rpms/policycoreutils
7
0
Fork 0
Code Issues Pull Requests Releases Activity

policycoreutils-2.4-13

Browse Source 
- newrole: Set keepcaps around setresuid calls
- newrole: Open stdin as read/write
This commit is contained in:
Petr Lautrbach 2015-10-02 19:52:27 +02:00
parent 90c72fdbb7
commit f8062d58e4
2 changed files with 40 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
policycoreutils-rhat.patch
View File

@ -2851,7 +2851,7 @@ index b863346..d994891 100644
rc = generate_gen_require_attribute(); rc = generate_gen_require_attribute();
if (rc != 0) { if (rc != 0) {
diff --git a/policycoreutils-2.4/newrole/newrole.c b/policycoreutils-2.4/newrole/newrole.c diff --git a/policycoreutils-2.4/newrole/newrole.c b/policycoreutils-2.4/newrole/newrole.c
index 94794e9..55e8d39 100644 index 94794e9..65a945d 100644
--- a/policycoreutils-2.4/newrole/newrole.c --- a/policycoreutils-2.4/newrole/newrole.c
+++ b/policycoreutils-2.4/newrole/newrole.c +++ b/policycoreutils-2.4/newrole/newrole.c
@@ -278,7 +278,7 @@ static int process_pam_config(FILE * cfg) @@ -278,7 +278,7 @@ static int process_pam_config(FILE * cfg)
@ -2863,19 +2863,30 @@ index 94794e9..55e8d39 100644
if (ret < 2 || !app || !service) if (ret < 2 || !app || !service)
goto err; goto err;
@@ -546,9 +546,7 @@ static int drop_capabilities(int full) @@ -546,18 +546,27 @@ static int drop_capabilities(int full)
if (!uid) return 0; if (!uid) return 0;
capng_setpid(getpid()); capng_setpid(getpid());
- capng_clear(CAPNG_SELECT_BOTH); - capng_clear(CAPNG_SELECT_BOTH);
- if (capng_lock() < 0) - if (capng_lock() < 0)
- return -1;
+ capng_clear(CAPNG_SELECT_CAPS); + capng_clear(CAPNG_SELECT_CAPS);
+
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
+ fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
return -1;
+ }
/* Change uid */ /* Change uid */
if (setresuid(uid, uid, uid)) { if (setresuid(uid, uid, uid)) {
@@ -557,7 +555,7 @@ static int drop_capabilities(int full) fprintf(stderr, _("Error changing uid, aborting.\n"));
return -1;
} }
+
+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) {
+ fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
+ return -1;
+ }
+
if (! full) if (! full)
capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE); capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
- return capng_apply(CAPNG_SELECT_BOTH); - return capng_apply(CAPNG_SELECT_BOTH);
@ -2883,7 +2894,7 @@ index 94794e9..55e8d39 100644
} }
#elif defined(NAMESPACE_PRIV) #elif defined(NAMESPACE_PRIV)
/** /**
@@ -575,20 +573,21 @@ static int drop_capabilities(int full) @@ -575,20 +584,32 @@ static int drop_capabilities(int full)
*/ */
static int drop_capabilities(int full) static int drop_capabilities(int full)
{ {
@ -2893,8 +2904,12 @@ index 94794e9..55e8d39 100644
capng_setpid(getpid()); capng_setpid(getpid());
- capng_clear(CAPNG_SELECT_BOTH); - capng_clear(CAPNG_SELECT_BOTH);
- if (capng_lock() < 0) - if (capng_lock() < 0)
- return -1;
+ capng_clear(CAPNG_SELECT_CAPS); + capng_clear(CAPNG_SELECT_CAPS);
+
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
+ fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
return -1;
+ }
- uid_t uid = getuid(); - uid_t uid = getuid();
/* Change uid */ /* Change uid */
@ -2902,6 +2917,12 @@ index 94794e9..55e8d39 100644
fprintf(stderr, _("Error changing uid, aborting.\n")); fprintf(stderr, _("Error changing uid, aborting.\n"));
return -1; return -1;
} }
+
+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) {
+ fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
+ return -1;
+ }
+
if (! full) if (! full)
- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1); - capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1);
- return capng_apply(CAPNG_SELECT_BOTH); - return capng_apply(CAPNG_SELECT_BOTH);
@ -2911,7 +2932,7 @@ index 94794e9..55e8d39 100644
} }
#else #else
@@ -679,7 +678,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, @@ -679,7 +700,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
security_context_t * tty_context, security_context_t * tty_context,
security_context_t * new_tty_context) security_context_t * new_tty_context)
{ {
@ -2920,7 +2941,7 @@ index 94794e9..55e8d39 100644
int enforcing = security_getenforce(); int enforcing = security_getenforce();
security_context_t tty_con = NULL; security_context_t tty_con = NULL;
security_context_t new_tty_con = NULL; security_context_t new_tty_con = NULL;
@@ -698,7 +697,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context, @@ -698,7 +719,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
fprintf(stderr, _("Error! Could not open %s.\n"), ttyn); fprintf(stderr, _("Error! Could not open %s.\n"), ttyn);
return fd; return fd;
} }
@ -2935,7 +2956,7 @@ index 94794e9..55e8d39 100644
if (fgetfilecon(fd, &tty_con) < 0) { if (fgetfilecon(fd, &tty_con) < 0) {
fprintf(stderr, _("%s! Could not get current context " fprintf(stderr, _("%s! Could not get current context "
@@ -1009,9 +1014,9 @@ int main(int argc, char *argv[]) @@ -1009,9 +1036,9 @@ int main(int argc, char *argv[])
int fd; int fd;
pid_t childPid = 0; pid_t childPid = 0;
char *shell_argv0 = NULL; char *shell_argv0 = NULL;
@ -2946,7 +2967,7 @@ index 94794e9..55e8d39 100644
int pam_status; /* pam return code */ int pam_status; /* pam return code */
pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */ pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */
@@ -1104,7 +1109,7 @@ int main(int argc, char *argv[]) @@ -1104,7 +1131,7 @@ int main(int argc, char *argv[])
* command when invoked by newrole. * command when invoked by newrole.
*/ */
char *cmd = NULL; char *cmd = NULL;
@ -2955,12 +2976,8 @@ index 94794e9..55e8d39 100644
if (rc != EOF && cmd) { if (rc != EOF && cmd) {
char *app_service_name = char *app_service_name =
(char *)hashtab_search(app_service_names, (char *)hashtab_search(app_service_names,
@@ -1222,18 +1227,26 @@ int main(int argc, char *argv[]) @@ -1225,15 +1252,23 @@ int main(int argc, char *argv[])
fprintf(stderr, _("Could not close descriptors.\n")); fd = open(ttyn, O_RDWR | O_NONBLOCK);
goto err_close_pam;
}
- fd = open(ttyn, O_RDWR | O_NONBLOCK);
+ fd = open(ttyn, O_RDONLY | O_NONBLOCK);
if (fd != 0) if (fd != 0)
goto err_close_pam; goto err_close_pam;
- fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK); - fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
@ -2986,7 +3003,7 @@ index 94794e9..55e8d39 100644
} }
/* /*
@@ -1267,19 +1280,24 @@ int main(int argc, char *argv[]) @@ -1267,19 +1302,24 @@ int main(int argc, char *argv[])
} }
#endif #endif

