change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
This will allow default sandboxes to work on NFS homedirs without allowing access to homedir data
parent
65350da6d3
commit
9f8f4e973f
|
@ -1639,7 +1639,7 @@ index ff0ee7c..0c8a085 100644
|
||||||
test:
|
test:
|
||||||
@python test_sandbox.py -v
|
@python test_sandbox.py -v
|
||||||
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
|
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
|
||||||
index 48a26c2..d1037bd 100644
|
index 48a26c2..b815af2 100644
|
||||||
--- a/policycoreutils/sandbox/sandbox
|
--- a/policycoreutils/sandbox/sandbox
|
||||||
+++ b/policycoreutils/sandbox/sandbox
|
+++ b/policycoreutils/sandbox/sandbox
|
||||||
@@ -1,5 +1,6 @@
|
@@ -1,5 +1,6 @@
|
||||||
|
@ -1650,7 +1650,7 @@ index 48a26c2..d1037bd 100644
|
||||||
# Authors: Josh Cogliati
|
# Authors: Josh Cogliati
|
||||||
#
|
#
|
||||||
# Copyright (C) 2009,2010 Red Hat
|
# Copyright (C) 2009,2010 Red Hat
|
||||||
@@ -19,15 +20,18 @@
|
@@ -19,15 +20,17 @@
|
||||||
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||||
#
|
#
|
||||||
|
|
||||||
|
@ -1664,14 +1664,14 @@ index 48a26c2..d1037bd 100644
|
||||||
+import setools
|
+import setools
|
||||||
|
|
||||||
PROGNAME = "policycoreutils"
|
PROGNAME = "policycoreutils"
|
||||||
HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir
|
-HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir
|
||||||
-
|
-
|
||||||
+SEUNSHARE = "/usr/sbin/seunshare"
|
+SEUNSHARE = "/usr/sbin/seunshare"
|
||||||
+SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
|
+SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
|
||||||
import gettext
|
import gettext
|
||||||
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
||||||
gettext.textdomain(PROGNAME)
|
gettext.textdomain(PROGNAME)
|
||||||
@@ -41,6 +45,7 @@ except IOError:
|
@@ -41,6 +44,7 @@ except IOError:
|
||||||
import __builtin__
|
import __builtin__
|
||||||
__builtin__.__dict__['_'] = unicode
|
__builtin__.__dict__['_'] = unicode
|
||||||
|
|
||||||
|
@ -1679,7 +1679,7 @@ index 48a26c2..d1037bd 100644
|
||||||
DEFAULT_TYPE = "sandbox_t"
|
DEFAULT_TYPE = "sandbox_t"
|
||||||
DEFAULT_X_TYPE = "sandbox_x_t"
|
DEFAULT_X_TYPE = "sandbox_x_t"
|
||||||
SAVE_FILES = {}
|
SAVE_FILES = {}
|
||||||
@@ -63,15 +68,15 @@ def error_exit(msg):
|
@@ -63,15 +67,15 @@ def error_exit(msg):
|
||||||
sys.stderr.flush()
|
sys.stderr.flush()
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
|
@ -1699,7 +1699,7 @@ index 48a26c2..d1037bd 100644
|
||||||
if not os.path.exists(newdir):
|
if not os.path.exists(newdir):
|
||||||
os.makedirs(newdir)
|
os.makedirs(newdir)
|
||||||
dest = newdir + "/" + bname
|
dest = newdir + "/" + bname
|
||||||
@@ -81,9 +86,10 @@ def copyfile(file, dir, dest):
|
@@ -81,9 +85,10 @@ def copyfile(file, dir, dest):
|
||||||
shutil.copytree(file, dest)
|
shutil.copytree(file, dest)
|
||||||
else:
|
else:
|
||||||
shutil.copy2(file, dest)
|
shutil.copy2(file, dest)
|
||||||
|
@ -1712,7 +1712,7 @@ index 48a26c2..d1037bd 100644
|
||||||
|
|
||||||
SAVE_FILES[file] = (dest, os.path.getmtime(dest))
|
SAVE_FILES[file] = (dest, os.path.getmtime(dest))
|
||||||
|
|
||||||
@@ -161,10 +167,10 @@ class Sandbox:
|
@@ -161,10 +166,10 @@ class Sandbox:
|
||||||
if not self.__options.homedir or not self.__options.tmpdir:
|
if not self.__options.homedir or not self.__options.tmpdir:
|
||||||
self.usage(_("Homedir and tempdir required for level mounts"))
|
self.usage(_("Homedir and tempdir required for level mounts"))
|
||||||
|
|
||||||
|
@ -1726,7 +1726,7 @@ index 48a26c2..d1037bd 100644
|
||||||
|
|
||||||
def __mount_callback(self, option, opt, value, parser):
|
def __mount_callback(self, option, opt, value, parser):
|
||||||
self.__mount = True
|
self.__mount = True
|
||||||
@@ -172,6 +178,15 @@ class Sandbox:
|
@@ -172,6 +177,15 @@ class Sandbox:
|
||||||
def __x_callback(self, option, opt, value, parser):
|
def __x_callback(self, option, opt, value, parser):
|
||||||
self.__mount = True
|
self.__mount = True
|
||||||
setattr(parser.values, option.dest, True)
|
setattr(parser.values, option.dest, True)
|
||||||
|
@ -1742,7 +1742,7 @@ index 48a26c2..d1037bd 100644
|
||||||
|
|
||||||
def __validdir(self, option, opt, value, parser):
|
def __validdir(self, option, opt, value, parser):
|
||||||
if not os.path.isdir(value):
|
if not os.path.isdir(value):
|
||||||
@@ -194,6 +209,8 @@ class Sandbox:
|
@@ -194,6 +208,8 @@ class Sandbox:
|
||||||
self.__include(option, opt, i[:-1], parser)
|
self.__include(option, opt, i[:-1], parser)
|
||||||
except IOError, e:
|
except IOError, e:
|
||||||
sys.stderr.write(str(e))
|
sys.stderr.write(str(e))
|
||||||
|
@ -1751,7 +1751,7 @@ index 48a26c2..d1037bd 100644
|
||||||
fd.close()
|
fd.close()
|
||||||
|
|
||||||
def __copyfiles(self):
|
def __copyfiles(self):
|
||||||
@@ -212,13 +229,15 @@ class Sandbox:
|
@@ -212,13 +228,15 @@ class Sandbox:
|
||||||
/etc/gdm/Xsession
|
/etc/gdm/Xsession
|
||||||
""")
|
""")
|
||||||
else:
|
else:
|
||||||
|
@ -1769,7 +1769,7 @@ index 48a26c2..d1037bd 100644
|
||||||
kill -TERM $WM_PID 2> /dev/null
|
kill -TERM $WM_PID 2> /dev/null
|
||||||
""" % (command, wm, command))
|
""" % (command, wm, command))
|
||||||
fd.close()
|
fd.close()
|
||||||
@@ -226,14 +245,25 @@ kill -TERM $WM_PID 2> /dev/null
|
@@ -226,14 +244,25 @@ kill -TERM $WM_PID 2> /dev/null
|
||||||
|
|
||||||
def usage(self, message = ""):
|
def usage(self, message = ""):
|
||||||
error_exit("%s\n%s" % (self.__parser.usage, message))
|
error_exit("%s\n%s" % (self.__parser.usage, message))
|
||||||
|
@ -1799,7 +1799,7 @@ index 48a26c2..d1037bd 100644
|
||||||
|
|
||||||
parser = OptionParser(version=self.VERSION, usage=usage)
|
parser = OptionParser(version=self.VERSION, usage=usage)
|
||||||
parser.disable_interspersed_args()
|
parser.disable_interspersed_args()
|
||||||
@@ -268,6 +298,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
@@ -268,6 +297,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
||||||
action="callback", callback=self.__validdir,
|
action="callback", callback=self.__validdir,
|
||||||
help=_("alternate /tmp directory to use for mounting"))
|
help=_("alternate /tmp directory to use for mounting"))
|
||||||
|
|
||||||
|
@ -1810,7 +1810,7 @@ index 48a26c2..d1037bd 100644
|
||||||
parser.add_option("-W", "--windowmanager", dest="wm",
|
parser.add_option("-W", "--windowmanager", dest="wm",
|
||||||
type="string",
|
type="string",
|
||||||
default="/usr/bin/matchbox-window-manager -use_titlebar no",
|
default="/usr/bin/matchbox-window-manager -use_titlebar no",
|
||||||
@@ -276,13 +310,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
@@ -276,13 +309,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
||||||
parser.add_option("-l", "--level", dest="level",
|
parser.add_option("-l", "--level", dest="level",
|
||||||
help=_("MCS/MLS level for the sandbox"))
|
help=_("MCS/MLS level for the sandbox"))
|
||||||
|
|
||||||
|
@ -1829,7 +1829,7 @@ index 48a26c2..d1037bd 100644
|
||||||
if self.__options.setype:
|
if self.__options.setype:
|
||||||
self.setype = self.__options.setype
|
self.setype = self.__options.setype
|
||||||
|
|
||||||
@@ -299,6 +337,9 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
@@ -299,6 +336,9 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
||||||
self.__options.X_ind = True
|
self.__options.X_ind = True
|
||||||
self.__homedir = self.__options.homedir
|
self.__homedir = self.__options.homedir
|
||||||
self.__tmpdir = self.__options.tmpdir
|
self.__tmpdir = self.__options.tmpdir
|
||||||
|
@ -1839,7 +1839,31 @@ index 48a26c2..d1037bd 100644
|
||||||
else:
|
else:
|
||||||
if len(cmds) == 0:
|
if len(cmds) == 0:
|
||||||
self.usage(_("Command required"))
|
self.usage(_("Command required"))
|
||||||
@@ -351,22 +392,24 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
@@ -329,44 +369,43 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
||||||
|
def __setup_dir(self):
|
||||||
|
if self.__options.level or self.__options.session:
|
||||||
|
return
|
||||||
|
- sandboxdir = HOMEDIR + "/.sandbox"
|
||||||
|
- if not os.path.exists(sandboxdir):
|
||||||
|
- os.mkdir(sandboxdir)
|
||||||
|
|
||||||
|
if self.__options.homedir:
|
||||||
|
selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)
|
||||||
|
self.__homedir = self.__options.homedir
|
||||||
|
else:
|
||||||
|
selinux.setfscreatecon(self.__filecon)
|
||||||
|
- self.__homedir = mkdtemp(dir=sandboxdir, prefix=".sandbox")
|
||||||
|
+ self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_")
|
||||||
|
|
||||||
|
if self.__options.tmpdir:
|
||||||
|
selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True)
|
||||||
|
self.__tmpdir = self.__options.tmpdir
|
||||||
|
else:
|
||||||
|
selinux.setfscreatecon(self.__filecon)
|
||||||
|
- self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox")
|
||||||
|
+ self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_")
|
||||||
|
selinux.setfscreatecon(None)
|
||||||
|
self.__copyfiles()
|
||||||
|
|
||||||
def __execute(self):
|
def __execute(self):
|
||||||
try:
|
try:
|
||||||
|
@ -1879,7 +1903,7 @@ index 48a26c2..d1037bd 100644
|
||||||
|
|
||||||
selinux.setexeccon(self.__execcon)
|
selinux.setexeccon(self.__execcon)
|
||||||
rc = subprocess.Popen(self.__cmds).wait()
|
rc = subprocess.Popen(self.__cmds).wait()
|
||||||
@@ -404,7 +447,7 @@ if __name__ == '__main__':
|
@@ -404,7 +443,7 @@ if __name__ == '__main__':
|
||||||
sandbox = Sandbox()
|
sandbox = Sandbox()
|
||||||
rc = sandbox.main()
|
rc = sandbox.main()
|
||||||
except OSError, error:
|
except OSError, error:
|
||||||
|
|
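Review bot: In `__setup_dir`, the new default `self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_")` puts the sandbox home in the shared temp directory with no comment saying why, and nothing in the visible lines removes it afterwards. `mkdtemp` creates the directory with mode 0700 under an unpredictable name, so `/tmp` is acceptable as the parent. However, data written to the sandbox home is now exposed to whatever cleans `/tmp`, and it will pile up there if the cleanup code (outside this view) still assumes `~/.sandbox`. I would add above the call `# Private mkdtemp dir under /tmp instead of ~/.sandbox: works when the real home is on NFS and keeps homedir data out of the sandbox`, and confirm the cleanup path removes `.sandbox_home_*`. The same patch drops the module-level `HOMEDIR`; the rest of the script is not shown here, so check that no reference to it remains.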
|
@ -7,7 +7,7 @@
|
||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.0.85
|
Version: 2.0.85
|
||||||
Release: 20%{?dist}
|
Release: 21%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
# Based on git repository with tag 20101221
|
# Based on git repository with tag 20101221
|
||||||
|
@ -331,6 +331,11 @@ fi
|
||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-21
|
||||||
|
- change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
|
||||||
|
- This will allow default sandboxes to work on NFS homedirs without allowing
|
||||||
|
access to homedir data
|
||||||
|
|
||||||
* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-20
|
* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-20
|
||||||
- Change sepolgen-ifgen to search all available policy files
|
- Change sepolgen-ifgen to search all available policy files
|
||||||
- Exit in restorecond if it can not find a UID in the passwd database
|
- Exit in restorecond if it can not find a UID in the passwd database
|
||||||
|
|