rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

* Wed Dec 16 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-5

Browse Source 
- If restorecond running as a user has no files to watch then it should exit.  (NFS Homedirs)
This commit is contained in:
Daniel J Walsh 2009-12-16 13:21:49 +00:00
parent 79944fd474
commit a1bf0daa6c
4 changed files with 1573 additions and 991 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2181
policycoreutils-po.patch
View File

File diff suppressed because it is too large Load Diff

336
policycoreutils-rhat.patch
View File

@ -140,7 +140,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.78/restorecond/Makefile
--- nsapolicycoreutils/restorecond/Makefile 2009-08-20 15:49:21.000000000 -0400
+++ policycoreutils-2.0.78/restorecond/Makefile 2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/Makefile 2009-12-16 08:16:15.000000000 -0500
@@ -1,17 +1,28 @@
# Installation directories.
PREFIX ?= ${DESTDIR}/usr
@ -189,14 +189,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
/sbin/restorecon $(SBINDIR)/restorecond
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service
--- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service 2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/org.selinux.Restorecond.service 2009-12-16 08:16:16.000000000 -0500
@@ -0,0 +1,3 @@
+[D-BUS Service]
+Name=org.selinux.Restorecond
+Exec=/usr/sbin/restorecond -u
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.8 policycoreutils-2.0.78/restorecond/restorecond.8
--- nsapolicycoreutils/restorecond/restorecond.8 2009-08-20 15:49:21.000000000 -0400
+++ policycoreutils-2.0.78/restorecond/restorecond.8 2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond.8 2009-12-16 08:16:16.000000000 -0500
@@ -3,7 +3,7 @@
restorecond \- daemon that watches for file creation and then sets the default SELinux file context
@ -233,7 +233,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
.BR restorecon (8),
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.78/restorecond/restorecond.c
--- nsapolicycoreutils/restorecond/restorecond.c 2009-08-20 15:49:21.000000000 -0400
+++ policycoreutils-2.0.78/restorecond/restorecond.c 2009-12-09 16:29:18.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond.c 2009-12-16 08:16:17.000000000 -0500
@@ -30,9 +30,11 @@
* and makes sure that there security context matches the systems defaults
*
@ -670,7 +670,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
/* Register sighandlers */
sa.sa_flags = 0;
@@ -467,38 +174,59 @@
@@ -467,38 +174,60 @@
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
@ -679,6 +679,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
- exitApp("inotify_init");
-
- while ((opt = getopt(argc, argv, "dv")) > 0) {
+ exclude_non_seclabel_mounts();
+ atexit( done );
+ while ((opt = getopt(argc, argv, "df:uv")) > 0) {
switch (opt) {
@ -741,7 +742,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.78/restorecond/restorecond.conf
--- nsapolicycoreutils/restorecond/restorecond.conf 2009-08-20 15:49:21.000000000 -0400
+++ policycoreutils-2.0.78/restorecond/restorecond.conf 2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond.conf 2009-12-16 08:16:18.000000000 -0500
@@ -4,8 +4,5 @@
/etc/mtab
/var/run/utmp
@ -754,7 +755,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
-
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.78/restorecond/restorecond.desktop
--- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond.desktop 2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond.desktop 2009-12-16 08:16:19.000000000 -0500
@@ -0,0 +1,7 @@
+[Desktop Entry]
+Name=File Context maintainer
@ -765,8 +766,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+StartupNotify=false
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.78/restorecond/restorecond.h
--- nsapolicycoreutils/restorecond/restorecond.h 2009-08-20 15:49:21.000000000 -0400
+++ policycoreutils-2.0.78/restorecond/restorecond.h 2009-12-08 17:05:49.000000000 -0500
@@ -24,7 +24,21 @@
+++ policycoreutils-2.0.78/restorecond/restorecond.h 2009-12-16 08:16:20.000000000 -0500
@@ -24,7 +24,22 @@
#ifndef RESTORED_CONFIG_H
#define RESTORED_CONFIG_H
@ -788,11 +789,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+extern void watch_list_add(int inotify_fd, const char *path);
+extern int watch_list_find(int wd, const char *file);
+extern void watch_list_free(int fd);
+extern int watch_list_isempty();
#endif
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.init policycoreutils-2.0.78/restorecond/restorecond.init
--- nsapolicycoreutils/restorecond/restorecond.init 2009-08-20 15:49:21.000000000 -0400
+++ policycoreutils-2.0.78/restorecond/restorecond.init 2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond.init 2009-12-16 08:16:21.000000000 -0500
@@ -75,16 +75,15 @@
status restorecond
RETVAL=$?
