rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Wed May 20 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-1

Browse Source 
- Update to upstream
	* Fix transaction checking from Dan Walsh.
	* Make fixfiles -R (for rpm) recursive.
	* Make semanage permissive clean up after itself from Dan Walsh.
	* add /root/.ssh/* to restorecond.conf
This commit is contained in:
Daniel J Walsh 2009-05-22 18:00:00 +00:00
parent ff7a9e96a2
commit 7d0ef81ff4
4 changed files with 407 additions and 151 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.cvsignore
View File

@ -197,3 +197,4 @@ policycoreutils-2.0.61.tgz
sepolgen-1.0.15.tgz
policycoreutils-2.0.62.tgz
sepolgen-1.0.16.tgz
policycoreutils-2.0.63.tgz

543
policycoreutils-rhat.patch
View File

@ -1,6 +1,6 @@
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.62/audit2allow/audit2allow
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.63/audit2allow/audit2allow
--- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
+++ policycoreutils-2.0.62/audit2allow/audit2allow 2009-05-04 13:40:26.000000000 -0400
+++ policycoreutils-2.0.63/audit2allow/audit2allow 2009-05-22 13:40:04.000000000 -0400
@@ -126,6 +126,7 @@
elif self.__options.audit:
try:
@ -9,18 +9,18 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
except OSError, e:
sys.stderr.write('could not run ausearch - "%s"\n' % str(e))
sys.exit(1)
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.62/Makefile
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.63/Makefile
--- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.62/Makefile 2009-05-04 13:40:26.000000000 -0400
+++ policycoreutils-2.0.63/Makefile 2009-05-22 13:40:04.000000000 -0400
@@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.62/restorecond/Makefile
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.63/restorecond/Makefile
--- nsapolicycoreutils/restorecond/Makefile 2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/Makefile 2009-05-12 15:17:52.000000000 -0400
+++ policycoreutils-2.0.63/restorecond/Makefile 2009-05-22 13:40:04.000000000 -0400
@@ -2,16 +2,23 @@
PREFIX ?= ${DESTDIR}/usr
SBINDIR ?= $(PREFIX)/sbin
@ -62,16 +62,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
relabel: install
/sbin/restorecon $(SBINDIR)/restorecond
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.62/restorecond/org.selinux.Restorecond.service
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.63/restorecond/org.selinux.Restorecond.service
--- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/org.selinux.Restorecond.service 2009-05-04 13:40:26.000000000 -0400
+++ policycoreutils-2.0.63/restorecond/org.selinux.Restorecond.service 2009-05-22 13:40:04.000000000 -0400
@@ -0,0 +1,3 @@
+[D-BUS Service]
+Name=org.selinux.Restorecond
+Exec=/usr/sbin/restorecond -u
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.62/restorecond/restorecond.c
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.63/restorecond/restorecond.c
--- nsapolicycoreutils/restorecond/restorecond.c 2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/restorecond.c 2009-05-12 15:18:05.000000000 -0400
+++ policycoreutils-2.0.63/restorecond/restorecond.c 2009-05-22 13:40:04.000000000 -0400
@@ -48,294 +48,37 @@
#include <signal.h>
#include <string.h>
@ -540,19 +540,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
}
+
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.62/restorecond/restorecond.conf
--- nsapolicycoreutils/restorecond/restorecond.conf 2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/restorecond.conf 2009-05-04 13:40:26.000000000 -0400
@@ -4,4 +4,5 @@
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.63/restorecond/restorecond.conf
--- nsapolicycoreutils/restorecond/restorecond.conf 2009-05-18 13:53:14.000000000 -0400
+++ policycoreutils-2.0.63/restorecond/restorecond.conf 2009-05-22 13:40:04.000000000 -0400
@@ -4,8 +4,5 @@
/etc/mtab
/var/run/utmp
/var/log/wtmp
-~/*
-/root/.ssh
+/root/*
+/root/.ssh/*
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.62/restorecond/restorecond.desktop
/root/.ssh/*
-
-
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.63/restorecond/restorecond.desktop
--- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/restorecond.desktop 2009-05-06 14:10:09.000000000 -0400
+++ policycoreutils-2.0.63/restorecond/restorecond.desktop 2009-05-22 13:40:04.000000000 -0400
@@ -0,0 +1,7 @@
+[Desktop Entry]
+Name=File Context maintainer
@ -561,9 +564,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
