rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

policycoreutils-2.8-13

Browse Source 
- chcat: use check_call instead of getstatusoutput
- Use matchbox-window-manager instead of openbox
- Use ipaddress python module instead of IPy
- semanage: Fix handling of -a/-e/-d/-r options
- semanage: Use standard argparse.error() method
This commit is contained in:
Petr Lautrbach 2018-12-10 18:00:15 +01:00
parent 3183fc4035
commit a56e58893b
4 changed files with 368 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
policycoreutils.spec
View File

@ -12,7 +12,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.8
Release: 12%{?dist}
Release: 13%{?dist}
License: GPLv2
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz
@ -37,7 +37,7 @@ Source22: gui-po.tgz
Source23: sandbox-po.tgz
# download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh
# run:
# HEAD https://github.com/fedora-selinux/selinux/commit/f63677145675024f6a1dbdab595c0be1403bd592
# HEAD https://github.com/fedora-selinux/selinux/commit/2fee0bccb66a6cafcf0d178b8c75c23ebd3f9924
# $ for i in policycoreutils selinux-python selinux-gui selinux-sandbox selinux-dbus semodule-utils restorecond; do
# VERSION=2.8 ./make-fedora-selinux-patch.sh $i
# done
@ -276,7 +276,6 @@ Requires:policycoreutils = %{version}-%{release}
Requires:python3-libsemanage >= %{libsemanagever} python3-libselinux
# no python3-audit-libs yet
Requires:audit-libs-python3 >= %{libauditver}
Requires: python3-IPy
Requires: checkpolicy
Requires: python3-setools >= 4.1.1
BuildArch: noarch
@ -374,7 +373,7 @@ The policycoreutils-devel package contains the management tools use to develop p
Summary: SELinux sandbox utilities
Requires: python3-policycoreutils = %{version}-%{release}
Requires: xorg-x11-server-Xephyr >= 1.14.1-2 /usr/bin/rsync /usr/bin/xmodmap
Requires: openbox
Requires: matchbox-window-manager
BuildRequires: libcap-ng-devel
%description sandbox
@ -531,6 +530,13 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Mon Dec 10 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-13
- chcat: use check_call instead of getstatusoutput
- Use matchbox-window-manager instead of openbox
- Use ipaddress python module instead of IPy
- semanage: Fix handling of -a/-e/-d/-r options
- semanage: Use standard argparse.error() method
* Mon Nov 12 2018 Petr Lautrbach <plautrba@redhat.com> - 2.8-12
- sepolicy,semanage: replace aliases with corresponding type names
- sepolicy-generate: Handle more reserved port types

31
selinux-gui-fedora.patch
View File

@ -195,6 +195,37 @@ index 0000000..1795c5c
+../system-config-selinux.py
+../system-config-selinux.ui
+../usersPage.py
diff --git selinux-gui-2.8/polgen.ui selinux-gui-2.8/polgen.ui
index aa4c70a..6a8c067 100644
--- selinux-gui-2.8/polgen.ui
+++ selinux-gui-2.8/polgen.ui
@@ -1975,7 +1975,7 @@ Tab</property>
<object class="GtkLabel" id="label17">
<property name="visible">True</property>
<property name="can_focus">False</property>
- <property name="label">Add File</property>
+ <property name="label" translatable="yes">Add File</property>
<property name="use_underline">True</property>
</object>
<packing>
@@ -2028,7 +2028,7 @@ Tab</property>
<object class="GtkLabel" id="label16">
<property name="visible">True</property>
<property name="can_focus">False</property>
- <property name="label">Add Directory</property>
+ <property name="label" translatable="yes">Add Directory</property>
<property name="use_underline">True</property>
</object>
<packing>
@@ -2176,7 +2176,7 @@ Tab</property>
<object class="GtkLabel" id="label3">
<property name="visible">True</property>
<property name="can_focus">False</property>
- <property name="label">Add Boolean</property>
+ <property name="label" translatable="yes">Add Boolean</property>
<property name="use_underline">True</property>
</object>
<packing>
diff --git selinux-gui-2.8/polgengui.py selinux-gui-2.8/polgengui.py
index 1601dbe..7e0d9d0 100644
--- selinux-gui-2.8/polgengui.py