@ -814,14 +816,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
-
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.78/restorecond/restorecond_user.conf
--- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond_user.conf 2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/restorecond_user.conf 2009-12-16 08:16:22.000000000 -0500
@@ -0,0 +1,2 @@
+~/*
+~/public_html/*
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.78/restorecond/user.c
--- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/user.c 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,237 @@
+++ policycoreutils-2.0.78/restorecond/user.c 2009-12-16 08:16:24.000000000 -0500
@@ -0,0 +1,239 @@
+/*
+ * restorecond
+ *
@ -1046,6 +1048,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+
+ read_config(master_fd, watch_file);
+
+ if (watch_list_isempty()) return 0;
+
+ set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
+
+ GIOChannel *c = g_io_channel_unix_new(master_fd);
@ -1061,8 +1065,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.78/restorecond/watch.c
--- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/restorecond/watch.c 2009-12-09 16:31:48.000000000 -0500
@@ -0,0 +1,254 @@
+++ policycoreutils-2.0.78/restorecond/watch.c 2009-12-16 08:16:27.000000000 -0500
@@ -0,0 +1,260 @@
+#define _GNU_SOURCE
+#include <sys/inotify.h>
+#include <errno.h>
@ -1099,6 +1103,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+};
+struct watchList *firstDir = NULL;
+
+int watch_list_isempty() {
+ return firstDir == NULL;
+}
+
+void watch_list_add(int fd, const char *path)
+{
@ -1112,6 +1119,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ char *dir = dirname(x);
+ ptr = firstDir;
+
+ if (exclude(path)) return;
+
+ globbuf.gl_offs = 1;
+ if (glob(path,
+ GLOB_TILDE | GLOB_PERIOD,
@ -1226,6 +1235,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+{
+ char buf[BUF_LEN];
+ int len, i = 0;
+ if (firstDir == NULL) return 0;
+
+ len = read(fd, buf, BUF_LEN);
+ if (len < 0) {
+ if (terminate == 0) {
@ -1316,7 +1327,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ if (master_wd == -1)
+ exitApp("Error watching config file.");
+}
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.78/sandbox/deliverables/basicwrapper
--- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/deliverables/basicwrapper 2009-12-08 17:05:49.000000000 -0500
@ -1671,10 +1681,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+relabel:
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.78/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/sandbox 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,253 @@
+++ policycoreutils-2.0.78/sandbox/sandbox 2009-12-14 09:35:48.000000000 -0500
@@ -0,0 +1,272 @@
+#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl, shutil
+import os, sys, getopt, socket, random, fcntl, shutil, re
+import selinux
+import signal
+
@ -1779,17 +1789,25 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ copyfile(f,homedir, newhomedir)
+ copyfile(f,"/tmp", newtmpdir)
+
+def savefile(new, orig):
+ import gtk
+ dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
+ gtk.BUTTONS_YES_NO,
+ _("Do you want to save changes to '%s' (Y/N): ") % orig)
+ dlg.set_title(_("Sandbox Message"))
+ dlg.set_position(gtk.WIN_POS_MOUSE)
+ dlg.show_all()
+ rc = dlg.run()
+ dlg.destroy()
+ if rc == gtk.RESPONSE_YES:
+def savefile(new, orig, X_ind):
+ copy = False
+ if(X_ind):
+ import gtk
+ dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
+ gtk.BUTTONS_YES_NO,
+ _("Do you want to save changes to '%s' (Y/N): ") % orig)
+ dlg.set_title(_("Sandbox Message"))
+ dlg.set_position(gtk.WIN_POS_MOUSE)
+ dlg.show_all()
+ rc = dlg.run()
+ dlg.destroy()
+ if rc == gtk.RESPONSE_YES:
+ copy = True
+ else:
+ ans = raw_input(_("Do you want to save changes to '%s' (y/N): ") % orig)
+ if(re.match(_("[yY]"),ans)):
+ copy = True
+ if(copy):
+ shutil.copy2(new,orig)
+
+if __name__ == '__main__':
@ -1801,19 +1819,21 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+
+ def usage(message = ""):
+ text = _("""
+sandbox [-h] [-I includefile ] [[-i file ] ...] [ -t type ] command
+sandbox [-h] [-X] [-M][-I includefile ] [[-i file ] ...] [ -t type ] command
+""")
+ error_exit("%s\n%s" % (message, text))
+
+ setype = DEFAULT_TYPE
