* Thu Oct 6 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-8

- Add check to sandbox to verify save changes - Chris Pardy
- Fix memory leak in restorecond - Steve Grubb
This commit is contained in:
Daniel J Walsh 2009-10-06 16:09:52 +00:00
parent 678a86d335
commit ac48b0b34b
3 changed files with 356 additions and 24 deletions


@ -12251,8 +12251,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.74/gui/templates/executable.py
--- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.74/gui/templates/executable.py 2009-10-01 12:03:05.000000000 -0400
@@ -0,0 +1,368 @@
+++ policycoreutils-2.0.74/gui/templates/executable.py 2009-10-02 08:46:53.000000000 -0400
@@ -0,0 +1,359 @@
+# Copyright (C) 2007-2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
@ -12374,20 +12374,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
+"""
+
+te_userapp_rules="""
+########################################
+#
+# TEMPLATETYPE local policy
+#
+
+## internal communication is often done using fifo and unix sockets.
+allow TEMPLATETYPE_t self:fifo_file rw_file_perms;
+allow TEMPLATETYPE_t self:fifo_file manage_file_file_perms;
+allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms;
+
+files_read_etc_files(TEMPLATETYPE_t)
+
+libs_use_ld_so(TEMPLATETYPE_t)
+libs_use_shared_libs(TEMPLATETYPE_t)
+
+miscfiles_read_localization(TEMPLATETYPE_t)
+"""
+
@ -12515,9 +12506,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
+ type TEMPLATETYPE_t;
+ ')
+
+ role $2 types TEMPLATETYPE_t;
+ role $1 types TEMPLATETYPE_t;
+
+ TEMPLATETYPE_domtrans($1)
+ TEMPLATETYPE_domtrans($2)
+
+ ps_process_pattern($2, TEMPLATETYPE_t)
+ allow $2 TEMPLATETYPE_t:process signal;


@ -939,8 +939,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.74/restorecond/watch.c
--- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.74/restorecond/watch.c 2009-09-20 21:26:36.000000000 -0400
@@ -0,0 +1,254 @@
+++ policycoreutils-2.0.74/restorecond/watch.c 2009-10-06 12:06:56.000000000 -0400
@@ -0,0 +1,253 @@
+#define _GNU_SOURCE
+#include <sys/inotify.h>
+#include <errno.h>
@ -985,8 +985,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ struct watchList *prev = NULL;
+ glob_t globbuf;
+ char *x = strdup(path);
+ if (!x)
+ exitApp("Out of Memory");
+ if (!x) exitApp("Out of Memory");
+ char *file = basename(x);
+ char *dir = dirname(x);
+ ptr = firstDir;
@ -1017,12 +1016,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ }
+ ptr = calloc(1, sizeof(struct watchList));
+
+ if (!ptr)
+ exitApp("Out of Memory");
+ if (!ptr) exitApp("Out of Memory");
+
+ ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO);
+ if (ptr->wd == -1) {
+ free(ptr);
+ free(x);
+ syslog(LOG_ERR, "Unable to watch (%s) %s\n",
+ path, strerror(errno));
+ return;
@ -1195,6 +1194,323 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ exitApp("Error watching config file.");
+}
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.74/sandbox/deliverables/basicwrapper
--- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.74/sandbox/deliverables/basicwrapper 2009-08-14 10:53:53.000000000 -0400
@@ -0,0 +1,4 @@
+import os, sys
+SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']]
+SANDBOX_ARGS.extend(sys.argv[1::])
+os.execv('/usr/bin/sandbox',SANDBOX_ARGS)
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.74/sandbox/deliverables/README
--- nsapolicycoreutils/sandbox/deliverables/README 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.74/sandbox/deliverables/README 2009-08-14 10:56:22.000000000 -0400
@@ -0,0 +1,32 @@
+Files:
+run-in-sandbox.py:
+ adds the run in sandbox extension to nautilus
+ copy to .nautilus/python-extensions
+ yum install nautilus-python
+
+sandbox:
+ adds support for file checking, This was working I don't know why it didn't at that presentation
+ adds support for file relabeling, This is/was also working.
+
+basicwrapper:
+ This is pretty much the most basic condor wrapper you can create, it requires the -f option in sandbox. Also I can't make this work, maybe the grid team will have more luck.
+
+Other:
+Xguest Live cd:
+ There's a tutorial on live cds here: http://www.ibm.com/developerworks/library/l-fedora-livecd/index.html?ca=dgr-lnxw16FedoraLiveCD
+ It looks like David Zeuthen is head guy in the live cd department, he might be worth talking to.
+
+System-config-selinux:
+ wiki: fedorahosted.org/system-config-selinux
+ realeases: fedorahosted.org/releases/s/y/system-config-selinux/ includes a spec,srpm, and tarball of current version
+ The project is technically owned by Roman Rakus (rrakus@redhat.com) I've sent him an email asking him to make you a git contributor.
+ I'll continue making updates to this and make sure it gets into the repos.
+
+Assuming I don't get to keep my RedHat email you can contact me:
+email: chris.pardy@gmail.com
+phone: 1-207-838-7119
+
+I'll probably continue to be on the #fedora-selinux and #selinux irc channels
+
+Thanks for a great summer.
+Chris Pardy
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.74/sandbox/deliverables/run-in-sandbox.py
--- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.74/sandbox/deliverables/run-in-sandbox.py 2009-08-14 10:25:38.000000000 -0400
@@ -0,0 +1,49 @@
+import os
+import os.path
+import urllib
+
+import nautilus
+import gtk
+import gconf
+
+class RunInSandboxExtension(nautilus.MenuProvider):
+ def __init__(self):
+ self.client = gconf.client_get_default()
+
+ def sandbox_init(self,file,path):
+ if os.path.basename(path).endswith('.desktop'):
+ import re
+ f = open(path,'r')
+ for i in f.readlines():
+ m = re.match(r'Exec=(?P<name>\S+)',i)
+ if m:
+ path = m.group('name')
+ f.close()
+ break
+ os.system('/usr/bin/sandbox -X %s &' % path)
+
+ def get_file_items(self, window, files):
+ if len(files) != 1:
+ return
+
+ file = files[0]
+
+ if file.is_directory():
+ return
+
+ if file.get_uri_scheme() != 'file':
+ return
+
+ path = file.get_uri().replace('file://','',1)
+ if not os.access(path,os.X_OK):
+ return
+
+ path = os.path.realpath(path)
+
+ item = nautilus.MenuItem('NautilusPython::openterminal_file_items','Run In Sandbox','Run %s in Sandbox' % file.get_name())
+ item.connect('activate',self.sandbox_init,path)
+ return item,
+
+ def get_background_items(self, window, file):
+ return
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.74/sandbox/deliverables/sandbox
--- nsapolicycoreutils/sandbox/deliverables/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.74/sandbox/deliverables/sandbox 2009-08-14 10:22:47.000000000 -0400
@@ -0,0 +1,216 @@
+#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl, shutil
+import selinux
+
+PROGNAME = "policycoreutils"
+
+import gettext
+gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+gettext.textdomain(PROGNAME)
+
+try:
+ gettext.install(PROGNAME,
+ localedir = "/usr/share/locale",
+ unicode=False,
+ codeset = 'utf-8')
+except IOError:
+ import __builtin__
+ __builtin__.__dict__['_'] = unicode
+
+
+DEFAULT_TYPE = "sandbox_t"
+DEFAULT_X_TYPE = "sandbox_x_t"
+
+X_FILES = {}
+OLD_FCONTEXTS = {}
+
+random.seed(None)
+
+def error_exit(msg):
+ sys.stderr.write("%s: " % sys.argv[0])
+ sys.stderr.write("%s\n" % msg)
+ sys.stderr.flush()
+ sys.exit(1)
+
+def reserve(mcs):
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ sock.bind("\0%s" % mcs)
+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
+
+def gen_context(setype):
+ while True:
+ i1 = random.randrange(0, 1024)
+ i2 = random.randrange(0, 1024)
+ if i1 == i2:
+ continue
+ if i1 > i2:
+ tmp = i1
+ i1 = i2
+ i2 = tmp
+ mcs = "s0:c%d,c%d" % (i1, i2)
+ reserve(mcs)
+ try:
+ reserve(mcs)
+ except:
+ continue
+ break
+ con = selinux.getcon()[1].split(":")
+
+ execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, mcs)
+
+ filecon = "%s:%s:%s:%s" % (con[0],
+ "object_r",
+ "%s_file_t" % setype[:-2],
+ mcs)
+ return execcon, filecon
+
+def copyfile(file, dir, dest):
+ import re
+ if file.startswith(dir):
+ dname = os.path.dirname(file)
+ bname = os.path.basename(file)
+ if dname == dir:
+ dest = dest + "/" + bname
+ else:
+ newdir = re.sub(dir, dest, dname)
+ os.makedirs(newdir)
+ dest = newdir + "/" + bname
+
+ if os.path.isdir(file):
+ shutil.copytree(file, dest)
+ else:
+ shutil.copy2(file, dest)
+ X_FILES[dest] = os.path.getmtime(dest)
+
+def copyfiles(newhomedir, newtmpdir, files):
+ import pwd
+ homedir=pwd.getpwuid(os.getuid()).pw_dir
+
+ for f in files:
+ copyfile(f,homedir, newhomedir)
+ copyfile(f,"/tmp", newtmpdir)
+
+def uncopyfile(newhomedir,file):
+ import pwd
+ homedir=pwd.getpwuid(os.getuid()).pw_dir
+ copyfile(file,newhomedir,homedir)
+
+if __name__ == '__main__':
+ if selinux.is_selinux_enabled() != 1:
+ error_exit("Requires an SELinux enabled system")
+
+ init_files = []
+
+ def usage(message = ""):
+ text = _("""
+sandbox [-h] [-I includefile ] [[-i file ] ...] [[-f file] ...][ -t type ] command
+""")
+ error_exit("%s\n%s" % (message, text))
+
+ setype = DEFAULT_TYPE
+ X_ind = False
+ try:
+ gopts, cmds = getopt.getopt(sys.argv[1:], "i:ht:XI:f:",
+ ["help",
+ "include=",
+ "includefile=",
+ "type="
+ "file="
+ ])
+ for o, a in gopts:
+ if o == "-t" or o == "--type":
+ setype = a
+
+ if o == "-i" or o == "--include":
+ rp = os.path.realpath(a)
+ if rp not in init_files:
+ init_files.append(rp)
+
+ if o == "-f" or o == "--file":
+ rp = os.path.realpath(a)
+ OLD_FCONTEXTS[a] = selinux.getfilecon(rp)[1]
+
+ if o == "-I" or o == "--includefile":
+ fd = open(a, "r")
+ for i in fd.read().split("\n"):
+ if os.path.exists(i):
+ rp = os.path.realpath(i)
+ if rp not in init_files:
+ init_files.append(rp)
+
+ fd.close
+
+ if o == "-X":
+ if DEFAULT_TYPE == setype:
+ setype = DEFAULT_X_TYPE
+ X_ind = True
+
+ if o == "-h" or o == "--help":
+ usage(_("Usage"));
+
+ if len(cmds) == 0:
+ usage(_("Command required"))
+
+ execcon, filecon = gen_context(setype)
+ rc = -1
+
+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
+ for i in os.environ["PATH"].split(':'):
+ f = "%s/%s" % (i, cmds[0])
+ if os.access(f, os.X_OK):
+ cmds[0] = f
+ break
+
+ try:
+ if X_ind:
+ import warnings
+ warnings.simplefilter("ignore")
+ newhomedir = os.tempnam(".", ".sandbox%s")
+ os.mkdir(newhomedir)
+ selinux.setfilecon(newhomedir, filecon)
+ newtmpdir = os.tempnam("/tmp", ".sandbox")
+ os.mkdir(newtmpdir)
+ selinux.setfilecon(newtmpdir, filecon)
+ warnings.resetwarnings()
+ copyfiles(newhomedir, newtmpdir, init_files + cmds)
+ execfile = newhomedir + "/.sandboxrc"
+ fd = open(execfile, "w+")
+ fd.write("""#! /bin/sh
+%s
+""" % " ".join(cmds))
+ fd.close()
+ os.chmod(execfile, 0700)
+
+ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split()
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ for i in X_FILES.keys():
+ if os.path.getmtime(i) > X_FILES[i]:
+ yn = raw_input("do you want to save your changes to the file %s (Y/N): " % os.path.basename(i)).lower()
+ if yn.startswith('y'):
+ uncopyfile(newhomedir,i)
+ else:
+ for i in OLD_FCONTEXTS.keys():
+ selinux.setfilecon(i,filecon)
+ selinux.setexeccon(execcon)
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(None)
+ for i in OLD_FCONTEXTS.keys():
+ selinux.setfilecon(i,OLD_FCONTEXTS[i])
+ finally:
+ if X_ind:
+ shutil.rmtree(newhomedir)
+ shutil.rmtree(newtmpdir)
+
+ except getopt.GetoptError, error:
+ usage(_("Options Error %s ") % error.msg)
+ except OSError, error:
+ error_exit(error.args[1])
+ except ValueError, error:
+ error_exit(error.args[0])
+ except KeyError, error:
+ error_exit(_("Invalid value %s") % error.args[0])
+ except IOError, error:
+ error_exit(error.args[1])
+
+ sys.exit(rc)
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.74/sandbox/Makefile
--- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.74/sandbox/Makefile 2009-09-20 21:26:36.000000000 -0400
@ -1232,8 +1548,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+relabel:
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.74/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.74/sandbox/sandbox 2009-09-23 11:24:57.000000000 -0400
@@ -0,0 +1,222 @@
+++ policycoreutils-2.0.74/sandbox/sandbox 2009-10-06 11:48:36.000000000 -0400
@@ -0,0 +1,242 @@
+#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl, shutil
+import selinux
@ -1257,11 +1573,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+
+DEFAULT_TYPE = "sandbox_t"
+DEFAULT_X_TYPE = "sandbox_x_t"
+X_FILES = {}
+
+random.seed(None)
+
+def sighandler(signum, frame):
+ print "exiting on signal %s" % signum
+ signal.signal(signum, signal.SIG_IGN)
+ os.kill(0, signum)
+ raise KeyboardInterrupt
@ -1325,6 +1641,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ shutil.copytree(file, dest)
+ else:
+ shutil.copy2(file, dest)
+ X_FILES[file] = (dest, os.path.getmtime(dest))
+
+def copyfiles(newhomedir, newtmpdir, files):
+ import pwd
@ -1333,6 +1650,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+ copyfile(f,homedir, newhomedir)
+ copyfile(f,"/tmp", newtmpdir)
+
+def savefile(new, orig):
+ import gtk
+ dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
+ gtk.BUTTONS_YES_NO,
+ _("Do you want to save changes to '%s' (Y/N): ") % orig)
+ dlg.set_title(_("Sandbox Message"))
+ dlg.set_position(gtk.WIN_POS_MOUSE)
+ dlg.show_all()
+ rc = dlg.run()
+ dlg.destroy()
+ if rc == gtk.RESPONSE_YES:
+ shutil.copy2(new,orig)
+
+if __name__ == '__main__':
+ setup_sighandlers()
+ if selinux.is_selinux_enabled() != 1:
@ -1430,6 +1760,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po
+
+ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split()
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ for i in paths:
+ if i not in X_FILES:
+ continue
+ (dest, mtime) = X_FILES[i]
+ if os.path.getmtime(dest) > mtime:
+ savefile(dest, i)
+ else:
+ selinux.setexeccon(execcon)
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
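Review bot: `os.system('/usr/bin/sandbox -X %s &' % path)` in the added run-in-sandbox.py interpolates an unescaped path into a shell command line, so a file name containing shell metacharacters, or the `Exec=` value read out of a `.desktop` file, is interpreted by the shell instead of reaching sandbox as one argument; `subprocess.Popen(['/usr/bin/sandbox', '-X', path])` keeps it a single argv element and needs no trailing `&`. In the same function the file is only closed when an `Exec=` line matches, so `f.close()` should run unconditionally after the loop. Separately, in deliverables/sandbox the long-option list `"type=" "file="` is missing a comma and registers one `type=file=` option instead of `--type` and `--file`, and `fd.close` is a bare attribute reference that never closes the include file. These files sit under sandbox/deliverables and may be reference material rather than shipped code; the spec hunk does not show whether they are installed. In sandbox/sandbox, `savefile` copies `dest` back over `orig` on an mtime comparison alone, and since the sandboxed process controls `dest`, `shutil.copy2` would follow a symlink placed there — checking `os.path.isfile(dest) and not os.path.islink(dest)` before the copy would be prudent.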


@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.74
Release: 7%{?dist}
Release: 8%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -296,11 +296,16 @@ fi
exit 0
%changelog
* Thu Oct 6 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-8
- Add check to sandbox to verify save changes - Chris Pardy
- Fix memory leak in restorecond - Steve Grubb
* Thu Oct 1 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-7
- Fixes Templates
* Thu Oct 1 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-6
- Fixes for polgengui to handle tcp ports correctly
- Fix semanage node -a
* Wed Sep 30 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-5
- Fixes for semanage -equiv, readded modules, --enable, --disable