sandbox init script should always return 0

sandbox command needs to check range of categories and report error if not big enough

policycoreutils-rhat.patch

@@ -111,10 +111,56 @@ index 1c458f1..96c6795 100644
  	install -m 4755 seunshare $(SBINDIR)/
  	-mkdir -p $(SHAREDIR)
 diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
-index 486cd4e..cdd4293 100644
+index 486cd4e..a21e508 100644
 --- a/policycoreutils/sandbox/sandbox
 +++ b/policycoreutils/sandbox/sandbox
-@@ -160,6 +160,17 @@ class Sandbox:
+@@ -118,10 +118,30 @@ def reserve(level):
+     sock.bind("\0%s" % level)
+     fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
+ 
++def get_range():
++       try:
++              level =selinux.getcon_raw()[1].split(":")[4]
++              lowc,highc = level.split(".")
++              low = int(lowc[1:])
++              high = int(highc[1:])+1
++              if high - low < 100:
++                     raise IndexError
++                     
++              return low,high
++       except IndexError:
++              raise ValueError(_("User account must be setup with an MCS Range with more then 100 categories"))
++
+ def gen_mcs():
+-       while True:
+-              i1 = random.randrange(0, 1024)
+-              i2 = random.randrange(0, 1024)
++       low, high = get_range()
++
++       level = None
++       ctr = 0
++       total = high-low 
++       total = (total * total)/2 - total
++       while ctr < total:
++              ctr += 1
++              i1 = random.randrange(low, high)
++              i2 = random.randrange(low, high)
+               if i1 == i2:
+                      continue
+               if i1 > i2:
+@@ -134,7 +154,10 @@ def gen_mcs():
+               except socket.error:
+                      continue
+               break
+-       return level
++       if level:
++              return level
++       raise ValueError(_("Failed to find any unused categories"))
++       
+ 
+ def fullpath(cmd):
+        for i in [ "/", "./", "../" ]:
+@@ -160,6 +183,17 @@ class Sandbox:
          self.__level = None
          self.__homedir = None
          self.__tmpdir = None
@@ -132,7 +178,7 @@ index 486cd4e..cdd4293 100644
  
      def __validate_mount(self):
             if self.__options.level:
-@@ -278,6 +289,9 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
+@@ -278,6 +312,9 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
                            action="callback", callback=self.__mount_callback, 
                            help=_("mount new home and/or tmp directory"))
  
@@ -142,7 +188,7 @@ index 486cd4e..cdd4293 100644
          parser.add_option("-S", "--session", action="store_true",  dest="session", 
                            default=False,  help=_("run complete desktop session within sandbox"))
  
-@@ -322,7 +336,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
+@@ -322,7 +359,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
  
          if self.__options.X_ind:
                 self.setype = DEFAULT_X_TYPE
@@ -151,7 +197,7 @@ index 486cd4e..cdd4293 100644
          if self.__options.setype:
                 self.setype = self.__options.setype
  
-@@ -408,7 +422,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
+@@ -408,7 +445,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
  
                                  self.__setup_sandboxrc(self.__options.wm)
  
@@ -281,7 +327,7 @@ index b3ee67d..0000000
 -This manual page was written by
 -.I Thomas Liu <tliu@fedoraproject.org>
 diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init
-index d1ccdc2..11c391c 100644
+index d1ccdc2..b3979bf 100644
 --- a/policycoreutils/sandbox/sandbox.init
 +++ b/policycoreutils/sandbox/sandbox.init
 @@ -19,6 +19,7 @@
@@ -292,6 +338,15 @@ index d1ccdc2..11c391c 100644
  
  LOCKFILE=/var/lock/subsys/sandbox
  
+@@ -27,7 +28,7 @@ base=${0##*/}
+ start() {
+ 	echo -n "Starting sandbox"
+ 
+-	[ -f "$LOCKFILE" ] && return 1
++	[ -f "$LOCKFILE" ] && return 0
+ 
+ 	touch $LOCKFILE
+ 	mount --make-rshared / || return $? 
 diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
 index ab696a7..58b19cd 100644
 --- a/policycoreutils/scripts/genhomedircon

policycoreutils.spec

@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.8
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -352,6 +352,10 @@ fi
 /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Fri Nov 11 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-4
+- sandbox init script should always return 0
+- sandbox command needs to check range of categories and report error if not big enough
+
 * Mon Nov 7 2011 Dan Walsh <dwalsh@redhat.com> - 2.1.8-3
 - Allow user to specify DPI when running sandbox