From 349a457593d5fe768f928844cba0ad23bfde5148 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Wed, 26 Aug 2009 18:05:32 +0000 Subject: [PATCH] * Wed Aug 26 2009 Dan Walsh 2.0.71-11 - Add sandboxX --- policycoreutils-gui.patch | 162 ++++++------ policycoreutils-rhat.patch | 524 ++++++++++++++++++++++++++----------- policycoreutils.spec | 34 ++- 3 files changed, 491 insertions(+), 229 deletions(-) diff --git a/policycoreutils-gui.patch b/policycoreutils-gui.patch index de99cf9..5b15c9e 100644 --- a/policycoreutils-gui.patch +++ b/policycoreutils-gui.patch @@ -1,6 +1,6 @@ -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py policycoreutils-2.0.64/gui/booleansPage.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py policycoreutils-2.0.71/gui/booleansPage.py --- nsapolicycoreutils/gui/booleansPage.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/booleansPage.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/booleansPage.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,247 @@ +# +# booleansPage.py - GUI for Booleans page in system-config-securitylevel @@ -249,9 +249,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py poli + self.load(self.filter) + return True + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/domainsPage.py policycoreutils-2.0.64/gui/domainsPage.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/domainsPage.py policycoreutils-2.0.71/gui/domainsPage.py --- nsapolicycoreutils/gui/domainsPage.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/domainsPage.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/domainsPage.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,154 @@ +## domainsPage.py - show selinux domains +## Copyright (C) 2009 Red Hat, Inc. @@ -407,9 +407,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/domainsPage.py polic + + except ValueError, e: + self.error(e.args[0]) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py policycoreutils-2.0.64/gui/fcontextPage.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py policycoreutils-2.0.71/gui/fcontextPage.py --- nsapolicycoreutils/gui/fcontextPage.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/fcontextPage.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/fcontextPage.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,223 @@ +## fcontextPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. @@ -634,9 +634,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py poli + self.store.set_value(iter, SPEC_COL, fspec) + self.store.set_value(iter, FTYPE_COL, ftype) + self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls)) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/html_util.py policycoreutils-2.0.64/gui/html_util.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/html_util.py policycoreutils-2.0.71/gui/html_util.py --- nsapolicycoreutils/gui/html_util.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/html_util.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/html_util.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,164 @@ +# Authors: John Dennis +# @@ -802,9 +802,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/html_util.py policyc + doc += tail + return doc + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.glade policycoreutils-2.0.64/gui/lockdown.glade +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.glade policycoreutils-2.0.71/gui/lockdown.glade --- nsapolicycoreutils/gui/lockdown.glade 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/lockdown.glade 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/lockdown.glade 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,771 @@ + + @@ -1577,9 +1577,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.glade polic + + + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.gladep policycoreutils-2.0.64/gui/lockdown.gladep +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.gladep policycoreutils-2.0.71/gui/lockdown.gladep --- nsapolicycoreutils/gui/lockdown.gladep 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/lockdown.gladep 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/lockdown.gladep 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,7 @@ + + @@ -1588,9 +1588,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.gladep poli + + + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.py policycoreutils-2.0.64/gui/lockdown.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.py policycoreutils-2.0.71/gui/lockdown.py --- nsapolicycoreutils/gui/lockdown.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/lockdown.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/lockdown.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,382 @@ +#!/usr/bin/python +# @@ -1974,9 +1974,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.py policyco + + app = booleanWindow() + app.stand_alone() -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policycoreutils-2.0.64/gui/loginsPage.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policycoreutils-2.0.71/gui/loginsPage.py --- nsapolicycoreutils/gui/loginsPage.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/loginsPage.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/loginsPage.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,185 @@ +## loginsPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. @@ -2163,9 +2163,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policy + self.store.set_value(iter, 1, seuser) + self.store.set_value(iter, 2, seobject.translate(serange)) + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreutils-2.0.64/gui/Makefile +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreutils-2.0.71/gui/Makefile --- nsapolicycoreutils/gui/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/Makefile 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/Makefile 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,41 @@ +# Installation directories. +PREFIX ?