* Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-11

- Add sandboxX
This commit is contained in:
Daniel J Walsh 2009-08-26 18:05:32 +00:00
parent 4b8a9749e9
commit 349a457593
3 changed files with 491 additions and 229 deletions

View File

@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py policycoreutils-2.0.64/gui/booleansPage.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py policycoreutils-2.0.71/gui/booleansPage.py
--- nsapolicycoreutils/gui/booleansPage.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/booleansPage.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/booleansPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,247 @@
+#
+# booleansPage.py - GUI for Booleans page in system-config-securitylevel
@ -249,9 +249,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py poli
+ self.load(self.filter)
+ return True
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/domainsPage.py policycoreutils-2.0.64/gui/domainsPage.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/domainsPage.py policycoreutils-2.0.71/gui/domainsPage.py
--- nsapolicycoreutils/gui/domainsPage.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/domainsPage.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/domainsPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,154 @@
+## domainsPage.py - show selinux domains
+## Copyright (C) 2009 Red Hat, Inc.
@ -407,9 +407,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/domainsPage.py polic
+
+ except ValueError, e:
+ self.error(e.args[0])
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py policycoreutils-2.0.64/gui/fcontextPage.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py policycoreutils-2.0.71/gui/fcontextPage.py
--- nsapolicycoreutils/gui/fcontextPage.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/fcontextPage.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/fcontextPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,223 @@
+## fcontextPage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@ -634,9 +634,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py poli
+ self.store.set_value(iter, SPEC_COL, fspec)
+ self.store.set_value(iter, FTYPE_COL, ftype)
+ self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls))
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/html_util.py policycoreutils-2.0.64/gui/html_util.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/html_util.py policycoreutils-2.0.71/gui/html_util.py
--- nsapolicycoreutils/gui/html_util.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/html_util.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/html_util.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,164 @@
+# Authors: John Dennis <jdennis@redhat.com>
+#
@ -802,9 +802,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/html_util.py policyc
+ doc += tail
+ return doc
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.glade policycoreutils-2.0.64/gui/lockdown.glade
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.glade policycoreutils-2.0.71/gui/lockdown.glade
--- nsapolicycoreutils/gui/lockdown.glade 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/lockdown.glade 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/lockdown.glade 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,771 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
@ -1577,9 +1577,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.glade polic
+</widget>
+
+</glade-interface>
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.gladep policycoreutils-2.0.64/gui/lockdown.gladep
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.gladep policycoreutils-2.0.71/gui/lockdown.gladep
--- nsapolicycoreutils/gui/lockdown.gladep 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/lockdown.gladep 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/lockdown.gladep 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,7 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
@ -1588,9 +1588,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.gladep poli
+ <name></name>
+ <program_name></program_name>
+</glade-project>
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.py policycoreutils-2.0.64/gui/lockdown.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.py policycoreutils-2.0.71/gui/lockdown.py
--- nsapolicycoreutils/gui/lockdown.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/lockdown.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/lockdown.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,382 @@
+#!/usr/bin/python
+#
@ -1974,9 +1974,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.py policyco
+
+ app = booleanWindow()
+ app.stand_alone()
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policycoreutils-2.0.64/gui/loginsPage.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policycoreutils-2.0.71/gui/loginsPage.py
--- nsapolicycoreutils/gui/loginsPage.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/loginsPage.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/loginsPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,185 @@
+## loginsPage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@ -2163,9 +2163,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policy
+ self.store.set_value(iter, 1, seuser)
+ self.store.set_value(iter, 2, seobject.translate(serange))
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreutils-2.0.64/gui/Makefile
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreutils-2.0.71/gui/Makefile
--- nsapolicycoreutils/gui/Makefile 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/Makefile 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/Makefile 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,41 @@
+# Installation directories.
+PREFIX ?= ${DESTDIR}/usr
@ -2208,9 +2208,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreu
+indent:
+
+relabel:
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py policycoreutils-2.0.64/gui/mappingsPage.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py policycoreutils-2.0.71/gui/mappingsPage.py
--- nsapolicycoreutils/gui/mappingsPage.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/mappingsPage.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/mappingsPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,56 @@
+## mappingsPage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@ -2268,9 +2268,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py poli
+ for k in keys:
+ print "%-25s %-25s %-25s" % (k, dict[k][0], translate(dict[k][1]))
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py policycoreutils-2.0.64/gui/modulesPage.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py policycoreutils-2.0.71/gui/modulesPage.py
--- nsapolicycoreutils/gui/modulesPage.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/modulesPage.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/modulesPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,190 @@
+## modulesPage.py - show selinux mappings
+## Copyright (C) 2006-2009 Red Hat, Inc.