301
selinux-python-fedora.patch
View File

@ -75,10 +75,22 @@ index a826a9f..4427dea 100644
if __name__ == "__main__":
unittest.main()
diff --git selinux-python-2.8/chcat/chcat selinux-python-2.8/chcat/chcat
index 4bd9fc6..edfe571 100755
index 4bd9fc6..a2cc9fa 100755
--- selinux-python-2.8/chcat/chcat
+++ selinux-python-2.8/chcat/chcat
@@ -34,7 +34,7 @@ import getopt
@@ -22,10 +22,7 @@
# 02111-1307 USA
#
#
-try:
- from subprocess import getstatusoutput
-except ImportError:
- from commands import getstatusoutput
+import subprocess
import sys
import os
import pwd
@@ -34,7 +31,7 @@ import getopt
import selinux
import seobject
@ -87,6 +99,133 @@ index 4bd9fc6..edfe571 100755
try:
import gettext
kwargs = {}
@@ -99,12 +96,12 @@ def chcat_user_add(newcat, users):
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
@@ -140,10 +137,11 @@ def chcat_add(orig, newcat, objects, login_ind):
cat_string = "%s,%s" % (cat_string, c)
else:
cat_string = cat
- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat_string, f)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+
+ cmd = ["chcon", "-l", "%s:%s" % (sensitivity, cat_string), f]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
@@ -179,13 +177,15 @@ def chcat_user_remove(newcat, users):
new_serange = "%s-%s" % (serange[0], top[0])
if add_ind:
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
+
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
+
return errors
@@ -224,12 +224,14 @@ def chcat_remove(orig, newcat, objects, login_ind):
continue
if len(cat) == 0:
- cmd = 'chcon -l %s %s' % (sensitivity, f)
+ new_serange = sensitivity
else:
- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat, f)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ new_serange = '%s:%s' % (sensitivity, cat)
+
+ cmd = ["chcon", "-l", new_serange, f]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
@@ -247,17 +249,17 @@ def chcat_user_replace(newcat, users):
add_ind = 1
user = seusers["__default__"]
serange = user[1].split("-")
- new_serange = "%s-%s:%s" % (serange[0], newcat[0], string.join(newcat[1:], ","))
+ new_serange = "%s-%s:%s" % (serange[0], newcat[0], ",".join(newcat[1:]))
if new_serange[-1:] == ":":
new_serange = new_serange[:-1]
if add_ind:
- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u)
+ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u]
else:
- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u)
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u]
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
@@ -267,20 +269,16 @@ def chcat_replace(newcat, objects, login_ind):
return chcat_user_replace(newcat, objects)
errors = 0
if len(newcat) == 1:
- sensitivity = newcat[0]
- cmd = 'chcon -l %s ' % newcat[0]
+ new_serange = newcat[0]
else:
- sensitivity = newcat[0]
- cmd = 'chcon -l %s:%s' % (sensitivity, newcat[1])
+ new_serange = "%s:%s" % (newcat[0], newcat[1])
for cat in newcat[2:]:
- cmd = '%s,%s' % (cmd, cat)
+ new_serange = '%s,%s' % (new_serange, cat)
- for f in objects:
- cmd = "%s %s" % (cmd, f)
-
- rc = getstatusoutput(cmd)
- if rc[0] != 0:
- print(rc[1])
+ cmd = ["chcon", "-l", new_serange] + objects
+ try:
+ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False)
+ except subprocess.CalledProcessError as e:
errors += 1
return errors
diff --git selinux-python-2.8/po/Makefile selinux-python-2.8/po/Makefile
new file mode 100644
index 0000000..4e052d5
@ -193,7 +332,7 @@ index 0000000..128eb87
+../sepolicy/sepolicy/interface.py
+../sepolicy/sepolicy.py
diff --git selinux-python-2.8/semanage/semanage selinux-python-2.8/semanage/semanage
index 8d8a086..4ced085 100644
index 8d8a086..26fa46a 100644
--- selinux-python-2.8/semanage/semanage
+++ selinux-python-2.8/semanage/semanage
@@ -27,7 +27,7 @@ import traceback
@ -232,6 +371,66 @@ index 8d8a086..4ced085 100644
'''))
userParser.add_argument('-P', '--prefix', default="user", help=argparse.SUPPRESS)
userParser.add_argument('selinux_name', nargs='?', default=None, help=_('selinux_name'))
@@ -604,19 +604,19 @@ def setupInterfaceParser(subparsers):
def handleModule(args):
OBJECT = seobject.moduleRecords(args)
- if args.action == "add":
- OBJECT.add(args.module_name, args.priority)
- if args.action == "enable":
- OBJECT.set_enabled(args.module_name, True)
- if args.action == "disable":
- OBJECT.set_enabled(args.module_name, False)
- if args.action == "remove":
- OBJECT.delete(args.module_name, args.priority)
- if args.action is "deleteall":
+ if args.action_add:
+ OBJECT.add(args.action_add, args.priority)
+ if args.action_enable:
+ OBJECT.set_enabled(args.action_enable, True)
+ if args.action_disable:
+ OBJECT.set_enabled(args.action_disable, False)
+ if args.action_remove:
+ OBJECT.delete(args.action_remove, args.priority)
+ if args.action == "deleteall":
OBJECT.deleteall()
if args.action == "list":
