rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Tue May 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-3

Browse Source 
- Fix sandbox to be able to execute files in homedir
This commit is contained in:
Daniel J Walsh 2009-05-26 16:58:40 +00:00
parent e785375a96
commit 61c2d77e4e
2 changed files with 40 additions and 48 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
policycoreutils-rhat.patch
View File

@ -1272,8 +1272,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
-mkdir -p $(MANDIR)/man8
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.63/scripts/sandbox
--- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.63/scripts/sandbox 2009-05-22 13:59:22.000000000 -0400
@@ -0,0 +1,149 @@
+++ policycoreutils-2.0.63/scripts/sandbox 2009-05-26 12:30:25.000000000 -0400
@@ -0,0 +1,138 @@
+#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl
+import selinux
@ -1365,8 +1365,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
+
+ setype = "sandbox_t"
+ mount_ind = False
+ gopts, cmds = getopt.getopt(sys.argv[1:], "t:m",
+ ["type=",
+ try:
+ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m",
+ ["help",
+ "type=",
+ "mount"])
+ for o, a in gopts:
+ if o == "-t" or o == "--type":
@ -1374,15 +1376,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
+
+ if o == "-m" or o == "--mount":
+ mount_ind = True
+
+ if o == "-h" or o == "--help":
+ usage(_("Usage"));
+
+ if len(cmds) == 0:
+ usage(_("Command required"))
+
+ os.chdir("/")
+ execcon, filecon = gen_context(setype)
+ rc = -1
+ try:
+ if mount_ind:
+ mount(filecon)
+
@ -1393,27 +1394,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
+ cmds[0] = f
+ break
+
+ setype = selinux.getfilecon(cmds[0])[1].split(":")[2]
+ if setype == "user_home_t" or setype == "user_tmp_t":
+ error_exit(_("""
+Sandboxed applications can not read/execute files labeled as user content; (%s)
+Temporarily label '%s" as bin_t, if you want it to run it under a sandbox.
+
+chcon -t bin_t %s
+
+restorecon %s
+
+Will set the executable back to the correct context.
+""") % (setype, cmds[0], cmds[0], cmds[0]) )
+
+ selinux.setexeccon(execcon)
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(None)
+
+ if mount_ind:
+ umount(filecon)
+
+ except getopt.error, error:
+ except getopt.GetoptError, error:
+ usage(_("Options Error %s ") % error.msg)
+ except ValueError, error:
+ error_exit(error.args[0])
@ -1421,6 +1408,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
+ error_exit(_("Invalid value %s") % error.args[0])
+ except IOError, error:
+ error_exit(error.args[1])
+ except OSError, error:
+ error_exit(error.args[1])
+
+ sys.exit(rc)
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.63/scripts/sandbox.8

5
policycoreutils.spec
View File

@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.63
Release: 2%{?dist}
Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -226,6 +226,9 @@ else
fi
%changelog
* Tue May 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-3
- Fix sandbox to be able to execute files in homedir
* Fri May 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-2
- Change polgen.py to be able to generate policy