diff --git a/policycoreutils.spec b/policycoreutils.spec index 3d504e8..e016f85 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -12,7 +12,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.8 -Release: 12%{?dist} +Release: 13%{?dist} License: GPLv2 # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://raw.githubusercontent.com/wiki/SELinuxProject/selinux/files/releases/20180524/policycoreutils-2.8.tar.gz @@ -37,7 +37,7 @@ Source22: gui-po.tgz Source23: sandbox-po.tgz # download https://raw.githubusercontent.com/fedora-selinux/scripts/master/selinux/make-fedora-selinux-patch.sh # run: -# HEAD https://github.com/fedora-selinux/selinux/commit/f63677145675024f6a1dbdab595c0be1403bd592 +# HEAD https://github.com/fedora-selinux/selinux/commit/2fee0bccb66a6cafcf0d178b8c75c23ebd3f9924 # $ for i in policycoreutils selinux-python selinux-gui selinux-sandbox selinux-dbus semodule-utils restorecond; do # VERSION=2.8 ./make-fedora-selinux-patch.sh $i # done @@ -276,7 +276,6 @@ Requires:policycoreutils = %{version}-%{release} Requires:python3-libsemanage >= %{libsemanagever} python3-libselinux # no python3-audit-libs yet Requires:audit-libs-python3 >= %{libauditver} -Requires: python3-IPy Requires: checkpolicy Requires: python3-setools >= 4.1.1 BuildArch: noarch @@ -374,7 +373,7 @@ The policycoreutils-devel package contains the management tools use to develop p Summary: SELinux sandbox utilities Requires: python3-policycoreutils = %{version}-%{release} Requires: xorg-x11-server-Xephyr >= 1.14.1-2 /usr/bin/rsync /usr/bin/xmodmap -Requires: openbox +Requires: matchbox-window-manager BuildRequires: libcap-ng-devel %description sandbox 
@@ -531,6 +530,13 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Mon Dec 10 2018 Petr Lautrbach - 2.8-13 +- chcat: use check_call instead of getstatusoutput +- Use matchbox-window-manager instead of openbox +- Use ipaddress python module instead of IPy +- semanage: Fix handling of -a/-e/-d/-r options +- semanage: Use standard argparse.error() method + * Mon Nov 12 2018 Petr Lautrbach - 2.8-12 - sepolicy,semanage: replace aliases with corresponding type names - sepolicy-generate: Handle more reserved port types diff --git a/selinux-gui-fedora.patch b/selinux-gui-fedora.patch index 934de65..9b9982f 100644 --- a/selinux-gui-fedora.patch +++ b/selinux-gui-fedora.patch @@ -195,6 +195,37 @@ index 0000000..1795c5c +../system-config-selinux.py +../system-config-selinux.ui +../usersPage.py +diff --git selinux-gui-2.8/polgen.ui selinux-gui-2.8/polgen.ui +index aa4c70a..6a8c067 100644 +--- selinux-gui-2.8/polgen.ui ++++ selinux-gui-2.8/polgen.ui +@@ -1975,7 +1975,7 @@ Tab + + True + False +- Add File ++ Add File + True + + +@@ -2028,7 +2028,7 @@ Tab + + True + False +- Add Directory ++ Add Directory + True + + +@@ -2176,7 +2176,7 @@ Tab + + True + False +- Add Boolean ++ Add Boolean + True + + diff --git selinux-gui-2.8/polgengui.py selinux-gui-2.8/polgengui.py index 1601dbe..7e0d9d0 100644 --- selinux-gui-2.8/polgengui.py diff --git a/selinux-python-fedora.patch b/selinux-python-fedora.patch index 40da556..0b7f04d 100644 --- a/selinux-python-fedora.patch +++ b/selinux-python-fedora.patch @@ -75,10 +75,22 @@ index a826a9f..4427dea 100644 if __name__ == "__main__": unittest.main() 
diff --git selinux-python-2.8/chcat/chcat selinux-python-2.8/chcat/chcat -index 4bd9fc6..edfe571 100755 +index 4bd9fc6..a2cc9fa 100755 --- selinux-python-2.8/chcat/chcat +++ selinux-python-2.8/chcat/chcat -@@ -34,7 +34,7 @@ import getopt +@@ -22,10 +22,7 @@ + # 02111-1307 USA + # + # +-try: +- from subprocess import getstatusoutput +-except ImportError: +- from commands import getstatusoutput ++import subprocess + import sys + import os + import pwd +@@ -34,7 +31,7 @@ import getopt import selinux import seobject 
@@ -87,6 +99,133 @@ index 4bd9fc6..edfe571 100755 try: import gettext kwargs = {} +@@ -99,12 +96,12 @@ def chcat_user_add(newcat, users): + new_serange = "%s-%s" % (serange[0], top[0]) + + if add_ind: +- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) ++ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u] + else: +- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) +- rc = getstatusoutput(cmd) +- if rc[0] != 0: +- print(rc[1]) ++ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u] ++ try: ++ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False) ++ except subprocess.CalledProcessError as e: + errors += 1 + + return errors +@@ -140,10 +137,11 @@ def chcat_add(orig, newcat, objects, login_ind): + cat_string = "%s,%s" % (cat_string, c) + else: + cat_string = cat +- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat_string, f) +- rc = getstatusoutput(cmd) +- if rc[0] != 0: +- print(rc[1]) ++ ++ cmd = ["chcon", "-l", "%s:%s" % (sensitivity, cat_string), f] ++ try: ++ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False) ++ except subprocess.CalledProcessError as e: + errors += 1 + return errors + +@@ -179,13 +177,15 @@ def chcat_user_remove(newcat, users): + new_serange = "%s-%s" % (serange[0], top[0]) + + if add_ind: +- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) ++ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u] + else: +- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) +- rc = getstatusoutput(cmd) +- if rc[0] != 0: +- print(rc[1]) ++ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u] ++ ++ try: ++ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False) ++ except subprocess.CalledProcessError as e: + errors += 1 ++ + return errors + + +@@ -224,12 +224,14 @@ def chcat_remove(orig, newcat, objects, login_ind): + continue + + if len(cat) == 0: +- cmd = 'chcon -l %s %s' % 
(sensitivity, f) ++ new_serange = sensitivity + else: +- cmd = 'chcon -l %s:%s %s' % (sensitivity, cat, f) +- rc = getstatusoutput(cmd) +- if rc[0] != 0: +- print(rc[1]) ++ new_serange = '%s:%s' % (sensitivity, cat) ++ ++ cmd = ["chcon", "-l", new_serange, f] ++ try: ++ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False) ++ except subprocess.CalledProcessError as e: + errors += 1 + return errors + +@@ -247,17 +249,17 @@ def chcat_user_replace(newcat, users): + add_ind = 1 + user = seusers["__default__"] + serange = user[1].split("-") +- new_serange = "%s-%s:%s" % (serange[0], newcat[0], string.join(newcat[1:], ",")) ++ new_serange = "%s-%s:%s" % (serange[0], newcat[0], ",".join(newcat[1:])) + if new_serange[-1:] == ":": + new_serange = new_serange[:-1] + + if add_ind: +- cmd = "semanage login -a -r %s -s %s %s" % (new_serange, user[0], u) ++ cmd = ["semanage", "login", "-a", "-r", new_serange, "-s", user[0], u] + else: +- cmd = "semanage login -m -r %s -s %s %s" % (new_serange, user[0], u) +- rc = getstatusoutput(cmd) +- if rc[0] != 0: +- print(rc[1]) ++ cmd = ["semanage", "login", "-m", "-r", new_serange, "-s", user[0], u] ++ try: ++ subprocess.check_call(cmd, stderr=subprocess.STDOUT, shell=False) ++ except subprocess.CalledProcessError as e: + errors += 1 + return errors + +@@ -267,20 +269,16 @@ def chcat_replace(newcat, objects, login_ind): + return chcat_user_replace(newcat, objects) + errors = 0 + if len(newcat) == 1: +- sensitivity = newcat[0] +- cmd = 'chcon -l %s ' % newcat[0] ++ new_serange = newcat[0] + else: +- sensitivity = newcat[0] +- cmd = 'chcon -l %s:%s' % (sensitivity, newcat[1]) ++ new_serange = "%s:%s" % (newcat[0], newcat[1]) + for cat in newcat[2:]: +- cmd = '%s,%s' % (cmd, cat) ++ new_serange = '%s,%s' % (new_serange, cat) + +- for f in objects: +- cmd = "%s %s" % (cmd, f) +- +- rc = getstatusoutput(cmd) +- if rc[0] != 0: +- print(rc[1]) ++ cmd = ["chcon", "-l", new_serange] + objects ++ try: ++ subprocess.check_call(cmd, 
stderr=subprocess.STDOUT, shell=False) ++ except subprocess.CalledProcessError as e: + errors += 1 + + return errors diff --git selinux-python-2.8/po/Makefile selinux-python-2.8/po/Makefile new file mode 100644 index 0000000..4e052d5 @@ -193,7 +332,7 @@ index 0000000..128eb87 +../sepolicy/sepolicy/interface.py +../sepolicy/sepolicy.py diff --git selinux-python-2.8/semanage/semanage selinux-python-2.8/semanage/semanage -index 8d8a086..4ced085 100644 +index 8d8a086..26fa46a 100644 --- selinux-python-2.8/semanage/semanage +++ selinux-python-2.8/semanage/semanage @@ -27,7 +27,7 @@ import traceback 
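Review bot: The chcon argument lists built in chcat_add, chcat_remove and chcat_replace place the file operands directly after the range, so a path beginning with `-` is still parsed by chcon as an option even though no shell is involved any more; end option parsing explicitly, e.g. `cmd = ["chcon", "-l", new_serange, "--"] + objects`. The login name `u` in the three `semanage login` calls deserves the same treatment, provided semanage's parser accepts `--` in that position. Each handler catches only `subprocess.CalledProcessError` and never uses `e`, so a missing chcon or semanage binary would raise an uncaught OSError instead of being counted; `except (subprocess.CalledProcessError, OSError):` keeps the `errors` counter meaningful. All six function bodies start or end outside the hunks shown.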
@@ -232,6 +371,66 @@ index 8d8a086..4ced085 100644 ''')) userParser.add_argument('-P', '--prefix', default="user", help=argparse.SUPPRESS) userParser.add_argument('selinux_name', nargs='?', default=None, help=_('selinux_name')) +@@ -604,19 +604,19 @@ def setupInterfaceParser(subparsers): + + def handleModule(args): + OBJECT = seobject.moduleRecords(args) +- if args.action == "add": +- OBJECT.add(args.module_name, args.priority) +- if args.action == "enable": +- OBJECT.set_enabled(args.module_name, True) +- if args.action == "disable": +- OBJECT.set_enabled(args.module_name, False) +- if args.action == "remove": +- OBJECT.delete(args.module_name, args.priority) +- if args.action is "deleteall": ++ if args.action_add: ++ OBJECT.add(args.action_add, args.priority) ++ if args.action_enable: ++ OBJECT.set_enabled(args.action_enable, True) ++ if args.action_disable: ++ OBJECT.set_enabled(args.action_disable, False) ++ if args.action_remove: ++ OBJECT.delete(args.action_remove, args.priority) ++ if args.action == "deleteall": + OBJECT.deleteall() + if args.action == "list": + OBJECT.list(args.noheading, args.locallist) +- if args.action is "extract": ++ if args.action == "extract": + for i in OBJECT.customized(): + print("module %s" % str(i)) + +@@ -630,14 +630,13 @@ def setupModuleParser(subparsers): + parser_add_priority(moduleParser, "module") + + mgroup = moduleParser.add_mutually_exclusive_group(required=True) +- parser_add_add(mgroup, "module") + parser_add_list(mgroup, "module") + parser_add_extract(mgroup, "module") + parser_add_deleteall(mgroup, "module") +- mgroup.add_argument('-r', '--remove', dest='action', action='store_const', const='remove', help=_("Remove a module")) +- mgroup.add_argument('-d', '--disable', dest='action', action='store_const', const='disable', help=_("Disable a module")) +- mgroup.add_argument('-e', '--enable', dest='action', action='store_const', const='enable', help=_("Enable a module")) +- moduleParser.add_argument('module_name', 
nargs='?', default=None, help=_('Name of the module to act on')) ++ mgroup.add_argument('-a', '--add', dest='action_add', action='store', nargs=1, metavar='module_name', help=_("Add a module")) ++ mgroup.add_argument('-r', '--remove', dest='action_remove', action='store', nargs='+', metavar='module_name', help=_("Remove a module")) ++ mgroup.add_argument('-d', '--disable', dest='action_disable', action='store', nargs='+', metavar='module_name', help=_("Disable a module")) ++ mgroup.add_argument('-e', '--enable', dest='action_enable', action='store', nargs='+', metavar='module_name', help=_("Enable a module")) + moduleParser.set_defaults(func=handleModule) + + +@@ -739,9 +738,7 @@ def handlePermissive(args): + if args.action is "delete": + OBJECT.delete(args.type) + else: +- args.parser.print_usage(sys.stderr) +- sys.stderr.write(_('semanage permissive: error: the following argument is required: type\n')) +- sys.exit(1) ++ args.parser.error(message=_('semanage permissive: error: the following argument is required: type\n')) + + + def setupPermissiveParser(subparsers): diff --git selinux-python-2.8/semanage/semanage-user.8 selinux-python-2.8/semanage/semanage-user.8 index 30bc670..23fec69 100644 --- selinux-python-2.8/semanage/semanage-user.8 @@ -262,10 +461,10 @@ index 0bdb90f..0cdcfcc 100644 user identities to authorized role sets. In most cases, only the former mapping needs to be adjusted by the administrator; the latter diff --git selinux-python-2.8/semanage/seobject.py selinux-python-2.8/semanage/seobject.py -index c76dce8..972d5af 100644 +index c76dce8..a0cdeb7 100644 --- selinux-python-2.8/semanage/seobject.py +++ selinux-python-2.8/semanage/seobject.py -@@ -30,7 +30,7 @@ import sys +@@ -30,10 +30,10 @@ import sys import stat import socket from semanage import * @@ -273,7 +472,11 @@ index c76dce8..972d5af 100644 +PROGNAME = "selinux-python" import sepolicy import setools - from IPy import IP +-from IPy import IP ++import ipaddress + + try: + import gettext 
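Review bot: handlePermissive still tests `args.action is "delete"` in the context line just above the changed `else` branch, although this patch corrects the same identity-versus-equality mistake for "deleteall" and "extract" in handleModule; it should read `if args.action == "delete":`. The new `args.parser.error(...)` call passes a message that already contains `semanage permissive: error:` and a trailing newline. Assuming `args.parser` is the argparse parser, error() prints the usage and its own `prog: error:` prefix, so the prefix is likely to appear twice; `args.parser.error(_('the following argument is required: type'))` would be enough. error() also exits with status 2 where the removed code called `sys.exit(1)`, which is worth checking against anything that tests the exit code. handlePermissive begins outside the hunk.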
@@ -101,6 +101,8 @@ ftype_to_audit = {"": "any", try: @@ -292,7 +495,38 @@ index c76dce8..972d5af 100644 class logger: def __init__(self): -@@ -593,7 +595,6 @@ class loginRecords(semanageRecords): +@@ -397,6 +399,8 @@ class moduleRecords(semanageRecords): + print("%-25s %-9s %-5s %s" % (t[0], t[2], t[3], disabled)) + + def add(self, file, priority): ++ if type(file) == list: ++ file = file[0] + if not os.path.exists(file): + raise ValueError(_("Module does not exist: %s ") % file) + +@@ -409,7 +413,9 @@ class moduleRecords(semanageRecords): + self.commit() + + def set_enabled(self, module, enable): +- for m in module.split(): ++ if type(module) == str: ++ module = module.split() ++ for m in module: + rc, key = semanage_module_key_create(self.sh) + if rc < 0: + raise ValueError(_("Could not create module key")) +@@ -431,7 +437,9 @@ class moduleRecords(semanageRecords): + if rc < 0: + raise ValueError(_("Invalid priority %d (needs to be between 1 and 999)") % priority) + +- for m in module.split(): ++ if type(module) == str: ++ module = module.split() ++ for m in module: + rc = semanage_module_remove(self.sh, m) + if rc < 0 and rc != -2: + raise ValueError(_("Could not remove module %s (remove failed)") % m) +@@ -593,7 +601,6 @@ class loginRecords(semanageRecords): semanage_seuser_key_free(k) semanage_seuser_free(u) @@ -300,7 +534,7 @@ index c76dce8..972d5af 100644 def add(self, name, sename, serange): try: -@@ -601,7 +602,6 @@ class loginRecords(semanageRecords): +@@ -601,7 +608,6 @@ class loginRecords(semanageRecords): self.__add(name, sename, serange) self.commit() except ValueError as error: @@ -308,7 +542,7 @@ index c76dce8..972d5af 100644 raise error def __modify(self, name, sename="", serange=""): -@@ -653,7 +653,6 @@ class loginRecords(semanageRecords): +@@ -653,7 +659,6 @@ class loginRecords(semanageRecords): semanage_seuser_key_free(k) semanage_seuser_free(u) 
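Review bot: The new dispatch in moduleRecords.add, set_enabled and the removal loop uses exact type comparisons (`type(file) == list`, `type(module) == str`), which reject subclasses and are harder to read than `isinstance(module, str)`. In add(), the silent `file = file[0]` exists only because the `-a` option is declared with `nargs=1` in the semanage hunk of this same patch, so it needs a comment such as `# argparse nargs=1 delivers a one-element list`. Alternatively the caller could pass `args.action_add[0]`, which keeps the method signature honest. The three method bodies continue outside the hunks shown.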
@@ -316,7 +550,7 @@ index c76dce8..972d5af 100644 def modify(self, name, sename="", serange=""): try: -@@ -661,7 +660,6 @@ class loginRecords(semanageRecords): +@@ -661,7 +666,6 @@ class loginRecords(semanageRecords): self.__modify(name, sename, serange) self.commit() except ValueError as error: @@ -324,7 +558,7 @@ index c76dce8..972d5af 100644 raise error def __delete(self, name): -@@ -694,8 +692,6 @@ class loginRecords(semanageRecords): +@@ -694,8 +698,6 @@ class loginRecords(semanageRecords): rec, self.sename, self.serange = selinux.getseuserbyname("__default__") range, (rc, serole) = userrec.get(self.sename) @@ -333,7 +567,7 @@ index c76dce8..972d5af 100644 def delete(self, name): try: self.begin() -@@ -703,7 +699,6 @@ class loginRecords(semanageRecords): +@@ -703,7 +705,6 @@ class loginRecords(semanageRecords): self.commit() except ValueError as error: @@ -341,7 +575,7 @@ index c76dce8..972d5af 100644 raise error def deleteall(self): -@@ -717,7 +712,6 @@ class loginRecords(semanageRecords): +@@ -717,7 +718,6 @@ class loginRecords(semanageRecords): self.__delete(semanage_seuser_get_name(u)) self.commit() except ValueError as error: @@ -349,7 +583,7 @@ index c76dce8..972d5af 100644 raise error def get_all_logins(self): -@@ -1087,6 +1081,8 @@ class portRecords(semanageRecords): +@@ -1087,6 +1087,8 @@ class portRecords(semanageRecords): if type == "": raise ValueError(_("Type is required")) @@ -358,7 +592,7 @@ index c76dce8..972d5af 100644 if type not in self.valid_types: raise ValueError(_("Type %s is invalid, must be a port type") % type) -@@ -1151,6 +1147,7 @@ class portRecords(semanageRecords): +@@ -1151,6 +1153,7 @@ class portRecords(semanageRecords): else: raise ValueError(_("Requires setype")) 
@@ -366,7 +600,7 @@ index c76dce8..972d5af 100644 if setype and setype not in self.valid_types: raise ValueError(_("Type %s is invalid, must be a port type") % setype) -@@ -1355,6 +1352,8 @@ class ibpkeyRecords(semanageRecords): +@@ -1355,6 +1358,8 @@ class ibpkeyRecords(semanageRecords): if type == "": raise ValueError(_("Type is required")) @@ -375,7 +609,7 @@ index c76dce8..972d5af 100644 if type not in self.valid_types: raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type) -@@ -1417,6 +1416,8 @@ class ibpkeyRecords(semanageRecords): +@@ -1417,6 +1422,8 @@ class ibpkeyRecords(semanageRecords): else: raise ValueError(_("Requires setype")) @@ -384,7 +618,7 @@ index c76dce8..972d5af 100644 if setype and setype not in self.valid_types: raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype) -@@ -1603,6 +1604,8 @@ class ibendportRecords(semanageRecords): +@@ -1603,6 +1610,8 @@ class ibendportRecords(semanageRecords): if type == "": raise ValueError(_("Type is required")) @@ -393,7 +627,7 @@ index c76dce8..972d5af 100644 if type not in self.valid_types: raise ValueError(_("Type %s is invalid, must be an ibendport type") % type) (k, ibendport, port) = self.__genkey(ibendport, ibdev_name) -@@ -1664,6 +1667,8 @@ class ibendportRecords(semanageRecords): +@@ -1664,6 +1673,8 @@ class ibendportRecords(semanageRecords): else: raise ValueError(_("Requires setype")) 
@@ -402,7 +636,26 @@ index c76dce8..972d5af 100644 if setype and setype not in self.valid_types: raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype) -@@ -1853,6 +1858,8 @@ class nodeRecords(semanageRecords): +@@ -1826,13 +1837,13 @@ class nodeRecords(semanageRecords): + + # verify valid comination + if len(mask) == 0 or mask[0] == "/": +- i = IP(addr + mask) +- newaddr = i.strNormal(0) +- newmask = str(i.netmask()) +- if newmask == "0.0.0.0" and i.version() == 6: ++ i = ipaddress.ip_network(addr + mask) ++ newaddr = str(i.network_address) ++ newmask = str(i.netmask) ++ if newmask == "0.0.0.0" and i.version == 6: + newmask = "::" + +- protocol = "ipv%d" % i.version() ++ protocol = "ipv%d" % i.version + + try: + newprotocol = self.protocol.index(protocol) +@@ -1853,6 +1864,8 @@ class nodeRecords(semanageRecords): if ctype == "": raise ValueError(_("SELinux node type is required")) @@ -411,7 +664,7 @@ index c76dce8..972d5af 100644 if ctype not in self.valid_types: raise ValueError(_("Type %s is invalid, must be a node type") % ctype) -@@ -1922,6 +1929,8 @@ class nodeRecords(semanageRecords): +@@ -1922,6 +1935,8 @@ class nodeRecords(semanageRecords): if serange == "" and setype == "": raise ValueError(_("Requires setype or serange")) @@ -420,7 +673,7 @@ index c76dce8..972d5af 100644 if setype and setype not in self.valid_types: raise ValueError(_("Type %s is invalid, must be a node type") % setype) -@@ -2241,7 +2250,6 @@ class fcontextRecords(semanageRecords): +@@ -2241,7 +2256,6 @@ class fcontextRecords(semanageRecords): try: valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"]) valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"]) 
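Review bot: In the nodeRecords address check, `ipaddress.ip_network(addr + mask)` runs in strict mode by default and raises ValueError both for malformed input and for an address with host bits set. Nothing in the hunk wraps the call, so unless a caller outside the hunk handles it the user sees the ipaddress module's own untranslated message. Catching ValueError here and re-raising with a translated `_()` message would match the other validation errors in this file. The retained test `newmask == "0.0.0.0" and i.version == 6` can no longer be true, because an IPv6 network's netmask stringifies as an IPv6 address (`::` for a /0), so that branch can be dropped or kept with a comment explaining it is a leftover from IPy. The enclosing method starts and ends outside the hunk.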
@@ -428,7 +681,7 @@ index c76dce8..972d5af 100644 except RuntimeError: valid_types = [] -@@ -2369,8 +2377,10 @@ class fcontextRecords(semanageRecords): +@@ -2369,8 +2383,10 @@ class fcontextRecords(semanageRecords): if type == "": raise ValueError(_("SELinux Type is required")) @@ -441,7 +694,7 @@ index c76dce8..972d5af 100644 (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype]) if rc < 0: -@@ -2432,8 +2442,10 @@ class fcontextRecords(semanageRecords): +@@ -2432,8 +2448,10 @@ class fcontextRecords(semanageRecords): def __modify(self, target, setype, ftype, serange, seuser): if serange == "" and setype == "" and seuser == "": raise ValueError(_("Requires setype, serange or seuser")) diff --git a/selinux-sandbox-fedora.patch b/selinux-sandbox-fedora.patch index 1bf6dbf..4986b98 100644 --- a/selinux-sandbox-fedora.patch +++ b/selinux-sandbox-fedora.patch @@ -114,7 +114,7 @@ index 0000000..deff3f2 @@ -0,0 +1 @@ +../sandbox diff --git selinux-sandbox-2.8/sandbox selinux-sandbox-2.8/sandbox -index c07a1d8..a051360 100644 +index c07a1d8..948496d 100644 --- selinux-sandbox-2.8/sandbox +++ selinux-sandbox-2.8/sandbox @@ -37,7 +37,7 @@ import sepolicy 
@@ -126,14 +126,59 @@ index c07a1d8..a051360 100644 try: import gettext kwargs = {} +@@ -268,7 +268,7 @@ class Sandbox: + copyfile(f, "/tmp", self.__tmpdir) + copyfile(f, "/var/tmp", self.__tmpdir) + +- def __setup_sandboxrc(self, wm="/usr/bin/openbox"): ++ def __setup_sandboxrc(self, wm="/usr/bin/matchbox-window-manager"): + execfile = self.__homedir + "/.sandboxrc" + fd = open(execfile, "w+") + if self.__options.session: +@@ -362,7 +362,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- + + parser.add_option("-W", "--windowmanager", dest="wm", + type="string", +- default="/usr/bin/openbox", ++ default="/usr/bin/matchbox-window-manager", + help=_("alternate window manager")) + + parser.add_option("-l", "--level", dest="level", +diff --git selinux-sandbox-2.8/sandbox.8 selinux-sandbox-2.8/sandbox.8 +index d83fee7..90ef495 100644 +--- selinux-sandbox-2.8/sandbox.8 ++++ selinux-sandbox-2.8/sandbox.8 +@@ -77,7 +77,7 @@ Specifies the windowsize when creating an X based Sandbox. The default windowsiz + \fB\-W\fR \fB\-\-windowmanager\fR + Select alternative window manager to run within + .B sandbox \-X. +-Default to /usr/bin/openbox. ++Default to /usr/bin/matchbox-window-manager. + .TP + \fB\-X\fR + Create an X based Sandbox for gui apps, temporary files for 
diff --git selinux-sandbox-2.8/sandboxX.sh selinux-sandbox-2.8/sandboxX.sh -index eaa500d..4774528 100644 +index eaa500d..c211ebc 100644 --- selinux-sandbox-2.8/sandboxX.sh +++ selinux-sandbox-2.8/sandboxX.sh -@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF - - EOF +@@ -6,21 +6,7 @@ export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8 + [ -z $2 ] && export DPI="96" || export DPI="$2" + trap "exit 0" HUP +-mkdir -p ~/.config/openbox +-cat > ~/.config/openbox/rc.xml << EOF +- +- +- +- no +- all +- yes +- +- +- +-EOF +- -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do +(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -reset -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do export DISPLAY=:$D