@ -2462,9 +2462,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py polic
+
+ except ValueError, e:
+ self.error(e.args[0])
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.64/gui/polgen.glade
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.71/gui/polgen.glade
--- nsapolicycoreutils/gui/polgen.glade 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/polgen.glade 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/polgen.glade 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,3305 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
@ -5771,9 +5771,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
+</widget>
+
+</glade-interface>
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policycoreutils-2.0.64/gui/polgen.gladep
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policycoreutils-2.0.71/gui/polgen.gladep
--- nsapolicycoreutils/gui/polgen.gladep 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/polgen.gladep 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/polgen.gladep 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,7 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
@ -5782,9 +5782,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policy
+ <name></name>
+ <program_name></program_name>
+</glade-project>
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.64/gui/polgengui.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.71/gui/polgengui.py
--- nsapolicycoreutils/gui/polgengui.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/polgengui.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/polgengui.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,627 @@
+#!/usr/bin/python -E
+#
@ -6413,10 +6413,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
+
+ app = childWindow()
+ app.stand_alone()
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.64/gui/polgen.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.71/gui/polgen.py
--- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/polgen.py 2009-06-25 16:01:33.000000000 -0400
@@ -0,0 +1,1179 @@
+++ policycoreutils-2.0.71/gui/polgen.py 2009-08-26 10:47:54.000000000 -0400
@@ -0,0 +1,1183 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2007, 2008, 2009 Red Hat
@ -6747,6 +6747,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ self.need_udp_type=False
+ self.admin_domains = []
+ self.transition_domains = []
+ self.transition_users = []
+ self.roles = []
+ self.all_roles = get_all_roles()
+
@ -7548,9 +7549,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+
+if __name__ == '__main__':
+ setype = DAEMON
+ gopts, cmds = getopt.getopt(sys.argv[1:], "t:m",
+ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m",
+ ["type=",
+ "mount"])
+ "mount",
+ "help"])
+ for o, a in gopts:
+ if o == "-t" or o == "--type":
+ try:
@ -7564,6 +7566,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+ if o == "-m" or o == "--mount":
+ mount_ind = True
+
+ if o == "-h" or o == "--help":
+ usage("");
+
+ if len(cmds) == 0:
+ usage(_("Executable required"))
@ -7596,9 +7600,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
+
+ print mypolicy.generate()
+ sys.exit(0)
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policycoreutils-2.0.64/gui/portsPage.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policycoreutils-2.0.71/gui/portsPage.py
--- nsapolicycoreutils/gui/portsPage.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/portsPage.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/portsPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,259 @@
+## portsPage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@ -7859,9 +7863,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policyc
+
+ return True
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policycoreutils-2.0.64/gui/selinux.tbl
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policycoreutils-2.0.71/gui/selinux.tbl
--- nsapolicycoreutils/gui/selinux.tbl 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/selinux.tbl 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/selinux.tbl 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,234 @@
+acct_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for acct daemon")
+allow_daemons_dump_core _("Admin") _("Allow all daemons to write corefiles to /")
@ -8097,9 +8101,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
+webadm_manage_user_files _("HTTPD Service") _("Allow SELinux webadm user to manage unprivileged users home directories")
+webadm_read_user_files _("HTTPD Service") _("Allow SELinux webadm user to read unprivileged users home directories")
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py policycoreutils-2.0.64/gui/semanagePage.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py policycoreutils-2.0.71/gui/semanagePage.py
--- nsapolicycoreutils/gui/semanagePage.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/semanagePage.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/semanagePage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,168 @@
+## semanagePage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@ -8269,9 +8273,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py poli
+ self.load(self.filter)
+ return True
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policycoreutils-2.0.64/gui/statusPage.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policycoreutils-2.0.71/gui/statusPage.py
--- nsapolicycoreutils/gui/statusPage.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/statusPage.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/statusPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,190 @@
+# statusPage.py - show selinux status
+## Copyright (C) 2006-2009 Red Hat, Inc.
