policycoreutils-2.4-13
- newrole: Set keepcaps around setresuid calls - newrole: Open stdin as read/write
This commit is contained in:
Petr Lautrbach
parent
90c72fdbb7
commit
f8062d58e4
|
|
@ -2851,7 +2851,7 @@ index b863346..d994891 100644
|
|||
rc = generate_gen_require_attribute();
|
||||
if (rc != 0) {
|
||||
diff --git a/policycoreutils-2.4/newrole/newrole.c b/policycoreutils-2.4/newrole/newrole.c
|
||||
index 94794e9..55e8d39 100644
|
||||
index 94794e9..65a945d 100644
|
||||
--- a/policycoreutils-2.4/newrole/newrole.c
|
||||
+++ b/policycoreutils-2.4/newrole/newrole.c
|
||||
@@ -278,7 +278,7 @@ static int process_pam_config(FILE * cfg)
|
||||
|
|
@ -2863,19 +2863,30 @@ index 94794e9..55e8d39 100644
|
|||
if (ret < 2 || !app || !service)
|
||||
goto err;
|
||||
|
||||
@@ -546,9 +546,7 @@ static int drop_capabilities(int full)
|
||||
@@ -546,18 +546,27 @@ static int drop_capabilities(int full)
|
||||
if (!uid) return 0;
|
||||
|
||||
capng_setpid(getpid());
|
||||
- capng_clear(CAPNG_SELECT_BOTH);
|
||||
- if (capng_lock() < 0)
|
||||
- return -1;
|
||||
+ capng_clear(CAPNG_SELECT_CAPS);
|
||||
+
|
||||
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
|
||||
+ fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
|
||||
return -1;
|
||||
+ }
|
||||
|
||||
/* Change uid */
|
||||
if (setresuid(uid, uid, uid)) {
|
||||
@@ -557,7 +555,7 @@ static int drop_capabilities(int full)
|
||||
fprintf(stderr, _("Error changing uid, aborting.\n"));
|
||||
return -1;
|
||||
}
|
||||
+
|
||||
+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) {
|
||||
+ fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
if (! full)
|
||||
capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
|
||||
- return capng_apply(CAPNG_SELECT_BOTH);
|
||||
|
|
@ -2883,7 +2894,7 @@ index 94794e9..55e8d39 100644
|
|||
}
|
||||
#elif defined(NAMESPACE_PRIV)
|
||||
/**
|
||||
@@ -575,20 +573,21 @@ static int drop_capabilities(int full)
|
||||
@@ -575,20 +584,32 @@ static int drop_capabilities(int full)
|
||||
*/
|
||||
static int drop_capabilities(int full)
|
||||
{
|
||||
|
|
@ -2893,8 +2904,12 @@ index 94794e9..55e8d39 100644
|
|||
capng_setpid(getpid());
|
||||
- capng_clear(CAPNG_SELECT_BOTH);
|
||||
- if (capng_lock() < 0)
|
||||
- return -1;
|
||||
+ capng_clear(CAPNG_SELECT_CAPS);
|
||||
+
|
||||
+ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) < 0) {
|
||||
+ fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
|
||||
return -1;
|
||||
+ }
|
||||
|
||||
- uid_t uid = getuid();
|
||||
/* Change uid */
|
||||
|
|
@ -2902,6 +2917,12 @@ index 94794e9..55e8d39 100644
|
|||
fprintf(stderr, _("Error changing uid, aborting.\n"));
|
||||
return -1;
|
||||
}
|
||||
+
|
||||
+ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) {
|
||||
+ fprintf(stderr, _("Error resetting KEEPCAPS, aborting\n"));
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
if (! full)
|
||||
- capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN , CAP_FOWNER , CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_SETPCAP, -1);
|
||||
- return capng_apply(CAPNG_SELECT_BOTH);
|
||||
|
|
@ -2911,7 +2932,7 @@ index 94794e9..55e8d39 100644
|
|||
}
|
||||
|
||||
#else
|
||||
@@ -679,7 +678,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
|
||||
@@ -679,7 +700,7 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
|
||||
security_context_t * tty_context,
|
||||
security_context_t * new_tty_context)
|
||||
{
|
||||
|
|
@ -2920,7 +2941,7 @@ index 94794e9..55e8d39 100644
|
|||
int enforcing = security_getenforce();
|
||||
security_context_t tty_con = NULL;
|
||||
security_context_t new_tty_con = NULL;
|
||||
@@ -698,7 +697,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
|
||||
@@ -698,7 +719,13 @@ static int relabel_tty(const char *ttyn, security_context_t new_context,
|
||||
fprintf(stderr, _("Error! Could not open %s.\n"), ttyn);
|
||||
return fd;
|
||||
}
|
||||
|
|
@ -2935,7 +2956,7 @@ index 94794e9..55e8d39 100644
|
|||
|
||||
if (fgetfilecon(fd, &tty_con) < 0) {
|
||||
fprintf(stderr, _("%s! Could not get current context "
|
||||
@@ -1009,9 +1014,9 @@ int main(int argc, char *argv[])
|
||||
@@ -1009,9 +1036,9 @@ int main(int argc, char *argv[])
|
||||
int fd;
|
||||
pid_t childPid = 0;
|
||||
char *shell_argv0 = NULL;
|
||||
|
|
@ -2946,7 +2967,7 @@ index 94794e9..55e8d39 100644
|
|||
int pam_status; /* pam return code */
|
||||
pam_handle_t *pam_handle; /* opaque handle used by all PAM functions */
|
||||
|
||||
@@ -1104,7 +1109,7 @@ int main(int argc, char *argv[])
|
||||
@@ -1104,7 +1131,7 @@ int main(int argc, char *argv[])
|
||||
* command when invoked by newrole.
