diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index ead4dd0..e7b960d 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -1690,10 +1690,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.79/sandbox/Makefile --- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.79/sandbox/Makefile 2010-02-16 13:46:01.000000000 -0500 -@@ -0,0 +1,31 @@ ++++ policycoreutils-2.0.79/sandbox/Makefile 2010-02-17 14:53:37.000000000 -0500 +@@ -0,0 +1,38 @@ +# Installation directories. +PREFIX ?= ${DESTDIR}/usr ++INITDIR ?= ${DESTDIR}/etc/rc.d/init.d/ ++SYSCONFDIR ?= ${DESTDIR}/etc/sysconfig +BINDIR ?= $(PREFIX)/bin +SBINDIR ?= $(PREFIX)/sbin +MANDIR ?= $(PREFIX)/share/man @@ -1712,9 +1714,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po + install -m 755 sandbox $(BINDIR) + -mkdir -p $(MANDIR)/man8 + install -m 644 sandbox.8 $(MANDIR)/man8/ ++ -mkdir -p $(SBINDIR) + install -m 4755 seunshare $(SBINDIR)/ + -mkdir -p $(SHAREDIR) + install -m 755 sandboxX.sh $(SHAREDIR) ++ -mkdir -p $(INITDIR) ++ install -m 755 sandbox.init $(INITDIR)/sandbox ++ -mkdir -p $(SYSCONFDIR) ++ install -m 644 sandbox.config $(SYSCONFDIR)/sandbox + +clean: + -rm -f seunshare *.o *~ @@ -1725,8 +1732,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po +relabel: diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.79/sandbox/sandbox --- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.79/sandbox/sandbox 2010-02-16 13:46:01.000000000 -0500 -@@ -0,0 +1,360 @@ ++++ policycoreutils-2.0.79/sandbox/sandbox 2010-02-17 14:50:21.000000000 -0500 +@@ -0,0 +1,377 @@ +#! /usr/bin/python -E +# Authors: Dan Walsh +# Authors: Josh Cogliati @@ -1899,13 +1906,28 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po + fd.close() + os.chmod(execfile, 0700) + ++def validate_home(): ++ homedir=pwd.getpwuid(os.getuid()).pw_dir ++ fd = open("/proc/self/mountinfo", "r") ++ recs = fd.readlines() ++ fd.close() ++ for i in recs: ++ x = i.split() ++ if x[3] == x[4] and homedir.startswith(x[3]+"/"): ++ return ++ raise ValueError(_(""" ++'%s' is required to be a shared mount point for this tool to run. ++'%s' can be added to the HOMEDIR variable in /etc/sysconfig/sandbox ++ along with a reboot will fix the problem. ++""" % ((os.path.dirname(homedir)), os.path.dirname(homedir)))) ++ +if __name__ == '__main__': + setup_sighandlers() + if selinux.is_selinux_enabled() != 1: + error_exit("Requires an SELinux enabled system") -+ ++ + init_files = [] -+ ++ + def usage(message = ""): + text = _(""" +sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [[-i file ] ...] [ -t type ] command @@ -1996,6 +2018,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po + + try: + if home_and_temp: ++ validate_home() ++ + if not os.path.exists("/usr/sbin/seunshare"): + raise ValueError("""/usr/sbin/seunshare required for sandbox -M, to install you need to execute +#yum install /usr/sbin/seunshare""") @@ -2141,6 +2165,83 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po +.TP +runcon(1) +.PP +diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.config policycoreutils-2.0.79/sandbox/sandbox.config +--- nsapolicycoreutils/sandbox/sandbox.config 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.79/sandbox/sandbox.config 2010-02-17 13:29:45.000000000 -0500 +@@ -0,0 +1,2 @@ ++# Space separate list of homedirs ++HOMEDIRS="/home" +diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.init policycoreutils-2.0.79/sandbox/sandbox.init +--- nsapolicycoreutils/sandbox/sandbox.init 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.79/sandbox/sandbox.init 2010-02-17 13:29:54.000000000 -0500 +@@ -0,0 +1,67 @@ ++#!