* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-2
- Fix sandbox to complain if mount-shared has not been run - Fix to use /etc/sysconfig/sandbox
This commit is contained in:
Daniel J Walsh
parent
74b91a6fb4
commit
9cc9250b2a
|
|
@ -1690,10 +1690,12 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||
+
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.79/sandbox/Makefile
|
||||
--- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.79/sandbox/Makefile 2010-02-16 13:46:01.000000000 -0500
|
||||
@@ -0,0 +1,31 @@
|
||||
+++ policycoreutils-2.0.79/sandbox/Makefile 2010-02-17 14:53:37.000000000 -0500
|
||||
@@ -0,0 +1,38 @@
|
||||
+# Installation directories.
|
||||
+PREFIX ?= ${DESTDIR}/usr
|
||||
+INITDIR ?= ${DESTDIR}/etc/rc.d/init.d/
|
||||
+SYSCONFDIR ?= ${DESTDIR}/etc/sysconfig
|
||||
+BINDIR ?= $(PREFIX)/bin
|
||||
+SBINDIR ?= $(PREFIX)/sbin
|
||||
+MANDIR ?= $(PREFIX)/share/man
|
||||
|
|
@ -1712,9 +1714,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||
+ install -m 755 sandbox $(BINDIR)
|
||||
+ -mkdir -p $(MANDIR)/man8
|
||||
+ install -m 644 sandbox.8 $(MANDIR)/man8/
|
||||
+ -mkdir -p $(SBINDIR)
|
||||
+ install -m 4755 seunshare $(SBINDIR)/
|
||||
+ -mkdir -p $(SHAREDIR)
|
||||
+ install -m 755 sandboxX.sh $(SHAREDIR)
|
||||
+ -mkdir -p $(INITDIR)
|
||||
+ install -m 755 sandbox.init $(INITDIR)/sandbox
|
||||
+ -mkdir -p $(SYSCONFDIR)
|
||||
+ install -m 644 sandbox.config $(SYSCONFDIR)/sandbox
|
||||
+
|
||||
+clean:
|
||||
+ -rm -f seunshare *.o *~
|
||||
|
|
@ -1725,8 +1732,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||
+relabel:
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.79/sandbox/sandbox
|
||||
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.79/sandbox/sandbox 2010-02-16 13:46:01.000000000 -0500
|
||||
@@ -0,0 +1,360 @@
|
||||
+++ policycoreutils-2.0.79/sandbox/sandbox 2010-02-17 14:50:21.000000000 -0500
|
||||
@@ -0,0 +1,377 @@
|
||||
+#! /usr/bin/python -E
|
||||
+# Authors: Dan Walsh <dwalsh@redhat.com>
|
||||
+# Authors: Josh Cogliati
|
||||
|
|
@ -1899,13 +1906,28 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||
+ fd.close()
|
||||
+ os.chmod(execfile, 0700)
|
||||
+
|
||||
+def validate_home():
|
||||
+ homedir=pwd.getpwuid(os.getuid()).pw_dir
|
||||
+ fd = open("/proc/self/mountinfo", "r")
|
||||
+ recs = fd.readlines()
|
||||
+ fd.close()
|
||||
+ for i in recs:
|
||||
+ x = i.split()
|
||||
+ if x[3] == x[4] and homedir.startswith(x[3]+"/"):
|
||||
+ return
|
||||
+ raise ValueError(_("""
|
||||
+'%s' is required to be a shared mount point for this tool to run.
|
||||
+'%s' can be added to the HOMEDIR variable in /etc/sysconfig/sandbox
|
||||
+ along with a reboot will fix the problem.
