* Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-12

- Tighten up controls on seunshare.c
2009-08-26 21:52:30 +00:00 · 2009-08-26 21:52:30 +00:00 · a39af4db38
commit a39af4db38
parent 0a51336809
2 changed files with 53 additions and 35 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@ -1,6 +1,6 @@
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.71/audit2allow/audit2allow
 --- nsapolicycoreutils/audit2allow/audit2allow	2009-01-13 08:45:35.000000000 -0500
-+++ policycoreutils-2.0.71/audit2allow/audit2allow	2009-08-20 12:53:16.000000000 -0400
+++ policycoreutils-2.0.71/audit2allow/audit2allow	2009-08-26 17:34:50.000000000 -0400
@@ -42,6 +42,8 @@
         from optparse import OptionParser
 
@ -40,7 +40,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
             f = sys.stdin
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.71/Makefile
 --- nsapolicycoreutils/Makefile	2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.71/Makefile	2009-08-26 10:04:47.000000000 -0400
+++ policycoreutils-2.0.71/Makefile	2009-08-26 17:34:50.000000000 -0400
@@ -1,4 +1,4 @@
 -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
 +SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
@ -49,7 +49,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.71/restorecond/Makefile
 --- nsapolicycoreutils/restorecond/Makefile	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.71/restorecond/Makefile	2009-08-20 15:30:42.000000000 -0400
+++ policycoreutils-2.0.71/restorecond/Makefile	2009-08-26 17:34:50.000000000 -0400
@@ -1,17 +1,28 @@
 # Installation directories.
 PREFIX ?= ${DESTDIR}/usr
@ -98,14 +98,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 	/sbin/restorecon $(SBINDIR)/restorecond 
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.71/restorecond/org.selinux.Restorecond.service
 --- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/restorecond/org.selinux.Restorecond.service	2009-08-20 12:53:16.000000000 -0400
+++ policycoreutils-2.0.71/restorecond/org.selinux.Restorecond.service	2009-08-26 17:34:50.000000000 -0400
@@ -0,0 +1,3 @@
 +[D-BUS Service]
 +Name=org.selinux.Restorecond
 +Exec=/usr/sbin/restorecond -u
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.71/restorecond/restorecond.c
 --- nsapolicycoreutils/restorecond/restorecond.c	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.71/restorecond/restorecond.c	2009-08-22 08:03:13.000000000 -0400
+++ policycoreutils-2.0.71/restorecond/restorecond.c	2009-08-26 17:34:50.000000000 -0400
@@ -48,294 +48,38 @@
 #include <signal.h>
 #include <string.h>
@ -598,7 +598,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.71/restorecond/restorecond.conf
 --- nsapolicycoreutils/restorecond/restorecond.conf	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.71/restorecond/restorecond.conf	2009-08-20 15:30:45.000000000 -0400
+++ policycoreutils-2.0.71/restorecond/restorecond.conf	2009-08-26 17:34:50.000000000 -0400
@@ -4,8 +4,5 @@
 /etc/mtab
 /var/run/utmp
@ -611,7 +611,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 -
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.71/restorecond/restorecond.desktop
 --- nsapolicycoreutils/restorecond/restorecond.desktop	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/restorecond/restorecond.desktop	2009-08-20 12:53:16.000000000 -0400
+++ policycoreutils-2.0.71/restorecond/restorecond.desktop	2009-08-26 17:34:50.000000000 -0400
@@ -0,0 +1,7 @@
 +[Desktop Entry]
 +Name=File Context maintainer
@ -622,7 +622,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +StartupNotify=false
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.71/restorecond/restorecond.h
 --- nsapolicycoreutils/restorecond/restorecond.h	2009-08-20 15:49:21.000000000 -0400
-+++ policycoreutils-2.0.71/restorecond/restorecond.h	2009-08-20 15:30:47.000000000 -0400
+++ policycoreutils-2.0.71/restorecond/restorecond.h	2009-08-26 17:34:50.000000000 -0400
@@ -24,7 +24,21 @@
 #ifndef RESTORED_CONFIG_H
 #define RESTORED_CONFIG_H
@ -649,13 +649,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 #endif
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.71/restorecond/restorecond_user.conf
 --- nsapolicycoreutils/restorecond/restorecond_user.conf	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/restorecond/restorecond_user.conf	2009-08-20 12:53:16.000000000 -0400
+++ policycoreutils-2.0.71/restorecond/restorecond_user.conf	2009-08-26 17:34:50.000000000 -0400
@@ -0,0 +1,2 @@
 +~/*
 +~/public_html/*
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.71/restorecond/user.c
 --- nsapolicycoreutils/restorecond/user.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/restorecond/user.c	2009-08-20 13:08:42.000000000 -0400
+++ policycoreutils-2.0.71/restorecond/user.c	2009-08-26 17:34:50.000000000 -0400
@@ -0,0 +1,237 @@
 +/*
 + * restorecond
@ -896,7 +896,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.71/restorecond/watch.c
 --- nsapolicycoreutils/restorecond/watch.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/restorecond/watch.c	2009-08-20 13:08:19.000000000 -0400
+++ policycoreutils-2.0.71/restorecond/watch.c	2009-08-26 17:34:50.000000000 -0400
@@ -0,0 +1,254 @@
 +#define _GNU_SOURCE
 +#include <sys/inotify.h>
@ -1154,7 +1154,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.71/sandbox/Makefile
 --- nsapolicycoreutils/sandbox/Makefile	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/sandbox/Makefile	2009-08-26 10:50:50.000000000 -0400
+++ policycoreutils-2.0.71/sandbox/Makefile	2009-08-26 17:34:50.000000000 -0400
@@ -0,0 +1,31 @@
 +# Installation directories.