+Encoding=UTF-8
+Type=Application
+StartupNotify=false
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.62/restorecond/restorecond.h
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.63/restorecond/restorecond.h
--- nsapolicycoreutils/restorecond/restorecond.h 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.62/restorecond/restorecond.h 2009-05-12 15:13:35.000000000 -0400
+++ policycoreutils-2.0.63/restorecond/restorecond.h 2009-05-22 13:40:04.000000000 -0400
@@ -24,7 +24,22 @@
#ifndef RESTORED_CONFIG_H
#define RESTORED_CONFIG_H
@ -589,15 +592,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
+extern void watch_list_free(int fd);
#endif
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.62/restorecond/restorecond_user.conf
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.63/restorecond/restorecond_user.conf
--- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/restorecond_user.conf 2009-05-04 13:40:26.000000000 -0400
+++ policycoreutils-2.0.63/restorecond/restorecond_user.conf 2009-05-22 13:40:04.000000000 -0400
@@ -0,0 +1,2 @@
+~/*
+~/public_html/*
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.62/restorecond/user.c
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.63/restorecond/user.c
--- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/user.c 2009-05-12 15:15:38.000000000 -0400
+++ policycoreutils-2.0.63/restorecond/user.c 2009-05-22 13:40:04.000000000 -0400
@@ -0,0 +1,220 @@
+/*
+ * restorecond
@ -819,9 +822,43 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
+ return 0;
+}
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.62/restorecond/watch.c
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/walk.c policycoreutils-2.0.63/restorecond/walk.c
--- nsapolicycoreutils/restorecond/walk.c 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.63/restorecond/walk.c 2009-05-22 13:40:04.000000000 -0400
@@ -0,0 +1,30 @@
+#define _XOPEN_SOURCE 500
+#include <ftw.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+int ctr=0;
+static int
+display_info(const char *fpath, const struct stat *sb,
+ int tflag, struct FTW *ftwbuf)
+{
+ if (tflag == FTW_D) {
+ printf(" %-40s %d %s\n",
+ fpath, ftwbuf->base, fpath + ftwbuf->base);
+ ctr++;
+ }
+ return 0; /* To tell nftw() to continue */
+}
+
+int
+main(int argc, char *argv[])
+{
+ int flags = 0;
+
+ flags = FTW_PHYS | FTW_MOUNT;
+
+ nftw((argc < 2) ? "." : argv[1], display_info, 20, flags);
+ printf("Total Dirs %d\n",ctr);
+ exit(EXIT_SUCCESS);
+}
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.63/restorecond/watch.c
--- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/restorecond/watch.c 2009-05-12 15:12:28.000000000 -0400
+++ policycoreutils-2.0.63/restorecond/watch.c 2009-05-22 13:40:04.000000000 -0400
@@ -0,0 +1,346 @@
+#define _GNU_SOURCE
+#include <sys/inotify.h>
@ -1169,9 +1206,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
+ exitApp("Error watching config file.");
+}
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.62/scripts/chcat
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.63/scripts/chcat
--- nsapolicycoreutils/scripts/chcat 2009-01-13 08:45:35.000000000 -0500
+++ policycoreutils-2.0.62/scripts/chcat 2009-05-04 13:40:26.000000000 -0400
+++ policycoreutils-2.0.63/scripts/chcat 2009-05-22 13:46:01.000000000 -0400
@@ -281,14 +281,14 @@
def expandCats(cats):
newcats = []
@ -1195,9 +1232,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if i not in newcats:
newcats.append(i)
if len(newcats) > 25:
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.62/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles 2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/scripts/fixfiles 2009-05-05 10:47:08.000000000 -0400
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.63/scripts/fixfiles
--- nsapolicycoreutils/scripts/fixfiles 2009-05-18 13:53:14.000000000 -0400
+++ policycoreutils-2.0.63/scripts/fixfiles 2009-05-22 13:40:04.000000000 -0400
@@ -89,7 +89,7 @@
fi; \
done | \
@ -1207,15 +1244,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
\( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print0"; \
done 2> /dev/null | \
${RESTORECON} $* -0 -f -
@@ -122,14 +122,14 @@
fi
if [ ! -z "$RPMFILES" ]; then
for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do
- rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -i -f - 2>&1 >> $LOGFILE
+ rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -R -i -f - 2>&1 >> $LOGFILE
done
exit $?
