diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 153e0a3..71c8c3f 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1664,7 +1664,7 @@ index ff0ee7c..0c8a085 100644 test: @python test_sandbox.py -v diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox -index 48a26c2..b1e683b 100644 +index 48a26c2..41a3204 100644 --- a/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox @@ -1,5 +1,6 @@ @@ -1835,13 +1835,17 @@ index 48a26c2..b1e683b 100644 parser.add_option("-W", "--windowmanager", dest="wm", type="string", default="/usr/bin/matchbox-window-manager -use_titlebar no", -@@ -276,13 +309,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- +@@ -276,13 +309,21 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- parser.add_option("-l", "--level", dest="level", help=_("MCS/MLS level for the sandbox")) -+ parser.add_option("-C", "--cgroups", ++ parser.add_option("-c", "--cgroups", + action="store_true", dest="usecgroup", default=False, + help="Use cgroups to limit this sandbox.") ++ ++ parser.add_option("-C", "--capabilities", ++ action="store_true", dest="usecaps", default=False, ++ help="Allow apps requiring capabilities to run within the sandbox.") + self.__parser=parser @@ -1854,7 +1858,7 @@ index 48a26c2..b1e683b 100644 if self.__options.setype: self.setype = self.__options.setype -@@ -300,6 +337,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- +@@ -300,6 +341,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- self.__homedir = self.__options.homedir self.__tmpdir = self.__options.tmpdir else: 
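Review bot: The `-C` short option in the add_option hunk changes meaning from cgroups to capabilities, so an existing `sandbox -C …` invocation silently stops applying resource limits and instead keeps the capability bounding set for the sandboxed command, which widens what it can do; the changelog explains the rename but nothing in the parser rejects or warns about the old spelling. If the old short option cannot be kept, the change should at least be stated in the option help, and both new help strings should be wrapped in `_()` as the neighbouring `help=_("MCS/MLS level for the sandbox")` is, e.g. `help=_("Allow apps requiring capabilities to run within the sandbox.")`. The parser method this belongs to starts and ends outside the hunk.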
@@ -1865,7 +1869,7 @@ index 48a26c2..b1e683b 100644 if len(cmds) == 0: self.usage(_("Command required")) cmds[0] = fullpath(cmds[0]) -@@ -329,44 +370,43 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- +@@ -329,44 +374,45 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- def __setup_dir(self): if self.__options.level or self.__options.session: return @@ -1908,6 +1912,8 @@ index 48a26c2..b1e683b 100644 + cmds = [ SEUNSHARE, "-Z", self.__execcon ] + if self.__options.usecgroup == True: + cmds.append('-c') ++ if self.__options.usecaps == True: ++ cmds.append('-C') if self.__mount: - cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths - rc = subprocess.Popen(cmds).wait() @@ -1929,7 +1935,7 @@ index 48a26c2..b1e683b 100644 selinux.setexeccon(self.__execcon) rc = subprocess.Popen(self.__cmds).wait() -@@ -404,7 +444,7 @@ if __name__ == '__main__': +@@ -404,7 +450,7 @@ if __name__ == '__main__': sandbox = Sandbox() rc = sandbox.main() except OSError, error: @@ -1939,7 +1945,7 @@ index 48a26c2..b1e683b 100644 error_exit(error.args[0]) except KeyError, error: diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8 -index 1479364..73d33b3 100644 +index 1479364..3deb4b2 100644 --- a/policycoreutils/sandbox/sandbox.8 +++ b/policycoreutils/sandbox/sandbox.8 @@ -1,10 +1,13 @@ 
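Review bot: `if self.__options.usecaps == True:` in the seunshare command-building hunk compares a store_true flag against `True`; the idiomatic and equivalent test is `if self.__options.usecaps:`, and the `usecgroup` line just above has the same shape. The flag is forwarded verbatim as `-C` to SEUNSHARE, so nothing here tells a reader that it relaxes the sandbox; a one-line comment such as `# -C keeps the capability bounding set in the sandbox; see seunshare(8)` would make that visible at the call site. The enclosing method starts and ends outside the hunk.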
@@ -1951,11 +1957,11 @@ index 1479364..73d33b3 100644 .B sandbox -[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [[-i file ]...] [ -t type ] cmd -[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [[-i file ]...] [ -t type ] -S -+[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd ++[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd + +.br +.B sandbox -+[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S ++[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S .br .SH DESCRIPTION .PP @@ -1972,13 +1978,16 @@ index 1479364..73d33b3 100644 \fB\-W windowmanager\fR Select alternative window manager to run within .B sandbox -X. -@@ -50,8 +59,17 @@ Default to /usr/bin/matchbox-window-manager. +@@ -50,8 +59,20 @@ Default to /usr/bin/matchbox-window-manager. \fB\-X\fR Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t +.TP -+\fB\-C\fR ++\fB\-c\fR +Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. ++.TP ++\fB\-C\fR ++Use capabilities within the sandbox. By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the -C flag, you can use programs requiring capabilities. .PP .SH "SEE ALSO" .TP @@ -2123,16 +2132,16 @@ index 8338203..9648100 100644 break 
diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8 new file mode 100644 -index 0000000..e7b8991 +index 0000000..eeb2218 --- /dev/null +++ b/policycoreutils/sandbox/seunshare.8 -@@ -0,0 +1,37 @@ +@@ -0,0 +1,40 @@ +.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands" +.SH NAME +seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context +.SH SYNOPSIS +.B seunshare -+[ -v ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args] ++[ -v ] [-c] [-C] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args] +.br +.SH DESCRIPTION +.PP @@ -2147,9 +2156,12 @@ index 0000000..e7b8991 +\fB\-t\ tmpdir +Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user. +.TP -+\fB\-c cgroups\fR ++\fB\-c --cgroups\fR +Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. +.TP ++\fB\-C --capabilities\fR ++Allow apps executed within the namespace to use capabilities. Default is no capabilities. ++.TP +\fB\-Z\ context +Use alternate SELinux context while runing the executable. +.TP @@ -2165,7 +2177,7 @@ index 0000000..e7b8991 +and +.I Thomas Liu diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c -index ec692e7..52362e0 100644 +index ec692e7..ff61262 100644 --- a/policycoreutils/sandbox/seunshare.c +++ b/policycoreutils/sandbox/seunshare.c @@ -1,28 +1,35 @@ @@ -2209,7 +2221,7 @@ index ec692e7..52362e0 100644 #ifdef USE_NLS #include /* for setlocale() */ #include /* for gettext() */ -@@ -39,29 +46,47 @@ +@@ -39,29 +46,48 @@ #define MS_PRIVATE 1<<18 #endif 
@@ -2220,10 +2232,11 @@ index ec692e7..52362e0 100644 +#define BUF_SIZE 1024 +#define DEFAULT_PATH "/usr/bin:/bin" + -+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] -t tmpdir -h homedir [-Z context] -- executable [args]") ++#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] -C -t tmpdir -h homedir [-Z context] -- executable [args]") + +static int verbose = 0; + ++static capng_select_t cap_set = CAPNG_SELECT_BOTH; + /** - * This function will drop all capabilities @@ -2240,10 +2253,10 @@ index ec692e7..52362e0 100644 - /* Change uid */ - if (setresuid(uid, uid, uid)) { - fprintf(stderr, _("Error changing uid, aborting.\n")); -+ if (capng_have_capabilities(CAPNG_SELECT_CAPS) == CAPNG_NONE) ++ if (capng_have_capabilities(cap_set) == CAPNG_NONE) + return 0; -+ capng_clear(CAPNG_SELECT_CAPS); -+ if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_CAPS) == -1) { ++ capng_clear(cap_set); ++ if (capng_lock() == -1 || capng_apply(cap_set) == -1) { + fprintf(stderr, _("Failed to drop all capabilities\n")); return -1; } @@ -2271,7 +2284,7 @@ index ec692e7..52362e0 100644 */ static int set_signal_handles(void) { -@@ -75,8 +100,8 @@ static int set_signal_handles(void) +@@ -75,8 +101,8 @@ static int set_signal_handles(void) (void)sigprocmask(SIG_SETMASK, &empty, NULL); @@ -2282,7 +2295,7 @@ index ec692e7..52362e0 100644 perror("Unable to set SIGHUP handler"); return -1; } -@@ -84,23 +109,103 @@ static int set_signal_handles(void) +@@ -84,23 +110,103 @@ static int set_signal_handles(void) return 0; } @@ -2396,7 +2409,7 @@ index ec692e7..52362e0 100644 return 0; } -@@ -123,7 +228,7 @@ static int verify_shell(const char *shell_name) +@@ -123,7 +229,7 @@ static int verify_shell(const char *shell_name) /* check the shell skipping newline char */ if (!strcmp(shell_name, buf)) { 
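Review bot: The new USAGE_STRING writes `-C` outside brackets, `[ -c ] -C -t tmpdir`, which presents the capabilities switch as mandatory although the getopt handling makes it optional; it should read `[ -v ] [ -c ] [ -C ] -t tmpdir …`, matching the `[-c] [-C]` synopsis added to seunshare.8 in this same patch. The `cap_set` declaration would also benefit from a one-line comment stating the default's security meaning, e.g. `/* default clears caps AND the bounding set; -C narrows this to the cap sets only */`, since the declaration is where a reader looks first.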
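Review bot: With `-C` the hunk passes `CAPNG_SELECT_CAPS` to `capng_clear`/`capng_apply` so the bounding set survives, yet `capng_lock()` is still called unconditionally; if it sets and locks the SECBIT_NOROOT securebit, as the libcap-ng manual describes, a setuid-root program run inside the sandbox will still not regain capabilities on exec, and only binaries carrying file capabilities would benefit from the retained bounding set. That is worth confirming with a real setuid binary before the man page promises "setuid apps", and the function's header comment should then state which mechanism `-C` actually preserves. Note also that the early `capng_have_capabilities(cap_set) == CAPNG_NONE` return skips `capng_lock()` entirely when the process holds no capabilities, so the resulting securebits depend on the caller's starting privileges. drop_capabilities starts outside the hunk.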
@@ -2405,7 +2418,7 @@ index ec692e7..52362e0 100644 break; } } -@@ -131,45 +236,525 @@ static int verify_shell(const char *shell_name) +@@ -131,45 +237,530 @@ static int verify_shell(const char *shell_name) return rc; } @@ -2515,6 +2528,7 @@ index ec692e7..52362e0 100644 + char buf[BUF_SIZE]; + char *tok = NULL; + int rc = -1; ++ char *str = NULL; + const char* fname = "/etc/sysconfig/sandbox"; + + if ((fp = fopen(fname, "rt")) == NULL) { @@ -2527,7 +2541,8 @@ index ec692e7..52362e0 100644 + + /* Copy the string, ignoring whitespace */ + int len = strlen(buf); -+ char *str = malloc((len + 1) * sizeof(char)); ++ free(str); ++ str = malloc((len + 1) * sizeof(char)); + + int ind = 0; + int i; @@ -2668,6 +2683,8 @@ index ec692e7..52362e0 100644 + + rc = 0; +err: ++ fclose(fp) ++ free(str); + free(mem); + free(cgroupname); + free(cpus); @@ -2756,9 +2773,8 @@ index ec692e7..52362e0 100644 + free(buf); buf = NULL; + globfree(&fglob); + return rc; - } - --#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ") ++} ++ +/** + * Clean up runtime temporary directory. Returns 0 if no problem was detected, + * >0 if some error was detected, but errors here are treated as non-fatal and @@ -2801,8 +2817,9 @@ index ec692e7..52362e0 100644 + setfsuid(pwd->pw_uid); + + return 0; -+} -+ + } + +-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ") +/** + * seunshare will create a tmpdir in /tmp, with root ownership. The parent + * process waits for it child to exit to attempt to remove the directory. If @@ -2942,10 +2959,11 @@ index ec692e7..52362e0 100644 {"verbose", 1, 0, 'v'}, + {"cgroups", 1, 0, 'c'}, + {"context", 1, 0, 'Z'}, ++ {"capabilities", 1, 0, 'C'}, {NULL, 0, 0, 0} }; -@@ -180,6 +765,12 @@ int main(int argc, char **argv) { +@@ -180,6 +771,12 @@ int main(int argc, char **argv) { return -1; } 
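Review bot: The `fclose(fp)` added at the `err:` label lacks a terminating semicolon, so the text reads `fclose(fp) free(str);` and the file will not compile; it must be `fclose(fp);`. If any `goto err` is reachable before `fopen` succeeds (the top of the function is outside this hunk, so I cannot tell), `fp` is NULL there and `fclose(NULL)` is undefined behaviour, so `if (fp) fclose(fp);` is the safe form. The changelog entry "Fix memory and fd leaks in seunshare" rests on this line.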
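Review bot: The new `{"capabilities", 1, 0, 'C'}` entry sets has_arg to 1 (required_argument), so `--capabilities` will consume the next command-line word, while the short form in the getopt string `"Ccvh:t:Z:"` takes no argument; it should be `{"capabilities", 0, 0, 'C'}`. The same mismatch already exists for the `verbose` and `cgroups` entries that this hunk carries as context, so fixing all three together (using `no_argument` from <getopt.h> rather than a bare 0) would be consistent. Because the argument is taken as the next argv element, `--capabilities` would likely swallow the `--` separator itself and leave the executable unparsed.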
@@ -2958,7 +2976,7 @@ index ec692e7..52362e0 100644 struct passwd *pwd=getpwuid(uid); if (!pwd) { perror(_("getpwduid failed")); -@@ -187,34 +778,30 @@ int main(int argc, char **argv) { +@@ -187,34 +784,33 @@ int main(int argc, char **argv) { } if (verify_shell(pwd->pw_shell) < 0) { @@ -2970,7 +2988,7 @@ index ec692e7..52362e0 100644 while (1) { - clflag = getopt_long(argc, argv, "h:t:", long_options, - &flag_index); -+ clflag = getopt_long(argc, argv, "cvh:t:Z:", long_options, NULL); ++ clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL); if (clflag == -1) break; @@ -2999,12 +3017,15 @@ index ec692e7..52362e0 100644 + case 'c': + usecgroups = 1; + break; ++ case 'C': ++ cap_set = CAPNG_SELECT_CAPS; ++ break; + case 'Z': + execcon = optarg; break; default: fprintf(stderr, "%s\n", USAGE_STRING); -@@ -223,76 +810,84 @@ int main(int argc, char **argv) { +@@ -223,76 +819,84 @@ int main(int argc, char **argv) { } if (! homedir_s && ! tmpdir_s) { @@ -3138,7 +3159,7 @@ index ec692e7..52362e0 100644 if (display) rc |= setenv("DISPLAY", display, 1); rc |= setenv("HOME", pwd->pw_dir, 1); -@@ -300,22 +895,41 @@ int main(int argc, char **argv) { +@@ -300,22 +904,41 @@ int main(int argc, char **argv) { rc |= setenv("USER", pwd->pw_name, 1); rc |= setenv("LOGNAME", pwd->pw_name, 1); rc |= setenv("PATH", DEFAULT_PATH, 1); 
@@ -5123,6 +5144,41 @@ index 059f629..81d6a3c 100644 case 'u': set_mode(UPGRADE_M, optarg); break; +diff --git a/policycoreutils/semodule_expand/semodule_expand.8 b/policycoreutils/semodule_expand/semodule_expand.8 +index 22ad3be..35df2ed 100644 +--- a/policycoreutils/semodule_expand/semodule_expand.8 ++++ b/policycoreutils/semodule_expand/semodule_expand.8 +@@ -3,7 +3,7 @@ + semodule_expand \- Expand a SELinux policy module package. + + .SH SYNOPSIS +-.B semodule_expand [-V -c [version]] basemodpkg outputfile ++.B semodule_expand [-V ] [ -a ] [ -c [version]] basemodpkg outputfile + .br + .SH DESCRIPTION + .PP +@@ -22,6 +22,9 @@ show version + .TP + .B \-c [version] + policy version to create ++.TP ++.B \-a ++Check assertions. This will cause the policy to check all neverallow rules. + + .SH SEE ALSO + .B checkmodule(8), semodule_package(8), semodule(8), semodule_link(8) +diff --git a/policycoreutils/semodule_package/semodule_package.8 b/policycoreutils/semodule_package/semodule_package.8 +index fb41480..29c9eb2 100644 +--- a/policycoreutils/semodule_package/semodule_package.8 ++++ b/policycoreutils/semodule_package/semodule_package.8 +@@ -45,7 +45,6 @@ netfilter context file to be included in the package. + + .SH SEE ALSO + .B checkmodule(8), semodule(8) +-(8), + .SH AUTHORS + .nf + This manual page was written by Dan Walsh . diff --git a/policycoreutils/sepolgen-ifgen/Makefile b/policycoreutils/sepolgen-ifgen/Makefile new file mode 100644 index 0000000..211580d diff --git a/policycoreutils.spec b/policycoreutils.spec index b0d58f9..1293c5d 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.86 -Release: 14%{?dist} +Release: 15%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 
@@ -336,6 +336,12 @@ fi exit 0 %changelog +* Mon Jul 5 2011 Dan Walsh 2.0.86-15 +- Add -C option to sandbox and seunshare to maintain capabilities, otherwise +the bounding set will be dropped. +- Change --cgroups short name -c rather then -C for consistancy +- Fix memory and fd leaks in seunshare + * Mon Jun 13 2011 Dan Walsh 2.0.86-14 - Do not drop capability bounding set in seunshare, this allows sandbox to - run setuid apps. diff --git a/semanage-bash-completion.sh b/semanage-bash-completion.sh index 221eae2..ff1285a 100644 --- a/semanage-bash-completion.sh +++ b/semanage-bash-completion.sh @@ -59,7 +59,7 @@ __get_user_opts () { echo '$ALL_OPTS $MANAGED_OPTS -L -r -R --role '; } __get_login_opts () { echo '$ALL_OPTS $MANAGED_OPTS -s -r '; } __get_port_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t -type -r --range -p --proto'; } __get_interface_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t --type '; } -__get_node_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t --type '; } +__get_node_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t --type -M --mask -p --proto'; } __get_fcontext_opts () { echo '$ALL_OPTS $MANAGED_OPTS -t --type -e --equal -f --ftype '; } __get_module_opts () { echo '$ALL_OPTS --enable --disable '; } __get_dontaudit_opts () { echo '-S on off' ; }