- Apply patch for org.selinux.policy to not be desktop centric from stefw@redhat.com

- at_console should not be used any longer - seunshare: Use setcurrent before setexec
2014-05-07 10:24:43 +02:00 · 2014-05-07 10:24:43 +02:00 · 9c179d530d
parent 20f67e146b
commit 9c179d530d
4 changed files with 197 additions and 1 deletions
--- a/0001-seunshare-Try-to-use-setcurrent-before-setexec.patch
+++ b/0001-seunshare-Try-to-use-setcurrent-before-setexec.patch
@ -0,0 +1,62 @@
+From 8b8915f36a1db76bbdd9695f0bb450132b67f2ca Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Wed, 30 Apr 2014 21:59:37 -0700
+Subject: [PATCH 1/3] seunshare: Try to use setcurrent before setexec
+
+If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
+libcap-ng set, setexeccon will cause execve to fail.  This also
+makes setting selinux context the very last action taken by
+seunshare prior to exec, as it may otherwise cause things to fail.
+
+Note that this won't work without adjusting the system policy to
+allow this use of setcurrent.  This rule appears to work:
+
+    allow unconfined_t sandbox_t:process dyntransition;
+
+although a better rule would probably relax the unconfined_t
+restriction.
+
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+---
+ policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
+index 97f3920..fe40757 100644
+--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
+@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
+ 			goto childerr;
+ 		}
+ 
+-		/* selinux context */
+-		if (execcon && setexeccon(execcon) != 0) {
+-			fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+-			goto childerr;
+-		}
+-
+ 		if (chdir(pwd->pw_dir)) {
+ 			perror(_("Failed to change dir to homedir"));
+ 			goto childerr;
+ 		}
+ 		setsid();
+
+		/* selinux context */
+		if (execcon) {
+			/* try dyntransition, since no_new_privs can interfere
+			 * with setexeccon */
+			if (setcon(execcon) != 0) {
+				/* failed; fall back to setexeccon */
+				if (setexeccon(execcon) != 0) {
+					fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+					goto childerr;
+				}
+			}
+		}
+
+ 		execv(argv[optind], argv + optind);
+ 		fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
+ childerr:
+-- 
+1.9.0
+
--- a/0002-at_console-should-not-be-used-any-longer.patch
+++ b/0002-at_console-should-not-be-used-any-longer.patch
@ -0,0 +1,30 @@
+From 84bff58282256f52a25cec2f36c9831daea48987 Mon Sep 17 00:00:00 2001
+From: Dan Walsh <dwalsh@redhat.com>
+Date: Tue, 6 May 2014 14:38:41 -0400
+Subject: [PATCH 2/3] at_console should not be used any longer
+
+---
+ policycoreutils/sepolicy/org.selinux.conf | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/policycoreutils/sepolicy/org.selinux.conf b/policycoreutils/sepolicy/org.selinux.conf
+index a350978..1ae079d 100644
+--- a/policycoreutils/sepolicy/org.selinux.conf
+++ b/policycoreutils/sepolicy/org.selinux.conf
+@@ -12,12 +12,8 @@
+ 
+   <!-- Allow anyone to invoke methods on the interfaces,
+        authorization is performed by PolicyKit -->
+-  <policy at_console="true">
+-    <allow send_destination="org.selinux"/>
+-  </policy>
+   <policy context="default">
+-    <allow send_destination="org.selinux"
+-	   send_interface="org.freedesktop.DBus.Introspectable"/>
+    <allow send_destination="org.selinux"/>
+   </policy>
+ 
+ </busconfig>
+-- 
+1.9.0
+
--- a/0003-Apply-patch-for-org.selinux.policy-to-not-be-desktop.patch
+++ b/0003-Apply-patch-for-org.selinux.policy-to-not-be-desktop.patch
@ -0,0 +1,93 @@
+From 7a69cd9e185055fc8e096b466923d8712263a9e8 Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl <mgrepl@redhat.com>
+Date: Wed, 7 May 2014 10:18:57 +0200
+Subject: [PATCH 3/3] Apply patch for org.selinux.policy to not be desktop
+ centric from stefw@redhat.com
+
+---
+ policycoreutils/sepolicy/org.selinux.policy | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy
+index 4023bca..ddd9caa 100644
+--- a/policycoreutils/sepolicy/org.selinux.policy
+++ b/policycoreutils/sepolicy/org.selinux.policy
+@@ -11,7 +11,7 @@
+         <description>SELinux write access</description>
+         <message>System policy prevents restorecon access to SELinux</message>
+         <defaults>
+-            <allow_any>no</allow_any>
+            <allow_any>auth_admin</allow_any>