fi
@@ -129,7 +129,7 @@
if [ ! -z "$FILEPATH" ]; then
if [ -x /usr/bin/find ]; then
/usr/bin/find "$FILEPATH" \
@ -1224,9 +1253,276 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
else
${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.62/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2009-02-18 16:44:47.000000000 -0500
+++ policycoreutils-2.0.62/semanage/semanage 2009-05-04 13:40:26.000000000 -0400
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.63/scripts/Makefile
--- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.63/scripts/Makefile 2009-05-22 13:43:33.000000000 -0400
@@ -5,11 +5,12 @@
MANDIR ?= $(PREFIX)/share/man
LOCALEDIR ?= /usr/share/locale
-all: fixfiles genhomedircon
+all: fixfiles genhomedircon sandbox chcat
install: all
-mkdir -p $(BINDIR)
install -m 755 chcat $(BINDIR)
+ install -m 755 sandbox $(BINDIR)
install -m 755 fixfiles $(DESTDIR)/sbin
install -m 755 genhomedircon $(SBINDIR)
-mkdir -p $(MANDIR)/man8
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.63/scripts/sandbox
--- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.63/scripts/sandbox 2009-05-22 13:59:22.000000000 -0400
@@ -0,0 +1,149 @@
+#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl
+import selinux
+
+PROGNAME = "policycoreutils"
+
+import gettext
+gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+gettext.textdomain(PROGNAME)
+
+try:
+ gettext.install(PROGNAME,
+ localedir = "/usr/share/locale",
+ unicode=False,
+ codeset = 'utf-8')
+except IOError:
+ import __builtin__
+ __builtin__.__dict__['_'] = unicode
+
+
+random.seed(None)
+
+def error_exit(msg):
+ sys.stderr.write("%s: " % sys.argv[0])
+ sys.stderr.write("%s\n" % msg)
+ sys.stderr.flush()
+ sys.exit(1)
+
+def mount(context):
+ if os.getuid() != 0:
+ usage(_("Mount options require root privileges"))
+ destdir = "/mnt/%s" % context
+ os.mkdir(destdir)
+ rc = os.system('/bin/mount -t tmpfs tmpfs %s' % (destdir))
+ selinux.setfilecon(destdir, context)
+ if rc != 0:
+ sys.exit(rc)
+ os.chdir(destdir)
+
+def umount(dest):
+ os.chdir("/")
+ destdir = "/mnt/%s" % dest
+ os.system('/bin/umount %s' % (destdir))
+ os.rmdir(destdir)
+
+
+def reserve(mcs):
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ sock.bind("\0%s" % mcs)
+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
+
+def gen_context(setype):
+ while True:
+ i1 = random.randrange(0, 1024)
+ i2 = random.randrange(0, 1024)
+ if i1 == i2:
+ continue
+ if i1 > i2:
+ tmp = i1
+ i1 = i2
+ i2 = tmp
+ mcs = "s0:c%d,c%d" % (i1, i2)
+ reserve(mcs)
+ try:
+ reserve(mcs)
+ except:
+ continue
+ break
+ con = selinux.getcon()[1].split(":")
