From a3adc5bf7021c59f65e884e896b353e26ba2a759 Mon Sep 17 00:00:00 2001
From: Miroslav Grepl
Date: Tue, 20 May 2014 12:11:11 +0200
Subject: [PATCH] * Tue May 20 2014 Miroslav Grepl - 2.3-4 - Fix setfiles to work correctly if -r option is defined

---
 ...RD_FILE_CONTEXT-section-in-man-pages.patch | 68 -------------------
 ...work-correctly-if-r-option-is-define.patch | 25 +++++++
 ...Try-to-use-setcurrent-before-setexec.patch | 63 ----------------
 ...xecutable-we-don-t-want-to-print-a-p.patch | 27 --------
 policycoreutils.spec | 8 ++-
 5 files changed, 32 insertions(+), 159 deletions(-)
 delete mode 100644 0001-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
 create mode 100644 0001-Fix-setfiles-to-work-correctly-if-r-option-is-define.patch
 delete mode 100644 0002-seunshare-Try-to-use-setcurrent-before-setexec.patch
 delete mode 100644 0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch

diff --git a/0001-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch b/0001-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
deleted file mode 100644
index a60392a..0000000
--- a/0001-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
-index f7f05cb..6b94239 100644
---- a/policycoreutils/sepolicy/sepolicy/__init__.py
-+++ b/policycoreutils/sepolicy/sepolicy/__init__.py
-@@ -98,6 +98,21 @@ def get_conditionals_format_text(cond):
- def get_types_from_attribute(attribute):
- return info(ATTRIBUTE,attribute)[0]["types"]
-
-+def get_attributes_from_type(setype):
-+ return info(TYPE,setype)[0]["attributes"]
-+
-+def file_type_is_executable(setype):
-+ if "exec_type" in get_attributes_from_type(setype):
-+ return True
-+ else:
-+ return False
-+
-+def file_type_is_entrypoint(setype):
-+ if "entry_type" in get_attributes_from_type(setype):
-+ return True
-+ else:
-+ return False
-+
- file_type_str = {}
- file_type_str["a"] = _("all files")
- file_type_str["f"] = _("regular file")
-diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
-index 9af0794..8daca56 100755
---- a/policycoreutils/sepolicy/sepolicy/manpage.py
-+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
-@@ -679,10 +679,13 @@ Default Defined Ports:""")
-
- def _file_context(self):
- flist=[]
-+ flist_non_exec=[]
- mpaths=[]
- for f in self.all_file_types:
- if f.startswith(self.domainname):
- flist.append(f)
-+ if not file_type_is_executable(f) or not file_type_is_entrypoint(f):
-+ flist_non_exec.append(f)
- if f in self.fcdict:
- mpaths = mpaths + self.fcdict[f]["regex"]
- if len(mpaths) == 0:
-@@ -734,19 +737,20 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
- .PP
- """ % {'domainname':self.domainname, 'equiv': e, 'alt': e.split('/')[-1] })
-
-- self.fd.write(r"""
-+ if flist_non_exec:
-+ self.fd.write(r"""
- .PP
- .B STANDARD FILE CONTEXT
-
- SELinux defines the file context types for the %(domainname)s, if you wanted to
- store files with these types in a diffent paths, you need to execute the semanage command to sepecify alternate labeling and then use restorecon to put the labels on disk.
-
--.B semanage fcontext -a -t %(type)s '/srv/%(domainname)s/content(/.*)?'
-+.B semanage fcontext -a -t %(type)s '/srv/my%(domainname)s_content(/.*)?'
- .br
- .B restorecon -R -v /srv/my%(domainname)s_content
-
- Note: SELinux often uses regular expressions to specify labels that match multiple files.
--""" % {'domainname':self.domainname, "type":flist[0] })
-+""" % {'domainname':self.domainname, "type":flist_non_exec[-1] })
-
- self.fd.write(r"""
- .I The following file types are defined for %(domainname)s:
diff --git a/0001-Fix-setfiles-to-work-correctly-if-r-option-is-define.patch b/0001-Fix-setfiles-to-work-correctly-if-r-option-is-define.patch
new file mode 100644
index 0000000..53d7bc7
--- /dev/null
+++ b/0001-Fix-setfiles-to-work-correctly-if-r-option-is-define.patch
@@ -0,0 +1,25 @@
+From 0c71c12b54b0f201edf53f9956c8c9df8efbca41 Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl
+Date: Tue, 20 May 2014 12:07:46 +0200
+Subject: [PATCH] Fix setfiles to work correctly if -r option is defined
+
+---
+ policycoreutils/setfiles/setfiles.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
+index 85d8d68..b31df58 100644
+--- a/policycoreutils/setfiles/setfiles.c
++++ b/policycoreutils/setfiles/setfiles.c
+@@ -334,7 +334,7 @@ int main(int argc, char **argv)
+ argv[0]);
+ exit(-1);
+ }
+- set_rootpath(argv[optind++]);
++ set_rootpath(argv[optind]);
+ break;
+ case 's':
+ use_input_file = 1;
+--
+1.9.0
+
diff --git a/0002-seunshare-Try-to-use-setcurrent-before-setexec.patch b/0002-seunshare-Try-to-use-setcurrent-before-setexec.patch
deleted file mode 100644
index 450ad2e..0000000
--- a/0002-seunshare-Try-to-use-setcurrent-before-setexec.patch
+++ /dev/null
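Review bot: The replacement line `set_rootpath(argv[optind]);` still reads the root path positionally from argv instead of from getopt's `optarg`; if `r` is declared with a trailing colon in the option string (not visible in this hunk), getopt has already advanced optind past the option argument by the time this case runs, so argv[optind] is the argument that follows the root path, or NULL when -r is the last argument. The usage check whose tail (`exit(-1);`) is visible just above the change cannot be confirmed to cover that case, since its condition lies outside the hunk. Because setfiles applies file contexts beneath whatever the root path names, a mis-parsed value would relabel the wrong tree, so the safer form is `set_rootpath(optarg);`. The enclosing `main` begins and ends outside the hunk.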
@@ -1,63 +0,0 @@
-From d355fd3326286a01f82c5c46a8eb99ae2f4a11bb Mon Sep 17 00:00:00 2001
-Message-Id:
-From: Andy Lutomirski
-Date: Wed, 30 Apr 2014 21:59:37 -0700
-Subject: [PATCH] seunshare: Try to use setcurrent before setexec
-
-If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
-libcap-ng set, setexeccon will cause execve to fail. This also
-makes setting selinux context the very last action taken by
-seunshare prior to exec, as it may otherwise cause things to fail.
-
-Note that this won't work without adjusting the system policy to
-allow this use of setcurrent. This rule appears to work:
-
- allow unconfined_t sandbox_t:process dyntransition;
-
-although a better rule would probably relax the unconfined_t
-restriction.
-
-Signed-off-by: Andy Lutomirski
----
- policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
- 1 file changed, 14 insertions(+), 6 deletions(-)
-
-diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
-index 97f3920..fe40757 100644
---- a/policycoreutils/sandbox/seunshare.c
-+++ b/policycoreutils/sandbox/seunshare.c
-@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
- goto childerr;
- }
-
-- /* selinux context */
-- if (execcon && setexeccon(execcon) != 0) {
-- fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
-- goto childerr;
-- }
--
- if (chdir(pwd->pw_dir)) {
- perror(_("Failed to change dir to homedir"));
- goto childerr;
- }
- setsid();
-+
-+ /* selinux context */
-+ if (execcon) {
-+ /* try dyntransition, since no_new_privs can interfere
-+ * with setexeccon */
-+ if (setcon(execcon) != 0) {
-+ /* failed; fall back to setexeccon */
-+ if (setexeccon(execcon) != 0) {
-+ fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
-+ goto childerr;
-+ }
-+ }
-+ }
-+
- execv(argv[optind], argv + optind);
- fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
- childerr:
---
-1.9.0
-
diff --git a/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch b/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
deleted file mode 100644
index 9f151b3..0000000
--- a/0003-If-there-is-no-executable-we-don-t-want-to-print-a-p.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From cbe5a25fed96d535ba16a936f7347d19ac211fdf Mon Sep 17 00:00:00 2001
-From: Miroslav Grepl
-Date: Mon, 12 May 2014 14:11:22 +0200
-Subject: [PATCH] If there is no executable we don't want to print a part of
- STANDARD FILE CONTEXT
-
----
- policycoreutils/sepolicy/sepolicy/manpage.py | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
-index 835dc43..849eecf 100755
---- a/policycoreutils/sepolicy/sepolicy/manpage.py
-+++ b/policycoreutils/sepolicy/sepolicy/manpage.py
-@@ -737,7 +737,8 @@ SELinux %(domainname)s policy is very flexible allowing users to setup their %(d
- .PP
- """ % {'domainname':self.domainname, 'equiv': e, 'alt': e.split('/')[-1] })
-
-- self.fd.write(r"""
-+ if flist_non_exec:
-+ self.fd.write(r"""
- .PP
- .B STANDARD FILE CONTEXT
-
---
-1.9.0
-
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 76c2103..dfa4eab 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.3
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPLv2
 Group: System Environment/Base
 # Based on git repository with tag 20101221
@@ -18,6 +18,7 @@ Source2: policycoreutils_man_ru2.tar.bz2
 Source3: system-config-selinux.png
 Source4: sepolicy-icons.tgz
 Patch: policycoreutils-rhat.patch
+Patch1: 0001-Fix-setfiles-to-work-correctly-if-r-option-is-define.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3
 Provides: /sbin/fixfiles
@@ -48,6 +49,8 @@ to switch roles.
 %prep
 %setup -q -a 1
 %patch -p2 -b .rhat
+%patch1 -p2 -b .setfiles
+
 cp %{SOURCE3} gui/
 tar xvf %{SOURCE4}
@@ -378,6 +381,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
+* Tue May 20 2014 Miroslav Grepl - 2.3-4
+- Fix setfiles to work correctly if -r option is defined
+
 * Fri May 16 2014 Dan Walsh - 2.3-3
 - Update Miroslav Grepl Patches
 * If there is no executable we don't want to print a part of STANDARD FILE CON