Can not unshare IPC in sandbox, since it blows up Xephyr

- Remove bogus error message sandbox about reseting setfsuid

policycoreutils-rhat.patch

@@ -1470,20 +1470,28 @@ index 23de6f6..171bb05 100644
      export DISPLAY=:$D
      cat > ~/seremote << __EOF
 diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
-index dbd5977..68a80c7 100644
+index dbd5977..b3f1275 100644
 --- a/policycoreutils/sandbox/seunshare.c
 +++ b/policycoreutils/sandbox/seunshare.c
-@@ -961,8 +961,9 @@ int main(int argc, char **argv) {
+@@ -617,8 +617,8 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src,
+ 	free(cmdbuf); cmdbuf = NULL;
+ 
+ 	/* remove runtime temporary directory */
+-	if ((uid_t)setfsuid(0) != pwd->pw_uid) {
+-		fprintf(stderr, _("Unable to switch to root to clear tmp dir\n"));
++	if ((uid_t)setfsuid(0) != 0) {
++		/* setfsuid does not return errror, but this check makes code checkers happy */
+ 		rc++;
+ 	}
+ 
+@@ -961,6 +961,7 @@ int main(int argc, char **argv) {
  		char *display = NULL;
  		char *LANG = NULL;
  		int rc = -1;
 +		char *resolved_path = NULL;
  
--		if (unshare(CLONE_NEWNS) < 0) {
+ 		if (unshare(CLONE_NEWNS) < 0) {
-+		if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) {
  			perror(_("Failed to unshare"));
- 			goto childerr;
- 		}
 @@ -977,8 +978,10 @@ int main(int argc, char **argv) {
  		/* assume fsuid==ruid after this point */
  		if ((uid_t)setfsuid(uid) != 0) goto childerr;
@@ -2359,7 +2367,7 @@ index b6abdf5..c05c943 100644
  Generate an additional HTML man pages for the specified domain(s).
  
 diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
-index b25d3b2..6e71f00 100755
+index b25d3b2..1146bb3 100755
 --- a/policycoreutils/sepolicy/sepolicy.py
 +++ b/policycoreutils/sepolicy/sepolicy.py
 @@ -22,6 +22,8 @@
@@ -2551,7 +2559,7 @@ index b25d3b2..6e71f00 100755
      if args.list_admin:
          for a in get_admin():
              print a
-@@ -328,7 +349,7 @@ def interface(args):
+@@ -328,13 +349,13 @@ def interface(args):
          for a in get_user():
              print a
      if args.list:
@@ -2560,6 +2568,13 @@ index b25d3b2..6e71f00 100755
              print m
  
  def generate(args):
+     from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE
+     cmd = None
+-    if args.policytype not in USERS +  [ SANDBOX, NEWTYPE]:
++    if args.policytype in APPLICATIONS:
+         if not args.command:
+             raise ValueError(_("Command required for this type of policy"))
+         cmd = os.path.realpath(args.command)
 @@ -368,10 +389,10 @@ def gen_interface_args(parser):
                              help=_('List SELinux Policy interfaces'))
      group = itf.add_mutually_exclusive_group(required=True)
@@ -2793,7 +2808,7 @@ index 5e7415c..5267ed9 100644
  booleans_dict = None
  def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
 diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
-index 26f8390..898ec43 100644
+index 26f8390..95b3ac0 100644
 --- a/policycoreutils/sepolicy/sepolicy/generate.py
 +++ b/policycoreutils/sepolicy/sepolicy/generate.py
 @@ -63,20 +63,6 @@ except IOError:
@@ -2817,6 +2832,15 @@ index 26f8390..898ec43 100644
  def get_rpm_nvr_from_header(hdr):
      'Given an RPM header return the package NVR as a string'
      name    = hdr['name']
+@@ -164,7 +150,7 @@ def get_poltype_desc():
+     return msg
+         
+ APPLICATIONS = [ DAEMON, DBUS, INETD, USER, CGI ]
+-USERS = [ XUSER, TUSER, LUSER, AUSER, EUSER, RUSER]
++USERS = [ XUSER, TUSER, LUSER, AUSER, RUSER]
+ 
+ def verify_ports(ports):
+     if ports == "":
 @@ -587,7 +573,7 @@ class policy:
          def generate_network_action(self, protocol, action, port_name):
              line = ""
@@ -2826,7 +2850,15 @@ index 26f8390..898ec43 100644
                  line = "%s(%s_t)\n" % (method, self.name)
              else:
                  line = """
-@@ -1037,7 +1023,8 @@ allow %s_t %s_t:%s_socket name_%s;
+@@ -1030,14 +1016,15 @@ allow %s_t %s_t:%s_socket name_%s;
+ 			if len(self.DEFAULT_DIRS[d][1]) > 0:
+ 				# CGI scripts already have a rw_t
+ 				if self.type != CGI or d != "rw":
+-					newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types)
++                                    newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types)
+ 
+                 if self.type != EUSER:
+                     newte +="""
  ########################################
  #
  # %s local policy
@@ -2836,6 +2868,41 @@ index 26f8390..898ec43 100644
                  newte += self.generate_capabilities()
                  newte += self.generate_process()
  		newte += self.generate_network_types()
+@@ -1048,11 +1035,20 @@ allow %s_t %s_t:%s_socket name_%s;
+ 
+                 for d in self.DEFAULT_KEYS:
+ 			if len(self.DEFAULT_DIRS[d][1]) > 0:
+-				newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules)
+-                                for i in self.DEFAULT_DIRS[d][1]:
+-                                        if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]):
+-                                            newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules)
+-                                            break
++                            if self.type == EUSER:
++                                for domain in self.existing_domains:
++                                    newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_rules)
++                            else:
++                                newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules)
++                            for i in self.DEFAULT_DIRS[d][1]:
++                                if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]):
++                                    if self.type == EUSER:
++                                        for domain in self.existing_domains:
++                                            newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_stream_rules)
++                                        
++                                    else:
++                                        newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules)
++                                    break
+ 
+ 		newte += self.generate_tmp_rules()
+ 		newte += self.generate_network_rules()
+@@ -1079,7 +1075,7 @@ allow %s_t %s_t:%s_socket name_%s;
+                 fclist = []
+                 if self.type in USERS +  [ SANDBOX ]:
+                     return executable.fc_user
+-                if self.type != NEWTYPE and not self.program:
++                if self.type not in [ EUSER,  NEWTYPE ] and not self.program:
+                     raise ValueError(_("You must enter the executable path for your confined process"))
+ 
+                 if self.program:
 diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
 index 8b063ca..c9036c3 100644
 --- a/policycoreutils/sepolicy/sepolicy/interface.py

policycoreutils.spec

@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.14
-Release: 24%{?dist}
+Release: 26%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -309,6 +309,13 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Mon Mar 25 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-25
+- Can not unshare IPC in sandbox, since it blows up Xephyr
+- Remove bogus error message sandbox about reseting setfsuid
+
+* Thu Mar 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-24
+- Fix sepolicy generate --customize to generate policy with -w commands
+
 * Thu Mar 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-24
 - sepolgen-ifgen needs to handle filename transition rules containing ":"