+
+ execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, mcs)
+
+ filecon = "%s:%s:%s:%s" % (con[0],
+ "object_r",
+ "%s_file_t" % setype[:-2],
+ mcs)
+ return execcon, filecon
+
+
+if __name__ == '__main__':
+ if selinux.is_selinux_enabled() != 1:
+ error_exit("Requires an SELinux enabled system")
+
+ def usage(message = ""):
+ text = _("""
+sandbox [ -m ] [ -t type ] command
+""")
+ error_exit("%s\n%s" % (message, text))
+
+ setype = "sandbox_t"
+ mount_ind = False
+ gopts, cmds = getopt.getopt(sys.argv[1:], "t:m",
+ ["type=",
+ "mount"])
+ for o, a in gopts:
+ if o == "-t" or o == "--type":
+ setype = a
+
+ if o == "-m" or o == "--mount":
+ mount_ind = True
+
+
+ if len(cmds) == 0:
+ usage(_("Command required"))
+
+ os.chdir("/")
+ execcon, filecon = gen_context(setype)
+ rc = -1
+ try:
+ if mount_ind:
+ mount(filecon)
+
+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
+ for i in os.environ["PATH"].split(':'):
+ f = "%s/%s" % (i, cmds[0])
+ if os.access(f, os.X_OK):
+ cmds[0] = f
+ break
+
+ setype = selinux.getfilecon(cmds[0])[1].split(":")[2]
+ if setype == "user_home_t" or setype == "user_tmp_t":
+ error_exit(_("""
+Sandboxed applications can not read/execute files labeled as user content; (%s)
+Temporarily label '%s" as bin_t, if you want it to run it under a sandbox.
+
+chcon -t bin_t %s
+
+restorecon %s
+
+Will set the executable back to the correct context.
+""") % (setype, cmds[0], cmds[0], cmds[0]) )
+
+ selinux.setexeccon(execcon)
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(None)
+
+ if mount_ind:
+ umount(filecon)
+
+ except getopt.error, error:
+ usage(_("Options Error %s ") % error.msg)
+ except ValueError, error:
+ error_exit(error.args[0])
+ except KeyError, error:
+ error_exit(_("Invalid value %s") % error.args[0])
+ except IOError, error:
+ error_exit(error.args[1])
+
+ sys.exit(rc)
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.63/scripts/sandbox.8
--- nsapolicycoreutils/scripts/sandbox.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.63/scripts/sandbox.8 2009-05-22 13:43:03.000000000 -0400
@@ -0,0 +1,22 @@
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
+.SH NAME
+sandbox \- Run cmd under an SELinux sandbox
+.SH SYNOPSIS
+.B sandbox
+[ -M ] [ -t type ] cmd
+.br
+.SH DESCRIPTION
+.PP
+Run application within a tightly confined SELinux domain, This application can only read and write stdin and stdout along with files handled to it by the shell.
+.PP
+.TP
+\fB\-m\fR
+Mount a temporary file system and change working directory to it, files will be removed when job completes.
