- Change to allow sandbox to run on nfs homedirs, add start python script
This commit is contained in:
parent
8937a040d8
commit
a548207cc4
1
.gitignore
1
.gitignore
@ -222,3 +222,4 @@ policycoreutils-2.0.82.tgz
|
||||
sepolgen-1.0.23.tgz
|
||||
policycoreutils-2.0.83.tgz
|
||||
/policycoreutils-2.0.84.tgz
|
||||
/policycoreutils-2.0.85.tgz
|
||||
|
152982
policycoreutils-po.patch
152982
policycoreutils-po.patch
File diff suppressed because it is too large
@ -9,7 +9,7 @@ index 86ed03f..67d0ee8 100644
|
||||
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
|
||||
|
||||
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
|
||||
index 5435e9d..fddcdaa 100644
|
||||
index 5435e9d..c60490b 100644
|
||||
--- a/policycoreutils/audit2allow/audit2allow
|
||||
+++ b/policycoreutils/audit2allow/audit2allow
|
||||
@@ -1,4 +1,4 @@
|
||||
@ -34,7 +34,7 @@ index 5435e9d..fddcdaa 100644
|
||||
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
|
||||
help="read input from dmesg - conflicts with --all and --input")
|
||||
parser.add_option("-i", "--input", dest="input",
|
||||
@@ -231,63 +233,44 @@ class AuditToPolicy:
|
||||
@@ -231,29 +233,12 @@ class AuditToPolicy:
|
||||
|
||||
def __output_audit2why(self):
|
||||
import selinux
|
||||
@ -43,8 +43,9 @@ index 5435e9d..fddcdaa 100644
|
||||
- audit2why.init()
|
||||
for i in self.__parser.avc_msgs:
|
||||
- rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
|
||||
- if rc >= 0:
|
||||
+ if i.type >= 0:
|
||||
+ rc = i.type
|
||||
+ bools = i.bools
|
||||
if rc >= 0:
|
||||
print "%s\n\tWas caused by:" % i.message
|
||||
- if rc == audit2why.NOPOLICY:
|
||||
- raise RuntimeError("Must call policy_init first")
|
||||
@ -62,55 +63,10 @@ index 5435e9d..fddcdaa 100644
|
||||
- continue
|
||||
- if rc == audit2why. BADCOMPUTE:
|
||||
- raise RuntimeError("Error during access vector computation")
|
||||
- if rc == audit2why.ALLOW:
|
||||
+ if i.type == audit2why.ALLOW:
|
||||
if rc == audit2why.ALLOW:
|
||||
print "\t\tUnknown - would be allowed by active policy\n",
|
||||
print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
|
||||
print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
|
||||
continue
|
||||
- if rc == audit2why.DONTAUDIT:
|
||||
+ if i.type == audit2why.DONTAUDIT:
|
||||
print "\t\tUnknown - should be dontaudit'd by active policy\n",
|
||||
print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
|
||||
print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
|
||||
continue
|
||||
- if rc == audit2why.BOOLEAN:
|
||||
- if len(bools) > 1:
|
||||
+ if i.type == audit2why.BOOLEAN:
|
||||
+ if len(i.bools) > 1:
|
||||
print "\tOne of the following booleans was set incorrectly."
|
||||
- for b in bools:
|
||||
+ for b in i.bools:
|
||||
print "\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0])
|
||||
print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1])
|
||||
else:
|
||||
- print "\tThe boolean %s was set incorrectly. " % (bools[0][0])
|
||||
- print "\tDescription:\n\t%s\n" % seobject.boolean_desc(bools[0][0])
|
||||
- print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (bools[0][0], bools[0][1])
|
||||
+ print "\tThe boolean %s was set incorrectly. " % (i.bools[0][0])
|
||||
+ print "\tDescription:\n\t%s\n" % seobject.boolean_desc(i.bools[0][0])
|
||||
+ print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (i.bools[0][0], i.bools[0][1])
|
||||
continue
|
||||
|
||||
- if rc == audit2why.TERULE:
|
||||
+ if i.type == audit2why.TERULE:
|
||||
print "\t\tMissing type enforcement (TE) allow rule.\n"
|
||||
print "\t\tYou can use audit2allow to generate a loadable module to allow this access.\n"
|
||||
continue
|
||||
|
||||
- if rc == audit2why.CONSTRAINT:
|
||||
+ if i.type == audit2why.CONSTRAINT:
|
||||
print "\t\tPolicy constraint violation.\n"
|
||||
print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
|
||||
print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
|
||||
continue
|
||||
|
||||
- if rc == audit2why.RBAC:
|
||||
+ if i.type == audit2why.RBAC:
|
||||
print "\t\tMissing role allow rule.\n"
|
||||
print "\t\tAdd an allow rule for the role pair.\n"
|
||||
continue
|
||||
@@ -350,11 +333,19 @@ class AuditToPolicy:
|
||||
@@ -350,11 +335,19 @@ class AuditToPolicy:
|
||||
def main(self):
|
||||
try:
|
||||
self.__parse_options()
|
||||
@ -332,276 +288,6 @@ index 03f95a1..5986b23 100644
|
||||
if_set.to_file(f)
|
||||
f.close()
|
||||
|
||||
diff --git a/policycoreutils/load_policy/load_policy.c b/policycoreutils/load_policy/load_policy.c
|
||||
index 47d9b0f..566565f 100644
|
||||
--- a/policycoreutils/load_policy/load_policy.c
|
||||
+++ b/policycoreutils/load_policy/load_policy.c
|
||||
@@ -1,3 +1,4 @@
|
||||
+#define _GNU_SOURCE
|
||||
#include <unistd.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
@@ -23,6 +24,14 @@ void usage(char *progname)
|
||||
exit(1);
|
||||
}
|
||||
|
||||
+char *policy_path(void) {
|
||||
+ char *path=NULL;
|
||||
+ if (asprintf(&path, "%s.%d", selinux_binary_policy_path(), security_policyvers()) < 0) {
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ return path;
|
||||
+}
|
||||
+
|
||||
int main(int argc, char **argv)
|
||||
{
|
||||
int ret, opt, quiet = 0, nargs, init=0, enforce=0;
|
||||
@@ -64,6 +73,7 @@ int main(int argc, char **argv)
|
||||
"%s: Warning! Boolean file argument (%s) is no longer supported, installed booleans file is always used. Continuing...\n",
|
||||
argv[0], argv[optind++]);
|
||||
}
|
||||
+ errno = 0;
|
||||
if (init) {
|
||||
if (is_selinux_enabled() == 1) {
|
||||
/* SELinux is already enabled, we should not do an initial load again */
|
||||
@@ -76,9 +86,11 @@ int main(int argc, char **argv)
|
||||
if (ret != 0 ) {
|
||||
if (enforce > 0) {
|
||||
/* SELinux in enforcing mode but load_policy failed */
|
||||
+ char *path=policy_path();
|
||||
fprintf(stderr,
|
||||
- _("%s: Can't load policy and enforcing mode requested: %s\n"),
|
||||
- argv[0], strerror(errno));
|
||||
+ _("%s: Can't load policy file %s and enforcing mode requested: %s\n"),
|
||||
+ argv[0], path, strerror(errno));
|
||||
+ free(path);
|
||||
exit(3);
|
||||
}
|
||||
}
|
||||
@@ -86,9 +98,16 @@ int main(int argc, char **argv)
|
||||
else {
|
||||
ret = selinux_mkload_policy(1);
|
||||
}
|
||||
- if (ret < 0) {
|
||||
- fprintf(stderr, _("%s: Can't load policy: %s\n"),
|
||||
- argv[0], strerror(errno));
|
||||
+
|
||||
+ /* selinux_init_load_policy returns -1 if it did not load_policy
|
||||
+ * On SELinux disabled system it will always return -1
|
||||
+ * So check errno to see if anything went wrong
|
||||
+ */
|
||||
+ if (ret < 0 && errno != 0) {
|
||||
+ char *path=policy_path();
|
||||
+ fprintf(stderr, _("%s: Can't load policy file %s: %s\n"),
|
||||
+ argv[0], path, strerror(errno));
|
||||
+ free(path);
|
||||
exit(2);
|
||||
}
|
||||
exit(0);
|
||||
diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
|
||||
index 6c19bd1..bd8e7a7 100644
|
||||
--- a/policycoreutils/newrole/Makefile
|
||||
+++ b/policycoreutils/newrole/Makefile
|
||||
@@ -50,7 +50,7 @@ ifeq (${NAMESPACE_PRIV},y)
|
||||
endif
|
||||
ifeq (${IS_SUID},y)
|
||||
MODE := 4555
|
||||
- LDLIBS += -lcap
|
||||
+ LDLIBS += -lcap-ng
|
||||
else
|
||||
MODE := 0555
|
||||
endif
|
||||
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
|
||||
index d191be6..071b393 100644
|
||||
--- a/policycoreutils/newrole/newrole.c
|
||||
+++ b/policycoreutils/newrole/newrole.c
|
||||
@@ -77,7 +77,7 @@
|
||||
#endif
|
||||
#if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
|
||||
#include <sys/prctl.h>
|
||||
-#include <sys/capability.h>
|
||||
+#include <cap-ng.h>
|
||||
#endif
|
||||
#ifdef USE_NLS
|
||||
#include <locale.h> /* for setlocale() */
|
||||
@@ -90,6 +90,9 @@
|
||||
#define PACKAGE "policycoreutils" /* the name of this package lang translation */
|
||||
#endif
|
||||
|
||||
+# define TRUE 1
|
||||
+# define FALSE 0
|
||||
+
|
||||
/* USAGE_STRING describes the command-line args of this program. */
|
||||
#define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
|
||||
|
||||
@@ -538,69 +541,23 @@ static int restore_environment(int preserve_environment,
|
||||
* Returns zero on success, non-zero otherwise
|
||||
*/
|
||||
#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
|
||||
-static int drop_capabilities(void)
|
||||
+static int drop_capabilities(int full)
|
||||
{
|
||||
- int rc = 0;
|
||||
- cap_t new_caps, tmp_caps;
|
||||
- cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
|
||||
- cap_value_t tmp_cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID };
|
||||
- uid_t uid = getuid();
|
||||
-
|
||||
- if (!uid)
|
||||
- return 0;
|
||||
-
|
||||
- /* Non-root caller, suid root path */
|
||||
- new_caps = cap_init();
|
||||
- tmp_caps = cap_init();
|
||||
- if (!new_caps || !tmp_caps) {
|
||||
- fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
|
||||
+ capng_clear(CAPNG_SELECT_BOTH);
|
||||
+ if (capng_lock() < 0)
|
||||
return -1;
|
||||
- }
|
||||
- rc |= cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET);
|
||||
- rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET);
|
||||
- rc |= cap_set_flag(tmp_caps, CAP_PERMITTED, 2, tmp_cap_list, CAP_SET);
|
||||
- rc |= cap_set_flag(tmp_caps, CAP_EFFECTIVE, 2, tmp_cap_list, CAP_SET);
|
||||
- if (rc) {
|
||||
- fprintf(stderr, _("Error setting capabilities, aborting\n"));
|
||||
- goto out;
|
||||
- }
|
||||
-
|
||||
- /* Keep capabilities across uid change */
|
||||
- if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
|
||||
- fprintf(stderr, _("Error setting KEEPCAPS, aborting\n"));
|
||||
- rc = -1;
|
||||
- goto out;
|
||||
- }
|
||||
|
||||
- /* Does this temporary change really buy us much? */
|
||||
- /* We should still have root's caps, so drop most capabilities now */
|
||||
- if ((rc = cap_set_proc(tmp_caps))) {
|
||||
- fprintf(stderr, _("Error dropping capabilities, aborting\n"));
|
||||
- goto out;
|
||||
- }
|
||||
+ uid_t uid = getuid();
|
||||
+ if (!uid) return 0;
|
||||
|
||||
/* Change uid */
|
||||
- if ((rc = setresuid(uid, uid, uid))) {
|
||||
+ if (setresuid(uid, uid, uid)) {
|
||||
fprintf(stderr, _("Error changing uid, aborting.\n"));
|
||||
- goto out;
|
||||
- }
|
||||
-
|
||||
- /* Now get rid of this ability */
|
||||
- if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
|
||||
- fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
|
||||
- goto out;
|
||||
- }
|
||||
-
|
||||
- /* Finish dropping capabilities. */
|
||||
- if ((rc = cap_set_proc(new_caps))) {
|
||||
- fprintf(stderr,
|
||||
- _("Error dropping SETUID capability, aborting\n"));
|
||||
- goto out;
|
||||
+ return -1;
|
||||
}
|
||||
- out:
|
||||
- if (cap_free(tmp_caps) || cap_free(new_caps))
|
||||
- fprintf(stderr, _("Error freeing caps\n"));
|
||||
- return rc;
|
||||
+ if (! full)
|
||||
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
|
||||
+ return capng_apply(CAPNG_SELECT_BOTH);
|
||||
}
|
||||
#elif defined(NAMESPACE_PRIV)
|
||||
/**
|
||||
@@ -616,50 +573,25 @@ static int drop_capabilities(void)
|
||||
*
|
||||
* Returns zero on success, non-zero otherwise
|
||||
*/
|
||||
-static int drop_capabilities(void)
|
||||
+static int drop_capabilities(int full)
|
||||
{
|
||||
- int rc = 0;
|
||||
- cap_t new_caps;
|
||||
- cap_value_t cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID,
|
||||
- CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN,
|
||||
- CAP_DAC_OVERRIDE
|
||||
- };
|
||||
-
|
||||
- if (!getuid())
|
||||
- return 0;
|
||||
-
|
||||
- /* Non-root caller, suid root path */
|
||||
- new_caps = cap_init();
|
||||
- if (!new_caps) {
|
||||
- fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
|
||||
+ capng_clear(CAPNG_SELECT_BOTH);
|
||||
+ if (capng_lock() < 0)
|
||||
return -1;
|
||||
- }
|
||||
- rc |= cap_set_flag(new_caps, CAP_PERMITTED, 6, cap_list, CAP_SET);
|
||||
- rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 6, cap_list, CAP_SET);
|
||||
- if (rc) {
|
||||
- fprintf(stderr, _("Error setting capabilities, aborting\n"));
|
||||
- goto out;
|
||||
- }
|
||||
|
||||
- /* Ensure that caps are dropped after setuid call */
|
||||
- if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
|
||||
- fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
|
||||
- goto out;
|
||||
- }
|
||||
-
|
||||
- /* We should still have root's caps, so drop most capabilities now */
|
||||
- if ((rc = cap_set_proc(new_caps))) {
|
||||
- fprintf(stderr, _("Error dropping capabilities, aborting\n"));
|
||||
- goto out;
|
||||
+ uid_t uid = getuid();
|
||||
+ /* Change uid */
|
||||
+ if (setresuid(uid, uid, uid)) {
|
||||
+ fprintf(stderr, _("Error changing uid, aborting.\n"));
|
||||
+ return -1;
|
||||
}
|
||||
- out:
|
||||
- if (cap_free(new_caps))
|
||||
- fprintf(stderr, _("Error freeing caps\n"));
|
||||
- return rc;
|
||||
+ if (! full)
|
||||
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
|
||||
+ return capng_apply(CAPNG_SELECT_BOTH);
|
||||
}
|
||||
|
||||
#else
|
||||
-static inline int drop_capabilities(void)
|
||||
+static inline int drop_capabilities(__attribute__ ((__unused__)) int full)
|
||||
{
|
||||
return 0;
|
||||
}
|
||||
@@ -1098,7 +1030,7 @@ int main(int argc, char *argv[])
|
||||
* if it makes sense to continue to run newrole, and setting up
|
||||
* a scrubbed environment.
|
||||
*/
|
||||
- if (drop_capabilities())
|
||||
+ if (drop_capabilities(FALSE))
|
||||
return -1;
|
||||
if (set_signal_handles())
|
||||
return -1;
|
||||
@@ -1334,11 +1266,15 @@ int main(int argc, char *argv[])
|
||||
|
||||
if (send_audit_message(1, old_context, new_context, ttyn))
|
||||
goto err_close_pam_session;
|
||||
+ freecon(old_context); old_context=NULL;
|
||||
+ freecon(new_context); new_context=NULL;
|
||||
+
|
||||
#ifdef NAMESPACE_PRIV
|
||||
if (transition_to_caller_uid())
|
||||
goto err_close_pam_session;
|
||||
#endif
|
||||
|
||||
+ drop_capabilities(TRUE);
|
||||
/* Handle environment changes */
|
||||
if (restore_environment(preserve_environment, old_environ, &pw)) {
|
||||
fprintf(stderr, _("Unable to restore the environment, "
|
||||
diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile
|
||||
index 3f235e6..7552668 100644
|
||||
--- a/policycoreutils/restorecond/Makefile
|
||||
|
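Review bot: The two new patch lines `rc = i.type` and `bools = i.bools` in the `@ -43,8 +43,9` hunk leave `__output_audit2why` depending on each parsed AVC message already carrying `type` and `bools` attributes, and nothing in the hunk says where they are populated (presumably the sepolgen parser that this update also pulls in) or what a negative `type` means when the following `if rc >= 0:` skips the message. The same hunk drops the `audit2why.init()` / `audit2why.analyze(...)` call together with the `NOPOLICY` and `BADCOMPUTE` checks that used to follow, so an analysis that never ran is no longer reported here; a short comment above the two assignments would make that explicit, e.g. `# type/bools are filled in by the AVC parser; a negative type means no analysis result for this message`. The outer +/- markers were lost in rendering, so which lines are new is inferred from the 8→9 line counts of that hunk; the remaining hunks of this section appear to be removals of content now carried upstream and are not reviewed. `__output_audit2why` begins in the preceding hunk and continues past this one.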
@ -6,11 +6,12 @@
|
||||
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.0.84
|
||||
Release: 5%{?dist}
|
||||
Version: 2.0.85
|
||||
Release: 1%{?dist}
|
||||
License: GPLv2
|
||||
Group: System Environment/Base
|
||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||
# Based on git repository with tag 20101221
|
||||
Source: git://oss.tresys.com/git/selinux/policycoreutils-%{version}.tgz
|
||||
Source1: git://oss.tresys.com/git/selinux/sepolgen-%{sepolgenver}.tgz
|
||||
URL: http://www.selinuxproject.org
|
||||
Source2: system-config-selinux.png
|
||||
|