* Fri Dec 18 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-7

- Fixes to sandbox man page
Daniel J Walsh 2009-12-21 21:56:27 +00:00
parent beaed6f629
commit 29b74ccd7d
2 changed files with 92 additions and 31 deletions


@ -1681,12 +1681,33 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+relabel: +relabel:
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.78/sandbox/sandbox diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.78/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500 --- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/sandbox 2009-12-14 09:35:48.000000000 -0500 +++ policycoreutils-2.0.78/sandbox/sandbox 2009-12-17 13:50:15.000000000 -0500
@@ -0,0 +1,272 @@ @@ -0,0 +1,318 @@
+#!/usr/bin/python -E +#! /usr/bin/python -E
+# Authors: Dan Walsh <dwalsh@redhat.com>
+# Authors: Josh Cogliati
+#
+# Copyright (C) 2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
+# This program is free software; you can redistribute it and/or
+# modify it under the terms of the GNU General Public License as
+# published by the Free Software Foundation; version 2 only
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
+#
+
+import os, sys, getopt, socket, random, fcntl, shutil, re +import os, sys, getopt, socket, random, fcntl, shutil, re
+import selinux +import selinux
+import signal +import signal
+from tempfile import mkdtemp
+ +
+PROGNAME = "policycoreutils" +PROGNAME = "policycoreutils"
+ +
@ -1819,7 +1840,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ +
+ def usage(message = ""): + def usage(message = ""):
+ text = _(""" + text = _("""
+sandbox [-h] [-X] [-M][-I includefile ] [[-i file ] ...] [ -t type ] command +sandbox [-h] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [[-i file ] ...] [ -t type ] command
+""") +""")
+ error_exit("%s\n%s" % (message, text)) + error_exit("%s\n%s" % (message, text))
+ +
@ -1827,13 +1848,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ X_ind = False + X_ind = False
+ home_and_temp = False + home_and_temp = False
+ level=None + level=None
+ newhomedir = None
+ newtmpdir = None
+ existing_home = False
+ existing_temp = False
+ try: + try:
+ gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:M", + gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:MH:T:",
+ ["help", + ["help",
+ "include=", + "include=",
+ "includefile=", + "includefile=",
+ "type=", + "type=",
+ "mount", + "mount",
+ "homedir=",
+ "tmpdir=",
+ "level=" + "level="
+ ]) + ])
+ for o, a in gopts: + for o, a in gopts:
@ -1866,12 +1893,20 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ if o == "-M" or o == "--mount": + if o == "-M" or o == "--mount":
+ home_and_temp = True + home_and_temp = True
+ +
+ if o == "-H" or o == "--homedir":
+ existing_home = True
+ newhomedir = a
+ if o == "-T" or o == "--tmpdir":
+ existing_temp = True
+ newtempdir = a
+ if o == "-h" or o == "--help": + if o == "-h" or o == "--help":
+ usage(_("Usage")); + usage(_("Usage"));
+ +
+ if len(cmds) == 0: + if len(cmds) == 0:
+ usage(_("Command required")) + usage(_("Command required"))
+ +
+ if (existing_home or existing_temp) and not home_and_temp:
+ usage(_("-M required when specifying home directory or temp directory"))
+ execcon, filecon = gen_context(setype, level) + execcon, filecon = gen_context(setype, level)
+ rc = -1 + rc = -1
+ +
@ -1883,20 +1918,34 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ break + break
+ +
+ try: + try:
+ newhomedir = None
+ newtmpdir = None
+ if home_and_temp: + if home_and_temp:
+ if not os.path.exists("/usr/sbin/seunshare"): + if not os.path.exists("/usr/sbin/seunshare"):
+ raise ValueError("""/usr/sbin/seunshare required for sandbox -M, to install you need to execute + raise ValueError("""/usr/sbin/seunshare required for sandbox -M, to install you need to execute
+#yum install /usr/sbin/seunshare""") +#yum install /usr/sbin/seunshare""")
+ import warnings + import warnings
+ warnings.simplefilter("ignore") + warnings.simplefilter("ignore")
+ newhomedir = os.tempnam(".", ".sandbox%s") + if existing_home:
+ os.mkdir(newhomedir) + if not os.path.isdir(newhomedir):
+ newtmpdir = os.tempnam("/tmp", ".sandbox") + raise IOError("Home directory "+newhomedir+" not found")
+ os.mkdir(newtmpdir) + if not level:
+ chcon = ("/usr/bin/chcon %s %s %s" % (filecon, newhomedir, newtmpdir)).split() + chcon = ("/usr/bin/chcon -R %s %s" % (filecon, newhomedir)).split()
+ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon) + rc = os.spawnvp(os.P_WAIT, chcon[0], chcon)
+ else:
+ newhomedir = mkdtemp(dir=".", prefix=".sandbox")
+ chcon = ("/usr/bin/chcon %s %s" % (filecon, newhomedir)).split()
+ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon)
+
+ if existing_temp:
+ if not os.path.isdir(newtempdir):
+ raise IOError("Temp directory "+newtempdir+" not found")
+ if not level:
+ chcon = ("/usr/bin/chcon -R %s %s" % (filecon, newtmpdir)).split()
+ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon)
+ else:
+ newtmpdir = mkdtemp(dir="/tmp", prefix=".sandbox")
+ chcon = ("/usr/bin/chcon %s %s" % (filecon, newtmpdir)).split()
+ rc = os.spawnvp(os.P_WAIT, chcon[0], chcon)
+
+ warnings.resetwarnings() + warnings.resetwarnings()
+ paths = [] + paths = []
+ for i in cmds: + for i in cmds:
@ -1907,22 +1956,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ paths.append(i) + paths.append(i)
+ +
+ copyfiles(newhomedir, newtmpdir, init_files + paths) + copyfiles(newhomedir, newtmpdir, init_files + paths)
+ execfile = newhomedir + "/.sandboxrc" + if X_ind:
+ fd = open(execfile, "w+") + execfile = newhomedir + "/.sandboxrc"
+ fd.write("""#! /bin/sh + fd = open(execfile, "w+")
+ fd.write("""#! /bin/sh
+%s +%s
+""" % " ".join(paths)) +""" % " ".join(paths))
+ fd.close() + fd.close()
+ os.chmod(execfile, 0700) + os.chmod(execfile, 0700)
+ if X_ind:
+ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split() + cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split()
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds) + rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ else: + else:
+ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s " % (newtmpdir, newhomedir, execcon)).split()+cmds + cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s " % (newtmpdir, newhomedir, execcon)).split()+cmds
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds) + rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(execcon)
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(None)
+ for i in paths: + for i in paths:
+ if i not in X_FILES: + if i not in X_FILES:
+ continue + continue
@ -1935,9 +1981,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ selinux.setexeccon(None) + selinux.setexeccon(None)
+ finally: + finally:
+ if home_and_temp: + if home_and_temp:
+ if newhomedir: + if newhomedir and not existing_home:
+ shutil.rmtree(newhomedir) + shutil.rmtree(newhomedir)
+ if newtmpdir: + if newtmpdir and not existing_temp:
+ shutil.rmtree(newtmpdir) + shutil.rmtree(newtmpdir)
+ +
+ except getopt.GetoptError, error: + except getopt.GetoptError, error:
@ -1957,26 +2003,28 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ +
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.78/sandbox/sandbox.8 diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.78/sandbox/sandbox.8
--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500 --- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/sandbox.8 2009-12-14 09:37:40.000000000 -0500 +++ policycoreutils-2.0.78/sandbox/sandbox.8 2009-12-18 07:37:35.000000000 -0500
@@ -0,0 +1,39 @@ @@ -0,0 +1,50 @@
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands" +.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
+.SH NAME +.SH NAME
+sandbox \- Run cmd under an SELinux sandbox +sandbox \- Run cmd under an SELinux sandbox
+.SH SYNOPSIS +.SH SYNOPSIS
+.B sandbox +.B sandbox
+[-M] [-X] [-I includefile ] [[-i file ]...] [ -t type ] cmd +[-l level ] [[-M | -X] -H homedir -T tmpdir ] [-I includefile ] [[-i file ]...] [ -t type ] cmd
+.br +.br
+.SH DESCRIPTION +.SH DESCRIPTION
+.PP +.PP
+Run the +Run the
+.I cmd +.I cmd
+application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. +application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files. The -M option will mount an alternate homedir and tmpdir to be used by the sandbox.
+ +
+If you have the +If you have the
+.I policycoreutils-sandbox +.I policycoreutils-sandbox
+package installed, you can use the -X option. +package installed, you can use the -X option and the -M option.
+.B sandbox -X +.B sandbox -X
+allows you to run sandboxed X applications. These applications will start up their own X Server and create a temporary homedir and /tmp. The default policy does not allow any capabilities or network access. It also prevents all access to the users other processes and files. Any file specified on the command line will be copied into the sandbox. +allows you to run sandboxed X applications. These applications will start up their own X Server and create a temporary homedir and /tmp. The default policy does not allow any capabilities or network access. It also prevents all access to the users other processes and files. Any file specified on the command line will be copied into the sandbox.
+
+If directories are specified with -H or -T the directory will have its context modified with chcon(1) unless a level is specified with -l. If the MLS/MCS security level is specified, the directories need to have a matching label.
+.PP +.PP
+.TP +.TP
+\fB\-t type\fR +\fB\-t type\fR
@ -1988,12 +2036,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+\fB\-I inputfile\fR +\fB\-I inputfile\fR
+Copy all files listed in inputfile into the appropriate temporary sandbox direcories. +Copy all files listed in inputfile into the appropriate temporary sandbox direcories.
+.TP +.TP
+\fB\-l\fR
+Specify the MLS/MCS Security Level to run the sandbox in. Defaults to random.
+.TP
+\fB\-X\fR +\fB\-X\fR
+Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, seconday Xserver, defaults to sandbox_x_t +Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, seconday Xserver, defaults to sandbox_x_t
+.TP +.TP
+\fB\-M\fR +\fB\-M\fR
+Create a Sandbox with temporary files for $HOME and /tmp, defaults to sandbox_t +Create a Sandbox with temporary files for $HOME and /tmp, defaults to sandbox_t
+.TP +.TP
+\fB\-H\ homedir
+Use alternate homedir to mount. Defaults to temporary. Requires -X or -M.
+.TP
+\fB\-T\ tmpdir
+Use alternate tempdir to mount. Defaults to temporary. Requires -X or -M.
+.PP
+.SH "SEE ALSO" +.SH "SEE ALSO"
+.TP +.TP
+runcon(1) +runcon(1)
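Review bot: The `-T` option stores its argument under a name the rest of the code never reads: the option handler assigns `newtempdir = a` while the variable initialised next to `newhomedir` and later formatted into the `chcon -R` command and the `seunshare -t` command line is `newtmpdir`, so with `-M -T dir` the existence check runs against the user's path but the relabel and seunshare get the string `None`. The three lines to change are `newtmpdir = a` in the `-T` handler and `if not os.path.isdir(newtmpdir):` / `raise IOError("Temp directory "+newtmpdir+" not found")` in the existing_temp branch. Separately, the `rc` returned by each `chcon` spawn is assigned but, as far as this hunk shows, never checked before `copyfiles` and `seunshare` run, so a failed relabel of a `-H`/`-T` directory is silent; a guard such as `if rc != 0: raise OSError("chcon failed on " + newhomedir)` after each spawn would make it fail closed. Note also that for an existing `-H`/`-T` directory the recursive relabel is not undone in the `finally` block (only the mkdtemp directories are removed), which the man page text about chcon could state explicitly. The enclosing function starts before and ends after this section.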


@ -6,7 +6,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.0.78 Version: 2.0.78
Release: 6%{?dist} Release: 7%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -108,6 +108,7 @@ Requires: audit-libs-python >= %{libauditver}
Requires: /usr/bin/make Requires: /usr/bin/make
Requires(pre): python >= 2.6 Requires(pre): python >= 2.6
Obsoletes: policycoreutils < 2.0.61-2 Obsoletes: policycoreutils < 2.0.61-2
Requires: setools-libs-python
%description python %description python
The policycoreutils-python package contains the management tools use to manage an SELinux environment. The policycoreutils-python package contains the management tools use to manage an SELinux environment.
@ -189,7 +190,7 @@ Group: System Environment/Base
Requires: policycoreutils-python = %{version}-%{release} Requires: policycoreutils-python = %{version}-%{release}
Requires: gnome-python2-gnome, pygtk2, pygtk2-libglade, gnome-python2-canvas Requires: gnome-python2-gnome, pygtk2, pygtk2-libglade, gnome-python2-canvas
Requires: usermode-gtk Requires: usermode-gtk
Requires: setools-console setools-libs-python Requires: setools-console
Requires: selinux-policy Requires: selinux-policy
Requires: python >= 2.6 Requires: python >= 2.6
BuildRequires: desktop-file-utils BuildRequires: desktop-file-utils
@ -296,6 +297,9 @@ fi
exit 0 exit 0
%changelog %changelog
* Fri Dec 18 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-7
- Fixes to sandbox man page
* Thu Dec 17 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-6 * Thu Dec 17 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-6
- Add setools-libs-python to requires for gui - Add setools-libs-python to requires for gui
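Review bot: The new 2.0.78-7 changelog entry only records "Fixes to sandbox man page", but the spec hunks also add `Requires: setools-libs-python` under the python subpackage and drop it from the gui subpackage's `Requires: setools-console setools-libs-python` line, which (reading the 6 → 7 release bump as old → new) moves the dependency between subpackages. A second bullet such as `- Move setools-libs-python requirement from gui to python subpackage` would keep the changelog accurate for anyone tracing the dependency change later.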