+.TP
+\fB\-t type\fR
+Use alternate sandbox type, defaults to sandbox_t
+.TP
+.SH "SEE ALSO"
+.TP
+runcon(1)
+.PP
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.py policycoreutils-2.0.63/scripts/sandbox.py
--- nsapolicycoreutils/scripts/sandbox.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.63/scripts/sandbox.py 2009-05-22 13:40:04.000000000 -0400
@@ -0,0 +1,67 @@
+#!/usr/bin/python
+import os, sys, getopt, socket, random, fcntl
+import selinux
+
+random.seed(None)
+
+def mount(src, context):
+ destdir="/mnt/%s" % context
+ os.mkdir(destdir)
+ print 'mount -n -o "context=%s" %s %s' % (context, src, destdir)
+ os.chdir(destdir)
+
+def umount(dest):
+ os.chdir("/")
+ destdir="/mnt/%s" % dest
+ print ('umount -n %s' % destdir)
+ os.rmdir(destdir)
+
+
+def reserve(mcs):
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ sock.bind("\0%s" % mcs)
+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
+
+def gen_context(type):
+ while True:
+ i1 = random.randrange(0,1024)
+ i2 = random.randrange(0,1024)
+ if i1 == i2:
+ continue
+ if i1 > i2:
+ tmp = i1
+ i1 = i2
+ i2 = tmp
+ mcs = "s0:c%d,c%d" % (i1, i2)
+ reserve(mcs)
+ try:
+ reserve(mcs)
+ except:
+ continue
+ break
+ con = selinux.getcon()[1].split(":")
+
+ execcon="%s:%s:%s:%s" % (con[0], con[1], type, mcs)
+
+ filecon="%s:%s:%s:%s" % (con[0], "object_r", "%s_file_t" % type[:-2], mcs)
+ return execcon, filecon
+
+
+type = "sandbox_t"
+mount_src = None
+gopts, cmds = getopt.getopt(sys.argv[1:],"t:m:",
+ ["type",
+ "mount"])
+for o, a in gopts:
+ if o == "-t" or o == "--type":
+ type = a
+ if o == "-m" or o == "--mount":
+ mount_src = a
+
+execcon, filecon = gen_context(type)
+selinux.setexeccon(execcon)
+
+if mount_src != None:
+ mount(mount_src, filecon)
+ umount(filecon)
+os.execvp(cmds[0], cmds)
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.63/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2009-05-18 13:53:14.000000000 -0400
+++ policycoreutils-2.0.63/semanage/semanage 2009-05-22 13:40:04.000000000 -0400
@@ -44,16 +44,17 @@
text = _("""
semanage [ -S store ] -i [ input_file | - ]
@ -1405,22 +1701,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
elif object == "node":
OBJECT.delete(target, mask, proto)
@@ -464,10 +505,10 @@
else:
fd = open(input, 'r')
trans = seobject.semanageRecords(store)
- trans.begin()
+ trans.start()
for l in fd.readlines():
process_args(mkargv(l))
- trans.commit()
+ trans.finish()
else:
process_args(sys.argv[1:])
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.62/semanage/semanage.8
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.63/semanage/semanage.8
--- nsapolicycoreutils/semanage/semanage.8 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.62/semanage/semanage.8 2009-05-04 13:40:26.000000000 -0400
+++ policycoreutils-2.0.63/semanage/semanage.8 2009-05-22 13:40:04.000000000 -0400
@@ -21,6 +21,8 @@
.br
.B semanage permissive \-{a|d} type
@ -1430,9 +1713,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
.B semanage translation \-{a|d|m} [\-T] level
.P
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.62/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2008-11-14 17:10:15.000000000 -0500
+++ policycoreutils-2.0.62/semanage/seobject.py 2009-05-05 16:49:09.000000000 -0400
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.63/semanage/seobject.py
--- nsapolicycoreutils/semanage/seobject.py 2009-05-18 13:53:14.000000000 -0400
+++ policycoreutils-2.0.63/semanage/seobject.py 2009-05-22 13:40:04.000000000 -0400
@@ -1,5 +1,5 @@
#! /usr/bin/python -E
-# Copyright (C) 2005, 2006, 2007, 2008 Red Hat
@ -1535,40 +1818,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
os.rename(newfilename, self.filename)
os.system("/sbin/service mcstrans reload > /dev/null")
@@ -281,15 +282,20 @@
