From 998c56497f0e9451461f1ef2f1059ba3fd6fd7b8 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Tue, 6 May 2014 18:55:08 +0200
Subject: [PATCH] * Tue May 6 2014 Miroslav Grepl - 2.2.5-15 - Apply patch to use setcon in seunshare from luto@mit.edu

---
 ...Try-to-use-setcurrent-before-setexec.patch | 63 +++++++++++++++++++
 policycoreutils.spec | 8 ++-
 2 files changed, 70 insertions(+), 1 deletion(-)
 create mode 100644 0002-seunshare-Try-to-use-setcurrent-before-setexec.patch

diff --git a/0002-seunshare-Try-to-use-setcurrent-before-setexec.patch b/0002-seunshare-Try-to-use-setcurrent-before-setexec.patch
new file mode 100644
index 0000000..450ad2e
--- /dev/null
+++ b/0002-seunshare-Try-to-use-setcurrent-before-setexec.patch
@@ -0,0 +1,63 @@
+From d355fd3326286a01f82c5c46a8eb99ae2f4a11bb Mon Sep 17 00:00:00 2001
+Message-Id:
+From: Andy Lutomirski
+Date: Wed, 30 Apr 2014 21:59:37 -0700
+Subject: [PATCH] seunshare: Try to use setcurrent before setexec
+
+If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
+libcap-ng set, setexeccon will cause execve to fail. This also
+makes setting selinux context the very last action taken by
+seunshare prior to exec, as it may otherwise cause things to fail.
+
+Note that this won't work without adjusting the system policy to
+allow this use of setcurrent. This rule appears to work:
+
+ allow unconfined_t sandbox_t:process dyntransition;
+
+although a better rule would probably relax the unconfined_t
+restriction.
+
+Signed-off-by: Andy Lutomirski
+---
+ policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
+index 97f3920..fe40757 100644
+--- a/policycoreutils/sandbox/seunshare.c
++++ b/policycoreutils/sandbox/seunshare.c
+@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
+ goto childerr;
+ }
+
+- /* selinux context */
+- if (execcon && setexeccon(execcon) != 0) {
+- fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+- goto childerr;
+- }
+-
+ if (chdir(pwd->pw_dir)) {
+ perror(_("Failed to change dir to homedir"));
+ goto childerr;
+ }
+ setsid();
++
++ /* selinux context */
++ if (execcon) {
++ /* try dyntransition, since no_new_privs can interfere
++ * with setexeccon */
++ if (setcon(execcon) != 0) {
++ /* failed; fall back to setexeccon */
++ if (setexeccon(execcon) != 0) {
++ fprintf(stderr, _("Could not set exec context to %s. 
%s\n"), execcon, strerror(errno));
++ goto childerr;
++ }
++ }
++ }
++
+ execv(argv[optind], argv + optind);
+ fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
+ childerr:
+--
+1.9.0
+

diff --git a/policycoreutils.spec b/policycoreutils.spec
index f3f0c24..aabfbe0 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.2.5
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: GPLv2
 Group: System Environment/Base
 # Based on git repository with tag 20101221
@@ -21,6 +21,7 @@ Source4: sepolicy-icons.tgz
 Patch: policycoreutils-rhat-revert.patch
 Patch1: policycoreutils-sepolicy-manpage.patch
 Patch2: 0001-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
+Patch3: 0002-seunshare-Try-to-use-setcurrent-before-setexec.patch
 #Patch1: policycoreutils-sepolgen.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3
@@ -53,6 +54,8 @@ to switch roles.
 %setup -q -a 1
 %patch -p2 -b .rhat
 %patch2 -p2 -b .man-pages
+%patch3 -p2 -b .seunshare
+#%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
 #%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
 cp %{SOURCE3} gui/
 tar xvf %{SOURCE4}
@@ -384,6 +387,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
+* Tue May 6 2014 Miroslav Grepl - 2.2.5-15
+- Apply patch to use setcon in seunshare from luto@mit.edu
+
 * Wed Apr 30 2014 Dan Walsh - 2.2.5-14
 - Remove requirement for systemd-units
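Review bot: In the new fallback branch of the added seunshare hunk, the errno left by the failed setcon() is overwritten by setexeccon() before the fprintf at the end of the hunk runs, so a policy denial of the dyntransition (which the patch description says needs an explicit allow rule) is reported as if setexeccon had been the only attempt; capture it with `int setcon_errno = errno;` right after the setcon() test and include both reasons in the message. The added comment should also state the policy dependency in the code itself rather than only in the description, e.g. `/* needs a process:dyntransition allow rule in policy; a denial here is expected on stock policy and we fall back to setexeccon */`, since presumably a denied setcon() shows up in the audit log on every run on such systems and whoever triages those denials needs to know they are benign. When setcon() does succeed the process is already in the target domain when execv() runs, so — as far as can be told from this hunk — the exec-time transition no longer happens and the command's execute permission is judged against the target domain; worth a sentence in the same comment. main() starts and ends outside this hunk, and the policycoreutils.spec hunks are release, Patch3 and changelog bookkeeping only.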