sandbox init script should always return 0
sandbox command needs to check range of categories and report error if not big enough
parent
e71cb0d5d0
commit
35a1c24b59
@ -111,10 +111,56 @@ index 1c458f1..96c6795 100644
|
|||||||
install -m 4755 seunshare $(SBINDIR)/
|
install -m 4755 seunshare $(SBINDIR)/
|
||||||
-mkdir -p $(SHAREDIR)
|
-mkdir -p $(SHAREDIR)
|
||||||
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
|
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
|
||||||
index 486cd4e..cdd4293 100644
|
index 486cd4e..a21e508 100644
|
||||||
--- a/policycoreutils/sandbox/sandbox
|
--- a/policycoreutils/sandbox/sandbox
|
||||||
+++ b/policycoreutils/sandbox/sandbox
|
+++ b/policycoreutils/sandbox/sandbox
|
||||||
@@ -160,6 +160,17 @@ class Sandbox:
|
@@ -118,10 +118,30 @@ def reserve(level):
|
||||||
|
sock.bind("\0%s" % level)
|
||||||
|
fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
|
||||||
|
|
||||||
|
+def get_range():
|
||||||
|
+ try:
|
||||||
|
+ level =selinux.getcon_raw()[1].split(":")[4]
|
||||||
|
+ lowc,highc = level.split(".")
|
||||||
|
+ low = int(lowc[1:])
|
||||||
|
+ high = int(highc[1:])+1
|
||||||
|
+ if high - low < 100:
|
||||||
|
+ raise IndexError
|
||||||
|
+
|
||||||
|
+ return low,high
|
||||||
|
+ except IndexError:
|
||||||
|
+ raise ValueError(_("User account must be setup with an MCS Range with more then 100 categories"))
|
||||||
|
+
|
||||||
|
def gen_mcs():
|
||||||
|
- while True:
|
||||||
|
- i1 = random.randrange(0, 1024)
|
||||||
|
- i2 = random.randrange(0, 1024)
|
||||||
|
+ low, high = get_range()
|
||||||
|
+
|
||||||
|
+ level = None
|
||||||
|
+ ctr = 0
|
||||||
|
+ total = high-low
|
||||||
|
+ total = (total * total)/2 - total
|
||||||
|
+ while ctr < total:
|
||||||
|
+ ctr += 1
|
||||||
|
+ i1 = random.randrange(low, high)
|
||||||
|
+ i2 = random.randrange(low, high)
|
||||||
|
if i1 == i2:
|
||||||
|
continue
|
||||||
|
if i1 > i2:
|
||||||
|
@@ -134,7 +154,10 @@ def gen_mcs():
|
||||||
|
except socket.error:
|
||||||
|
continue
|
||||||
|
break
|
||||||
|
- return level
|
||||||
|
+ if level:
|
||||||
|
+ return level
|
||||||
|
+ raise ValueError(_("Failed to find any unused categories"))
|
||||||
|
+
|
||||||
|
|
||||||
|
def fullpath(cmd):
|
||||||
|
for i in [ "/", "./", "../" ]:
|
||||||
|
@@ -160,6 +183,17 @@ class Sandbox:
|
||||||
self.__level = None
|
self.__level = None
|
||||||
self.__homedir = None
|
self.__homedir = None
|
||||||
self.__tmpdir = None
|
self.__tmpdir = None
|
||||||
@ -132,7 +178,7 @@ index 486cd4e..cdd4293 100644
|
|||||||
|
|
||||||
def __validate_mount(self):
|
def __validate_mount(self):
|
||||||
if self.__options.level:
|
if self.__options.level:
|
||||||
@@ -278,6 +289,9 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
|
@@ -278,6 +312,9 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
|
||||||
action="callback", callback=self.__mount_callback,
|
action="callback", callback=self.__mount_callback,
|
||||||
help=_("mount new home and/or tmp directory"))
|
help=_("mount new home and/or tmp directory"))
|
||||||
|
|
||||||
@ -142,7 +188,7 @@ index 486cd4e..cdd4293 100644
|
|||||||
parser.add_option("-S", "--session", action="store_true", dest="session",
|
parser.add_option("-S", "--session", action="store_true", dest="session",
|
||||||
default=False, help=_("run complete desktop session within sandbox"))
|
default=False, help=_("run complete desktop session within sandbox"))
|
||||||
|
|
||||||
@@ -322,7 +336,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
|
@@ -322,7 +359,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
|
||||||
|
|
||||||
if self.__options.X_ind:
|
if self.__options.X_ind:
|
||||||
self.setype = DEFAULT_X_TYPE
|
self.setype = DEFAULT_X_TYPE
|
||||||
@ -151,7 +197,7 @@ index 486cd4e..cdd4293 100644
|
|||||||
if self.__options.setype:
|
if self.__options.setype:
|
||||||
self.setype = self.__options.setype
|
self.setype = self.__options.setype
|
||||||
|
|
||||||
@@ -408,7 +422,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
|
@@ -408,7 +445,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
|
||||||
|
|
||||||
self.__setup_sandboxrc(self.__options.wm)
|
self.__setup_sandboxrc(self.__options.wm)
|
||||||
|
|
||||||
@ -281,7 +327,7 @@ index b3ee67d..0000000
|
|||||||
-This manual page was written by
|
-This manual page was written by
|
||||||
-.I Thomas Liu <tliu@fedoraproject.org>
|
-.I Thomas Liu <tliu@fedoraproject.org>
|
||||||
diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init
|
diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init
|
||||||
index d1ccdc2..11c391c 100644
|
index d1ccdc2..b3979bf 100644
|
||||||
--- a/policycoreutils/sandbox/sandbox.init
|
--- a/policycoreutils/sandbox/sandbox.init
|
||||||
+++ b/policycoreutils/sandbox/sandbox.init
|
+++ b/policycoreutils/sandbox/sandbox.init
|
||||||
@@ -19,6 +19,7 @@
|
@@ -19,6 +19,7 @@
|
||||||
@ -292,6 +338,15 @@ index d1ccdc2..11c391c 100644
|
|||||||
|
|
||||||
LOCKFILE=/var/lock/subsys/sandbox
|
LOCKFILE=/var/lock/subsys/sandbox
|
||||||
|
|
||||||
|
@@ -27,7 +28,7 @@ base=${0##*/}
|
||||||
|
start() {
|
||||||
|
echo -n "Starting sandbox"
|
||||||
|
|
||||||
|
- [ -f "$LOCKFILE" ] && return 1
|
||||||
|
+ [ -f "$LOCKFILE" ] && return 0
|
||||||
|
|
||||||
|
touch $LOCKFILE
|
||||||
|
mount --make-rshared / || return $?
|
||||||
diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
|
diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
|
||||||
index ab696a7..58b19cd 100644
|
index ab696a7..58b19cd 100644
|
||||||
--- a/policycoreutils/scripts/genhomedircon
|
--- a/policycoreutils/scripts/genhomedircon
|
||||||
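Review bot: In `gen_mcs` (policycoreutils/sandbox/sandbox), the new `if level: return level` after the loop can hand back a category pair that was never reserved. `level` is set to `None` only once, before the loop; the assignment and the `reserve(level)` call sit in the lines between the two hunks, so this is inferred, but if `level` is assigned before `reserve()` is tried, a `socket.error` on the last attempt leaves the failed value in `level` and the "Failed to find any unused categories" error is never raised. Two sandboxes could then run with the same MCS pair, which removes the separation the pair is meant to provide; resetting it in the handler (`level = None` on the line before `continue` under `except socket.error:`) closes that path. Separately, `get_range` catches only `IndexError`, so a context whose category field is not a single `cN.cM` range fails in `lowc,highc = level.split(".")` or in `int(...)` with an untranslated `ValueError`; `except (IndexError, ValueError):` would route those cases to the intended message.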
|
@ -7,7 +7,7 @@
|
|||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.1.8
|
Version: 2.1.8
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
# Based on git repository with tag 20101221
|
# Based on git repository with tag 20101221
|
||||||
@ -352,6 +352,10 @@ fi
|
|||||||
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
|
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Nov 11 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-4
|
||||||
|
- sandbox init script should always return 0
|
||||||
|
- sandbox command needs to check range of categories and report error if not big enough
|
||||||
|
|
||||||
* Mon Nov 7 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-3
|
* Mon Nov 7 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-3
|
||||||
- Allow user to specify DPI when running sandbox
|
- Allow user to specify DPI when running sandbox
|
||||||
|
|
||||||
|