@ -8463,9 +8467,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policy
+ return self.types[self.selinuxTypeOptionMenu.get_active()]
+
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.glade policycoreutils-2.0.64/gui/system-config-selinux.glade
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.glade policycoreutils-2.0.71/gui/system-config-selinux.glade
--- nsapolicycoreutils/gui/system-config-selinux.glade 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/system-config-selinux.glade 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/system-config-selinux.glade 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,3403 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
@ -11870,9 +11874,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu
+</widget>
+
+</glade-interface>
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.py policycoreutils-2.0.64/gui/system-config-selinux.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.py policycoreutils-2.0.71/gui/system-config-selinux.py
--- nsapolicycoreutils/gui/system-config-selinux.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/system-config-selinux.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/system-config-selinux.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,189 @@
+#!/usr/bin/python
+#
@ -12063,9 +12067,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu
+
+ app = childWindow()
+ app.stand_alone()
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py policycoreutils-2.0.64/gui/templates/boolean.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py policycoreutils-2.0.71/gui/templates/boolean.py
--- nsapolicycoreutils/gui/templates/boolean.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/boolean.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/templates/boolean.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,40 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@ -12107,9 +12111,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py
+')
+"""
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py policycoreutils-2.0.64/gui/templates/etc_rw.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py policycoreutils-2.0.71/gui/templates/etc_rw.py
--- nsapolicycoreutils/gui/templates/etc_rw.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/etc_rw.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/templates/etc_rw.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,129 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@ -12240,10 +12244,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py
+fc_dir="""\
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0)
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.64/gui/templates/executable.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.71/gui/templates/executable.py
--- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/executable.py 2009-06-23 16:24:31.000000000 -0400
@@ -0,0 +1,376 @@
+++ policycoreutils-2.0.71/gui/templates/executable.py 2009-08-26 10:48:18.000000000 -0400
@@ -0,0 +1,374 @@
+# Copyright (C) 2007-2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
@ -12356,7 +12360,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
+files_read_etc_files(TEMPLATETYPE_t)
+
+miscfiles_read_localization(TEMPLATETYPE_t)
+
+"""
+
+te_inetd_rules="""
@ -12381,7 +12384,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
+libs_use_shared_libs(TEMPLATETYPE_t)
+
+miscfiles_read_localization(TEMPLATETYPE_t)
+
+"""
+
+te_cgi_rules="""
@ -12620,9 +12622,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0)
+"""
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.64/gui/templates/__init__.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.71/gui/templates/__init__.py
--- nsapolicycoreutils/gui/templates/__init__.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/__init__.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/templates/__init__.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,18 @@
+#
+# Copyright (C) 2007 Red Hat, Inc.
@ -12642,9 +12644,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.p
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.64/gui/templates/network.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.71/gui/templates/network.py
--- nsapolicycoreutils/gui/templates/network.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/network.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/templates/network.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,80 @@
+te_port_types="""
+type TEMPLATETYPE_port_t;
@ -12726,9 +12728,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py
+corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t)
+"""
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.64/gui/templates/rw.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.71/gui/templates/rw.py
--- nsapolicycoreutils/gui/templates/rw.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/rw.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/templates/rw.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,128 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@ -12858,9 +12860,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli
+fc_dir="""
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0)
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.64/gui/templates/script.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.71/gui/templates/script.py
--- nsapolicycoreutils/gui/templates/script.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/script.py 2009-06-25 16:00:57.000000000 -0400
+++ policycoreutils-2.0.71/gui/templates/script.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,99 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@ -12961,9 +12963,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py
+# Adding roles to SELinux user USER
+/usr/sbin/semanage user -m -R +TEMPLATETYPE_r USER
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.64/gui/templates/semodule.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.71/gui/templates/semodule.py
--- nsapolicycoreutils/gui/templates/semodule.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/semodule.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/templates/semodule.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,41 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@ -13006,9 +13008,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.p
+semanage ports -a -t TEMPLATETYPE_port_t -p udp PORTNUM
+"""
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.64/gui/templates/tmp.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.71/gui/templates/tmp.py
--- nsapolicycoreutils/gui/templates/tmp.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/tmp.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/templates/tmp.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,97 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@ -13107,9 +13109,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol
+ TEMPLATETYPE_manage_tmp($1)
+"""
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.64/gui/templates/user.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.71/gui/templates/user.py
--- nsapolicycoreutils/gui/templates/user.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/user.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/templates/user.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,182 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@ -13293,9 +13295,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
+te_newrole_rules="""
+seutil_run_newrole(TEMPLATETYPE_t,TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.64/gui/templates/var_lib.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.71/gui/templates/var_lib.py
--- nsapolicycoreutils/gui/templates/var_lib.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/var_lib.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/templates/var_lib.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,158 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@ -13455,9 +13457,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py
+fc_dir="""\
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.64/gui/templates/var_log.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.71/gui/templates/var_log.py
--- nsapolicycoreutils/gui/templates/var_log.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/var_log.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/templates/var_log.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,110 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@ -13569,9 +13571,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py
+fc_dir="""\
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_log_t,s0)
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.64/gui/templates/var_run.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.71/gui/templates/var_run.py
--- nsapolicycoreutils/gui/templates/var_run.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/var_run.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/templates/var_run.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,118 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@ -13691,9 +13693,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
+"""
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.64/gui/templates/var_spool.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.71/gui/templates/var_spool.py
--- nsapolicycoreutils/gui/templates/var_spool.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/templates/var_spool.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/templates/var_spool.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,129 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@ -13824,9 +13826,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.
