From 7d0ef81ff47a4ffcc9e477b09eda7fd5c9339d38 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: May 22 2009 18:00:00 +0000 Subject: * Wed May 20 2009 Dan Walsh 2.0.63-1 - Update to upstream * Fix transaction checking from Dan Walsh. * Make fixfiles -R (for rpm) recursive. * Make semanage permissive clean up after itself from Dan Walsh. * add /root/.ssh/* to restorecond.conf
---
diff --git a/.cvsignore b/.cvsignore
index d09225f..8d0b37a 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -197,3 +197,4 @@ policycoreutils-2.0.61.tgz
 sepolgen-1.0.15.tgz
 policycoreutils-2.0.62.tgz
 sepolgen-1.0.16.tgz
+policycoreutils-2.0.63.tgz
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 48bad40..0de3bd7 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.62/audit2allow/audit2allow
+diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow policycoreutils-2.0.63/audit2allow/audit2allow
 --- nsapolicycoreutils/audit2allow/audit2allow 2009-01-13 08:45:35.000000000 -0500
-+++ policycoreutils-2.0.62/audit2allow/audit2allow 2009-05-04 13:40:26.000000000 -0400
++++ policycoreutils-2.0.63/audit2allow/audit2allow 2009-05-22 13:40:04.000000000 -0400
 @@ -126,6 +126,7 @@ elif self.__options.audit: try:
@@ -9,18 +9,18 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po except OSError, e: sys.stderr.write('could not run ausearch - "%s"\n' % str(e)) sys.exit(1) -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.62/Makefile +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.63/Makefile --- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.62/Makefile 2009-05-04 13:40:26.000000000 -0400 ++++ policycoreutils-2.0.63/Makefile 2009-05-22 13:40:04.000000000 -0400 @@ -1,4 +1,4 @@ -SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po +SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null) -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.62/restorecond/Makefile +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/Makefile policycoreutils-2.0.63/restorecond/Makefile --- nsapolicycoreutils/restorecond/Makefile 2009-02-18 16:44:47.000000000 -0500 -+++ policycoreutils-2.0.62/restorecond/Makefile 2009-05-12 15:17:52.000000000 -0400 ++++ policycoreutils-2.0.63/restorecond/Makefile 2009-05-22 13:40:04.000000000 -0400 @@ -2,16 +2,23 @@ PREFIX ?= ${DESTDIR}/usr SBINDIR ?= $(PREFIX)/sbin 
@@ -62,16 +62,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po relabel: install /sbin/restorecon $(SBINDIR)/restorecond -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.62/restorecond/org.selinux.Restorecond.service +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/org.selinux.Restorecond.service policycoreutils-2.0.63/restorecond/org.selinux.Restorecond.service --- nsapolicycoreutils/restorecond/org.selinux.Restorecond.service 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.62/restorecond/org.selinux.Restorecond.service 2009-05-04 13:40:26.000000000 -0400 ++++ policycoreutils-2.0.63/restorecond/org.selinux.Restorecond.service 2009-05-22 13:40:04.000000000 -0400 @@ -0,0 +1,3 @@ +[D-BUS Service] +Name=org.selinux.Restorecond +Exec=/usr/sbin/restorecond -u -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.62/restorecond/restorecond.c +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.63/restorecond/restorecond.c --- nsapolicycoreutils/restorecond/restorecond.c 2009-02-18 16:44:47.000000000 -0500 -+++ policycoreutils-2.0.62/restorecond/restorecond.c 2009-05-12 15:18:05.000000000 -0400 ++++ policycoreutils-2.0.63/restorecond/restorecond.c 2009-05-22 13:40:04.000000000 -0400 @@ -48,294 +48,37 @@ #include #include 
@@ -540,19 +540,22 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po } + + -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.62/restorecond/restorecond.conf ---- nsapolicycoreutils/restorecond/restorecond.conf 2009-02-18 16:44:47.000000000 -0500 -+++ policycoreutils-2.0.62/restorecond/restorecond.conf 2009-05-04 13:40:26.000000000 -0400 -@@ -4,4 +4,5 @@ +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.conf policycoreutils-2.0.63/restorecond/restorecond.conf +--- nsapolicycoreutils/restorecond/restorecond.conf 2009-05-18 13:53:14.000000000 -0400 ++++ policycoreutils-2.0.63/restorecond/restorecond.conf 2009-05-22 13:40:04.000000000 -0400 +@@ -4,8 +4,5 @@ /etc/mtab /var/run/utmp /var/log/wtmp -~/* +-/root/.ssh +/root/* -+/root/.ssh/* -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.62/restorecond/restorecond.desktop + /root/.ssh/* +- +- +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.desktop policycoreutils-2.0.63/restorecond/restorecond.desktop --- nsapolicycoreutils/restorecond/restorecond.desktop 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.62/restorecond/restorecond.desktop 2009-05-06 14:10:09.000000000 -0400 ++++ policycoreutils-2.0.63/restorecond/restorecond.desktop 2009-05-22 13:40:04.000000000 -0400 @@ -0,0 +1,7 @@ +[Desktop Entry] +Name=File Context maintainer 
@@ -561,9 +564,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po +Encoding=UTF-8 +Type=Application +StartupNotify=false -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.62/restorecond/restorecond.h +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.h policycoreutils-2.0.63/restorecond/restorecond.h --- nsapolicycoreutils/restorecond/restorecond.h 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.62/restorecond/restorecond.h 2009-05-12 15:13:35.000000000 -0400 ++++ policycoreutils-2.0.63/restorecond/restorecond.h 2009-05-22 13:40:04.000000000 -0400 @@ -24,7 +24,22 @@ #ifndef RESTORED_CONFIG_H #define RESTORED_CONFIG_H @@ -589,15 +592,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po +extern void watch_list_free(int fd); #endif -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.62/restorecond/restorecond_user.conf +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond_user.conf policycoreutils-2.0.63/restorecond/restorecond_user.conf --- nsapolicycoreutils/restorecond/restorecond_user.conf 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.62/restorecond/restorecond_user.conf 2009-05-04 13:40:26.000000000 -0400 ++++ policycoreutils-2.0.63/restorecond/restorecond_user.conf 2009-05-22 13:40:04.000000000 -0400 
@@ -0,0 +1,2 @@ +~/* +~/public_html/* -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.62/restorecond/user.c +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/user.c policycoreutils-2.0.63/restorecond/user.c --- nsapolicycoreutils/restorecond/user.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.62/restorecond/user.c 2009-05-12 15:15:38.000000000 -0400 ++++ policycoreutils-2.0.63/restorecond/user.c 2009-05-22 13:40:04.000000000 -0400 @@ -0,0 +1,220 @@ +/* + * restorecond 
@@ -819,9 +822,43 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po + return 0; +} + -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.62/restorecond/watch.c +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/walk.c policycoreutils-2.0.63/restorecond/walk.c +--- nsapolicycoreutils/restorecond/walk.c 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.63/restorecond/walk.c 2009-05-22 13:40:04.000000000 -0400 +@@ -0,0 +1,30 @@ ++#define _XOPEN_SOURCE 500 ++#include ++#include ++#include ++#include ++ ++int ctr=0; ++static int ++display_info(const char *fpath, const struct stat *sb, ++ int tflag, struct FTW *ftwbuf) ++{ ++ if (tflag == FTW_D) { ++ printf(" %-40s %d %s\n", ++ fpath, ftwbuf->base, fpath + ftwbuf->base); ++ ctr++; ++ } ++ return 0; /* To tell nftw() to continue */ ++} ++ ++int ++main(int argc, char *argv[]) ++{ ++ int flags = 0; ++ ++ flags = FTW_PHYS | FTW_MOUNT; ++ ++ nftw((argc < 2) ? "." : argv[1], display_info, 20, flags); ++ printf("Total Dirs %d\n",ctr); ++ exit(EXIT_SUCCESS); ++} +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.63/restorecond/watch.c --- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.62/restorecond/watch.c 2009-05-12 15:12:28.000000000 -0400 ++++ policycoreutils-2.0.63/restorecond/watch.c 2009-05-22 13:40:04.000000000 -0400 @@ -0,0 +1,346 @@ +#define _GNU_SOURCE +#include 
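Review bot: `main()` in the new `restorecond/walk.c` ignores the return value of `nftw()`, so an unreadable or nonexistent start directory still prints `Total Dirs 0` and exits with success; check it with `if (nftw((argc < 2) ? "." : argv[1], display_info, 20, flags) == -1) { perror("nftw"); exit(EXIT_FAILURE); }`. `ctr` is a non-static file-scope global used only by `display_info` and `main`; `static int ctr = 0;` keeps it out of the link namespace. Nothing visible in this patch adds walk.c to the restorecond Makefile, so if it is a scratch program it may not belong in the shipped patch at all — worth confirming before it lands.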
@@ -1169,9 +1206,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po + exitApp("Error watching config file."); +} + -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.62/scripts/chcat +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.63/scripts/chcat --- nsapolicycoreutils/scripts/chcat 2009-01-13 08:45:35.000000000 -0500 -+++ policycoreutils-2.0.62/scripts/chcat 2009-05-04 13:40:26.000000000 -0400 ++++ policycoreutils-2.0.63/scripts/chcat 2009-05-22 13:46:01.000000000 -0400 @@ -281,14 +281,14 @@ def expandCats(cats): newcats = [] @@ -1195,9 +1232,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if i not in newcats: newcats.append(i) if len(newcats) > 25: -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.62/scripts/fixfiles ---- nsapolicycoreutils/scripts/fixfiles 2009-02-18 16:44:47.000000000 -0500 -+++ policycoreutils-2.0.62/scripts/fixfiles 2009-05-05 10:47:08.000000000 -0400 +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.63/scripts/fixfiles +--- nsapolicycoreutils/scripts/fixfiles 2009-05-18 13:53:14.000000000 -0400 ++++ policycoreutils-2.0.63/scripts/fixfiles 2009-05-22 13:40:04.000000000 -0400 @@ -89,7 +89,7 @@ fi; \ done | \ 
@@ -1207,15 +1244,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po \( -wholename /home -o -wholename /root -o -wholename /tmp -wholename /dev \) -prune -o -print0"; \ done 2> /dev/null | \ ${RESTORECON} $* -0 -f - -@@ -122,14 +122,14 @@ - fi - if [ ! -z "$RPMFILES" ]; then - for i in `echo "$RPMFILES" | sed 's/,/ /g'`; do -- rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -i -f - 2>&1 >> $LOGFILE -+ rpmlist $i | ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -R -i -f - 2>&1 >> $LOGFILE - done - exit $? - fi +@@ -129,7 +129,7 @@ if [ ! -z "$FILEPATH" ]; then if [ -x /usr/bin/find ]; then /usr/bin/find "$FILEPATH" \ 
@@ -1224,9 +1253,276 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE else ${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.62/semanage/semanage ---- nsapolicycoreutils/semanage/semanage 2009-02-18 16:44:47.000000000 -0500 -+++ policycoreutils-2.0.62/semanage/semanage 2009-05-04 13:40:26.000000000 -0400 +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.63/scripts/Makefile +--- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400 ++++ policycoreutils-2.0.63/scripts/Makefile 2009-05-22 13:43:33.000000000 -0400 +@@ -5,11 +5,12 @@ + MANDIR ?= $(PREFIX)/share/man + LOCALEDIR ?= /usr/share/locale + +-all: fixfiles genhomedircon ++all: fixfiles genhomedircon sandbox chcat + + install: all + -mkdir -p $(BINDIR) + install -m 755 chcat $(BINDIR) ++ install -m 755 sandbox $(BINDIR) + install -m 755 fixfiles $(DESTDIR)/sbin + install -m 755 genhomedircon $(SBINDIR) + -mkdir -p $(MANDIR)/man8 +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.63/scripts/sandbox +--- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.63/scripts/sandbox 2009-05-22 13:59:22.000000000 -0400 +@@ -0,0 +1,149 @@ ++#!/usr/bin/python -E ++import os, sys, getopt, socket, random, fcntl ++import selinux ++ ++PROGNAME = "policycoreutils" ++ ++import gettext ++gettext.bindtextdomain(PROGNAME, "/usr/share/locale") ++gettext.textdomain(PROGNAME) ++ ++try: ++ gettext.install(PROGNAME, ++ localedir = "/usr/share/locale", ++ unicode=False, ++ codeset = 'utf-8') ++except IOError: ++ import 
__builtin__ ++ __builtin__.__dict__['_'] = unicode ++ ++ ++random.seed(None) ++ ++def error_exit(msg): ++ sys.stderr.write("%s: " % sys.argv[0]) ++ sys.stderr.write("%s\n" % msg) ++ sys.stderr.flush() ++ sys.exit(1) ++ ++def mount(context): ++ if os.getuid() != 0: ++ usage(_("Mount options require root privileges")) ++ destdir = "/mnt/%s" % context ++ os.mkdir(destdir) ++ rc = os.system('/bin/mount -t tmpfs tmpfs %s' % (destdir)) ++ selinux.setfilecon(destdir, context) ++ if rc != 0: ++ sys.exit(rc) ++ os.chdir(destdir) ++ ++def umount(dest): ++ os.chdir("/") ++ destdir = "/mnt/%s" % dest ++ os.system('/bin/umount %s' % (destdir)) ++ os.rmdir(destdir) ++ ++ ++def reserve(mcs): ++ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) ++ sock.bind("\0%s" % mcs) ++ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC) ++ ++def gen_context(setype): ++ while True: ++ i1 = random.randrange(0, 1024) ++ i2 = random.randrange(0, 1024) ++ if i1 == i2: ++ continue ++ if i1 > i2: ++ tmp = i1 ++ i1 = i2 ++ i2 = tmp ++ mcs = "s0:c%d,c%d" % (i1, i2) ++ reserve(mcs) ++ try: ++ reserve(mcs) ++ except: ++ continue ++ break ++ con = selinux.getcon()[1].split(":") ++ ++ execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, mcs) ++ ++ filecon = "%s:%s:%s:%s" % (con[0], ++ "object_r", ++ "%s_file_t" % setype[:-2], ++ mcs) ++ return execcon, filecon ++ ++ ++if __name__ == '__main__': ++ if selinux.is_selinux_enabled() != 1: ++ error_exit("Requires an SELinux enabled system") ++ ++ def usage(message = ""): ++ text = _(""" ++sandbox [ -m ] [ -t type ] command ++""") ++ error_exit("%s\n%s" % (message, text)) ++ ++ setype = "sandbox_t" ++ mount_ind = False ++ gopts, cmds = getopt.getopt(sys.argv[1:], "t:m", ++ ["type=", ++ "mount"]) ++ for o, a in gopts: ++ if o == "-t" or o == "--type": ++ setype = a ++ ++ if o == "-m" or o == "--mount": ++ mount_ind = True ++ ++ ++ if len(cmds) == 0: ++ usage(_("Command required")) ++ ++ os.chdir("/") ++ execcon, filecon = gen_context(setype) ++ rc = 
-1 ++ try: ++ if mount_ind: ++ mount(filecon) ++ ++ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../": ++ for i in os.environ["PATH"].split(':'): ++ f = "%s/%s" % (i, cmds[0]) ++ if os.access(f, os.X_OK): ++ cmds[0] = f ++ break ++ ++ setype = selinux.getfilecon(cmds[0])[1].split(":")[2] ++ if setype == "user_home_t" or setype == "user_tmp_t": ++ error_exit(_(""" ++Sandboxed applications can not read/execute files labeled as user content; (%s) ++Temporarily label '%s" as bin_t, if you want it to run it under a sandbox. ++ ++chcon -t bin_t %s ++ ++restorecon %s ++ ++Will set the executable back to the correct context. ++""") % (setype, cmds[0], cmds[0], cmds[0]) ) ++ ++ selinux.setexeccon(execcon) ++ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds) ++ selinux.setexeccon(None) ++ ++ if mount_ind: ++ umount(filecon) ++ ++ except getopt.error, error: ++ usage(_("Options Error %s ") % error.msg) ++ except ValueError, error: ++ error_exit(error.args[0]) ++ except KeyError, error: ++ error_exit(_("Invalid value %s") % error.args[0]) ++ except IOError, error: ++ error_exit(error.args[1]) ++ ++ sys.exit(rc) +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.63/scripts/sandbox.8 +--- nsapolicycoreutils/scripts/sandbox.8 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.63/scripts/sandbox.8 2009-05-22 13:43:03.000000000 -0400 +@@ -0,0 +1,22 @@ ++.TH SANDBOX "8" "May 2009" "chcat" "User Commands" ++.SH NAME ++sandbox \- Run cmd under an SELinux sandbox ++.SH SYNOPSIS ++.B sandbox ++[ -M ] [ -t type ] cmd ++.br ++.SH DESCRIPTION ++.PP ++Run application within a tightly confined SELinux domain, This application can only read and write stdin and stdout along with files handled to it by the shell. ++.PP ++.TP ++\fB\-m\fR ++Mount a temporary file system and change working directory to it, files will be removed when job completes. 
++.TP ++\fB\-t type\fR ++Use alternate sandbox type, defaults to sandbox_t ++.TP ++.SH "SEE ALSO" ++.TP ++runcon(1) ++.PP +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.py policycoreutils-2.0.63/scripts/sandbox.py +--- nsapolicycoreutils/scripts/sandbox.py 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.63/scripts/sandbox.py 2009-05-22 13:40:04.000000000 -0400 +@@ -0,0 +1,67 @@ ++#!/usr/bin/python ++import os, sys, getopt, socket, random, fcntl ++import selinux ++ ++random.seed(None) ++ ++def mount(src, context): ++ destdir="/mnt/%s" % context ++ os.mkdir(destdir) ++ print 'mount -n -o "context=%s" %s %s' % (context, src, destdir) ++ os.chdir(destdir) ++ ++def umount(dest): ++ os.chdir("/") ++ destdir="/mnt/%s" % dest ++ print ('umount -n %s' % destdir) ++ os.rmdir(destdir) ++ ++ ++def reserve(mcs): ++ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) ++ sock.bind("\0%s" % mcs) ++ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC) ++ ++def gen_context(type): ++ while True: ++ i1 = random.randrange(0,1024) ++ i2 = random.randrange(0,1024) ++ if i1 == i2: ++ continue ++ if i1 > i2: ++ tmp = i1 ++ i1 = i2 ++ i2 = tmp ++ mcs = "s0:c%d,c%d" % (i1, i2) ++ reserve(mcs) ++ try: ++ reserve(mcs) ++ except: ++ continue ++ break ++ con = selinux.getcon()[1].split(":") ++ ++ execcon="%s:%s:%s:%s" % (con[0], con[1], type, mcs) ++ ++ filecon="%s:%s:%s:%s" % (con[0], "object_r", "%s_file_t" % type[:-2], mcs) ++ return execcon, filecon ++ ++ ++type = "sandbox_t" ++mount_src = None ++gopts, cmds = getopt.getopt(sys.argv[1:],"t:m:", ++ ["type", ++ "mount"]) ++for o, a in gopts: ++ if o == "-t" or o == "--type": ++ type = a ++ if o == "-m" or o == "--mount": ++ mount_src = a ++ ++execcon, filecon = gen_context(type) ++selinux.setexeccon(execcon) ++ ++if mount_src != None: ++ mount(mount_src, filecon) ++ umount(filecon) ++os.execvp(cmds[0], cmds) +diff --exclude-from=exclude 
--exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.63/semanage/semanage +--- nsapolicycoreutils/semanage/semanage 2009-05-18 13:53:14.000000000 -0400 ++++ policycoreutils-2.0.63/semanage/semanage 2009-05-22 13:40:04.000000000 -0400 @@ -44,16 +44,17 @@ text = _(""" semanage [ -S store ] -i [ input_file | - ] @@ -1405,22 +1701,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po elif object == "node": OBJECT.delete(target, mask, proto) -@@ -464,10 +505,10 @@ - else: - fd = open(input, 'r') - trans = seobject.semanageRecords(store) -- trans.begin() -+ trans.start() - for l in fd.readlines(): - process_args(mkargv(l)) -- trans.commit() -+ trans.finish() - else: - process_args(sys.argv[1:]) - -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.62/semanage/semanage.8 +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.63/semanage/semanage.8 --- nsapolicycoreutils/semanage/semanage.8 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.62/semanage/semanage.8 2009-05-04 13:40:26.000000000 -0400 ++++ policycoreutils-2.0.63/semanage/semanage.8 2009-05-22 13:40:04.000000000 -0400 @@ -21,6 +21,8 @@ .br .B semanage permissive \-{a|d} type 
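Review bot: In the new `scripts/sandbox` (and the duplicate in `scripts/sandbox.py`), `reserve()` never actually holds the MCS pair: the bound socket is a local that is closed when the function returns, so the abstract-namespace name is released immediately and two concurrent sandboxes can end up with the same categories; `gen_context()` also calls `reserve(mcs)` twice, the first call unguarded, so if the name were held the second call would always fail and the loop would never terminate. Return the socket from `reserve()`, keep a reference to it for the life of the sandbox, and make the loop a single `try`/`except socket.error` around one `reserve()` call, as sketched below. Separately, `mount()` and `umount()` build shell commands with `os.system` from `destdir`, which embeds the caller-supplied `-t` type; the argv form, `rc = subprocess.call(["/bin/mount", "-t", "tmpfs", "tmpfs", destdir])`, keeps that string away from a shell. `mount()` also labels and leaves the directory behind when the mount fails, and nothing unmounts if `error_exit()` or `os.spawnvp` bails out after `mount(filecon)`; a `try`/`finally` around the spawn would close that gap.
```python
def reserve(mcs):
    # The abstract-namespace name is released as soon as the socket is
    # closed, so the caller must keep the returned socket alive.
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind("\0%s" % mcs)
    fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
    return sock

mcs_reservation = None

def gen_context(setype):
    global mcs_reservation
    while True:
        i1 = random.randrange(0, 1024)
        i2 = random.randrange(0, 1024)
        if i1 == i2:
            continue
        if i1 > i2:
            i1, i2 = i2, i1
        mcs = "s0:c%d,c%d" % (i1, i2)
        try:
            mcs_reservation = reserve(mcs)
        except socket.error:
            continue
        break
    # … unchanged: build execcon and filecon from selinux.getcon() …
    return execcon, filecon
```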
@@ -1430,9 +1713,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po .B semanage translation \-{a|d|m} [\-T] level .P -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.62/semanage/seobject.py ---- nsapolicycoreutils/semanage/seobject.py 2008-11-14 17:10:15.000000000 -0500 -+++ policycoreutils-2.0.62/semanage/seobject.py 2009-05-05 16:49:09.000000000 -0400 +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/seobject.py policycoreutils-2.0.63/semanage/seobject.py +--- nsapolicycoreutils/semanage/seobject.py 2009-05-18 13:53:14.000000000 -0400 ++++ policycoreutils-2.0.63/semanage/seobject.py 2009-05-22 13:40:04.000000000 -0400 @@ -1,5 +1,5 @@ #! /usr/bin/python -E -# Copyright (C) 2005, 2006, 2007, 2008 Red Hat 
@@ -1535,40 +1818,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po os.rename(newfilename, self.filename) os.system("/sbin/service mcstrans reload > /dev/null") -@@ -281,15 +282,20 @@ - global handle - +@@ -283,7 +284,7 @@ if handle != None: -- self.transaction = True self.sh = handle else: - self.sh=get_handle(store) -- self.transaction = False + self.sh = get_handle(store) -+ self.transaction = False + self.transaction = False def deleteall(self): - raise ValueError(_("Not yet implemented")) +@@ -314,6 +315,49 @@ + self.transaction = False + self.commit() -+ def start(self): -+ if self.transaction: -+ raise ValueError(_("Semanage transaction already in progress")) -+ self.begin() -+ self.transaction = True -+ - def begin(self): - if self.transaction: - return -@@ -303,6 +309,55 @@ - if rc < 0: - raise ValueError(_("Could not commit semanage transaction")) - -+ def finish(self): -+ if not self.transaction: -+ raise ValueError(_("Semanage transaction not in progress")) -+ self.transaction = False -+ self.commit() -+ +class moduleRecords(semanageRecords): + def __init__(self, store): + semanageRecords.__init__(self, store) @@ -1615,7 +1877,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po class permissiveRecords(semanageRecords): def __init__(self, store): semanageRecords.__init__(self, store) -@@ -320,7 +375,7 @@ +@@ -331,7 +375,7 @@ l.append(name.split("permissive_")[1]) return l @@ -1624,15 +1886,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if heading: print "\n%-25s\n" % (_("Permissive Types")) for t in self.get_all(): -@@ -328,6 +383,7 @@ - - - def add(self, type): -+ import glob - name = "permissive_%s" % type - dirname = "/var/lib/selinux" - os.chdir(dirname) -@@ -341,7 +397,7 @@ +@@ -353,7 +397,7 @@ permissive %s; """ % (name, type, type) 
@@ -1641,32 +1895,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po fd.write(modtxt) fd.close() mc = module.ModuleCompiler() -@@ -351,16 +407,19 @@ - fd.close() - - rc = semanage_module_install(self.sh, data, len(data)); -- if rc < 0: -- raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name) -- -- self.commit() -+ if rc >= 0: -+ self.commit() +@@ -366,7 +410,7 @@ + if rc >= 0: + self.commit() - for root, dirs, files in os.walk("tmp", topdown=False): + for root, dirs, files in os.walk("tmp", topdown = False): for name in files: os.remove(os.path.join(root, name)) for name in dirs: - os.rmdir(os.path.join(root, name)) -+ os.removedirs("tmp") -+ for i in glob.glob("permissive_%s.*" % type): -+ os.remove(i) -+ if rc < 0: -+ raise ValueError(_("Could not set permissive domain %s (module installation failed)") % name) - - def delete(self, name): - for n in name.split(): -@@ -390,11 +449,11 @@ +@@ -405,11 +449,11 @@ if sename == "": sename = "user_u" @@ -1680,7 +1918,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if exists: -@@ -410,7 +469,7 @@ +@@ -425,7 +469,7 @@ except: raise ValueError(_("Linux User %s does not exist") % name) @@ -1689,7 +1927,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not create login mapping for %s") % name) -@@ -450,17 +509,17 @@ +@@ -465,17 +509,17 @@ if sename == "" and serange == "": raise ValueError(_("Requires seuser or serange")) @@ -1710,7 +1948,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not query seuser for %s") % name) -@@ -483,7 +542,7 @@ +@@ -498,7 +542,7 @@ semanage_seuser_key_free(k) semanage_seuser_free(u) 
@@ -1719,7 +1957,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po def modify(self, name, sename = "", serange = ""): try: -@@ -492,21 +551,21 @@ +@@ -507,21 +551,21 @@ self.commit() except ValueError, error: @@ -1745,7 +1983,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not check if login mapping for %s is defined") % name) if not exists: -@@ -525,10 +584,10 @@ +@@ -540,10 +584,10 @@ self.commit() except ValueError, error: @@ -1758,7 +1996,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po def get_all(self, locallist = 0): ddict = {} -@@ -578,17 +637,17 @@ +@@ -593,17 +637,17 @@ if len(roles) < 1: raise ValueError(_("You must add at least one role for %s") % name) @@ -1779,7 +2017,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not create SELinux user for %s") % name) -@@ -612,7 +671,7 @@ +@@ -627,7 +671,7 @@ rc = semanage_user_set_prefix(self.sh, u, prefix) if rc < 0: raise ValueError(_("Could not add prefix %s for %s") % (r, prefix)) @@ -1788,7 +2026,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not extract key for %s") % name) -@@ -645,17 +704,17 @@ +@@ -660,17 +704,17 @@ else: raise ValueError(_("Requires prefix or roles")) @@ -1809,7 +2047,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not query user for %s") % name) -@@ -703,17 +762,17 @@ +@@ -718,17 +762,17 @@ raise error def __delete(self, name): @@ -1830,7 +2068,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not check if SELinux user %s is defined") % name) if not exists: -@@ -795,7 +854,7 @@ +@@ -810,7 +854,7 @@ low = int(ports[0]) high = int(ports[1]) 
@@ -1839,7 +2077,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not create a key for %s/%s") % (proto, port)) return ( k, proto_d, low, high ) -@@ -812,13 +871,13 @@ +@@ -827,13 +871,13 @@ ( k, proto_d, low, high ) = self.__genkey(port, proto) @@ -1855,7 +2093,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not create port for %s/%s") % (proto, port)) -@@ -871,13 +930,13 @@ +@@ -886,13 +930,13 @@ ( k, proto_d, low, high ) = self.__genkey(port, proto) @@ -1871,7 +2109,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not query port %s/%s") % (proto, port)) -@@ -926,13 +985,13 @@ +@@ -941,13 +985,13 @@ def __delete(self, port, proto): ( k, proto_d, low, high ) = self.__genkey(port, proto) @@ -1887,7 +2125,16 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not check if port %s/%s is defined") % (proto, port)) if not exists: -@@ -1038,17 +1097,17 @@ +@@ -983,7 +1027,7 @@ + proto_str = semanage_port_get_proto_str(proto) + low = semanage_port_get_low(port) + high = semanage_port_get_high(port) +- ddict[(low, high)] = (ctype, proto_str, level) ++ ddict[(low, high, proto_str)] = (ctype, level) + return ddict + + def get_all_by_type(self, locallist = 0): +@@ -1053,17 +1097,17 @@ if ctype == "": raise ValueError(_("SELinux Type is required")) @@ -1908,7 +2155,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not create addr for %s") % addr) -@@ -1113,17 +1172,17 @@ +@@ -1128,17 +1172,17 @@ if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) 
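Review bot: The inner hunk `@@ -983,7 +1027,7 @@` changes the return shape of `portRecords.get_all()`: the key becomes `(low, high, proto_str)` and the value shrinks to `(ctype, level)`, so any caller that still reads the protocol out of the value tuple or unpacks keys as pairs will break. No consumer is updated in this hunk; the class's own `list()` and `get_all_by_type()` bodies and any gui code are outside the visible range and should be checked. A comment on the new line, `# key: (low, high, proto_str); value: (ctype, level)`, would make the new contract visible to those callers.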
@@ -1929,7 +2176,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not query addr %s") % addr) -@@ -1160,17 +1219,17 @@ +@@ -1175,17 +1219,17 @@ else: raise ValueError(_("Unknown or missing protocol")) @@ -1950,7 +2197,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not check if addr %s is defined") % addr) if not exists: -@@ -1240,17 +1299,17 @@ +@@ -1255,17 +1299,17 @@ if ctype == "": raise ValueError(_("SELinux Type is required")) @@ -1971,7 +2218,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not create interface for %s") % interface) -@@ -1301,17 +1360,17 @@ +@@ -1316,17 +1360,17 @@ if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) @@ -1992,7 +2239,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not query interface %s") % interface) -@@ -1335,17 +1394,17 @@ +@@ -1350,17 +1394,17 @@ self.commit() def __delete(self, interface): @@ -2013,7 +2260,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not check if interface %s is defined") % interface) if not exists: -@@ -1393,6 +1452,48 @@ +@@ -1408,6 +1452,48 @@ class fcontextRecords(semanageRecords): def __init__(self, store = ""): semanageRecords.__init__(self, store) @@ -2062,7 +2309,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po def createcon(self, target, seuser = "system_u"): (rc, con) = semanage_context_create(self.sh) -@@ -1429,23 +1530,23 @@ +@@ -1444,23 +1530,23 @@ if type == "": raise ValueError(_("SELinux Type is required")) 
@@ -2090,7 +2337,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not create file context for %s") % target) -@@ -1486,21 +1587,21 @@ +@@ -1501,21 +1587,21 @@ raise ValueError(_("Requires setype, serange or seuser")) self.validate(target) @@ -2117,7 +2364,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not query file context for %s") % target) -@@ -1550,7 +1651,7 @@ +@@ -1565,7 +1651,7 @@ target = semanage_fcontext_get_expr(fcontext) ftype = semanage_fcontext_get_type(fcontext) ftype_str = semanage_fcontext_get_type_str(ftype) @@ -2126,7 +2373,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not create a key for %s") % target) -@@ -1558,19 +1659,26 @@ +@@ -1573,19 +1659,26 @@ if rc < 0: raise ValueError(_("Could not delete the file context %s") % target) semanage_fcontext_key_free(k) @@ -2157,7 +2404,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not check if file context for %s is defined") % target) if exists: -@@ -1617,11 +1725,11 @@ +@@ -1632,11 +1725,11 @@ return ddict def list(self, heading = 1, locallist = 0 ): @@ -2171,7 +2418,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po for k in keys: if fcon_dict[k]: if is_mls_enabled: -@@ -1630,11 +1738,17 @@ +@@ -1645,11 +1738,17 @@ print "%-50s %-18s %s:%s:%s " % (k[0], k[1], fcon_dict[k][0], fcon_dict[k][1],fcon_dict[k][2]) else: print "%-50s %-18s <>" % (k[0], k[1]) @@ -2190,7 +2437,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po self.dict["TRUE"] = 1 self.dict["FALSE"] = 0 self.dict["ON"] = 1 -@@ -1643,16 +1757,16 @@ +@@ -1658,16 +1757,16 @@ self.dict["0"] = 0 def __mod(self, name, value): 
@@ -2210,7 +2457,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not query file context %s") % name) -@@ -1670,7 +1784,7 @@ +@@ -1685,7 +1784,7 @@ semanage_bool_key_free(k) semanage_bool_free(b) @@ -2219,7 +2466,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po self.begin() -@@ -1694,16 +1808,16 @@ +@@ -1709,16 +1808,16 @@ def __delete(self, name): @@ -2239,7 +2486,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if rc < 0: raise ValueError(_("Could not check if boolean %s is defined") % name) if not exists: -@@ -1762,7 +1876,7 @@ +@@ -1777,7 +1876,7 @@ return _("unknown") def list(self, heading = True, locallist = False, use_file = False): @@ -2248,9 +2495,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po if use_file: ddict = self.get_all(locallist) keys = ddict.keys() -diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.62/setfiles/setfiles.c +diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/setfiles/setfiles.c policycoreutils-2.0.63/setfiles/setfiles.c --- nsapolicycoreutils/setfiles/setfiles.c 2008-08-28 09:34:24.000000000 -0400 -+++ policycoreutils-2.0.62/setfiles/setfiles.c 2009-05-04 13:40:26.000000000 -0400 ++++ policycoreutils-2.0.63/setfiles/setfiles.c 2009-05-22 13:40:04.000000000 -0400 @@ -29,6 +29,8 @@ static int mass_relabel; static int mass_relabel_errs; diff --git a/policycoreutils.spec b/policycoreutils.spec index 32fac8f..fc4b68b 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec 
@@ -5,8 +5,8 @@
 %define sepolgenver 1.0.16
 Summary: SELinux policy core utilities
 Name: policycoreutils
-Version: 2.0.62
-Release: 14%{?dist}
+Version: 2.0.63
+Release: 1%{?dist}
 License: GPLv2+
 Group: System Environment/Base
 Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -113,6 +113,7 @@ The policycoreutils-python package contains the management tools use to manage a
 %{_bindir}/audit2allow
 %{_bindir}/audit2why
 %{_bindir}/chcat
+%{_bindir}/sandbox
 %{_bindir}/sepolgen-ifgen
 %{_libdir}/python?.?/site-packages/seobject.py*
 %{_libdir}/python?.?/site-packages/sepolgen/*
@@ -225,6 +226,13 @@ else
 fi
 %changelog
+* Wed May 20 2009 Dan Walsh 2.0.63-1
+- Update to upstream
+ * Fix transaction checking from Dan Walsh.
+ * Make fixfiles -R (for rpm) recursive.
+ * Make semanage permissive clean up after itself from Dan Walsh.
+ * add /root/.ssh/* to restorecond.conf
+
 * Wed Apr 22 2009 Dan Walsh 2.0.62-14
 - Fix audit2allow -a to retun /var/log/messages
diff --git a/sources
index 868ad5a..12df478 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-7163e6b815bb45eb4f6a620cd8240690 policycoreutils-2.0.62.tgz
 e1b5416c3e0d76e5d702b3f54f4def45 sepolgen-1.0.16.tgz
+6a45dc84a2291dc2722fc60f18fb8393 policycoreutils-2.0.63.tgz
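Review bot: The `%files` hunk `@@ -113,6 +113,7 @@` adds `%{_bindir}/sandbox` to the policycoreutils-python subpackage, but the 2.0.63-1 changelog entry added at `@@ -225,6 +226,13 @@` does not record that a new executable is now shipped, so a reader of the changelog does not learn that `sandbox` appeared in this release. Adding a line such as `- Ship sandbox in policycoreutils-python` to the new entry would make the change discoverable. If the upstream build also installs a manual page for it, that page needs its own `%{_mandir}` entry, which is not visible in this diff.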