= ${DESTDIR}/usr @@ -2208,9 +2208,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreu +indent: + +relabel: -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py policycoreutils-2.0.64/gui/mappingsPage.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py policycoreutils-2.0.71/gui/mappingsPage.py --- nsapolicycoreutils/gui/mappingsPage.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/mappingsPage.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/mappingsPage.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,56 @@ +## mappingsPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. @@ -2268,9 +2268,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py poli + for k in keys: + print "%-25s %-25s %-25s" % (k, dict[k][0], translate(dict[k][1])) + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py policycoreutils-2.0.64/gui/modulesPage.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py policycoreutils-2.0.71/gui/modulesPage.py --- nsapolicycoreutils/gui/modulesPage.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/modulesPage.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/modulesPage.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,190 @@ +## modulesPage.py - show selinux mappings +## Copyright (C) 2006-2009 Red Hat, Inc. @@ -2462,9 +2462,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py polic + + except ValueError, e: + self.error(e.args[0]) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.64/gui/polgen.glade +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.71/gui/polgen.glade --- nsapolicycoreutils/gui/polgen.glade 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/polgen.glade 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/polgen.glade 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,3305 @@ + + @@ -5771,9 +5771,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc + + + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policycoreutils-2.0.64/gui/polgen.gladep +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policycoreutils-2.0.71/gui/polgen.gladep --- nsapolicycoreutils/gui/polgen.gladep 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/polgen.gladep 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/polgen.gladep 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,7 @@ + + @@ -5782,9 +5782,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policy + + + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.64/gui/polgengui.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.71/gui/polgengui.py --- nsapolicycoreutils/gui/polgengui.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/polgengui.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/polgengui.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,627 @@ +#!/usr/bin/python -E +# @@ -6413,10 +6413,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + + app = childWindow() + app.stand_alone() -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.64/gui/polgen.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.71/gui/polgen.py --- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/polgen.py 2009-06-25 16:01:33.000000000 -0400 -@@ -0,0 +1,1179 @@ ++++ policycoreutils-2.0.71/gui/polgen.py 2009-08-26 10:47:54.000000000 -0400 +@@ -0,0 +1,1183 @@ +#!/usr/bin/python +# +# Copyright (C) 2007, 2008, 2009 Red Hat @@ -6747,6 +6747,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + self.need_udp_type=False + self.admin_domains = [] + self.transition_domains = [] ++ self.transition_users = [] + self.roles = [] + self.all_roles = get_all_roles() + @@ -7548,9 +7549,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + +if __name__ == '__main__': + setype = DAEMON -+ gopts, cmds = getopt.getopt(sys.argv[1:], "t:m", ++ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m", + ["type=", -+ "mount"]) ++ "mount", ++ "help"]) + for o, a in gopts: + if o == "-t" or o == "--type": + try: @@ -7564,6 +7566,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + if o == "-m" or o == "--mount": + mount_ind = True + ++ if o == "-h" or o == "--help": ++ usage(""); + + if len(cmds) == 0: + usage(_("Executable required")) @@ -7596,9 +7600,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + + print mypolicy.generate() + sys.exit(0) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policycoreutils-2.0.64/gui/portsPage.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policycoreutils-2.0.71/gui/portsPage.py --- nsapolicycoreutils/gui/portsPage.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/portsPage.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/portsPage.