Compare commits

...

26 Commits
master ... f15

Author SHA1 Message Date
Dan Walsh 72a4d21573 Fix the handling of namespaces in seunshare/sandbox.
Currently mounting of directories within sandbox is propogating to the
parent namesspace.
2012-01-03 11:12:49 -05:00
Dan Walsh df863663f2 Change seunshare to send kill signals to the childs session.
Also add signal handler to catch sigint, so if user enters ctrl-C sandbox will shutdown.
Add -k qualifier to seunshare to have it attempt to kill all processes with
the matching MCS label.
Add -C option to sandbox and seunshare to maintain capabilities, otherwise
the bounding set will be dropped.
Change --cgroups short name -c rather then -C for consistancy
Fix memory and fd leaks in seunshare
2011-07-07 14:54:55 -04:00
Dan Walsh 9f197b5eb0 Change seunshare to send kill signals to the childs session.
Also add signal handler to catch sigint, so if user enters ctrl-C sandbox will shutdown.
Add -k qualifier to seunshare to have it attempt to kill all processes with
the matching MCS label.
Add -C option to sandbox and seunshare to maintain capabilities, otherwise
the bounding set will be dropped.
Change --cgroups short name -c rather then -C for consistancy
Fix memory and fd leaks in seunshare
2011-07-07 14:47:56 -04:00
Dan Walsh f415a12acc Do not drop capability bounding set in seunshare, this allows sandbox to
run setuid apps.
Cleanup policy generation template
Pass dpi settings to sandbox
Add .config/* to restorecond_users.conf
2011-06-13 14:00:27 -04:00
Dan Walsh 397914a5b7 Do not drop capability bounding set in seunshare, this allows sandbox to
run setuid apps.
Cleanup policy generation template
Pass dpi settings to sandbox
Add .config/* to restorecond_users.conf
2011-06-13 13:53:15 -04:00
Dan Walsh de46aea469 Do not drop capability bounding set in seunshare, this allows sandbox to
run setuid apps.
Cleanup policy generation template
Pass dpi settings to sandbox
2011-06-13 13:46:07 -04:00
Dan Walsh fe90fcfea9 Clean up some of the templates for sepolgen 2011-04-29 12:11:09 -04:00
Dan Walsh 4cd6edc808 Change fixfiles restore to delete unlabeled sockets in /tmp 2011-04-18 13:18:42 -04:00
Dan Walsh 16246ac8b2 Change fixfiles restore to delete unlabeled sockets in /tmp 2011-04-18 12:48:35 -04:00
Dan Walsh 55fb6920ca Add Elia Pinto patches to allow user to specify directories to ignore 2011-04-11 14:34:01 -04:00
Dan Walsh 78134e652a rsynccmd should run outside of execcon 2011-03-29 13:38:42 -04:00
Dan Walsh ed4c843b48 Fix semange node handling of ipv6 addresses 2011-03-24 16:40:45 -04:00
Dan Walsh 6d8189f150 Fix sepolgen-ifgen call, add -p option 2011-03-23 17:55:22 -04:00
Dan Walsh 4189d94570 Fix sepolgen-ifgen call 2011-03-23 09:52:42 -04:00
Dan Walsh f7c4958dbf Fix rsync command to work if the directory is old.
Fix all tests
2011-03-18 17:49:10 -04:00
Dan Walsh c06fc4b8dd Fix sepolgen to generate network polcy using generic_if and genric_node versus all_if and all_node 2011-03-16 17:03:47 -04:00
Dan Walsh fd42cdb339 Return to original seunshare man page 2011-03-16 09:36:26 -04:00
Dan Walsh 9f8f4e973f change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
This will allow default sandboxes to work on NFS homedirs without allowing
access to homedir data
2011-03-14 16:23:10 -04:00
Dan Walsh 65350da6d3 Change sepolgen-ifgen to search all available policy files
Exit in restorecond if it can not find a UID in the passwd database
2011-03-11 16:54:41 -05:00
Dan Walsh b6d72dd04b Fix portspage in system-config-selinux to not crash
More fixes for seunshare from Tomas Hoger
2011-03-09 16:16:13 -05:00
Dan Walsh 312470de44 put back in old handling of -T in sandbox command
Put back setsid in seunshare
Fix rsync to maintain times
2011-03-08 18:02:10 -05:00
Dan Walsh 93a6f1fc9d Use rewritten seunshare from thoger 2011-03-08 16:51:35 -05:00
Dan Walsh 2ab6e22253 Require python-IPy for policycoreutils-python package
Fixes for sepologen
Usage statement needs -n name
Names with _ are being prevented
dbus apps should get _chat interface
2011-03-07 17:03:02 -05:00
Dan Walsh 513ebc6132 Fix error message in seunshare, check for tmpdir existance before unlink. 2011-03-03 17:06:51 -05:00
Dan Walsh 4d63979d6d Fix error message in seunshare, check for tmpdir existance before unlink. 2011-03-03 15:51:42 -05:00
Dan Walsh aae6082678 Rewrite seunshare to make sure /tmp is mounted stickybit owned by root
Only allow names in polgengui that contain letters and numbers
Fix up node handling in semanage command
Update translations
2011-03-03 13:46:30 -05:00
8 changed files with 2738 additions and 924 deletions