+fc_dir="""\
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_spool_t,s0)
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/translationsPage.py policycoreutils-2.0.64/gui/translationsPage.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/translationsPage.py policycoreutils-2.0.71/gui/translationsPage.py
--- nsapolicycoreutils/gui/translationsPage.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/translationsPage.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/translationsPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,118 @@
+## translationsPage.py - show selinux translations
+## Copyright (C) 2006 Red Hat, Inc.
@ -13946,9 +13948,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/translationsPage.py
+ store, iter = self.view.get_selection().get_selected()
+ self.store.set_value(iter, 0, level)
+ self.store.set_value(iter, 1, translation)
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/usersPage.py policycoreutils-2.0.64/gui/usersPage.py
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/usersPage.py policycoreutils-2.0.71/gui/usersPage.py
--- nsapolicycoreutils/gui/usersPage.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.64/gui/usersPage.py 2009-06-23 16:24:31.000000000 -0400
+++ policycoreutils-2.0.71/gui/usersPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,150 @@
+## usersPage.py - show selinux mappings
+## Copyright (C) 2006,2007,2008 Red Hat, Inc.

View File

@ -40,10 +40,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
f = sys.stdin
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.71/Makefile
--- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.71/Makefile 2009-08-20 12:53:16.000000000 -0400
+++ policycoreutils-2.0.71/Makefile 2009-08-26 10:04:47.000000000 -0400
@@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
+SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
@ -1152,41 +1152,47 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ exitApp("Error watching config file.");
+}
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.71/scripts/chcat
--- nsapolicycoreutils/scripts/chcat 2009-06-23 15:36:07.000000000 -0400
+++ policycoreutils-2.0.71/scripts/chcat 2009-08-20 12:53:16.000000000 -0400
@@ -435,6 +435,8 @@
continue
except ValueError, e:
error(e)
+ except OSError, e:
+ error(e)
sys.exit(errors)
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.71/scripts/Makefile
--- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.71/scripts/Makefile 2009-08-20 12:53:16.000000000 -0400
@@ -5,11 +5,12 @@
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
-all: fixfiles genhomedircon
+all: fixfiles genhomedircon sandbox chcat
install: all
-mkdir -p $(BINDIR)
install -m 755 chcat $(BINDIR)
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.71/sandbox/Makefile
--- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.71/sandbox/Makefile 2009-08-26 10:50:50.000000000 -0400
@@ -0,0 +1,31 @@
+# Installation directories.
+PREFIX ?= ${DESTDIR}/usr
+BINDIR ?= $(PREFIX)/bin
+SBINDIR ?= $(PREFIX)/sbin
+MANDIR ?= $(PREFIX)/share/man
+LOCALEDIR ?= /usr/share/locale
+SHAREDIR ?= $(PREFIX)/share/sandbox
+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\""
+LDLIBS += -lselinux -lcap-ng
+
+all: sandbox seunshare sandboxX.sh
+
+seunshare: seunshare.o $(EXTRA_OBJS)
+ $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
+
+install: all
+ -mkdir -p $(BINDIR)
+ install -m 755 sandbox $(BINDIR)
install -m 755 fixfiles $(DESTDIR)/sbin
install -m 755 genhomedircon $(SBINDIR)
-mkdir -p $(MANDIR)/man8
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.71/scripts/sandbox
--- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.71/scripts/sandbox 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,139 @@
+ -mkdir -p $(MANDIR)/man8
+ install -m 644 sandbox.8 $(MANDIR)/man8/
+ install -m 4755 seunshare $(SBINDIR)/
+ -mkdir -p $(SHAREDIR)
+ install -m 755 sandboxX.sh $(SHAREDIR)
+
+clean:
+ -rm -f seunshare *.o *~
+
+indent:
+ ../../scripts/Lindent $(wildcard *.[ch])
+
+relabel:
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.71/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.71/sandbox/sandbox 2009-08-26 10:03:24.000000000 -0400
@@ -0,0 +1,193 @@
+#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl
+import os, sys, getopt, socket, random, fcntl, shutil
+import selinux
+
+PROGNAME = "policycoreutils"
@ -1205,6 +1211,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ __builtin__.__dict__['_'] = unicode
+
+
+DEFAULT_TYPE = "sandbox_t"
+DEFAULT_X_TYPE = "sandbox_x_t"
+
+random.seed(None)
+
+def error_exit(msg):
@ -1213,24 +1222,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ sys.stderr.flush()
+ sys.exit(1)
+
+def mount(context):
+ if os.getuid() != 0:
+ usage(_("Mount options require root privileges"))