OBJECT.list(args.noheading, args.locallist)
- if args.action is "extract":
+ if args.action == "extract":
for i in OBJECT.customized():
print("module %s" % str(i))
@@ -630,14 +630,13 @@ def setupModuleParser(subparsers):
parser_add_priority(moduleParser, "module")
mgroup = moduleParser.add_mutually_exclusive_group(required=True)
- parser_add_add(mgroup, "module")
parser_add_list(mgroup, "module")
parser_add_extract(mgroup, "module")
parser_add_deleteall(mgroup, "module")
- mgroup.add_argument('-r', '--remove', dest='action', action='store_const', const='remove', help=_("Remove a module"))
- mgroup.add_argument('-d', '--disable', dest='action', action='store_const', const='disable', help=_("Disable a module"))
- mgroup.add_argument('-e', '--enable', dest='action', action='store_const', const='enable', help=_("Enable a module"))
- moduleParser.add_argument('module_name', nargs='?', default=None, help=_('Name of the module to act on'))
+ mgroup.add_argument('-a', '--add', dest='action_add', action='store', nargs=1, metavar='module_name', help=_("Add a module"))
+ mgroup.add_argument('-r', '--remove', dest='action_remove', action='store', nargs='+', metavar='module_name', help=_("Remove a module"))
+ mgroup.add_argument('-d', '--disable', dest='action_disable', action='store', nargs='+', metavar='module_name', help=_("Disable a module"))
+ mgroup.add_argument('-e', '--enable', dest='action_enable', action='store', nargs='+', metavar='module_name', help=_("Enable a module"))
moduleParser.set_defaults(func=handleModule)
@@ -739,9 +738,7 @@ def handlePermissive(args):
if args.action is "delete":
OBJECT.delete(args.type)
else:
- args.parser.print_usage(sys.stderr)
- sys.stderr.write(_('semanage permissive: error: the following argument is required: type\n'))
- sys.exit(1)
+ args.parser.error(message=_('semanage permissive: error: the following argument is required: type\n'))
def setupPermissiveParser(subparsers):
diff --git selinux-python-2.8/semanage/semanage-user.8 selinux-python-2.8/semanage/semanage-user.8
index 30bc670..23fec69 100644
--- selinux-python-2.8/semanage/semanage-user.8
@ -262,10 +461,10 @@ index 0bdb90f..0cdcfcc 100644
user identities to authorized role sets. In most cases, only the
former mapping needs to be adjusted by the administrator; the latter
diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py
index c76dce8..972d5af 100644
index c76dce8..a0cdeb7 100644
--- selinux-python-2.8/semanage/seobject.py
+++ selinux-python-2.8/semanage/seobject.py
@@ -30,7 +30,7 @@ import sys
@@ -30,10 +30,10 @@ import sys
import stat
import socket
from semanage import *
@ -273,7 +472,11 @@ index c76dce8..972d5af 100644
+PROGNAME = "selinux-python"
import sepolicy
import setools
from IPy import IP
-from IPy import IP
+import ipaddress
try:
import gettext
@@ -101,6 +101,8 @@ ftype_to_audit = {"": "any",
try:
@ -292,7 +495,38 @@ index c76dce8..972d5af 100644
class logger:
def __init__(self):
@@ -593,7 +595,6 @@ class loginRecords(semanageRecords):
@@ -397,6 +399,8 @@ class moduleRecords(semanageRecords):
print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled))
def add(self, file, priority):
+ if type(file) == list:
+ file = file[0]
if not os.path.exists(file):
raise ValueError(_("Module does not exist: %s ") % file)
@@ -409,7 +413,9 @@ class moduleRecords(semanageRecords):
self.commit()
def set_enabled(self, module, enable):
- for m in module.split():
+ if type(module) == str:
+ module = module.split()
+ for m in module:
rc, key = semanage_module_key_create(self.sh)
if rc < 0:
raise ValueError(_("Could not create module key"))
@@ -431,7 +437,9 @@ class moduleRecords(semanageRecords):
if rc < 0:
raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority)
- for m in module.split():
+ if type(module) == str:
+ module = module.split()
+ for m in module:
rc = semanage_module_remove(self.sh, m)
if rc < 0 and rc != -2:
raise ValueError(_("Could not remove module %s (remove failed)") % m)
@@ -593,7 +601,6 @@ class loginRecords(semanageRecords):
semanage_seuser_key_free(k)
semanage_seuser_free(u)
@ -300,7 +534,7 @@ index c76dce8..972d5af 100644
def add(self, name, sename, serange):
try:
@@ -601,7 +602,6 @@ class loginRecords(semanageRecords):
@@ -601,7 +608,6 @@ class loginRecords(semanageRecords):
self.__add(name, sename, serange)
self.commit()
except ValueError as error:
@ -308,7 +542,7 @@ index c76dce8..972d5af 100644
raise error
def __modify(self, name, sename="", serange=""):
@@ -653,7 +653,6 @@ class loginRecords(semanageRecords):
@@ -653,7 +659,6 @@ class loginRecords(semanageRecords):
semanage_seuser_key_free(k)
semanage_seuser_free(u)
@ -316,7 +550,7 @@ index c76dce8..972d5af 100644
def modify(self, name, sename="", serange=""):
try:
@@ -661,7 +660,6 @@ class loginRecords(semanageRecords):
