From 83ba7e08a038461bd296de238c71539c58621c0b Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Tue, 15 Jun 2010 17:16:36 +0000 Subject: [PATCH] * Tue Jun 15 2010 Dan Walsh 2.0.82-31 - Fix sepolgen code generation Resolve: #603001 --- policycoreutils-gui.patch | 208 +++++++++++++-------- policycoreutils-rhat.patch | 361 ++++++++++++++++++++++++++++++++----- policycoreutils.spec | 14 +- 3 files changed, 459 insertions(+), 124 deletions(-) diff --git a/policycoreutils-gui.patch b/policycoreutils-gui.patch index 28b1689..476bf9c 100644 --- a/policycoreutils-gui.patch +++ b/policycoreutils-gui.patch @@ -6414,8 +6414,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc + app.stand_alone() diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.82/gui/polgen.py --- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/polgen.py 2010-06-07 16:38:00.000000000 -0400 -@@ -0,0 +1,1273 @@ ++++ policycoreutils-2.0.82/gui/polgen.py 2010-06-15 12:01:00.000000000 -0400 +@@ -0,0 +1,1286 @@ +#!/usr/bin/python +# +# Copyright (C) 2007-2010 Red Hat @@ -7115,7 +7115,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + + if self.type == USER: + for u in self.transition_users: -+ temp = re.sub("TEMPLATETYPE", self.name, executable.te_userapp_trans_rules) ++ temp = re.sub("TEMPLATETYPE", self.name, user.te_user_trans_rules) + newte += re.sub("USER", u.split("_u")[0], temp) + + return newte @@ -7131,6 +7131,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + + for u in self.transition_users: + role = u.split("_u")[0] ++ + if (role + "_r") in self.all_roles: + tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_trans_rules) + newte += re.sub("USER", role, tmp) 
@@ -7265,11 +7266,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + newif ="" + if self.use_terminal or self.type == USER: + newif = re.sub("TEMPLATETYPE", self.name, executable.if_user_program_rules) ++ newif = re.sub("TEMPLATETYPE", self.name, executable.if_role_change_rules) + return newif + + + def generate_if(self): + newif = "" ++ newif += re.sub("TEMPLATETYPE", self.name, executable.if_heading_rules) + if self.program != "": + newif += re.sub("TEMPLATETYPE", self.name, executable.if_program_rules) + if self.initscript != "": @@ -7299,6 +7302,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + if self.type in ( TUSER, XUSER, AUSER, LUSER, EUSER): + roles = "" + if len(self.roles) > 0: ++ newte += re.sub("TEMPLATETYPE", self.name, user.te_sudo_rules) + newte += re.sub("TEMPLATETYPE", self.name, user.te_newrole_rules) + for role in self.roles: + tmp = re.sub("TEMPLATETYPE", self.name, user.te_roles_rules) @@ -7317,7 +7321,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore +######################################## +# +# %s local policy -+#""" % self.name ++# ++""" % self.name + newte += self.generate_capabilities() + newte += self.generate_process() + newte += self.generate_network_types() @@ -7357,6 +7362,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + def generate_fc(self): + newfc = "" + fclist = [] ++ if self.type in USERS: ++ return re.sub("EXECUTABLE", self.program, executable.fc_user) + if self.program == "": + raise ValueError(_("You must enter the executable path for your confined process")) + 
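Review bot: In the first hunk on this line the added assignment overwrites the one just above it, so the text built from `executable.if_user_program_rules` never reaches the generated interface file. If both templates are meant to be emitted, the new line should append: `newif += re.sub("TEMPLATETYPE", self.name, executable.if_role_change_rules)`. The function starts outside the hunk, so whether user types still need the program rules should be confirmed against its callers.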
@@ -7480,10 +7487,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + fcfile = "%s/my%s.fc" % (out_dir, self.file_name) + else: + fcfile = "%s/%s.fc" % (out_dir, self.file_name) -+ if self.type in APPLICATIONS: -+ fd = open(fcfile, "w") -+ fd.write(self.generate_fc()) -+ fd.close() ++ fd = open(fcfile, "w") ++ fd.write(self.generate_fc()) ++ fd.close() + return fcfile + + def generate(self, out_dir = "."): @@ -7501,6 +7507,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + sys.exit(1) + +def test(): ++ import tempfile ++ ++ tmpdir = tempfile.mkdtemp() + mypolicy = policy("mycgi", CGI) + mypolicy.set_program("/var/www/cgi-bin/cgi") + mypolicy.set_in_tcp(1, 0, 0, "512, 55000-55000") @@ -7510,7 +7519,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + mypolicy.set_use_syslog(True) + mypolicy.set_use_pam(True) + mypolicy.set_out_tcp(0,"8000") -+ print mypolicy.generate("/var/tmp") ++ print mypolicy.generate(tmpdir) + + mypolicy = policy("myuser", USER) + mypolicy.set_program("/usr/bin/myuser") @@ -7523,7 +7532,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + mypolicy.add_file("/var/lib/myuser/myuser.sock") + mypolicy.set_out_tcp(0,"8000") + mypolicy.set_transition_users(["unconfined_u", "staff_u"]) -+ print mypolicy.generate("/var/tmp") ++ print mypolicy.generate(tmpdir) + + + mypolicy = policy("myrwho", DAEMON) @@ -7537,7 +7546,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + mypolicy.set_use_pam(True) + mypolicy.add_dir("/var/run/myrwho") + mypolicy.add_dir("/var/lib/myrwho") -+ print mypolicy.generate("/var/tmp") ++ print mypolicy.generate(tmpdir) + + mypolicy = policy("myinetd", INETD) + mypolicy.set_program("/usr/bin/mytest") 
@@ -7562,7 +7571,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + mypolicy.set_use_terminal(True) + mypolicy.set_use_mail(True) + mypolicy.set_out_tcp(0,"8000") -+ print mypolicy.generate("/var/tmp") ++ print mypolicy.generate(tmpdir) + + + mypolicy = policy("mydbus", DBUS) @@ -7573,24 +7582,27 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + mypolicy.set_use_tmp(True) + mypolicy.set_use_syslog(True) + mypolicy.set_use_pam(True) -+ print mypolicy.generate("/var/tmp") ++ print mypolicy.generate(tmpdir) + + mypolicy = policy("mytuser", TUSER) -+ mypolicy.set_transition_domains(["sudo"]) + mypolicy.set_admin_roles(["mydbadm"]) + mypolicy.add_boolean("allow_mytuser_setuid", "Allow mytuser users to run setuid applications") -+ print mypolicy.generate("/var/tmp") ++ print mypolicy.generate(tmpdir) + + mypolicy = policy("myxuser", XUSER) + mypolicy.set_in_tcp(1, 1, 1, "28920") + mypolicy.set_in_udp(0, 0, 1, "1513") + mypolicy.set_transition_domains(["mozilla"]) -+ print mypolicy.generate("/var/tmp") ++ print mypolicy.generate(tmpdir) + + mypolicy = policy("mydbadm", RUSER) + mypolicy.set_admin_domains(["postgresql", "mysql"]) -+ print mypolicy.generate("/var/tmp") -+ ++ print mypolicy.generate(tmpdir) ++ os.chdir(tmpdir) ++ rc, output=commands.getstatusoutput("make -f /usr/share/selinux/devel/Makefile1") ++ print output ++ print type(rc), os.WEXITSTATUS(rc) ++ sys.exit(os.WEXITSTATUS(rc)) + +import os, sys, getopt, socket, random, fcntl + @@ -7610,7 +7622,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + print _(""" +%s + -+polgen [ -m ] [ -t type ] executable ++polgen [ -m ] [ -t type ] [ executable | Name ] +valid Types: +""") % msg + keys=poltype.keys() 
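Review bot: In the hunk at -7573 the new build step runs `make -f /usr/share/selinux/devel/Makefile1`, and the trailing `1` looks like a leftover. If that file does not exist, test() exits non-zero for a reason unrelated to the generated policy, so confirm the path (presumably `/usr/share/selinux/devel/Makefile`). The directory returned by `tempfile.mkdtemp()`, added in an earlier hunk of test(), is never removed; a `shutil.rmtree(tmpdir)` after the build would clean it up. `print type(rc), os.WEXITSTATUS(rc)` reads as debugging output. No import of `commands` is visible in these hunks, and `os`/`sys` are imported only after test() in the file, so the imports this function relies on should be checked.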
@@ -7655,35 +7667,36 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore + usage(_("Options Error %s ") % error.msg) + + if len(cmds) == 0: -+ usage(_("Executable required")) ++ usage(_("Executable or Name required")) + + try: + if not name: + name = os.path.basename(cmds[0]).replace("-","_") + cmd = cmds[0] + mypolicy = policy(name, setype) -+ mypolicy.set_program(cmd) -+ for f in gen_writeable(cmd): -+ for b in mypolicy.DEFAULT_DIRS: -+ if b == "/etc": -+ continue -+ if f.startswith(b): -+ if os.path.isfile(f): -+ mypolicy.add_file(f) -+ else: -+ mypolicy.add_dir(f) ++ if setype in APPLICATIONS: ++ mypolicy.set_program(cmd) ++ for f in gen_writeable(cmd): ++ for b in mypolicy.DEFAULT_DIRS: ++ if b == "/etc": ++ continue ++ if f.startswith(b): ++ if os.path.isfile(f): ++ mypolicy.add_file(f) ++ else: ++ mypolicy.add_dir(f) + -+ if os.path.isfile("/var/run/%s.pid" % name): -+ mypolicy.add_file("/var/run/%s.pid" % name) ++ if os.path.isfile("/var/run/%s.pid" % name): ++ mypolicy.add_file("/var/run/%s.pid" % name) + -+ if os.path.isfile("/etc/rc.d/init.d/%s" % name): -+ mypolicy.set_init_script("/etc/rc\.d/init\.d/%s" % name) ++ if os.path.isfile("/etc/rc.d/init.d/%s" % name): ++ mypolicy.set_init_script("/etc/rc\.d/init\.d/%s" % name) + -+ symbols = gen_symbols(cmd) -+ for s in symbols: -+ for b in mypolicy.symbols: -+ if s.startswith(b): -+ exec "mypolicy.%s" % mypolicy.symbols[b] ++ symbols = gen_symbols(cmd) ++ for s in symbols: ++ for b in mypolicy.symbols: ++ if s.startswith(b): ++ exec "mypolicy.%s" % mypolicy.symbols[b] + + print mypolicy.generate() + sys.exit(0) 
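Review bot: The re-indented block keeps `exec "mypolicy.%s" % mypolicy.symbols[b]`, which builds and executes source text from the `symbols` table. The table is not visible here, so this is safe only while every value is a fixed string defined in the class. Storing a method name plus arguments and dispatching with `getattr(mypolicy, method)(*args)` would remove the `exec`. Separately, `name` is taken from `os.path.basename(cmds[0])` with only `-` replaced and is then substituted into the policy templates (and presumably the output file names). A check such as `re.match(r"^[A-Za-z_][A-Za-z0-9_]*$", name)` before `policy(name, setype)` would reject values that cannot be valid policy identifiers.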
@@ -11788,7 +11801,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu + app.stand_alone() diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py policycoreutils-2.0.82/gui/templates/boolean.py --- nsapolicycoreutils/gui/templates/boolean.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/boolean.py 2010-04-28 17:12:20.000000000 -0400 ++++ policycoreutils-2.0.82/gui/templates/boolean.py 2010-06-11 17:08:24.000000000 -0400 @@ -0,0 +1,40 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -11832,7 +11845,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py policycoreutils-2.0.82/gui/templates/etc_rw.py --- nsapolicycoreutils/gui/templates/etc_rw.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/etc_rw.py 2010-04-28 17:12:20.000000000 -0400 ++++ policycoreutils-2.0.82/gui/templates/etc_rw.py 2010-06-11 17:08:24.000000000 -0400 @@ -0,0 +1,113 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -11949,8 +11962,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.82/gui/templates/executable.py --- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/executable.py 2010-06-07 16:40:33.000000000 -0400 -@@ -0,0 +1,361 @@ ++++ policycoreutils-2.0.82/gui/templates/executable.py 2010-06-11 17:08:24.000000000 -0400 +@@ -0,0 +1,382 @@ +# Copyright (C) 2007-2009 Red Hat +# see file 'COPYING' for use and warranty information +# 
@@ -12049,7 +12062,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable + +apache_content_template(TEMPLATETYPE) + -+permissive http_TEMPLATETYPE_script_t; ++permissive httpd_TEMPLATETYPE_script_t; +""" + +te_daemon_rules=""" @@ -12127,20 +12140,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable +miscfiles_read_localization(TEMPLATETYPE_t) +""" + -+te_userapp_trans_rules=""" -+optional_policy(` -+ gen_require(` -+ type USER_t; -+ role USER_r; -+ ') ++########################### Interface File ############################# + -+ TEMPLATETYPE_run(USER_t, USER_r) -+') ++if_heading_rules=""" ++## policy for TEMPLATETYPE +""" + -+########################### Interface File ############################# +if_program_rules=""" -+## policy for TEMPLATETYPE + +######################################## +## @@ -12215,6 +12221,29 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable + ps_process_pattern($2, TEMPLATETYPE_t) + allow $2 TEMPLATETYPE_t:process signal; +') ++ ++""" ++ ++if_role_change_rules=""" ++######################################## ++## ++## Change to the TEMPLATETYPE role. ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`TEMPLATETYPE_role_change',` ++ gen_require(` ++ role TEMPLATETYPE_r; ++ ') ++ ++ allow $1 TEMPLATETYPE_r; ++') ++ +""" + +if_initscript_rules=""" 
@@ -12308,13 +12337,18 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable + +EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0) +""" ++ ++fc_user="""\ ++# Users do not have file context, leave blank ++""" ++ +fc_initscript="""\ + +EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0) +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.82/gui/templates/__init__.py --- nsapolicycoreutils/gui/templates/__init__.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/__init__.py 2010-04-28 17:12:20.000000000 -0400 ++++ policycoreutils-2.0.82/gui/templates/__init__.py 2010-06-11 17:08:24.000000000 -0400 @@ -0,0 +1,18 @@ +# +# Copyright (C) 2007 Red Hat, Inc. @@ -12336,7 +12370,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.p + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.82/gui/templates/network.py --- nsapolicycoreutils/gui/templates/network.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/network.py 2010-04-28 17:12:20.000000000 -0400 ++++ policycoreutils-2.0.82/gui/templates/network.py 2010-06-11 17:08:24.000000000 -0400 @@ -0,0 +1,80 @@ +te_port_types=""" +type TEMPLATETYPE_port_t; @@ -12420,7 +12454,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.82/gui/templates/rw.py --- nsapolicycoreutils/gui/templates/rw.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/rw.py 2010-04-28 17:12:20.000000000 -0400 ++++ policycoreutils-2.0.82/gui/templates/rw.py 2010-06-11 17:08:24.000000000 -0400 @@ -0,0 +1,131 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information 
@@ -12555,7 +12589,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.82/gui/templates/script.py --- nsapolicycoreutils/gui/templates/script.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/script.py 2010-04-28 17:12:20.000000000 -0400 ++++ policycoreutils-2.0.82/gui/templates/script.py 2010-06-11 17:08:24.000000000 -0400 @@ -0,0 +1,126 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -12685,7 +12719,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.82/gui/templates/semodule.py --- nsapolicycoreutils/gui/templates/semodule.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/semodule.py 2010-04-28 17:12:20.000000000 -0400 ++++ policycoreutils-2.0.82/gui/templates/semodule.py 2010-06-11 17:08:24.000000000 -0400 @@ -0,0 +1,41 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -12730,7 +12764,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.p + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.82/gui/templates/tmp.py --- nsapolicycoreutils/gui/templates/tmp.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/tmp.py 2010-04-28 17:12:20.000000000 -0400 ++++ policycoreutils-2.0.82/gui/templates/tmp.py 2010-06-11 17:08:24.000000000 -0400 @@ -0,0 +1,102 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information 
@@ -12836,8 +12870,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.82/gui/templates/user.py --- nsapolicycoreutils/gui/templates/user.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/user.py 2010-04-28 17:12:20.000000000 -0400 -@@ -0,0 +1,179 @@ ++++ policycoreutils-2.0.82/gui/templates/user.py 2010-06-11 17:08:24.000000000 -0400 +@@ -0,0 +1,195 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information +# @@ -12880,7 +12914,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po +# Declarations +# + -+userdom_admin_login_user_template(TEMPLATETYPE) ++userdom_admin_user_template(TEMPLATETYPE) +""" + +te_min_login_user_types="""\ @@ -12933,6 +12967,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po +# +# TEMPLATETYPE local policy +# ++ +""" + +te_existing_user_rules="""\ @@ -12966,6 +13001,16 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po +') +""" + ++te_user_trans_rules=""" ++optional_policy(` ++ gen_require(` ++ role USER_r; ++ ') ++ ++ TEMPLATETYPE_role_change(USER_r) ++') ++""" ++ +te_admin_rules=""" +allow TEMPLATETYPE_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice }; +files_dontaudit_search_all_dirs(TEMPLATETYPE_t) 
@@ -12981,45 +13026,50 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po +domain_dontaudit_search_all_domains_state(TEMPLATETYPE_t) +domain_dontaudit_ptrace_all_domains(TEMPLATETYPE_t) + -+userdom_dontaudit_search_sysadm_home_dirs(TEMPLATETYPE_t) -+userdom_dontaudit_search_generic_user_home_dirs(TEMPLATETYPE_t) ++userdom_dontaudit_search_admin_dir(TEMPLATETYPE_t) ++userdom_dontaudit_search_user_home_dirs(TEMPLATETYPE_t) + +bool TEMPLATETYPE_read_user_files false; +bool TEMPLATETYPE_manage_user_files false; + +if (TEMPLATETYPE_read_user_files) { -+ userdom_read_unpriv_users_home_content_files(TEMPLATETYPE_t) -+ userdom_read_unpriv_users_tmp_files(TEMPLATETYPE_t) ++ userdom_read_user_home_content_files(TEMPLATETYPE_t) ++ userdom_read_user_tmp_files(TEMPLATETYPE_t) +} + +if (TEMPLATETYPE_manage_user_files) { -+ userdom_manage_unpriv_users_home_content_dirs(TEMPLATETYPE_t) -+ userdom_read_unpriv_users_tmp_files(TEMPLATETYPE_t) -+ userdom_write_unpriv_users_tmp_files(TEMPLATETYPE_t) ++ userdom_manage_user_home_content(TEMPLATETYPE_t) ++ userdom_manage_user_tmp_files(TEMPLATETYPE_t) +} + +""" + +te_admin_trans_rules=""" -+userdom_role_change_template(USER, TEMPLATETYPE) ++allow user_r TEMPLATETYPE_r; +""" + +te_admin_domain_rules=""" +optional_policy(` -+ APPLICATION_admin(TEMPLATETYPE_t, TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t }) ++ APPLICATION_admin(TEMPLATETYPE_t, TEMPLATETYPE_r, { TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t }) +') +""" + +te_roles_rules=""" -+userdom_role_change_template(TEMPLATETYPE, ROLE) ++ROLE_role_change(TEMPLATETYPE_r) ++""" ++ ++te_sudo_rules=""" ++optional_policy(` ++ sudo_role_template(TEMPLATETYPE, TEMPLATETYPE_r, TEMPLATETYPE_t) ++') +""" + +te_newrole_rules=""" -+seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t }) ++seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r, { TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t }) +""" 
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_cache.py policycoreutils-2.0.82/gui/templates/var_cache.py --- nsapolicycoreutils/gui/templates/var_cache.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/var_cache.py 2010-06-07 16:46:31.000000000 -0400 ++++ policycoreutils-2.0.82/gui/templates/var_cache.py 2010-06-11 17:08:24.000000000 -0400 @@ -0,0 +1,133 @@ +# Copyright (C) 2010 Red Hat +# see file 'COPYING' for use and warranty information @@ -13156,7 +13206,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_cache. +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.82/gui/templates/var_lib.py --- nsapolicycoreutils/gui/templates/var_lib.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/var_lib.py 2010-05-26 09:29:58.000000000 -0400 ++++ policycoreutils-2.0.82/gui/templates/var_lib.py 2010-06-11 17:08:24.000000000 -0400 @@ -0,0 +1,161 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information @@ -13321,7 +13371,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.82/gui/templates/var_log.py --- nsapolicycoreutils/gui/templates/var_log.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/var_log.py 2010-05-26 09:32:01.000000000 -0400 ++++ policycoreutils-2.0.82/gui/templates/var_log.py 2010-06-11 17:08:24.000000000 -0400 @@ -0,0 +1,116 @@ +# Copyright (C) 2007,2010 Red Hat +# see file 'COPYING' for use and warranty information 
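Review bot: The new `te_admin_trans_rules` template in user.py, `allow user_r TEMPLATETYPE_r;`, no longer contains the `USER` placeholder, yet the generator in polgen.py (visible earlier in this patch) still applies `re.sub("USER", role, tmp)` to it for each role. `re.sub` is case-sensitive, so the substitution does nothing. Every selected role then yields the same rule, which lets `user_r` change to the new role regardless of which user was chosen. If the rule is meant to follow the selected role, the template should read `allow USER_r TEMPLATETYPE_r;`.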
@@ -13441,7 +13491,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py + diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.82/gui/templates/var_run.py --- nsapolicycoreutils/gui/templates/var_run.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/var_run.py 2010-05-26 09:28:54.000000000 -0400 ++++ policycoreutils-2.0.82/gui/templates/var_run.py 2010-06-11 17:08:24.000000000 -0400 @@ -0,0 +1,101 @@ +# Copyright (C) 2007,2010 Red Hat +# see file 'COPYING' for use and warranty information @@ -13546,7 +13596,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py +""" diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.82/gui/templates/var_spool.py --- nsapolicycoreutils/gui/templates/var_spool.py 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/gui/templates/var_spool.py 2010-06-07 16:46:58.000000000 -0400 ++++ policycoreutils-2.0.82/gui/templates/var_spool.py 2010-06-11 17:08:24.000000000 -0400 @@ -0,0 +1,133 @@ +# Copyright (C) 2007 Red Hat +# see file 'COPYING' for use and warranty information diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index c47ab2a..4506e70 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch 
@@ -1549,8 +1549,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.82/sandbox/Makefile --- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/sandbox/Makefile 2010-05-25 16:18:41.000000000 -0400 -@@ -0,0 +1,42 @@ ++++ policycoreutils-2.0.82/sandbox/Makefile 2010-06-08 15:05:27.000000000 -0400 +@@ -0,0 +1,44 @@ +# Installation directories. +PREFIX ?= ${DESTDIR}/usr +INITDIR ?= ${DESTDIR}/etc/rc.d/init.d/ @@ -1561,7 +1561,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +LOCALEDIR ?= /usr/share/locale +SHAREDIR ?= $(PREFIX)/share/sandbox +override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra -+LDLIBS += -lselinux -lcap-ng ++LDLIBS += -lcgroup -lselinux -lcap-ng + +all: sandbox seunshare sandboxX.sh + @@ -1574,6 +1574,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + -mkdir -p $(MANDIR)/man8 + install -m 644 sandbox.8 $(MANDIR)/man8/ + install -m 644 seunshare.8 $(MANDIR)/man8/ ++ -mkdir -p $(MANDIR)/man5 ++ install -m 644 sandbox.conf.5 $(MANDIR)/man5/ + -mkdir -p $(SBINDIR) + install -m 4755 seunshare $(SBINDIR)/ + -mkdir -p $(SHAREDIR) @@ -1581,7 +1583,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + -mkdir -p $(INITDIR) + install -m 755 sandbox.init $(INITDIR)/sandbox + -mkdir -p $(SYSCONFDIR) -+ install -m 644 sandbox.config $(SYSCONFDIR)/sandbox ++ install -m 644 sandbox.conf $(SYSCONFDIR)/sandbox + +test: + @python test_sandbox.py -v 
@@ -1595,10 +1597,11 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +relabel: diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.82/sandbox/sandbox --- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/sandbox/sandbox 2010-06-03 16:30:17.000000000 -0400 -@@ -0,0 +1,427 @@ ++++ policycoreutils-2.0.82/sandbox/sandbox 2010-06-08 15:12:00.000000000 -0400 +@@ -0,0 +1,434 @@ +#! /usr/bin/python -E +# Authors: Dan Walsh ++# Authors: Thomas Liu +# Authors: Josh Cogliati +# +# Copyright (C) 2009,2010 Red Hat @@ -1885,6 +1888,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + parser.add_option("-l", "--level", dest="level", + help=_("MCS/MLS level for the sandbox")) + ++ parser.add_option("-C", "--cgroups", ++ action="store_true", dest="usecgroup", default=False, ++ help="Use cgroups to limit this sandbox.") ++ + self.__parser=parser + + self.__options, cmds = parser.parse_args() 
@@ -1960,22 +1967,24 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + + def __execute(self): + try: -+ if self.__options.X_ind: -+ xmodmapfile = self.__homedir + "/.xmodmap" -+ xd = open(xmodmapfile,"w") -+ subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait() -+ xd.close() -+ -+ self.__setup_sandboxrc(self.__options.wm) -+ -+ cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon, "/usr/share/sandbox/sandboxX.sh" ] -+ rc = subprocess.Popen(cmds).wait() -+ return rc -+ ++ cmds = [ '/usr/sbin/seunshare', "-Z", self.__execcon ] ++ if self.__options.usecgroup == True: ++ cmds.append('-c') + if self.__mount: -+ cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths -+ rc = subprocess.Popen(cmds).wait() -+ return rc ++ cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ] ++ ++ if self.__options.X_ind: ++ xmodmapfile = self.__homedir + "/.xmodmap" ++ xd = open(xmodmapfile,"w") ++ subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait() ++ xd.close() ++ ++ self.__setup_sandboxrc(self.__options.wm) ++ ++ cmds += [ "--", "/usr/share/sandbox/sandboxX.sh" ] ++ else: ++ cmds += [ "--" ] + self.__paths ++ return subprocess.Popen(cmds).wait() + + selinux.setexeccon(self.__execcon) + rc = subprocess.Popen(self.__cmds).wait() 
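Review bot: `-c` is appended to `cmds`, but `cmds` appears to be executed only inside `if self.__mount:`. Without a mount, control falls through to `selinux.setexeccon(self.__execcon)` and `subprocess.Popen(self.__cmds)`, so a `--cgroups` request is silently dropped and the sandbox runs without the limits the user asked for. Indentation is lost on this page, so confirm the nesting. If it is as read, option parsing should reject `-C` when no mount is requested, or at least the code should carry the comment `# -c is only honoured on the seunshare path; without a mount the cgroup request is ignored`. `if self.__options.usecgroup == True:` is better written `if self.__options.usecgroup:`, and the hand-closed `.xmodmap` file would be closed on error too with a `try`/`finally` around the `xmodmap` call.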
@@ -2026,8 +2035,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + sys.exit(rc) diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.82/sandbox/sandbox.8 --- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/sandbox/sandbox.8 2010-05-27 13:42:03.000000000 -0400 -@@ -0,0 +1,64 @@ ++++ policycoreutils-2.0.82/sandbox/sandbox.8 2010-06-08 14:41:10.000000000 -0400 +@@ -0,0 +1,69 @@ +.TH SANDBOX "8" "May 2010" "sandbox" "User Commands" +.SH NAME +sandbox \- Run cmd under an SELinux sandbox @@ -2083,6 +2092,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +\fB\-X\fR +Create an X based Sandbox for gui apps, temporary files for +$HOME and /tmp, secondary Xserver, defaults to sandbox_x_t ++.TP ++\fB\-C\fR ++Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. +.PP +.SH "SEE ALSO" +.TP 
@@ -2092,12 +2104,63 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.SH AUTHOR +This manual page was written by +.I Dan Walsh -diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.config policycoreutils-2.0.82/sandbox/sandbox.config ---- nsapolicycoreutils/sandbox/sandbox.config 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/sandbox/sandbox.config 2010-04-28 17:12:19.000000000 -0400 -@@ -0,0 +1,2 @@ ++and ++.I Thomas Liu +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf policycoreutils-2.0.82/sandbox/sandbox.conf +--- nsapolicycoreutils/sandbox/sandbox.conf 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.82/sandbox/sandbox.conf 2010-06-08 14:41:59.000000000 -0400 +@@ -0,0 +1,7 @@ +# Space separate list of homedirs +HOMEDIRS="/home" ++# Control group configuration ++NAME=sandbox ++CPUAFFINITY=ALL ++MEMUSAGE=80% ++CPUUSAGE=80% +diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf.5 policycoreutils-2.0.82/sandbox/sandbox.conf.5 +--- nsapolicycoreutils/sandbox/sandbox.conf.5 1969-12-31 19:00:00.000000000 -0500 ++++ policycoreutils-2.0.82/sandbox/sandbox.conf.5 2010-06-08 14:41:19.000000000 -0400 +@@ -0,0 +1,40 @@ ++.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration" ++.SH NAME ++sandbox.conf \- user config file for the SELinux sandbox ++.SH DESCRIPTION ++.PP ++When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined. ++ ++.PP ++Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("="). ++ ++.PP ++These keywords are allowed. ++ ++.RS ++.TP ++.B NAME ++The name of the sandbox control group. 
Default is "sandbox". ++ ++.TP ++.B CPUAFFINITY ++Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5 ++ ++.TP ++.B MEMUSAGE ++How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M ++ ++.TP ++.B CPUUSAGE ++Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50% ++ ++ ++ ++.SH "SEE ALSO" ++.TP ++sandbox(8) ++.PP ++ ++.SH AUTHOR ++This manual page was written by ++.I Thomas Liu diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.init policycoreutils-2.0.82/sandbox/sandbox.init --- nsapolicycoreutils/sandbox/sandbox.init 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.82/sandbox/sandbox.init 2010-06-03 17:11:59.000000000 -0400 @@ -2195,8 +2258,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +exit 0 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.82/sandbox/seunshare.8 --- nsapolicycoreutils/sandbox/seunshare.8 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/sandbox/seunshare.8 2010-05-21 08:12:39.000000000 -0400 -@@ -0,0 +1,29 @@ ++++ policycoreutils-2.0.82/sandbox/seunshare.8 2010-06-08 14:41:19.000000000 -0400 +@@ -0,0 +1,34 @@ +.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands" +.SH NAME +seunshare \- Run cmd under an SELinux context 
@@ -2217,6 +2280,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +\fB\-t\ tmpdir +Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user. +.TP ++\fB\-c cgroups\fR ++Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc. ++.TP +\fB\-v\fR +Verbose output +.SH "SEE ALSO" @@ -2226,10 +2292,17 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +.SH AUTHOR +This manual page was written by +.I Dan Walsh ++and ++.I Thomas Liu diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.82/sandbox/seunshare.c --- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500 -+++ policycoreutils-2.0.82/sandbox/seunshare.c 2010-05-25 13:37:30.000000000 -0400 -@@ -0,0 +1,313 @@ ++++ policycoreutils-2.0.82/sandbox/seunshare.c 2010-06-08 14:56:09.000000000 -0400 +@@ -0,0 +1,522 @@ ++/* ++ * Authors: Dan Walsh ++ * Authors: Thomas Liu ++ */ ++ +#define _GNU_SOURCE +#include +#include @@ -2239,8 +2312,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +#include +#include +#include ++#include +#include +#include ++#include +#include +#include +#include /* for getopt_long() form of getopt() */ @@ -2265,6 +2340,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po +#define PACKAGE "policycoreutils" /* the name of this package lang translation */ +#endif + ++#define BUF_SIZE 1024 ++ +/** + * This function will drop all capabilities + * Returns zero on success, non-zero otherwise 
@@ -2382,23 +2459,53 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 + return 0;
 +}
 +
-+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
++#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] [-Z CONTEXT] -- executable [args] ")
++
++int sandbox_error(const char *string) {
++ fprintf(stderr, string);
++ syslog(LOG_AUTHPRIV | LOG_ALERT, string);
++ exit(-1);
++
++}
++
++
++int match(const char *string, char *pattern) {
++ int status;
++ regex_t re;
++ if (regcomp(&re, pattern, REG_EXTENDED|REG_NOSUB) != 0) {
++ return 0;
++ }
++ status = regexec(&re, string, (size_t)0, NULL, 0);
++ regfree(&re);
++ if (status != 0) {
++ return 0;
++ }
++ return 1;
++}
++
++void config_error() {
++ fprintf(stderr, "Error parsing config file.");
++ exit(-1);
++}
 +
 +int main(int argc, char **argv) {
 + int rc;
 + int status = -1;
 +
-+ security_context_t scontext;
++ security_context_t scontext = NULL;
 +
 + int flag_index; /* flag index in argv[] */
 + int clflag; /* holds codes for command line flags */
 + char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */
 + char *homedir_s = NULL; /* homedir spec'd by user in argv[] */
++ int usecgroups = 0;
 +
 + const struct option long_options[] = {
 + {"homedir", 1, 0, 'h'},
 + {"tmpdir", 1, 0, 't'},
 + {"verbose", 1, 0, 'v'},
++ {"cgroups", 1, 0, 'c'},
++ {"context", 1, 0, 'Z'},
 + {NULL, 0, 0, 0}
 + };
 +
@@ -2427,7 +2534,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 + }
 +
 + while (1) {
-+ clflag = getopt_long(argc, argv, "vh:t:", long_options,
++ clflag = getopt_long(argc, argv, "cvh:t:c:m:p:Z:", long_options,
 + &flag_index);
 + if (clflag == -1)
 + break;
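Review bot: In the added `sandbox_error()`, the caller's message is passed as the format argument to both `fprintf` and `syslog`, so any `%` in a message is interpreted as a conversion specifier. Every call visible in this patch passes a string literal, but the helper accepts an arbitrary `const char *`, and a later caller that folds config or user text into the message would turn this into a format-string bug. Use a fixed format instead: `fprintf(stderr, "%s", string);` and `syslog(LOG_AUTHPRIV | LOG_ALERT, "%s", string);`. The function is also declared `int` but never returns; `void`, as `config_error()` uses, would match what it does.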
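Review bot: The new option string `"cvh:t:c:m:p:Z:"` lists `c` twice, once as a plain flag and once taking an argument, and it accepts `-m` and `-p` although no case for them is added anywhere in this patch, so they would fall through to the usage error. The `long_options` entry added in the previous hunk, `{"cgroups", 1, 0, 'c'}`, likewise demands an argument that `case 'c'` (hunk `@@ -2445,6 +2552,12 @@`) never reads. Since `-c` only sets `usecgroups`, the string should be `"cvh:t:Z:"` and the long option `{"cgroups", 0, 0, 'c'},`; `USAGE_STRING` should list `[ -c ]` too. The getopt loop continues outside this hunk.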
@@ -2445,6 +2552,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 + case 'v':
 + verbose = 1;
 + break;
++ case 'c':
++ usecgroups = 1;
++ break;
++ case 'Z':
++ scontext = strdup(optarg);
++ break;
 + default:
 + fprintf(stderr, "%s\n", USAGE_STRING);
 + return -1;
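Review bot: `case 'Z'` stores `strdup(optarg)` without checking the result, and the hunk at `@@ -2513,11 +2786,13 @@` now calls `setexeccon()` only when `scontext` is non-NULL. A failed allocation is therefore indistinguishable from no `-Z` at all, and the command would be executed without the requested SELinux context instead of failing. Check the copy where it is made: `if ((scontext = strdup(optarg)) == NULL) { perror("strdup"); return -1; }`. A repeated `-Z` also leaks the earlier copy; the switch itself begins outside this hunk.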
@@ -2456,15 +2569,175 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 + return -1;
 + }
 +
-+ if (argc - optind < 2) {
-+ fprintf(stderr, _("Error: context and executable required \n %s \n"), USAGE_STRING);
++ if (argc - optind < 1) {
++ fprintf(stderr, _("Error: executable required \n %s \n"), USAGE_STRING);
 + return -1;
 + }
 +
-+ scontext = argv[optind++];
 +
 + if (set_signal_handles())
 + return -1;
++ if (usecgroups) {
++ char *cpus = NULL; /* which CPUs to use */
++ char *cgroupname = NULL;/* name for the cgroup */
++ char *mem = NULL; /* string for memory amount to pass to cgroup */
++ int64_t memusage = 0; /* amount of memory to use max (percent) */
++ int cpupercentage = 0; /* what percentage of cpu to allow usage */
++ FILE* fp;
++ char buf[BUF_SIZE];
++ char *tok = NULL;
++ const char* fname = "/etc/sysconfig/sandbox";
++
++ if ((fp = fopen(fname, "rt")) == NULL) {
++ fprintf(stderr, "Error opening sandbox config file.");
++ exit(-1);
++ }
++ while(fgets(buf, BUF_SIZE, fp) != NULL) {
++ /* Skip comments */
++ if (buf[0] == '#') continue;
++
++ /* Copy the string, ignoring whitespace */
++ int len = strlen(buf);
++ char *str = malloc((len + 1) * sizeof(char));
++
++ int ind = 0;
++ int i;
++ for (i = 0; i < len; i++) {
++ char cur = buf[i];
++ if (cur != ' ' && cur != '\t') {
++ str[ind] = cur;
++ ind++;
++ }
++ }
++ str[ind] = '\0';
++
++ tok = strtok(str, "=\n");
++ if (tok != NULL) {
++ if (!strcmp(tok, "CPUAFFINITY")) {
++ tok = strtok(NULL, "=\n");
++ cpus = strdup(tok);
++ if (!strcmp(cpus, "ALL")) {
++ cpus = NULL;
++ }
++ } else if (!strcmp(tok, "MEMUSAGE")) {
++ tok = strtok(NULL, "=\n");
++ if (match(tok, "^[0-9]+[kKmMgG%]")) {
++ char *ind = strchr(tok, '%');
++ if (ind != NULL) {
++ *ind = '\0';;
++ memusage = atoi(tok);
++ } else {
++ mem = strdup(tok);
++ }
++ } else {
++ config_error();
++ }
++
++ } else if (!strcmp(tok, "CPUUSAGE")) {
++ tok = strtok(NULL, "=\n");
++ if (match(tok, "^[0-9]+\%")) {
++ char* ind = strchr(tok, '%');
++ *ind = '\0';
++ cpupercentage = atoi(tok);
++ } else {
++ config_error();
++ }
++ } else if (!strcmp(tok, "NAME")) {
++ tok = strtok(NULL, "=\n");
++ cgroupname = strdup(tok);
++ } else {
++ continue;
++ }
++ }
++
++
++ }
++ if (mem == NULL) {
++ long phypz = sysconf(_SC_PHYS_PAGES);
++ long psize = sysconf(_SC_PAGE_SIZE);
++ memusage = phypz * psize * (float) memusage / 100.0;
++ }
++
++ cgroup_init();
++
++ int64_t current_runtime = 0;
++ int64_t current_period = 0 ;
++ int64_t current_mem = 0;
++ char *curr_cpu_path = NULL;
++ char *curr_mem_path = NULL;
++ int ret = cgroup_get_current_controller_path(getpid(), "cpu", &curr_cpu_path);
++ if (ret) {
++ sandbox_error("Error while trying to get current controller path.\n");
++ } else {
++ struct cgroup *curr = cgroup_new_cgroup(curr_cpu_path);
++ cgroup_get_cgroup(curr);
++ cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_runtime_us", ¤t_runtime);
++ cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_period_us", ¤t_period);
++ }
++
++ ret = cgroup_get_current_controller_path(getpid(), "memory", &curr_mem_path);
++ if (ret) {
++ sandbox_error("Error while trying to get current controller path.\n");
++ } else {
++ struct cgroup *curr = cgroup_new_cgroup(curr_mem_path);
++ cgroup_get_cgroup(curr);
++ cgroup_get_value_int64(cgroup_get_controller(curr, "memory"), "memory.limit_in_bytes", ¤t_mem);
++ }
++
++ if (((float) cpupercentage) / 100.0> (float)current_runtime / (float) current_period) {
++ sandbox_error("CPU usage restricted!\n");
++ exit(-1);
++ }
++
++ if (mem == NULL) {
++ if (memusage > current_mem) {
++ sandbox_error("Attempting to use more memory than allowed!");
++ exit(-1);
++ }
++ }
++
++ long nprocs = sysconf(_SC_NPROCESSORS_ONLN);
++
++ struct sched_param sp;
++ sp.sched_priority = sched_get_priority_min(SCHED_FIFO);
++ sched_setscheduler(getpid(), SCHED_FIFO, &sp);
++ struct cgroup *sandbox_group = cgroup_new_cgroup(cgroupname);
++ cgroup_add_controller(sandbox_group, "memory");
++ cgroup_add_controller(sandbox_group, "cpu");
++
++ if (mem == NULL) {
++ if (memusage > 0) {
++ cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", memusage);
++ }
++ } else {
++ cgroup_set_value_string(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", mem);
++ }
++ if (cpupercentage > 0) {
++ cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "cpu"), "cpu.rt_runtime_us",
++ (float) cpupercentage / 100.0 * 60000);
++ cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "cpu"), "cpu.rt_period_us",60000 * nprocs);
++ }
++ if (cpus != NULL) {
++ cgroup_set_value_string(cgroup_get_controller(sandbox_group, "cpu"), "cgroup.procs",cpus);
++ }
++
++ uint64_t allocated_mem;
++ if (cgroup_get_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", &allocated_mem) > current_mem) {
++ sandbox_error("Attempting to use more memory than allowed!\n");
++ exit(-1);
++ }
++
++
++ int r = cgroup_create_cgroup(sandbox_group, 1);
++ if (r != 0) {
++ sandbox_error("Failed to create group. Ensure that cgconfig service is running. \n");
++ exit(-1);
++ }
++
++
++ cgroup_attach_task(sandbox_group);
++
++ }
 +
 + if (unshare(CLONE_NEWNS) < 0) {
 + perror(_("Failed to unshare"));
@@ -2513,11 +2786,13 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 + exit(-1);
 + }
 +
-+ if (setexeccon(scontext)) {
-+ fprintf(stderr, _("Could not set exec context to %s.\n"),
-+ scontext);
-+ free(display);
-+ exit(-1);
++ if (scontext) {
++ if (setexeccon(scontext)) {
++ fprintf(stderr, _("Could not set exec context to %s.\n"),
++ scontext);
++ free(display);
++ exit(-1);
++ }
 + }
 +
 + if (display)
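Review bot: The last memory check in the `usecgroups` block (hunk `@@ -2456,15 +2569,175 @@`) compares the return status of `cgroup_get_value_uint64()` with `current_mem` rather than the value it stored in `allocated_mem`, and the result of `cgroup_attach_task()` is discarded, so the program can go on to `unshare()` and `execv()` with no limit actually applied. Compare the value that was read back and treat a failed attach as fatal, as sketched below. The config parser has a related gap: the value token from `strtok(NULL, "=\n")` goes straight into `strdup()` and `match()`, so a key with no value dereferences NULL, and `cgroupname` stays NULL when the file has no `NAME` line. The block sits inside `main()`, which starts and ends outside this hunk.

```c
/* … unchanged: config parsing, current-limit lookup, cgroup_set_value_* calls … */
uint64_t allocated_mem = 0;
int rb = cgroup_get_value_uint64(cgroup_get_controller(sandbox_group, "memory"),
                                 "memory.limit_in_bytes", &allocated_mem);
if (rb == 0 && allocated_mem > (uint64_t) current_mem) {
	sandbox_error("Attempting to use more memory than allowed!\n");
}
/* … unchanged: cgroup_create_cgroup() and its error check … */
if (cgroup_attach_task(sandbox_group) != 0) {
	sandbox_error("Failed to move process into the sandbox cgroup.\n");
}
```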
@@ -2533,8 +2808,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po + exit(-1); + } + setsid(); ++ + execv(argv[optind], argv + optind); + free(display); ++ freecon(scontext); + perror("execv"); + exit(-1); + } else { diff --git a/policycoreutils.spec b/policycoreutils.spec index 54a7b54..da0627c 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.82 -Release: 29%{?dist} +Release: 31%{?dist} License: GPLv2+ Group: System Environment/Base Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz @@ -30,7 +30,7 @@ Obsoletes: policycoreutils < 2.0.61-2 %global pkgpythondir %{python_sitelib}/%{name} -BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext +BuildRequires: pam-devel libcgroup-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel BuildRequires: python-devel Requires: /bin/mount /bin/egrep /bin/awk /usr/bin/diff rpm /bin/sed @@ -111,7 +111,7 @@ desktop-file-install --vendor fedora \ Summary: SELinux policy core python utilities Group: System Environment/Base Requires: policycoreutils = %{version}-%{release} -Requires: libsemanage-python >= %{libsemanagever} libselinux-python +Requires: libsemanage-python >= %{libsemanagever} libselinux-python libcgroup Requires: audit-libs-python >= %{libauditver} Requires: /usr/bin/make Requires(pre): python >= 2.6 
@@ -140,6 +140,7 @@ The policycoreutils-python package contains the management tools use to manage a %{_mandir}/man1/audit2allow.1* %{_mandir}/ru/man1/audit2allow.1* %{_mandir}/man1/audit2why.1* +%{_mandir}/man5/sandbox.conf.5* %{_mandir}/man8/chcat.8* %{_mandir}/ru/man8/chcat.8* %{_mandir}/man8/sandbox.8* @@ -313,6 +314,13 @@ fi exit 0 %changelog +* Tue Jun 15 2010 Dan Walsh 2.0.82-31 +- Fix sepolgen code generation +Resolve: #603001 + +* Tue Jun 8 2010 Dan Walsh 2.0.82-30 +- Add cgroup support for sandbox + * Mon Jun 7 2010 Dan Walsh 2.0.82-29 - Allow creation of /var/cache/DOMAIN from sepolgen