global handle
@@ -283,7 +284,7 @@
if handle != None:
- self.transaction = True
self.sh = handle
else:
- self.sh=get_handle(store)
- self.transaction = False
+ self.sh = get_handle(store)
+ self.transaction = False
self.transaction = False
def deleteall(self):
raise ValueError(_("Not yet implemented"))
@@ -314,6 +315,49 @@
self.transaction = False
self.commit()
+ def start(self):
+ if self.transaction:
+ raise ValueError(_("Semanage transaction already in progress"))
+ self.begin()
+ self.transaction = True
+
def begin(self):
if self.transaction:
return
@@ -303,6 +309,55 @@
if rc < 0:
raise ValueError(_("Could not commit semanage transaction"))
+ def finish(self):
+ if not self.transaction:
+ raise ValueError(_("Semanage transaction not in progress"))
+ self.transaction = False
+ self.commit()
+
+class moduleRecords(semanageRecords):
+ def __init__(self, store):
+ semanageRecords.__init__(self, store)
@ -1615,7 +1877,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
class permissiveRecords(semanageRecords):
def __init__(self, store):
semanageRecords.__init__(self, store)
@@ -320,7 +375,7 @@
@@ -331,7 +375,7 @@
l.append(name.split("permissive_")[1])
return l
@ -1624,15 +1886,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if heading:
print "\n%-25s\n" % (_("Permissive Types"))
for t in self.get_all():
@@ -328,6 +383,7 @@
def add(self, type):
+ import glob
name = "permissive_%s" % type
dirname = "/var/lib/selinux"
os.chdir(dirname)
@@ -341,7 +397,7 @@
@@ -353,7 +397,7 @@
permissive %s;
""" % (name, type, type)
@ -1641,32 +1895,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
fd.write(modtxt)
fd.close()
mc = module.ModuleCompiler()
@@ -351,16 +407,19 @@
fd.close()
rc = semanage_module_install(self.sh, data, len(data));
- if rc < 0:
- raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
-
- self.commit()
+ if rc >= 0:
+ self.commit()
@@ -366,7 +410,7 @@
if rc >= 0:
self.commit()
- for root, dirs, files in os.walk("tmp", topdown=False):
+ for root, dirs, files in os.walk("tmp", topdown = False):
for name in files:
os.remove(os.path.join(root, name))
for name in dirs:
os.rmdir(os.path.join(root, name))
+ os.removedirs("tmp")
+ for i in glob.glob("permissive_%s.*" % type):
+ os.remove(i)
+ if rc < 0:
+ raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name)
def delete(self, name):
for n in name.split():
@@ -390,11 +449,11 @@
@@ -405,11 +449,11 @@
if sename == "":
sename = "user_u"
@ -1680,7 +1918,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if exists:
@@ -410,7 +469,7 @@
@@ -425,7 +469,7 @@
except:
raise ValueError(_("Linux User %s does not exist") % name)
@ -1689,7 +1927,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not create login mapping for %s") % name)
@@ -450,17 +509,17 @@
@@ -465,17 +509,17 @@
if sename == "" and serange == "":
raise ValueError(_("Requires seuser or serange"))
@ -1710,7 +1948,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not query seuser for %s") % name)
@@ -483,7 +542,7 @@
@@ -498,7 +542,7 @@
semanage_seuser_key_free(k)
semanage_seuser_free(u)
@ -1719,7 +1957,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
def modify(self, name, sename = "", serange = ""):
try:
@@ -492,21 +551,21 @@
@@ -507,21 +551,21 @@
self.commit()
except ValueError, error:
@ -1745,7 +1983,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not check if login mapping for %s is defined") % name)
if not exists:
@@ -525,10 +584,10 @@
@@ -540,10 +584,10 @@
self.commit()
except ValueError, error:
@ -1758,7 +1996,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
def get_all(self, locallist = 0):
ddict = {}
@@ -578,17 +637,17 @@
@@ -593,17 +637,17 @@
if len(roles) < 1:
raise ValueError(_("You must add at least one role for %s") % name)
