rsynccmd should run outside of execcon

This commit is contained in:
Dan Walsh 2011-03-30 14:42:36 -04:00
parent be38aa471e
commit 1da0399e25
3 changed files with 873 additions and 426 deletions

View File

@ -12745,7 +12745,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.p
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.85/gui/templates/network.py
--- nsapolicycoreutils/gui/templates/network.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.85/gui/templates/network.py 2011-02-23 14:40:42.636005375 -0500
+++ policycoreutils-2.0.85/gui/templates/network.py 2011-03-16 17:00:52.485669534 -0400
@@ -0,0 +1,80 @@
+te_port_types="""
+type TEMPLATETYPE_port_t;
@ -12759,13 +12759,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py
+
+te_tcp="""\
+allow TEMPLATETYPE_t self:tcp_socket create_stream_socket_perms;
+corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_generic_if(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_generic_node(TEMPLATETYPE_t)
+corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
+"""
+
+te_in_tcp="""\
+corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
+corenet_tcp_bind_generic_node(TEMPLATETYPE_t)
+"""
+
+te_in_need_port_tcp="""\
@ -12778,13 +12778,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py
+
+te_udp="""\
+allow TEMPLATETYPE_t self:udp_socket { create_socket_perms listen };
+corenet_udp_sendrecv_all_if(TEMPLATETYPE_t)
+corenet_udp_sendrecv_all_nodes(TEMPLATETYPE_t)
+corenet_udp_sendrecv_generic_if(TEMPLATETYPE_t)
+corenet_udp_sendrecv_generic_node(TEMPLATETYPE_t)
+corenet_udp_sendrecv_all_ports(TEMPLATETYPE_t)
+"""
+
+te_in_udp="""\
+corenet_udp_bind_all_nodes(TEMPLATETYPE_t)
+corenet_udp_bind_generic_node(TEMPLATETYPE_t)
+"""
+
+te_in_need_port_udp="""\

File diff suppressed because it is too large Load Diff

View File

@ -1,5 +1,5 @@
%define libauditver 1.4.2-1
%define libsepolver 2.0.41-3
%define libsepolver 2.0.42-3
%define libsemanagever 2.0.43-4
%define libselinuxver 2.0.90-3
%define sepolgenver 1.0.23
@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.85
Release: 12%{?dist}
Release: 28%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -119,6 +119,7 @@ Requires: /usr/bin/make
Requires(pre): python >= 2.6
Obsoletes: policycoreutils < 2.0.61-2
Requires: setools-libs-python >= 3.3.7-6
Requires: python-IPy
%description python
The policycoreutils-python package contains the management tools use to manage an SELinux environment.
@ -156,7 +157,7 @@ exit 0
Summary: SELinux sandbox utilities
Group: System Environment/Base
Requires: policycoreutils-python = %{version}-%{release}
Requires: xorg-x11-server-Xephyr
Requires: xorg-x11-server-Xephyr /usr/bin/rsync /usr/bin/xmodmap
Requires: matchbox-window-manager
Requires(post): /sbin/chkconfig
BuildRequires: libcap-ng-devel
@ -168,7 +169,7 @@ The policycoreutils-python package contains the scripts to create graphical sand
%defattr(-,root,root,-)
%{_datadir}/sandbox/sandboxX.sh
%{_datadir}/sandbox/start
%attr(0755,root,root) %caps(cap_setpcap,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
%attr(0755,root,root) %caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
%{_mandir}/man8/seunshare.8*
%{_mandir}/man5/sandbox.conf.5*
@ -180,6 +181,7 @@ exit 0
if [ $1 -eq 1 ]; then
/sbin/chkconfig sandbox --add
fi
%preun sandbox
if [ $1 -eq 0 ]; then
/sbin/chkconfig sandbox --del
@ -329,8 +331,67 @@ fi
exit 0
%changelog
* Wed Feb 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-12
* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-28
- rsynccmd should run outside of execcon
* Thu Mar 24 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-27
- Fix semange node handling of ipv6 addresses
* Wed Mar 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-26
- Fix sepolgen-ifgen call, add -p option
* Wed Mar 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-25
- Fix sepolgen-ifgen call
* Fri Mar 18 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-24
- Fix rsync command to work if the directory is old.
- Fix all tests
* Wed Mar 16 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-23
- Fix sepolgen to generate network polcy using generic_if and genric_node versus all_if and all_node
* Wed Mar 16 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-22
- Return to original seunshare man page
* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-21
- change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
- This will allow default sandboxes to work on NFS homedirs without allowing
access to homedir data
* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-20
- Change sepolgen-ifgen to search all available policy files
- Exit in restorecond if it can not find a UID in the passwd database
* Wed Mar 9 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-19
- Fix portspage in system-config-selinux to not crash
- More fixes for seunshare from Tomas Hoger
* Tue Mar 8 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-18
- put back in old handling of -T in sandbox command
- Put back setsid in seunshare
- Fix rsync to maintain times
* Tue Mar 8 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-17
- Use rewritten seunshare from thoger
* Mon Mar 7 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-16
- Require python-IPy for policycoreutils-python package
- Fixes for sepologen
- Usage statement needs -n name
- Names with _ are being prevented
- dbus apps should get _chat interface
* Thu Mar 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-15
- Fix error message in seunshare, check for tmpdir existance before unlink.
* Fri Feb 25 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-13
- Rewrite seunshare to make sure /tmp is mounted stickybit owned by root
- Only allow names in polgengui that contain letters and numbers
- Fix up node handling in semanage command
- Update translations
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.85-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Thu Feb 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-11
- Fix sandbox policy creation with udp connect ports