From f8062d58e4b3f58692b0d374d66a195096ff27fd Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Fri, 2 Oct 2015 19:52:27 +0200 Subject: [PATCH] policycoreutils-2.4-13 - newrole: Set keepcaps around setresuid calls - newrole: Open stdin as read/write --- policycoreutils-rhat.patch | 51 +++++++++++++++++++++++++------------- policycoreutils.spec | 8 ++++-- 2 files changed, 40 insertions(+), 19 deletions(-) diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index fb81366..e6fb6db 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -2851,7 +2851,7 @@ index b863346..d994891 100644 rc = generate_gen_require_attribute(); if (rc != 0) { diff --git a/policycoreutils-2.4/newrole/newrole.c b/policycoreutils-2.4/newrole/newrole.c -index 94794e9..55e8d39 100644 +index 94794e9..65a945d 100644 --- a/policycoreutils-2.4/newrole/newrole.c +++ b/policycoreutils-2.4/newrole/newrole.c @@ -278,7 +278,7 @@ static int process_pam_config(FILE * cfg) @@ -2863,19 +2863,30 @@ index 94794e9..55e8d39 100644 if (ret < 2 || !app || !service) goto err; -@@ -546,9 +546,7 @@ static int drop_capabilities(int full) +@@ -546,18 +546,27 @@ static int drop_capabilities(int full) if (!uid) return 0; capng_setpid(getpid()); - capng_clear(CAPNG_SELECT_BOTH); - if (capng_lock() < 0) -- return -1; + capng_clear(CAPNG_SELECT_CAPS); ++ ++ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) { ++ fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n")); + return -1; ++ } /* Change uid */ if (setresuid(uid, uid, uid)) { -@@ -557,7 +555,7 @@ static int drop_capabilities(int full) + fprintf(stderr, _("Error changing uid, aborting.\n")); + return -1; } ++ ++ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) { ++ fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n")); ++ return -1; ++ } ++ if (! full) capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE); - return capng_apply(CAPNG_SELECT_BOTH); 
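Review bot: The message printed when `prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)` fails in `drop_capabilities()` says "Error resetting KEEPCAPS", which is the wording of the later clear call, so a log line cannot tell the two failures apart. It should read `fprintf(stderr, _("Error setting KEEPCAPS, aborting\n"));`, and both messages could end in "aborting." to match the neighbouring "Error changing uid, aborting." string. The same wording is repeated in the NAMESPACE_PRIV variant patched in the `@@ -2893,8 +2904,12 @@` hunk. Separately, the `setresuid()` failure path returns -1 with the keep-capabilities flag still set. That is harmless only if every caller exits on -1, which is not visible from this hunk, so clearing the flag before that `return -1` would be the safer form.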
@@ -2883,7 +2894,7 @@ index 94794e9..55e8d39 100644 } #elif defined(NAMESPACE_PRIV) /** -@@ -575,20 +573,21 @@ static int drop_capabilities(int full) +@@ -575,20 +584,32 @@ static int drop_capabilities(int full) */ static int drop_capabilities(int full) { @@ -2893,8 +2904,12 @@ index 94794e9..55e8d39 100644 capng_setpid(getpid()); - capng_clear(CAPNG_SELECT_BOTH); - if (capng_lock() < 0) -- return -1; + capng_clear(CAPNG_SELECT_CAPS); ++ ++ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) { ++ fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n")); + return -1; ++ } - uid_t uid = getuid(); /* Change uid */ @@ -2902,6 +2917,12 @@ index 94794e9..55e8d39 100644 fprintf(stderr, _("Error changing uid, aborting.\n")); return -1; } ++ ++ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) { ++ fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n")); ++ return -1; ++ } ++ if (! full) - capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1); - return capng_apply(CAPNG_SELECT_BOTH); @@ -2911,7 +2932,7 @@ index 94794e9..55e8d39 100644 } #else -@@ -679,7 +678,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, +@@ -679,7 +700,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, security_context_t * tty_context, security_context_t * new_tty_context) { @@ -2920,7 +2941,7 @@ index 94794e9..55e8d39 100644 int enforcing = security_getenforce(); security_context_t tty_con = NULL; security_context_t new_tty_con = NULL; -@@ -698,7 +697,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, +@@ -698,7 +719,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, fprintf(stderr, _("Error! Could not open %s.\n"), ttyn); return fd; } 
@@ -2935,7 +2956,7 @@ index 94794e9..55e8d39 100644 if (fgetfilecon(fd, &tty_con) < 0) { fprintf(stderr, _("%s! Could not get current context " -@@ -1009,9 +1014,9 @@ int main(int argc, char *argv[]) +@@ -1009,9 +1036,9 @@ int main(int argc, char *argv[]) int fd; pid_t childPid = 0; char *shell_argv0 = NULL; @@ -2946,7 +2967,7 @@ index 94794e9..55e8d39 100644 int pam_status; /* pam return code */ pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */ -@@ -1104,7 +1109,7 @@ int main(int argc, char *argv[]) +@@ -1104,7 +1131,7 @@ int main(int argc, char *argv[]) * command when invoked by newrole. */ char *cmd = NULL; @@ -2955,12 +2976,8 @@ index 94794e9..55e8d39 100644 if (rc != EOF && cmd) { char *app_service_name = (char *)hashtab_search(app_service_names, -@@ -1222,18 +1227,26 @@ int main(int argc, char *argv[]) - fprintf(stderr, _("Could not close descriptors.\n")); - goto err_close_pam; - } -- fd = open(ttyn, O_RDWR | O_NONBLOCK); -+ fd = open(ttyn, O_RDONLY | O_NONBLOCK); +@@ -1225,15 +1252,23 @@ int main(int argc, char *argv[]) + fd = open(ttyn, O_RDWR | O_NONBLOCK); if (fd != 0) goto err_close_pam; - fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); @@ -2986,7 +3003,7 @@ index 94794e9..55e8d39 100644 } /* -@@ -1267,19 +1280,24 @@ int main(int argc, char *argv[]) +@@ -1267,19 +1302,24 @@ int main(int argc, char *argv[]) } #endif diff --git a/policycoreutils.spec b/policycoreutils.spec index 58a13ad..2cc1269 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.4 -Release: 12%{?dist} +Release: 13%{?dist} License: GPLv2 Group: System Environment/Base # https://github.com/SELinuxProject/selinux/wiki/Releases 
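Review bot: The stdin `open(ttyn, O_RDWR | O_NONBLOCK)` in `main()` (hunk `@@ -2955,12 +2976,8 @@`) is back to read/write after the previous revision of this patch had narrowed it to `O_RDONLY`, and nothing in the code records why fd 0 needs write access to the terminal. A short comment above the call would keep a later cleanup from narrowing it again, for example `/* stdin must be O_RDWR: <reason from the upstream commit> */`. The surrounding block of `main()` starts and ends outside this hunk, so the rest of the descriptor setup is not reviewed here.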
@@ -18,7 +18,7 @@ Source2: policycoreutils_man_ru2.tar.bz2 Source3: system-config-selinux.png Source4: sepolicy-icons.tgz # use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/ -# HEAD https://github.com/fedora-selinux/selinux/commit/eb5c289a0e39d67b1cb12c85a166be236892b08a +# HEAD https://github.com/fedora-selinux/selinux/commit/2722bc1a30abda48574d87c06413d1219f74d2de Patch: policycoreutils-rhat.patch Patch1: sepolgen-rhat.patch Patch100: policycoreutils-fix-semanage-python3.patch @@ -404,6 +404,10 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Fri Oct 02 2015 Petr Lautrbach 2.4-13 +- newrole: Set keepcaps around setresuid calls +- newrole: Open stdin as read/write + * Fri Sep 04 2015 Petr Lautrbach 2.4-12 - Fix several semanage issue (#1247714) - Decode output from subprocess, if error occurred (#1247039)