* Tue May 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.62-12.7

- Fix sandbox to be able to execute files in homedir
2009-05-26 16:59:13 +00:00 · 2009-05-26 16:59:13 +00:00 · 99f84b1b02
commit 99f84b1b02
parent a422c176e0
2 changed files with 40 additions and 48 deletions
--- a/policycoreutils-F11.patch
+++ b/policycoreutils-F11.patch
@ -17,8 +17,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
 	-mkdir -p $(MANDIR)/man8
 diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.62/scripts/sandbox
 --- nsapolicycoreutils/scripts/sandbox	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.62/scripts/sandbox	2009-05-22 14:11:10.000000000 -0400
-@@ -0,0 +1,149 @@
+++ policycoreutils-2.0.62/scripts/sandbox	2009-05-26 12:30:48.000000000 -0400
+@@ -0,0 +1,138 @@
 +#!/usr/bin/python -E
 +import os, sys, getopt, socket, random, fcntl
 +import selinux
@ -110,55 +110,42 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
 +
 +    setype = "sandbox_t"
 +    mount_ind = False
-+    gopts, cmds = getopt.getopt(sys.argv[1:], "t:m", 
-+                                ["type=", 
-+                                 "mount"])
-+    for o, a in gopts:
-+        if o == "-t" or o == "--type":
-+            setype = a
-+
-+        if o == "-m" or o == "--mount":
-+            mount_ind = True
-+                
-+            
-+    if len(cmds) == 0:
-+           usage(_("Command required"))
-+
-+    os.chdir("/")
-+    execcon, filecon = gen_context(setype)
-+    rc = -1
 +    try:
-+        if mount_ind:
-+            mount(filecon)
+           gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m", 
+                                       ["help",
+                                        "type=", 
+                                        "mount"])
+           for o, a in gopts:
+                  if o == "-t" or o == "--type":
+                         setype = a
+                         
+           if o == "-m" or o == "--mount":
+                  mount_ind = True
+           if o == "-h" or o == "--help":
+                  usage(_("Usage"));
+            
+           if len(cmds) == 0:
+                  usage(_("Command required"))
 +
-+        if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
-+               for i in  os.environ["PATH"].split(':'):
-+                      f = "%s/%s" % (i, cmds[0])
-+                      if os.access(f, os.X_OK):
-+                             cmds[0] = f
-+                             break
+           execcon, filecon = gen_context(setype)
+           rc = -1
+           if mount_ind:
+                  mount(filecon)
 +
-+        setype = selinux.getfilecon(cmds[0])[1].split(":")[2]
-+        if setype == "user_home_t" or setype == "user_tmp_t":
-+               error_exit(_("""
-+Sandboxed applications can not read/execute files labeled as user content;  (%s)
-+Temporarily label '%s" as bin_t, if you want it to run it under a sandbox.
+           if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
+                  for i in  os.environ["PATH"].split(':'):
+                         f = "%s/%s" % (i, cmds[0])
+                         if os.access(f, os.X_OK):
+                                cmds[0] = f
+                                break
 +
-+chcon -t bin_t %s
-+
-+restorecon %s
-+
-+Will set the executable back to the correct context.
-+""") % (setype, cmds[0], cmds[0], cmds[0]) )
-+
-+        selinux.setexeccon(execcon)
-+        rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
-+        selinux.setexeccon(None)
-+
-+        if mount_ind:
-+            umount(filecon)
-+
-+    except getopt.error, error:
+           selinux.setexeccon(execcon)
+           rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+           selinux.setexeccon(None)
+           
+           if mount_ind:
+                  umount(filecon)
+    except getopt.GetoptError, error:
 +        usage(_("Options Error %s ") % error.msg)
 +    except ValueError, error:
 +        error_exit(error.args[0])
@ -166,6 +153,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po
 +        error_exit(_("Invalid value %s") % error.args[0])
 +    except IOError, error:
 +        error_exit(error.args[1])
+    except OSError, error:
+        error_exit(error.args[1])
 +        
 +    sys.exit(rc)
 diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.62/scripts/sandbox.8
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.62
-Release: 12.6%{?dist}
+Release: 12.7%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@ -224,6 +224,9 @@ else
 fi

 %changelog
+* Tue May 26 2009 Dan Walsh <dwalsh@redhat.com> 2.0.62-12.7
+- Fix sandbox to be able to execute files in homedir
+
 * Fri May 22 2009 Dan Walsh <dwalsh@redhat.com> 2.0.62-12.6
 - Add sandbox script