From e764b2d2b6a3e130213792df2a3ab364d3173e7b Mon Sep 17 00:00:00 2001 From: Dan Walsh Date: Fri, 21 Jan 2011 15:11:31 -0500 Subject: [PATCH] - Fix newrole hanlding of pcap --- policycoreutils-rhat.patch | 1157 ++++++++++++++++++++++++++++++++++++ policycoreutils.spec | 5 +- 2 files changed, 1161 insertions(+), 1 deletion(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index d1f0a4d..424cfbd 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -288,6 +288,34 @@ index 03f95a1..5986b23 100644 if_set.to_file(f) f.close() +diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c +index 2d31d64..e985289 100644 +--- a/policycoreutils/newrole/newrole.c ++++ b/policycoreutils/newrole/newrole.c +@@ -586,7 +586,7 @@ static int drop_capabilities(int full) + return -1; + } + if (! full) +- capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE); ++ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP ); + return capng_apply(CAPNG_SELECT_BOTH); + } + +@@ -1030,8 +1030,13 @@ int main(int argc, char *argv[]) + * if it makes sense to continue to run newrole, and setting up + * a scrubbed environment. + */ +- if (drop_capabilities(FALSE)) ++ ++/* if (drop_capabilities(FALSE)) { ++ fprintf(stderr, _("Sorry, newrole failed to drop capabilities\n")); ++ perror(""); + return -1; ++ } ++*/ + if (set_signal_handles()) + return -1; + diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile index 3f235e6..7552668 100644 --- a/policycoreutils/restorecond/Makefile @@ -338,6 +366,15 @@ index 3f235e6..7552668 100644 relabel: install /sbin/restorecon $(SBINDIR)/restorecond +diff --git a/policycoreutils/restorecond/org.selinux.Restorecond.service b/policycoreutils/restorecond/org.selinux.Restorecond.service +new file mode 100644 +index 0000000..0ef5f0b +--- /dev/null ++++ b/policycoreutils/restorecond/org.selinux.Restorecond.service +@@ -0,0 +1,3 @@ ++[D-BUS Service] ++Name=org.selinux.Restorecond ++Exec=/usr/sbin/restorecond -u diff --git a/policycoreutils/restorecond/restorecond.8 b/policycoreutils/restorecond/restorecond.8 index b149dcb..0c14c94 100644 --- a/policycoreutils/restorecond/restorecond.8 @@ -896,6 +933,19 @@ index 3fc9376..58b723a 100644 /root/.ssh/* - - +diff --git a/policycoreutils/restorecond/restorecond.desktop b/policycoreutils/restorecond/restorecond.desktop +new file mode 100644 +index 0000000..23ff89d +--- /dev/null ++++ b/policycoreutils/restorecond/restorecond.desktop +@@ -0,0 +1,7 @@ ++[Desktop Entry] ++Name=File Context maintainer ++Exec=/usr/sbin/restorecond -u ++Comment=Fix file context in owned by the user ++Encoding=UTF-8 ++Type=Application ++StartupNotify=false diff --git a/policycoreutils/restorecond/restorecond.h b/policycoreutils/restorecond/restorecond.h index e1666bf..8c85ef0 100644 --- a/policycoreutils/restorecond/restorecond.h @@ -957,6 +1007,264 @@ index b966db6..775c52b 100644 exit $RETVAL - +diff --git a/policycoreutils/restorecond/restorecond_user.conf b/policycoreutils/restorecond/restorecond_user.conf +new file mode 100644 +index 0000000..f88a29a +--- /dev/null ++++ b/policycoreutils/restorecond/restorecond_user.conf +@@ -0,0 +1,7 @@ ++~/* ++~/public_html/* ++~/.gnome2/* ++~/local/* ++~/.fonts/* ++~/.cache/* ++ +diff --git a/policycoreutils/restorecond/user.c b/policycoreutils/restorecond/user.c +new file mode 100644 +index 0000000..272479a +--- /dev/null ++++ b/policycoreutils/restorecond/user.c +@@ -0,0 +1,239 @@ ++/* ++ * restorecond ++ * ++ * Copyright (C) 2006-2009 Red Hat ++ * see file 'COPYING' for use and warranty information ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License as ++ * published by the Free Software Foundation; either version 2 of ++ * the License, or (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++.* ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA ++ * 02111-1307 USA ++ * ++ * Authors: ++ * Dan Walsh ++ * ++*/ ++ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#include "restorecond.h" ++#include "stringslist.h" ++#include ++#ifdef HAVE_DBUS ++#include ++#include ++#include ++ ++static DBusHandlerResult signal_filter (DBusConnection *connection, DBusMessage *message, void *user_data); ++ ++static const char *PATH="/org/selinux/Restorecond"; ++//static const char *BUSNAME="org.selinux.Restorecond"; ++static const char *INTERFACE="org.selinux.RestorecondIface"; ++static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'"; ++ ++ ++static DBusHandlerResult ++signal_filter (DBusConnection *connection __attribute__ ((__unused__)), DBusMessage *message, void *user_data) ++{ ++ /* User data is the event loop we are running in */ ++ GMainLoop *loop = user_data; ++ ++ /* A signal from the bus saying we are about to be disconnected */ ++ if (dbus_message_is_signal ++ (message, INTERFACE, "Stop")) { ++ ++ /* Tell the main loop to quit */ ++ g_main_loop_quit (loop); ++ /* We have handled this message, don't pass it on */ ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } ++ /* A Ping signal on the com.burtonini.dbus.Signal interface */ ++ else if (dbus_message_is_signal (message, INTERFACE, "Start")) { ++ DBusError error; ++ dbus_error_init (&error); ++ g_print("Start received\n"); ++ return DBUS_HANDLER_RESULT_HANDLED; ++ } ++ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; ++} ++ ++static int dbus_server(GMainLoop *loop) { ++ DBusConnection *bus; ++ DBusError error; ++ dbus_error_init (&error); ++ bus = dbus_bus_get (DBUS_BUS_SESSION, &error); ++ if (bus) { ++ dbus_connection_setup_with_g_main (bus, NULL); ++ ++ /* listening to messages from all objects as no path is specified */ ++ dbus_bus_add_match (bus, RULE, &error); // see signals from the given interfacey ++ dbus_connection_add_filter (bus, signal_filter, loop, NULL); ++ return 0; ++ } ++ return -1; ++} ++ ++#endif ++#include ++#include ++ ++/* size of the event structure, not counting name */ ++#define EVENT_SIZE (sizeof (struct inotify_event)) ++/* reasonable guess as to size of 1024 events */ ++#define BUF_LEN (1024 * (EVENT_SIZE + 16)) ++ ++static gboolean ++io_channel_callback ++ (GIOChannel *source, ++ GIOCondition condition, ++ gpointer data __attribute__((__unused__))) ++{ ++ ++ char buffer[BUF_LEN+1]; ++ gsize bytes_read; ++ unsigned int i = 0; ++ ++ if (condition & G_IO_IN) { ++ /* Data is available. */ ++ g_io_channel_read ++ (source, buffer, ++ sizeof (buffer), ++ &bytes_read); ++ ++ while (i < bytes_read) { ++ struct inotify_event *event; ++ event = (struct inotify_event *)&buffer[i]; ++ if (debug_mode) ++ printf("wd=%d mask=%u cookie=%u len=%u\n", ++ event->wd, event->mask, ++ event->cookie, event->len); ++ if (event->len) ++ watch_list_find(event->wd, event->name); ++ ++ i += EVENT_SIZE + event->len; ++ } ++ } ++ ++ /* An error happened while reading ++ the file. */ ++ ++ if (condition & G_IO_NVAL) ++ return FALSE; ++ ++ /* We have reached the end of the ++ file. */ ++ ++ if (condition & G_IO_HUP) { ++ g_io_channel_close (source); ++ return FALSE; ++ } ++ ++ /* Returning TRUE will make sure ++ the callback remains associated ++ to the channel. */ ++ ++ return TRUE; ++} ++ ++int start() { ++#ifdef HAVE_DBUS ++ DBusConnection *bus; ++ DBusError error; ++ DBusMessage *message; ++ ++ /* Get a connection to the session bus */ ++ dbus_error_init (&error); ++ bus = dbus_bus_get (DBUS_BUS_SESSION, &error); ++ if (!bus) { ++ if (debug_mode) ++ g_warning ("Failed to connect to the D-BUS daemon: %s", error.message); ++ dbus_error_free (&error); ++ return 1; ++ } ++ ++ ++ /* Create a new signal "Start" on the interface, ++ * from the object */ ++ message = dbus_message_new_signal (PATH, ++ INTERFACE, "Start"); ++ /* Send the signal */ ++ dbus_connection_send (bus, message, NULL); ++ /* Free the signal now we have finished with it */ ++ dbus_message_unref (message); ++#endif /* HAVE_DBUS */ ++ return 0; ++} ++ ++static int local_server() { ++ // ! dbus, run as local service ++ char *ptr=NULL; ++ asprintf(&ptr, "%s/.restorecond", homedir); ++ int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW, S_IRUSR | S_IWUSR); ++ if (debug_mode) ++ g_warning ("Lock file: %s", ptr); ++ ++ free(ptr); ++ if (fd < 0) { ++ if (debug_mode) ++ perror("open"); ++ return -1; ++ } ++ if (flock(fd, LOCK_EX | LOCK_NB) < 0) { ++ if (debug_mode) ++ perror("flock"); ++ return -1; ++ } ++ return 0; ++} ++ ++int server(int master_fd, const char *watch_file) { ++ GMainLoop *loop; ++ ++ loop = g_main_loop_new (NULL, FALSE); ++ ++#ifdef HAVE_DBUS ++ if (dbus_server(loop) != 0) ++#endif /* HAVE_DBUS */ ++ if (local_server(loop) != 0) ++ return 0; ++ ++ read_config(master_fd, watch_file); ++ ++ if (watch_list_isempty()) return 0; ++ ++ set_matchpathcon_flags(MATCHPATHCON_NOTRANS); ++ ++ GIOChannel *c = g_io_channel_unix_new(master_fd); ++ ++ g_io_add_watch_full( c, ++ G_PRIORITY_HIGH, ++ G_IO_IN|G_IO_ERR|G_IO_HUP, ++ io_channel_callback, NULL, NULL); ++ ++ g_main_loop_run (loop); ++ return 0; ++} ++ diff --git a/policycoreutils/restorecond/utmpwatcher.c b/policycoreutils/restorecond/utmpwatcher.c index f182c22..feddb5a 100644 --- a/policycoreutils/restorecond/utmpwatcher.c @@ -971,6 +1279,282 @@ index f182c22..feddb5a 100644 strings_list_free(prev_utmp_ptr); } return changed; +diff --git a/policycoreutils/restorecond/watch.c b/policycoreutils/restorecond/watch.c +new file mode 100644 +index 0000000..c0caab2 +--- /dev/null ++++ b/policycoreutils/restorecond/watch.c +@@ -0,0 +1,270 @@ ++#define _GNU_SOURCE ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "../setfiles/restore.h" ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "restorecond.h" ++#include "stringslist.h" ++#include "utmpwatcher.h" ++ ++/* size of the event structure, not counting name */ ++#define EVENT_SIZE (sizeof (struct inotify_event)) ++/* reasonable guess as to size of 1024 events */ ++#define BUF_LEN (1024 * (EVENT_SIZE + 16)) ++ ++ ++struct watchList { ++ struct watchList *next; ++ int wd; ++ char *dir; ++ struct stringsList *files; ++}; ++struct watchList *firstDir = NULL; ++ ++int watch_list_isempty() { ++ return firstDir == NULL; ++} ++ ++void watch_list_add(int fd, const char *path) ++{ ++ struct watchList *ptr = NULL; ++ size_t i = 0; ++ struct watchList *prev = NULL; ++ glob_t globbuf; ++ char *x = strdup(path); ++ if (!x) exitApp("Out of Memory"); ++ char *file = basename(x); ++ char *dir = dirname(x); ++ ptr = firstDir; ++ ++ if (exclude(path)) return; ++ ++ globbuf.gl_offs = 1; ++ if (glob(path, ++ GLOB_TILDE | GLOB_PERIOD, ++ NULL, ++ &globbuf) >= 0) { ++ for (i=0; i < globbuf.gl_pathc; i++) { ++ int len = strlen(globbuf.gl_pathv[i]) -2; ++ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0) continue; ++ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) continue; ++ if (process_one_realpath(globbuf.gl_pathv[i], 0) > 0) ++ process_one_realpath(globbuf.gl_pathv[i], 1); ++ } ++ globfree(&globbuf); ++ } ++ ++ while (ptr != NULL) { ++ if (strcmp(dir, ptr->dir) == 0) { ++ strings_list_add(&ptr->files, file); ++ free(x); ++ return; ++ } ++ prev = ptr; ++ ptr = ptr->next; ++ } ++ ptr = calloc(1, sizeof(struct watchList)); ++ ++ if (!ptr) exitApp("Out of Memory"); ++ ++ ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO); ++ if (ptr->wd == -1) { ++ free(ptr); ++ free(x); ++ if (! run_as_user) ++ syslog(LOG_ERR, "Unable to watch (%s) %s\n", ++ path, strerror(errno)); ++ return; ++ } ++ ++ ptr->dir = strdup(dir); ++ if (!ptr->dir) ++ exitApp("Out of Memory"); ++ ++ strings_list_add(&ptr->files, file); ++ if (prev) ++ prev->next = ptr; ++ else ++ firstDir = ptr; ++ ++ if (debug_mode) ++ printf("%d: Dir=%s, File=%s\n", ptr->wd, ptr->dir, file); ++ ++ free(x); ++} ++ ++/* ++ A file was in a direcroty has been created. This function checks to ++ see if it is one that we are watching. ++*/ ++ ++int watch_list_find(int wd, const char *file) ++{ ++ struct watchList *ptr = NULL; ++ ptr = firstDir; ++ if (debug_mode) ++ printf("%d: File=%s\n", wd, file); ++ while (ptr != NULL) { ++ if (ptr->wd == wd) { ++ int exact=0; ++ if (strings_list_find(ptr->files, file, &exact) == 0) { ++ char *path = NULL; ++ if (asprintf(&path, "%s/%s", ptr->dir, file) < ++ 0) ++ exitApp("Error allocating memory."); ++ ++ process_one_realpath(path, 0); ++ free(path); ++ return 0; ++ } ++ if (debug_mode) ++ strings_list_print(ptr->files); ++ ++ /* Not found in this directory */ ++ return -1; ++ } ++ ptr = ptr->next; ++ } ++ /* Did not find a directory */ ++ return -1; ++} ++ ++void watch_list_free(int fd) ++{ ++ struct watchList *ptr = NULL; ++ struct watchList *prev = NULL; ++ ptr = firstDir; ++ ++ while (ptr != NULL) { ++ inotify_rm_watch(fd, ptr->wd); ++ strings_list_free(ptr->files); ++ free(ptr->dir); ++ prev = ptr; ++ ptr = ptr->next; ++ free(prev); ++ } ++ firstDir = NULL; ++} ++ ++/* ++ Inotify watch loop ++*/ ++int watch(int fd, const char *watch_file) ++{ ++ char buf[BUF_LEN]; ++ int len, i = 0; ++ if (firstDir == NULL) return 0; ++ ++ len = read(fd, buf, BUF_LEN); ++ if (len < 0) { ++ if (terminate == 0) { ++ syslog(LOG_ERR, "Read error (%s)", strerror(errno)); ++ return 0; ++ } ++ syslog(LOG_ERR, "terminated"); ++ return -1; ++ } else if (!len) ++ /* BUF_LEN too small? */ ++ return -1; ++ while (i < len) { ++ struct inotify_event *event; ++ event = (struct inotify_event *)&buf[i]; ++ if (debug_mode) ++ printf("wd=%d mask=%u cookie=%u len=%u\n", ++ event->wd, event->mask, ++ event->cookie, event->len); ++ if (event->wd == master_wd) ++ read_config(fd, watch_file); ++ else { ++ switch (utmpwatcher_handle(fd, event->wd)) { ++ case -1: /* Message was not for utmpwatcher */ ++ if (event->len) ++ watch_list_find(event->wd, event->name); ++ break; ++ case 1: /* utmp has changed need to reload */ ++ read_config(fd, watch_file); ++ break; ++ ++ default: /* No users logged in or out */ ++ break; ++ } ++ } ++ ++ i += EVENT_SIZE + event->len; ++ } ++ return 0; ++} ++ ++static void process_config(int fd, FILE * cfg) ++{ ++ char *line_buf = NULL; ++ size_t len = 0; ++ ++ while (getline(&line_buf, &len, cfg) > 0) { ++ char *buffer = line_buf; ++ while (isspace(*buffer)) ++ buffer++; ++ if (buffer[0] == '#') ++ continue; ++ int l = strlen(buffer) - 1; ++ if (l <= 0) ++ continue; ++ buffer[l] = 0; ++ if (buffer[0] == '~') { ++ if (run_as_user) { ++ char *ptr=NULL; ++ asprintf(&ptr, "%s%s", homedir, &buffer[1]); ++ watch_list_add(fd, ptr); ++ free(ptr); ++ } else { ++ utmpwatcher_add(fd, &buffer[1]); ++ } ++ } else { ++ watch_list_add(fd, buffer); ++ } ++ } ++ free(line_buf); ++} ++ ++/* ++ Read config file ignoring Comment lines ++ Files specified one per line. Files with "~" will be expanded to the logged in users ++ homedirs. ++*/ ++ ++void read_config(int fd, const char *watch_file_path) ++{ ++ ++ FILE *cfg = NULL; ++ if (debug_mode) ++ printf("Read Config\n"); ++ ++ watch_list_free(fd); ++ ++ cfg = fopen(watch_file_path, "r"); ++ if (!cfg){ ++ perror(watch_file_path); ++ exitApp("Error reading config file"); ++ } ++ process_config(fd, cfg); ++ fclose(cfg); ++ ++ inotify_rm_watch(fd, master_wd); ++ master_wd = ++ inotify_add_watch(fd, watch_file_path, IN_MOVED_FROM | IN_MODIFY); ++ if (master_wd == -1) ++ exitApp("Error watching config file."); ++} diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile index ff0ee7c..0c8a085 100644 --- a/policycoreutils/sandbox/Makefile @@ -1303,6 +1887,65 @@ index 1479364..73d33b3 100644 +.I Dan Walsh +and +.I Thomas Liu +diff --git a/policycoreutils/sandbox/sandbox.conf b/policycoreutils/sandbox/sandbox.conf +new file mode 100644 +index 0000000..7c35808 +--- /dev/null ++++ b/policycoreutils/sandbox/sandbox.conf +@@ -0,0 +1,7 @@ ++# Space separate list of homedirs ++HOMEDIRS="/home" ++# Control group configuration ++NAME=sandbox ++CPUAFFINITY=ALL ++MEMUSAGE=80% ++CPUUSAGE=80% +diff --git a/policycoreutils/sandbox/sandbox.conf.5 b/policycoreutils/sandbox/sandbox.conf.5 +new file mode 100644 +index 0000000..ee97e10 +--- /dev/null ++++ b/policycoreutils/sandbox/sandbox.conf.5 +@@ -0,0 +1,40 @@ ++.