- Apply patch for org.selinux.policy to not be desktop centric from stefw@redhat.com
- at_console should not be used any longer - seunshare: Use setcurrent before setexec
This commit is contained in:
parent
20f67e146b
commit
9c179d530d
|
@ -0,0 +1,62 @@
|
|||
From 8b8915f36a1db76bbdd9695f0bb450132b67f2ca Mon Sep 17 00:00:00 2001
|
||||
From: Andy Lutomirski <luto@amacapital.net>
|
||||
Date: Wed, 30 Apr 2014 21:59:37 -0700
|
||||
Subject: [PATCH 1/3] seunshare: Try to use setcurrent before setexec
|
||||
|
||||
If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
|
||||
libcap-ng set, setexeccon will cause execve to fail. This also
|
||||
makes setting selinux context the very last action taken by
|
||||
seunshare prior to exec, as it may otherwise cause things to fail.
|
||||
|
||||
Note that this won't work without adjusting the system policy to
|
||||
allow this use of setcurrent. This rule appears to work:
|
||||
|
||||
allow unconfined_t sandbox_t:process dyntransition;
|
||||
|
||||
although a better rule would probably relax the unconfined_t
|
||||
restriction.
|
||||
|
||||
Signed-off-by: Andy Lutomirski <luto@amacapital.net>
|
||||
---
|
||||
policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
|
||||
1 file changed, 14 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
|
||||
index 97f3920..fe40757 100644
|
||||
--- a/policycoreutils/sandbox/seunshare.c
|
||||
+++ b/policycoreutils/sandbox/seunshare.c
|
||||
@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
|
||||
goto childerr;
|
||||
}
|
||||
|
||||
- /* selinux context */
|
||||
- if (execcon && setexeccon(execcon) != 0) {
|
||||
- fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
|
||||
- goto childerr;
|
||||
- }
|
||||
-
|
||||
if (chdir(pwd->pw_dir)) {
|
||||
perror(_("Failed to change dir to homedir"));
|
||||
goto childerr;
|
||||
}
|
||||
setsid();
|
||||
+
|
||||
+ /* selinux context */
|
||||
+ if (execcon) {
|
||||
+ /* try dyntransition, since no_new_privs can interfere
|
||||
+ * with setexeccon */
|
||||
+ if (setcon(execcon) != 0) {
|
||||
+ /* failed; fall back to setexeccon */
|
||||
+ if (setexeccon(execcon) != 0) {
|
||||
+ fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
|
||||
+ goto childerr;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
execv(argv[optind], argv + optind);
|
||||
fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
|
||||
childerr:
|
||||
--
|
||||
1.9.0
|
||||
|
|
@ -0,0 +1,30 @@
|
|||
From 84bff58282256f52a25cec2f36c9831daea48987 Mon Sep 17 00:00:00 2001
|
||||
From: Dan Walsh <dwalsh@redhat.com>
|
||||
Date: Tue, 6 May 2014 14:38:41 -0400
|
||||
Subject: [PATCH 2/3] at_console should not be used any longer
|
||||
|
||||
---
|
||||
policycoreutils/sepolicy/org.selinux.conf | 6 +-----
|
||||
1 file changed, 1 insertion(+), 5 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/sepolicy/org.selinux.conf b/policycoreutils/sepolicy/org.selinux.conf
|
||||
index a350978..1ae079d 100644
|
||||
--- a/policycoreutils/sepolicy/org.selinux.conf
|
||||
+++ b/policycoreutils/sepolicy/org.selinux.conf
|
||||
@@ -12,12 +12,8 @@
|
||||
|
||||
<!-- Allow anyone to invoke methods on the interfaces,
|
||||
authorization is performed by PolicyKit -->
|
||||
- <policy at_console="true">
|
||||
- <allow send_destination="org.selinux"/>
|
||||
- </policy>
|
||||
<policy context="default">
|
||||
- <allow send_destination="org.selinux"
|
||||
- send_interface="org.freedesktop.DBus.Introspectable"/>
|
||||
+ <allow send_destination="org.selinux"/>
|
||||
</policy>
|
||||
|
||||
</busconfig>
|
||||
--
|
||||
1.9.0
|
||||
|
|
@ -0,0 +1,93 @@
|
|||
From 7a69cd9e185055fc8e096b466923d8712263a9e8 Mon Sep 17 00:00:00 2001
|
||||
From: Miroslav Grepl <mgrepl@redhat.com>
|
||||
Date: Wed, 7 May 2014 10:18:57 +0200
|
||||
Subject: [PATCH 3/3] Apply patch for org.selinux.policy to not be desktop
|
||||
centric from stefw@redhat.com
|
||||
|
||||
---
|
||||
policycoreutils/sepolicy/org.selinux.policy | 20 ++++++++++----------
|
||||
1 file changed, 10 insertions(+), 10 deletions(-)
|
||||
|
||||
diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy
|
||||
index 4023bca..ddd9caa 100644
|
||||
--- a/policycoreutils/sepolicy/org.selinux.policy
|
||||
