* Tue May 20 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.3-4
- Fix setfiles to work correctly if -r option is defined
parent
a0f67d4a93
commit
a3adc5bf70
@ -1,68 +0,0 @@
diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
index f7f05cb..6b94239 100644
--- a/policycoreutils/sepolicy/sepolicy/__init__.py
+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
@@ -98,6 +98,21 @@ def get_conditionals_format_text(cond):
def get_types_from_attribute(attribute):
return info(ATTRIBUTE,attribute)[0]["types"]
+def get_attributes_from_type(setype):
+ return info(TYPE,setype)[0]["attributes"]
+
+def file_type_is_executable(setype):
+ if "exec_type" in get_attributes_from_type(setype):
+ return True
+ else:
+ return False
+
+def file_type_is_entrypoint(setype):
+ if "entry_type" in get_attributes_from_type(setype):
+ return True
+ else:
+ return False
+
file_type_str = {}
file_type_str["a"] = _("all files")
file_type_str["f"] = _("regular file")
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
index 9af0794..8daca56 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -679,10 +679,13 @@ Default Defined Ports:""")
def _file_context(self):
flist=[]
+ flist_non_exec=[]
mpaths=[]
for f in self.all_file_types:
if f.startswith(self.domainname):
flist.append(f)
+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
+ flist_non_exec.append(f)
if f in self.fcdict:
mpaths = mpaths + self.fcdict[f]["regex"]
if len(mpaths) == 0:
@@ -734,19 +737,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname':self.domainname, 'equiv': e, 'alt': e.split('/')[-1] })
- self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
SELinux defines the file context types for the %(domainname)s, if you wanted to
store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
-.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
.br
.B restorecon -R -v /srv/my%(domainname)s_content
Note: SELinux often uses regular expressions to specify labels that match multiple files.
-""" % {'domainname':self.domainname, "type":flist[0] })
+""" % {'domainname':self.domainname, "type":flist_non_exec[-1] })
self.fd.write(r"""
.I The following file types are defined for %(domainname)s:
@ -0,0 +1,25 @@
From 0c71c12b54b0f201edf53f9956c8c9df8efbca41 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Tue, 20 May 2014 12:07:46 +0200
Subject: [PATCH] Fix setfiles to work correctly if -r option is defined
---
policycoreutils/setfiles/setfiles.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 85d8d68..b31df58 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -334,7 +334,7 @@ int main(int argc, char **argv)
argv[0]);
exit(-1);
}
- set_rootpath(argv[optind++]);
+ set_rootpath(argv[optind]);
break;
case 's':
use_input_file = 1;
--
1.9.0
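Review bot: The new line `set_rootpath(argv[optind]);` drops the post-increment, so after this case optind no longer advances past the root-path argument; whether that is correct depends on the getopt option string and on how the remaining positional arguments are consumed after the switch, both of which lie outside this hunk. If `-r` is declared with a `:` in the optstring, `set_rootpath(optarg);` would be the conventional form and would avoid indexing argv by hand. The argument-presence check whose tail is visible at the hunk start (`argv[0]); exit(-1);`) should be re-read against the new index, since its condition is not shown here. A one-line comment giving the actual reason the increment was wrong, along the lines of `/* optind already points past the -r argument here; do not skip the next argv element */` adjusted to the real cause, would keep a later reader from reintroducing it; main() starts and ends outside the hunk.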
@ -1,63 +0,0 @@
From d355fd3326286a01f82c5c46a8eb99ae2f4a11bb Mon Sep 17 00:00:00 2001
Message-Id: <d355fd3326286a01f82c5c46a8eb99ae2f4a11bb.1398921725.git.luto@amacapital.net>
From: Andy Lutomirski <luto@amacapital.net>
Date: Wed, 30 Apr 2014 21:59:37 -0700
Subject: [PATCH] seunshare: Try to use setcurrent before setexec
If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
libcap-ng set, setexeccon will cause execve to fail. This also
makes setting selinux context the very last action taken by
seunshare prior to exec, as it may otherwise cause things to fail.
Note that this won't work without adjusting the system policy to
allow this use of setcurrent. This rule appears to work:
allow unconfined_t sandbox_t:process dyntransition;
although a better rule would probably relax the unconfined_t
restriction.
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
---
policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index 97f3920..fe40757 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
goto childerr;
}
- /* selinux context */
- if (execcon && setexeccon(execcon) != 0) {
- fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
- goto childerr;
- }
-
if (chdir(pwd->pw_dir)) {
perror(_("Failed to change dir to homedir"));
goto childerr;
}
setsid();
+
+ /* selinux context */
+ if (execcon) {
+ /* try dyntransition, since no_new_privs can interfere
+ * with setexeccon */
+ if (setcon(execcon) != 0) {
+ /* failed; fall back to setexeccon */
+ if (setexeccon(execcon) != 0) {
+ fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+ goto childerr;
+ }
+ }
+ }
+
execv(argv[optind], argv + optind);
fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
childerr:
--
1.9.0
@ -1,27 +0,0 @@
From cbe5a25fed96d535ba16a936f7347d19ac211fdf Mon Sep 17 00:00:00 2001
From: Miroslav Grepl <mgrepl@redhat.com>
Date: Mon, 12 May 2014 14:11:22 +0200
Subject: [PATCH] If there is no executable we don't want to print a part of
STANDARD FILE CONTEXT
---
policycoreutils/sepolicy/sepolicy/manpage.py | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
index 835dc43..849eecf 100755
--- a/policycoreutils/sepolicy/sepolicy/manpage.py
+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
@@ -737,7 +737,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
.PP
""" % {'domainname':self.domainname, 'equiv': e, 'alt': e.split('/')[-1] })
- self.fd.write(r"""
+ if flist_non_exec:
+ self.fd.write(r"""
.PP
.B STANDARD FILE CONTEXT
--
1.9.0
@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Summary: SELinux policy core utilities
Name: policycoreutils
Name: policycoreutils
Version: 2.3
Version: 2.3
Release: 3%{?dist}
Release: 4%{?dist}
License: GPLv2
License: GPLv2
Group: System Environment/Base
Group: System Environment/Base
# Based on git repository with tag 20101221
# Based on git repository with tag 20101221
@ -18,6 +18,7 @@ Source2: policycoreutils_man_ru2.tar.bz2
Source3: system-config-selinux.png
Source3: system-config-selinux.png
Source4: sepolicy-icons.tgz
Source4: sepolicy-icons.tgz
Patch: policycoreutils-rhat.patch
Patch: policycoreutils-rhat.patch
Patch1: 0001-Fix-setfiles-to-work-correctly-if-r-option-is-define.patch
Obsoletes: policycoreutils < 2.0.61-2
Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3
Conflicts: filesystem < 3
Provides: /sbin/fixfiles
Provides: /sbin/fixfiles
@ -48,6 +49,8 @@ to switch roles.
%prep
%prep
%setup -q -a 1
%setup -q -a 1
%patch -p2 -b .rhat
%patch -p2 -b .rhat
%patch1 -p2 -b .setfiles
cp %{SOURCE3} gui/
cp %{SOURCE3} gui/
tar xvf %{SOURCE4}
tar xvf %{SOURCE4}
@ -378,6 +381,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%systemd_postun_with_restart restorecond.service
%changelog
%changelog
* Tue May 20 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.3-4
- Fix setfiles to work correctly if -r option is defined
* Fri May 16 2014 Dan Walsh <dwalsh@redhat.com> - 2.3-3
* Fri May 16 2014 Dan Walsh <dwalsh@redhat.com> - 2.3-3
- Update Miroslav Grepl Patches
- Update Miroslav Grepl Patches
* If there is no executable we don't want to print a part of STANDARD FILE CON
* If there is no executable we don't want to print a part of STANDARD FILE CON
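Review bot: The 2.3-4 %changelog entry records only the setfiles fix, yet the same commit deletes two standalone patch files (the seunshare setcon-before-setexeccon change and the manpage "no executable" change) that appear in none of the visible `Patch:` lines; a second line such as `- Drop standalone patches already carried in policycoreutils-rhat.patch` (if that is what happened) would record it, and if the seunshare change was not folded in elsewhere, its no_new_privs handling is silently lost from the build. The page also shows a 68-line deletion from what looks like policycoreutils-rhat.patch while `Patch: policycoreutils-rhat.patch` and `%patch -p2 -b .rhat` are unchanged; if the whole file was removed %prep will fail, so worth confirming it still exists in the tree. `%patch1 -p2 -b .setfiles` is consistent with the `a/policycoreutils/setfiles/setfiles.c` prefix in the new patch file.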