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration" ++.SH NAME ++sandbox.conf \- user config file for the SELinux sandbox ++.SH DESCRIPTION ++.PP ++When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined. ++ ++.PP ++Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("="). ++ ++.PP ++These keywords are allowed. ++ ++.RS ++.TP ++.B NAME ++The name of the sandbox control group. Default is "sandbox". ++ ++.TP ++.B CPUAFFINITY ++Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5 ++ ++.TP ++.B MEMUSAGE ++How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M ++ ++.TP ++.B CPUUSAGE ++Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50% ++ ++ ++ ++.SH "SEE ALSO" ++.TP ++sandbox(8) ++.PP ++ ++.SH AUTHOR ++This manual page was written by ++.I Thomas Liu diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init index ff8b3ef..8508647 100644 --- a/policycoreutils/sandbox/sandbox.init @@ -1356,6 +1999,49 @@ index 8338203..e501b03 100644 export EXITCODE=$? kill -HUP 0 break +diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8 +new file mode 100644 +index 0000000..e7b8991 +--- /dev/null ++++ b/policycoreutils/sandbox/seunshare.8 +@@ -0,0 +1,37 @@ ++.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands" ++.SH NAME ++seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context ++.SH SYNOPSIS ++.B seunshare ++[ -v ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args] ++.br ++.SH DESCRIPTION ++.PP ++Run the ++.I executable ++within the specified context, using the alternate home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context. ++ ++.TP ++\fB\-h homedir\fR ++Alternate homedir to be used by the application. Homedir must be owned by the user. ++.TP ++\fB\-t\ tmpdir ++Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user. ++.TP ++\fB\-c cgroups\fR ++Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. ++.TP ++\fB\-Z\ context ++Use alternate SELinux context while runing the executable. ++.TP ++\fB\-v\fR ++Verbose output ++.SH "SEE ALSO" ++.TP ++runcon(1), sandbox(8), selinux(8) ++.PP ++.SH AUTHOR ++This manual page was written by ++.I Dan Walsh ++and ++.I Thomas Liu diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c index ec692e7..de694ad 100644 --- a/policycoreutils/sandbox/seunshare.c @@ -1810,6 +2496,21 @@ index ec692e7..de694ad 100644 - return status; } +diff --git a/policycoreutils/sandbox/start b/policycoreutils/sandbox/start +new file mode 100644 +index 0000000..52950d7 +--- /dev/null ++++ b/policycoreutils/sandbox/start +@@ -0,0 +1,9 @@ ++#! /usr/bin/python -Es ++import gtk, commands, sys ++rc = [-1,''] ++try: ++ rc=commands.getstatusoutput(sys.argv[1]) ++except: ++ pass ++if rc[0] == 0: ++ print rc[1] diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile index 53b65b6..cc75a96 100644 --- a/policycoreutils/scripts/Makefile @@ -1935,6 +2636,195 @@ index ae519fc..0890811 100755 restore } +diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8 +new file mode 100644 +index 0000000..6331660 +--- /dev/null ++++ b/policycoreutils/scripts/genhomedircon.8 +@@ -0,0 +1,37 @@ ++.\" Hey, Emacs! This is an -*- nroff -*- source file. ++.\" Copyright (c) 2010 Dan Walsh ++.\" ++.\" This is free documentation; you can redistribute it and/or ++.\" modify it under the terms of the GNU General Public License as ++.\" published by the Free Software Foundation; either version 2 of ++.\" the License, or (at your option) any later version. ++.\" ++.\" The GNU General Public License's references to "object code" ++.\" and "executables" are to be interpreted as the output of any ++.\" document formatting or typesetting system, including ++.\" intermediate and printed output. ++.\" ++.