch -N 3.6 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
|
# $ git format-patch -N 3.7 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
|
||||||
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
|
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
|
||||||
# Patch list start
|
# Patch list start
|
||||||
Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
|
Patch0001: 0001-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
|
||||||
Patch0002: 0002-Don-t-be-verbose-if-you-are-not-on-a-tty.patch
|
Patch0002: 0002-sepolicy-generate-Handle-more-reserved-port-types.patch
|
||||||
Patch0003: 0003-sepolicy-generate-Handle-more-reserved-port-types.patch
|
Patch0003: 0003-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
|
||||||
Patch0004: 0004-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
|
Patch0004: 0004-Use-SHA-2-instead-of-SHA-1.patch
|
||||||
Patch0005: 0005-Use-SHA-2-instead-of-SHA-1.patch
|
Patch0005: 0005-python-sepolicy-Fix-spec-file-dependencies.patch
|
||||||
Patch0006: 0006-python-sepolicy-Fix-spec-file-dependencies.patch
|
|
||||||
Patch0007: 0007-sandbox-do-not-fail-without-xmodmap.patch
|
|
||||||
Patch0008: 0008-sandbox-do-not-run-window-manager-if-it-s-not-a-sess.patch
|
|
||||||
Patch0009: 0009-seunshare-Add-P-pipewiresocket-W-waylandsocket-optio.patch
|
|
||||||
Patch0010: 0010-sandbox-Add-support-for-Wayland.patch
|
|
||||||
# Patch list end
|
# Patch list end
|
||||||
|
|
||||||
Obsoletes: policycoreutils < 2.0.61-2
|
Obsoletes: policycoreutils < 2.0.61-2
|
||||||
@ -427,6 +422,9 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||||||
%systemd_postun_with_restart restorecond.service
|
%systemd_postun_with_restart restorecond.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jun 27 2024 Petr Lautrbach <lautrbach@redhat.com> - 3.7-1
|
||||||
|
- SELinux userspace 3.7 release
|
||||||
|
|
||||||
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.6-5
|
* Mon Jun 24 2024 Troy Dawson <tdawson@redhat.com> - 3.6-5
|
||||||
- Bump release for June 2024 mass rebuild
|
- Bump release for June 2024 mass rebuild
|
||||||
|
|
||||||
|
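Review bot: The patch-list hunk (`@ -33,19 +33,14 @@`) drops Patch0007 through Patch0010 (the xmodmap fallback, window-manager-only-in-session, seunshare `-P`/`-W` socket bind-mounts and sandbox Wayland `-Y` support), but the new changelog entry says only "SELinux userspace 3.7 release", so a reader cannot tell whether those downstream changes were merged upstream or lost in the rebase. Presumably they are part of 3.7 upstream, in which case a one-line changelog entry such as `- Drop sandbox/seunshare Wayland and xmodmap patches merged upstream in 3.7` makes the rebase auditable. If any of them was dropped for another reason, the behaviour that disappears (in particular the seunshare `/run/user/UID` socket mounts, which affect what a sandboxed process can reach) should be called out explicitly in the changelog.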
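--- a/sources
+++ b/sources
@@ -1,5 +1,5 @@
-SHA512 (selinux-3.6.tar.gz) = 15ba9c5901ec4dc1e9e24374ffe61216301335fb07c0d653692251a59f210628775852f22d7c5eb784a43b65c133fad983ba1e6159d72fd3fd16e87f9a335fb6
 SHA512 (selinux-policycoreutils.zip) = 0df9dc274e0d1a2e4e2467f95a18a5bf7b6de2428ac90a0a73d7f3bd766a897062af142ba3cf39cdb79565ba78af960bcd2e35865cc26e14bf2305321780c918
 SHA512 (selinux-python.zip) = 35d209f8bcff498f66465499fcc4cef0780781276a4ba060b2d1d56eed1dd72d253f6b0eae5f679d46cf426b967a7aadac909363513be5d483c95a31249eacdd
 SHA512 (selinux-sandbox.zip) = ecbc0c8280eb6c013b039a2e63ee5a361cd84807613962a012ac0a98092357e9809bea23c3c71bd8ae4745b1dd12a4fce43db5e1cab31614f386a2a8db88b733
 SHA512 (selinux-gui.zip) = 3ae41eba5dd6d34e10dfdb97f4194d170ace2f3044e984077db7d26d05bdaad86625e48e5694e3e8680487ad99a50861d4bea30c4bf08e2820e3b7a8671270c7
+SHA512 (selinux-3.7.tar.gz) = f16c3731e27a09306147ffd5b929f55357642da663326edf5837885b36e8fe763ba6a1d18e8ae4001f6091545d06bb11f2d9ed78d69711c0211fbb406bc52345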