@ -1779,7 +2017,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not create SELinux user for %s") % name)
@@ -612,7 +671,7 @@
@@ -627,7 +671,7 @@
rc = semanage_user_set_prefix(self.sh, u, prefix)
if rc < 0:
raise ValueError(_("Could not add prefix %s for %s") % (r, prefix))
@ -1788,7 +2026,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not extract key for %s") % name)
@@ -645,17 +704,17 @@
@@ -660,17 +704,17 @@
else:
raise ValueError(_("Requires prefix or roles"))
@ -1809,7 +2047,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not query user for %s") % name)
@@ -703,17 +762,17 @@
@@ -718,17 +762,17 @@
raise error
def __delete(self, name):
@ -1830,7 +2068,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not check if SELinux user %s is defined") % name)
if not exists:
@@ -795,7 +854,7 @@
@@ -810,7 +854,7 @@
low = int(ports[0])
high = int(ports[1])
@ -1839,7 +2077,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not create a key for %s/%s") % (proto, port))
return ( k, proto_d, low, high )
@@ -812,13 +871,13 @@
@@ -827,13 +871,13 @@
( k, proto_d, low, high ) = self.__genkey(port, proto)
@ -1855,7 +2093,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not create port for %s/%s") % (proto, port))
@@ -871,13 +930,13 @@
@@ -886,13 +930,13 @@
( k, proto_d, low, high ) = self.__genkey(port, proto)
@ -1871,7 +2109,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not query port %s/%s") % (proto, port))
@@ -926,13 +985,13 @@
@@ -941,13 +985,13 @@
def __delete(self, port, proto):
( k, proto_d, low, high ) = self.__genkey(port, proto)
@ -1887,7 +2125,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port))
if not exists:
@@ -1038,17 +1097,17 @@
@@ -983,7 +1027,7 @@
proto_str = semanage_port_get_proto_str(proto)
low = semanage_port_get_low(port)
high = semanage_port_get_high(port)
- ddict[(low, high)] = (ctype, proto_str, level)
+ ddict[(low, high, proto_str)] = (ctype, level)
return ddict
def get_all_by_type(self, locallist = 0):
@@ -1053,17 +1097,17 @@
if ctype == "":
raise ValueError(_("SELinux Type is required"))
@ -1908,7 +2155,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not create addr for %s") % addr)
@@ -1113,17 +1172,17 @@
@@ -1128,17 +1172,17 @@
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
@ -1929,7 +2176,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not query addr %s") % addr)
@@ -1160,17 +1219,17 @@
@@ -1175,17 +1219,17 @@
else:
raise ValueError(_("Unknown or missing protocol"))
@ -1950,7 +2197,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not check if addr %s is defined") % addr)
if not exists:
@@ -1240,17 +1299,17 @@
@@ -1255,17 +1299,17 @@
if ctype == "":
raise ValueError(_("SELinux Type is required"))
@ -1971,7 +2218,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not create interface for %s") % interface)
@@ -1301,17 +1360,17 @@
@@ -1316,17 +1360,17 @@
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
@ -1992,7 +2239,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not query interface %s") % interface)
@@ -1335,17 +1394,17 @@
@@ -1350,17 +1394,17 @@
self.commit()
def __delete(self, interface):
@ -2013,7 +2260,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not check if interface %s is defined") % interface)
if not exists:
@@ -1393,6 +1452,48 @@
@@ -1408,6 +1452,48 @@
class fcontextRecords(semanageRecords):
def __init__(self, store = ""):
semanageRecords.__init__(self, store)
@ -2062,7 +2309,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
def createcon(self, target, seuser = "system_u"):
(rc, con) = semanage_context_create(self.sh)
@@ -1429,23 +1530,23 @@
@@ -1444,23 +1530,23 @@
if type == "":
raise ValueError(_("SELinux Type is required"))
@ -2090,7 +2337,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not create file context for %s") % target)
@@ -1486,21 +1587,21 @@