8
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.4 Version: 2.4
Release: 12%{?dist} Release: 13%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
@ -18,7 +18,7 @@ Source2: policycoreutils_man_ru2.tar.bz2
Source3: system-config-selinux.png Source3: system-config-selinux.png
Source4: sepolicy-icons.tgz Source4: sepolicy-icons.tgz
# use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/ # use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
# HEAD https://github.com/fedora-selinux/selinux/commit/eb5c289a0e39d67b1cb12c85a166be236892b08a # HEAD https://github.com/fedora-selinux/selinux/commit/2722bc1a30abda48574d87c06413d1219f74d2de
Patch: policycoreutils-rhat.patch Patch: policycoreutils-rhat.patch
Patch1: sepolgen-rhat.patch Patch1: sepolgen-rhat.patch
Patch100: policycoreutils-fix-semanage-python3.patch Patch100: policycoreutils-fix-semanage-python3.patch
@ -404,6 +404,10 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Fri Oct 02 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-13
- newrole: Set keepcaps around setresuid calls
- newrole: Open stdin as read/write
* Fri Sep 04 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-12 * Fri Sep 04 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-12
- Fix several semanage issue (#1247714) - Fix several semanage issue (#1247714)
- Decode output from subprocess, if error occurred (#1247039) - Decode output from subprocess, if error occurred (#1247039)