* Tue May 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-3

- Fix sandbox to be able to execute files in homedir
Daniel J Walsh 2009-05-26 16:58:40 +00:00
parent e785375a96
commit 61c2d77e4e
2 changed files with 40 additions and 48 deletions


@ -1272,8 +1272,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
-mkdir -p $(MANDIR)/man8 -mkdir -p $(MANDIR)/man8
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.63/scripts/sandbox diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.63/scripts/sandbox
--- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500 --- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.63/scripts/sandbox 2009-05-22 13:59:22.000000000 -0400 +++ policycoreutils-2.0.63/scripts/sandbox 2009-05-26 12:30:25.000000000 -0400
@@ -0,0 +1,149 @@ @@ -0,0 +1,138 @@
+#!/usr/bin/python -E +#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl +import os, sys, getopt, socket, random, fcntl
+import selinux +import selinux
@ -1365,55 +1365,42 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
+ +
+ setype = "sandbox_t" + setype = "sandbox_t"
+ mount_ind = False + mount_ind = False
+ gopts, cmds = getopt.getopt(sys.argv[1:], "t:m",
+ ["type=",
+ "mount"])
+ for o, a in gopts:
+ if o == "-t" or o == "--type":
+ setype = a
+
+ if o == "-m" or o == "--mount":
+ mount_ind = True
+
+
+ if len(cmds) == 0:
+ usage(_("Command required"))
+
+ os.chdir("/")
+ execcon, filecon = gen_context(setype)
+ rc = -1
+ try: + try:
+ if mount_ind: + gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m",
+ mount(filecon) + ["help",
+ "type=",
+ "mount"])
+ for o, a in gopts:
+ if o == "-t" or o == "--type":
+ setype = a
+
+ if o == "-m" or o == "--mount":
+ mount_ind = True
+ if o == "-h" or o == "--help":
+ usage(_("Usage"));
+
+ if len(cmds) == 0:
+ usage(_("Command required"))
+ +
+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../": + execcon, filecon = gen_context(setype)
+ for i in os.environ["PATH"].split(':'): + rc = -1
+ f = "%s/%s" % (i, cmds[0]) + if mount_ind:
+ if os.access(f, os.X_OK): + mount(filecon)
+ cmds[0] = f
+ break
+ +
+ setype = selinux.getfilecon(cmds[0])[1].split(":")[2] + if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
+ if setype == "user_home_t" or setype == "user_tmp_t": + for i in os.environ["PATH"].split(':'):
+ error_exit(_(""" + f = "%s/%s" % (i, cmds[0])
+Sandboxed applications can not read/execute files labeled as user content; (%s) + if os.access(f, os.X_OK):
+Temporarily label '%s" as bin_t, if you want it to run it under a sandbox. + cmds[0] = f
+ break
+ +
+chcon -t bin_t %s + selinux.setexeccon(execcon)
+ + rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+restorecon %s + selinux.setexeccon(None)
+ +
+Will set the executable back to the correct context. + if mount_ind:
+""") % (setype, cmds[0], cmds[0], cmds[0]) ) + umount(filecon)
+ + except getopt.GetoptError, error:
+ selinux.setexeccon(execcon)
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(None)
+
+ if mount_ind:
+ umount(filecon)
+
+ except getopt.error, error:
+ usage(_("Options Error %s ") % error.msg) + usage(_("Options Error %s ") % error.msg)
+ except ValueError, error: + except ValueError, error:
+ error_exit(error.args[0]) + error_exit(error.args[0])
@ -1421,6 +1408,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
+ error_exit(_("Invalid value %s") % error.args[0]) + error_exit(_("Invalid value %s") % error.args[0])
+ except IOError, error: + except IOError, error:
+ error_exit(error.args[1]) + error_exit(error.args[1])
+ except OSError, error:
+ error_exit(error.args[1])
+ +
+ sys.exit(rc) + sys.exit(rc)
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.63/scripts/sandbox.8 diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.63/scripts/sandbox.8
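Review bot: On the new side of the second hunk, `selinux.setexeccon(None)` and `umount(filecon)` run only when `os.spawnvp` returns normally. Any exception raised after `mount(filecon)` goes straight to the handlers, including the newly added `except OSError`, which call `error_exit`, so the sandbox mount is presumably left in place and the exec context is never reset. Putting the run step in a try/finally nested inside the existing try keeps the teardown on every exit path. The enclosing block starts before the hunk, and `mount`, `umount` and `error_exit` are defined outside the visible lines, so their exact behaviour is assumed here.

```python
# … unchanged: option parsing, gen_context(setype), rc = -1 …
if mount_ind:
    mount(filecon)
try:
    # … unchanged: PATH lookup that resolves cmds[0] …
    selinux.setexeccon(execcon)
    rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
finally:
    # Teardown runs even when the lookup or spawn raises.
    selinux.setexeccon(None)
    if mount_ind:
        umount(filecon)
# … unchanged: except handlers and sys.exit(rc) …
```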


@ -6,7 +6,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.0.63 Version: 2.0.63
Release: 2%{?dist} Release: 3%{?dist}
License: GPLv2+ License: GPLv2+
Group: System Environment/Base Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -226,6 +226,9 @@ else
fi fi
%changelog %changelog
* Tue May 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-3
- Fix sandbox to be able to execute files in homedir
* Fri May 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-2 * Fri May 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.63-2
- Change polgen.py to be able to generate policy - Change polgen.py to be able to generate policy