* Tue May 6 2014 Miroslav Grepl <mgreplh@redhat.com> - 2.2.5-15

- Apply patch to use setcon in seunshare from luto@mit.edu
2014-05-06 18:55:08 +02:00 · 2014-05-06 18:55:08 +02:00 · 998c56497f
commit 998c56497f
parent 78088dae9e
2 changed files with 70 additions and 1 deletions
--- a/0002-seunshare-Try-to-use-setcurrent-before-setexec.patch
+++ b/0002-seunshare-Try-to-use-setcurrent-before-setexec.patch
@ -0,0 +1,63 @@
 From d355fd3326286a01f82c5c46a8eb99ae2f4a11bb Mon Sep 17 00:00:00 2001
 Message-Id: <d355fd3326286a01f82c5c46a8eb99ae2f4a11bb.1398921725.git.luto@amacapital.net>
 From: Andy Lutomirski <luto@amacapital.net>
 Date: Wed, 30 Apr 2014 21:59:37 -0700
 Subject: [PATCH] seunshare: Try to use setcurrent before setexec
 If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
 libcap-ng set, setexeccon will cause execve to fail.  This also
 makes setting selinux context the very last action taken by
 seunshare prior to exec, as it may otherwise cause things to fail.
 Note that this won't work without adjusting the system policy to
 allow this use of setcurrent.  This rule appears to work:
    allow unconfined_t sandbox_t:process dyntransition;
 although a better rule would probably relax the unconfined_t
 restriction.
 Signed-off-by: Andy Lutomirski <luto@amacapital.net>
 ---
 policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
 diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
 index 97f3920..fe40757 100644
 --- a/policycoreutils/sandbox/seunshare.c
 +++ b/policycoreutils/sandbox/seunshare.c
@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
 			goto childerr;
 		}
 -		/* selinux context */
 -		if (execcon && setexeccon(execcon) != 0) {
 -			fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
 -			goto childerr;
 -		}
 -
 		if (chdir(pwd->pw_dir)) {
 			perror(_("Failed to change dir to homedir"));
 			goto childerr;
 		}
 		setsid();
 +
 +		/* selinux context */
 +		if (execcon) {
 +			/* try dyntransition, since no_new_privs can interfere
 +			 * with setexeccon */
 +			if (setcon(execcon) != 0) {
 +				/* failed; fall back to setexeccon */
 +				if (setexeccon(execcon) != 0) {
 +					fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
 +					goto childerr;
 +				}
 +			}
 +		}
 +
 		execv(argv[optind], argv + optind);
 		fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
 childerr:
 -- 
 1.9.0
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.2.5
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@ -21,6 +21,7 @@ Source4: sepolicy-icons.tgz
 Patch:   policycoreutils-rhat-revert.patch
 Patch1:  policycoreutils-sepolicy-manpage.patch
 Patch2:  0001-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
 Patch3:  0002-seunshare-Try-to-use-setcurrent-before-setexec.patch
 #Patch1:	 policycoreutils-sepolgen.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3
@ -53,6 +54,8 @@ to switch roles.
 %setup -q -a 1
 %patch -p2 -b .rhat
 %patch2 -p2 -b .man-pages
 %patch3 -p2 -b .seunshare
 #%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
 #%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
 cp %{SOURCE3} gui/
 tar xvf %{SOURCE4}
@ -384,6 +387,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
 * Tue May 6 2014 Miroslav Grepl <mgreplh@redhat.com> - 2.2.5-15
 - Apply patch to use setcon in seunshare from luto@mit.edu
 * Wed Apr 30 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.5-14
 - Remove requirement for systemd-units