@@ -661,7 +666,6 @@ class loginRecords(semanageRecords):
self.__modify(name, sename, serange)
self.commit()
except ValueError as error:
@ -324,7 +558,7 @@ index c76dce8..972d5af 100644
raise error
def __delete(self, name):
@@ -694,8 +692,6 @@ class loginRecords(semanageRecords):
@@ -694,8 +698,6 @@ class loginRecords(semanageRecords):
rec, self.sename, self.serange = selinux.getseuserbyname("__default__")
range, (rc, serole) = userrec.get(self.sename)
@ -333,7 +567,7 @@ index c76dce8..972d5af 100644
def delete(self, name):
try:
self.begin()
@@ -703,7 +699,6 @@ class loginRecords(semanageRecords):
@@ -703,7 +705,6 @@ class loginRecords(semanageRecords):
self.commit()
except ValueError as error:
@ -341,7 +575,7 @@ index c76dce8..972d5af 100644
raise error
def deleteall(self):
@@ -717,7 +712,6 @@ class loginRecords(semanageRecords):
@@ -717,7 +718,6 @@ class loginRecords(semanageRecords):
self.__delete(semanage_seuser_get_name(u))
self.commit()
except ValueError as error:
@ -349,7 +583,7 @@ index c76dce8..972d5af 100644
raise error
def get_all_logins(self):
@@ -1087,6 +1081,8 @@ class portRecords(semanageRecords):
@@ -1087,6 +1087,8 @@ class portRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
@ -358,7 +592,7 @@ index c76dce8..972d5af 100644
if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % type)
@@ -1151,6 +1147,7 @@ class portRecords(semanageRecords):
@@ -1151,6 +1153,7 @@ class portRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
@ -366,7 +600,7 @@ index c76dce8..972d5af 100644
if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a port type") % setype)
@@ -1355,6 +1352,8 @@ class ibpkeyRecords(semanageRecords):
@@ -1355,6 +1358,8 @@ class ibpkeyRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
@ -375,7 +609,7 @@ index c76dce8..972d5af 100644
if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
@@ -1417,6 +1416,8 @@ class ibpkeyRecords(semanageRecords):
@@ -1417,6 +1422,8 @@ class ibpkeyRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
@ -384,7 +618,7 @@ index c76dce8..972d5af 100644
if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
@@ -1603,6 +1604,8 @@ class ibendportRecords(semanageRecords):
@@ -1603,6 +1610,8 @@ class ibendportRecords(semanageRecords):
if type == "":
raise ValueError(_("Type is required"))
@ -393,7 +627,7 @@ index c76dce8..972d5af 100644
if type not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
(k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
@@ -1664,6 +1667,8 @@ class ibendportRecords(semanageRecords):
@@ -1664,6 +1673,8 @@ class ibendportRecords(semanageRecords):
else:
raise ValueError(_("Requires setype"))
@ -402,7 +636,26 @@ index c76dce8..972d5af 100644
if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
@@ -1853,6 +1858,8 @@ class nodeRecords(semanageRecords):
@@ -1826,13 +1837,13 @@ class nodeRecords(semanageRecords):
# verify valid comination
if len(mask) == 0 or mask[0] == "/":
- i = IP(addr + mask)
- newaddr = i.strNormal(0)
- newmask = str(i.netmask())
- if newmask == "0.0.0.0" and i.version() == 6:
+ i = ipaddress.ip_network(addr + mask)
+ newaddr = str(i.network_address)
+ newmask = str(i.netmask)
+ if newmask == "0.0.0.0" and i.version == 6:
newmask = "::"
- protocol = "ipv%d" % i.version()
+ protocol = "ipv%d" % i.version
try:
newprotocol = self.protocol.index(protocol)
@@ -1853,6 +1864,8 @@ class nodeRecords(semanageRecords):
if ctype == "":
raise ValueError(_("SELinux node type is required"))
@ -411,7 +664,7 @@ index c76dce8..972d5af 100644
if ctype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
@@ -1922,6 +1929,8 @@ class nodeRecords(semanageRecords):
@@ -1922,6 +1935,8 @@ class nodeRecords(semanageRecords):
if serange == "" and setype == "":
raise ValueError(_("Requires setype or serange"))
@ -420,7 +673,7 @@ index c76dce8..972d5af 100644
if setype and setype not in self.valid_types:
raise ValueError(_("Type %s is invalid, must be a node type") % setype)
@@ -2241,7 +2250,6 @@ class fcontextRecords(semanageRecords):
@@ -2241,7 +2256,6 @@ class fcontextRecords(semanageRecords):
try:
valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
@ -428,7 +681,7 @@ index c76dce8..972d5af 100644
except RuntimeError:
valid_types = []
@@ -2369,8 +2377,10 @@ class fcontextRecords(semanageRecords):
@@ -2369,8 +2383,10 @@ class fcontextRecords(semanageRecords):
if type == "":
raise ValueError(_("SELinux Type is required"))
@ -441,7 +694,7 @@ index c76dce8..972d5af 100644
(rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
if rc < 0:
@@ -2432,8 +2442,10 @@ class fcontextRecords(semanageRecords):
@@ -2432,8 +2448,10 @@ class fcontextRecords(semanageRecords):
def __modify(self, target, setype, ftype, serange, seuser):
if serange == "" and setype == "" and seuser == "":
raise ValueError(_("Requires setype, serange or seuser"))

