From ac48b0b34be4e1b42fbcc8f2604354bb1b210f85 Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Oct 06 2009 16:09:52 +0000 Subject: * Thu Oct 6 2009 Dan Walsh 2.0.74-8 - Add check to sandbox to verify save changes - Chris Pardy - Fix memory leak in restorecond - Steve Grubb --- diff --git a/policycoreutils-gui.patch b/policycoreutils-gui.patch index 9063b2e..d8dcbd0 100644 --- a/policycoreutils-gui.patch +++ b/policycoreutils-gui.patch @@ -12251,8 +12251,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.74/gui/templates/executable.py --- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/gui/templates/executable.py 2009-10-01 12:03:05.000000000 -0400 -@@ -0,0 +1,368 @@ ++++ policycoreutils-2.0.74/gui/templates/executable.py 2009-10-02 08:46:53.000000000 -0400 +@@ -0,0 +1,359 @@ +# Copyright (C) 2007-2009 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -12374,20 +12374,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable +""" + +te_userapp_rules=""" -+######################################## -+# -+# TEMPLATETYPE local policy -+# -+ -+## internal communication is often done using fifo and unix sockets. -+allow TEMPLATETYPE_t self:fifo_file rw_file_perms; ++allow TEMPLATETYPE_t self:fifo_file manage_file_file_perms; +allow TEMPLATETYPE_t self:unix_stream_socket create_stream_socket_perms; + +files_read_etc_files(TEMPLATETYPE_t) + -+libs_use_ld_so(TEMPLATETYPE_t) -+libs_use_shared_libs(TEMPLATETYPE_t) -+ +miscfiles_read_localization(TEMPLATETYPE_t) +""" + 
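Review bot: The new fifo_file rule in `te_userapp_rules` names the permission set `manage_file_file_perms`, which does not match the refpolicy set names I know of (`manage_file_perms`, `manage_fifo_file_perms`, `rw_fifo_file_perms`), so unless that macro is defined in the project's support files the generated .te for a user application will fail at policy build time — please verify the spelling. Separately from the name, moving self:fifo_file from `rw_file_perms` to a manage-class set grants create/unlink/rename on the domain's own fifos in every generated policy, which is broader than the pipe IPC the removed comment described; if the intent was only to use the fifo-specific set, `allow TEMPLATETYPE_t self:fifo_file rw_fifo_file_perms;` keeps the template at least privilege. The removed `# TEMPLATETYPE local policy` banner was the only comment explaining what these rules are for; keeping a one-line header of that form in the template costs nothing and keeps the generated .te readable.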
@@ -12515,9 +12506,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable + type TEMPLATETYPE_t; + ') + -+ role $2 types TEMPLATETYPE_t; ++ role $1 types TEMPLATETYPE_t; + -+ TEMPLATETYPE_domtrans($1) ++ TEMPLATETYPE_domtrans($2) + + ps_process_pattern($2, TEMPLATETYPE_t) + allow $2 TEMPLATETYPE_t:process signal; diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 8ebf39b..4089fe9 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -939,8 +939,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/watch.c policycoreutils-2.0.74/restorecond/watch.c --- nsapolicycoreutils/restorecond/watch.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/restorecond/watch.c 2009-09-20 21:26:36.000000000 -0400 -@@ -0,0 +1,254 @@ ++++ policycoreutils-2.0.74/restorecond/watch.c 2009-10-06 12:06:56.000000000 -0400 +@@ -0,0 +1,253 @@ +#define _GNU_SOURCE +#include +#include @@ -985,8 +985,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + struct watchList *prev = NULL; + glob_t globbuf; + char *x = strdup(path); -+ if (!x) -+ exitApp("Out of Memory"); ++ if (!x) exitApp("Out of Memory"); + char *file = basename(x); + char *dir = dirname(x); + ptr = firstDir; @@ -1017,12 +1016,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + } + ptr = calloc(1, sizeof(struct watchList)); + -+ if (!ptr) -+ exitApp("Out of Memory"); ++ if (!ptr) exitApp("Out of Memory"); + + ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO); + if (ptr->wd == -1) { + free(ptr); ++ free(x); + syslog(LOG_ERR, "Unable to watch (%s) %s\n", + path, strerror(errno)); + return; 
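Review bot: The added `free(x)` covers only the `inotify_add_watch` failure path; `x` is the `strdup(path)` buffer that `file` and `dir` point into (via `basename`/`dirname` in the earlier hunk), so any other early return between the strdup and the function's normal cleanup — the `ptr = firstDir` scan in particular, which lies outside this hunk — would still leak it, and the normal-path release should be confirmed as well. In the same failure block `free(ptr)` and `free(x)` run before `strerror(errno)` is evaluated, and `free()` can clobber errno on some libcs, so capturing `int err = errno;` immediately after the failed `inotify_add_watch` and logging `strerror(err)` keeps the syslog reason accurate. The one-line `if (!x) exitApp("Out of Memory");` form introduced in this and the previous hunk differs from the braced/newline style of the surrounding code, which is a minor consistency point. The function's start and end are outside this hunk.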
@@ -1195,6 +1194,323 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + exitApp("Error watching config file."); +} + +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/basicwrapper policycoreutils-2.0.74/sandbox/deliverables/basicwrapper +--- nsapolicycoreutils/sandbox/deliverables/basicwrapper 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.74/sandbox/deliverables/basicwrapper 2009-08-14 10:53:53.000000000 -0400 +@@ -0,0 +1,4 @@ ++import os, sys ++SANDBOX_ARGS = ['-f%s' % os.environ['_CONDOR_SCRATCH_DIR']] ++SANDBOX_ARGS.extend(sys.argv[1::]) ++os.execv('/usr/bin/sandbox',SANDBOX_ARGS) +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/README policycoreutils-2.0.74/sandbox/deliverables/README +--- nsapolicycoreutils/sandbox/deliverables/README 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.74/sandbox/deliverables/README 2009-08-14 10:56:22.000000000 -0400 +@@ -0,0 +1,32 @@ ++Files: ++run-in-sandbox.py: ++ adds the run in sandbox extension to nautilus ++ copy to .nautilus/python-extensions ++ yum install nautilus-python ++ ++sandbox: ++ adds support for file checking, This was working I don't know why it didn't at that presentation ++ adds support for file relabeling, This is/was also working. ++ ++basicwrapper: ++ This is pretty much the most basic condor wrapper you can create, it requires the -f option in sandbox. Also I can't make this work, maybe the grid team will have more luck. ++ ++Other: ++Xguest Live cd: ++ There's a tutorial on live cds here: http://www.ibm.com/developerworks/library/l-fedora-livecd/index.html?ca=dgr-lnxw16FedoraLiveCD ++ It looks like David Zeuthen is head guy in the live cd department, he might be worth talking to. 
++ ++System-config-selinux: ++ wiki: fedorahosted.org/system-config-selinux ++ realeases: fedorahosted.org/releases/s/y/system-config-selinux/ includes a spec,srpm, and tarball of current version ++ The project is technically owned by Roman Rakus (rrakus@redhat.com) I've sent him an email asking him to make you a git contributor. ++ I'll continue making updates to this and make sure it gets into the repos. ++ ++Assuming I don't get to keep my RedHat email you can contact me: ++email: chris.pardy@gmail.com ++phone: 1-207-838-7119 ++ ++I'll probably continue to be on the #fedora-selinux and #selinux irc channels ++ ++Thanks for a great summer. ++Chris Pardy +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py policycoreutils-2.0.74/sandbox/deliverables/run-in-sandbox.py +--- nsapolicycoreutils/sandbox/deliverables/run-in-sandbox.py 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.74/sandbox/deliverables/run-in-sandbox.py 2009-08-14 10:25:38.000000000 -0400 +@@ -0,0 +1,49 @@ ++import os ++import os.path ++import urllib ++ ++import nautilus ++import gtk ++import gconf ++ ++class RunInSandboxExtension(nautilus.MenuProvider): ++ def __init__(self): ++ self.client = gconf.client_get_default() ++ ++ def sandbox_init(self,file,path): ++ if os.path.basename(path).endswith('.desktop'): ++ import re ++ f = open(path,'r') ++ for i in f.readlines(): ++ m = re.match(r'Exec=(?P\S+)',i) ++ if m: ++ path = m.group('name') ++ f.close() ++ break ++ os.system('/usr/bin/sandbox -X %s &' % path) ++ ++ def get_file_items(self, window, files): ++ if len(files) != 1: ++ return ++ ++ file = files[0] ++ ++ if file.is_directory(): ++ return ++ ++ if file.get_uri_scheme() != 'file': ++ return ++ ++ path = file.get_uri().replace('file://','',1) ++ if not os.access(path,os.X_OK): ++ return ++ ++ path = os.path.realpath(path) ++ ++ item = 
nautilus.MenuItem('NautilusPython::openterminal_file_items','Run In Sandbox','Run %s in Sandbox' % file.get_name()) ++ item.connect('activate',self.sandbox_init,path) ++ return item, ++ ++ def get_background_items(self, window, file): ++ return ++ +diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/deliverables/sandbox policycoreutils-2.0.74/sandbox/deliverables/sandbox +--- nsapolicycoreutils/sandbox/deliverables/sandbox 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.74/sandbox/deliverables/sandbox 2009-08-14 10:22:47.000000000 -0400 +@@ -0,0 +1,216 @@ ++#!/usr/bin/python -E ++import os, sys, getopt, socket, random, fcntl, shutil ++import selinux ++ ++PROGNAME = "policycoreutils" ++ ++import gettext ++gettext.bindtextdomain(PROGNAME, "/usr/share/locale") ++gettext.textdomain(PROGNAME) ++ ++try: ++ gettext.install(PROGNAME, ++ localedir = "/usr/share/locale", ++ unicode=False, ++ codeset = 'utf-8') ++except IOError: ++ import __builtin__ ++ __builtin__.__dict__['_'] = unicode ++ ++ ++DEFAULT_TYPE = "sandbox_t" ++DEFAULT_X_TYPE = "sandbox_x_t" ++ ++X_FILES = {} ++OLD_FCONTEXTS = {} ++ ++random.seed(None) ++ ++def error_exit(msg): ++ sys.stderr.write("%s: " % sys.argv[0]) ++ sys.stderr.write("%s\n" % msg) ++ sys.stderr.flush() ++ sys.exit(1) ++ ++def reserve(mcs): ++ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) ++ sock.bind("\0%s" % mcs) ++ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC) ++ ++def gen_context(setype): ++ while True: ++ i1 = random.randrange(0, 1024) ++ i2 = random.randrange(0, 1024) ++ if i1 == i2: ++ continue ++ if i1 > i2: ++ tmp = i1 ++ i1 = i2 ++ i2 = tmp ++ mcs = "s0:c%d,c%d" % (i1, i2) ++ reserve(mcs) ++ try: ++ reserve(mcs) ++ except: ++ continue ++ break ++ con = selinux.getcon()[1].split(":") ++ ++ execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, mcs) ++ ++ filecon = "%s:%s:%s:%s" % (con[0], ++ "object_r", ++ "%s_file_t" % setype[:-2], ++ 
mcs) ++ return execcon, filecon ++ ++def copyfile(file, dir, dest): ++ import re ++ if file.startswith(dir): ++ dname = os.path.dirname(file) ++ bname = os.path.basename(file) ++ if dname == dir: ++ dest = dest + "/" + bname ++ else: ++ newdir = re.sub(dir, dest, dname) ++ os.makedirs(newdir) ++ dest = newdir + "/" + bname ++ ++ if os.path.isdir(file): ++ shutil.copytree(file, dest) ++ else: ++ shutil.copy2(file, dest) ++ X_FILES[dest] = os.path.getmtime(dest) ++ ++def copyfiles(newhomedir, newtmpdir, files): ++ import pwd ++ homedir=pwd.getpwuid(os.getuid()).pw_dir ++ ++ for f in files: ++ copyfile(f,homedir, newhomedir) ++ copyfile(f,"/tmp", newtmpdir) ++ ++def uncopyfile(newhomedir,file): ++ import pwd ++ homedir=pwd.getpwuid(os.getuid()).pw_dir ++ copyfile(file,newhomedir,homedir) ++ ++if __name__ == '__main__': ++ if selinux.is_selinux_enabled() != 1: ++ error_exit("Requires an SELinux enabled system") ++ ++ init_files = [] ++ ++ def usage(message = ""): ++ text = _(""" ++sandbox [-h] [-I includefile ] [[-i file ] ...] 
[[-f file] ...][ -t type ] command ++""") ++ error_exit("%s\n%s" % (message, text)) ++ ++ setype = DEFAULT_TYPE ++ X_ind = False ++ try: ++ gopts, cmds = getopt.getopt(sys.argv[1:], "i:ht:XI:f:", ++ ["help", ++ "include=", ++ "includefile=", ++ "type=" ++ "file=" ++ ]) ++ for o, a in gopts: ++ if o == "-t" or o == "--type": ++ setype = a ++ ++ if o == "-i" or o == "--include": ++ rp = os.path.realpath(a) ++ if rp not in init_files: ++ init_files.append(rp) ++ ++ if o == "-f" or o == "--file": ++ rp = os.path.realpath(a) ++ OLD_FCONTEXTS[a] = selinux.getfilecon(rp)[1] ++ ++ if o == "-I" or o == "--includefile": ++ fd = open(a, "r") ++ for i in fd.read().split("\n"): ++ if os.path.exists(i): ++ rp = os.path.realpath(i) ++ if rp not in init_files: ++ init_files.append(rp) ++ ++ fd.close ++ ++ if o == "-X": ++ if DEFAULT_TYPE == setype: ++ setype = DEFAULT_X_TYPE ++ X_ind = True ++ ++ if o == "-h" or o == "--help": ++ usage(_("Usage")); ++ ++ if len(cmds) == 0: ++ usage(_("Command required")) ++ ++ execcon, filecon = gen_context(setype) ++ rc = -1 ++ ++ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../": ++ for i in os.environ["PATH"].split(':'): ++ f = "%s/%s" % (i, cmds[0]) ++ if os.access(f, os.X_OK): ++ cmds[0] = f ++ break ++ ++ try: ++ if X_ind: ++ import warnings ++ warnings.simplefilter("ignore") ++ newhomedir = os.tempnam(".", ".sandbox%s") ++ os.mkdir(newhomedir) ++ selinux.setfilecon(newhomedir, filecon) ++ newtmpdir = os.tempnam("/tmp", ".sandbox") ++ os.mkdir(newtmpdir) ++ selinux.setfilecon(newtmpdir, filecon) ++ warnings.resetwarnings() ++ copyfiles(newhomedir, newtmpdir, init_files + cmds) ++ execfile = newhomedir + "/.sandboxrc" ++ fd = open(execfile, "w+") ++ fd.write("""#! 
/bin/sh ++%s ++""" % " ".join(cmds)) ++ fd.close() ++ os.chmod(execfile, 0700) ++ ++ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split() ++ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds) ++ for i in X_FILES.keys(): ++ if os.path.getmtime(i) > X_FILES[i]: ++ yn = raw_input("do you want to save your changes to the file %s (Y/N): " % os.path.basename(i)).lower() ++ if yn.startswith('y'): ++ uncopyfile(newhomedir,i) ++ else: ++ for i in OLD_FCONTEXTS.keys(): ++ selinux.setfilecon(i,filecon) ++ selinux.setexeccon(execcon) ++ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds) ++ selinux.setexeccon(None) ++ for i in OLD_FCONTEXTS.keys(): ++ selinux.setfilecon(i,OLD_FCONTEXTS[i]) ++ finally: ++ if X_ind: ++ shutil.rmtree(newhomedir) ++ shutil.rmtree(newtmpdir) ++ ++ except getopt.GetoptError, error: ++ usage(_("Options Error %s ") % error.msg) ++ except OSError, error: ++ error_exit(error.args[1]) ++ except ValueError, error: ++ error_exit(error.args[0]) ++ except KeyError, error: ++ error_exit(_("Invalid value %s") % error.args[0]) ++ except IOError, error: ++ error_exit(error.args[1]) ++ ++ sys.exit(rc) ++ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.74/sandbox/Makefile --- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.74/sandbox/Makefile 2009-09-20 21:26:36.000000000 -0400 
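Review bot: In the new `sandbox/deliverables/run-in-sandbox.py`, `sandbox_init` launches the target with `os.system('/usr/bin/sandbox -X %s &' % path)`, so a file name, or the `Exec=` value read from a user-supplied .desktop file, containing shell metacharacters is interpreted by `/bin/sh` outside the sandbox instead of being handed to it as an argument; `subprocess.Popen(['/usr/bin/sandbox', '-X', path])` passes it as a single argv element and still returns without waiting. The regex on the same path, `re.match(r'Exec=(?P\S+)',i)`, has lost the group name that `m.group('name')` expects — if the shipped file really reads this way it raises re.error, so confirm it is `(?P<name>\S+)` in the tree rather than an artefact of this rendering. The companion `deliverables/sandbox` creates its home and tmp directories with `os.tempnam`, which Python itself warns about (the surrounding `warnings.simplefilter("ignore")` only hides that warning); `tempfile.mkdtemp` yields a private directory without the race, and the `selinux.setfilecon` call can follow it unchanged. The new `deliverables/README` also carries a contributor's personal e-mail address and phone number into the package payload, which is probably not intended.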
@@ -1232,8 +1548,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po +relabel: diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.74/sandbox/sandbox --- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.74/sandbox/sandbox 2009-09-23 11:24:57.000000000 -0400 -@@ -0,0 +1,222 @@ ++++ policycoreutils-2.0.74/sandbox/sandbox 2009-10-06 11:48:36.000000000 -0400 +@@ -0,0 +1,242 @@ +#!/usr/bin/python -E +import os, sys, getopt, socket, random, fcntl, shutil +import selinux @@ -1257,11 +1573,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + +DEFAULT_TYPE = "sandbox_t" +DEFAULT_X_TYPE = "sandbox_x_t" ++X_FILES = {} + +random.seed(None) + +def sighandler(signum, frame): -+ print "exiting on signal %s" % signum + signal.signal(signum, signal.SIG_IGN) + os.kill(0, signum) + raise KeyboardInterrupt @@ -1325,6 +1641,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + shutil.copytree(file, dest) + else: + shutil.copy2(file, dest) ++ X_FILES[file] = (dest, os.path.getmtime(dest)) + +def copyfiles(newhomedir, newtmpdir, files): + import pwd @@ -1333,6 +1650,19 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + copyfile(f,homedir, newhomedir) + copyfile(f,"/tmp", newtmpdir) + ++def savefile(new, orig): ++ import gtk ++ dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO, ++ gtk.BUTTONS_YES_NO, ++ _("Do you want to save changes to '%s' (Y/N): ") % orig) ++ dlg.set_title(_("Sandbox Message")) ++ dlg.set_position(gtk.WIN_POS_MOUSE) ++ dlg.show_all() ++ rc = dlg.run() ++ dlg.destroy() ++ if rc == gtk.RESPONSE_YES: ++ shutil.copy2(new,orig) ++ +if __name__ == '__main__': + setup_sighandlers() + if selinux.is_selinux_enabled() != 1: 
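Review bot: `X_FILES[file] = (dest, os.path.getmtime(dest))` appears to be recorded after both branches of the copy, so directories handled by the `shutil.copytree` branch are tracked too; a directory's mtime changes only when entries are added or removed, so edits to files inside it go unnoticed, and when it does change the later `savefile(dest, i)` hands a directory to `shutil.copy2`, which fails. Either restrict the bookkeeping to the `shutil.copy2(file, dest)` branch or walk the copied tree and record each regular file individually. The enclosing `copyfile` function starts outside this hunk, so the exact indentation of the new line cannot be confirmed from here.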
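Review bot: `savefile` writes the sandbox copy back with `shutil.copy2(new, orig)`, which also applies `copystat` — the permission bits and timestamps of a copy the sandboxed process could modify are propagated onto the user's original file, whereas the prompt is about bringing back content; `shutil.copyfile(new, orig)` copies only the data and leaves the original's mode alone. The dialog text `_("Do you want to save changes to '%s' (Y/N): ")` keeps the `(Y/N): ` suffix of a console prompt, which is meaningless beside GTK Yes/No buttons and should be dropped from the message. `import gtk` inside the function means a headless or gtk-less run raises ImportError only at the moment changes are found, after the sandbox has exited; the main block's exception handlers lie outside this hunk, so either they need to cover ImportError or `savefile` needs a terminal fallback such as the `raw_input` prompt the `deliverables/sandbox` version uses.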
@@ -1430,6 +1760,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po + + cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split() + rc = os.spawnvp(os.P_WAIT, cmds[0], cmds) ++ for i in paths: ++ if i not in X_FILES: ++ continue ++ (dest, mtime) = X_FILES[i] ++ if os.path.getmtime(dest) > mtime: ++ savefile(dest, i) + else: + selinux.setexeccon(execcon) + rc = os.spawnvp(os.P_WAIT, cmds[0], cmds) diff --git a/policycoreutils.spec b/policycoreutils.spec index dd5431b..ead56cb 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -6,7 +6,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.74 -Release: 7%{?dist} +Release: 8%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -296,11 +296,16 @@ fi exit 0 %changelog +* Thu Oct 6 2009 Dan Walsh 2.0.74-8 +- Add check to sandbox to verify save changes - Chris Pardy +- Fix memory leak in restorecond - Steve Grubb + * Thu Oct 1 2009 Dan Walsh 2.0.74-7 - Fixes Templates * Thu Oct 1 2009 Dan Walsh 2.0.74-6 - Fixes for polgengui to handle tcp ports correctly +- Fix semanage node -a * Wed Sep 30 2009 Dan Walsh 2.0.74-5 - Fixes for semanage -equiv, readded modules, --enable, --disable
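Review bot: `os.path.getmtime(dest)` in the new save loop raises OSError if the sandboxed program deleted or renamed its copy, which aborts the loop and skips the prompt for every remaining file; guard it with `if os.path.exists(dest) and os.path.getmtime(dest) > mtime:` (or catch OSError per entry) so one missing copy does not lose the others. The `>` comparison on mtime also depends on the filesystem's timestamp resolution, so a write that lands in the same tick as the copy goes unnoticed; comparing size as well, or hashing the content before and after, is a more robust change detector. `paths` is iterated here but defined in no hunk of this commit, so it presumably comes from the surrounding main block outside this hunk — worth confirming it holds the same original paths used as `X_FILES` keys, since a mismatch makes the `if i not in X_FILES` test skip everything.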