+ X_ind = False
+ home_and_temp = False
+ level=None
+ try:
+ gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:",
+ gopts, cmds = getopt.getopt(sys.argv[1:], "l:i:ht:XI:M",
+ ["help",
+ "include=",
+ "includefile=",
+ "type=",
+ "mount",
+ "level="
+ ])
+ for o, a in gopts:
@ -1842,6 +1862,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ if DEFAULT_TYPE == setype:
+ setype = DEFAULT_X_TYPE
+ X_ind = True
+ home_and_temp = True
+ if o == "-M" or o == "--mount":
+ home_and_temp = True
+
+ if o == "-h" or o == "--help":
+ usage(_("Usage"));
@ -1862,9 +1885,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+ try:
+ newhomedir = None
+ newtmpdir = None
+ if X_ind:
+ if home_and_temp:
+ if not os.path.exists("/usr/sbin/seunshare"):
+ raise ValueError("""/usr/sbin/seunshare required for sandbox -X, to install you need to execute
+ raise ValueError("""/usr/sbin/seunshare required for sandbox -M, to install you need to execute
+#yum install /usr/sbin/seunshare""")
+ import warnings
+ warnings.simplefilter("ignore")
@ -1891,21 +1914,27 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+""" % " ".join(paths))
+ fd.close()
+ os.chmod(execfile, 0700)
+
+ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split()
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ if X_ind:
+ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split()
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ else:
+ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s " % (newtmpdir, newhomedir, execcon)).split()+cmds
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(execcon)
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(None)
+ for i in paths:
+ if i not in X_FILES:
+ continue
+ (dest, mtime) = X_FILES[i]
+ if os.path.getmtime(dest) > mtime:
+ savefile(dest, i)
+ savefile(dest, i, X_ind)
+ else:
+ selinux.setexeccon(execcon)
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(None)
+ finally:
+ if X_ind:
+ if home_and_temp:
+ if newhomedir:
+ shutil.rmtree(newhomedir)
+ if newtmpdir:
@ -1928,30 +1957,43 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.78/sandbox/sandbox.8
--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.78/sandbox/sandbox.8 2009-12-08 17:05:49.000000000 -0500
@@ -0,0 +1,26 @@
+++ policycoreutils-2.0.78/sandbox/sandbox.8 2009-12-14 09:37:40.000000000 -0500
@@ -0,0 +1,39 @@
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
+.SH NAME
+sandbox \- Run cmd under an SELinux sandbox
+.SH SYNOPSIS
+.B sandbox
+[-X] [[-i file ]...] [ -t type ] cmd
+[-M] [-X] [-I includefile ] [[-i file ]...] [ -t type ] cmd
+.br
+.SH DESCRIPTION
+.PP
+Run application within a tightly confined SELinux domain, The default sandbox allows the application to only read and write stdin and stdout along with files handled to it by the shell.
+Additionaly a -X qualifier allows you to run sandboxed X applications. These apps will start up their own X Server and create a temporary homedir and /tmp. The default policy does not allow any capabilities or network access. Also prevents all access to the users other processes and files. Any file specified on the command line will be copied into the sandbox.
+Run the
+.I cmd
+application within a tightly confined SELinux domain. The default sandbox domain only allows applications the ability to read and write stdin, stdout and any other file descriptors handed to it. It is not allowed to open any other files.
+
+If you have the
+.I policycoreutils-sandbox
+package installed, you can use the -X option.
+.B sandbox -X
+allows you to run sandboxed X applications. These applications will start up their own X Server and create a temporary homedir and /tmp. The default policy does not allow any capabilities or network access. It also prevents all access to the users other processes and files. Any file specified on the command line will be copied into the sandbox.
+.PP
+.TP
+\fB\-t type\fR
+Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X.
+.TP
+\fB\-i file\fR
+Copy this file into the temporary sandbox homedir. Command can be repeated.
+Copy this file into the temporary sandbox appriate. Command can be repeated.
+.TP
+\fB\-I inputfile\fR
+Copy all files listed in inputfile into the appropriate temporary sandbox direcories.