+             <allow_inactive>no</allow_inactive>
+             <allow_active>auth_admin_keep</allow_active>
+         </defaults>
+@@ -20,7 +20,7 @@
+         <description>SELinux write access</description>
+         <message>System policy prevents setenforce access to SELinux</message>
+         <defaults>
+-            <allow_any>no</allow_any>
+            <allow_any>auth_admin</allow_any>
+             <allow_inactive>no</allow_inactive>
+             <allow_active>auth_admin_keep</allow_active>
+         </defaults>
+@@ -29,7 +29,7 @@
+         <description>SELinux write access</description>
+         <message>System policy prevents semanage access to SELinux</message>
+         <defaults>
+-            <allow_any>no</allow_any>
+            <allow_any>auth_admin</allow_any>
+             <allow_inactive>no</allow_inactive>
+             <allow_active>auth_admin_keep</allow_active>
+         </defaults>
+@@ -38,8 +38,8 @@
+         <description>SELinux Read access</description>
+         <message>System policy prevents read access to SELinux</message>
+         <defaults>
+-          <allow_any>no</allow_any>
+-          <allow_inactive>no</allow_inactive>
+          <allow_any>yes</allow_any>
+          <allow_inactive>yes</allow_inactive>
+ 	  <allow_active>yes</allow_active>
+         </defaults>
+     </action>
+@@ -47,8 +47,8 @@
+         <description>SELinux list modules access</description>
+         <message>System policy prevents read access to SELinux modules</message>
+         <defaults>
+-          <allow_any>no</allow_any>
+-          <allow_inactive>no</allow_inactive>
+          <allow_any>yes</allow_any>
+          <allow_inactive>yes</allow_inactive>
+ 	  <allow_active>yes</allow_active>
+         </defaults>
+     </action>
+@@ -56,7 +56,7 @@
+         <description>SELinux write access</description>
+         <message>System policy prevents relabel_on_boot access to SELinux</message>
+         <defaults>
+-          <allow_any>no</allow_any>
+          <allow_any>auth_admin</allow_any>
+           <allow_inactive>no</allow_inactive>
+ 	  <allow_active>auth_admin_keep</allow_active>
+         </defaults>
+@@ -65,7 +65,7 @@
+         <description>SELinux write access</description>
+         <message>System policy prevents change_default_policy access to SELinux</message>
+         <defaults>
+-          <allow_any>no</allow_any>
+          <allow_any>auth_admin</allow_any>
+           <allow_inactive>no</allow_inactive>
+ 	  <allow_active>auth_admin_keep</allow_active>
+         </defaults>
+@@ -74,7 +74,7 @@
+         <description>Change SELinux default enforcing mode</description>
+         <message>System policy prevents change_default_policy access to SELinux</message>
+         <defaults>
+-          <allow_any>no</allow_any>
+          <allow_any>auth_admin</allow_any>
+           <allow_inactive>no</allow_inactive>
+ 	  <allow_active>auth_admin_keep</allow_active>
+         </defaults>
+-- 
+1.9.0
+
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.2.5
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@ -18,6 +18,9 @@ Source2: policycoreutils_man_ru2.tar.bz2
 Source3: system-config-selinux.png
 Source4: sepolicy-icons.tgz
 Patch:	 policycoreutils-rhat.patch
+Patch1:  0001-seunshare-Try-to-use-setcurrent-before-setexec.patch
+Patch2:  0002-at_console-should-not-be-used-any-longer.patch
+Patch3:  0003-Apply-patch-for-org.selinux.policy-to-not-be-desktop.patch
 #Patch1:	 policycoreutils-sepolgen.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3
@ -49,6 +52,9 @@ to switch roles.
 %prep
 %setup -q -a 1
 %patch -p2 -b .rhat
+%patch1 -p2 -b .seunshare
+%patch2 -p2 -b .at_console
+%patch3 -p2 -b .org.selinux
 #%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
 cp %{SOURCE3} gui/
 tar xvf %{SOURCE4}
@ -347,6 +353,11 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service

 %changelog
+* Wed May 7 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.2.5-4
+- Apply patch for org.selinux.policy to not be desktop centric from stefw@redhat.com
+- at_console should not be used any longer
+- seunshare: Use setcurrent before setexec
+
 * Thu Jan 16 2014 Dan Walsh <dwalsh@redhat.com> - 2.2.5-3
 - Add Miroslav patch to
 - Fix previously_modified_initialize() to show modified changes properly for all selections