Commit Graph

566 Commits

Author SHA1 Message Date
Dan Walsh
a648c6f239 Change seunshare to send kill signals to the childs session.
Also add signal handler to catch sigint, so if user enters ctrl-C sandbox will shutdown.
2011-07-07 14:53:37 -04:00
Dan Walsh
af0f4926da Change seunshare to send kill signals to the childs session.
Also add signal handler to catch sigint, so if user enters ctrl-C sandbox will shutdown.
2011-07-07 14:37:24 -04:00
Dan Walsh
8dbd4d49f6 dd new restorecond service 2011-07-05 17:18:12 -04:00
Dan Walsh
759501823b Add -C option to sandbox and seunshare to maintain capabilities, otherwise
the bounding set will be dropped.
Change --cgroups short name -c rather then -C for consistancy
Fix memory and fd leaks in seunshare
2011-07-05 16:51:18 -04:00
Dan Walsh
173e9f90db Do not drop capability bounding set in seunshare, this allows sandbox to
run setuid apps.
2011-06-13 13:37:04 -04:00
Dan Walsh
299d98087e Remove mount -o bind calls from sandbox init script
pam_namespace now has this built in.
2011-06-07 13:58:41 -04:00
Dan Walsh
dc86b007cf Pass desktop dpi to sandbox Xephyr window 2011-06-07 08:37:18 -04:00
Dan Walsh
c2ef4a0bea Allow semodule to pick alternate root for selinux files
Add ~/.config/* to restorcond_user.conf, so restorecond will watch for mislabeled files in this directory.
2011-06-06 13:01:14 -04:00
Dan Walsh
4a56398540 Apply patches from Christoph A.
* fix sandbox title
* stop xephyr from li
Also ignore errors on sandbox include of directory missing files
2011-04-22 07:06:23 -04:00
Dan Walsh
588030fc2c Change fixfiles restore to delete unlabeled sockets in /tmp 2011-04-18 13:18:18 -04:00
Dan Walsh
61f1bc2068 Change fixfiles restore to delete unlabeled sockets in /tmp 2011-04-18 12:47:15 -04:00
Dan Walsh
9f65a26864 Update to upstream
* Use correct color range in mcstrand by Richard Haines.
2011-04-13 16:52:53 -04:00
Dan Walsh
1da0399e25 rsynccmd should run outside of execcon 2011-03-30 14:42:36 -04:00
Dan Walsh
be38aa471e Rewrite seunshare to make sure /tmp is mounted stickybit owned by root 2011-03-03 13:35:37 -05:00
Dan Walsh
433953b033 - Cleaup selinux-polgengui to be a little more modern, fix comments and use selected name
- Cleanup chcat man page
2011-02-03 16:15:43 -05:00
Dan Walsh
331e9ad06d - Report full errors on OSError on Sandbox 2011-02-02 13:34:22 -05:00
Dan Walsh
e764b2d2b6 - Fix newrole hanlding of pcap 2011-01-21 15:11:31 -05:00
Dan Walsh
971f278f98 - Have restorecond watch more directories in homedir 2011-01-19 16:45:53 -05:00
Dan Walsh
12eb5b45f4 - Fix proper handling of getopt errors
- Do not allow modules names to contain spaces
2011-01-10 14:39:21 -05:00
Dan Walsh
c76dc0c642 - Polgengui raises the wrong type of exception. #471078
- Change semanage to not allow it to semanage module -D
- Change setsebool to suggest run as root on failure
2011-01-06 14:38:19 -05:00
Dan Walsh
448a84b06a - Polgengui raises the wrong type of exception. #471078
- Change semanage to not allow it to semanage module -D
2011-01-04 17:23:27 -05:00
Dan Walsh
18119ffd24 - Fix restorecond watching utmp file for people logging in our out 2010-12-22 14:38:46 -05:00
Dan Walsh
a548207cc4 - Change to allow sandbox to run on nfs homedirs, add start python script 2010-12-21 16:20:01 -05:00
Dan Walsh
8937a040d8 - Change to allow sandbox to run on nfs homedirs, add start python script 2010-12-15 16:47:38 -05:00
Dan Walsh
6c80e8dc19 - Fix sandbox to show correct types in usage statement 2010-11-30 12:09:48 -05:00
Dan Walsh
