rsynccmd should run outside of execcon

Dan Walsh 2011-03-30 14:42:36 -04:00
parent be38aa471e
commit 1da0399e25
3 changed files with 873 additions and 426 deletions


@ -12745,7 +12745,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.p
+ +
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.85/gui/templates/network.py diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.85/gui/templates/network.py
--- nsapolicycoreutils/gui/templates/network.py 1969-12-31 19:00:00.000000000 -0500 --- nsapolicycoreutils/gui/templates/network.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.85/gui/templates/network.py 2011-02-23 14:40:42.636005375 -0500 +++ policycoreutils-2.0.85/gui/templates/network.py 2011-03-16 17:00:52.485669534 -0400
@@ -0,0 +1,80 @@ @@ -0,0 +1,80 @@
+te_port_types=""" +te_port_types="""
+type TEMPLATETYPE_port_t; +type TEMPLATETYPE_port_t;
@ -12759,13 +12759,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py
+ +
+te_tcp="""\ +te_tcp="""\
+allow TEMPLATETYPE_t self:tcp_socket create_stream_socket_perms; +allow TEMPLATETYPE_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t) +corenet_tcp_sendrecv_generic_if(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t) +corenet_tcp_sendrecv_generic_node(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t) +corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
+""" +"""
+ +
+te_in_tcp="""\ +te_in_tcp="""\
+corenet_tcp_bind_all_nodes(TEMPLATETYPE_t) +corenet_tcp_bind_generic_node(TEMPLATETYPE_t)
+""" +"""
+ +
+te_in_need_port_tcp="""\ +te_in_need_port_tcp="""\
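Review bot: te_tcp still ends with corenet_tcp_sendrecv_all_ports after the interface and node macros were narrowed to generic_if and generic_node, so policy generated from this template stays broad on ports. Confirm that is intended and say so in a comment next to the template, or leave port access to the port-specific templates such as te_in_need_port_tcp.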
@ -12778,13 +12778,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py
+ +
+te_udp="""\ +te_udp="""\
+allow TEMPLATETYPE_t self:udp_socket { create_socket_perms listen }; +allow TEMPLATETYPE_t self:udp_socket { create_socket_perms listen };
+corenet_udp_sendrecv_all_if(TEMPLATETYPE_t) +corenet_udp_sendrecv_generic_if(TEMPLATETYPE_t)
+corenet_udp_sendrecv_all_nodes(TEMPLATETYPE_t) +corenet_udp_sendrecv_generic_node(TEMPLATETYPE_t)
+corenet_udp_sendrecv_all_ports(TEMPLATETYPE_t) +corenet_udp_sendrecv_all_ports(TEMPLATETYPE_t)
+""" +"""
+ +
+te_in_udp="""\ +te_in_udp="""\
+corenet_udp_bind_all_nodes(TEMPLATETYPE_t) +corenet_udp_bind_generic_node(TEMPLATETYPE_t)
+""" +"""
+ +
+te_in_need_port_udp="""\ +te_in_need_port_udp="""\
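Review bot: The unchanged allow line at the top of te_udp still grants listen on udp_socket, a permission a datagram socket has no use for because listen(2) is not supported on UDP. While this template is being touched, reduce the set to create_socket_perms so generated policy does not carry an unused permission.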

File diff suppressed because it is too large


@ -1,5 +1,5 @@
%define libauditver 1.4.2-1 %define libauditver 1.4.2-1
%define libsepolver 2.0.41-3 %define libsepolver 2.0.42-3
%define libsemanagever 2.0.43-4 %define libsemanagever 2.0.43-4
%define libselinuxver 2.0.90-3 %define libselinuxver 2.0.90-3
%define sepolgenver 1.0.23 %define sepolgenver 1.0.23
@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.0.85 Version: 2.0.85
Release: 12%{?dist} Release: 28%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -119,6 +119,7 @@ Requires: /usr/bin/make
Requires(pre): python >= 2.6 Requires(pre): python >= 2.6
Obsoletes: policycoreutils < 2.0.61-2 Obsoletes: policycoreutils < 2.0.61-2
Requires: setools-libs-python >= 3.3.7-6 Requires: setools-libs-python >= 3.3.7-6
Requires: python-IPy
%description python %description python
The policycoreutils-python package contains the management tools use to manage an SELinux environment. The policycoreutils-python package contains the management tools use to manage an SELinux environment.
@ -156,7 +157,7 @@ exit 0
Summary: SELinux sandbox utilities Summary: SELinux sandbox utilities
Group: System Environment/Base Group: System Environment/Base
Requires: policycoreutils-python = %{version}-%{release} Requires: policycoreutils-python = %{version}-%{release}
Requires: xorg-x11-server-Xephyr Requires: xorg-x11-server-Xephyr /usr/bin/rsync /usr/bin/xmodmap
Requires: matchbox-window-manager Requires: matchbox-window-manager
Requires(post): /sbin/chkconfig Requires(post): /sbin/chkconfig
BuildRequires: libcap-ng-devel BuildRequires: libcap-ng-devel
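Review bot: On the changed Requires line of the sandbox subpackage, /usr/bin/rsync and /usr/bin/xmodmap are appended after xorg-x11-server-Xephyr on a single line, which is easy to miss when auditing what the sandbox package pulls in. Give each dependency its own Requires: line, as matchbox-window-manager has on the next line.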
@ -168,7 +169,7 @@ The policycoreutils-python package contains the scripts to create graphical sand
%defattr(-,root,root,-) %defattr(-,root,root,-)
%{_datadir}/sandbox/sandboxX.sh %{_datadir}/sandbox/sandboxX.sh
%{_datadir}/sandbox/start %{_datadir}/sandbox/start
%attr(0755,root,root) %caps(cap_setpcap,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare %attr(0755,root,root) %caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
%{_mandir}/man8/seunshare.8* %{_mandir}/man8/seunshare.8*
%{_mandir}/man5/sandbox.conf.5* %{_mandir}/man5/sandbox.conf.5*
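Review bot: cap_setuid is added to the %caps list for %{_sbindir}/seunshare with =pe, so anyone who can execute this 0755 binary starts it with the setuid capability already permitted and effective, and neither this line nor the changelog says why it is needed. Add a spec comment or changelog entry naming the seunshare step that requires it, and confirm the binary drops the capability as soon as that step is done.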
@ -180,6 +181,7 @@ exit 0
if [ $1 -eq 1 ]; then if [ $1 -eq 1 ]; then
/sbin/chkconfig sandbox --add /sbin/chkconfig sandbox --add
fi fi
%preun sandbox %preun sandbox
if [ $1 -eq 0 ]; then if [ $1 -eq 0 ]; then
/sbin/chkconfig sandbox --del /sbin/chkconfig sandbox --del
@ -329,8 +331,67 @@ fi
exit 0 exit 0
%changelog %changelog
* Wed Feb 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-12 * Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-28
- rsynccmd should run outside of execcon
* Thu Mar 24 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-27
- Fix semange node handling of ipv6 addresses
* Wed Mar 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-26
- Fix sepolgen-ifgen call, add -p option
* Wed Mar 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-25
- Fix sepolgen-ifgen call
* Fri Mar 18 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-24
- Fix rsync command to work if the directory is old.
- Fix all tests
* Wed Mar 16 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-23
- Fix sepolgen to generate network polcy using generic_if and genric_node versus all_if and all_node
* Wed Mar 16 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-22
- Return to original seunshare man page
* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-21
- change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
- This will allow default sandboxes to work on NFS homedirs without allowing
access to homedir data
* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-20
- Change sepolgen-ifgen to search all available policy files
- Exit in restorecond if it can not find a UID in the passwd database
* Wed Mar 9 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-19
- Fix portspage in system-config-selinux to not crash
- More fixes for seunshare from Tomas Hoger
* Tue Mar 8 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-18
- put back in old handling of -T in sandbox command
- Put back setsid in seunshare
- Fix rsync to maintain times
* Tue Mar 8 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-17
- Use rewritten seunshare from thoger
* Mon Mar 7 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-16
- Require python-IPy for policycoreutils-python package
- Fixes for sepologen
- Usage statement needs -n name
- Names with _ are being prevented
- dbus apps should get _chat interface
* Thu Mar 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-15
- Fix error message in seunshare, check for tmpdir existance before unlink.
* Fri Feb 25 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-13
- Rewrite seunshare to make sure /tmp is mounted stickybit owned by root - Rewrite seunshare to make sure /tmp is mounted stickybit owned by root
- Only allow names in polgengui that contain letters and numbers
- Fix up node handling in semanage command
- Update translations
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.85-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Thu Feb 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-11 * Thu Feb 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-11
- Fix sandbox policy creation with udp connect ports - Fix sandbox policy creation with udp connect ports
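Review bot: The commit subject covers only the 2.0.85-28 entry, but this hunk adds changelog entries for -13 through -28 (with no -14) and the Release tag jumps from 12 to 28, taking in the seunshare rewrite and the sandbox HOMEDIR move to /tmp/.sandbox_home_*. Say in the commit message that it rolls up these releases, or split them so each security-relevant change can be reviewed and bisected on its own. The new entries also carry typos worth fixing before they ship in the RPM changelog: "semange", "polcy", "genric_node", "sepologen", "existance".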