+.TP
+\fB\-X\fR
+Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, seconday Xserver, defaults to sandbox_x_t
+.TP
+\fB\-M\fR
+Create a Sandbox with temporary files for $HOME and /tmp, defaults to sandbox_t
+.TP
+.SH "SEE ALSO"
+.TP
+runcon(1)
@ -3360,8 +3402,24 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
}
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.78/setfiles/restore.c
--- nsapolicycoreutils/setfiles/restore.c 2009-11-03 09:21:40.000000000 -0500
+++ policycoreutils-2.0.78/setfiles/restore.c 2009-12-08 17:05:49.000000000 -0500
@@ -303,6 +303,12 @@
+++ policycoreutils-2.0.78/setfiles/restore.c 2009-12-16 08:14:21.000000000 -0500
@@ -31,7 +31,6 @@
static file_spec_t *fl_head;
-static int exclude(const char *file);
static int filespec_add(ino_t ino, const security_context_t con, const char *file);
static int only_changed_user(const char *a, const char *b);
struct restore_opts *r_opts = NULL;
@@ -53,7 +52,6 @@
}
}
return;
-
}
void restore_init(struct restore_opts *opts)
@@ -303,6 +301,12 @@
FTS *fts_handle;
FTSENT *ftsent;
@ -3374,7 +3432,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
fts_handle = fts_open((char **)namelist, r_opts->fts_flags, NULL);
if (fts_handle == NULL) {
fprintf(stderr,
@@ -374,6 +380,7 @@
@@ -374,6 +378,7 @@
} else {
rc = lstat(name, &sb);
if (rc < 0) {
@ -3382,9 +3440,86 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
fprintf(stderr, "%s: lstat(%s) failed: %s\n",
r_opts->progname, name, strerror(errno));
return -1;
@@ -409,7 +414,7 @@
}
}
-static int exclude(const char *file)
+int exclude(const char *file)
{
int i = 0;
for (i = 0; i < excludeCtr; i++) {
@@ -602,5 +607,67 @@
return -1;
}
+#include <sys/utsname.h>
+/*
+ Search /proc/mounts for all file systems that do not support extended
+ attributes and add them to the exclude directory table. File systems
+ that support security labels have the seclabel option.
+*/
+void exclude_non_seclabel_mounts()
+{
+ struct utsname uts;
+ FILE *fp;
+ size_t len;
+ ssize_t num;
+ int index = 0, found = 0;
+ char *mount_info[4];
+ char *buf = NULL, *item;
+
+ /* Check to see if the kernel supports seclabel */
+ if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0)
+ return;
+ if (is_selinux_enabled() <= 0)
+ return;
+
+ fp = fopen("/proc/mounts", "r");
+ if (!fp)
+ return;
+ while ((num = getline(&buf, &len, fp)) != -1) {
+ found = 0;
+ index = 0;
+ item = strtok(buf, " ");
+ while (item != NULL) {
+ mount_info[index] = item;
+ if (index == 3)
+ break;
+ index++;
+ item = strtok(NULL, " ");
+ }
+ if (index < 3) {
+ fprintf(stderr,
+ "/proc/mounts record \"%s\" has incorrect format.\n",
+ buf);
+ continue;
+ }
+
+ /* remove pre-existing entry */
+ remove_exclude(mount_info[1]);
+
+ item = strtok(mount_info[3], ",");
+ while (item != NULL) {
+ if (strcmp(item, "seclabel") == 0) {
+ found = 1;
+ break;
+ }
+ item = strtok(NULL, ",");
+ }
+
+ /* exclude mount points without the seclabel option */
+ if (!found)
+ add_exclude(mount_info[1]);
+ }
+
+ free(buf);
+}
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restorecon.8 policycoreutils-2.0.78/setfiles/restorecon.8
--- nsapolicycoreutils/setfiles/restorecon.8 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.78/setfiles/restorecon.8 2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/setfiles/restorecon.8 2009-12-16 08:14:22.000000000 -0500
@@ -4,10 +4,10 @@
.SH "SYNOPSIS"
@ -3410,7 +3545,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
show changes in file labels.
