rsynccmd should run outside of execcon

2011-03-29 14:28:26 -04:00 · 2011-03-29 14:28:26 -04:00 · 299b50a55d
commit 299b50a55d
parent d04e8562ad
2 changed files with 20 additions and 12 deletions
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@ -2237,7 +2237,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +.I Thomas Liu <tliu@fedoraproject.org>
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.83/sandbox/seunshare.c
 --- nsapolicycoreutils/sandbox/seunshare.c	2010-06-16 08:04:12.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/seunshare.c	2011-03-24 17:53:45.207410252 -0400
+++ policycoreutils-2.0.83/sandbox/seunshare.c	2011-03-29 14:27:05.755938173 -0400
@@ -1,28 +1,35 @@
 +/*
 + * Authors: Dan Walsh <dwalsh@redhat.com>
@ -2474,7 +2474,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 			break;
 		}
 	}
-@@ -131,45 +236,520 @@
+@@ -131,45 +236,525 @@
 	return rc;
 }
 
@ -2907,10 +2907,6 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +			goto err;
 +		}
 +
-+		if (rsynccmd(src, tmpdir, &cmdbuf) < 0) {
-+			goto err;
-+		}
-+
 +		/* ok to not reach this if there is an error */
 +		setfsuid(0);
 +	}
@ -2963,6 +2959,15 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +		}
 +	}
 +
+	setfsuid(pwd->pw_uid);
+
+	if (rsynccmd(src, tmpdir, &cmdbuf) < 0) {
+		goto err;
+	}
+
+	/* ok to not reach this if there is an error */
+	setfsuid(0);
+
 +	if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) {
 +		fprintf(stderr, _("Failed to populate runtime temporary directory\n"));
 +		cleanup_tmpdir(tmpdir, src, pwd, 0);
@ -3009,7 +3014,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 		{NULL, 0, 0, 0}
 	};
 
-@@ -180,6 +760,12 @@
+@@ -180,6 +765,12 @@
 		return -1;
 	}
 
@ -3022,7 +3027,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 	struct passwd *pwd=getpwuid(uid);
 	if (!pwd) {
 		perror(_("getpwduid failed"));
-@@ -187,34 +773,30 @@
+@@ -187,34 +778,30 @@
 	}
 
 	if (verify_shell(pwd->pw_shell) < 0) {
@ -3068,7 +3073,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 			break;
 		default:
 			fprintf(stderr, "%s\n", USAGE_STRING);
-@@ -223,76 +805,84 @@
+@@ -223,76 +810,84 @@
 	}
 
 	if (! homedir_s && ! tmpdir_s) {
@ -3201,7 +3206,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 		if (display) 
 			rc |= setenv("DISPLAY", display, 1);
 		rc |= setenv("HOME", pwd->pw_dir, 1);
-@@ -300,22 +890,41 @@
+@@ -300,22 +895,41 @@
 		rc |= setenv("USER", pwd->pw_name, 1);
 		rc |= setenv("LOGNAME", pwd->pw_name, 1);
 		rc |= setenv("PATH", DEFAULT_PATH, 1);
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.83
-Release: 33.7%{?dist}
+Release: 33.8%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 Source:  http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -316,7 +316,10 @@ fi
 exit 0

 %changelog
-* Thu Mar 24 2011 Dan Walsh <dwalsh@redhat.com> 2.0.83-33.5
+* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.83-33.8
+- rsynccmd should run outside of execcon
+
+* Thu Mar 24 2011 Dan Walsh <dwalsh@redhat.com> 2.0.83-33.7
 - More fixes for seunshare

 * Fri Mar 18 2011 Dan Walsh <dwalsh@redhat.com> 2.0.83-33.5