 +PREFIX ?= ${DESTDIR}/usr
@ -1189,7 +1189,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +relabel:
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.71/sandbox/sandbox
 --- nsapolicycoreutils/sandbox/sandbox	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/sandbox/sandbox	2009-08-26 10:03:24.000000000 -0400
+++ policycoreutils-2.0.71/sandbox/sandbox	2009-08-26 17:34:50.000000000 -0400
@@ -0,0 +1,193 @@
 +#!/usr/bin/python -E
 +import os, sys, getopt, socket, random, fcntl, shutil
@ -1386,7 +1386,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.71/sandbox/sandbox.8
 --- nsapolicycoreutils/sandbox/sandbox.8	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/sandbox/sandbox.8	2009-08-26 10:03:24.000000000 -0400
+++ policycoreutils-2.0.71/sandbox/sandbox.8	2009-08-26 17:34:50.000000000 -0400
@@ -0,0 +1,26 @@
 +.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
 +.SH NAME
@ -1416,7 +1416,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +.PP
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.71/sandbox/sandboxX.sh
 --- nsapolicycoreutils/sandbox/sandboxX.sh	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/sandbox/sandboxX.sh	2009-08-26 10:03:24.000000000 -0400
+++ policycoreutils-2.0.71/sandbox/sandboxX.sh	2009-08-26 17:34:50.000000000 -0400
@@ -0,0 +1,13 @@
 +#!/bin/bash 
 +(Xephyr -terminate -screen 1000x700 -displayfd 5 5>&1 2>/dev/null) | while read D; do 
@ -1434,8 +1434,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.71/sandbox/seunshare differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.71/sandbox/seunshare.c
 --- nsapolicycoreutils/sandbox/seunshare.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/sandbox/seunshare.c	2009-08-26 10:06:05.000000000 -0400
-@@ -0,0 +1,188 @@
+++ policycoreutils-2.0.71/sandbox/seunshare.c	2009-08-26 17:50:31.000000000 -0400
+@@ -0,0 +1,203 @@
 +#include <signal.h>
 +#include <sys/types.h>
 +#include <sys/wait.h>
@ -1456,8 +1456,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +/**
 + * This function will drop the capabilities so that we are left
 + * only with access to the audit system and the ability to raise
-+ * CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_FOWNER and CAP_CHOWN,
-+ * before invoking unshare and mounting a couple of directories. 
+ * CAP_SYS_ADMIN before invoking unshare and mounting a couple of directories. 
 + * These capabilities are needed for performing bind mounts/unmounts 
 + * and to create potential new instance directories with appropriate 
 + * DAC attributes. 
@ -1469,12 +1468,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +	capng_clear(CAPNG_SELECT_BOTH);
 +
 +	if (all) {
-+		if ((getuid() == 0) && (capng_lock() < 0)) 
+		if (capng_lock() < 0) 
 +			return -1;
 +	} else {
-+		if (capng_updatev(CAPNG_ADD, CAP_DAC_OVERRIDE|CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_ADMIN, -1) < 0) 
+		if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_ADMIN, CAP_SETPCAP, -1) < 0) { 
 +			return -1;
-+		    
+		}
 +	}
 +
 +	return capng_apply(CAPNG_SELECT_BOTH);
@ -1487,7 +1486,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +/**
 + * Take care of any signal setup
 + */
-+static int set_signal_handles()
+static int set_signal_handles(void)
 +{
 +	sigset_t empty;
 +
@ -1513,7 +1512,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +	int rc;
 +	int status = -1;
 +
-+	struct passwd *pwd=getpwuid(getuid());
 +	security_context_t scontext;
 +
 +	int flag_index;		/* flag index in argv[] */
@ -1526,6 +1524,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +		{"tmpdir", 1, 0, 't'},
 +		{NULL, 0, 0, 0}
 +	};
+	capng_print_caps_text(CAPNG_PRINT_STDOUT, CAPNG_EFFECTIVE);
+
+	struct passwd *pwd=getpwuid(getuid());
+	if (!pwd) {
+		perror("getpwduid failed");
+		return -1;
+	}
 +
 +	if (drop_capabilities(FALSE)) {
 +		perror("Failed to drop capabilities");
@ -1591,7 +1596,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +	int child = fork();
 +	if (!child) {
 +		/* Construct a new environment */
-+		char *display =  strdup(getenv("DISPLAY"));
+		char *d = getenv("DISPLAY");
+		if (!d) {
+			perror("DISPLAY Not set");
+			exit(-1);
+		}
+
+		char *display =  strdup(d);
 +		if (!display) {
 +			perror("Out of memory");
 +			exit(-1);
@ -1614,7 +1625,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +		rc |= setenv("LOGNAME", pwd->pw_name, 1);