8c1d9b0f48 - Stop fixfiles from complaining about missing dirs 2010-11-29 10:14:39 -05:00
Dan Walsh
63fda8aa74 - Update to upstream
- List types available for sandbox in usage statement
2010-11-24 13:44:58 -05:00
Dan Walsh
f0e85a70d6 - Update to upstream
- List types available for sandbox in usage statement
2010-11-24 13:41:52 -05:00
Dan Walsh
b9b7f4161c - Fix up problems pointed out by solar designer on dropping capabilities 2010-11-08 15:12:25 -05:00
Dan Walsh
d7e1c238f4 - Check if you have full privs and reset otherwise dont drop caps 2010-11-01 16:21:00 -04:00
Dan Walsh
cdcc4526b7 - Fix setools require line 2010-11-01 09:50:12 -04:00
Dan Walsh
622bb69d77 - Move /etc/pam.d/newrole in to polcicycoreutils-newrole
- Additiona capability  checking in sepolgen
2010-10-29 09:39:03 -04:00
Dan Walsh
9852e61813 - Remove setuid flag and replace with file capabilities
- Fix sandbox handling of files with spaces in them
2010-10-25 17:25:34 -04:00
Dan Walsh
cccd96b8cf - Move restorecond into its own subpackage 2010-09-23 16:23:05 -04:00
Dan Walsh
e500ad80f0 * Wed Jul 28 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-9
- Update selinux-polgengui to sepolgen policy generation
2010-07-30 11:19:53 -04:00
Daniel J Walsh
1eab65cee2 * Tue Jul 20 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-6
- Fix sandbox man page
2010-07-26 15:33:31 +00:00
Daniel J Walsh
d6510fbca2 * Tue Jul 20 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-4
- Add translations for menus
- Fixup man page from Russell Coker
2010-07-20 13:18:18 +00:00
Daniel J Walsh
614ca03ae7 * Tue Jun 15 2010 Dan Walsh <dwalsh@redhat.com> 2.0.83-3
- Change python scripts to use -s flag
- Update po
2010-07-13 17:32:51 +00:00
Daniel J Walsh
73342918cd * Tue Jun 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-30
- Add cgroup support for sandbox
2010-06-08 19:13:40 +00:00
Daniel J Walsh
70b2ff10d0 * Thu Jun 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-28
- Fix sandbox init script
- Add dbus-launch to sandbox -X
Resolve: #599599
2010-06-03 21:14:18 +00:00
Daniel J Walsh
85a18e3dcc * Thu Jun 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-27
- Move genhomedircon.8 to same package as genhomedircon
- Fix sandbox to pass unit test
Resolves: #595796
2010-06-03 15:04:49 +00:00
Daniel J Walsh
829762e693 * Thu May 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.82-24
- Man page fixes
- sandbox fixes
Resolves: #595796
- Move seunshare to base package
2010-05-27 21:23:08 +00:00
Daniel J Walsh
be45950990 * Thu Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1
- Update to upstream
	* Fix double-free in newrole
- Fix python language handling
2010-02-16 21:35:16 +00:00
Daniel J Walsh
fc6c93ebeb * Thu Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1
- Update to upstream
	* Fix double-free in newrole
2010-02-16 19:49:37 +00:00
Daniel J Walsh
8fd9d71264 * Thu Feb 11 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-21
- Fix display of command in sandbox
2010-02-11 22:13:39 +00:00
Daniel J Walsh
fce031b620 * Thu Feb 11 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-21
- Fix display of command in sandbox
2010-02-11 21:56:38 +00:00
Daniel J Walsh
ee3649bda5 * Thu Feb 11 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-21
- Fix display of command in sandbox
2010-02-11 18:24:55 +00:00
Daniel J Walsh
e7737e34ea * Wed Feb 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-19
- Fix seobject and fixfiles
2010-02-03 20:24:35 +00:00
Daniel J Walsh
c8f4893a95 * Wed Feb 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-18