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,259 @@ +## portsPage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. @@ -7859,9 +7863,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policyc + + return True + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policycoreutils-2.0.64/gui/selinux.tbl +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policycoreutils-2.0.71/gui/selinux.tbl --- nsapolicycoreutils/gui/selinux.tbl 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/selinux.tbl 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/selinux.tbl 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,234 @@ +acct_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for acct daemon") +allow_daemons_dump_core _("Admin") _("Allow all daemons to write corefiles to /") @@ -8097,9 +8101,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco +webadm_manage_user_files _("HTTPD Service") _("Allow SELinux webadm user to manage unprivileged users home directories") +webadm_read_user_files _("HTTPD Service") _("Allow SELinux webadm user to read unprivileged users home directories") + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py policycoreutils-2.0.64/gui/semanagePage.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py policycoreutils-2.0.71/gui/semanagePage.py --- nsapolicycoreutils/gui/semanagePage.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/semanagePage.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/semanagePage.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,168 @@ +## semanagePage.py - show selinux mappings +## Copyright (C) 2006 Red Hat, Inc. @@ -8269,9 +8273,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py poli + self.load(self.filter) + return True + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policycoreutils-2.0.64/gui/statusPage.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policycoreutils-2.0.71/gui/statusPage.py --- nsapolicycoreutils/gui/statusPage.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/statusPage.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/statusPage.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,190 @@ +# statusPage.py - show selinux status +## Copyright (C) 2006-2009 Red Hat, Inc. @@ -8463,9 +8467,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policy + return self.types[self.selinuxTypeOptionMenu.get_active()] + + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.glade policycoreutils-2.0.64/gui/system-config-selinux.glade +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.glade policycoreutils-2.0.71/gui/system-config-selinux.glade --- nsapolicycoreutils/gui/system-config-selinux.glade 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/system-config-selinux.glade 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/system-config-selinux.glade 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,3403 @@ + + @@ -11870,9 +11874,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu + + + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.py policycoreutils-2.0.64/gui/system-config-selinux.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.py policycoreutils-2.0.71/gui/system-config-selinux.py --- nsapolicycoreutils/gui/system-config-selinux.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/system-config-selinux.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/system-config-selinux.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,189 @@ +#!/usr/bin/python +# @@ -12063,9 +12067,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu + + app = childWindow() + app.stand_alone() -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py policycoreutils-2.0.64/gui/templates/boolean.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py policycoreutils-2.0.71/gui/templates/boolean.py --- nsapolicycoreutils/gui/templates/boolean.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/boolean.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/templates/boolean.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,40 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -12107,9 +12111,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py +') +""" + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py policycoreutils-2.0.64/gui/templates/etc_rw.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py policycoreutils-2.0.71/gui/templates/etc_rw.py --- nsapolicycoreutils/gui/templates/etc_rw.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/etc_rw.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/templates/etc_rw.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,129 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -12240,10 +12244,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py +fc_dir="""\ +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0) +""" -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.64/gui/templates/executable.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.71/gui/templates/executable.py --- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/executable.py 2009-06-23 16:24:31.000000000 -0400 -@@ -0,0 +1,376 @@ ++++ policycoreutils-2.0.71/gui/templates/executable.py 2009-08-26 10:48:18.000000000 -0400 +@@ -0,0 +1,374 @@ +# Copyright (C) 2007-2009 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -12356,7 +12360,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable +files_read_etc_files(TEMPLATETYPE_t) + +miscfiles_read_localization(TEMPLATETYPE_t) -+ +""" + +te_inetd_rules=""" @@ -12381,7 +12384,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable +libs_use_shared_libs(TEMPLATETYPE_t) + +miscfiles_read_localization(TEMPLATETYPE_t) -+ +""" + +te_cgi_rules=""" @@ -12620,9 +12622,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable +EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0) +""" + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.64/gui/templates/__init__.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.71/gui/templates/__init__.py --- nsapolicycoreutils/gui/templates/__init__.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/__init__.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/templates/__init__.