+ destdir = "/mnt/%s" % context
+ os.mkdir(destdir)
+ rc = os.system('/bin/mount -t tmpfs tmpfs %s' % (destdir))
+ selinux.setfilecon(destdir, context)
+ if rc != 0:
+ sys.exit(rc)
+ os.chdir(destdir)
+
+def umount(dest):
+ os.chdir("/")
+ destdir = "/mnt/%s" % dest
+ os.system('/bin/umount %s' % (destdir))
+ os.rmdir(destdir)
+
+
+def reserve(mcs):
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ sock.bind("\0%s" % mcs)
@ -1263,30 +1254,75 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ mcs)
+ return execcon, filecon
+
+def copyfile(file, dir, dest):
+ import re
+ if file.startswith(dir):
+ dname = os.path.dirname(file)
+ bname = os.path.basename(file)
+ if dname == dir:
+ dest = dest + "/" + bname
+ else:
+ newdir = re.sub(dir, dest, dname)
+ os.makedirs(newdir)
+ dest = newdir + "/" + bname
+
+ if os.path.isdir(file):
+ shutil.copytree(file, dest)
+ else:
+ shutil.copy2(file, dest)
+
+def copyfiles(newhomedir, newtmpdir, files):
+ import pwd
+ homedir=pwd.getpwuid(os.getuid()).pw_dir
+
+ for f in files:
+ copyfile(f,homedir, newhomedir)
+ copyfile(f,"/tmp", newtmpdir)
+
+if __name__ == '__main__':
+ if selinux.is_selinux_enabled() != 1:
+ error_exit("Requires an SELinux enabled system")
+
+ init_files = []
+
+ def usage(message = ""):
+ text = _("""
+sandbox [ -m ] [ -t type ] command
+sandbox [-h] [-I includefile ] [[-i file ] ...] [ -t type ] command
+""")
+ error_exit("%s\n%s" % (message, text))
+
+ setype = "sandbox_t"
+ mount_ind = False
+ setype = DEFAULT_TYPE
+ X_ind = False
+ try:
+ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m",
+ gopts, cmds = getopt.getopt(sys.argv[1:], "i:ht:XI:",
+ ["help",
+ "type=",
+ "mount"])
+ "include=",
+ "includefile=",
+ "type="
+ ])
+ for o, a in gopts:
+ if o == "-t" or o == "--type":
+ setype = a
+
+ if o == "-m" or o == "--mount":
+ mount_ind = True
+ if o == "-i" or o == "--include":
+ rp = os.path.realpath(a)
+ if rp not in init_files:
+ init_files.append(rp)
+
+ if o == "-I" or o == "--includefile":
+ fd = open(a, "r")
+ for i in fd.read().split("\n"):
+ if os.path.exists(i):
+ rp = os.path.realpath(i)
+ if rp not in init_files:
+ init_files.append(rp)
+
+ fd.close
+
+ if o == "-X":
+ if DEFAULT_TYPE == setype:
+ setype = DEFAULT_X_TYPE
+ X_ind = True
+
+ if o == "-h" or o == "--help":
+ usage(_("Usage"));
@ -1296,8 +1332,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+
+ execcon, filecon = gen_context(setype)
+ rc = -1
+ if mount_ind:
+ mount(filecon)
+
+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
+ for i in os.environ["PATH"].split(':'):
@ -1306,121 +1340,315 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ cmds[0] = f
+ break
+
+ try:
+ if X_ind:
+ import warnings
+ warnings.simplefilter("ignore")
+ newhomedir = os.tempnam(".", ".sandbox%s")
+ os.mkdir(newhomedir)
+ selinux.setfilecon(newhomedir, filecon)
+ newtmpdir = os.tempnam("/tmp", ".sandbox")
+ os.mkdir(newtmpdir)
+ selinux.setfilecon(newtmpdir, filecon)
+ warnings.resetwarnings()
+ copyfiles(newhomedir, newtmpdir, init_files + cmds)
+ execfile = newhomedir + "/.sandboxrc"
+ fd = open(execfile, "w+")
+ fd.write("""#! /bin/sh
+%s
+""" % " ".join(cmds))
+ fd.close()
+ os.chmod(execfile, 0700)
+
+ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split()
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ else:
+ selinux.setexeccon(execcon)
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(None)
+ finally:
+ if X_ind:
+ shutil.rmtree(newhomedir)
+ shutil.rmtree(newtmpdir)
+
+ if mount_ind:
+ umount(filecon)
+ except getopt.GetoptError, error:
+ usage(_("Options Error %s ") % error.msg)
+ except OSError, error:
+ error_exit(error.args[1])
+ except ValueError, error:
+ error_exit(error.args[0])
+ except KeyError, error:
+ error_exit(_("Invalid value %s") % error.args[0])
+ except IOError, error:
+ error_exit(error.args[1])
+ except OSError, error:
+ error_exit(error.args[1])
+
+ sys.exit(rc)
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.71/scripts/sandbox.8
--- nsapolicycoreutils/scripts/sandbox.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.71/scripts/sandbox.8 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,22 @@
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.71/sandbox/sandbox.8
--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.71/sandbox/sandbox.8 2009-08-26 10:03:24.000000000 -0400
@@ -0,0 +1,26 @@
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
+.SH NAME
+sandbox \- Run cmd under an SELinux sandbox
+.SH SYNOPSIS
+.B sandbox
+[ -M ] [ -t type ] cmd
+[-X] [[-i file ]...] [ -t type ] cmd
+.br
+.SH DESCRIPTION
+.PP
+Run application within a tightly confined SELinux domain, This application can only read and write stdin and stdout along with files handled to it by the shell.
