diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 43b2bc2..fbe432f 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1470,20 +1470,28 @@ index 23de6f6..171bb05 100644 export DISPLAY=:$D cat > ~/seremote << __EOF diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c -index dbd5977..68a80c7 100644 +index dbd5977..b3f1275 100644 --- a/policycoreutils/sandbox/seunshare.c +++ b/policycoreutils/sandbox/seunshare.c -@@ -961,8 +961,9 @@ int main(int argc, char **argv) { +@@ -617,8 +617,8 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src, + free(cmdbuf); cmdbuf = NULL; + + /* remove runtime temporary directory */ +- if ((uid_t)setfsuid(0) != pwd->pw_uid) { +- fprintf(stderr, _("Unable to switch to root to clear tmp dir\n")); ++ if ((uid_t)setfsuid(0) != 0) { ++ /* setfsuid does not return errror, but this check makes code checkers happy */ + rc++; + } + +@@ -961,6 +961,7 @@ int main(int argc, char **argv) { char *display = NULL; char *LANG = NULL; int rc = -1; + char *resolved_path = NULL; -- if (unshare(CLONE_NEWNS) < 0) { -+ if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) { + if (unshare(CLONE_NEWNS) < 0) { perror(_("Failed to unshare")); - goto childerr; - } @@ -977,8 +978,10 @@ int main(int argc, char **argv) { /* assume fsuid==ruid after this point */ if ((uid_t)setfsuid(uid) != 0) goto childerr; @@ -2359,7 +2367,7 @@ index b6abdf5..c05c943 100644 Generate an additional HTML man pages for the specified domain(s). diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py -index b25d3b2..6e71f00 100755 +index b25d3b2..1146bb3 100755 --- a/policycoreutils/sepolicy/sepolicy.py +++ b/policycoreutils/sepolicy/sepolicy.py @@ -22,6 +22,8 @@ 
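Review bot: The new check in cleanup_tmpdir, `if ((uid_t)setfsuid(0) != 0)`, only inspects the fsuid the process held before the call, so it cannot tell whether the switch to root actually took effect, which is what the tmpdir removal that follows presumably depends on. setfsuid(2) reports failure only through a second call, so the shape that makes the comment true is `setfsuid(0); if ((uid_t)setfsuid(-1) != 0) { rc++; }`, and the comment's `errror` should read `error`. cleanup_tmpdir starts and ends outside this hunk. Separately, restoring the plain `unshare(CLONE_NEWNS)` line gives the sandbox back the host's IPC namespace (SysV shm/semaphores, POSIX mqueues), and the spec changelog is the only place recording why; a one-line comment at the call such as `/* CLONE_NEWIPC deliberately omitted: Xephyr does not work without shared IPC */` would keep that trade-off visible in the code.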
@@ -2551,7 +2559,7 @@ index b25d3b2..6e71f00 100755 if args.list_admin: for a in get_admin(): print a -@@ -328,7 +349,7 @@ def interface(args): +@@ -328,13 +349,13 @@ def interface(args): for a in get_user(): print a if args.list: @@ -2560,6 +2568,13 @@ index b25d3b2..6e71f00 100755 print m def generate(args): + from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE + cmd = None +- if args.policytype not in USERS + [ SANDBOX, NEWTYPE]: ++ if args.policytype in APPLICATIONS: + if not args.command: + raise ValueError(_("Command required for this type of policy")) + cmd = os.path.realpath(args.command) @@ -368,10 +389,10 @@ def gen_interface_args(parser): help=_('List SELinux Policy interfaces')) group = itf.add_mutually_exclusive_group(required=True) @@ -2793,7 +2808,7 @@ index 5e7415c..5267ed9 100644 booleans_dict = None def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py -index 26f8390..898ec43 100644 +index 26f8390..95b3ac0 100644 --- a/policycoreutils/sepolicy/sepolicy/generate.py +++ b/policycoreutils/sepolicy/sepolicy/generate.py @@ -63,20 +63,6 @@ except IOError: @@ -2817,6 +2832,15 @@ index 26f8390..898ec43 100644 def get_rpm_nvr_from_header(hdr): 'Given an RPM header return the package NVR as a string' name = hdr['name'] +@@ -164,7 +150,7 @@ def get_poltype_desc(): + return msg + + APPLICATIONS = [ DAEMON, DBUS, INETD, USER, CGI ] +-USERS = [ XUSER, TUSER, LUSER, AUSER, EUSER, RUSER] ++USERS = [ XUSER, TUSER, LUSER, AUSER, RUSER] + + def verify_ports(ports): + if ports == "": @@ -587,7 +573,7 @@ class policy: def generate_network_action(self, protocol, action, port_name): line = "" 
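Review bot: Dropping EUSER from `USERS` changes the meaning of every `self.type in USERS` test in generate.py, not only the command check in sepolicy.py that this commit rewrites; an existing-user policy now falls through to the non-user branch at each such site, and the later hunk at line 1079 compensates for just one of them (the executable-path check). Unless every remaining `in USERS` site has been checked, it would be safer to keep EUSER in the list and exclude it explicitly where it must differ. If the removal is intended, a comment on the list would stop the next maintainer re-adding it, e.g. `# EUSER is deliberately not a USERS type: it targets existing domains rather than a new user template`. That EUSER targets existing domains is inferred from the `existing_domains` substitution in a later hunk and should be confirmed.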
@@ -2826,7 +2850,15 @@ index 26f8390..898ec43 100644 line = "%s(%s_t)\n" % (method, self.name) else: line = """ -@@ -1037,7 +1023,8 @@ allow %s_t %s_t:%s_socket name_%s; +@@ -1030,14 +1016,15 @@ allow %s_t %s_t:%s_socket name_%s; + if len(self.DEFAULT_DIRS[d][1]) > 0: + # CGI scripts already have a rw_t + if self.type != CGI or d != "rw": +- newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types) ++ newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types) + + if self.type != EUSER: + newte +=""" ######################################## # # %s local policy 
@@ -2836,6 +2868,41 @@ index 26f8390..898ec43 100644 newte += self.generate_capabilities() newte += self.generate_process() newte += self.generate_network_types() +@@ -1048,11 +1035,20 @@ allow %s_t %s_t:%s_socket name_%s; + + for d in self.DEFAULT_KEYS: + if len(self.DEFAULT_DIRS[d][1]) > 0: +- newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules) +- for i in self.DEFAULT_DIRS[d][1]: +- if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): +- newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules) +- break ++ if self.type == EUSER: ++ for domain in self.existing_domains: ++ newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_rules) ++ else: ++ newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules) ++ for i in self.DEFAULT_DIRS[d][1]: ++ if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]): ++ if self.type == EUSER: ++ for domain in self.existing_domains: ++ newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_stream_rules) ++ ++ else: ++ newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules) ++ break + + newte += self.generate_tmp_rules() + newte += self.generate_network_rules() +@@ -1079,7 +1075,7 @@ allow %s_t %s_t:%s_socket name_%s; + fclist = [] + if self.type in USERS + [ SANDBOX ]: + return executable.fc_user +- if self.type != NEWTYPE and not self.program: ++ if self.type not in [ EUSER, NEWTYPE ] and not self.program: + raise ValueError(_("You must enter the executable path for your confined process")) + + if self.program: diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py index 8b063ca..c9036c3 100644 --- a/policycoreutils/sepolicy/sepolicy/interface.py diff --git a/policycoreutils.spec b/policycoreutils.spec index dc2c772..b9a0825 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
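Review bot: `domain[:-2]` in both new EUSER branches strips the last two characters by position, so an entry of `self.existing_domains` that does not end in `_t` is silently mangled into a wrong type name inside the generated policy, with no error at generation time; the suffix should be checked before it is removed. The same EUSER/else choice is also written out twice, once for te_rules and once for te_stream_rules, so the selection of names to substitute is better computed once by a small helper and iterated in both places, which also keeps the `break` after the first socket as it is today. The enclosing method starts and ends outside this hunk, and the origin of `existing_domains` is not visible here.
```python
    def _template_names(self):
        """Names substituted for TEMPLATETYPE: each existing domain minus its _t suffix for EUSER, else self.name."""
        if self.type != EUSER:
            return [self.name]
        names = []
        for domain in self.existing_domains:
            if not domain.endswith("_t"):
                raise ValueError(_("Domain %s must end with _t") % domain)
            names.append(domain[:-2])
        return names

        # … unchanged: earlier parts of the method that build newte …
        for d in self.DEFAULT_KEYS:
            if len(self.DEFAULT_DIRS[d][1]) > 0:
                for name in self._template_names():
                    newte += re.sub("TEMPLATETYPE", name, self.DEFAULT_DIRS[d][2].te_rules)
                for i in self.DEFAULT_DIRS[d][1]:
                    if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]):
                        for name in self._template_names():
                            newte += re.sub("TEMPLATETYPE", name, self.DEFAULT_DIRS[d][2].te_stream_rules)
                        break
        # … unchanged: generate_tmp_rules / generate_network_rules calls …
```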
@@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.1.14 -Release: 24%{?dist} +Release: 26%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -309,6 +309,13 @@ The policycoreutils-restorecond package contains the restorecond service. %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : %changelog +* Mon Mar 25 2013 Dan Walsh - 2.1.14-25 +- Can not unshare IPC in sandbox, since it blows up Xephyr +- Remove bogus error message sandbox about reseting setfsuid + +* Thu Mar 21 2013 Dan Walsh - 2.1.14-24 +- Fix sepolicy generate --customize to generate policy with -w commands + * Thu Mar 21 2013 Dan Walsh - 2.1.14-24 - sepolgen-ifgen needs to handle filename transition rules containing ":"