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,18 @@ +# +# Copyright (C) 2007 Red Hat, Inc. @@ -12642,9 +12644,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.p +# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +# + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.64/gui/templates/network.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.71/gui/templates/network.py --- nsapolicycoreutils/gui/templates/network.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/network.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/templates/network.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,80 @@ +te_port_types=""" +type TEMPLATETYPE_port_t; @@ -12726,9 +12728,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py +corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t) +""" + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.64/gui/templates/rw.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.71/gui/templates/rw.py --- nsapolicycoreutils/gui/templates/rw.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/rw.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/templates/rw.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,128 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -12858,9 +12860,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli +fc_dir=""" +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0) +""" -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.64/gui/templates/script.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.71/gui/templates/script.py --- nsapolicycoreutils/gui/templates/script.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/script.py 2009-06-25 16:00:57.000000000 -0400 ++++ policycoreutils-2.0.71/gui/templates/script.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,99 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -12961,9 +12963,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py +# Adding roles to SELinux user USER +/usr/sbin/semanage user -m -R +TEMPLATETYPE_r USER +""" -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.64/gui/templates/semodule.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.71/gui/templates/semodule.py --- nsapolicycoreutils/gui/templates/semodule.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/semodule.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/templates/semodule.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,41 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -13006,9 +13008,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.p +semanage ports -a -t TEMPLATETYPE_port_t -p udp PORTNUM +""" + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.64/gui/templates/tmp.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.71/gui/templates/tmp.py --- nsapolicycoreutils/gui/templates/tmp.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/tmp.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/templates/tmp.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,97 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -13107,9 +13109,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol + TEMPLATETYPE_manage_tmp($1) +""" + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.64/gui/templates/user.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.71/gui/templates/user.py --- nsapolicycoreutils/gui/templates/user.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/user.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/templates/user.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,182 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -13293,9 +13295,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po +te_newrole_rules=""" +seutil_run_newrole(TEMPLATETYPE_t,TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t }) +""" -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.64/gui/templates/var_lib.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.71/gui/templates/var_lib.py --- nsapolicycoreutils/gui/templates/var_lib.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/var_lib.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/templates/var_lib.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,158 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -13455,9 +13457,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py +fc_dir="""\ +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0) +""" -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.64/gui/templates/var_log.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.71/gui/templates/var_log.py --- nsapolicycoreutils/gui/templates/var_log.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/var_log.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/templates/var_log.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,110 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -13569,9 +13571,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py +fc_dir="""\ +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_log_t,s0) +""" -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.64/gui/templates/var_run.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.71/gui/templates/var_run.py --- nsapolicycoreutils/gui/templates/var_run.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/var_run.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/templates/var_run.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,118 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -13691,9 +13693,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0) +""" + -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.64/gui/templates/var_spool.