Fix sandbox to always use sandbox_file_t, so generated policy will work.

- Update Translations
Dan Walsh 2013-05-21 10:24:55 -04:00
parent 72cc2c98e2
commit 55520d61bb
2 changed files with 298 additions and 15 deletions


@ -248304,7 +248304,7 @@ index d1b435c..1c323d2 100644
account include system-auth account include system-auth
password include system-auth password include system-auth
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index b629006..6631c2d 100644 index b629006..49f735a 100644
--- a/policycoreutils/sandbox/sandbox --- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox
@@ -243,7 +243,7 @@ class Sandbox: @@ -243,7 +243,7 @@ class Sandbox:
@ -248325,6 +248325,17 @@ index b629006..6631c2d 100644
help=_("alternate window manager")) help=_("alternate window manager"))
parser.add_option("-l", "--level", dest="level", parser.add_option("-l", "--level", dest="level",
@@ -403,9 +403,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
con = selinux.getcon()[1].split(":")
self.__execcon = "%s:%s:%s:%s" % (con[0], con[1], self.setype, level)
- self.__filecon = "%s:%s:%s:%s" % (con[0], "object_r",
- "%s_file_t" % self.setype[:-2],
- level)
+ self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level)
def __setup_dir(self):
if self.__options.level or self.__options.session:
return
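Review bot: the new `self.__filecon` assignment hard-codes `sandbox_file_t`, so the file label no longer follows `self.setype`, and nothing in the hunk records why. Anything the sandbox labels with `__filecon` now gets `sandbox_file_t` regardless of the type in `__execcon`, so every sandbox domain, including generated ones, must have rules for `sandbox_file_t`. Add a comment above the assignment stating that assumption and mention it in sandbox.8.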
diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8 diff --git a/policycoreutils/sandbox/sandbox.8 b/policycoreutils/sandbox/sandbox.8
index 521afcd..0c8cd1e 100644 index 521afcd..0c8cd1e 100644
--- a/policycoreutils/sandbox/sandbox.8 --- a/policycoreutils/sandbox/sandbox.8
@ -249866,18 +249877,70 @@ index 82fea52..6efd463 100644
fi fi
COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") ) COMPREPLY=( $(compgen -W '${OPTS[$verb]}' -- "$cur") )
diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8 diff --git a/policycoreutils/sepolicy/sepolicy-generate.8 b/policycoreutils/sepolicy/sepolicy-generate.8
index fb84af6..c2fa601 100644 index fb84af6..84a96f1 100644
--- a/policycoreutils/sepolicy/sepolicy-generate.8 --- a/policycoreutils/sepolicy/sepolicy-generate.8
+++ b/policycoreutils/sepolicy/sepolicy-generate.8 +++ b/policycoreutils/sepolicy/sepolicy-generate.8
@@ -8,12 +8,18 @@ sepolicy-generate \- Generate an initial SELinux policy module template. @@ -4,16 +4,69 @@ sepolicy-generate \- Generate an initial SELinux policy module template.
.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
.SH "SYNOPSIS"
+Common options
+
+.B sepolicy generate [\-h ] [\-p PATH]
+
+.br
+
+Confined Applications
+
+.br
+.B sepolicy generate \-\-application [\-n NAME] [\-w WRITE_PATH ] command
+.br
+.B sepolicy generate \-\-init [\-n NAME] [\-w WRITE_PATH ] command
+.br
+.B sepolicy generate \-\-cgi [\-n NAME] [\-w WRITE_PATH ] command
+.br
+.B sepolicy generate \-\-dbus [\-n NAME] [\-w WRITE_PATH ] command
+.br
+.B sepolicy generate \-\-inetd [\-n NAME] [\-w WRITE_PATH ] command
+.br
+.B sepolicy generate \-\-inetd [\-n NAME] [\-w WRITE_PATH ] command
+.br
+
+Confined Users
+
+.br
+.B sepolicy generate \-\-admin_user \-n NAME
+.br
+.B sepolicy generate \-\-confined_admin \-n NAME [\-a ADMIN_DOMAIN] [\-u USER] [\-n NAME] [\-p PATH]
+.br
+.B sepolicy generate \-\-desktop_user \-n NAME [\-p PATH]
+.br
+.B sepolicy generate \-\-term_user \-n NAME [\-p PATH]
+.br
+.B sepolicy generate \-\-x_user \-n NAME [\-p PATH]
.br
-.B sepolicy generate [\-h] [\-d DOMAIN] [\-u USER] [\-w WRITE_PATH ] [\-a ADMIN_DOMAIN] [\-n NAME] [\-p PATH] [\-\-admin_user | \-\-application | \-\-cgi | \-\-confined_admin | \-\-customize | \-\-dbus | \-\-desktop_user | \-\-inetd | \-\-newtype | \-\-init | \-\-sandbox | \-\-term_user | \-\-x_user]
+
+Miscellaneous Policy
+
+.br
+.B sepolicy generate \-\-customize \-d DOMAIN \-n NAME [\-a ADMIN_DOMAIN]
+.br
+.B sepolicy generate \-\-newtype \-t type \-n NAME
+.br
+.B sepolicy generate \-\-sandbox \-n NAME
.SH "DESCRIPTION" .SH "DESCRIPTION"
-Use sepolicy generate to generate an SELinux policy Module. sepolicy generate will generate 4 files. -Use sepolicy generate to generate an SELinux policy Module. sepolicy generate will generate 4 files.
+Use \fBsepolicy generate\fP to generate an SELinux policy Module. \fBsepolicy generate\fP will create 5 files. +Use \fBsepolicy generate\fP to generate an SELinux policy Module.
+ +
+If you specify a binary path, \fBsepolicy generate\fP will use the rpm payload of the binary along with \fBnm -D BINARY\fP to discover types and policy rules to generate these template files. +.br
+\fBsepolicy generate\fP will create 5 files.
+ +
+When specifying a \fBconfined application\fP you must specify a
+path. \fBsepolicy generate\fP will use the rpm payload of the
+application along with \fBnm -D APPLICATION\fP to help it generate
+types and policy rules for your policy files.
.B Type Enforcing File NAME.te .B Type Enforcing File NAME.te
.br .br
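Review bot: the `--inetd` synopsis line is added twice in the Confined Applications block, and the `--confined_admin` line lists `-n NAME` as mandatory and then `[-n NAME]` again as optional. Drop the duplicate `--inetd` line and the second `[-n NAME]`. The new description also says a path must be given for a confined application while the synopsis lines call that argument `command`; use one term in both places. `[-p PATH]` is shown under Common options yet repeated on only some of the per-type lines, so either repeat it everywhere or nowhere.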
@ -249889,7 +249952,7 @@ index fb84af6..c2fa601 100644
.B Interface File NAME.if .B Interface File NAME.if
.br .br
This file defines the interfaces for the types generated in the te file, which can be used by other policy domains. This file defines the interfaces for the types generated in the te file, which can be used by other policy domains.
@@ -25,7 +31,7 @@ file paths to the types. Tools like restorecon and RPM will use these paths to @@ -25,7 +78,7 @@ file paths to the types. Tools like restorecon and RPM will use these paths to
.B RPM Spec File NAME_selinux.spec .B RPM Spec File NAME_selinux.spec
.br .br
@ -249898,6 +249961,27 @@ index fb84af6..c2fa601 100644
.B Shell File NAME.sh .B Shell File NAME.sh
.br .br
@@ -39,13 +92,19 @@ If a generate is possible, this tool will print out all generate paths from the
.I \-h, \-\-help
Display help message
.TP
+.I \-d, \-\-domain
+Enter domain type(s) which you will be extending
+.TP
.I \-n, \-\-name
-Specify alternate name of policy. The policy will default to the executable or name specified.
+Specify alternate name of policy. The policy will default to the executable or name specified
.TP
.I \-p, \-\-path
Specify the directory to store the created policy files. (Default to current working directory )
optional arguments:
.TP
+.I \-t, \-\-type
+Enter type(s) for which you will generate new definition and rule(s)
+.TP
.I \-u, \-\-user
SELinux user(s) which will transition to this domain
.TP
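Review bot: the `-n, --name` change only removes the full stop from the second sentence, leaving "Specify alternate name of policy." terminated and the following sentence not; revert it or apply one style to the whole option list. The new `-d, --domain` and `-t, --type` entries should say which policy types they belong to, since the synopsis requires them for `--customize` and `--newtype` respectively.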
diff --git a/policycoreutils/sepolicy/sepolicy-interface.8 b/policycoreutils/sepolicy/sepolicy-interface.8 diff --git a/policycoreutils/sepolicy/sepolicy-interface.8 b/policycoreutils/sepolicy/sepolicy-interface.8
index 4fc9792..02c4c1a 100644 index 4fc9792..02c4c1a 100644
--- a/policycoreutils/sepolicy/sepolicy-interface.8 --- a/policycoreutils/sepolicy/sepolicy-interface.8
@ -250657,7 +250741,7 @@ index a179d95..9b9a09a 100755
tlist = [] tlist = []
for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)): for l in map(lambda y: y[sepolicy.TARGET], filter(lambda x: set(perm).issubset(x[sepolicy.PERMS]), allows)):
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
index 26f8390..4739025 100644 index 26f8390..837d3e3 100644
--- a/policycoreutils/sepolicy/sepolicy/generate.py --- a/policycoreutils/sepolicy/sepolicy/generate.py
+++ b/policycoreutils/sepolicy/sepolicy/generate.py +++ b/policycoreutils/sepolicy/sepolicy/generate.py
@@ -63,20 +63,6 @@ except IOError: @@ -63,20 +63,6 @@ except IOError:
@ -250811,6 +250895,38 @@ index 26f8390..4739025 100644
for u in self.transition_users: for u in self.transition_users:
tmp = re.sub("TEMPLATETYPE", self.name, script.admin_trans) tmp = re.sub("TEMPLATETYPE", self.name, script.admin_trans)
newsh += re.sub("USER", u, tmp) newsh += re.sub("USER", u, tmp)
@@ -1143,6 +1145,8 @@ allow %s_t %s_t:%s_socket name_%s;
newsh = re.sub("TEMPLATEFILE", "%s" % self.file_name, temp)
else:
newsh = re.sub("TEMPLATEFILE", self.file_name, temp)
+ newsh += re.sub("DOMAINTYPE", self.name, script.manpage)
+
if self.program:
newsh += re.sub("FILENAME", self.program, script.restorecon)
if self.initscript != "":
@@ -1165,6 +1169,7 @@ allow %s_t %s_t:%s_socket name_%s;
newsh += re.sub("TEMPLATETYPE", self.name, t1)
newsh += self.generate_user_sh()
+ newsh += re.sub("TEMPLATETYPE", self.name, script.rpm)
return newsh
@@ -1198,7 +1203,13 @@ allow %s_t %s_t:%s_socket name_%s;
if self.type not in APPLICATIONS:
newspec = re.sub("%relabel_files", "", newspec)
- return newspec
+ # Remove man pages from EUSER spec file
+ if self.type == EUSER:
+ newspec = re.sub(".*%s_selinux.8.*" % self.name,"", newspec)
+ # Remove user context file from non users spec file
+ if self.type not in ( TUSER, XUSER, AUSER, LUSER, RUSER):
+ newspec = re.sub(".*%s_u.*" % self.name,"", newspec)
+ return newspec
def write_spec(self, out_dir):
specfile = "%s/%s_selinux.spec" % (out_dir, self.file_name)
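Review bot: in the spec clean-up before `return newspec`, both patterns interpolate `self.name` into a regular expression unescaped and unanchored. `".*%s_u.*"` deletes every line containing `NAME_u`, which also matches longer identifiers that merely start with `NAME_u`, and the `.` in `_selinux.8` matches any character. Wrap the name in `re.escape()`, escape the literal dot, and match the full token. Replacing with an empty string also leaves blank lines behind, because the newline is not part of the match.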
diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
index 8b063ca..c7dac62 100644 index 8b063ca..c7dac62 100644
--- a/policycoreutils/sepolicy/sepolicy/interface.py --- a/policycoreutils/sepolicy/sepolicy/interface.py
@ -251345,6 +251461,111 @@ index 66efe26..a446d68 100755
d={} d={}
tlist = get_types(src, "%s_socket" % protocol, [perm]) tlist = get_types(src, "%s_socket" % protocol, [perm])
if len(tlist) > 0: if len(tlist) > 0:
diff --git a/policycoreutils/sepolicy/sepolicy/templates/script.py b/policycoreutils/sepolicy/sepolicy/templates/script.py
index c139070..54fd40a 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/script.py
+++ b/policycoreutils/sepolicy/sepolicy/templates/script.py
@@ -66,14 +66,17 @@ set -x
make -f /usr/share/selinux/devel/Makefile TEMPLATEFILE.pp || exit
/usr/sbin/semodule -i TEMPLATEFILE.pp
-# Generate a man page off the installed module
-sepolicy manpage -p . -d DOMAINTYPE_t
-
+"""
+rpm="""\
# Generate a rpm package for the newly generated policy
pwd=$(pwd)
rpmbuild --define "_sourcedir ${pwd}" --define "_specdir ${pwd}" --define "_builddir ${pwd}" --define "_srcrpmdir ${pwd}" --define "_rpmdir ${pwd}" --define "_buildrootdir ${pwd}/.build" -ba TEMPLATETYPE_selinux.spec
+"""
+manpage="""\
+# Generate a man page off the installed module
+sepolicy manpage -p . -d DOMAINTYPE_t
"""
restorecon="""\
@@ -107,8 +110,7 @@ admin_trans="""\
"""
min_login_user_default_context="""\
-if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then
-cat > /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u << _EOF
+cat > TEMPLATETYPE_u << _EOF
TEMPLATETYPE_r:TEMPLATETYPE_t:s0 TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:crond_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:initrc_su_t TEMPLATETYPE_r:TEMPLATETYPE_t
@@ -116,12 +118,13 @@ system_r:local_login_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:remote_login_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:sshd_t TEMPLATETYPE_r:TEMPLATETYPE_t
_EOF
+if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then
+ cp TEMPLATETYPE_u /etc/selinux/targeted/contexts/users/
fi
"""
x_login_user_default_context="""\
-if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then
-cat > /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u << _EOF
+cat > TEMPLATETYPE_u << _EOF
TEMPLATETYPE_r:TEMPLATETYPE_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:crond_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:initrc_su_t TEMPLATETYPE_r:TEMPLATETYPE_t
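Review bot: `cat > TEMPLATETYPE_u << _EOF` now runs unconditionally and overwrites any `TEMPLATETYPE_u` in the working directory, while the copy under `/etc/selinux/targeted/contexts/users/` is still written only when absent. After a regeneration the packaged file and the installed one can differ with no message; either report that the installed file was kept or compare the two before skipping. The mode of the file placed by `cp` depends on the caller's umask; `install -m 644`, as the spec template uses, would pin it. The same applies to `x_login_user_default_context`.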
@@ -130,5 +133,7 @@ system_r:remote_login_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:sshd_t TEMPLATETYPE_r:TEMPLATETYPE_t
system_r:xdm_t TEMPLATETYPE_r:TEMPLATETYPE_t
_EOF
+if [ ! -f /etc/selinux/targeted/contexts/users/TEMPLATETYPE_u ]; then
+ cp TEMPLATETYPE_u /etc/selinux/targeted/contexts/users/
fi
"""
diff --git a/policycoreutils/sepolicy/sepolicy/templates/spec.py b/policycoreutils/sepolicy/sepolicy/templates/spec.py
index dbddf39..d8ee42f 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/spec.py
+++ b/policycoreutils/sepolicy/sepolicy/templates/spec.py
@@ -18,6 +18,7 @@ URL: http://HOSTNAME
Source0: MODULENAME.pp
Source1: MODULENAME.if
Source2: DOMAINNAME_selinux.8
+Source3: DOMAINNAME_u
Requires: policycoreutils, libselinux-utils
Requires(post): selinux-policy-base >= %{selinux_policyver}, policycoreutils
@@ -36,13 +37,16 @@ install -m 644 %{SOURCE0} %{buildroot}%{_datadir}/selinux/packages
install -d %{buildroot}%{_datadir}/selinux/devel/include/contrib
install -m 644 %{SOURCE1} %{buildroot}%{_datadir}/selinux/devel/include/contrib/
install -d %{buildroot}%{_mandir}/man8/
-install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/
+install -m 644 %{SOURCE2} %{buildroot}%{_mandir}/man8/DOMAINNAME_selinux.8
+install -d %{buildroot}/etc/selinux/targeted/contexts/users/
+install -m 644 %{SOURCE3} %{buildroot}/etc/selinux/targeted/contexts/users/DOMAINNAME_u
%post
semodule -n -i %{_datadir}/selinux/packages/MODULENAME.pp
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%relabel_files
+ /usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u
fi;
exit 0
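Review bot: `/usr/sbin/semanage user -a -R DOMAINNAME_r DOMAINNAME_u` in `%post` runs on every transaction, including package upgrades, where the SELinux user already exists and `-a` fails. The scriptlet ends in `exit 0`, so the failure is silent. Guard it with `if [ $1 -eq 1 ]`, the way `%postun` checks `$1 -eq 0`, or fall back to `semanage user -m` when the user is already defined. Because the call sits inside the `selinuxenabled` branch, installing with SELinux disabled never creates the user; say so in a comment in the generated spec. The two new `install` lines also hard-code the `targeted` policy directory.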
@@ -52,6 +56,7 @@ if [ $1 -eq 0 ]; then
if /usr/sbin/selinuxenabled ; then
/usr/sbin/load_policy
%relabel_files
+ /usr/sbin/semanage user -d DOMAINNAME_u
fi;
fi;
exit 0
@@ -60,6 +65,7 @@ exit 0
%attr(0600,root,root) %{_datadir}/selinux/packages/MODULENAME.pp
%{_datadir}/selinux/devel/include/contrib/MODULENAME.if
%{_mandir}/man8/DOMAINNAME_selinux.8.*
+/etc/selinux/targeted/contexts/users/DOMAINNAME_u
%changelog
* TODAYSDATE YOUR NAME <YOUR@EMAILADDRESS> 1.0-1
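Review bot: `/etc/selinux/targeted/contexts/users/DOMAINNAME_u` is listed in `%files` as a plain file, so a package upgrade replaces local edits to the default-context file. Mark it `%config(noreplace)`, and give it an explicit `%attr` as the `.pp` entry above has.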
diff --git a/policycoreutils/sepolicy/sepolicy/templates/test_module.py b/policycoreutils/sepolicy/sepolicy/templates/test_module.py diff --git a/policycoreutils/sepolicy/sepolicy/templates/test_module.py b/policycoreutils/sepolicy/sepolicy/templates/test_module.py
new file mode 100644 new file mode 100644
index 0000000..3a3faa6 index 0000000..3a3faa6
@ -251470,6 +251691,63 @@ index 0000000..3a3faa6
+# +#
+ +
+""" +"""
diff --git a/policycoreutils/sepolicy/sepolicy/templates/user.py b/policycoreutils/sepolicy/sepolicy/templates/user.py
index 79f3997..9c9439c 100644
--- a/policycoreutils/sepolicy/sepolicy/templates/user.py
+++ b/policycoreutils/sepolicy/sepolicy/templates/user.py
@@ -34,6 +34,20 @@ userdom_unpriv_user_template(TEMPLATETYPE)
te_admin_user_types="""\
policy_module(TEMPLATETYPE, 1.0.0)
+## <desc>
+## <p>
+## Allow TEMPLATETYPE to read files in the user home directory
+## </p>
+## </desc>
+gen_tunable(TEMPLATETYPE_read_user_files, false)
+
+## <desc>
+## <p>
+## Allow TEMPLATETYPE to manage files in the user home directory
+## </p>
+## </desc>
+gen_tunable(TEMPLATETYPE_manage_user_files, false)
+
########################################
#
# Declarations
@@ -76,20 +90,6 @@ policy_module(TEMPLATETYPE, 1.0.0)
# Declarations
#
-## <desc>
-## <p>
-## Allow TEMPLATETYPE to read files in the user home directory
-## </p>
-## </desc>
-gen_tunable(TEMPLATETYPE_read_user_files, false)
-
-## <desc>
-## <p>
-## Allow TEMPLATETYPE to manage files in the user home directory
-## </p>
-## </desc>
-gen_tunable(TEMPLATETYPE_manage_user_files, false)
-
userdom_base_user_template(TEMPLATETYPE)
"""
@@ -151,7 +151,9 @@ tunable_policy(`TEMPLATETYPE_read_user_files',`
')
tunable_policy(`TEMPLATETYPE_manage_user_files',`
- userdom_manage_user_home_content(TEMPLATETYPE_t)
+ userdom_manage_user_home_content_dirs(TEMPLATETYPE_t)
+ userdom_manage_user_home_content_files(TEMPLATETYPE_t)
+ userdom_manage_user_home_content_symlinks(TEMPLATETYPE_t)
userdom_manage_user_tmp_files(TEMPLATETYPE_t)
')
"""
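Review bot: in the TEMPLATETYPE_manage_user_files tunable block, the single `userdom_manage_user_home_content(TEMPLATETYPE_t)` call is replaced by the `_dirs`, `_files` and `_symlinks` variants with no comment on what the change is meant to alter. State in the changelog or in a template comment whether any object class covered by the old call is being dropped on purpose, since the tunable description still reads "manage files in the user home directory".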
diff --git a/policycoreutils/sepolicy/sepolicy/transition.py b/policycoreutils/sepolicy/sepolicy/transition.py diff --git a/policycoreutils/sepolicy/sepolicy/transition.py b/policycoreutils/sepolicy/sepolicy/transition.py
index 5850622..5e308e3 100755 index 5850622..5e308e3 100755
--- a/policycoreutils/sepolicy/sepolicy/transition.py --- a/policycoreutils/sepolicy/sepolicy/transition.py


@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.1.14 Version: 2.1.14
Release: 43%{?dist} Release: 45%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -308,13 +308,18 @@ The policycoreutils-restorecond package contains the restorecond service.
%postun restorecond %postun restorecond
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%triggerun -- restorecond < 2.0.86-13
%{_bindir}/systemd-sysv-convert --save restorecond >/dev/null 2>&1 ||:
%{_bindir}/systemctl enable restorecond.service >/dev/null 2>&1
%{_sbindir}/chkconfig --del restorecond >/dev/null 2>&1 || :
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog %changelog
* Tue May 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-45
- Fix sandbox to always use sandbox_file_t, so generated policy will work.
- Update Translations
* Thu May 16 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-44
- Fix sepolicy-generate man page to clear up options/policy type
- Add Miroslav Grepl to not generate man page when doing
sepolicy generate --customize
- Add support for executing semanage user within spec file
- Fix generation of confined admin domains, to handle booleans properly.
* Tue May 14 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-43 * Tue May 14 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-43
- Need to handle gziped policy.xml as well as not compressed. - Need to handle gziped policy.xml as well as not compressed.
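Review bot: the commit message covers only the sandbox_file_t fix and translations, but Release jumps from 43 to 45 and the changelog gains a 2.1.14-44 entry (sepolicy-generate man page, semanage user in the spec file, confined admin booleans) whose changes are carried in this same diff. Split the -44 work into its own commit or extend the message to list it. The -44 line "Add Miroslav Grepl to not generate man page" is missing a word such as "patch", and the `%triggerun -- restorecond < 2.0.86-13` block appears on one side of this hunk only, without a changelog line explaining it.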