sandbox init script should always return 0
sandbox command needs to check range of categories and report error if not big enough
This commit is contained in:
parent
e71cb0d5d0
commit
35a1c24b59
@ -111,10 +111,56 @@ index 1c458f1..96c6795 100644
|
||||
install -m 4755 seunshare $(SBINDIR)/
|
||||
-mkdir -p $(SHAREDIR)
|
||||
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
|
||||
index 486cd4e..cdd4293 100644
|
||||
index 486cd4e..a21e508 100644
|
||||
--- a/policycoreutils/sandbox/sandbox
|
||||
+++ b/policycoreutils/sandbox/sandbox
|
||||
@@ -160,6 +160,17 @@ class Sandbox:
|
||||
@@ -118,10 +118,30 @@ def reserve(level):
|
||||
sock.bind("\0%s" % level)
|
||||
fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
|
||||
|
||||
+def get_range():
|
||||
+ try:
|
||||
+ level =selinux.getcon_raw()[1].split(":")[4]
|
||||
+ lowc,highc = level.split(".")
|
||||
+ low = int(lowc[1:])
|
||||
+ high = int(highc[1:])+1
|
||||
+ if high - low < 100:
|
||||
+ raise IndexError
|
||||
+
|
||||
+ return low,high
|
||||
+ except IndexError:
|
||||
+ raise ValueError(_("User account must be setup with an MCS Range with more then 100 categories"))
|
||||
+
|
||||
def gen_mcs():
|
||||
- while True:
|
||||
- i1 = random.randrange(0, 1024)
|
||||
- i2 = random.randrange(0, 1024)
|
||||
+ low, high = get_range()
|
||||
+
|
||||
+ level = None
|
||||
+ ctr = 0
|
||||
+ total = high-low
|
||||
+ total = (total * total)/2 - total
|
||||
+ while ctr < total:
|
||||
+ ctr += 1
|
||||
+ i1 = random.randrange(low, high)
|
||||
+ i2 = random.randrange(low, high)
|
||||
if i1 == i2:
|
||||
continue
|
||||
if i1 > i2:
|
||||
@@ -134,7 +154,10 @@ def gen_mcs():
|
||||
except socket.error:
|
||||
continue
|
||||
break
|
||||
- return level
|
||||
+ if level:
|
||||
+ return level
|
||||
+ raise ValueError(_("Failed to find any unused categories"))
|
||||
+
|
||||
|
||||
def fullpath(cmd):
|
||||
for i in [ "/", "./", "../" ]:
|
||||
@@ -160,6 +183,17 @@ class Sandbox:
|
||||
self.__level = None
|
||||
self.__homedir = None
|
||||
self.__tmpdir = None
|
||||
@ -132,7 +178,7 @@ index 486cd4e..cdd4293 100644
|
||||
|
||||
def __validate_mount(self):
|
||||
if self.__options.level:
|
||||
@@ -278,6 +289,9 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
|
||||
@@ -278,6 +312,9 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
|
||||
action="callback", callback=self.__mount_callback,
|
||||
help=_("mount new home and/or tmp directory"))
|
||||
|
||||
@ -142,7 +188,7 @@ index 486cd4e..cdd4293 100644
|
||||
parser.add_option("-S", "--session", action="store_true", dest="session",
|
||||
default=False, help=_("run complete desktop session within sandbox"))
|
||||
|
||||
@@ -322,7 +336,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
|
||||
@@ -322,7 +359,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
|
||||
|
||||
if self.__options.X_ind:
|
||||
self.setype = DEFAULT_X_TYPE
|
||||
@ -151,7 +197,7 @@ index 486cd4e..cdd4293 100644
|
||||
if self.__options.setype:
|
||||
self.setype = self.__options.setype
|
||||
|
||||
@@ -408,7 +422,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
|
||||
@@ -408,7 +445,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
|
||||
|
||||
self.__setup_sandboxrc(self.__options.wm)
|
||||
|
||||
@ -281,7 +327,7 @@ index b3ee67d..0000000
|
||||
-This manual page was written by
|
||||
-.I Thomas Liu <tliu@fedoraproject.org>
|
||||
diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init
|
||||
index d1ccdc2..11c391c 100644
|
||||
index d1ccdc2..b3979bf 100644
|
||||
--- a/policycoreutils/sandbox/sandbox.init
|
||||
+++ b/policycoreutils/sandbox/sandbox.init
|
||||
@@ -19,6 +19,7 @@
|
||||
@ -292,6 +338,15 @@ index d1ccdc2..11c391c 100644
|
||||
|
||||
LOCKFILE=/var/lock/subsys/sandbox
|
||||
|
||||
@@ -27,7 +28,7 @@ base=${0##*/}
|
||||
start() {
|
||||
echo -n "Starting sandbox"
|
||||
|
||||
- [ -f "$LOCKFILE" ] && return 1
|
||||
+ [ -f "$LOCKFILE" ] && return 0
|
||||
|
||||
touch $LOCKFILE
|
||||
mount --make-rshared / || return $?
|
||||
diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
|
||||
index ab696a7..58b19cd 100644
|
||||
--- a/policycoreutils/scripts/genhomedircon
|
||||
|
@ -7,7 +7,7 @@
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.1.8
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2
|
||||
Group: System Environment/Base
|
||||
# Based on git repository with tag 20101221
|
||||
@ -352,6 +352,10 @@ fi
|
||||
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
|
||||
|
||||
%changelog
|
||||
* Fri Nov 11 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-4
|
||||
- sandbox init script should always return 0
|
||||
- sandbox command needs to check range of categories and report error if not big enough
|
||||
|
||||
* Mon Nov 7 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-3
|
||||
- Allow user to specify DPI when running sandbox
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user