@@ -1501,21 +1587,21 @@
raise ValueError(_("Requires setype, serange or seuser"))
self.validate(target)
@ -2117,7 +2364,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not query file context for %s") % target)
@@ -1550,7 +1651,7 @@
@@ -1565,7 +1651,7 @@
target = semanage_fcontext_get_expr(fcontext)
ftype = semanage_fcontext_get_type(fcontext)
ftype_str = semanage_fcontext_get_type_str(ftype)
@ -2126,7 +2373,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not create a key for %s") % target)
@@ -1558,19 +1659,26 @@
@@ -1573,19 +1659,26 @@
if rc < 0:
raise ValueError(_("Could not delete the file context %s") % target)
semanage_fcontext_key_free(k)
@ -2157,7 +2404,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not check if file context for %s is defined") % target)
if exists:
@@ -1617,11 +1725,11 @@
@@ -1632,11 +1725,11 @@
return ddict
def list(self, heading = 1, locallist = 0 ):
@ -2171,7 +2418,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
for k in keys:
if fcon_dict[k]:
if is_mls_enabled:
@@ -1630,11 +1738,17 @@
@@ -1645,11 +1738,17 @@
print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2])
else:
print "%-50s %-18s <<None>>" % (k[0], k[1])
@ -2190,7 +2437,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
self.dict["TRUE"] = 1
self.dict["FALSE"] = 0
self.dict["ON"] = 1
@@ -1643,16 +1757,16 @@
@@ -1658,16 +1757,16 @@
self.dict["0"] = 0
def __mod(self, name, value):
@ -2210,7 +2457,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not query file context %s") % name)
@@ -1670,7 +1784,7 @@
@@ -1685,7 +1784,7 @@
semanage_bool_key_free(k)
semanage_bool_free(b)
@ -2219,7 +2466,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
self.begin()
@@ -1694,16 +1808,16 @@
@@ -1709,16 +1808,16 @@
def __delete(self, name):
@ -2239,7 +2486,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if rc < 0:
raise ValueError(_("Could not check if boolean %s is defined") % name)
if not exists:
@@ -1762,7 +1876,7 @@
@@ -1777,7 +1876,7 @@
return _("unknown")
def list(self, heading = True, locallist = False, use_file = False):
@ -2248,9 +2495,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
if use_file:
ddict = self.get_all(locallist)
keys = ddict.keys()
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.62/setfiles/setfiles.c
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.63/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.62/setfiles/setfiles.c 2009-05-04 13:40:26.000000000 -0400
+++ policycoreutils-2.0.63/setfiles/setfiles.c 2009-05-22 13:40:04.000000000 -0400
@@ -29,6 +29,8 @@
static int mass_relabel;
static int mass_relabel_errs;

12
policycoreutils.spec
View File

@ -5,8 +5,8 @@
%define sepolgenver 1.0.16
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.62
Release: 14%{?dist}
Version: 2.0.63
Release: 1%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -113,6 +113,7 @@ The policycoreutils-python package contains the management tools use to manage a
%{_bindir}/audit2allow
%{_bindir}/audit2why
%{_bindir}/chcat
%{_bindir}/sandbox
%{_bindir}/sepolgen-ifgen
%{_libdir}/python?.?/site-packages/seobject.py*
%{_libdir}/python?.?/site-packages/sepolgen/*
@ -225,6 +226,13 @@ else
fi
%changelog
* Wed May 20 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-1
- Update to upstream
* Fix transaction checking from Dan Walsh.
* Make fixfiles -R (for rpm) recursive.
* Make semanage permissive clean up after itself from Dan Walsh.
* add /root/.ssh/* to restorecond.conf
* Wed Apr 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.62-14
- Fix audit2allow -a to retun /var/log/messages

2
sources
View File

@ -1,2 +1,2 @@
7163e6b815bb45eb4f6a620cd8240690 policycoreutils-2.0.62.tgz
e1b5416c3e0d76e5d702b3f54f4def45 sepolgen-1.0.16.tgz
6a45dc84a2291dc2722fc60f18fb8393 policycoreutils-2.0.63.tgz