|
||||
*/
|
||||
char *cmd = NULL;
|
||||
|
|
@ -2955,12 +2976,8 @@ index 94794e9..55e8d39 100644
|
|||
if (rc != EOF && cmd) {
|
||||
char *app_service_name =
|
||||
(char *)hashtab_search(app_service_names,
|
||||
@@ -1222,18 +1227,26 @@ int main(int argc, char *argv[])
|
||||
fprintf(stderr, _("Could not close descriptors.\n"));
|
||||
goto err_close_pam;
|
||||
}
|
||||
- fd = open(ttyn, O_RDWR | O_NONBLOCK);
|
||||
+ fd = open(ttyn, O_RDONLY | O_NONBLOCK);
|
||||
@@ -1225,15 +1252,23 @@ int main(int argc, char *argv[])
|
||||
fd = open(ttyn, O_RDWR | O_NONBLOCK);
|
||||
if (fd != 0)
|
||||
goto err_close_pam;
|
||||
- fcntl(fd, F_SETFL, fcntl(fd, F_GETFL, 0) & ~O_NONBLOCK);
|
||||
|
|
@ -2986,7 +3003,7 @@ index 94794e9..55e8d39 100644
|
|||
|
||||
}
|
||||
/*
|
||||
@@ -1267,19 +1280,24 @@ int main(int argc, char *argv[])
|
||||
@@ -1267,19 +1302,24 @@ int main(int argc, char *argv[])
|
||||
}
|
||||
#endif
|
||||
|
||||
|
|
|
|||
|
|
@ -7,7 +7,7 @@
|
|||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.4
|
||||
Release: 12%{?dist}
|
||||
Release: 13%{?dist}
|
||||
License: GPLv2
|
||||
Group: System Environment/Base
|
||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||
|
|
@ -18,7 +18,7 @@ Source2: policycoreutils_man_ru2.tar.bz2
|
|||
Source3: system-config-selinux.png
|
||||
Source4: sepolicy-icons.tgz
|
||||
# use make-rhat-patches.sh to create following patches from https://github.com/fedora-selinux/selinux/
|
||||
# HEAD https://github.com/fedora-selinux/selinux/commit/eb5c289a0e39d67b1cb12c85a166be236892b08a
|
||||
# HEAD https://github.com/fedora-selinux/selinux/commit/2722bc1a30abda48574d87c06413d1219f74d2de
|
||||
Patch: policycoreutils-rhat.patch
|
||||
Patch1: sepolgen-rhat.patch
|
||||
Patch100: policycoreutils-fix-semanage-python3.patch
|
||||
|
|
@ -404,6 +404,10 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||
%systemd_postun_with_restart restorecond.service
|
||||
|
||||
%changelog
|
||||
* Fri Oct 02 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-13
|
||||
- newrole: Set keepcaps around setresuid calls
|
||||
- newrole: Open stdin as read/write
|
||||
|
||||
* Fri Sep 04 2015 Petr Lautrbach <plautrba@redhat.com> 2.4-12
|
||||
- Fix several semanage issue (#1247714)
|
||||
- Decode output from subprocess, if error occurred (#1247039)
|
||||
|
|
|
|||
Loading…
Reference in New Issue