 +		rc |= setenv("PATH", DEFAULT_PATH, 1);
 +		
-+		chdir(pwd->pw_dir);
+		if (chdir(pwd->pw_dir)) {
+			perror("Failed to change dir to homedir");
+			exit(-1);
+		}
+		
 +		execv(argv[optind], argv + optind);
 +		perror("execv");
 +		exit(-1);
@ -1627,7 +1642,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.71/sandbox/seunshare.o differ
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.71/scripts/chcat
 --- nsapolicycoreutils/scripts/chcat	2009-06-23 15:36:07.000000000 -0400
-+++ policycoreutils-2.0.71/scripts/chcat	2009-08-20 12:53:16.000000000 -0400
+++ policycoreutils-2.0.71/scripts/chcat	2009-08-26 17:34:50.000000000 -0400
@@ -435,6 +435,8 @@
                     continue
     except ValueError, e:
@ -1639,7 +1654,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
     
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.71/scripts/Makefile
 --- nsapolicycoreutils/scripts/Makefile	2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.71/scripts/Makefile	2009-08-26 10:04:11.000000000 -0400
+++ policycoreutils-2.0.71/scripts/Makefile	2009-08-26 17:34:50.000000000 -0400
@@ -5,7 +5,7 @@
 MANDIR ?= $(PREFIX)/share/man
 LOCALEDIR ?= /usr/share/locale
@ -1651,7 +1666,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 	-mkdir -p $(BINDIR)
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.71/semanage/semanage
 --- nsapolicycoreutils/semanage/semanage	2009-08-19 16:35:03.000000000 -0400
-+++ policycoreutils-2.0.71/semanage/semanage	2009-08-20 12:53:16.000000000 -0400
+++ policycoreutils-2.0.71/semanage/semanage	2009-08-26 17:34:50.000000000 -0400
@@ -68,6 +68,7 @@
 	-h, --help       Display this message
 	-n, --noheading  Do not print heading when listing OBJECTS
@ -1761,7 +1776,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.71/semanage/seobject.py
 --- nsapolicycoreutils/semanage/seobject.py	2009-08-19 16:35:03.000000000 -0400
-+++ policycoreutils-2.0.71/semanage/seobject.py	2009-08-20 12:53:16.000000000 -0400
+++ policycoreutils-2.0.71/semanage/seobject.py	2009-08-26 17:34:50.000000000 -0400
@@ -1,5 +1,5 @@
 #! /usr/bin/python -E
 -# Copyright (C) 2005, 2006, 2007, 2008 Red Hat 
@ -1890,7 +1905,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 	def __init__(self, store = ""):
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/Makefile policycoreutils-2.0.71/setfiles/Makefile
 --- nsapolicycoreutils/setfiles/Makefile	2009-07-07 15:32:32.000000000 -0400
-+++ policycoreutils-2.0.71/setfiles/Makefile	2009-08-20 12:53:16.000000000 -0400
+++ policycoreutils-2.0.71/setfiles/Makefile	2009-08-26 17:34:50.000000000 -0400
@@ -5,7 +5,7 @@
 LIBDIR ?= $(PREFIX)/lib
 AUDITH = $(shell ls /usr/include/libaudit.h 2>/dev/null)
@ -1911,7 +1926,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 	ln -sf setfiles restorecon
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.c policycoreutils-2.0.71/setfiles/restore.c
 --- nsapolicycoreutils/setfiles/restore.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/setfiles/restore.c	2009-08-22 07:59:20.000000000 -0400
+++ policycoreutils-2.0.71/setfiles/restore.c	2009-08-26 17:34:50.000000000 -0400
@@ -0,0 +1,519 @@
 +#include "restore.h"
 +
@ -2434,7 +2449,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/restore.h policycoreutils-2.0.71/setfiles/restore.h
 --- nsapolicycoreutils/setfiles/restore.h	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/setfiles/restore.h	2009-08-22 08:02:45.000000000 -0400
+++ policycoreutils-2.0.71/setfiles/restore.h	2009-08-26 17:34:50.000000000 -0400
@@ -0,0 +1,49 @@
 +#ifndef RESTORE_H
 +#define RESTORE_H
@ -2487,7 +2502,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
 +#endif
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.71/setfiles/setfiles.c
 --- nsapolicycoreutils/setfiles/setfiles.c	2009-08-12 12:08:15.000000000 -0400
-+++ policycoreutils-2.0.71/setfiles/setfiles.c	2009-08-22 08:06:25.000000000 -0400
+++ policycoreutils-2.0.71/setfiles/setfiles.c	2009-08-26 17:34:50.000000000 -0400
@@ -1,26 +1,12 @@
 -#ifndef _GNU_SOURCE
 -#define _GNU_SOURCE
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.71
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -295,6 +295,9 @@ fi
 exit 0

 %changelog
+* Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-12
+- Tighten up controls on seunshare.c
+
 * Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-11
 - Add sandboxX