|
||||
+""" % ((os.path.dirname(homedir)), os.path.dirname(homedir))))
|
||||
+
|
||||
+if __name__ == '__main__':
|
||||
+ setup_sighandlers()
|
||||
+ if selinux.is_selinux_enabled() != 1:
|
||||
+ error_exit("Requires an SELinux enabled system")
|
||||
+
|
||||
+
|
||||
+ init_files = []
|
||||
+
|
||||
+
|
||||
+ def usage(message = ""):
|
||||
+ text = _("""
|
||||
+sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [[-i file ] ...] [ -t type ] command
|
||||
|
|
@ -1996,6 +2018,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||
+
|
||||
+ try:
|
||||
+ if home_and_temp:
|
||||
+ validate_home()
|
||||
+
|
||||
+ if not os.path.exists("/usr/sbin/seunshare"):
|
||||
+ raise ValueError("""/usr/sbin/seunshare required for sandbox -M, to install you need to execute
|
||||
+#yum install /usr/sbin/seunshare""")
|
||||
|
|
@ -2141,6 +2165,83 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po
|
|||
+.TP
|
||||
+runcon(1)
|
||||
+.PP
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.config policycoreutils-2.0.79/sandbox/sandbox.config
|
||||
--- nsapolicycoreutils/sandbox/sandbox.config 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.79/sandbox/sandbox.config 2010-02-17 13:29:45.000000000 -0500
|
||||
@@ -0,0 +1,2 @@
|
||||
+# Space separate list of homedirs
|
||||
+HOMEDIRS="/home"
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.init policycoreutils-2.0.79/sandbox/sandbox.init
|
||||
--- nsapolicycoreutils/sandbox/sandbox.init 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.79/sandbox/sandbox.init 2010-02-17 13:29:54.000000000 -0500
|
||||
@@ -0,0 +1,67 @@
|
||||
+#!/bin/bash
|
||||
+## BEGIN INIT INFO
|
||||
+# Provides: sandbox
|
||||
+# Default-Start: 3 4 5
|
||||
+# Default-Stop: 0 1 2 3 4 6
|
||||
+# Required-Start:
|
||||
+#
|
||||
+## END INIT INFO
|
||||
+# sandbox: Set up / mountpoint to be shared, /var/tmp, /tmp, /home/sandbox unshared
|
||||
+#
|
||||
+# chkconfig: 345 1 99
|
||||
+#
|
||||
+# Description: sandbox is using pam_namespace to share the /var/tmp, /tmp and
|
||||
+# /home/sandbox accounts. This script will setup the / mount
|
||||
+# point as shared and all of the subdirectories just these
|
||||
+# directories as unshared.
|
||||
+#
|
||||
+
|
||||
+# Source function library.
|
||||
+. /etc/init.d/functions
|
||||
+
|
||||
+HOMEDIRS="/home"
|
||||
+
|
||||
+. /etc/sysconfig/sandbox
|
||||
+
|
||||
+LOCKFILE=/var/lock/subsys/sandbox
|
||||
+
|
||||
+base=${0##*/}
|
||||
+
|
||||
+case "$1" in
|
||||
+ start)
|
||||
+ [ -f "$LOCKFILE" ] && exit 0
|
||||
+
|
||||
+ touch $LOCKFILE
|
||||
+ mount --make-rshared /
|
||||
+ mount --bind /tmp /tmp
|
||||
+ mount --bind /var/tmp /var/tmp
|
||||
+ mount --make-private /tmp
|
||||
+ mount --make-private /var/tmp
|
||||
+ for h in $HOMEDIRS; do
|
||||
+ mount --bind $h $h
|
||||
+ mount --make-private $h
|
||||
+ done
|
||||
+
|
||||
+ RETVAL=$?