+++ b/policycoreutils/sepolicy/org.selinux.policy
|
||||
@@ -11,7 +11,7 @@
|
||||
<description>SELinux write access</description>
|
||||
<message>System policy prevents restorecon access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
+ <allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
@@ -20,7 +20,7 @@
|
||||
<description>SELinux write access</description>
|
||||
<message>System policy prevents setenforce access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
+ <allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
@@ -29,7 +29,7 @@
|
||||
<description>SELinux write access</description>
|
||||
<message>System policy prevents semanage access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
+ <allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
@@ -38,8 +38,8 @@
|
||||
<description>SELinux Read access</description>
|
||||
<message>System policy prevents read access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
- <allow_inactive>no</allow_inactive>
|
||||
+ <allow_any>yes</allow_any>
|
||||
+ <allow_inactive>yes</allow_inactive>
|
||||
<allow_active>yes</allow_active>
|
||||
</defaults>
|
||||
</action>
|
||||
@@ -47,8 +47,8 @@
|
||||
<description>SELinux list modules access</description>
|
||||
<message>System policy prevents read access to SELinux modules</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
- <allow_inactive>no</allow_inactive>
|
||||
+ <allow_any>yes</allow_any>
|
||||
+ <allow_inactive>yes</allow_inactive>
|
||||
<allow_active>yes</allow_active>
|
||||
</defaults>
|
||||
</action>
|
||||
@@ -56,7 +56,7 @@
|
||||
<description>SELinux write access</description>
|
||||
<message>System policy prevents relabel_on_boot access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
+ <allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
@@ -65,7 +65,7 @@
|
||||
<description>SELinux write access</description>
|
||||
<message>System policy prevents change_default_policy access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
+ <allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
@@ -74,7 +74,7 @@
|
||||
<description>Change SELinux default enforcing mode</description>
|
||||
<message>System policy prevents change_default_policy access to SELinux</message>
|
||||
<defaults>
|
||||
- <allow_any>no</allow_any>
|
||||
+ <allow_any>auth_admin</allow_any>
|
||||
<allow_inactive>no</allow_inactive>
|
||||
<allow_active>auth_admin_keep</allow_active>
|
||||
</defaults>
|
||||
--
|
||||
1.9.0
|
||||
|
|
@ -7,7 +7,7 @@
|
|||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.2.5
|
||||
Release: 3%{?dist}
|
||||
Release: 4%{?dist}
|
||||
License: GPLv2
|
||||
Group: System Environment/Base
|
||||
# Based on git repository with tag 20101221
|
||||
|
@ -18,6 +18,9 @@ Source2: policycoreutils_man_ru2.tar.bz2
|
|||
Source3: system-config-selinux.png
|
||||
Source4: sepolicy-icons.tgz
|
||||
Patch: policycoreutils-rhat.patch
|
||||
Patch1: 0001-seunshare-Try-to-use-setcurrent-before-setexec.patch
|
||||
Patch2: 0002-at_console-should-not-be-used-any-longer.patch
|
||||
Patch3: 0003-Apply-patch-for-org.selinux.policy-to-not-be-desktop.patch
|
||||
#Patch1: policycoreutils-sepolgen.patch
|
||||
Obsoletes: policycoreutils < 2.0.61-2
|
||||
Conflicts: filesystem < 3
|
||||
|
@ -49,6 +52,9 @@ to switch roles.
|
|||
%prep
|
||||
%setup -q -a 1
|
||||
%patch -p2 -b .rhat
|
||||
%patch1 -p2 -b .seunshare
|
||||
%patch2 -p2 -b .at_console
|
||||
%patch3 -p2 -b .org.selinux
|
||||
#%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
|
||||
cp %{SOURCE3} gui/
|
||||
tar xvf %{SOURCE4}
|
||||
|
@ -347,6 +353,11 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||
%systemd_postun_with_restart restorecond.service
|
||||
|
||||
%changelog
|
||||
* Wed May 7 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.2.5-4
|
||||
- Apply patch for org.selinux.policy to not be desktop centric from stefw@redhat.com
|
||||
- at_console should not be used any longer
|
||||
- seunshare: Use setcurrent before setexec
|
||||
|
||||
* Thu Jan 16 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.5-3
|
||||
- Add Miroslav patch to
|
||||
- Fix previously_modified_initialize() to show modified changes properly for all selections
|
||||
|
|
Loading…
Reference in New Issue