55
selinux-sandbox-fedora.patch
View File

@ -114,7 +114,7 @@ index 0000000..deff3f2
@@ -0,0 +1 @@
+../sandbox
diff --git selinux-sandbox-2.8/sandbox selinux-sandbox-2.8/sandbox
index c07a1d8..a051360 100644
index c07a1d8..948496d 100644
--- selinux-sandbox-2.8/sandbox
+++ selinux-sandbox-2.8/sandbox
@@ -37,7 +37,7 @@ import sepolicy
@ -126,14 +126,59 @@ index c07a1d8..a051360 100644
try:
import gettext
kwargs = {}
@@ -268,7 +268,7 @@ class Sandbox:
copyfile(f, "/tmp", self.__tmpdir)
copyfile(f, "/var/tmp", self.__tmpdir)
- def __setup_sandboxrc(self, wm="/usr/bin/openbox"):
+ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"):
execfile = self.__homedir + "/.sandboxrc"
fd = open(execfile, "w+")
if self.__options.session:
@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
- default="/usr/bin/openbox",
+ default="/usr/bin/matchbox-window-manager",
help=_("alternate window manager"))
parser.add_option("-l", "--level", dest="level",
diff --git selinux-sandbox-2.8/sandbox.8 selinux-sandbox-2.8/sandbox.8
index d83fee7..90ef495 100644
--- selinux-sandbox-2.8/sandbox.8
+++ selinux-sandbox-2.8/sandbox.8
@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz
\fB\-W\fR \fB\-\-windowmanager\fR
Select alternative window manager to run within
.B sandbox \-X.
-Default to /usr/bin/openbox.
+Default to /usr/bin/matchbox-window-manager.
.TP
\fB\-X\fR
Create an X based Sandbox for gui apps, temporary files for
diff --git selinux-sandbox-2.8/sandboxX.sh selinux-sandbox-2.8/sandboxX.sh
index eaa500d..4774528 100644
index eaa500d..c211ebc 100644
--- selinux-sandbox-2.8/sandboxX.sh
+++ selinux-sandbox-2.8/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
</openbox_config>
EOF
@@ -6,21 +6,7 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8
[ -z $2 ] && export DPI="96" || export DPI="$2"
trap "exit 0" HUP
-mkdir -p ~/.config/openbox
-cat > ~/.config/openbox/rc.xml << EOF
-<openbox_config xmlns="http://openbox.org/3.4/rc"
- xmlns:xi="http://www.w3.org/2001/XInclude">
-<applications>
- <application class="*">
- <decor>no</decor>
- <desktop>all</desktop>
- <maximized>yes</maximized>
- </application>
-</applications>
-</openbox_config>
-EOF
-
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D