Add umount code to seunshare to cleanup left over mounts of /var/tmp
parent
414b6a904d
commit
6525007747
@ -63,27 +63,66 @@ index 89f5d97..dfd9629 100644
|
|||||||
|
|
||||||
restore_init(&r_opts);
|
restore_init(&r_opts);
|
||||||
diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
|
diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
|
||||||
index 9db766c..068e24c 100644
|
index 9db766c..92034be 100644
|
||||||
--- a/policycoreutils/run_init/run_init.c
|
--- a/policycoreutils/run_init/run_init.c
|
||||||
+++ b/policycoreutils/run_init/run_init.c
|
+++ b/policycoreutils/run_init/run_init.c
|
||||||
@@ -414,10 +414,17 @@ int main(int argc, char *argv[])
|
@@ -406,6 +406,13 @@ int main(int argc, char *argv[])
|
||||||
* execvp or using a exec(1) recycles pty's, and does not open a new
|
new_context);
|
||||||
* one.
|
|
||||||
*/
|
|
||||||
+#ifdef USE_OPEN_INIT_PTY
|
|
||||||
if (execvp("/usr/sbin/open_init_pty", argv)) {
|
|
||||||
perror("execvp");
|
|
||||||
exit(-1);
|
exit(-1);
|
||||||
}
|
}
|
||||||
+#else
|
+ if (! access("/usr/sbin/open_init_pty", X_OK)) {
|
||||||
+ if (execvp(argv[1], argv + 1)) {
|
+ if (execvp(argv[1], argv + 1)) {
|
||||||
+ perror("execvp");
|
+ perror("execvp");
|
||||||
+ exit(-1);
|
+ exit(-1);
|
||||||
|
+ }
|
||||||
|
+ return 0;
|
||||||
+ }
|
+ }
|
||||||
+#endif
|
/*
|
||||||
return 0;
|
* Do not execvp the command directly from run_init; since it would run
|
||||||
|
* under with a pty under sysadm_devpts_t. Instead, we call open_init_tty,
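Review bot: The test `if (! access("/usr/sbin/open_init_pty", X_OK))` on the new side looks inverted. access() returns 0 when the helper exists and is executable, so the direct `execvp(argv[1], argv + 1)` runs exactly when open_init_pty is available, and the fall-through to the helper is reached only when it is missing. The comment that follows says the command must not be exec'd directly because it would get a pty under sysadm_devpts_t, so the direct exec is presumably meant as the fallback: `if (access("/usr/sbin/open_init_pty", X_OK) != 0) {`. A short comment above the branch, such as `/* helper not installed: fall back to exec'ing the command directly */`, would make the intent checkable. main() starts and ends outside the hunk.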
|
||||||
|
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
|
||||||
|
index c493e98..0bc35f3 100644
|
||||||
|
--- a/policycoreutils/sandbox/seunshare.c
|
||||||
|
+++ b/policycoreutils/sandbox/seunshare.c
|
||||||
|
@@ -59,7 +59,7 @@ static int verbose = 0;
|
||||||
|
static int child = 0;
|
||||||
|
|
||||||
|
static capng_select_t cap_set = CAPNG_SELECT_BOTH;
|
||||||
|
-
|
||||||
|
+static int var_tmp_mounted = 0;
|
||||||
|
/**
|
||||||
|
* This function will drop all capabilities.
|
||||||
|
*/
|
||||||
|
@@ -292,6 +292,8 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
|
||||||
|
fprintf(stderr, _("Failed to mount /var/tmp on /var/tmp: %s\n"), strerror(errno));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+ var_tmp_mounted = 1;
|
||||||
|
+
|
||||||
|
if (mount("/var/tmp", "/var/tmp", NULL, MS_PRIVATE | flags, NULL) < 0) {
|
||||||
|
fprintf(stderr, _("Failed to make /var/tmp private: %s\n"), strerror(errno));
|
||||||
|
return -1;
|
||||||
|
@@ -1031,12 +1033,18 @@ childerr:
|
||||||
|
exit(-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
- drop_caps();
|
||||||
|
-
|
||||||
|
/* parent waits for child exit to do the cleanup */
|
||||||
|
waitpid(child, &status, 0);
|
||||||
|
status_to_retval(status, status);
|
||||||
|
|
||||||
|
+ if (var_tmp_mounted) {
|
||||||
|
+ /* attempt to umount /var/tmp twice on exit */
|
||||||
|
+ if (umount("/var/tmp") < 0) perror("umount /var/tmp");
|
||||||
|
+ if (umount("/var/tmp") < 0) perror("umount /var/tmp");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ drop_caps();
|
||||||
|
+
|
||||||
|
/* Make sure all child processes exit */
|
||||||
|
kill(-child,SIGTERM);
|
||||||
|
|
||||||
} /* main() */
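Review bot: The cleanup block added to main() calls `umount("/var/tmp")` twice whenever `var_tmp_mounted` is non-zero, but seunshare_mount() sets the flag after only the first mount() has succeeded. The MS_PRIVATE call that follows may not stack a second mount (`flags` is defined outside the hunk), so the second umount can hit whatever was mounted on /var/tmp before seunshare ran. Counting successful mounts with `var_tmp_mounted++` and unmounting that many times would limit the cleanup to what this process created. If seunshare_mount() is called in the forked child (the call site is not visible here), the parent's copy of the flag stays 0 and the block never runs, which is worth confirming. Moving `drop_caps()` below `waitpid()` also leaves the parent holding its capabilities for the child's whole lifetime, so a comment naming the capability the umount needs and why the drop is deferred would help.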
|
|
||||||
diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
|
diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
|
||||||
index ab696a7..58b19cd 100644
|
index ab696a7..58b19cd 100644
|
||||||
--- a/policycoreutils/scripts/genhomedircon
|
--- a/policycoreutils/scripts/genhomedircon
|
||||||
|
@ -7,7 +7,7 @@
|
|||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.1.10
|
Version: 2.1.10
|
||||||
Release: 1%{?dist}
|
Release: 3%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
# Based on git repository with tag 20101221
|
# Based on git repository with tag 20101221
|
||||||
@ -107,6 +107,10 @@ install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/selinux-polgengui
|
|||||||
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux
|
install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux
|
||||||
tar -jxf %{SOURCE8} -C %{buildroot}/
|
tar -jxf %{SOURCE8} -C %{buildroot}/
|
||||||
rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz
|
rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz
|
||||||
|
rm -f %{buildroot}/usr/share/man/ru/man8/open_init_pty.8.gz
|
||||||
|
rm -f %{buildroot}/usr/share/man/man8/open_init_pty.8
|
||||||
|
rm -f %{buildroot}/usr/sbin/open_init_pty
|
||||||
|
|
||||||
ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux
|
ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux
|
||||||
ln -sf /usr/share/system-config-selinux/polgengui.py %{buildroot}%{_bindir}/selinux-polgengui
|
ln -sf /usr/share/system-config-selinux/polgengui.py %{buildroot}%{_bindir}/selinux-polgengui
|
||||||
%{__mkdir} -p %{buildroot}%{_sysconfdir}/bash_completion.d/
|
%{__mkdir} -p %{buildroot}%{_sysconfdir}/bash_completion.d/
|
||||||
@ -267,7 +271,6 @@ rm -rf %{buildroot}
|
|||||||
%{_sbindir}/semodule
|
%{_sbindir}/semodule
|
||||||
%{_sbindir}/sestatus
|
%{_sbindir}/sestatus
|
||||||
%{_sbindir}/run_init
|
%{_sbindir}/run_init
|
||||||
%{_sbindir}/open_init_pty
|
|
||||||
%{_bindir}/secon
|
%{_bindir}/secon
|
||||||
%{_bindir}/semodule_deps
|
%{_bindir}/semodule_deps
|
||||||
%{_bindir}/semodule_expand
|
%{_bindir}/semodule_expand
|
||||||
@ -285,8 +288,6 @@ rm -rf %{buildroot}
|
|||||||
%{_mandir}/ru/man8/fixfiles.8*
|
%{_mandir}/ru/man8/fixfiles.8*
|
||||||
%{_mandir}/man8/load_policy.8*
|
%{_mandir}/man8/load_policy.8*
|
||||||
%{_mandir}/ru/man8/load_policy.8*
|
%{_mandir}/ru/man8/load_policy.8*
|
||||||
%{_mandir}/man8/open_init_pty.8*
|
|
||||||
%{_mandir}/ru/man8/open_init_pty.8*
|
|
||||||
%{_mandir}/man8/restorecon.8*
|
%{_mandir}/man8/restorecon.8*
|
||||||
%{_mandir}/ru/man8/restorecon.8*
|
%{_mandir}/ru/man8/restorecon.8*
|
||||||
%{_mandir}/man8/run_init.8*
|
%{_mandir}/man8/run_init.8*
|
||||||
@ -355,6 +356,12 @@ fi
|
|||||||
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
|
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Dec 22 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.10-3
|
||||||
|
- Add umount code to seunshare to cleanup left over mounts of /var/tmp
|
||||||
|
|
||||||
|
* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.10-2
|
||||||
|
- Remove open_init_pty
|
||||||
|
|
||||||
* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.10-1
|
* Wed Dec 21 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.10-1
|
||||||
-Update to upstream
|
-Update to upstream
|
||||||
- sepolgen
|
- sepolgen
|
||||||
|