Can not unshare IPC in sandbox, since it blows up Xephyr
- Remove bogus error message sandbox about reseting setfsuid
This commit is contained in:
Dan Walsh
parent
c1e35cdc89
commit
98c418def3
@ -1470,20 +1470,28 @@ index 23de6f6..171bb05 100644
|
||||
export DISPLAY=:$D
|
||||
cat > ~/seremote << __EOF
|
||||
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
|
||||
index dbd5977..68a80c7 100644
|
||||
index dbd5977..b3f1275 100644
|
||||
--- a/policycoreutils/sandbox/seunshare.c
|
||||
+++ b/policycoreutils/sandbox/seunshare.c
|
||||
@@ -961,8 +961,9 @@ int main(int argc, char **argv) {
|
||||
@@ -617,8 +617,8 @@ static int cleanup_tmpdir(const char *tmpdir, const char *src,
|
||||
free(cmdbuf); cmdbuf = NULL;
|
||||
|
||||
/* remove runtime temporary directory */
|
||||
- if ((uid_t)setfsuid(0) != pwd->pw_uid) {
|
||||
- fprintf(stderr, _("Unable to switch to root to clear tmp dir\n"));
|
||||
+ if ((uid_t)setfsuid(0) != 0) {
|
||||
+ /* setfsuid does not return errror, but this check makes code checkers happy */
|
||||
rc++;
|
||||
}
|
||||
|
||||
@@ -961,6 +961,7 @@ int main(int argc, char **argv) {
|
||||
char *display = NULL;
|
||||
char *LANG = NULL;
|
||||
int rc = -1;
|
||||
+ char *resolved_path = NULL;
|
||||
|
||||
- if (unshare(CLONE_NEWNS) < 0) {
|
||||
+ if (unshare(CLONE_NEWNS | CLONE_NEWIPC) < 0) {
|
||||
if (unshare(CLONE_NEWNS) < 0) {
|
||||
perror(_("Failed to unshare"));
|
||||
goto childerr;
|
||||
}
|
||||
@@ -977,8 +978,10 @@ int main(int argc, char **argv) {
|
||||
/* assume fsuid==ruid after this point */
|
||||
if ((uid_t)setfsuid(uid) != 0) goto childerr;
|
||||
@ -2359,7 +2367,7 @@ index b6abdf5..c05c943 100644
|
||||
Generate an additional HTML man pages for the specified domain(s).
|
||||
|
||||
diff --git a/policycoreutils/sepolicy/sepolicy.py b/policycoreutils/sepolicy/sepolicy.py
|
||||
index b25d3b2..6e71f00 100755
|
||||
index b25d3b2..1146bb3 100755
|
||||
--- a/policycoreutils/sepolicy/sepolicy.py
|
||||
+++ b/policycoreutils/sepolicy/sepolicy.py
|
||||
@@ -22,6 +22,8 @@
|
||||
@ -2551,7 +2559,7 @@ index b25d3b2..6e71f00 100755
|
||||
if args.list_admin:
|
||||
for a in get_admin():
|
||||
print a
|
||||
@@ -328,7 +349,7 @@ def interface(args):
|
||||
@@ -328,13 +349,13 @@ def interface(args):
|
||||
for a in get_user():
|
||||
print a
|
||||
if args.list:
|
||||
@ -2560,6 +2568,13 @@ index b25d3b2..6e71f00 100755
|
||||
print m
|
||||
|
||||
def generate(args):
|
||||
from sepolicy.generate import policy, USERS, SANDBOX, APPLICATIONS, NEWTYPE
|
||||
cmd = None
|
||||
- if args.policytype not in USERS + [ SANDBOX, NEWTYPE]:
|
||||
+ if args.policytype in APPLICATIONS:
|
||||
if not args.command:
|
||||
raise ValueError(_("Command required for this type of policy"))
|
||||
cmd = os.path.realpath(args.command)
|
||||
@@ -368,10 +389,10 @@ def gen_interface_args(parser):
|
||||
help=_('List SELinux Policy interfaces'))
|
||||
group = itf.add_mutually_exclusive_group(required=True)
|
||||
@ -2793,7 +2808,7 @@ index 5e7415c..5267ed9 100644
|
||||
booleans_dict = None
|
||||
def gen_bool_dict(path="/usr/share/selinux/devel/policy.xml"):
|
||||
diff --git a/policycoreutils/sepolicy/sepolicy/generate.py b/policycoreutils/sepolicy/sepolicy/generate.py
|
||||
index 26f8390..898ec43 100644
|
||||
index 26f8390..95b3ac0 100644
|
||||
--- a/policycoreutils/sepolicy/sepolicy/generate.py
|
||||
+++ b/policycoreutils/sepolicy/sepolicy/generate.py
|
||||
@@ -63,20 +63,6 @@ except IOError:
|
||||
@ -2817,6 +2832,15 @@ index 26f8390..898ec43 100644
|
||||
def get_rpm_nvr_from_header(hdr):
|
||||
'Given an RPM header return the package NVR as a string'
|
||||
name = hdr['name']
|
||||
@@ -164,7 +150,7 @@ def get_poltype_desc():
|
||||
return msg
|
||||
|
||||
APPLICATIONS = [ DAEMON, DBUS, INETD, USER, CGI ]
|
||||
-USERS = [ XUSER, TUSER, LUSER, AUSER, EUSER, RUSER]
|
||||
+USERS = [ XUSER, TUSER, LUSER, AUSER, RUSER]