+Run application within a tightly confined SELinux domain, The default sandbox allows the application to only read and write stdin and stdout along with files handled to it by the shell.
+Additionaly a -X qualifier allows you to run sandboxed X applications. These apps will start up their own X Server and create a temporary homedir and /tmp. The default policy does not allow any capabilities or network access. Also prevents all access to the users other processes and files. Any file specified on the command line will be copied into the sandbox.
+.PP
+.TP
+\fB\-m\fR
+Mount a temporary file system and change working directory to it, files will be removed when job completes.
+.TP
+\fB\-t type\fR
+Use alternate sandbox type, defaults to sandbox_t
+Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X.
+.TP
+\fB\-i file\fR
+Copy this file into the temporary sandbox homedir. Command can be repeated.
+.TP
+\fB\-X\fR
+Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, seconday Xserver, defaults to sandbox_x_t
+.TP
+.SH "SEE ALSO"
+.TP
+runcon(1)
+.PP
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.py policycoreutils-2.0.71/scripts/sandbox.py
--- nsapolicycoreutils/scripts/sandbox.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.71/scripts/sandbox.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,67 @@
+#!/usr/bin/python
+import os, sys, getopt, socket, random, fcntl
+import selinux
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.71/sandbox/sandboxX.sh
--- nsapolicycoreutils/sandbox/sandboxX.sh 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.71/sandbox/sandboxX.sh 2009-08-26 10:03:24.000000000 -0400
@@ -0,0 +1,13 @@
+#!/bin/bash
+(Xephyr -terminate -screen 1000x700 -displayfd 5 5>&1 2>/dev/null) | while read D; do
+export DISPLAY=:$D
+matchbox-window-manager -use_titlebar no &
+WM_PID=$!
+~/.sandboxrc &
+CLIENT_PID=$!
+wait $CLIENT_PID
+export EXITCODE=$?
+kill -TERM $WM_PID
+exit $EXITCODE
+break
+done
Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.71/sandbox/seunshare differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.71/sandbox/seunshare.c
--- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.71/sandbox/seunshare.c 2009-08-26 10:06:05.000000000 -0400
@@ -0,0 +1,188 @@
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <sys/mount.h>
+#include <pwd.h>
+#define _GNU_SOURCE
+#include <sched.h>
+#include <string.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <cap-ng.h>
+#include <getopt.h> /* for getopt_long() form of getopt() */
+
+random.seed(None)
+#include <selinux/selinux.h>
+#include <selinux/context.h> /* for context-mangling functions */
+
+def mount(src, context):
+ destdir="/mnt/%s" % context
+ os.mkdir(destdir)
+ print 'mount -n -o "context=%s" %s %s' % (context, src, destdir)
+ os.chdir(destdir)
+/**
+ * This function will drop the capabilities so that we are left
+ * only with access to the audit system and the ability to raise
+ * CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_FOWNER and CAP_CHOWN,
+ * before invoking unshare and mounting a couple of directories.
+ * These capabilities are needed for performing bind mounts/unmounts
+ * and to create potential new instance directories with appropriate
+ * DAC attributes.