- Fix seobject and fixfiles
2010-02-03 16:42:37 +00:00
Daniel J Walsh
35da894f0e * Wed Feb 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-18
- Fix seobject and fixfiles
2010-02-03 16:42:35 +00:00
Daniel J Walsh
db71b70994 * Fri Jan 29 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-17
- Change seobject to use translations properly
2010-02-01 14:40:42 +00:00
Daniel J Walsh
dd674534b4 * Wed Jan 27 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-14
- Add session capability to sandbox
- sandbox -SX -H ~/.homedir -t unconfined_t -l s0:c15 /etc/gdm/Xsession
2010-01-27 21:52:27 +00:00
Daniel J Walsh
a02089d628 * Thu Jan 14 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-11
- Run with the same xdmodmap in sandbox as outside
- Patch from Josh Cogliati
2010-01-19 17:25:36 +00:00
Daniel J Walsh
54e6651778 * Thu Jan 14 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-11
- Run with the same xdmodmap in sandbox as outside
- Patch from Josh Cogliati
2010-01-14 21:34:51 +00:00
Daniel J Walsh
6c22c6b1f6 * Fri Jan 8 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-9
- Add -e to semanage man page
- Add -D qualifier to audit2allow to generate dontaudit rules
2010-01-08 14:37:32 +00:00
Daniel J Walsh
29b74ccd7d * Fri Dec 18 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-7
- Fixes to sandbox man page
2009-12-21 21:56:27 +00:00
Daniel J Walsh
a1bf0daa6c * Wed Dec 16 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-5
- If restorecond running as a user has no files to watch then it should exit.  (NFS Homedirs)
2009-12-16 13:21:49 +00:00
Daniel J Walsh
79944fd474 * Tue Dec 8 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-3
- Fix audit2allow to report constraints, dontaudits, types, booleans
2009-12-09 21:33:50 +00:00
Daniel J Walsh
3fbc112632 * Tue Dec 1 2009 Dan Walsh <dwalsh@redhat.com> 2.0.78-1
- Update to upstream
	* Remove non-working OUTFILE from fixfiles from Dan Walsh.
	* Additional exception handling in chcat from Dan Walsh.
2009-12-01 21:17:45 +00:00
Daniel J Walsh
f3a1cbae2a * Tue Nov 24 2009 Dan Walsh <dwalsh@redhat.com> 2.0.77-1
- Update to upstream
	* Fixed bug preventing semanage node -a from working
	  from Chad Sellers
	* Fixed bug preventing semanage fcontext -l from working
	  from Chad Sellers
- Change semanage to use unicode
2009-11-24 15:30:53 +00:00
Daniel J Walsh
e973847bf6 * Wed Nov 18 2009 Dan Walsh <dwalsh@redhat.com> 2.0.76-1
- Update to upstream
	* Remove setrans management from semanage, as it does not work
	  from Dan Walsh.
	* Move load_policy from /usr/sbin to /sbin from Dan Walsh.
2009-11-18 22:20:42 +00:00
Daniel J Walsh
4e4a82e887 * Mon Nov 16 2009 Dan Walsh <dwalsh@redhat.com> 2.0.75-3
- Raise exception if user tries to add file context with an embedded space
2009-11-16 21:54:45 +00:00
Daniel J Walsh
a1e42cb153 * Wed Nov 11 2009 Dan Walsh <dwalsh@redhat.com> 2.0.75-2
- Fix sandbox to setsid so it can run under mozilla without crashing the session
2009-11-11 21:56:23 +00:00
Daniel J Walsh
942b683f29 * Tue Nov 2 2009 Dan Walsh <dwalsh@redhat.com> 2.0.75-1
- Update to upstream
	* Factor out restoring logic from setfiles.c into restore.c
2009-11-09 21:12:58 +00:00
Daniel J Walsh
44bb682976 * Fri Oct 30 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-15
- Fix typo in seobject.py
2009-11-02 16:40:00 +00:00
Daniel J Walsh
8cf3bcfdee * Fri Oct 30 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-14
- Allow semanage -i and semanage -o to generate customization files.