\" This manual is distributed in the hope that it will be useful, ++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of ++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++.\" GNU General Public License for more details. ++.\" ++.\" You should have received a copy of the GNU General Public ++.\" License along with this manual; if not, write to the Free ++.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, ++.\" USA. ++.\" ++.\" ++.TH GENHOMEDIRCON "8" "May 2010" "Security Enhanced Linux" "SELinux" ++.SH NAME ++genhomedircon \- generate SELinux file context configuration entries for user home directories ++.SH SYNOPSIS ++.B genhomedircon ++is a script that executes semodule to rebuild policy and create the ++labels for HOMEDIRS based on home directories returned by the getpw calls. ++ ++This functionality is enabled via the usepasswd flag in /etc/selinux/semanage.conf. ++ ++.SH AUTHOR ++This manual page was written by ++.I Dan Walsh +diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile +new file mode 100644 +index 0000000..176b11f +--- /dev/null ++++ b/policycoreutils/semanage/default_encoding/Makefile +@@ -0,0 +1,8 @@ ++all: ++ LDFLAGS="" python setup.py build ++ ++install: all ++ LDFLAGS="" python setup.py install --root=$(DESTDIR)/ ++ ++clean: ++ rm -rf build *~ +diff --git a/policycoreutils/semanage/default_encoding/default_encoding.c b/policycoreutils/semanage/default_encoding/default_encoding.c +new file mode 100644 +index 0000000..c3cdd4e +--- /dev/null ++++ b/policycoreutils/semanage/default_encoding/default_encoding.c +@@ -0,0 +1,59 @@ ++/* ++ * Authors: ++ * John Dennis ++ * ++ * Copyright (C) 2009 Red Hat ++ * see file 'COPYING' for use and warranty information ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License as ++ * published by the Free Software Foundation. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ */ ++ ++#include ++ ++PyDoc_STRVAR(setdefaultencoding_doc, ++"setdefaultencoding(encoding='utf-8')\n\ ++\n\ ++Set the current default string encoding used by the Unicode implementation.\n\ ++Defaults to utf-8." ++); ++ ++static PyObject * ++setdefaultencoding(PyObject *self, PyObject *args, PyObject *kwds) ++{ ++ static char *kwlist[] = {"utf-8", NULL}; ++ char *encoding; ++ ++ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s:setdefaultencoding", kwlist, &encoding)) ++ return NULL; ++ ++ if (PyUnicode_SetDefaultEncoding(encoding)) ++ return NULL; ++ ++ Py_RETURN_NONE; ++} ++ ++static PyMethodDef methods[] = { ++ {"setdefaultencoding", (PyCFunction)setdefaultencoding, METH_VARARGS|METH_KEYWORDS, setdefaultencoding_doc}, ++ {NULL, NULL} /* sentinel */ ++}; ++ ++ ++PyMODINIT_FUNC ++initdefault_encoding_utf8(void) ++{ ++ PyObject* m; ++ ++ PyUnicode_SetDefaultEncoding("utf-8"); ++ m = Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8"); ++} +diff --git a/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py +new file mode 100644 +index 0000000..ccb6b8b +--- /dev/null ++++ b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py +@@ -0,0 +1,17 @@ ++# ++# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc. ++# ++# This program is free software; you can redistribute it and/or modify ++# it under the terms of the GNU General Public License as published by ++# the Free Software Foundation; either version 2 of the License, or ++# (at your option) any later version. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++# +diff --git a/policycoreutils/semanage/default_encoding/setup.py b/policycoreutils/semanage/default_encoding/setup.py +new file mode 100644 +index 0000000..e2befdb +--- /dev/null ++++ b/policycoreutils/semanage/default_encoding/setup.py +@@ -0,0 +1,38 @@ ++# Authors: ++# John Dennis ++# ++# Copyright (C) 2009 Red Hat ++# see file 'COPYING' for use and warranty information ++# ++# This program is free software; you can redistribute it and/or ++# modify it under the terms of the GNU General Public License as ++# published by the Free Software Foundation. ++# ++# This