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.71/gui/templates/var_spool.py --- nsapolicycoreutils/gui/templates/var_spool.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/templates/var_spool.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/templates/var_spool.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,129 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -13824,9 +13826,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool. +fc_dir="""\ +FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_spool_t,s0) +""" -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/translationsPage.py policycoreutils-2.0.64/gui/translationsPage.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/translationsPage.py policycoreutils-2.0.71/gui/translationsPage.py --- nsapolicycoreutils/gui/translationsPage.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/translationsPage.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/translationsPage.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,118 @@ +## translationsPage.py - show selinux translations +## Copyright (C) 2006 Red Hat, Inc. @@ -13946,9 +13948,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/translationsPage.py + store, iter = self.view.get_selection().get_selected() + self.store.set_value(iter, 0, level) + self.store.set_value(iter, 1, translation) -diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/usersPage.py policycoreutils-2.0.64/gui/usersPage.py +diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/usersPage.py policycoreutils-2.0.71/gui/usersPage.py --- nsapolicycoreutils/gui/usersPage.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.64/gui/usersPage.py 2009-06-23 16:24:31.000000000 -0400 ++++ policycoreutils-2.0.71/gui/usersPage.py 2009-08-20 12:53:16.000000000 -0400 @@ -0,0 +1,150 @@ +## usersPage.py - show selinux mappings +## Copyright (C) 2006,2007,2008 Red Hat, Inc. diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 103e63e..1d559d3 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -40,10 +40,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po f = sys.stdin diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.71/Makefile --- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.71/Makefile 2009-08-20 12:53:16.000000000 -0400 ++++ policycoreutils-2.0.71/Makefile 2009-08-26 10:04:47.000000000 -0400 @@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po -+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui ++SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) @@ -1152,41 +1152,47 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + exitApp("Error watching config file."); +} + -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.71/scripts/chcat ---- nsapolicycoreutils/scripts/chcat 2009-06-23 15:36:07.000000000 -0400 -+++ policycoreutils-2.0.71/scripts/chcat 2009-08-20 12:53:16.000000000 -0400 -@@ -435,6 +435,8 @@ - continue - except ValueError, e: - error(e) -+ except OSError, e: -+ error(e) - - sys.exit(errors) - -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.71/scripts/Makefile ---- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.71/scripts/Makefile 2009-08-20 12:53:16.000000000 -0400 -@@ -5,11 +5,12 @@ - MANDIR ?= $(PREFIX)/share/man - LOCALEDIR ?= /usr/share/locale - --all: fixfiles genhomedircon -+all: fixfiles genhomedircon sandbox chcat - - install: all - -mkdir -p $(BINDIR) - install -m 755 chcat $(BINDIR) +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.71/sandbox/Makefile +--- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.71/sandbox/Makefile 2009-08-26 10:50:50.000000000 -0400 +@@ -0,0 +1,31 @@ ++# Installation directories. ++PREFIX ?= ${DESTDIR}/usr ++BINDIR ?= $(PREFIX)/bin ++SBINDIR ?= $(PREFIX)/sbin ++MANDIR ?= $(PREFIX)/share/man ++LOCALEDIR ?= /usr/share/locale ++SHAREDIR ?= $(PREFIX)/share/sandbox ++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" ++LDLIBS += -lselinux -lcap-ng ++ ++all: sandbox seunshare sandboxX.sh ++ ++seunshare: seunshare.o $(EXTRA_OBJS) ++ $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS) ++ ++install: all ++ -mkdir -p $(BINDIR) + install -m 755 sandbox $(BINDIR) - install -m 755 fixfiles $(DESTDIR)/sbin - install -m 755 genhomedircon $(SBINDIR) - -mkdir -p $(MANDIR)/man8 -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.71/scripts/sandbox ---- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/scripts/sandbox 2009-08-20 12:53:16.000000000 -0400 -@@ -0,0 +1,139 @@ ++ -mkdir -p $(MANDIR)/man8 ++ install -m 644 sandbox.8 $(MANDIR)/man8/ ++ install -m 4755 seunshare $(SBINDIR)/ ++ -mkdir -p $(SHAREDIR) ++ install -m 755 sandboxX.sh $(SHAREDIR) ++ ++clean: ++ -rm -f seunshare *.o *~ ++ ++indent: ++ ../../scripts/Lindent $(wildcard *.[ch]) ++ ++relabel: +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.71/sandbox/sandbox +--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.71/sandbox/sandbox 2009-08-26 10:03:24.000000000 -0400 +@@ -0,0 +1,193 @@ +#!/usr/bin/python -E -+import os, sys, getopt, socket, random, fcntl ++import os, sys, getopt, socket, random, fcntl, shutil +import selinux + +PROGNAME = "policycoreutils" @@ -1205,6 +1211,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + __builtin__.