- semanage -o will generate a customization file that semanage -i can read and set a machines to the same selinux configuration
2009-10-30 21:01:42 +00:00
Daniel J Walsh
fd3c8c94ea * Wed Oct 14 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-9
- Move fixfiles man pages into the correct package
- Add genhomedircon to fixfiles restore
2009-10-14 14:47:50 +00:00
Daniel J Walsh
ac48b0b34b * Thu Oct 6 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-8
- Add check to sandbox to verify save changes - Chris Pardy
- Fix memory leak in restorecond - Steve Grubb
2009-10-06 16:09:52 +00:00
Daniel J Walsh
678a86d335 * Thu Oct 1 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-7
- Fixes Templates
2009-10-01 16:04:13 +00:00
Daniel J Walsh
f466aa0b3b * Wed Sep 30 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-5
- Fixes for semanage -equiv, readded modules, --enable, --disable
2009-09-30 15:37:12 +00:00
Daniel J Walsh
6c27d724c5 * Sun Sep 20 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-4
- Close sandbox when eclipse exits
2009-09-21 13:54:02 +00:00
Daniel J Walsh
425e7d2796 * Fri Sep 18 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-3
- Security fixes for seunshare
- Fix Sandbox to handle non file input to command.
2009-09-19 01:40:53 +00:00
Daniel J Walsh
b98d816316 * Thu Sep 17 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-2
- Security fixes for seunshare
2009-09-17 19:19:53 +00:00
Daniel J Walsh
26d020dedb * Thu Sep 17 2009 Dan Walsh <dwalsh@redhat.com> 2.0.74-1
- Update to upstream
	* Change semodule upgrade behavior to install even if the module
	  is not present from Dan Walsh.
	* Make setfiles label if selinux is disabled and a seclabel aware
	  kernel is running from Caleb Case.
	* Clarify forkpty() error message in run_init from Manoj Srivastava.
2009-09-17 13:07:45 +00:00
Daniel J Walsh
1696e8f7d1 * Mon Sep 14 2009 Dan Walsh <dwalsh@redhat.com> 2.0.73-5
- Fix sandbox to handle relative paths
2009-09-16 19:48:49 +00:00
Daniel J Walsh
f109f0076e * Mon Sep 14 2009 Dan Walsh <dwalsh@redhat.com> 2.0.73-3
- Fix restorecond script to use force-reload
2009-09-14 19:39:09 +00:00
Daniel J Walsh
b87b8212fa * Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> 2.0.73-2
- Fix init script to show status in usage message
2009-09-09 21:07:24 +00:00
Daniel J Walsh
fc20c42a12 * Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> 2.0.73-2
- Fix init script to show status in usage message
2009-09-09 17:04:51 +00:00
Daniel J Walsh
7ae4fd64fa * Tue Sep 8 2009 Dan Walsh <dwalsh@redhat.com> 2.0.73-1
- Update to upstream
        * Add semanage dontaudit to turn off dontaudits from Dan Walsh.
        * Fix semanage to set correct mode for setrans file from Dan Walsh.
        * Fix malformed dictionary in portRecord from Dan Walsh.
	* Restore symlink handling support to restorecon based on a patch by
	Martin Orr.  This fixes the restorecon /dev/stdin performed by Debian
	udev scripts that was broken by policycoreutils 2.0.70.
2009-09-08 14:15:50 +00:00
Daniel J Walsh
7b3ab100a9 * Fri Aug 28 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-14
- Add enable/disable patch
2009-08-28 18:18:46 +00:00
Daniel J Walsh
a39af4db38 * Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-12
- Tighten up controls on seunshare.c
2009-08-26 21:52:30 +00:00
Daniel J Walsh
349a457593 * Wed Aug 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-11
- Add sandboxX
2009-08-26 18:05:32 +00:00
Daniel J Walsh
4b8a9749e9 * Sat Aug 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-10
- Fix realpath usage to only happen on argv input from user
2009-08-22 12:08:34 +00:00
Daniel J Walsh
4bf248f359 * Thu Aug 20 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-7
- Fix glob handling of /..
2009-08-20 19:51:45 +00:00
Daniel J Walsh
3f2af1bab0 * Thu Aug 20 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-7
- Fix glob handling of /..
