* Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-11
- Add sandboxX
This commit is contained in:
parent
4b8a9749e9
commit
349a457593
@ -1,6 +1,6 @@
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py policycoreutils-2.0.64/gui/booleansPage.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py policycoreutils-2.0.71/gui/booleansPage.py
|
||||
--- nsapolicycoreutils/gui/booleansPage.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/booleansPage.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/booleansPage.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,247 @@
|
||||
+#
|
||||
+# booleansPage.py - GUI for Booleans page in system-config-securitylevel
|
||||
@ -249,9 +249,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py poli
|
||||
+ self.load(self.filter)
|
||||
+ return True
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/domainsPage.py policycoreutils-2.0.64/gui/domainsPage.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/domainsPage.py policycoreutils-2.0.71/gui/domainsPage.py
|
||||
--- nsapolicycoreutils/gui/domainsPage.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/domainsPage.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/domainsPage.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,154 @@
|
||||
+## domainsPage.py - show selinux domains
|
||||
+## Copyright (C) 2009 Red Hat, Inc.
|
||||
@ -407,9 +407,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/domainsPage.py polic
|
||||
+
|
||||
+ except ValueError, e:
|
||||
+ self.error(e.args[0])
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py policycoreutils-2.0.64/gui/fcontextPage.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py policycoreutils-2.0.71/gui/fcontextPage.py
|
||||
--- nsapolicycoreutils/gui/fcontextPage.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/fcontextPage.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/fcontextPage.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,223 @@
|
||||
+## fcontextPage.py - show selinux mappings
|
||||
+## Copyright (C) 2006 Red Hat, Inc.
|
||||
@ -634,9 +634,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py poli
|
||||
+ self.store.set_value(iter, SPEC_COL, fspec)
|
||||
+ self.store.set_value(iter, FTYPE_COL, ftype)
|
||||
+ self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls))
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/html_util.py policycoreutils-2.0.64/gui/html_util.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/html_util.py policycoreutils-2.0.71/gui/html_util.py
|
||||
--- nsapolicycoreutils/gui/html_util.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/html_util.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/html_util.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,164 @@
|
||||
+# Authors: John Dennis <jdennis@redhat.com>
|
||||
+#
|
||||
@ -802,9 +802,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/html_util.py policyc
|
||||
+ doc += tail
|
||||
+ return doc
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.glade policycoreutils-2.0.64/gui/lockdown.glade
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.glade policycoreutils-2.0.71/gui/lockdown.glade
|
||||
--- nsapolicycoreutils/gui/lockdown.glade 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/lockdown.glade 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/lockdown.glade 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,771 @@
|
||||
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
||||
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
|
||||
@ -1577,9 +1577,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.glade polic
|
||||
+</widget>
|
||||
+
|
||||
+</glade-interface>
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.gladep policycoreutils-2.0.64/gui/lockdown.gladep
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.gladep policycoreutils-2.0.71/gui/lockdown.gladep
|
||||
--- nsapolicycoreutils/gui/lockdown.gladep 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/lockdown.gladep 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/lockdown.gladep 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,7 @@
|
||||
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
||||
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
|
||||
@ -1588,9 +1588,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.gladep poli
|
||||
+ <name></name>
|
||||
+ <program_name></program_name>
|
||||
+</glade-project>
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.py policycoreutils-2.0.64/gui/lockdown.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.py policycoreutils-2.0.71/gui/lockdown.py
|
||||
--- nsapolicycoreutils/gui/lockdown.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/lockdown.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/lockdown.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,382 @@
|
||||
+#!/usr/bin/python
|
||||
+#
|
||||
@ -1974,9 +1974,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.py policyco
|
||||
+
|
||||
+ app = booleanWindow()
|
||||
+ app.stand_alone()
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policycoreutils-2.0.64/gui/loginsPage.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policycoreutils-2.0.71/gui/loginsPage.py
|
||||
--- nsapolicycoreutils/gui/loginsPage.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/loginsPage.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/loginsPage.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,185 @@
|
||||
+## loginsPage.py - show selinux mappings
|
||||
+## Copyright (C) 2006 Red Hat, Inc.
|
||||
@ -2163,9 +2163,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policy
|
||||
+ self.store.set_value(iter, 1, seuser)
|
||||
+ self.store.set_value(iter, 2, seobject.translate(serange))
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreutils-2.0.64/gui/Makefile
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreutils-2.0.71/gui/Makefile
|
||||
--- nsapolicycoreutils/gui/Makefile 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/Makefile 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/Makefile 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,41 @@
|
||||
+# Installation directories.
|
||||
+PREFIX ?= ${DESTDIR}/usr
|
||||
@ -2208,9 +2208,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreu
|
||||
+indent:
|
||||
+
|
||||
+relabel:
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py policycoreutils-2.0.64/gui/mappingsPage.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py policycoreutils-2.0.71/gui/mappingsPage.py
|
||||
--- nsapolicycoreutils/gui/mappingsPage.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/mappingsPage.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/mappingsPage.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,56 @@
|
||||
+## mappingsPage.py - show selinux mappings
|
||||
+## Copyright (C) 2006 Red Hat, Inc.
|
||||
@ -2268,9 +2268,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py poli
|
||||
+ for k in keys:
|
||||
+ print "%-25s %-25s %-25s" % (k, dict[k][0], translate(dict[k][1]))
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py policycoreutils-2.0.64/gui/modulesPage.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py policycoreutils-2.0.71/gui/modulesPage.py
|
||||
--- nsapolicycoreutils/gui/modulesPage.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/modulesPage.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/modulesPage.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,190 @@
|
||||
+## modulesPage.py - show selinux mappings
|
||||
+## Copyright (C) 2006-2009 Red Hat, Inc.
|
||||
@ -2462,9 +2462,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py polic
|
||||
+
|
||||
+ except ValueError, e:
|
||||
+ self.error(e.args[0])
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.64/gui/polgen.glade
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.71/gui/polgen.glade
|
||||
--- nsapolicycoreutils/gui/polgen.glade 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/polgen.glade 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/polgen.glade 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,3305 @@
|
||||
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
||||
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
|
||||
@ -5771,9 +5771,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
|
||||
+</widget>
|
||||
+
|
||||
+</glade-interface>
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policycoreutils-2.0.64/gui/polgen.gladep
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policycoreutils-2.0.71/gui/polgen.gladep
|
||||
--- nsapolicycoreutils/gui/polgen.gladep 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/polgen.gladep 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/polgen.gladep 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,7 @@
|
||||
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
||||
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
|
||||
@ -5782,9 +5782,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policy
|
||||
+ <name></name>
|
||||
+ <program_name></program_name>
|
||||
+</glade-project>
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.64/gui/polgengui.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.71/gui/polgengui.py
|
||||
--- nsapolicycoreutils/gui/polgengui.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/polgengui.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/polgengui.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,627 @@
|
||||
+#!/usr/bin/python -E
|
||||
+#
|
||||
@ -6413,10 +6413,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
|
||||
+
|
||||
+ app = childWindow()
|
||||
+ app.stand_alone()
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.64/gui/polgen.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.71/gui/polgen.py
|
||||
--- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/polgen.py 2009-06-25 16:01:33.000000000 -0400
|
||||
@@ -0,0 +1,1179 @@
|
||||
+++ policycoreutils-2.0.71/gui/polgen.py 2009-08-26 10:47:54.000000000 -0400
|
||||
@@ -0,0 +1,1183 @@
|
||||
+#!/usr/bin/python
|
||||
+#
|
||||
+# Copyright (C) 2007, 2008, 2009 Red Hat
|
||||
@ -6747,6 +6747,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
|
||||
+ self.need_udp_type=False
|
||||
+ self.admin_domains = []
|
||||
+ self.transition_domains = []
|
||||
+ self.transition_users = []
|
||||
+ self.roles = []
|
||||
+ self.all_roles = get_all_roles()
|
||||
+
|
||||
@ -7548,9 +7549,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
|
||||
+
|
||||
+if __name__ == '__main__':
|
||||
+ setype = DAEMON
|
||||
+ gopts, cmds = getopt.getopt(sys.argv[1:], "t:m",
|
||||
+ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m",
|
||||
+ ["type=",
|
||||
+ "mount"])
|
||||
+ "mount",
|
||||
+ "help"])
|
||||
+ for o, a in gopts:
|
||||
+ if o == "-t" or o == "--type":
|
||||
+ try:
|
||||
@ -7564,6 +7566,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
|
||||
+ if o == "-m" or o == "--mount":
|
||||
+ mount_ind = True
|
||||
+
|
||||
+ if o == "-h" or o == "--help":
|
||||
+ usage("");
|
||||
+
|
||||
+ if len(cmds) == 0:
|
||||
+ usage(_("Executable required"))
|
||||
@ -7596,9 +7600,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
|
||||
+
|
||||
+ print mypolicy.generate()
|
||||
+ sys.exit(0)
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policycoreutils-2.0.64/gui/portsPage.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policycoreutils-2.0.71/gui/portsPage.py
|
||||
--- nsapolicycoreutils/gui/portsPage.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/portsPage.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/portsPage.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,259 @@
|
||||
+## portsPage.py - show selinux mappings
|
||||
+## Copyright (C) 2006 Red Hat, Inc.
|
||||
@ -7859,9 +7863,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policyc
|
||||
+
|
||||
+ return True
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policycoreutils-2.0.64/gui/selinux.tbl
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policycoreutils-2.0.71/gui/selinux.tbl
|
||||
--- nsapolicycoreutils/gui/selinux.tbl 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/selinux.tbl 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/selinux.tbl 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,234 @@
|
||||
+acct_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for acct daemon")
|
||||
+allow_daemons_dump_core _("Admin") _("Allow all daemons to write corefiles to /")
|
||||
@ -8097,9 +8101,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
|
||||
+webadm_manage_user_files _("HTTPD Service") _("Allow SELinux webadm user to manage unprivileged users home directories")
|
||||
+webadm_read_user_files _("HTTPD Service") _("Allow SELinux webadm user to read unprivileged users home directories")
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py policycoreutils-2.0.64/gui/semanagePage.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py policycoreutils-2.0.71/gui/semanagePage.py
|
||||
--- nsapolicycoreutils/gui/semanagePage.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/semanagePage.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/semanagePage.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,168 @@
|
||||
+## semanagePage.py - show selinux mappings
|
||||
+## Copyright (C) 2006 Red Hat, Inc.
|
||||
@ -8269,9 +8273,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py poli
|
||||
+ self.load(self.filter)
|
||||
+ return True
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policycoreutils-2.0.64/gui/statusPage.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policycoreutils-2.0.71/gui/statusPage.py
|
||||
--- nsapolicycoreutils/gui/statusPage.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/statusPage.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/statusPage.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,190 @@
|
||||
+# statusPage.py - show selinux status
|
||||
+## Copyright (C) 2006-2009 Red Hat, Inc.
|
||||
@ -8463,9 +8467,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policy
|
||||
+ return self.types[self.selinuxTypeOptionMenu.get_active()]
|
||||
+
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.glade policycoreutils-2.0.64/gui/system-config-selinux.glade
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.glade policycoreutils-2.0.71/gui/system-config-selinux.glade
|
||||
--- nsapolicycoreutils/gui/system-config-selinux.glade 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/system-config-selinux.glade 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/system-config-selinux.glade 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,3403 @@
|
||||
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
||||
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
|
||||
@ -11870,9 +11874,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu
|
||||
+</widget>
|
||||
+
|
||||
+</glade-interface>
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.py policycoreutils-2.0.64/gui/system-config-selinux.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.py policycoreutils-2.0.71/gui/system-config-selinux.py
|
||||
--- nsapolicycoreutils/gui/system-config-selinux.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/system-config-selinux.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/system-config-selinux.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,189 @@
|
||||
+#!/usr/bin/python
|
||||
+#
|
||||
@ -12063,9 +12067,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu
|
||||
+
|
||||
+ app = childWindow()
|
||||
+ app.stand_alone()
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py policycoreutils-2.0.64/gui/templates/boolean.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py policycoreutils-2.0.71/gui/templates/boolean.py
|
||||
--- nsapolicycoreutils/gui/templates/boolean.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/boolean.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/templates/boolean.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,40 @@
|
||||
+# Copyright (C) 2007 Red Hat
|
||||
+# see file 'COPYING' for use and warranty information
|
||||
@ -12107,9 +12111,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py
|
||||
+')
|
||||
+"""
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py policycoreutils-2.0.64/gui/templates/etc_rw.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py policycoreutils-2.0.71/gui/templates/etc_rw.py
|
||||
--- nsapolicycoreutils/gui/templates/etc_rw.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/etc_rw.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/templates/etc_rw.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,129 @@
|
||||
+# Copyright (C) 2007 Red Hat
|
||||
+# see file 'COPYING' for use and warranty information
|
||||
@ -12240,10 +12244,10 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py
|
||||
+fc_dir="""\
|
||||
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0)
|
||||
+"""
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.64/gui/templates/executable.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.71/gui/templates/executable.py
|
||||
--- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/executable.py 2009-06-23 16:24:31.000000000 -0400
|
||||
@@ -0,0 +1,376 @@
|
||||
+++ policycoreutils-2.0.71/gui/templates/executable.py 2009-08-26 10:48:18.000000000 -0400
|
||||
@@ -0,0 +1,374 @@
|
||||
+# Copyright (C) 2007-2009 Red Hat
|
||||
+# see file 'COPYING' for use and warranty information
|
||||
+#
|
||||
@ -12356,7 +12360,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
||||
+files_read_etc_files(TEMPLATETYPE_t)
|
||||
+
|
||||
+miscfiles_read_localization(TEMPLATETYPE_t)
|
||||
+
|
||||
+"""
|
||||
+
|
||||
+te_inetd_rules="""
|
||||
@ -12381,7 +12384,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
||||
+libs_use_shared_libs(TEMPLATETYPE_t)
|
||||
+
|
||||
+miscfiles_read_localization(TEMPLATETYPE_t)
|
||||
+
|
||||
+"""
|
||||
+
|
||||
+te_cgi_rules="""
|
||||
@ -12620,9 +12622,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
||||
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0)
|
||||
+"""
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.64/gui/templates/__init__.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.71/gui/templates/__init__.py
|
||||
--- nsapolicycoreutils/gui/templates/__init__.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/__init__.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/templates/__init__.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,18 @@
|
||||
+#
|
||||
+# Copyright (C) 2007 Red Hat, Inc.
|
||||
@ -12642,9 +12644,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.p
|
||||
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||
+#
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.64/gui/templates/network.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.71/gui/templates/network.py
|
||||
--- nsapolicycoreutils/gui/templates/network.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/network.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/templates/network.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,80 @@
|
||||
+te_port_types="""
|
||||
+type TEMPLATETYPE_port_t;
|
||||
@ -12726,9 +12728,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py
|
||||
+corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t)
|
||||
+"""
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.64/gui/templates/rw.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.71/gui/templates/rw.py
|
||||
--- nsapolicycoreutils/gui/templates/rw.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/rw.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/templates/rw.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,128 @@
|
||||
+# Copyright (C) 2007 Red Hat
|
||||
+# see file 'COPYING' for use and warranty information
|
||||
@ -12858,9 +12860,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli
|
||||
+fc_dir="""
|
||||
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0)
|
||||
+"""
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.64/gui/templates/script.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.71/gui/templates/script.py
|
||||
--- nsapolicycoreutils/gui/templates/script.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/script.py 2009-06-25 16:00:57.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/templates/script.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,99 @@
|
||||
+# Copyright (C) 2007 Red Hat
|
||||
+# see file 'COPYING' for use and warranty information
|
||||
@ -12961,9 +12963,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py
|
||||
+# Adding roles to SELinux user USER
|
||||
+/usr/sbin/semanage user -m -R +TEMPLATETYPE_r USER
|
||||
+"""
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.64/gui/templates/semodule.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.71/gui/templates/semodule.py
|
||||
--- nsapolicycoreutils/gui/templates/semodule.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/semodule.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/templates/semodule.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,41 @@
|
||||
+# Copyright (C) 2007 Red Hat
|
||||
+# see file 'COPYING' for use and warranty information
|
||||
@ -13006,9 +13008,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.p
|
||||
+semanage ports -a -t TEMPLATETYPE_port_t -p udp PORTNUM
|
||||
+"""
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.64/gui/templates/tmp.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.71/gui/templates/tmp.py
|
||||
--- nsapolicycoreutils/gui/templates/tmp.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/tmp.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/templates/tmp.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,97 @@
|
||||
+# Copyright (C) 2007 Red Hat
|
||||
+# see file 'COPYING' for use and warranty information
|
||||
@ -13107,9 +13109,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol
|
||||
+ TEMPLATETYPE_manage_tmp($1)
|
||||
+"""
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.64/gui/templates/user.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.71/gui/templates/user.py
|
||||
--- nsapolicycoreutils/gui/templates/user.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/user.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/templates/user.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,182 @@
|
||||
+# Copyright (C) 2007 Red Hat
|
||||
+# see file 'COPYING' for use and warranty information
|
||||
@ -13293,9 +13295,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
|
||||
+te_newrole_rules="""
|
||||
+seutil_run_newrole(TEMPLATETYPE_t,TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
|
||||
+"""
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.64/gui/templates/var_lib.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.71/gui/templates/var_lib.py
|
||||
--- nsapolicycoreutils/gui/templates/var_lib.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/var_lib.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/templates/var_lib.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,158 @@
|
||||
+# Copyright (C) 2007 Red Hat
|
||||
+# see file 'COPYING' for use and warranty information
|
||||
@ -13455,9 +13457,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py
|
||||
+fc_dir="""\
|
||||
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
|
||||
+"""
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.64/gui/templates/var_log.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.71/gui/templates/var_log.py
|
||||
--- nsapolicycoreutils/gui/templates/var_log.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/var_log.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/templates/var_log.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,110 @@
|
||||
+# Copyright (C) 2007 Red Hat
|
||||
+# see file 'COPYING' for use and warranty information
|
||||
@ -13569,9 +13571,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py
|
||||
+fc_dir="""\
|
||||
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_log_t,s0)
|
||||
+"""
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.64/gui/templates/var_run.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.71/gui/templates/var_run.py
|
||||
--- nsapolicycoreutils/gui/templates/var_run.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/var_run.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/templates/var_run.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,118 @@
|
||||
+# Copyright (C) 2007 Red Hat
|
||||
+# see file 'COPYING' for use and warranty information
|
||||
@ -13691,9 +13693,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py
|
||||
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
|
||||
+"""
|
||||
+
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.64/gui/templates/var_spool.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.71/gui/templates/var_spool.py
|
||||
--- nsapolicycoreutils/gui/templates/var_spool.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/templates/var_spool.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/templates/var_spool.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,129 @@
|
||||
+# Copyright (C) 2007 Red Hat
|
||||
+# see file 'COPYING' for use and warranty information
|
||||
@ -13824,9 +13826,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.
|
||||
+fc_dir="""\
|
||||
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_spool_t,s0)
|
||||
+"""
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/translationsPage.py policycoreutils-2.0.64/gui/translationsPage.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/translationsPage.py policycoreutils-2.0.71/gui/translationsPage.py
|
||||
--- nsapolicycoreutils/gui/translationsPage.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/translationsPage.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/translationsPage.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,118 @@
|
||||
+## translationsPage.py - show selinux translations
|
||||
+## Copyright (C) 2006 Red Hat, Inc.
|
||||
@ -13946,9 +13948,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/translationsPage.py
|
||||
+ store, iter = self.view.get_selection().get_selected()
|
||||
+ self.store.set_value(iter, 0, level)
|
||||
+ self.store.set_value(iter, 1, translation)
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/usersPage.py policycoreutils-2.0.64/gui/usersPage.py
|
||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/usersPage.py policycoreutils-2.0.71/gui/usersPage.py
|
||||
--- nsapolicycoreutils/gui/usersPage.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.64/gui/usersPage.py 2009-06-23 16:24:31.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/gui/usersPage.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,150 @@
|
||||
+## usersPage.py - show selinux mappings
|
||||
+## Copyright (C) 2006,2007,2008 Red Hat, Inc.
|
||||
|
@ -40,10 +40,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
f = sys.stdin
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.71/Makefile
|
||||
--- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/Makefile 2009-08-20 12:53:16.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/Makefile 2009-08-26 10:04:47.000000000 -0400
|
||||
@@ -1,4 +1,4 @@
|
||||
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
|
||||
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
|
||||
+SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
|
||||
|
||||
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
|
||||
|
||||
@ -1152,41 +1152,47 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ exitApp("Error watching config file.");
|
||||
+}
|
||||
+
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.71/scripts/chcat
|
||||
--- nsapolicycoreutils/scripts/chcat 2009-06-23 15:36:07.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/scripts/chcat 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -435,6 +435,8 @@
|
||||
continue
|
||||
except ValueError, e:
|
||||
error(e)
|
||||
+ except OSError, e:
|
||||
+ error(e)
|
||||
|
||||
sys.exit(errors)
|
||||
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.71/scripts/Makefile
|
||||
--- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/scripts/Makefile 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -5,11 +5,12 @@
|
||||
MANDIR ?= $(PREFIX)/share/man
|
||||
LOCALEDIR ?= /usr/share/locale
|
||||
|
||||
-all: fixfiles genhomedircon
|
||||
+all: fixfiles genhomedircon sandbox chcat
|
||||
|
||||
install: all
|
||||
-mkdir -p $(BINDIR)
|
||||
install -m 755 chcat $(BINDIR)
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.71/sandbox/Makefile
|
||||
--- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.71/sandbox/Makefile 2009-08-26 10:50:50.000000000 -0400
|
||||
@@ -0,0 +1,31 @@
|
||||
+# Installation directories.
|
||||
+PREFIX ?= ${DESTDIR}/usr
|
||||
+BINDIR ?= $(PREFIX)/bin
|
||||
+SBINDIR ?= $(PREFIX)/sbin
|
||||
+MANDIR ?= $(PREFIX)/share/man
|
||||
+LOCALEDIR ?= /usr/share/locale
|
||||
+SHAREDIR ?= $(PREFIX)/share/sandbox
|
||||
+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\""
|
||||
+LDLIBS += -lselinux -lcap-ng
|
||||
+
|
||||
+all: sandbox seunshare sandboxX.sh
|
||||
+
|
||||
+seunshare: seunshare.o $(EXTRA_OBJS)
|
||||
+ $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
|
||||
+
|
||||
+install: all
|
||||
+ -mkdir -p $(BINDIR)
|
||||
+ install -m 755 sandbox $(BINDIR)
|
||||
install -m 755 fixfiles $(DESTDIR)/sbin
|
||||
install -m 755 genhomedircon $(SBINDIR)
|
||||
-mkdir -p $(MANDIR)/man8
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.71/scripts/sandbox
|
||||
--- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.71/scripts/sandbox 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,139 @@
|
||||
+ -mkdir -p $(MANDIR)/man8
|
||||
+ install -m 644 sandbox.8 $(MANDIR)/man8/
|
||||
+ install -m 4755 seunshare $(SBINDIR)/
|
||||
+ -mkdir -p $(SHAREDIR)
|
||||
+ install -m 755 sandboxX.sh $(SHAREDIR)
|
||||
+
|
||||
+clean:
|
||||
+ -rm -f seunshare *.o *~
|
||||
+
|
||||
+indent:
|
||||
+ ../../scripts/Lindent $(wildcard *.[ch])
|
||||
+
|
||||
+relabel:
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.71/sandbox/sandbox
|
||||
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.71/sandbox/sandbox 2009-08-26 10:03:24.000000000 -0400
|
||||
@@ -0,0 +1,193 @@
|
||||
+#!/usr/bin/python -E
|
||||
+import os, sys, getopt, socket, random, fcntl
|
||||
+import os, sys, getopt, socket, random, fcntl, shutil
|
||||
+import selinux
|
||||
+
|
||||
+PROGNAME = "policycoreutils"
|
||||
@ -1205,6 +1211,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ __builtin__.__dict__['_'] = unicode
|
||||
+
|
||||
+
|
||||
+DEFAULT_TYPE = "sandbox_t"
|
||||
+DEFAULT_X_TYPE = "sandbox_x_t"
|
||||
+
|
||||
+random.seed(None)
|
||||
+
|
||||
+def error_exit(msg):
|
||||
@ -1213,24 +1222,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ sys.stderr.flush()
|
||||
+ sys.exit(1)
|
||||
+
|
||||
+def mount(context):
|
||||
+ if os.getuid() != 0:
|
||||
+ usage(_("Mount options require root privileges"))
|
||||
+ destdir = "/mnt/%s" % context
|
||||
+ os.mkdir(destdir)
|
||||
+ rc = os.system('/bin/mount -t tmpfs tmpfs %s' % (destdir))
|
||||
+ selinux.setfilecon(destdir, context)
|
||||
+ if rc != 0:
|
||||
+ sys.exit(rc)
|
||||
+ os.chdir(destdir)
|
||||
+
|
||||
+def umount(dest):
|
||||
+ os.chdir("/")
|
||||
+ destdir = "/mnt/%s" % dest
|
||||
+ os.system('/bin/umount %s' % (destdir))
|
||||
+ os.rmdir(destdir)
|
||||
+
|
||||
+
|
||||
+def reserve(mcs):
|
||||
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
||||
+ sock.bind("\0%s" % mcs)
|
||||
@ -1263,30 +1254,75 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ mcs)
|
||||
+ return execcon, filecon
|
||||
+
|
||||
+def copyfile(file, dir, dest):
|
||||
+ import re
|
||||
+ if file.startswith(dir):
|
||||
+ dname = os.path.dirname(file)
|
||||
+ bname = os.path.basename(file)
|
||||
+ if dname == dir:
|
||||
+ dest = dest + "/" + bname
|
||||
+ else:
|
||||
+ newdir = re.sub(dir, dest, dname)
|
||||
+ os.makedirs(newdir)
|
||||
+ dest = newdir + "/" + bname
|
||||
+
|
||||
+ if os.path.isdir(file):
|
||||
+ shutil.copytree(file, dest)
|
||||
+ else:
|
||||
+ shutil.copy2(file, dest)
|
||||
+
|
||||
+def copyfiles(newhomedir, newtmpdir, files):
|
||||
+ import pwd
|
||||
+ homedir=pwd.getpwuid(os.getuid()).pw_dir
|
||||
+
|
||||
+ for f in files:
|
||||
+ copyfile(f,homedir, newhomedir)
|
||||
+ copyfile(f,"/tmp", newtmpdir)
|
||||
+
|
||||
+if __name__ == '__main__':
|
||||
+ if selinux.is_selinux_enabled() != 1:
|
||||
+ error_exit("Requires an SELinux enabled system")
|
||||
+
|
||||
+ init_files = []
|
||||
+
|
||||
+ def usage(message = ""):
|
||||
+ text = _("""
|
||||
+sandbox [ -m ] [ -t type ] command
|
||||
+sandbox [-h] [-I includefile ] [[-i file ] ...] [ -t type ] command
|
||||
+""")
|
||||
+ error_exit("%s\n%s" % (message, text))
|
||||
+
|
||||
+ setype = "sandbox_t"
|
||||
+ mount_ind = False
|
||||
+ setype = DEFAULT_TYPE
|
||||
+ X_ind = False
|
||||
+ try:
|
||||
+ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m",
|
||||
+ gopts, cmds = getopt.getopt(sys.argv[1:], "i:ht:XI:",
|
||||
+ ["help",
|
||||
+ "type=",
|
||||
+ "mount"])
|
||||
+ "include=",
|
||||
+ "includefile=",
|
||||
+ "type="
|
||||
+ ])
|
||||
+ for o, a in gopts:
|
||||
+ if o == "-t" or o == "--type":
|
||||
+ setype = a
|
||||
+
|
||||
+ if o == "-m" or o == "--mount":
|
||||
+ mount_ind = True
|
||||
+ if o == "-i" or o == "--include":
|
||||
+ rp = os.path.realpath(a)
|
||||
+ if rp not in init_files:
|
||||
+ init_files.append(rp)
|
||||
+
|
||||
+ if o == "-I" or o == "--includefile":
|
||||
+ fd = open(a, "r")
|
||||
+ for i in fd.read().split("\n"):
|
||||
+ if os.path.exists(i):
|
||||
+ rp = os.path.realpath(i)
|
||||
+ if rp not in init_files:
|
||||
+ init_files.append(rp)
|
||||
+
|
||||
+ fd.close
|
||||
+
|
||||
+ if o == "-X":
|
||||
+ if DEFAULT_TYPE == setype:
|
||||
+ setype = DEFAULT_X_TYPE
|
||||
+ X_ind = True
|
||||
+
|
||||
+ if o == "-h" or o == "--help":
|
||||
+ usage(_("Usage"));
|
||||
@ -1296,8 +1332,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+
|
||||
+ execcon, filecon = gen_context(setype)
|
||||
+ rc = -1
|
||||
+ if mount_ind:
|
||||
+ mount(filecon)
|
||||
+
|
||||
+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
|
||||
+ for i in os.environ["PATH"].split(':'):
|
||||
@ -1306,121 +1340,315 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
|
||||
+ cmds[0] = f
|
||||
+ break
|
||||
+
|
||||
+ try:
|
||||
+ if X_ind:
|
||||
+ import warnings
|
||||
+ warnings.simplefilter("ignore")
|
||||
+ newhomedir = os.tempnam(".", ".sandbox%s")
|
||||
+ os.mkdir(newhomedir)
|
||||
+ selinux.setfilecon(newhomedir, filecon)
|
||||
+ newtmpdir = os.tempnam("/tmp", ".sandbox")
|
||||
+ os.mkdir(newtmpdir)
|
||||
+ selinux.setfilecon(newtmpdir, filecon)
|
||||
+ warnings.resetwarnings()
|
||||
+ copyfiles(newhomedir, newtmpdir, init_files + cmds)
|
||||
+ execfile = newhomedir + "/.sandboxrc"
|
||||
+ fd = open(execfile, "w+")
|
||||
+ fd.write("""#! /bin/sh
|
||||
+%s
|
||||
+""" % " ".join(cmds))
|
||||
+ fd.close()
|
||||
+ os.chmod(execfile, 0700)
|
||||
+
|
||||
+ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split()
|
||||
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
|
||||
+ else:
|
||||
+ selinux.setexeccon(execcon)
|
||||
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
|
||||
+ selinux.setexeccon(None)
|
||||
+ finally:
|
||||
+ if X_ind:
|
||||
+ shutil.rmtree(newhomedir)
|
||||
+ shutil.rmtree(newtmpdir)
|
||||
+
|
||||
+ if mount_ind:
|
||||
+ umount(filecon)
|
||||
+ except getopt.GetoptError, error:
|
||||
+ usage(_("Options Error %s ") % error.msg)
|
||||
+ except OSError, error:
|
||||
+ error_exit(error.args[1])
|
||||
+ except ValueError, error:
|
||||
+ error_exit(error.args[0])
|
||||
+ except KeyError, error:
|
||||
+ error_exit(_("Invalid value %s") % error.args[0])
|
||||
+ except IOError, error:
|
||||
+ error_exit(error.args[1])
|
||||
+ except OSError, error:
|
||||
+ error_exit(error.args[1])
|
||||
+
|
||||
+ sys.exit(rc)
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.71/scripts/sandbox.8
|
||||
--- nsapolicycoreutils/scripts/sandbox.8 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.71/scripts/sandbox.8 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,22 @@
|
||||
+
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.71/sandbox/sandbox.8
|
||||
--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.71/sandbox/sandbox.8 2009-08-26 10:03:24.000000000 -0400
|
||||
@@ -0,0 +1,26 @@
|
||||
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
|
||||
+.SH NAME
|
||||
+sandbox \- Run cmd under an SELinux sandbox
|
||||
+.SH SYNOPSIS
|
||||
+.B sandbox
|
||||
+[ -M ] [ -t type ] cmd
|
||||
+[-X] [[-i file ]...] [ -t type ] cmd
|
||||
+.br
|
||||
+.SH DESCRIPTION
|
||||
+.PP
|
||||
+Run application within a tightly confined SELinux domain, This application can only read and write stdin and stdout along with files handled to it by the shell.
|
||||
+Run application within a tightly confined SELinux domain, The default sandbox allows the application to only read and write stdin and stdout along with files handled to it by the shell.
|
||||
+Additionaly a -X qualifier allows you to run sandboxed X applications. These apps will start up their own X Server and create a temporary homedir and /tmp. The default policy does not allow any capabilities or network access. Also prevents all access to the users other processes and files. Any file specified on the command line will be copied into the sandbox.
|
||||
+.PP
|
||||
+.TP
|
||||
+\fB\-m\fR
|
||||
+Mount a temporary file system and change working directory to it, files will be removed when job completes.
|
||||
+.TP
|
||||
+\fB\-t type\fR
|
||||
+Use alternate sandbox type, defaults to sandbox_t
|
||||
+Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X.
|
||||
+.TP
|
||||
+\fB\-i file\fR
|
||||
+Copy this file into the temporary sandbox homedir. Command can be repeated.
|
||||
+.TP
|
||||
+\fB\-X\fR
|
||||
+Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, seconday Xserver, defaults to sandbox_x_t
|
||||
+.TP
|
||||
+.SH "SEE ALSO"
|
||||
+.TP
|
||||
+runcon(1)
|
||||
+.PP
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.py policycoreutils-2.0.71/scripts/sandbox.py
|
||||
--- nsapolicycoreutils/scripts/sandbox.py 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.71/scripts/sandbox.py 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -0,0 +1,67 @@
|
||||
+#!/usr/bin/python
|
||||
+import os, sys, getopt, socket, random, fcntl
|
||||
+import selinux
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.71/sandbox/sandboxX.sh
|
||||
--- nsapolicycoreutils/sandbox/sandboxX.sh 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.71/sandbox/sandboxX.sh 2009-08-26 10:03:24.000000000 -0400
|
||||
@@ -0,0 +1,13 @@
|
||||
+#!/bin/bash
|
||||
+(Xephyr -terminate -screen 1000x700 -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
||||
+export DISPLAY=:$D
|
||||
+matchbox-window-manager -use_titlebar no &
|
||||
+WM_PID=$!
|
||||
+~/.sandboxrc &
|
||||
+CLIENT_PID=$!
|
||||
+wait $CLIENT_PID
|
||||
+export EXITCODE=$?
|
||||
+kill -TERM $WM_PID
|
||||
+exit $EXITCODE
|
||||
+break
|
||||
+done
|
||||
Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.71/sandbox/seunshare differ
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.71/sandbox/seunshare.c
|
||||
--- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.71/sandbox/seunshare.c 2009-08-26 10:06:05.000000000 -0400
|
||||
@@ -0,0 +1,188 @@
|
||||
+#include <signal.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/wait.h>
|
||||
+#include <sys/mount.h>
|
||||
+#include <pwd.h>
|
||||
+#define _GNU_SOURCE
|
||||
+#include <sched.h>
|
||||
+#include <string.h>
|
||||
+#include <stdio.h>
|
||||
+#include <unistd.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <cap-ng.h>
|
||||
+#include <getopt.h> /* for getopt_long() form of getopt() */
|
||||
+
|
||||
+random.seed(None)
|
||||
+#include <selinux/selinux.h>
|
||||
+#include <selinux/context.h> /* for context-mangling functions */
|
||||
+
|
||||
+def mount(src, context):
|
||||
+ destdir="/mnt/%s" % context
|
||||
+ os.mkdir(destdir)
|
||||
+ print 'mount -n -o "context=%s" %s %s' % (context, src, destdir)
|
||||
+ os.chdir(destdir)
|
||||
+/**
|
||||
+ * This function will drop the capabilities so that we are left
|
||||
+ * only with access to the audit system and the ability to raise
|
||||
+ * CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_FOWNER and CAP_CHOWN,
|
||||
+ * before invoking unshare and mounting a couple of directories.
|
||||
+ * These capabilities are needed for performing bind mounts/unmounts
|
||||
+ * and to create potential new instance directories with appropriate
|
||||
+ * DAC attributes.
|
||||
+ *
|
||||
+ * Returns zero on success, non-zero otherwise
|
||||
+ */
|
||||
+static int drop_capabilities(int all)
|
||||
+{
|
||||
+ capng_clear(CAPNG_SELECT_BOTH);
|
||||
+
|
||||
+def umount(dest):
|
||||
+ os.chdir("/")
|
||||
+ destdir="/mnt/%s" % dest
|
||||
+ print ('umount -n %s' % destdir)
|
||||
+ os.rmdir(destdir)
|
||||
+ if (all) {
|
||||
+ if ((getuid() == 0) && (capng_lock() < 0))
|
||||
+ return -1;
|
||||
+ } else {
|
||||
+ if (capng_updatev(CAPNG_ADD, CAP_DAC_OVERRIDE|CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_ADMIN, -1) < 0)
|
||||
+ return -1;
|
||||
+
|
||||
+ }
|
||||
+
|
||||
+def reserve(mcs):
|
||||
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
||||
+ sock.bind("\0%s" % mcs)
|
||||
+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
|
||||
+ return capng_apply(CAPNG_SELECT_BOTH);
|
||||
+}
|
||||
+
|
||||
+def gen_context(type):
|
||||
+ while True:
|
||||
+ i1 = random.randrange(0,1024)
|
||||
+ i2 = random.randrange(0,1024)
|
||||
+ if i1 == i2:
|
||||
+ continue
|
||||
+ if i1 > i2:
|
||||
+ tmp = i1
|
||||
+ i1 = i2
|
||||
+ i2 = tmp
|
||||
+ mcs = "s0:c%d,c%d" % (i1, i2)
|
||||
+ reserve(mcs)
|
||||
+ try:
|
||||
+ reserve(mcs)
|
||||
+ except:
|
||||
+ continue
|
||||
+ break
|
||||
+ con = selinux.getcon()[1].split(":")
|
||||
+#define DEFAULT_PATH "/usr/bin:/bin"
|
||||
+#define TRUE 1
|
||||
+#define FALSE 0
|
||||
+
|
||||
+ execcon="%s:%s:%s:%s" % (con[0], con[1], type, mcs)
|
||||
+/**
|
||||
+ * Take care of any signal setup
|
||||
+ */
|
||||
+static int set_signal_handles()
|
||||
+{
|
||||
+ sigset_t empty;
|
||||
+
|
||||
+ filecon="%s:%s:%s:%s" % (con[0], "object_r", "%s_file_t" % type[:-2], mcs)
|
||||
+ return execcon, filecon
|
||||
+ /* Empty the signal mask in case someone is blocking a signal */
|
||||
+ if (sigemptyset(&empty)) {
|
||||
+ fprintf(stderr, "Unable to obtain empty signal set\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ (void)sigprocmask(SIG_SETMASK, &empty, NULL);
|
||||
+
|
||||
+type = "sandbox_t"
|
||||
+mount_src = None
|
||||
+gopts, cmds = getopt.getopt(sys.argv[1:],"t:m:",
|
||||
+ ["type",
|
||||
+ "mount"])
|
||||
+for o, a in gopts:
|
||||
+ if o == "-t" or o == "--type":
|
||||
+ type = a
|
||||
+ if o == "-m" or o == "--mount":
|
||||
+ mount_src = a
|
||||
+ /* Terminate on SIGHUP. */
|
||||
+ if (signal(SIGHUP, SIG_DFL) == SIG_ERR) {
|
||||
+ perror("Unable to set SIGHUP handler");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+execcon, filecon = gen_context(type)
|
||||
+selinux.setexeccon(execcon)
|
||||
+ return 0;
|
||||
+}
|
||||
+#define USAGE_STRING "USAGE: seunshare [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] "
|
||||
+
|
||||
+if mount_src != None:
|
||||
+ mount(mount_src, filecon)
|
||||
+ umount(filecon)
|
||||
+os.execvp(cmds[0], cmds)
|
||||
+int main(int argc, char **argv) {
|
||||
+ int rc;
|
||||
+ int status = -1;
|
||||
+
|
||||
+ struct passwd *pwd=getpwuid(getuid());
|
||||
+ security_context_t scontext;
|
||||
+
|
||||
+ int flag_index; /* flag index in argv[] */
|
||||
+ int clflag; /* holds codes for command line flags */
|
||||
+ char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */
|
||||
+ char *homedir_s = NULL; /* homedir spec'd by user in argv[] */
|
||||
+
|
||||
+ const struct option long_options[] = {
|
||||
+ {"homedir", 1, 0, 'h'},
|
||||
+ {"tmpdir", 1, 0, 't'},
|
||||
+ {NULL, 0, 0, 0}
|
||||
+ };
|
||||
+
|
||||
+ if (drop_capabilities(FALSE)) {
|
||||
+ perror("Failed to drop capabilities");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ while (1) {
|
||||
+ clflag = getopt_long(argc, argv, "h:t:", long_options,
|
||||
+ &flag_index);
|
||||
+ if (clflag == -1)
|
||||
+ break;
|
||||
+
|
||||
+ switch (clflag) {
|
||||
+ case 't':
|
||||
+ tmpdir_s = optarg;
|
||||
+ break;
|
||||
+ case 'h':
|
||||
+ homedir_s = optarg;
|
||||
+ break;
|
||||
+ default:
|
||||
+ fprintf(stderr, "%s\n", USAGE_STRING);
|
||||
+ return -1;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (! homedir_s && ! tmpdir_s) {
|
||||
+ fprintf(stderr, "Error: tmpdir and/or homedir required \n"
|
||||
+ "%s\n", USAGE_STRING);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (argc - optind < 2) {
|
||||
+ fprintf(stderr, "Error: executable required \n"
|
||||
+ "%s\n", USAGE_STRING);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ scontext = argv[optind++];
|
||||
+
|
||||
+ if (set_signal_handles())
|
||||
+ return -1;
|
||||
+
|
||||
+ if (unshare(CLONE_NEWNS) < 0) {
|
||||
+ perror("Failed to unshare");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (homedir_s && mount(homedir_s, pwd->pw_dir, NULL, MS_BIND, NULL) < 0) {
|
||||
+ perror("Failed to mount HOMEDIR");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (tmpdir_s && mount(tmpdir_s, "/tmp", NULL, MS_BIND, NULL) < 0) {
|
||||
+ perror("Failed to mount /tmp");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ if (drop_capabilities(TRUE)) {
|
||||
+ perror("Failed to drop all capabilities");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ int child = fork();
|
||||
+ if (!child) {
|
||||
+ /* Construct a new environment */
|
||||
+ char *display = strdup(getenv("DISPLAY"));
|
||||
+ if (!display) {
|
||||
+ perror("Out of memory");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+ if ((rc = clearenv())) {
|
||||
+ perror("Unable to clear environment");
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+
|
||||
+ if (setexeccon(scontext)) {
|
||||
+ fprintf(stderr, "Could not set exec context to %s.\n",
|
||||
+ scontext);
|
||||
+ exit(-1);
|
||||
+ }
|
||||
+
|
||||
+ rc |= setenv("DISPLAY", display, 1);
|
||||
+ rc |= setenv("HOME", pwd->pw_dir, 1);
|
||||
+ rc |= setenv("SHELL", pwd->pw_shell, 1);
|
||||
+ rc |= setenv("USER", pwd->pw_name, 1);
|
||||
+ rc |= setenv("LOGNAME", pwd->pw_name, 1);
|
||||
+ rc |= setenv("PATH", DEFAULT_PATH, 1);
|
||||
+
|
||||
+ chdir(pwd->pw_dir);
|
||||
+ execv(argv[optind], argv + optind);
|
||||
+ perror("execv");
|
||||
+ exit(-1);
|
||||
+ } else {
|
||||
+ waitpid(child, &status, 0);
|
||||
+ }
|
||||
+
|
||||
+ return status;
|
||||
+}
|
||||
Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.71/sandbox/seunshare.o differ
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.71/scripts/chcat
|
||||
--- nsapolicycoreutils/scripts/chcat 2009-06-23 15:36:07.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/scripts/chcat 2009-08-20 12:53:16.000000000 -0400
|
||||
@@ -435,6 +435,8 @@
|
||||
continue
|
||||
except ValueError, e:
|
||||
error(e)
|
||||
+ except OSError, e:
|
||||
+ error(e)
|
||||
|
||||
sys.exit(errors)
|
||||
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.71/scripts/Makefile
|
||||
--- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/scripts/Makefile 2009-08-26 10:04:11.000000000 -0400
|
||||
@@ -5,7 +5,7 @@
|
||||
MANDIR ?= $(PREFIX)/share/man
|
||||
LOCALEDIR ?= /usr/share/locale
|
||||
|
||||
-all: fixfiles genhomedircon
|
||||
+all: fixfiles genhomedircon chcat
|
||||
|
||||
install: all
|
||||
-mkdir -p $(BINDIR)
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.71/semanage/semanage
|
||||
--- nsapolicycoreutils/semanage/semanage 2009-08-19 16:35:03.000000000 -0400
|
||||
+++ policycoreutils-2.0.71/semanage/semanage 2009-08-20 12:53:16.000000000 -0400
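Review bot: seunshare.c keeps the effective uid it gets from the `install -m 4755` setuid-root install all the way to `execv(argv[optind], argv + optind)`: `drop_capabilities(TRUE)` only clears capabilities, `capng_lock()` is reached only when the real uid is 0, and there is no `setuid`/`setresuid` anywhere in the file, so as far as this hunk shows the sandboxed command runs with euid 0; the fence below drops to the caller with a checked `setuid(getuid())` after the final capability drop, and `homedir_s`/`tmpdir_s`, which come straight from the unprivileged caller, should be `stat()`-checked to be directories owned by `getuid()` before the `MS_BIND` mounts. Still in seunshare.c, `strdup(getenv("DISPLAY"))` passes NULL to strdup when DISPLAY is unset (and reports it as "Out of memory"), `pwd` from `getpwuid()` is dereferenced without a NULL check, `capng_updatev(CAPNG_ADD, CAP_DAC_OVERRIDE|CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_ADMIN, -1)` ORs CAP_DAC_OVERRIDE into the type argument instead of listing it as a capability so only CAP_SYS_ADMIN is raised despite the comment above it, and `#define _GNU_SOURCE` sits after several includes, so `unshare()` may not be declared. In the sandbox script (hunk `@ -1306,121 +1340,315 @@`), `os.tempnam(...)` with warnings silenced should become `tempfile.mkdtemp(prefix=".sandbox", dir="/tmp")` (and `dir="."` for the home directory), and if `os.mkdir(newhomedir)` fails the `finally:` block calls `shutil.rmtree` on a directory this run never created and then hits `newtmpdir` before it is assigned. Smaller points in the same script: `fd.close` in the `-I` branch never calls close, the second `except OSError, error:` at the end is unreachable, and `copyfile` uses `re.sub(dir, dest, dname)` and `file.startswith(dir)` with a path as pattern and prefix, where `dest + dname[len(dir):]` and a check against `dir + "/"` would avoid matching `/home/user2` for `/home/user`.
```c
	if (drop_capabilities(TRUE)) {
		perror("Failed to drop all capabilities");
		return -1;
	}
	/* Give up the setuid-root identity for good before running anything on the caller's behalf. */
	if (setuid(getuid()) < 0) {
		perror("Failed to drop privileges");
		return -1;
	}
	/* … unchanged: fork(), environment rebuild, setexeccon(), execv() … */
```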
|
||||
|
@ -6,7 +6,7 @@
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.0.71
|
||||
Release: 10%{?dist}
|
||||
Release: 11%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||
@ -19,6 +19,7 @@ Source5: system-config-selinux.console
|
||||
Source6: selinux-polgengui.desktop
|
||||
Source7: selinux-polgengui.console
|
||||
Source8: policycoreutils_man_ru2.tar.bz2
|
||||
Source9: sandbox.init
|
||||
Patch: policycoreutils-rhat.patch
|
||||
Patch1: policycoreutils-po.patch
|
||||
Patch3: policycoreutils-gui.patch
|
||||
@ -72,6 +73,8 @@ mkdir -p %{buildroot}%{_mandir}/man1
|
||||
mkdir -p %{buildroot}%{_mandir}/man8
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/pam.d
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/rc.d/init.d
|
||||
install -m0755 %{SOURCE9} %{buildroot}/%{_sysconfdir}/rc.d/init.d/sandbox
|
||||
|
||||
make LSPP_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
|
||||
make -C sepolgen-%{sepolgenver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
|
||||
@ -137,10 +140,36 @@ The policycoreutils-python package contains the management tools use to manage a
|
||||
[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen
|
||||
exit 0
|
||||
|
||||
%package sandbox
|
||||
Summary: SELinux sandbox utilities
|
||||
Group: System Environment/Base
|
||||
Requires: policycoreutils-python = %{version}-%{release}
|
||||
Requires: xorg-x11-server-Xephyr
|
||||
Requires: matchbox-window-manager
|
||||
Requiers(post): /sbin/chkconfig
|
||||
|
||||
%description sandbox
|
||||
The policycoreutils-python package contains the scripts to create graphical sandboxes
|
||||
|
||||
%files sandbox
|
||||
%{_sysconfdir}/rc.d/init.d/sandbox
|
||||
%{_mandir}/man8/sandbox.8*
|
||||
%{_sbindir}/seunshare
|
||||
%{_datadir}/sandbox/sandboxX.sh
|
||||
|
||||
%triggerin python -- selinux-policy
|
||||
[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen
|
||||
exit 0
|
||||
|
||||
%post sandbox
|
||||
if [ $1 -eq 1 ]; then
|
||||
/sbin/chkconfig sanbox --add
|
||||
fi
|
||||
%preun sandbox
|
||||
if [ $1 -eq 0 ]; then
|
||||
/sbin/chkconfig sanbox --del
|
||||
fi
|
||||
|
||||
%package newrole
|
||||
Summary: The newrole application for RBAC/MLS
|
||||
Group: System Environment/Base
|
||||
@ -265,6 +294,9 @@ fi
|
||||
exit 0
|
||||
|
||||
%changelog
|
||||
* Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-11
|
||||
- Add sandboxX
|
||||
|
||||
* Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-10
|
||||
- Fix realpath usage to only happen on argv input from user
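Review bot: `Requiers(post): /sbin/chkconfig` in the new `%package sandbox` block is a misspelled tag, so rpmbuild will reject the spec; it should read `Requires(post): /sbin/chkconfig`, with a matching `Requires(preun): /sbin/chkconfig` for the `%preun sandbox` scriptlet. Both scriptlets also call `/sbin/chkconfig sanbox --add` / `--del`, which does not match the init script installed as `%{_sysconfdir}/rc.d/init.d/sandbox`, so the service is never registered or removed. The `%description sandbox` text still names the policycoreutils-python package; `The policycoreutils-sandbox package contains the scripts to create graphical sandboxes` would be accurate.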