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.78/setfiles/restore.h
--- nsapolicycoreutils/setfiles/restore.h 2009-11-03 09:21:40.000000000 -0500
+++ policycoreutils-2.0.78/setfiles/restore.h 2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/setfiles/restore.h 2009-12-16 08:14:23.000000000 -0500
@@ -27,6 +27,7 @@
int hard_links;
int verbose;
@ -3419,10 +3554,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
char *rootpath;
int rootpathlen;
char *progname;
Binary files nsapolicycoreutils/setfiles/restore.o and policycoreutils-2.0.78/setfiles/restore.o differ
@@ -44,7 +45,9 @@
void restore_init(struct restore_opts *opts);
void restore_finish();
int add_exclude(const char *directory);
+int exclude(const char *path);
void remove_exclude(const char *directory);
int process_one_realpath(char *name, int recurse);
+void exclude_non_seclabel_mounts();
#endif
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.8 policycoreutils-2.0.78/setfiles/setfiles.8
--- nsapolicycoreutils/setfiles/setfiles.8 2008-08-28 09:34:24.000000000 -0400
+++ policycoreutils-2.0.78/setfiles/setfiles.8 2009-12-08 17:05:49.000000000 -0500
+++ policycoreutils-2.0.78/setfiles/setfiles.8 2009-12-16 08:14:25.000000000 -0500
@@ -31,6 +31,9 @@
.TP
.B \-n
@ -3435,8 +3579,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
suppress non-error output.
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.78/setfiles/setfiles.c
--- nsapolicycoreutils/setfiles/setfiles.c 2009-11-03 09:21:40.000000000 -0500
+++ policycoreutils-2.0.78/setfiles/setfiles.c 2009-12-09 16:28:55.000000000 -0500
@@ -25,7 +25,6 @@
+++ policycoreutils-2.0.78/setfiles/setfiles.c 2009-12-16 08:14:26.000000000 -0500
@@ -5,7 +5,6 @@
#include <ctype.h>
#include <regex.h>
#include <sys/vfs.h>
-#include <sys/utsname.h>
#define __USE_XOPEN_EXTENDED 1 /* nftw */
#include <libgen.h>
#ifdef USE_AUDIT
@@ -25,7 +24,6 @@
static int warn_no_match = 0;
static int null_terminated = 0;
static int errors;
@ -3444,7 +3596,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
static struct restore_opts r_opts;
#define STAT_BLOCK_SIZE 1
@@ -44,13 +43,13 @@
@@ -44,13 +42,13 @@
{
if (iamrestorecon) {
fprintf(stderr,
@ -3460,7 +3612,77 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
name);
}
exit(1);
@@ -335,7 +334,7 @@
@@ -138,69 +136,6 @@
#endif
}
-/*
- Search /proc/mounts for all file systems that do not support extended
- attributes and add them to the exclude directory table. File systems
- that support security labels have the seclabel option.
-*/
-static void exclude_non_seclabel_mounts()
-{
- struct utsname uts;
- FILE *fp;
- size_t len;
- ssize_t num;
- int index = 0, found = 0;
- char *mount_info[4];
- char *buf = NULL, *item;
-
- /* Check to see if the kernel supports seclabel */
- if (uname(&uts) == 0 && strverscmp(uts.release, "2.6.30") < 0)
- return;
- if (is_selinux_enabled() <= 0)
- return;
-
- fp = fopen("/proc/mounts", "r");
- if (!fp)
- return;
-
- while ((num = getline(&buf, &len, fp)) != -1) {
- found = 0;
- index = 0;
- item = strtok(buf, " ");
- while (item != NULL) {
- mount_info[index] = item;
- if (index == 3)
- break;
- index++;
- item = strtok(NULL, " ");
- }
- if (index < 3) {
- fprintf(stderr,
- "/proc/mounts record \"%s\" has incorrect format.\n",
- buf);
- continue;
- }
-
- /* remove pre-existing entry */
- remove_exclude(mount_info[1]);
-
- item = strtok(mount_info[3], ",");
- while (item != NULL) {
- if (strcmp(item, "seclabel") == 0) {
- found = 1;
- break;
- }
- item = strtok(NULL, ",");
- }
-
- /* exclude mount points without the seclabel option */
- if (!found)
- add_exclude(mount_info[1]);
- }
-
- free(buf);
-}
-
int main(int argc, char **argv)
{
struct stat sb;
@@ -335,7 +270,7 @@
r_opts.debug = 1;
break;
case 'i':
@ -3469,7 +3691,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
break;
case 'l':
r_opts.logging = 1;
@@ -371,7 +370,7 @@
@@ -371,7 +306,7 @@
break;
}
if (optind + 1 >= argc) {

37
policycoreutils-sepolgen.patch
View File

@ -1,6 +1,6 @@
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py
--- nsasepolgen/src/sepolgen/access.py 2009-05-18 13:53:14.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py 2009-12-08 17:02:52.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/access.py 2009-12-08 17:05:49.000000000 -0500
@@ -32,6 +32,7 @@
"""
@ -56,7 +56,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/access.py policyco
if audit_msg:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py
--- nsasepolgen/src/sepolgen/audit.py 2009-12-01 15:46:50.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2009-12-08 17:02:17.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/audit.py 2009-12-08 17:05:49.000000000 -0500
@@ -23,6 +23,27 @@
# Convenience functions
@ -194,7 +194,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/audit.py policycor
-
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py
--- nsasepolgen/src/sepolgen/policygen.py 2008-09-12 11:48:15.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2009-12-08 17:03:16.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/policygen.py 2009-12-16 08:20:45.000000000 -0500
@@ -29,6 +29,8 @@
import access
import interfaces
@ -213,13 +213,15 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
def set_gen_refpol(self, if_set=None, perm_maps=None):
"""Set whether reference policy interfaces are generated.