/bin/bash ++## BEGIN INIT INFO ++# Provides: sandbox ++# Default-Start: 3 4 5 ++# Default-Stop: 0 1 2 3 4 6 ++# Required-Start: ++# ++## END INIT INFO ++# sandbox: Set up / mountpoint to be shared, /var/tmp, /tmp, /home/sandbox unshared ++# ++# chkconfig: 345 1 99 ++# ++# Description: sandbox is using pam_namespace to share the /var/tmp, /tmp and ++# /home/sandbox accounts. This script will setup the / mount ++# point as shared and all of the subdirectories just these ++# directories as unshared. ++# ++ ++# Source function library. ++. /etc/init.d/functions ++ ++HOMEDIRS="/home" ++ ++. /etc/sysconfig/sandbox ++ ++LOCKFILE=/var/lock/subsys/sandbox ++ ++base=${0##*/} ++ ++case "$1" in ++ start) ++ [ -f "$LOCKFILE" ] && exit 0 ++ ++ touch $LOCKFILE ++ mount --make-rshared / ++ mount --bind /tmp /tmp ++ mount --bind /var/tmp /var/tmp ++ mount --make-private /tmp ++ mount --make-private /var/tmp ++ for h in $HOMEDIRS; do ++ mount --bind $h $h ++ mount --make-private $h ++ done ++ ++ RETVAL=$? ++ exit $RETVAL ++ ;; ++ ++ status) ++ if [ -f "$LOCKFILE" ]; then ++ echo "$base is running" ++ else ++ echo "$base is stopped" ++ fi ++ exit 0 ++ ;; ++ ++ stop) ++ rm -f $LOCKFILE ++ exit 0 ++ ;; ++ ++ *) ++ echo $"Usage: $0 {start|stop}" ++ exit 3 ++ ;; ++esac diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/.sandboxSKnKBc/.esd_auth policycoreutils-2.0.79/sandbox/.sandboxSKnKBc/.esd_auth --- nsapolicycoreutils/sandbox/.sandboxSKnKBc/.esd_auth 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.79/sandbox/.sandboxSKnKBc/.esd_auth 2010-02-16 13:46:01.000000000 -0500 diff --git a/policycoreutils.spec b/policycoreutils.spec index a722ede..8c0bd09 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.79 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -20,7 +20,6 @@ Source5: system-config-selinux.console Source6: selinux-polgengui.desktop Source7: selinux-polgengui.console Source8: policycoreutils_man_ru2.tar.bz2 -Source9: sandbox.init Patch: policycoreutils-rhat.patch Patch1: policycoreutils-po.patch Patch3: policycoreutils-gui.patch @@ -80,7 +79,6 @@ mkdir -p %{buildroot}%{_mandir}/man8 mkdir -p %{buildroot}%{_sysconfdir}/pam.d mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps %{__mkdir} -p %{buildroot}/%{_sysconfdir}/rc.d/init.d -install -m0755 %{SOURCE9} %{buildroot}/%{_sysconfdir}/rc.d/init.d/sandbox make LSPP_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install make -C sepolgen-%{sepolgenver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install @@ -129,9 +127,8 @@ The policycoreutils-python package contains the management tools use to manage a %{_bindir}/sepolgen-ifgen %{python_sitelib}/seobject.py* %{python_sitelib}/sepolgen -%{python_sitelib}/%{name} %{python_sitelib}/%{name}*.egg-info -%{pkgpythondir}/default_encoding_utf8.so +%{pkgpythondir} %dir /var/lib/sepolgen %dir /var/lib/selinux /var/lib/sepolgen/perm_map @@ -163,6 +160,8 @@ The policycoreutils-python package contains the scripts to create graphical sand %files sandbox %defattr(-,root,root,-) %{_sysconfdir}/rc.d/init.d/sandbox +%config(noreplace) %{_sysconfdir}/sysconfig/sandbox +%{_sysconfdir}/sysconfig/sandbox %{_sbindir}/seunshare %{_datadir}/sandbox/sandboxX.sh @@ -306,7 +305,11 @@ fi exit 0 %changelog -* Thu Feb 16 2010 Dan Walsh 2.0.79-1 +* Wed Feb 17 2010 Dan Walsh 2.0.79-2 +- Fix sandbox to complain if mount-shared has not been run +- Fix to use /etc/sysconfig/sandbox + +* Tue Feb 16 2010 Dan Walsh 2.0.79-1 - Update to upstream * Fix double-free in newrole - Fix python language handling diff --git a/sandbox.init b/sandbox.init deleted file mode 100755 index 28d5a20..0000000 --- a/sandbox.init +++ /dev/null @@ -1,60 +0,0 @@ -#!/bin/bash -## BEGIN INIT INFO -# Provides: sandbox -# Default-Start: 5 -# Default-Stop: 0 1 2 3 4 6 -# Required-Start: -# -## END INIT INFO -# sandbox: Set up / mountpoint to be shared, /var/tmp, /tmp, /home/sandbox unshared -# -# chkconfig: 5 1 99 -# -# Description: sandbox is using pam_namespace to share the /var/tmp, /tmp and -# /home/sandbox accounts. This script will setup the / mount -# point as shared and all of the subdirectories just these -# directories as unshared. -# - -# Source function library. -. /etc/init.d/functions - -LOCKFILE=/var/lock/subsys/sandbox - -base=${0##*/} - -case "$1" in - start) - [ -f "$LOCKFILE" ] && exit 0 - - touch $LOCKFILE - mount --make-rshared / - mount --bind /tmp /tmp - mount --bind /var/tmp /var/tmp - mount --bind /home /home - mount --make-private /home - mount --make-private /tmp - mount --make-private /var/tmp - RETVAL=$? - exit $RETVAL - ;; - - status) - if [ -f "$LOCKFILE" ]; then - echo "$base is running" - else - echo "$base is stopped" - fi - exit 0 - ;; - - stop) - rm -f $LOCKFILE - exit 0 - ;; - - *) - echo $"Usage: $0 {start|stop}" - exit 3 - ;; -esac