* Tue May 20 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.3-4

- Fix setfiles to work correctly if -r option is defined
Miroslav Grepl 2014-05-20 12:11:11 +02:00
parent a0f67d4a93
commit a3adc5bf70
5 changed files with 32 additions and 159 deletions


@ -1,68 +0,0 @@
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index f7f05cb..6b94239 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -98,6 +98,21 @@ def get_conditionals_format_text(cond):
def get_types_from_attribute(attribute):
return info(ATTRIBUTE,attribute)[0]["types"]
+def get_attributes_from_type(setype):
+ return info(TYPE,setype)[0]["attributes"]
+
+def file_type_is_executable(setype):
+ if "exec_type" in get_attributes_from_type(setype):
+ return True
+ else:
+ return False
+
+def file_type_is_entrypoint(setype):
+ if "entry_type" in get_attributes_from_type(setype):
+ return True
+ else:
+ return False
+
file_type_str = {}
file_type_str["a"] = _("all files")
file_type_str["f"] = _("regular file")
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
index 9af0794..8daca56 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -679,10 +679,13 @@ Default Defined Ports:""")
def _file_context(self):
flist=[]
+ flist_non_exec=[]
mpaths=[]
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
@@ -734,19 +737,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname':self.domainname, 'equiv': e, 'alt': e.split('/')[-1] })
- self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
-""" % {'domainname':self.domainname, "type":flist[0] })
+""" % {'domainname':self.domainname, "type":flist_non_exec[-1] })
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:


@ -0,0 +1,25 @@
From 0c71c12b54b0f201edf53f9956c8c9df8efbca41 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Tue, 20 May 2014 12:07:46 +0200
Subject: [PATCH] Fix setfiles to work correctly if -r option is defined
---
policycoreutils/setfiles/setfiles.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 85d8d68..b31df58 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -334,7 +334,7 @@ int main(int argc, char **argv)
argv[0]);
exit(-1);
}
- set_rootpath(argv[optind++]);
+ set_rootpath(argv[optind]);
break;
case 's':
use_input_file = 1;
--
1.9.0
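Review bot: Whether `set_rootpath(argv[optind]);` actually receives the -r argument depends on the getopt option string, which is outside this hunk: if `r` is declared with a colon (`r:`), getopt has already consumed the path into `optarg` and advanced `optind`, so `argv[optind]` is the element after the path and the unambiguous form is `set_rootpath(optarg);`; if `r` is declared without an argument, dropping the `++` leaves the path in place to be re-read later as a positional argument (the spec file). The manual usage check visible at the top of the hunk (`argv[0]); exit(-1); }`) suggests the code reads the path by hand rather than via `optarg`, so the optstring should be confirmed before relying on this fix, since a wrong root path silently relabels the wrong tree. main() starts and ends outside the hunk.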


@ -1,63 +0,0 @@
From d355fd3326286a01f82c5c46a8eb99ae2f4a11bb Mon Sep 17 00:00:00 2001
Message-Id: <d355fd3326286a01f82c5c46a8eb99ae2f4a11bb.1398921725.git.luto@amacapital.net>
From: Andy Lutomirski <luto@amacapital.net>
Date: Wed, 30 Apr 2014 21:59:37 -0700
Subject: [PATCH] seunshare: Try to use setcurrent before setexec
If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
libcap-ng set, setexeccon will cause execve to fail. This also
makes setting selinux context the very last action taken by
seunshare prior to exec, as it may otherwise cause things to fail.
Note that this won't work without adjusting the system policy to
allow this use of setcurrent. This rule appears to work:
allow unconfined_t sandbox_t:process dyntransition;
although a better rule would probably relax the unconfined_t
restriction.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
---
policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index 97f3920..fe40757 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
goto childerr;
}
- /* selinux context */
- if (execcon && setexeccon(execcon) != 0) {
- fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
- goto childerr;
- }
-
if (chdir(pwd->pw_dir)) {
perror(_("Failed to change dir to homedir"));
goto childerr;
}
setsid();
+
+ /* selinux context */
+ if (execcon) {
+ /* try dyntransition, since no_new_privs can interfere
+ * with setexeccon */
+ if (setcon(execcon) != 0) {
+ /* failed; fall back to setexeccon */
+ if (setexeccon(execcon) != 0) {
+ fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+ goto childerr;
+ }
+ }
+ }
+
execv(argv[optind], argv + optind);
fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
childerr:
--
1.9.0


@ -1,27 +0,0 @@
From cbe5a25fed96d535ba16a936f7347d19ac211fdf Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Mon, 12 May 2014 14:11:22 +0200
Subject: [PATCH] If there is no executable we don't want to print a part of
STANDARD FILE CONTEXT
---
policycoreutils/sepolicy/sepolicy/manpage.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
index 835dc43..849eecf 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -737,7 +737,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname':self.domainname, 'equiv': e, 'alt': e.split('/')[-1] })
- self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
--
1.9.0


@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.3 Version: 2.3
Release: 3%{?dist} Release: 4%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -18,6 +18,7 @@ Source2: policycoreutils_man_ru2.tar.bz2
Source3: system-config-selinux.png Source3: system-config-selinux.png
Source4: sepolicy-icons.tgz Source4: sepolicy-icons.tgz
Patch: policycoreutils-rhat.patch Patch: policycoreutils-rhat.patch
Patch1: 0001-Fix-setfiles-to-work-correctly-if-r-option-is-define.patch
Obsoletes: policycoreutils < 2.0.61-2 Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3 Conflicts: filesystem < 3
Provides: /sbin/fixfiles Provides: /sbin/fixfiles
@ -48,6 +49,8 @@ to switch roles.
%prep %prep
%setup -q -a 1 %setup -q -a 1
%patch -p2 -b .rhat %patch -p2 -b .rhat
%patch1 -p2 -b .setfiles
cp %{SOURCE3} gui/ cp %{SOURCE3} gui/
tar xvf %{SOURCE4} tar xvf %{SOURCE4}
@ -378,6 +381,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Tue May 20 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.3-4
- Fix setfiles to work correctly if -r option is defined
* Fri May 16 2014 Dan Walsh <dwalsh@redhat.com> - 2.3-3 * Fri May 16 2014 Dan Walsh <dwalsh@redhat.com> - 2.3-3
- Update Miroslav Grepl Patches - Update Miroslav Grepl Patches
* If there is no executable we don't want to print a part of STANDARD FILE CON * If there is no executable we don't want to print a part of STANDARD FILE CON