__dict__['_'] = unicode + + ++DEFAULT_TYPE = "sandbox_t" ++DEFAULT_X_TYPE = "sandbox_x_t" ++ +random.seed(None) + +def error_exit(msg): @@ -1213,24 +1222,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + sys.stderr.flush() + sys.exit(1) + -+def mount(context): -+ if os.getuid() != 0: -+ usage(_("Mount options require root privileges")) -+ destdir = "/mnt/%s" % context -+ os.mkdir(destdir) -+ rc = os.system('/bin/mount -t tmpfs tmpfs %s' % (destdir)) -+ selinux.setfilecon(destdir, context) -+ if rc != 0: -+ sys.exit(rc) -+ os.chdir(destdir) -+ -+def umount(dest): -+ os.chdir("/") -+ destdir = "/mnt/%s" % dest -+ os.system('/bin/umount %s' % (destdir)) -+ os.rmdir(destdir) -+ -+ +def reserve(mcs): + sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) + sock.bind("\0%s" % mcs) @@ -1263,30 +1254,75 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + mcs) + return execcon, filecon + ++def copyfile(file, dir, dest): ++ import re ++ if file.startswith(dir): ++ dname = os.path.dirname(file) ++ bname = os.path.basename(file) ++ if dname == dir: ++ dest = dest + "/" + bname ++ else: ++ newdir = re.sub(dir, dest, dname) ++ os.makedirs(newdir) ++ dest = newdir + "/" + bname ++ ++ if os.path.isdir(file): ++ shutil.copytree(file, dest) ++ else: ++ shutil.copy2(file, dest) ++ ++def copyfiles(newhomedir, newtmpdir, files): ++ import pwd ++ homedir=pwd.getpwuid(os.getuid()).pw_dir ++ ++ for f in files: ++ copyfile(f,homedir, newhomedir) ++ copyfile(f,"/tmp", newtmpdir) + +if __name__ == '__main__': + if selinux.is_selinux_enabled() != 1: + error_exit("Requires an SELinux enabled system") + ++ init_files = [] ++ + def usage(message = ""): + text = _(""" -+sandbox [ -m ] [ -t type ] command ++sandbox [-h] [-I includefile ] [[-i file ] ...] [ -t type ] command +""") + error_exit("%s\n%s" % (message, text)) + -+ setype = "sandbox_t" -+ mount_ind = False ++ setype = DEFAULT_TYPE ++ X_ind = False + try: -+ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m", ++ gopts, cmds = getopt.getopt(sys.argv[1:], "i:ht:XI:", + ["help", -+ "type=", -+ "mount"]) ++ "include=", ++ "includefile=", ++ "type=" ++ ]) + for o, a in gopts: + if o == "-t" or o == "--type": + setype = a + -+ if o == "-m" or o == "--mount": -+ mount_ind = True ++ if o == "-i" or o == "--include": ++ rp = os.path.realpath(a) ++ if rp not in init_files: ++ init_files.append(rp) ++ ++ if o == "-I" or o == "--includefile": ++ fd = open(a, "r") ++ for i in fd.read().split("\n"): ++ if os.path.exists(i): ++ rp = os.path.realpath(i) ++ if rp not in init_files: ++ init_files.append(rp) ++ ++ fd.close ++ ++ if o == "-X": ++ if DEFAULT_TYPE == setype: ++ setype = DEFAULT_X_TYPE ++ X_ind = True + + if o == "-h" or o == "--help": + usage(_("Usage")); @@ -1296,8 +1332,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + + execcon, filecon = gen_context(setype) + rc = -1 -+ if mount_ind: -+ mount(filecon) + + if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../": + for i in os.environ["PATH"].split(':'): @@ -1306,121 +1340,315 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + cmds[0] = f + break + -+ selinux.setexeccon(execcon) -+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds) -+ selinux.setexeccon(None) -+ -+ if mount_ind: -+ umount(filecon) ++ try: ++ if X_ind: ++ import warnings ++ warnings.simplefilter("ignore") ++ newhomedir = os.tempnam(".", ".sandbox%s") ++ os.mkdir(newhomedir) ++ selinux.setfilecon(newhomedir, filecon) ++ newtmpdir = os.tempnam("/tmp", ".sandbox") ++ os.mkdir(newtmpdir) ++ selinux.setfilecon(newtmpdir, filecon) ++ warnings.resetwarnings() ++ copyfiles(newhomedir, newtmpdir, init_files + cmds) ++ execfile = newhomedir + "/.sandboxrc" ++ fd = open(execfile, "w+") ++ fd.write("""#! /bin/sh ++%s ++""" % " ".join(cmds)) ++ fd.close() ++ os.chmod(execfile, 0700) ++ ++ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split() ++ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds) ++ else: ++ selinux.setexeccon(execcon) ++ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds) ++ selinux.setexeccon(None) ++ finally: ++ if X_ind: ++ shutil.rmtree(newhomedir) ++ shutil.rmtree(newtmpdir) ++ + except getopt.GetoptError, error: -+ usage(_("Options Error %s ") % error.msg) -+ except ValueError, error: -+ error_exit(error.args[0]) -+ except KeyError, error: -+ error_exit(_("Invalid value %s") % error.args[0]) -+ except IOError, error: -+ error_exit(error.args[1]) ++ usage(_("Options Error %s ") % error.msg) + except OSError, error: -+ error_exit(error.args[1]) ++ error_exit(error.args[1]) ++ except ValueError, error: ++ error_exit(error.args[0]) ++ except KeyError, error: ++ error_exit(_("Invalid value %s") % error.args[0]) ++ except IOError, error: ++ error_exit(error.args[1]) + + sys.exit(rc) -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.71/scripts/sandbox.8 ---- nsapolicycoreutils/scripts/sandbox.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/scripts/sandbox.8 2009-08-20 12:53:16.000000000 -0400 -@@ -0,0 +1,22 @@ ++ +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.71/sandbox/sandbox.8 +--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.71/sandbox/sandbox.8 2009-08-26 10:03:24.000000000 -0400 +@@ -0,0 +1,26 @@ +.TH SANDBOX "8" "May 2009" "chcat" "User Commands" +.SH NAME +sandbox \- Run cmd under an SELinux sandbox +.SH SYNOPSIS +.B sandbox -+[ -M ] [ -t type ] cmd ++[-X] [[-i file ]...] [ -t type ] cmd +.br +.SH DESCRIPTION +.PP -+Run application within a tightly confined SELinux domain, This application can only read and write stdin and stdout along with files handled to it by the shell. ++Run application within a tightly confined SELinux domain, The default sandbox allows the application to only read and write stdin and stdout along with files handled to it by the shell. ++Additionaly a -X