@@ -144,8 +146,32 @@
@@ -144,8 +146,35 @@
def __add_allow_rules(self, avs):
for av in avs:
rule = refpolicy.AVRule(av)
+ rule.comment = ""
if self.explain:
rule.comment = refpolicy.Comment(explain_access(av, verbosity=self.explain))
+ if av.type == audit2why.ALLOW:
+ rule.comment += "#!!!! This avc is allowed in the current policy\n"
+ if av.type == audit2why.DONTAUDIT:
+ rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
+ if av.type == audit2why.BOOLEAN:
@ -231,24 +233,25 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/policygen.py polic
+ if av.type == audit2why.CONSTRAINT:
+ rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
+ if av.type == audit2why.TERULE:
+ if "open" in av.perms and "write" in av.perms:
+ if not self.domains:
+ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
+ types=[]
+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
+ if i not in self.domains:
+ types.append(i)
+ if len(types) == 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ elif len(types) >= 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ if "write" in av.perms:
+ if "dir" in av.obj_class or "open" in av.perms:
+ if not self.domains:
+ self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"]
+ types=[]
+ for i in map(lambda x: x[TCONTEXT], sesearch([ALLOW], {SCONTEXT: av.src_type, CLASS: av.obj_class, PERMS: av.perms})):
+ if i not in self.domains:
+ types.append(i)
+ if len(types) == 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+ elif len(types) >= 1:
+ rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+
self.module.children.append(rule)
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py
--- nsasepolgen/src/sepolgen/refparser.py 2009-10-29 15:21:39.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:01:22.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refparser.py 2009-12-08 17:05:49.000000000 -0500
@@ -973,7 +973,7 @@
def list_headers(root):
modules = []
@ -260,7 +263,7 @@ diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refparser.py polic
for name in filenames:
diff --exclude-from=exclude -N -u -r nsasepolgen/src/sepolgen/refpolicy.py policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py
--- nsasepolgen/src/sepolgen/refpolicy.py 2009-10-29 15:21:39.000000000 -0400
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2009-12-08 17:02:00.000000000 -0500
+++ policycoreutils-2.0.78/sepolgen-1.0.19/src/sepolgen/refpolicy.py 2009-12-08 17:05:49.000000000 -0500
@@ -398,6 +398,7 @@
return "attribute %s;" % self.name

10
policycoreutils.spec
View File

@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.78
Release: 3%{?dist}
Release: 5%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -131,6 +131,7 @@ The policycoreutils-python package contains the management tools use to manage a
%{_mandir}/man1/audit2why.1*
%{_mandir}/man8/chcat.8*
%{_mandir}/ru/man8/chcat.8*
%{_mandir}/man8/sandbox.8*
%{_mandir}/man8/semanage.8*
%{_mandir}/ru/man8/semanage.8*
@ -152,7 +153,6 @@ The policycoreutils-python package contains the scripts to create graphical sand
%files sandbox
%{_sysconfdir}/rc.d/init.d/sandbox
%{_mandir}/man8/sandbox.8*
%{_sbindir}/seunshare
%{_datadir}/sandbox/sandboxX.sh
@ -296,6 +296,12 @@ fi
exit 0
%changelog
* Wed Dec 16 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-5
- If restorecond running as a user has no files to watch then it should exit. (NFS Homedirs)
* Thu Dec 10 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-4
- Move sandbox man page to base package
* Tue Dec 8 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-3
- Fix audit2allow to report constraints, dontaudits, types, booleans