Can not unshare IPC in sandbox, since it blows up Xephyr
- Remove bogus sandbox error message about resetting setfsuid
		
							parent
							
								
									c1e35cdc89
								
							
						
					
					
						commit
						98c418def3
					
				| @ -1470,20 +1470,28 @@ index 23de6f6..171bb05 100644 | ||||
|      export DISPLAY=:$D | ||||
|      cat > ~/seremote << __EOF | ||||
| diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
 | ||||
| index dbd5977..68a80c7 100644
 | ||||
| index dbd5977..b3f1275 100644
 | ||||
| --- a/policycoreutils/sandbox/seunshare.c
 | ||||
| +++ b/policycoreutils/sandbox/seunshare.c
 | ||||
| @@ -961,8 +961,9 @@ int main(int argc, char **argv) {
 | ||||
| @@ -617,8 +617,8 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src,
 | ||||
|  	free(cmdbuf); cmdbuf = NULL; | ||||
|   | ||||
|  	/* remove runtime temporary directory */ | ||||
| -	if ((uid_t)setfsuid(0) != pwd->pw_uid) {
 | ||||
| -		fprintf(stderr, _("Unable to switch to root to clear tmp dir\n"));
 | ||||
| +	if ((uid_t)setfsuid(0) != 0) {
 | ||||
| +		/* setfsuid does not return errror, but this check makes code checkers happy */
 | ||||
|  		rc++; | ||||
|  	} | ||||
|   | ||||
| @@ -961,6 +961,7 @@ int main(int argc, char **argv) {
 | ||||
|  		char *display = NULL; | ||||
|  		char *LANG = NULL; | ||||
|  		int rc = -1; | ||||
| +		char *resolved_path = NULL;
 | ||||
|   | ||||
| -		if (unshare(CLONE_NEWNS) < 0) {
 | ||||
| +		if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) {
 | ||||
|  		if (unshare(CLONE_NEWNS) < 0) { | ||||
|  			perror(_("Failed to unshare")); | ||||
|  			goto childerr; | ||||
|  		} | ||||
| @@ -977,8 +978,10 @@ int main(int argc, char **argv) {
 | ||||
|  		/* assume fsuid==ruid after this point */ | ||||
|  		if ((uid_t)setfsuid(uid) != 0) goto childerr; | ||||
| @ -2359,7 +2367,7 @@ index b6abdf5..c05c943 100644 | ||||
|  Generate an additional HTML man pages for the specified domain(s). | ||||
|   | ||||
| diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
 | ||||
| index b25d3b2..6e71f00 100755
 | ||||
| index b25d3b2..1146bb3 100755
 | ||||
| --- a/policycoreutils/sepolicy/sepolicy.py
 | ||||
| +++ b/policycoreutils/sepolicy/sepolicy.py
 | ||||
| @@ -22,6 +22,8 @@
 | ||||
| @ -2551,7 +2559,7 @@ index b25d3b2..6e71f00 100755 | ||||
|      if args.list_admin: | ||||
|          for a in get_admin(): | ||||
|              print a | ||||
| @@ -328,7 +349,7 @@ def interface(args):
 | ||||
| @@ -328,13 +349,13 @@ def interface(args):
 | ||||
|          for a in get_user(): | ||||
|              print a | ||||
|      if args.list: | ||||
| @ -2560,6 +2568,13 @@ index b25d3b2..6e71f00 100755 | ||||
|              print m | ||||
|   | ||||
|  def generate(args): | ||||
|      from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE | ||||
|      cmd = None | ||||
| -    if args.policytype not in USERS +  [ SANDBOX, NEWTYPE]:
 | ||||
| +    if args.policytype in APPLICATIONS:
 | ||||
|          if not args.command: | ||||
|              raise ValueError(_("Command required for this type of policy")) | ||||
|          cmd = os.path.realpath(args.command) | ||||
| @@ -368,10 +389,10 @@ def gen_interface_args(parser):
 | ||||
|                              help=_('List SELinux Policy interfaces')) | ||||
|      group = itf.add_mutually_exclusive_group(required=True) | ||||
| @ -2793,7 +2808,7 @@ index 5e7415c..5267ed9 100644 | ||||
|  booleans_dict = None | ||||
|  def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"): | ||||
| diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
 | ||||
| index 26f8390..898ec43 100644
 | ||||
| index 26f8390..95b3ac0 100644
 | ||||
| --- a/policycoreutils/sepolicy/sepolicy/generate.py
 | ||||
| +++ b/policycoreutils/sepolicy/sepolicy/generate.py
 | ||||
| @@ -63,20 +63,6 @@ except IOError:
 | ||||
| @ -2817,6 +2832,15 @@ index 26f8390..898ec43 100644 | ||||
|  def get_rpm_nvr_from_header(hdr): | ||||
|      'Given an RPM header return the package NVR as a string' | ||||
|      name    = hdr['name'] | ||||
| @@ -164,7 +150,7 @@ def get_poltype_desc():
 | ||||
|      return msg | ||||
|           | ||||
|  APPLICATIONS = [ DAEMON, DBUS, INETD, USER, CGI ] | ||||
| -USERS = [ XUSER, TUSER, LUSER, AUSER, EUSER, RUSER]
 | ||||
| +USERS = [ XUSER, TUSER, LUSER, AUSER, RUSER]
 | ||||
|   | ||||
|  def verify_ports(ports): | ||||
|      if ports == "": | ||||
| @@ -587,7 +573,7 @@ class policy:
 | ||||
|          def generate_network_action(self, protocol, action, port_name): | ||||
|              line = "" | ||||
| @ -2826,7 +2850,15 @@ index 26f8390..898ec43 100644 | ||||
|                  line = "%s(%s_t)\n" % (method, self.name) | ||||
|              else: | ||||
|                  line = """ | ||||
| @@ -1037,7 +1023,8 @@ allow %s_t %s_t:%s_socket name_%s;
 | ||||
| @@ -1030,14 +1016,15 @@ allow %s_t %s_t:%s_socket name_%s;
 | ||||
|  			if len(self.DEFAULT_DIRS[d][1]) > 0: | ||||
|  				# CGI scripts already have a rw_t | ||||
|  				if self.type != CGI or d != "rw": | ||||
| -					newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types)
 | ||||
| +                                    newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types)
 | ||||
|   | ||||
|                  if self.type != EUSER: | ||||
|                      newte +=""" | ||||
|  ######################################## | ||||
|  # | ||||
|  # %s local policy | ||||
| @ -2836,6 +2868,41 @@ index 26f8390..898ec43 100644 | ||||
|                  newte += self.generate_capabilities() | ||||
|                  newte += self.generate_process() | ||||
|  		newte += self.generate_network_types() | ||||
| @@ -1048,11 +1035,20 @@ allow %s_t %s_t:%s_socket name_%s;
 | ||||
|   | ||||
|                  for d in self.DEFAULT_KEYS: | ||||
|  			if len(self.DEFAULT_DIRS[d][1]) > 0: | ||||
| -				newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules)
 | ||||
| -                                for i in self.DEFAULT_DIRS[d][1]:
 | ||||
| -                                        if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]):
 | ||||
| -                                            newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules)
 | ||||
| -                                            break
 | ||||
| +                            if self.type == EUSER:
 | ||||
| +                                for domain in self.existing_domains:
 | ||||
| +                                    newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_rules)
 | ||||
| +                            else:
 | ||||
| +                                newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules)
 | ||||
| +                            for i in self.DEFAULT_DIRS[d][1]:
 | ||||
| +                                if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]):
 | ||||
| +                                    if self.type == EUSER:
 | ||||
| +                                        for domain in self.existing_domains:
 | ||||
| +                                            newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_stream_rules)
 | ||||
| +                                        
 | ||||
| +                                    else:
 | ||||
| +                                        newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules)
 | ||||
| +                                    break
 | ||||
|   | ||||
|  		newte += self.generate_tmp_rules() | ||||
|  		newte += self.generate_network_rules() | ||||
| @@ -1079,7 +1075,7 @@ allow %s_t %s_t:%s_socket name_%s;
 | ||||
|                  fclist = [] | ||||
|                  if self.type in USERS +  [ SANDBOX ]: | ||||
|                      return executable.fc_user | ||||
| -                if self.type != NEWTYPE and not self.program:
 | ||||
| +                if self.type not in [ EUSER,  NEWTYPE ] and not self.program:
 | ||||
|                      raise ValueError(_("You must enter the executable path for your confined process")) | ||||
|   | ||||
|                  if self.program: | ||||
| diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
 | ||||
| index 8b063ca..c9036c3 100644
 | ||||
| --- a/policycoreutils/sepolicy/sepolicy/interface.py
 | ||||
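Review bot: In the cleanup_tmpdir hunk of seunshare.c, the new condition `(uid_t)setfsuid(0) != 0` tests the return value of setfsuid, which is the previous filesystem UID and not a success indicator, so it cannot tell whether the switch to root took effect before the temporary directory is removed. It also increments `rc` whenever the prior fsuid was non-zero, which looks likely for an unprivileged caller, though the rest of the function is outside the hunk. If a real check is wanted, read the value back after the call, for example `setfsuid(0); if ((uid_t)setfsuid(-1) != 0) rc++;`, and keep a diagnostic on stderr so a failed cleanup is not silent. In main(), where `unshare(CLONE_NEWNS)` no longer includes `CLONE_NEWIPC`, a comment such as `/* IPC namespace is intentionally left shared: unsharing it breaks Xephyr */` would record the reduced isolation for later readers.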
|  | ||||
| @ -7,7 +7,7 @@ | ||||
| Summary: SELinux policy core utilities | ||||
| Name:	 policycoreutils | ||||
| Version: 2.1.14 | ||||
| Release: 24%{?dist} | ||||
| Release: 26%{?dist} | ||||
| License: GPLv2 | ||||
| Group:	 System Environment/Base | ||||
| # Based on git repository with tag 20101221 | ||||
| @ -309,6 +309,13 @@ The policycoreutils-restorecond package contains the restorecond service. | ||||
| %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || : | ||||
| 
 | ||||
| %changelog | ||||
| * Mon Mar 25 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-25 | ||||
| - Can not unshare IPC in sandbox, since it blows up Xephyr | ||||
| - Remove bogus error message sandbox about reseting setfsuid | ||||
| 
 | ||||
| * Thu Mar 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-24 | ||||
| - Fix sepolicy generate --customize to generate policy with -w commands | ||||
| 
 | ||||
| * Thu Mar 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-24 | ||||
| - sepolgen-ifgen needs to handle filename transition rules containing ":" | ||||
| 
 | ||||
|  | ||||