2009-08-20 19:05:30 +00:00
Daniel J Walsh
c14fb87560 * Wed Aug 19 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-6
- Redesign restorecond to use setfiles/restore functionality
2009-08-19 20:38:19 +00:00
Daniel J Walsh
8c640c000d * Wed Aug 19 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-6
- Redesign restorecond to use setfiles/restore functionality
2009-08-19 20:25:21 +00:00
Daniel J Walsh
e96c403a63 * Tue Aug 18 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-4
- Add --boot flag to audit2allow to get all AVC messages since last boot
2009-08-18 19:25:04 +00:00
Daniel J Walsh
2b1f1bd524 * Tue Aug 18 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-3
- Fix semanage command
2009-08-18 12:32:44 +00:00
Daniel J Walsh
afa7adf27e * Thu Aug 13 2009 Dan Walsh <dwalsh@redhat.com> 2.0.71-1
- Fix chcat to report error on non existing file
- Update to upstream
	* Modify setfiles/restorecon checking of exclude paths.  Only check
	user-supplied exclude paths (not automatically generated ones based on
	lack of seclabel support), don't require them to be directories, and
	ignore permission denied errors on them (it is ok to exclude a path to
	which the caller lacks permission).
2009-08-13 15:51:51 +00:00
Daniel J Walsh
f23e0fcdf3 * Mon Aug 10 2009 Dan Walsh <dwalsh@redhat.com> 2.0.70-2
- Don't warn if the user did not specify the exclude if root can not stat file system
2009-08-10 15:26:43 +00:00
Daniel J Walsh
886ea9345c * Wed Aug 5 2009 Dan Walsh <dwalsh@redhat.com> 2.0.70-1
- Update to upstream
	* Modify restorecon to only call realpath() on user-supplied pathnames
	from Stephen Smalley.
	* Fix typo in fixfiles that prevented it from relabeling btrfs
	  filesystems from Dan Walsh.
2009-08-05 19:27:53 +00:00
Daniel J Walsh
d03de9fdcd * Sun Jul 29 2009 Dan Walsh <dwalsh@redhat.com> 2.0.68-1
- Fix location of man pages
- Update to upstream
	* Modify setfiles to exclude mounts without seclabel option in
	/proc/mounts on kernels >= 2.6.30 from Thomas Liu.
	* Re-enable disable_dontaudit rules upon semodule -B from Christopher
	Pardy and Dan Walsh.
	* setfiles converted to fts from Thomas Liu.
2009-07-29 13:43:53 +00:00
Daniel J Walsh
2cc7fbfc2e * Fri Jun 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.64-1
- Update to upstream
	* Keep setfiles from spamming console from Dan Walsh.
	* Fix chcat's category expansion for users from Dan Walsh.
- Update po files
- Fix sepolgen
2009-06-26 19:02:05 +00:00
Daniel J Walsh
b30ac013f1 * Mon Jun 1 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-4
- Fix Sandbox option handling
- Fix fixfiles handling of btrfs
2009-06-01 10:43:27 +00:00
Daniel J Walsh
61c2d77e4e * Tue May 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-3
- Fix sandbox to be able to execute files in homedir
2009-05-26 16:58:40 +00:00
Daniel J Walsh
7d0ef81ff4 * Wed May 20 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-1
- Update to upstream
	* Fix transaction checking from Dan Walsh.
	* Make fixfiles -R (for rpm) recursive.
	* Make semanage permissive clean up after itself from Dan Walsh.
	* add /root/.ssh/* to restorecond.conf
2009-05-22 18:00:00 +00:00
Daniel J Walsh
e265547be3 * Wed Apr 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.62-14
- Fix audit2allow -a to retun /var/log/messages
2009-05-12 19:32:47 +00:00
Daniel J Walsh
43016e2233 * Wed Apr 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.62-14
- Fix audit2allow -a to retun /var/log/messages
2009-05-05 19:50:40 +00:00
Daniel J Walsh
b61040e0cd * Wed Apr 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.62-14
- Fix audit2allow -a to retun /var/log/messages
2009-05-05 18:51:52 +00:00