- Change to allow sandbox to run on nfs homedirs, add start python script

Dan Walsh 2010-12-21 16:20:01 -05:00
parent 8937a040d8
commit a548207cc4
5 changed files with 73075 additions and 80245 deletions

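--- a/.gitignore
+++ b/.gitignore
@@ -222,3 +222,4 @@ policycoreutils-2.0.82.tgz
 sepolgen-1.0.23.tgz
 policycoreutils-2.0.83.tgz
 /policycoreutils-2.0.84.tgz
+/policycoreutils-2.0.85.tgz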



@ -9,7 +9,7 @@ index 86ed03f..67d0ee8 100644
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow diff --git a/policycoreutils/audit2allow/audit2allow b/policycoreutils/audit2allow/audit2allow
index 5435e9d..fddcdaa 100644 index 5435e9d..c60490b 100644
--- a/policycoreutils/audit2allow/audit2allow --- a/policycoreutils/audit2allow/audit2allow
+++ b/policycoreutils/audit2allow/audit2allow +++ b/policycoreutils/audit2allow/audit2allow
@@ -1,4 +1,4 @@ @@ -1,4 +1,4 @@
@ -34,7 +34,7 @@ index 5435e9d..fddcdaa 100644
parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False, parser.add_option("-d", "--dmesg", action="store_true", dest="dmesg", default=False,
help="read input from dmesg - conflicts with --all and --input") help="read input from dmesg - conflicts with --all and --input")
parser.add_option("-i", "--input", dest="input", parser.add_option("-i", "--input", dest="input",
@@ -231,63 +233,44 @@ class AuditToPolicy: @@ -231,29 +233,12 @@ class AuditToPolicy:
def __output_audit2why(self): def __output_audit2why(self):
import selinux import selinux
@ -43,8 +43,9 @@ index 5435e9d..fddcdaa 100644
- audit2why.init() - audit2why.init()
for i in self.__parser.avc_msgs: for i in self.__parser.avc_msgs:
- rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses) - rc, bools = audit2why.analyze(i.scontext.to_string(), i.tcontext.to_string(), i.tclass, i.accesses)
- if rc >= 0: + rc = i.type
+ if i.type >= 0: + bools = i.bools
if rc >= 0:
print "%s\n\tWas caused by:" % i.message print "%s\n\tWas caused by:" % i.message
- if rc == audit2why.NOPOLICY: - if rc == audit2why.NOPOLICY:
- raise RuntimeError("Must call policy_init first") - raise RuntimeError("Must call policy_init first")
@ -62,55 +63,10 @@ index 5435e9d..fddcdaa 100644
- continue - continue
- if rc == audit2why. BADCOMPUTE: - if rc == audit2why. BADCOMPUTE:
- raise RuntimeError("Error during access vector computation") - raise RuntimeError("Error during access vector computation")
- if rc == audit2why.ALLOW: if rc == audit2why.ALLOW:
+ if i.type == audit2why.ALLOW:
print "\t\tUnknown - would be allowed by active policy\n", print "\t\tUnknown - would be allowed by active policy\n",
print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n" print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n" @@ -350,11 +335,19 @@ class AuditToPolicy:
continue
- if rc == audit2why.DONTAUDIT:
+ if i.type == audit2why.DONTAUDIT:
print "\t\tUnknown - should be dontaudit'd by active policy\n",
print "\t\tPossible mismatch between this policy and the one under which the audit message was generated.\n"
print "\t\tPossible mismatch between current in-memory boolean settings vs. permanent ones.\n"
continue
- if rc == audit2why.BOOLEAN:
- if len(bools) > 1:
+ if i.type == audit2why.BOOLEAN:
+ if len(i.bools) > 1:
print "\tOne of the following booleans was set incorrectly."
- for b in bools:
+ for b in i.bools:
print "\tDescription:\n\t%s\n" % seobject.boolean_desc(b[0])
print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (b[0], b[1])
else:
- print "\tThe boolean %s was set incorrectly. " % (bools[0][0])
- print "\tDescription:\n\t%s\n" % seobject.boolean_desc(bools[0][0])
- print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (bools[0][0], bools[0][1])
+ print "\tThe boolean %s was set incorrectly. " % (i.bools[0][0])
+ print "\tDescription:\n\t%s\n" % seobject.boolean_desc(i.bools[0][0])
+ print "\tAllow access by executing:\n\t# setsebool -P %s %d" % (i.bools[0][0], i.bools[0][1])
continue
- if rc == audit2why.TERULE:
+ if i.type == audit2why.TERULE:
print "\t\tMissing type enforcement (TE) allow rule.\n"
print "\t\tYou can use audit2allow to generate a loadable module to allow this access.\n"
continue
- if rc == audit2why.CONSTRAINT:
+ if i.type == audit2why.CONSTRAINT:
print "\t\tPolicy constraint violation.\n"
print "\t\tMay require adding a type attribute to the domain or type to satisfy the constraint.\n"
print "\t\tConstraints are defined in the policy sources in policy/constraints (general), policy/mcs (MCS), and policy/mls (MLS).\n"
continue
- if rc == audit2why.RBAC:
+ if i.type == audit2why.RBAC:
print "\t\tMissing role allow rule.\n"
print "\t\tAdd an allow rule for the role pair.\n"
continue
@@ -350,11 +333,19 @@ class AuditToPolicy:
def main(self): def main(self):
try: try:
self.__parse_options() self.__parse_options()
@ -332,276 +288,6 @@ index 03f95a1..5986b23 100644
if_set.to_file(f) if_set.to_file(f)
f.close() f.close()
diff --git a/policycoreutils/load_policy/load_policy.c b/policycoreutils/load_policy/load_policy.c
index 47d9b0f..566565f 100644
--- a/policycoreutils/load_policy/load_policy.c
+++ b/policycoreutils/load_policy/load_policy.c
@@ -1,3 +1,4 @@
+#define _GNU_SOURCE
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
@@ -23,6 +24,14 @@ void usage(char *progname)
exit(1);
}
+char *policy_path(void) {
+ char *path=NULL;
+ if (asprintf(&path, "%s.%d", selinux_binary_policy_path(), security_policyvers()) < 0) {
+ return NULL;
+ }
+ return path;
+}
+
int main(int argc, char **argv)
{
int ret, opt, quiet = 0, nargs, init=0, enforce=0;
@@ -64,6 +73,7 @@ int main(int argc, char **argv)
"%s: Warning! Boolean file argument (%s) is no longer supported, installed booleans file is always used. Continuing...\n",
argv[0], argv[optind++]);
}
+ errno = 0;
if (init) {
if (is_selinux_enabled() == 1) {
/* SELinux is already enabled, we should not do an initial load again */
@@ -76,9 +86,11 @@ int main(int argc, char **argv)
if (ret != 0 ) {
if (enforce > 0) {
/* SELinux in enforcing mode but load_policy failed */
+ char *path=policy_path();
fprintf(stderr,
- _("%s: Can't load policy and enforcing mode requested: %s\n"),
- argv[0], strerror(errno));
+ _("%s: Can't load policy file %s and enforcing mode requested: %s\n"),
+ argv[0], path, strerror(errno));
+ free(path);
exit(3);
}
}
@@ -86,9 +98,16 @@ int main(int argc, char **argv)
else {
ret = selinux_mkload_policy(1);
}
- if (ret < 0) {
- fprintf(stderr, _("%s: Can't load policy: %s\n"),
- argv[0], strerror(errno));
+
+ /* selinux_init_load_policy returns -1 if it did not load_policy
+ * On SELinux disabled system it will always return -1
+ * So check errno to see if anything went wrong
+ */
+ if (ret < 0 && errno != 0) {
+ char *path=policy_path();
+ fprintf(stderr, _("%s: Can't load policy file %s: %s\n"),
+ argv[0], path, strerror(errno));
+ free(path);
exit(2);
}
exit(0);
diff --git a/policycoreutils/newrole/Makefile b/policycoreutils/newrole/Makefile
index 6c19bd1..bd8e7a7 100644
--- a/policycoreutils/newrole/Makefile
+++ b/policycoreutils/newrole/Makefile
@@ -50,7 +50,7 @@ ifeq (${NAMESPACE_PRIV},y)
endif
ifeq (${IS_SUID},y)
MODE := 4555
- LDLIBS += -lcap
+ LDLIBS += -lcap-ng
else
MODE := 0555
endif
diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
index d191be6..071b393 100644
--- a/policycoreutils/newrole/newrole.c
+++ b/policycoreutils/newrole/newrole.c
@@ -77,7 +77,7 @@
#endif
#if defined(AUDIT_LOG_PRIV) || (NAMESPACE_PRIV)
#include <sys/prctl.h>
-#include <sys/capability.h>
+#include <cap-ng.h>
#endif
#ifdef USE_NLS
#include <locale.h> /* for setlocale() */
@@ -90,6 +90,9 @@
#define PACKAGE "policycoreutils" /* the name of this package lang translation */
#endif
+# define TRUE 1
+# define FALSE 0
+
/* USAGE_STRING describes the command-line args of this program. */
#define USAGE_STRING "USAGE: newrole [ -r role ] [ -t type ] [ -l level ] [ -p ] [ -V ] [ -- args ]"
@@ -538,69 +541,23 @@ static int restore_environment(int preserve_environment,
* Returns zero on success, non-zero otherwise
*/
#if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
-static int drop_capabilities(void)
+static int drop_capabilities(int full)
{
- int rc = 0;
- cap_t new_caps, tmp_caps;
- cap_value_t cap_list[] = { CAP_AUDIT_WRITE };
- cap_value_t tmp_cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID };
- uid_t uid = getuid();
-
- if (!uid)
- return 0;
-
- /* Non-root caller, suid root path */
- new_caps = cap_init();
- tmp_caps = cap_init();
- if (!new_caps || !tmp_caps) {
- fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
+ capng_clear(CAPNG_SELECT_BOTH);
+ if (capng_lock() < 0)
return -1;
- }
- rc |= cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET);
- rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET);
- rc |= cap_set_flag(tmp_caps, CAP_PERMITTED, 2, tmp_cap_list, CAP_SET);
- rc |= cap_set_flag(tmp_caps, CAP_EFFECTIVE, 2, tmp_cap_list, CAP_SET);
- if (rc) {
- fprintf(stderr, _("Error setting capabilities, aborting\n"));
- goto out;
- }
-
- /* Keep capabilities across uid change */
- if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
- fprintf(stderr, _("Error setting KEEPCAPS, aborting\n"));
- rc = -1;
- goto out;
- }
- /* Does this temporary change really buy us much? */
- /* We should still have root's caps, so drop most capabilities now */
- if ((rc = cap_set_proc(tmp_caps))) {
- fprintf(stderr, _("Error dropping capabilities, aborting\n"));
- goto out;
- }
+ uid_t uid = getuid();
+ if (!uid) return 0;
/* Change uid */
- if ((rc = setresuid(uid, uid, uid))) {
+ if (setresuid(uid, uid, uid)) {
fprintf(stderr, _("Error changing uid, aborting.\n"));
- goto out;
- }
-
- /* Now get rid of this ability */
- if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
- fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
- goto out;
- }
-
- /* Finish dropping capabilities. */
- if ((rc = cap_set_proc(new_caps))) {
- fprintf(stderr,
- _("Error dropping SETUID capability, aborting\n"));
- goto out;
+ return -1;
}
- out:
- if (cap_free(tmp_caps) || cap_free(new_caps))
- fprintf(stderr, _("Error freeing caps\n"));
- return rc;
+ if (! full)
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
+ return capng_apply(CAPNG_SELECT_BOTH);
}
#elif defined(NAMESPACE_PRIV)
/**
@@ -616,50 +573,25 @@ static int drop_capabilities(void)
*
* Returns zero on success, non-zero otherwise
*/
-static int drop_capabilities(void)
+static int drop_capabilities(int full)
{
- int rc = 0;
- cap_t new_caps;
- cap_value_t cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID,
- CAP_SYS_ADMIN, CAP_FOWNER, CAP_CHOWN,
- CAP_DAC_OVERRIDE
- };
-
- if (!getuid())
- return 0;
-
- /* Non-root caller, suid root path */
- new_caps = cap_init();
- if (!new_caps) {
- fprintf(stderr, _("Error initializing capabilities, aborting.\n"));
+ capng_clear(CAPNG_SELECT_BOTH);
+ if (capng_lock() < 0)
return -1;
- }
- rc |= cap_set_flag(new_caps, CAP_PERMITTED, 6, cap_list, CAP_SET);
- rc |= cap_set_flag(new_caps, CAP_EFFECTIVE, 6, cap_list, CAP_SET);
- if (rc) {
- fprintf(stderr, _("Error setting capabilities, aborting\n"));
- goto out;
- }
- /* Ensure that caps are dropped after setuid call */
- if ((rc = prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0)) {
- fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
- goto out;
- }
-
- /* We should still have root's caps, so drop most capabilities now */
- if ((rc = cap_set_proc(new_caps))) {
- fprintf(stderr, _("Error dropping capabilities, aborting\n"));
- goto out;
+ uid_t uid = getuid();
+ /* Change uid */
+ if (setresuid(uid, uid, uid)) {
+ fprintf(stderr, _("Error changing uid, aborting.\n"));
+ return -1;
}
- out:
- if (cap_free(new_caps))
- fprintf(stderr, _("Error freeing caps\n"));
- return rc;
+ if (! full)
+ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
+ return capng_apply(CAPNG_SELECT_BOTH);
}
#else
-static inline int drop_capabilities(void)
+static inline int drop_capabilities(__attribute__ ((__unused__)) int full)
{
return 0;
}
@@ -1098,7 +1030,7 @@ int main(int argc, char *argv[])
* if it makes sense to continue to run newrole, and setting up
* a scrubbed environment.
*/
- if (drop_capabilities())
+ if (drop_capabilities(FALSE))
return -1;
if (set_signal_handles())
return -1;
@@ -1334,11 +1266,15 @@ int main(int argc, char *argv[])
if (send_audit_message(1, old_context, new_context, ttyn))
goto err_close_pam_session;
+ freecon(old_context); old_context=NULL;
+ freecon(new_context); new_context=NULL;
+
#ifdef NAMESPACE_PRIV
if (transition_to_caller_uid())
goto err_close_pam_session;
#endif
+ drop_capabilities(TRUE);
/* Handle environment changes */
if (restore_environment(preserve_environment, old_environ, &pw)) {
fprintf(stderr, _("Unable to restore the environment, "
diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile
index 3f235e6..7552668 100644 index 3f235e6..7552668 100644
--- a/policycoreutils/restorecond/Makefile --- a/policycoreutils/restorecond/Makefile


@ -6,11 +6,12 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.0.84 Version: 2.0.85
Release: 5%{?dist} Release: 1%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz # Based on git repository with tag 20101221
Source: git://oss.tresys.com/git/selinux/policycoreutils-%{version}.tgz
Source1: git://oss.tresys.com/git/selinux/sepolgen-%{sepolgenver}.tgz Source1: git://oss.tresys.com/git/selinux/sepolgen-%{sepolgenver}.tgz
URL: http://www.selinuxproject.org URL: http://www.selinuxproject.org
Source2: system-config-selinux.png Source2: system-config-selinux.png


@ -1,3 +1,3 @@
49faa2e5f343317bcfcf34d7286f6037 sepolgen-1.0.23.tgz 49faa2e5f343317bcfcf34d7286f6037 sepolgen-1.0.23.tgz
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2 59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
b79060bbc673997e404584959524374d policycoreutils-2.0.84.tgz 92fa615448d443b22c4ad6ecf89fc974 policycoreutils-2.0.85.tgz