* Tue May 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-3
- Fix sandbox to be able to execute files in homedir
parent
e785375a96
commit
61c2d77e4e
@ -1272,8 +1272,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
|
|||||||
-mkdir -p $(MANDIR)/man8
|
-mkdir -p $(MANDIR)/man8
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.63/scripts/sandbox
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.63/scripts/sandbox
|
||||||
--- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500
|
--- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500
|
||||||
+++ policycoreutils-2.0.63/scripts/sandbox 2009-05-22 13:59:22.000000000 -0400
|
+++ policycoreutils-2.0.63/scripts/sandbox 2009-05-26 12:30:25.000000000 -0400
|
||||||
@@ -0,0 +1,149 @@
|
@@ -0,0 +1,138 @@
|
||||||
+#!/usr/bin/python -E
|
+#!/usr/bin/python -E
|
||||||
+import os, sys, getopt, socket, random, fcntl
|
+import os, sys, getopt, socket, random, fcntl
|
||||||
+import selinux
|
+import selinux
|
||||||
@ -1365,8 +1365,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
|
|||||||
+
|
+
|
||||||
+ setype = "sandbox_t"
|
+ setype = "sandbox_t"
|
||||||
+ mount_ind = False
|
+ mount_ind = False
|
||||||
+ gopts, cmds = getopt.getopt(sys.argv[1:], "t:m",
|
+ try:
|
||||||
+ ["type=",
|
+ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m",
|
||||||
|
+ ["help",
|
||||||
|
+ "type=",
|
||||||
+ "mount"])
|
+ "mount"])
|
||||||
+ for o, a in gopts:
|
+ for o, a in gopts:
|
||||||
+ if o == "-t" or o == "--type":
|
+ if o == "-t" or o == "--type":
|
||||||
@ -1374,15 +1376,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
|
|||||||
+
|
+
|
||||||
+ if o == "-m" or o == "--mount":
|
+ if o == "-m" or o == "--mount":
|
||||||
+ mount_ind = True
|
+ mount_ind = True
|
||||||
+
|
+ if o == "-h" or o == "--help":
|
||||||
|
+ usage(_("Usage"));
|
||||||
+
|
+
|
||||||
+ if len(cmds) == 0:
|
+ if len(cmds) == 0:
|
||||||
+ usage(_("Command required"))
|
+ usage(_("Command required"))
|
||||||
+
|
+
|
||||||
+ os.chdir("/")
|
|
||||||
+ execcon, filecon = gen_context(setype)
|
+ execcon, filecon = gen_context(setype)
|
||||||
+ rc = -1
|
+ rc = -1
|
||||||
+ try:
|
|
||||||
+ if mount_ind:
|
+ if mount_ind:
|
||||||
+ mount(filecon)
|
+ mount(filecon)
|
||||||
+
|
+
|
||||||
@ -1393,27 +1394,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
|
|||||||
+ cmds[0] = f
|
+ cmds[0] = f
|
||||||
+ break
|
+ break
|
||||||
+
|
+
|
||||||
+ setype = selinux.getfilecon(cmds[0])[1].split(":")[2]
|
|
||||||
+ if setype == "user_home_t" or setype == "user_tmp_t":
|
|
||||||
+ error_exit(_("""
|
|
||||||
+Sandboxed applications can not read/execute files labeled as user content; (%s)
|
|
||||||
+Temporarily label '%s" as bin_t, if you want it to run it under a sandbox.
|
|
||||||
+
|
|
||||||
+chcon -t bin_t %s
|
|
||||||
+
|
|
||||||
+restorecon %s
|
|
||||||
+
|
|
||||||
+Will set the executable back to the correct context.
|
|
||||||
+""") % (setype, cmds[0], cmds[0], cmds[0]) )
|
|
||||||
+
|
|
||||||
+ selinux.setexeccon(execcon)
|
+ selinux.setexeccon(execcon)
|
||||||
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
|
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
|
||||||
+ selinux.setexeccon(None)
|
+ selinux.setexeccon(None)
|
||||||
+
|
+
|
||||||
+ if mount_ind:
|
+ if mount_ind:
|
||||||
+ umount(filecon)
|
+ umount(filecon)
|
||||||
+
|
+ except getopt.GetoptError, error:
|
||||||
+ except getopt.error, error:
|
|
||||||
+ usage(_("Options Error %s ") % error.msg)
|
+ usage(_("Options Error %s ") % error.msg)
|
||||||
+ except ValueError, error:
|
+ except ValueError, error:
|
||||||
+ error_exit(error.args[0])
|
+ error_exit(error.args[0])
|
||||||
@ -1421,6 +1408,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
|
|||||||
+ error_exit(_("Invalid value %s") % error.args[0])
|
+ error_exit(_("Invalid value %s") % error.args[0])
|
||||||
+ except IOError, error:
|
+ except IOError, error:
|
||||||
+ error_exit(error.args[1])
|
+ error_exit(error.args[1])
|
||||||
|
+ except OSError, error:
|
||||||
|
+ error_exit(error.args[1])
|
||||||
+
|
+
|
||||||
+ sys.exit(rc)
|
+ sys.exit(rc)
|
||||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.63/scripts/sandbox.8
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.63/scripts/sandbox.8
|
||||||
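Review bot: In the sandbox script's main block, the `selinux.getfilecon(cmds[0])` pre-check that refused `user_home_t`/`user_tmp_t` targets and the `os.chdir("/")` before `gen_context(setype)` both appear only on the old side, so the new code seems to rely entirely on the `sandbox_t` policy to decide what the confined command may execute and which working directory it inherits. That may well be the intent of "execute files in homedir", but it deserves a comment at the spawn call, e.g. `# Label checks are left to policy; the child inherits the caller's cwd`. Also, `os.spawnvp(os.P_WAIT, cmds[0], cmds)` reports a failed exec in the child as exit status 127 rather than raising, so the added `except OSError` will not print anything when policy denies the exec; consider saying so in a comment on that handler or reporting `rc == 127` explicitly before `sys.exit(rc)`. The side of each line is inferred from the page layout, which has lost its `+`/`-` column, and the script's helpers (`usage`, `gen_context`, `mount`) lie outside the visible hunks.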
|
@ -6,7 +6,7 @@
|
|||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.0.63
|
Version: 2.0.63
|
||||||
Release: 2%{?dist}
|
Release: 3%{?dist}
|
||||||
License: GPLv2+
|
License: GPLv2+
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||||
@ -226,6 +226,9 @@ else
|
|||||||
fi
|
fi
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue May 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-3
|
||||||
|
- Fix sandbox to be able to execute files in homedir
|
||||||
|
|
||||||
* Fri May 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-2
|
* Fri May 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-2
|
||||||
- Change polgen.py to be able to generate policy
|
- Change polgen.py to be able to generate policy
|
||||||
|
|
||||||
|