|
||||
|
||||
def verify_ports(ports):
|
||||
if ports == "":
|
||||
@@ -587,7 +573,7 @@ class policy:
|
||||
def generate_network_action(self, protocol, action, port_name):
|
||||
line = ""
|
||||
@ -2826,7 +2850,15 @@ index 26f8390..898ec43 100644
|
||||
line = "%s(%s_t)\n" % (method, self.name)
|
||||
else:
|
||||
line = """
|
||||
@@ -1037,7 +1023,8 @@ allow %s_t %s_t:%s_socket name_%s;
|
||||
@@ -1030,14 +1016,15 @@ allow %s_t %s_t:%s_socket name_%s;
|
||||
if len(self.DEFAULT_DIRS[d][1]) > 0:
|
||||
# CGI scripts already have a rw_t
|
||||
if self.type != CGI or d != "rw":
|
||||
- newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types)
|
||||
+ newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_types)
|
||||
|
||||
if self.type != EUSER:
|
||||
newte +="""
|
||||
########################################
|
||||
#
|
||||
# %s local policy
|
||||
@ -2836,6 +2868,41 @@ index 26f8390..898ec43 100644
|
||||
newte += self.generate_capabilities()
|
||||
newte += self.generate_process()
|
||||
newte += self.generate_network_types()
|
||||
@@ -1048,11 +1035,20 @@ allow %s_t %s_t:%s_socket name_%s;
|
||||
|
||||
for d in self.DEFAULT_KEYS:
|
||||
if len(self.DEFAULT_DIRS[d][1]) > 0:
|
||||
- newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules)
|
||||
- for i in self.DEFAULT_DIRS[d][1]:
|
||||
- if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]):
|
||||
- newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules)
|
||||
- break
|
||||
+ if self.type == EUSER:
|
||||
+ for domain in self.existing_domains:
|
||||
+ newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_rules)
|
||||
+ else:
|
||||
+ newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_rules)
|
||||
+ for i in self.DEFAULT_DIRS[d][1]:
|
||||
+ if os.path.exists(i) and stat.S_ISSOCK(os.stat(i)[stat.ST_MODE]):
|
||||
+ if self.type == EUSER:
|
||||
+ for domain in self.existing_domains:
|
||||
+ newte += re.sub("TEMPLATETYPE", domain[:-2], self.DEFAULT_DIRS[d][2].te_stream_rules)
|
||||
+
|
||||
+ else:
|
||||
+ newte += re.sub("TEMPLATETYPE", self.name, self.DEFAULT_DIRS[d][2].te_stream_rules)
|
||||
+ break
|
||||
|
||||
newte += self.generate_tmp_rules()
|
||||
newte += self.generate_network_rules()
|
||||
@@ -1079,7 +1075,7 @@ allow %s_t %s_t:%s_socket name_%s;
|
||||
fclist = []
|
||||
if self.type in USERS + [ SANDBOX ]:
|
||||
return executable.fc_user
|
||||
- if self.type != NEWTYPE and not self.program:
|
||||
+ if self.type not in [ EUSER, NEWTYPE ] and not self.program:
|
||||
raise ValueError(_("You must enter the executable path for your confined process"))
|
||||
|
||||
if self.program:
|
||||
diff --git a/policycoreutils/sepolicy/sepolicy/interface.py b/policycoreutils/sepolicy/sepolicy/interface.py
|
||||
index 8b063ca..c9036c3 100644
|
||||
--- a/policycoreutils/sepolicy/sepolicy/interface.py
|
||||
|
||||
@ -7,7 +7,7 @@
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.1.14
|
||||
Release: 24%{?dist}
|
||||
Release: 26%{?dist}
|
||||
License: GPLv2
|
||||
Group: System Environment/Base
|
||||
# Based on git repository with tag 20101221
|
||||
@ -309,6 +309,13 @@ The policycoreutils-restorecond package contains the restorecond service.
|
||||
%{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
|
||||
|
||||
%changelog
|
||||
* Mon Mar 25 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-25
|
||||
- Can not unshare IPC in sandbox, since it blows up Xephyr
|
||||
- Remove bogus error message sandbox about reseting setfsuid
|
||||
|
||||
* Thu Mar 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-24
|
||||
- Fix sepolicy generate --customize to generate policy with -w commands
|
||||
|
||||
* Thu Mar 21 2013 Dan Walsh <dwalsh@redhat.com> - 2.1.14-24
|
||||
- sepolgen-ifgen needs to handle filename transition rules containing ":"
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user