program is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++# GNU General Public License for more details. ++# ++# You should have received a copy of the GNU General Public License ++# along with this program; if not, write to the Free Software ++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA ++ ++from distutils.core import setup, Extension ++ ++default_encoding_utf8 = Extension('policycoreutils.default_encoding_utf8', ['default_encoding.c']) ++ ++setup(name = 'policycoreutils-default-encoding', ++ version = '0.1', ++ description = 'Forces the default encoding in Python to be utf-8', ++ long_description = 'Forces the default encoding in Python to be utf-8', ++ author = 'John Dennis', ++ author_email = 'jdennis@redhat.com', ++ maintainer = 'John Dennis', ++ maintainer_email = 'jdennis@redhat.com', ++ license = 'GPLv3+', ++ platforms = 'posix', ++ url = '', ++ download_url = '', ++ ext_modules = [default_encoding_utf8], ++ packages=["policycoreutils"], ++) diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage index ffaca5b..bc989bf 100644 --- a/policycoreutils/semanage/semanage @@ -3417,6 +4307,273 @@ index b7d257b..735c1ba 100644 def list(self, heading = True, locallist = False, use_file = False): on_off = (_("off"), _("on")) if use_file: +diff --git a/policycoreutils/sepolgen-ifgen/Makefile b/policycoreutils/sepolgen-ifgen/Makefile +new file mode 100644 +index 0000000..211580d +--- /dev/null ++++ b/policycoreutils/sepolgen-ifgen/Makefile +@@ -0,0 +1,25 @@ ++# Installation directories. ++PREFIX ?= ${DESTDIR}/usr ++BINDIR ?= $(PREFIX)/bin ++LIBDIR ?= ${PREFIX}/lib ++INCLUDEDIR ?= $(PREFIX)/include ++ ++CFLAGS ?= -Wall -W ++override CFLAGS += -I$(INCLUDEDIR) ++LDLIBS = $(LIBDIR)/libsepol.a ++ ++all: sepolgen-ifgen-attr-helper ++ ++sepolgen-ifgen-attr-helper: sepolgen-ifgen-attr-helper.o ++ ++install: all ++ -mkdir -p $(BINDIR) ++ install -m 755 sepolgen-ifgen-attr-helper $(BINDIR) ++ ++clean: ++ rm -f *~ *.o sepolgen-ifgen-attr-helper ++ ++indent: ++ ../../scripts/Lindent $(wildcard *.[ch]) ++ ++relabel: ; +diff --git a/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c +new file mode 100644 +index 0000000..995b270 +--- /dev/null ++++ b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c +@@ -0,0 +1,230 @@ ++/* Authors: Frank Mayer ++ * and Karl MacMillan ++ * ++ * Copyright (C) 2003,2010 Tresys Technology, LLC ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public License as ++ * published by the Free Software Foundation, version 2. ++ * ++ * Adapted from dispol.c. ++ * ++ * This program is used by sepolgen-ifgen to get the access for all of ++ * the attributes in the policy so that it can resolve the ++ * typeattribute statements in the interfaces. ++ * ++ * It outputs the attribute access in a similar format to what sepolgen ++ * uses to store interface vectors: ++ * [Attribute sandbox_x_domain] ++ * sandbox_x_domain,samba_var_t,file,ioctl,read,getattr,lock,open ++ * sandbox_x_domain,samba_var_t,dir,getattr,search,open ++ * sandbox_x_domain,initrc_var_run_t,file,ioctl,read,getattr,lock,open ++ * ++ */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++struct val_to_name { ++ unsigned int val; ++ char *name; ++}; ++ ++static int perm_name(hashtab_key_t key, hashtab_datum_t datum, void *data) ++{ ++ struct val_to_name *v = data; ++ perm_datum_t *perdatum; ++ ++ perdatum = (perm_datum_t *) datum; ++ ++ if (v->val == perdatum->s.value) { ++ v->name = key; ++ return 1; ++ } ++ ++ return 0; ++} ++ ++int render_access_mask(uint32_t av, avtab_key_t *key, policydb_t *policydbp, ++ FILE *fp) ++{ ++ struct val_to_name v; ++ class_datum_t *cladatum; ++ char *perm = NULL; ++ unsigned int i; ++ int rc; ++ uint32_t tclass = key->target_class; ++ ++ cladatum = policydbp->class_val_to_struct[tclass - 1]; ++ for (i = 0; i < cladatum->permissions.nprim; i++) { ++ if (av & (1 << i)) { ++ v.val = i + 1; ++ rc = hashtab_map(cladatum->permissions.table, ++ perm_name, &v); ++ if (!rc && cladatum->comdatum) { ++ rc = hashtab_map(cladatum->comdatum-> ++ permissions.table, perm_name, ++ &v); ++ } ++ if (rc) ++ perm = v.name; ++ if (perm) { ++ fprintf(fp, ",%s", perm); ++ } ++ } ++ } ++ ++ return 0; ++} ++ ++static int render_key(avtab_key_t *key, policydb_t *p, FILE *fp) ++{ ++ char *stype, *ttype, *tclass; ++ stype = p->p_type_val_to_name[key->source_type - 1]; ++ ttype = p->p_type_val_to_name[key->target_type - 1]; ++ tclass = p->p_class_val_to_name[key->target_class - 1]; ++ if (stype && ttype) { ++ fprintf(fp, "%s,%s,%s", stype, ttype, tclass); ++ } else { ++ fprintf(stderr, "error rendering key\n"); ++ exit(1); ++ } ++ ++ return 0; ++} ++ ++struct callback_data ++{ ++ uint32_t attr; ++ policydb_t *policy; ++ FILE *fp; ++}; ++ ++int output_avrule(avtab_key_t *key, avtab_datum_t *datum, void *args) ++{ ++ struct callback_data *cb_data = (struct callback_data *)args; ++ ++ if (key->source_type != cb_data->attr) ++ return 0; ++ ++ if (!(key->specified & AVTAB_AV && key->specified & AVTAB_ALLOWED)) ++ return 0; ++ ++ render_key(key, cb_data->policy, cb_data->fp); ++ render_access_mask(datum->data, key, cb_data->policy, cb_data->fp); ++ fprintf(cb_data->fp, "\n"); ++ ++ return 0; ++} ++ ++static int attribute_callback(hashtab_key_t key, hashtab_datum_t datum, void *datap) ++{ ++ struct callback_data *cb_data = (struct callback_data *)datap; ++ type_datum_t *t = (type_datum_t *)datum; ++ ++ if (t->flavor == TYPE_ATTRIB) { ++ fprintf(cb_data->fp, "[Attribute %s]\n", key); ++ cb_data->attr = t->s.value; ++ if (avtab_map(&cb_data->policy->te_avtab, output_avrule, cb_data) < 0) ++ return -1; ++ if (avtab_map(&cb_data->policy->te_cond_avtab, output_avrule, cb_data) < 0) ++ return -1; ++ } ++ ++ return 0; ++} ++ ++static policydb_t *load_policy(const char *filename) ++{ ++ policydb_t *policydb; ++ struct policy_file pf; ++ FILE *fp; ++ int ret; ++ ++ fp = fopen(filename, "r"); ++ if (fp == NULL) { ++ fprintf(stderr, "Can't open '%s': %s\n", ++ filename, strerror(errno)); ++ return NULL; ++ } ++ ++ policy_file_init(&pf); ++ pf.type = PF_USE_STDIO; ++ pf.fp = fp; ++ ++ policydb = malloc(sizeof(policydb_t)); ++ if (policydb == NULL) { ++ fprintf(stderr, "Out of memory!\n"); ++ return NULL; ++ } ++ ++ if (policydb_init(policydb)) { ++ fprintf(stderr, "Out of memory!\n"); ++ return NULL; ++ } ++ ++ ret = policydb_read(policydb, &pf, 1); ++ if (ret) { ++ fprintf(stderr, ++ "error(s) encountered while parsing configuration\n"); ++ return NULL; ++ } ++ ++ fclose(fp); ++ ++ return policydb; ++ ++} ++ ++void usage(char *progname) ++{ ++ printf("usage: %s policy_file out_file\n", progname); ++} ++ ++int main(int argc, char **argv) ++{ ++ policydb_t *p; ++ struct callback_data cb_data; ++ FILE *fp; ++ ++ if (argc != 3) { ++ usage(argv[0]); ++ exit(1); ++ } ++ ++ /* Open the policy. */ ++ p = load_policy(argv[1]); ++ if (p == NULL) { ++ exit(1); ++ } ++ ++ /* Open the output policy. */ ++ fp = fopen(argv[2], "w"); ++ if (fp == NULL) { ++ fprintf(stderr, "error opening output file\n"); ++ policydb_destroy(p); ++ free(p); ++ } ++ ++ /* Find all of the attributes and output their access. */ ++ cb_data.policy = p; ++ cb_data.fp = fp; ++ ++ if (hashtab_map(p->p_types.table, attribute_callback, &cb_data)) { ++ printf("error finding attributes\n"); ++ } ++ ++ policydb_destroy(p); ++ free(p); ++ fclose(fp); ++ ++ return 0; ++} diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c index b649d8f..38416d8 100644 --- a/policycoreutils/setfiles/restore.c diff --git a/policycoreutils.spec b/policycoreutils.spec index 1b92535..7a99daf 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.85 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -329,6 +329,9 @@ fi exit 0 %changelog +* Wed Jan 21 2011 Dan Walsh 2.0.85-8 +- Fix newrole hanlding of pcap + * Wed Jan 19 2011 Dan Walsh 2.0.85-7 - Have restorecond watch more directories in homedir