|
||||
+ exit $RETVAL
|
||||
+ ;;
|
||||
+
|
||||
+ status)
|
||||
+ if [ -f "$LOCKFILE" ]; then
|
||||
+ echo "$base is running"
|
||||
+ else
|
||||
+ echo "$base is stopped"
|
||||
+ fi
|
||||
+ exit 0
|
||||
+ ;;
|
||||
+
|
||||
+ stop)
|
||||
+ rm -f $LOCKFILE
|
||||
+ exit 0
|
||||
+ ;;
|
||||
+
|
||||
+ *)
|
||||
+ echo $"Usage: $0 {start|stop}"
|
||||
+ exit 3
|
||||
+ ;;
|
||||
+esac
|
||||
diff --exclude-from=exclude --exclude=sepolgen-1.0.19 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/.sandboxSKnKBc/.esd_auth policycoreutils-2.0.79/sandbox/.sandboxSKnKBc/.esd_auth
|
||||
--- nsapolicycoreutils/sandbox/.sandboxSKnKBc/.esd_auth 1969-12-31 19:00:00.000000000 -0500
|
||||
+++ policycoreutils-2.0.79/sandbox/.sandboxSKnKBc/.esd_auth 2010-02-16 13:46:01.000000000 -0500
|
||||
|
|
|
|||
|
|
@ -1,12 +1,13 @@
|
|||
%define libauditver 1.4.2-1
|
||||
%define libsepolver 2.0.38-1
|
||||
%define libsemanagever 2.0.39-1
|
||||
%define libselinuxver 2.0.87-1
|
||||
%define libselinuxver 2.0.90-1
|
||||
%define sepolgenver 1.0.19
|
||||
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.0.79
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: GPLv2+
|
||||
Group: System Environment/Base
|
||||
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
|
||||
|
|
@ -19,7 +20,6 @@ Source5: system-config-selinux.console
|
|||
Source6: selinux-polgengui.desktop
|
||||
Source7: selinux-polgengui.console
|
||||
Source8: policycoreutils_man_ru2.tar.bz2
|
||||
Source9: sandbox.init
|
||||
Patch: policycoreutils-rhat.patch
|
||||
Patch1: policycoreutils-po.patch
|
||||
Patch3: policycoreutils-gui.patch
|
||||
|
|
@ -79,7 +79,6 @@ mkdir -p %{buildroot}%{_mandir}/man8
|
|||
mkdir -p %{buildroot}%{_sysconfdir}/pam.d
|
||||
mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps
|
||||
%{__mkdir} -p %{buildroot}/%{_sysconfdir}/rc.d/init.d
|
||||
install -m0755 %{SOURCE9} %{buildroot}/%{_sysconfdir}/rc.d/init.d/sandbox
|
||||
|
||||
make LSPP_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
|
||||
make -C sepolgen-%{sepolgenver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
|
||||
|
|
@ -128,9 +127,8 @@ The policycoreutils-python package contains the management tools use to manage a
|
|||
%{_bindir}/sepolgen-ifgen
|
||||
%{python_sitelib}/seobject.py*
|
||||
%{python_sitelib}/sepolgen
|
||||
%{python_sitelib}/%{name}
|
||||
%{python_sitelib}/%{name}*.egg-info
|
||||
%{pkgpythondir}/default_encoding_utf8.so
|
||||
%{pkgpythondir}
|
||||
%dir /var/lib/sepolgen
|
||||
%dir /var/lib/selinux
|
||||
/var/lib/sepolgen/perm_map
|
||||
|
|
@ -162,6 +160,8 @@ The policycoreutils-python package contains the scripts to create graphical sand
|
|||
%files sandbox
|
||||
%defattr(-,root,root,-)
|
||||
%{_sysconfdir}/rc.d/init.d/sandbox
|
||||
%config(noreplace) %{_sysconfdir}/sysconfig/sandbox
|
||||
%{_sysconfdir}/sysconfig/sandbox
|
||||
%{_sbindir}/seunshare
|
||||
%{_datadir}/sandbox/sandboxX.sh
|
||||
|
||||
|
|
@ -305,7 +305,11 @@ fi
|
|||
exit 0
|
||||
|
||||
%changelog
|
||||
* Thu Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1
|
||||
* Wed Feb 17 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-2
|
||||
- Fix sandbox to complain if mount-shared has not been run
|
||||
- Fix to use /etc/sysconfig/sandbox
|
||||
|
||||
* Tue Feb 16 2010 Dan Walsh <dwalsh@redhat.com> 2.0.79-1
|
||||
- Update to upstream
|
||||
* Fix double-free in newrole
|
||||
- Fix python language handling
|
||||
|
|
@ -314,7 +318,6 @@ exit 0
|
|||
- Fix display of command in sandbox
|
||||
|
||||
* Fri Feb 5 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-20
|
||||
|
||||
- Catch OSError in semanage
|
||||
|
||||
* Wed Feb 3 2010 Dan Walsh <dwalsh@redhat.com> 2.0.78-19
|
||||
|
|
|
|||
Loading…
Reference in New Issue