rpms
/
policycoreutils
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_* 

This will allow default sandboxes to work on NFS homedirs without allowing
access to homedir data
This commit is contained in:
Dan Walsh 2011-03-14 16:23:10 -04:00
parent 65350da6d3
commit 9f8f4e973f
2 changed files with 46 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

56
policycoreutils-rhat.patch
View File

@ -1639,7 +1639,7 @@ index ff0ee7c..0c8a085 100644
test: test:
@python test_sandbox.py -v @python test_sandbox.py -v
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 48a26c2..d1037bd 100644 index 48a26c2..b815af2 100644
--- a/policycoreutils/sandbox/sandbox --- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox
@@ -1,5 +1,6 @@ @@ -1,5 +1,6 @@
@ -1650,7 +1650,7 @@ index 48a26c2..d1037bd 100644
# Authors: Josh Cogliati # Authors: Josh Cogliati
# #
# Copyright (C) 2009,2010 Red Hat # Copyright (C) 2009,2010 Red Hat
@@ -19,15 +20,18 @@ @@ -19,15 +20,17 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
# #
@ -1664,14 +1664,14 @@ index 48a26c2..d1037bd 100644
+import setools +import setools
PROGNAME = "policycoreutils" PROGNAME = "policycoreutils"
HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir -HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir
- -
+SEUNSHARE = "/usr/sbin/seunshare" +SEUNSHARE = "/usr/sbin/seunshare"
+SANDBOXSH = "/usr/share/sandbox/sandboxX.sh" +SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
import gettext import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale") gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME) gettext.textdomain(PROGNAME)
@@ -41,6 +45,7 @@ except IOError: @@ -41,6 +44,7 @@ except IOError:
import __builtin__ import __builtin__
__builtin__.__dict__['_'] = unicode __builtin__.__dict__['_'] = unicode
@ -1679,7 +1679,7 @@ index 48a26c2..d1037bd 100644
DEFAULT_TYPE = "sandbox_t" DEFAULT_TYPE = "sandbox_t"
DEFAULT_X_TYPE = "sandbox_x_t" DEFAULT_X_TYPE = "sandbox_x_t"
SAVE_FILES = {} SAVE_FILES = {}
@@ -63,15 +68,15 @@ def error_exit(msg): @@ -63,15 +67,15 @@ def error_exit(msg):
sys.stderr.flush() sys.stderr.flush()
sys.exit(1) sys.exit(1)
@ -1699,7 +1699,7 @@ index 48a26c2..d1037bd 100644
if not os.path.exists(newdir): if not os.path.exists(newdir):
os.makedirs(newdir) os.makedirs(newdir)
dest = newdir + "/" + bname dest = newdir + "/" + bname
@@ -81,9 +86,10 @@ def copyfile(file, dir, dest): @@ -81,9 +85,10 @@ def copyfile(file, dir, dest):
shutil.copytree(file, dest) shutil.copytree(file, dest)
else: else:
shutil.copy2(file, dest) shutil.copy2(file, dest)
@ -1712,7 +1712,7 @@ index 48a26c2..d1037bd 100644
SAVE_FILES[file] = (dest, os.path.getmtime(dest)) SAVE_FILES[file] = (dest, os.path.getmtime(dest))
@@ -161,10 +167,10 @@ class Sandbox: @@ -161,10 +166,10 @@ class Sandbox:
if not self.__options.homedir or not self.__options.tmpdir: if not self.__options.homedir or not self.__options.tmpdir:
self.usage(_("Homedir and tempdir required for level mounts")) self.usage(_("Homedir and tempdir required for level mounts"))
@ -1726,7 +1726,7 @@ index 48a26c2..d1037bd 100644
def __mount_callback(self, option, opt, value, parser): def __mount_callback(self, option, opt, value, parser):
self.__mount = True self.__mount = True
@@ -172,6 +178,15 @@ class Sandbox: @@ -172,6 +177,15 @@ class Sandbox:
def __x_callback(self, option, opt, value, parser): def __x_callback(self, option, opt, value, parser):
self.__mount = True self.__mount = True
setattr(parser.values, option.dest, True) setattr(parser.values, option.dest, True)
@ -1742,7 +1742,7 @@ index 48a26c2..d1037bd 100644
def __validdir(self, option, opt, value, parser): def __validdir(self, option, opt, value, parser):
if not os.path.isdir(value): if not os.path.isdir(value):
@@ -194,6 +209,8 @@ class Sandbox: @@ -194,6 +208,8 @@ class Sandbox:
self.__include(option, opt, i[:-1], parser) self.__include(option, opt, i[:-1], parser)
except IOError, e: except IOError, e:
sys.stderr.write(str(e)) sys.stderr.write(str(e))
@ -1751,7 +1751,7 @@ index 48a26c2..d1037bd 100644
fd.close() fd.close()
def __copyfiles(self): def __copyfiles(self):
@@ -212,13 +229,15 @@ class Sandbox: @@ -212,13 +228,15 @@ class Sandbox:
/etc/gdm/Xsession /etc/gdm/Xsession
""") """)
else: else:
@ -1769,7 +1769,7 @@ index 48a26c2..d1037bd 100644
kill -TERM $WM_PID 2> /dev/null kill -TERM $WM_PID 2> /dev/null
""" % (command, wm, command)) """ % (command, wm, command))
fd.close() fd.close()
@@ -226,14 +245,25 @@ kill -TERM $WM_PID 2> /dev/null @@ -226,14 +244,25 @@ kill -TERM $WM_PID 2> /dev/null