qualifier allows you to run sandboxed X applications. These apps will start up their own X Server and create a temporary homedir and /tmp. The default policy does not allow any capabilities or network access. Also prevents all access to the users other processes and files. Any file specified on the command line will be copied into the sandbox. +.PP +.TP -+\fB\-m\fR -+Mount a temporary file system and change working directory to it, files will be removed when job completes. -+.TP +\fB\-t type\fR -+Use alternate sandbox type, defaults to sandbox_t ++Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X. ++.TP ++\fB\-i file\fR ++Copy this file into the temporary sandbox homedir. Command can be repeated. ++.TP ++\fB\-X\fR ++Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, seconday Xserver, defaults to sandbox_x_t +.TP +.SH "SEE ALSO" +.TP +runcon(1) +.PP -diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.py policycoreutils-2.0.71/scripts/sandbox.py ---- nsapolicycoreutils/scripts/sandbox.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.71/scripts/sandbox.py 2009-08-20 12:53:16.000000000 -0400 -@@ -0,0 +1,67 @@ -+#!/usr/bin/python -+import os, sys, getopt, socket, random, fcntl -+import selinux +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.71/sandbox/sandboxX.sh +--- nsapolicycoreutils/sandbox/sandboxX.sh 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.71/sandbox/sandboxX.sh 2009-08-26 10:03:24.000000000 -0400 +@@ -0,0 +1,13 @@ ++#!/bin/bash ++(Xephyr -terminate -screen 1000x700 -displayfd 5 5>&1 2>/dev/null) | while read D; do ++export DISPLAY=:$D ++matchbox-window-manager -use_titlebar no & ++WM_PID=$! ++~/.sandboxrc & ++CLIENT_PID=$! ++wait $CLIENT_PID ++export EXITCODE=$? ++kill -TERM $WM_PID ++exit $EXITCODE ++break ++done +Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.71/sandbox/seunshare differ +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.71/sandbox/seunshare.c +--- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.71/sandbox/seunshare.c 2009-08-26 10:06:05.000000000 -0400 +@@ -0,0 +1,188 @@ ++#include ++#include ++#include ++#include ++#include ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include /* for getopt_long() form of getopt() */ + -+random.seed(None) ++#include ++#include /* for context-mangling functions */ + -+def mount(src, context): -+ destdir="/mnt/%s" % context -+ os.mkdir(destdir) -+ print 'mount -n -o "context=%s" %s %s' % (context, src, destdir) -+ os.chdir(destdir) ++/** ++ * This function will drop the capabilities so that we are left ++ * only with access to the audit system and the ability to raise ++ * CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_FOWNER and CAP_CHOWN, ++ * before invoking unshare and mounting a couple of directories. ++ * These capabilities are needed for performing bind mounts/unmounts ++ * and to create potential new instance directories with appropriate ++ * DAC attributes. ++ * ++ * Returns zero on success, non-zero otherwise ++ */ ++static int drop_capabilities(int all) ++{ ++ capng_clear(CAPNG_SELECT_BOTH); + -+def umount(dest): -+ os.chdir("/") -+ destdir="/mnt/%s" % dest -+ print ('umount -n %s' % destdir) -+ os.rmdir(destdir) ++ if (all) { ++ if ((getuid() == 0) && (capng_lock() < 0)) ++ return -1; ++ } else { ++ if (capng_updatev(CAPNG_ADD, CAP_DAC_OVERRIDE|CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_ADMIN, -1) < 0) ++ return -1; ++ ++ } + ++ return capng_apply(CAPNG_SELECT_BOTH); ++} + -+def reserve(mcs): -+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) -+ sock.bind("\0%s" % mcs) -+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC) ++#define DEFAULT_PATH "/usr/bin:/bin" ++#define TRUE 1 ++#define FALSE 0 + -+def gen_context(type): -+ while True: -+ i1 = random.randrange(0,1024) -+ i2 = random.randrange(0,1024) -+ if i1 == i2: -+ continue -+ if i1 > i2: -+ tmp = i1 -+ i1 = i2 -+ i2 = tmp -+ mcs = "s0:c%d,c%d" % (i1, i2) -+ reserve(mcs) -+ try: -+ reserve(mcs) -+ except: -+ continue -+ break -+ con = selinux.getcon()[1].split(":") ++/** ++ * Take care of any signal setup ++ */ ++static int set_signal_handles() ++{ ++ sigset_t empty; + -+ execcon="%s:%s:%s:%s" % (con[0], con[1], type, mcs) -+ -+ filecon="%s:%s:%s:%s" % (con[0], "object_r", "%s_file_t" % type[:-2], mcs) -+ return execcon, filecon ++ /* Empty the signal mask in case someone is blocking a signal */ ++ if (sigemptyset(&empty)) { ++ fprintf(stderr, "Unable to obtain empty signal set\n"); ++ return -1; ++ } + ++ (void)sigprocmask(SIG_SETMASK, &empty, NULL); + -+type = "sandbox_t" -+mount_src = None -+gopts, cmds = getopt.getopt(sys.argv[1:],"t:m:", -+ ["type", -+ "mount"]) -+for o, a in gopts: -+ if o == "-t" or o == "--type": -+ type = a -+ if o == "-m" or o == "--mount": -+ mount_src = a ++ /* Terminate on SIGHUP. */ ++ if (signal(SIGHUP, SIG_DFL) == SIG_ERR) { ++ perror("Unable to set SIGHUP handler"); ++ return -1; ++ } + -+execcon, filecon = gen_context(type) -+selinux.setexeccon(execcon) -+ -+if mount_src != None: -+ mount(mount_src, filecon) -+ umount(filecon) -+os.execvp(cmds[0], cmds) ++ return 0; ++} ++#define USAGE_STRING "USAGE: seunshare [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] " ++ ++int main(int argc, char **argv) { ++ int rc; ++ int status = -1; ++ ++ struct passwd *pwd=getpwuid(getuid()); ++ security_context_t scontext; ++ ++ int flag_index; /* flag index in argv[] */ ++ int clflag; /* holds codes for command line flags */ ++ char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */ ++ char *homedir_s = NULL; /* homedir