+ *
+ * Returns zero on success, non-zero otherwise
+ */
+static int drop_capabilities(int all)
+{
+ capng_clear(CAPNG_SELECT_BOTH);
+
+def umount(dest):
+ os.chdir("/")
+ destdir="/mnt/%s" % dest
+ print ('umount -n %s' % destdir)
+ os.rmdir(destdir)
+ if (all) {
+ if ((getuid() == 0) && (capng_lock() < 0))
+ return -1;
+ } else {
+ if (capng_updatev(CAPNG_ADD, CAP_DAC_OVERRIDE|CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_ADMIN, -1) < 0)
+ return -1;
+
+ }
+
+def reserve(mcs):
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ sock.bind("\0%s" % mcs)
+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
+ return capng_apply(CAPNG_SELECT_BOTH);
+}
+
+def gen_context(type):
+ while True:
+ i1 = random.randrange(0,1024)
+ i2 = random.randrange(0,1024)
+ if i1 == i2:
+ continue
+ if i1 > i2:
+ tmp = i1
+ i1 = i2
+ i2 = tmp
+ mcs = "s0:c%d,c%d" % (i1, i2)
+ reserve(mcs)
+ try:
+ reserve(mcs)
+ except:
+ continue
+ break
+ con = selinux.getcon()[1].split(":")
+#define DEFAULT_PATH "/usr/bin:/bin"
+#define TRUE 1
+#define FALSE 0
+
+ execcon="%s:%s:%s:%s" % (con[0], con[1], type, mcs)
+/**
+ * Take care of any signal setup
+ */
+static int set_signal_handles()
+{
+ sigset_t empty;
+
+ filecon="%s:%s:%s:%s" % (con[0], "object_r", "%s_file_t" % type[:-2], mcs)
+ return execcon, filecon
+ /* Empty the signal mask in case someone is blocking a signal */
+ if (sigemptyset(&empty)) {
+ fprintf(stderr, "Unable to obtain empty signal set\n");
+ return -1;
+ }
+
+ (void)sigprocmask(SIG_SETMASK, &empty, NULL);
+
+type = "sandbox_t"
+mount_src = None
+gopts, cmds = getopt.getopt(sys.argv[1:],"t:m:",
+ ["type",
+ "mount"])
+for o, a in gopts:
+ if o == "-t" or o == "--type":
+ type = a
+ if o == "-m" or o == "--mount":
+ mount_src = a
+ /* Terminate on SIGHUP. */
+ if (signal(SIGHUP, SIG_DFL) == SIG_ERR) {
+ perror("Unable to set SIGHUP handler");
+ return -1;
+ }
+
+execcon, filecon = gen_context(type)
+selinux.setexeccon(execcon)
+ return 0;
+}
+#define USAGE_STRING "USAGE: seunshare [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] "
+
+if mount_src != None:
+ mount(mount_src, filecon)
+ umount(filecon)
+os.execvp(cmds[0], cmds)
+int main(int argc, char **argv) {
+ int rc;
+ int status = -1;
+
+ struct passwd *pwd=getpwuid(getuid());
+ security_context_t scontext;
+
+ int flag_index; /* flag index in argv[] */
+ int clflag; /* holds codes for command line flags */
+ char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */
+ char *homedir_s = NULL; /* homedir spec'd by user in argv[] */
+
+ const struct option long_options[] = {
+ {"homedir", 1, 0, 'h'},
+ {"tmpdir", 1, 0, 't'},
+ {NULL, 0, 0, 0}
+ };
+
+ if (drop_capabilities(FALSE)) {
+ perror("Failed to drop capabilities");
+ return -1;
+ }
+
+ while (1) {
+ clflag = getopt_long(argc, argv, "h:t:", long_options,
+ &flag_index);
+ if (clflag == -1)
+ break;
+
+ switch (clflag) {
+ case 't':
+ tmpdir_s = optarg;
+ break;
+ case 'h':
+ homedir_s = optarg;
+ break;
+ default:
+ fprintf(stderr, "%s\n", USAGE_STRING);
+ return -1;
+ }
+ }
+
+ if (! homedir_s && ! tmpdir_s) {
+ fprintf(stderr, "Error: tmpdir and/or homedir required \n"
+ "%s\n", USAGE_STRING);
+ return -1;
+ }
+
+ if (argc - optind < 2) {
+ fprintf(stderr, "Error: executable required \n"
+ "%s\n", USAGE_STRING);
+ return -1;
+ }
+
+ scontext = argv[optind++];
+
+ if (set_signal_handles())
+ return -1;
+
+ if (unshare(CLONE_NEWNS) < 0) {
+ perror("Failed to unshare");
+ return -1;
+ }
+
+ if (homedir_s && mount(homedir_s, pwd->pw_dir, NULL, MS_BIND, NULL) < 0) {
+ perror("Failed to mount HOMEDIR");
+ return -1;
+ }
+
+ if (tmpdir_s && mount(tmpdir_s, "/tmp", NULL, MS_BIND, NULL) < 0) {
+ perror("Failed to mount /tmp");
+ return -1;
+ }
+
+ if (drop_capabilities(TRUE)) {
+ perror("Failed to drop all capabilities");
+ return -1;
+ }
+