def usage(self, message = ""): def usage(self, message = ""):
error_exit("%s\n%s" % (self.__parser.usage, message)) error_exit("%s\n%s" % (self.__parser.usage, message))
@ -1799,7 +1799,7 @@ index 48a26c2..d1037bd 100644
parser = OptionParser(version=self.VERSION, usage=usage) parser = OptionParser(version=self.VERSION, usage=usage)
parser.disable_interspersed_args() parser.disable_interspersed_args()
@@ -268,6 +298,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- @@ -268,6 +297,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
action="callback", callback=self.__validdir, action="callback", callback=self.__validdir,
help=_("alternate /tmp directory to use for mounting")) help=_("alternate /tmp directory to use for mounting"))
@ -1810,7 +1810,7 @@ index 48a26c2..d1037bd 100644
parser.add_option("-W", "--windowmanager", dest="wm", parser.add_option("-W", "--windowmanager", dest="wm",
type="string", type="string",
default="/usr/bin/matchbox-window-manager -use_titlebar no", default="/usr/bin/matchbox-window-manager -use_titlebar no",
@@ -276,13 +310,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- @@ -276,13 +309,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-l", "--level", dest="level", parser.add_option("-l", "--level", dest="level",
help=_("MCS/MLS level for the sandbox")) help=_("MCS/MLS level for the sandbox"))
@ -1829,7 +1829,7 @@ index 48a26c2..d1037bd 100644
if self.__options.setype: if self.__options.setype:
self.setype = self.__options.setype self.setype = self.__options.setype
@@ -299,6 +337,9 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- @@ -299,6 +336,9 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
self.__options.X_ind = True self.__options.X_ind = True
self.__homedir = self.__options.homedir self.__homedir = self.__options.homedir
self.__tmpdir = self.__options.tmpdir self.__tmpdir = self.__options.tmpdir
@ -1839,7 +1839,31 @@ index 48a26c2..d1037bd 100644
else: else:
if len(cmds) == 0: if len(cmds) == 0:
self.usage(_("Command required")) self.usage(_("Command required"))
@@ -351,22 +392,24 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [- @@ -329,44 +369,43 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
def __setup_dir(self):
if self.__options.level or self.__options.session:
return
- sandboxdir = HOMEDIR + "/.sandbox"
- if not os.path.exists(sandboxdir):
- os.mkdir(sandboxdir)
if self.__options.homedir:
selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)
self.__homedir = self.__options.homedir
else:
selinux.setfscreatecon(self.__filecon)
- self.__homedir = mkdtemp(dir=sandboxdir, prefix=".sandbox")
+ self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_")
if self.__options.tmpdir:
selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True)
self.__tmpdir = self.__options.tmpdir
else:
selinux.setfscreatecon(self.__filecon)
- self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox")
+ self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_")
selinux.setfscreatecon(None)
self.__copyfiles()
def __execute(self): def __execute(self):
try: try:
@ -1879,7 +1903,7 @@ index 48a26c2..d1037bd 100644
selinux.setexeccon(self.__execcon) selinux.setexeccon(self.__execcon)
rc = subprocess.Popen(self.__cmds).wait() rc = subprocess.Popen(self.__cmds).wait()
@@ -404,7 +447,7 @@ if __name__ == '__main__': @@ -404,7 +443,7 @@ if __name__ == '__main__':
sandbox = Sandbox() sandbox = Sandbox()
rc = sandbox.main() rc = sandbox.main()
except OSError, error: except OSError, error:

7
policycoreutils.spec
View File

@ -7,7 +7,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 2.0.85 Version: 2.0.85
Release: 20%{?dist} Release: 21%{?dist}
License: GPLv2 License: GPLv2
Group: System Environment/Base Group: System Environment/Base
# Based on git repository with tag 20101221 # Based on git repository with tag 20101221
@ -331,6 +331,11 @@ fi
exit 0 exit 0
%changelog %changelog
* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-21
- change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
- This will allow default sandboxes to work on NFS homedirs without allowing
access to homedir data
* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-20 * Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-20
- Change sepolgen-ifgen to search all available policy files - Change sepolgen-ifgen to search all available policy files
- Exit in restorecond if it can not find a UID in the passwd database - Exit in restorecond if it can not find a UID in the passwd database