spec'd by user in argv[] */ ++ ++ const struct option long_options[] = { ++ {"homedir", 1, 0, 'h'}, ++ {"tmpdir", 1, 0, 't'}, ++ {NULL, 0, 0, 0} ++ }; ++ ++ if (drop_capabilities(FALSE)) { ++ perror("Failed to drop capabilities"); ++ return -1; ++ } ++ ++ while (1) { ++ clflag = getopt_long(argc, argv, "h:t:", long_options, ++ &flag_index); ++ if (clflag == -1) ++ break; ++ ++ switch (clflag) { ++ case 't': ++ tmpdir_s = optarg; ++ break; ++ case 'h': ++ homedir_s = optarg; ++ break; ++ default: ++ fprintf(stderr, "%s\n", USAGE_STRING); ++ return -1; ++ } ++ } ++ ++ if (! homedir_s && ! tmpdir_s) { ++ fprintf(stderr, "Error: tmpdir and/or homedir required \n" ++ "%s\n", USAGE_STRING); ++ return -1; ++ } ++ ++ if (argc - optind < 2) { ++ fprintf(stderr, "Error: executable required \n" ++ "%s\n", USAGE_STRING); ++ return -1; ++ } ++ ++ scontext = argv[optind++]; ++ ++ if (set_signal_handles()) ++ return -1; ++ ++ if (unshare(CLONE_NEWNS) < 0) { ++ perror("Failed to unshare"); ++ return -1; ++ } ++ ++ if (homedir_s && mount(homedir_s, pwd->pw_dir, NULL, MS_BIND, NULL) < 0) { ++ perror("Failed to mount HOMEDIR"); ++ return -1; ++ } ++ ++ if (tmpdir_s && mount(tmpdir_s, "/tmp", NULL, MS_BIND, NULL) < 0) { ++ perror("Failed to mount /tmp"); ++ return -1; ++ } ++ ++ if (drop_capabilities(TRUE)) { ++ perror("Failed to drop all capabilities"); ++ return -1; ++ } ++ ++ int child = fork(); ++ if (!child) { ++ /* Construct a new environment */ ++ char *display = strdup(getenv("DISPLAY")); ++ if (!display) { ++ perror("Out of memory"); ++ exit(-1); ++ } ++ if ((rc = clearenv())) { ++ perror("Unable to clear environment"); ++ exit(-1); ++ } ++ ++ if (setexeccon(scontext)) { ++ fprintf(stderr, "Could not set exec context to %s.\n", ++ scontext); ++ exit(-1); ++ } ++ ++ rc |= setenv("DISPLAY", display, 1); ++ rc |= setenv("HOME", pwd->pw_dir, 1); ++ rc |= setenv("SHELL", pwd->pw_shell, 1); ++ rc |= setenv("USER", pwd->pw_name, 1); ++ rc |= setenv("LOGNAME", pwd->pw_name, 1); ++ rc |= setenv("PATH", DEFAULT_PATH, 1); ++ ++ chdir(pwd->pw_dir); ++ execv(argv[optind], argv + optind); ++ perror("execv"); ++ exit(-1); ++ } else { ++ waitpid(child, &status, 0); ++ } ++ ++ return status; ++} +Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.71/sandbox/seunshare.o differ +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.71/scripts/chcat +--- nsapolicycoreutils/scripts/chcat 2009-06-23 15:36:07.000000000 -0400 ++++ policycoreutils-2.0.71/scripts/chcat 2009-08-20 12:53:16.000000000 -0400 +@@ -435,6 +435,8 @@ + continue + except ValueError, e: + error(e) ++ except OSError, e: ++ error(e) + + sys.exit(errors) + +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.71/scripts/Makefile +--- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400 ++++ policycoreutils-2.0.71/scripts/Makefile 2009-08-26 10:04:11.000000000 -0400 +@@ -5,7 +5,7 @@ + MANDIR ?= $(PREFIX)/share/man + LOCALEDIR ?= /usr/share/locale + +-all: fixfiles genhomedircon ++all: fixfiles genhomedircon chcat + + install: all + -mkdir -p $(BINDIR) diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.71/semanage/semanage --- nsapolicycoreutils/semanage/semanage 2009-08-19 16:35:03.000000000 -0400 +++ policycoreutils-2.0.71/semanage/semanage 2009-08-20 12:53:16.000000000 -0400 diff --git a/policycoreutils.spec b/policycoreutils.spec index 438aec2..e5f362b 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -6,7 +6,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.71 -Release: 10%{?dist} +Release: 11%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -19,6 +19,7 @@ Source5: system-config-selinux.console Source6: selinux-polgengui.desktop Source7: selinux-polgengui.console Source8: policycoreutils_man_ru2.tar.bz2 +Source9: sandbox.init Patch: policycoreutils-rhat.patch Patch1: policycoreutils-po.patch Patch3: policycoreutils-gui.patch @@ -72,6 +73,8 @@ mkdir -p %{buildroot}%{_mandir}/man1 mkdir -p %{buildroot}%{_mandir}/man8 mkdir -p %{buildroot}%{_sysconfdir}/pam.d mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps +%{__mkdir} -p %{buildroot}/%{_sysconfdir}/rc.d/init.d +install -m0755 %{SOURCE9} %{buildroot}/%{_sysconfdir}/rc.d/init.d/sandbox make LSPP_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install make -C sepolgen-%{sepolgenver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install @@ -137,10 +140,36 @@ The policycoreutils-python package contains the management tools use to manage a [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen exit 0 +%package sandbox +Summary: SELinux sandbox utilities +Group: System Environment/Base +Requires: policycoreutils-python = %{version}-%{release} +Requires: xorg-x11-server-Xephyr +Requires: matchbox-window-manager +Requiers(post): /sbin/chkconfig + +%description sandbox +The policycoreutils-python package contains the scripts to create graphical sandboxes + +%files sandbox +%{_sysconfdir}/rc.d/init.d/sandbox +%{_mandir}/man8/sandbox.8* +%{_sbindir}/seunshare +%{_datadir}/sandbox/sandboxX.sh + %triggerin python -- selinux-policy [ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen exit 0 +%post sandbox +if [ $1 -eq 1 ]; then + /sbin/chkconfig sanbox --add +fi +%preun sandbox +if [ $1 -eq 0 ]; then + /sbin/chkconfig sanbox --del +fi + %package newrole Summary: The newrole application for RBAC/MLS Group: System Environment/Base @@ -265,6 +294,9 @@ fi exit 0 %changelog +* Wed Aug 26 2009 Dan Walsh 2.0.71-11 +- Add sandboxX + * Sat Aug 22 2009 Dan Walsh 2.0.71-10 - Fix realpath usage to only happen on argv input from user