+ int child = fork();
+ if (!child) {
+ /* Construct a new environment */
+ char *display = strdup(getenv("DISPLAY"));
+ if (!display) {
+ perror("Out of memory");
+ exit(-1);
+ }
+ if ((rc = clearenv())) {
+ perror("Unable to clear environment");
+ exit(-1);
+ }
+
+ if (setexeccon(scontext)) {
+ fprintf(stderr, "Could not set exec context to %s.\n",
+ scontext);
+ exit(-1);
+ }
+
+ rc |= setenv("DISPLAY", display, 1);
+ rc |= setenv("HOME", pwd->pw_dir, 1);
+ rc |= setenv("SHELL", pwd->pw_shell, 1);
+ rc |= setenv("USER", pwd->pw_name, 1);
+ rc |= setenv("LOGNAME", pwd->pw_name, 1);
+ rc |= setenv("PATH", DEFAULT_PATH, 1);
+
+ chdir(pwd->pw_dir);
+ execv(argv[optind], argv + optind);
+ perror("execv");
+ exit(-1);
+ } else {
+ waitpid(child, &status, 0);
+ }
+
+ return status;
+}
Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.71/sandbox/seunshare.o differ
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.71/scripts/chcat
--- nsapolicycoreutils/scripts/chcat 2009-06-23 15:36:07.000000000 -0400
+++ policycoreutils-2.0.71/scripts/chcat 2009-08-20 12:53:16.000000000 -0400
@@ -435,6 +435,8 @@
continue
except ValueError, e:
error(e)
+ except OSError, e:
+ error(e)
sys.exit(errors)
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.71/scripts/Makefile
--- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.71/scripts/Makefile 2009-08-26 10:04:11.000000000 -0400
@@ -5,7 +5,7 @@
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
-all: fixfiles genhomedircon
+all: fixfiles genhomedircon chcat
install: all
-mkdir -p $(BINDIR)
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.71/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2009-08-19 16:35:03.000000000 -0400
+++ policycoreutils-2.0.71/semanage/semanage 2009-08-20 12:53:16.000000000 -0400

View File

@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.71
Release: 10%{?dist}
Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -19,6 +19,7 @@ Source5: system-config-selinux.console
Source6: selinux-polgengui.desktop
Source7: selinux-polgengui.console
Source8: policycoreutils_man_ru2.tar.bz2
Source9: sandbox.init
Patch: policycoreutils-rhat.patch
Patch1: policycoreutils-po.patch
Patch3: policycoreutils-gui.patch
@ -72,6 +73,8 @@ mkdir -p %{buildroot}%{_mandir}/man1
mkdir -p %{buildroot}%{_mandir}/man8
mkdir -p %{buildroot}%{_sysconfdir}/pam.d
mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/rc.d/init.d
install -m0755 %{SOURCE9} %{buildroot}/%{_sysconfdir}/rc.d/init.d/sandbox
make LSPP_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
make -C sepolgen-%{sepolgenver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
@ -137,10 +140,36 @@ The policycoreutils-python package contains the management tools use to manage a
[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen
exit 0
%package sandbox
Summary: SELinux sandbox utilities
Group: System Environment/Base
Requires: policycoreutils-python = %{version}-%{release}
Requires: xorg-x11-server-Xephyr
Requires: matchbox-window-manager
Requiers(post): /sbin/chkconfig
%description sandbox
The policycoreutils-python package contains the scripts to create graphical sandboxes
%files sandbox
%{_sysconfdir}/rc.d/init.d/sandbox
%{_mandir}/man8/sandbox.8*
%{_sbindir}/seunshare
%{_datadir}/sandbox/sandboxX.sh
%triggerin python -- selinux-policy
[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen
exit 0
%post sandbox
if [ $1 -eq 1 ]; then
/sbin/chkconfig sanbox --add
fi
%preun sandbox
if [ $1 -eq 0 ]; then
/sbin/chkconfig sanbox --del
fi
%package newrole
Summary: The newrole application for RBAC/MLS
Group: System Environment/Base
@ -265,6 +294,9 @@ fi
exit 0
%changelog
* Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-11
- Add sandboxX
* Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-10
- Fix realpath usage to only happen on argv input from user