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,954 @@
diff -up policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox policycoreutils-2.0.86/restorecond/restorecond_user.conf
--- policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox 2011-06-13 13:47:06.000000000 -0400
+++ policycoreutils-2.0.86/restorecond/restorecond_user.conf 2011-06-13 13:47:27.000000000 -0400
@@ -4,4 +4,4 @@
~/local/*
~/.fonts/*
~/.cache/*
-
+~/.config/*
diff -up policycoreutils-2.0.86/sandbox/sandbox.8.sandbox policycoreutils-2.0.86/sandbox/sandbox.8
--- policycoreutils-2.0.86/sandbox/sandbox.8.sandbox 2011-07-07 14:42:18.000000000 -0400
+++ policycoreutils-2.0.86/sandbox/sandbox.8 2012-01-03 11:09:22.391519370 -0500
@@ -3,11 +3,11 @@
sandbox \- Run cmd under an SELinux sandbox
.SH SYNOPSIS
.B sandbox
-[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
+[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
.br
.B sandbox
-[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
+[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
.br
.SH DESCRIPTION
.PP
@@ -49,7 +49,7 @@ Use alternate tempory directory to mount
Run a full desktop session, Requires level, and home and tmpdir.
.TP
\fB\-w windowsize\fR
-Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700.
+Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700.
.TP
\fB\-W windowmanager\fR
Select alternative window manager to run within
@@ -60,8 +60,14 @@ Default to /usr/bin/matchbox-window-mana
Create an X based Sandbox for gui apps, temporary files for
$HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
.TP
-\fB\-C\fR
+\fB\-d\fR
+Set the DPI value for the sanbox X Server. Defaults to the current X Sever DPI.
+.TP
+\fB\-c\fR
Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
+.TP
+\fB\-C\fR
+Use capabilities within the sandbox. By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the -C flag, you can use programs requiring capabilities.
.PP
.SH "SEE ALSO"
.TP
@@ -69,7 +75,7 @@ runcon(1), seunshare(8), selinux(8)
.PP
.SH AUTHOR
-This manual page was written by
+This manual page was written by
.I Dan Walsh <dwalsh@redhat.com>
and
.I Thomas Liu <tliu@fedoraproject.org>
diff -up policycoreutils-2.0.86/sandbox/sandbox.sandbox policycoreutils-2.0.86/sandbox/sandbox
--- policycoreutils-2.0.86/sandbox/sandbox.sandbox 2011-06-13 13:44:44.000000000 -0400
+++ policycoreutils-2.0.86/sandbox/sandbox 2012-01-03 11:08:43.619495043 -0500
@@ -25,7 +25,7 @@ import selinux
import signal
from tempfile import mkdtemp
import pwd
-import commands
+import commands
import setools
PROGNAME = "policycoreutils"
@@ -88,9 +88,7 @@ def copyfile(file, srcdir, dest):
except shutil.Error, elist:
for e in elist.message:
- # ignore files that are missing
- if not e[2].startswith("[Errno 2]"):
- sys.stderr.write(e[2])
+ sys.stderr.write(e[2])
SAVE_FILES[file] = (dest, os.path.getmtime(dest))
@@ -120,10 +118,30 @@ def reserve(level):
sock.bind("\0%s" % level)
fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
+def get_range():
+ try:
+ level =selinux.getcon_raw()[1].split(":")[4]
+ lowc,highc = level.split(".")
+ low = int(lowc[1:])
+ high = int(highc[1:])+1
+ if high - low == 0:
+ raise IndexError
+
+ return low,high
+ except IndexError:
+ raise ValueError(_("User account must be setup with an MCS Range"))
+
def gen_mcs():
- while True:
- i1 = random.randrange(0, 1024)
- i2 = random.randrange(0, 1024)
+ low, high = get_range()
+
+ level = None
+ ctr = 0
+ total = high-low
+ total = (total * (total - 1))/2
+ while ctr < total:
+ ctr += 1
+ i1 = random.randrange(low, high)
+ i2 = random.randrange(low, high)
if i1 == i2:
continue
if i1 > i2:
@@ -136,7 +154,10 @@ def gen_mcs():
except socket.error:
continue
break
- return level
+ if level:
+ return level
+ raise ValueError(_("Failed to find any unused category sets. Consider a larger MCS range for this user."))
+
def fullpath(cmd):
for i in [ "/", "./", "../" ]:
@@ -170,7 +191,7 @@ class Sandbox:
if not os.path.exists(SEUNSHARE):
raise ValueError(_("""
-%s is required for the action you want to perform.
+%s is required for the action you want to perform.
""") % SEUNSHARE)
def __mount_callback(self, option, opt, value, parser):
@@ -181,12 +202,12 @@ class Sandbox:
setattr(parser.values, option.dest, True)
if not os.path.exists(SEUNSHARE):
raise ValueError(_("""
-%s is required for the action you want to perform.
+%s is required for the action you want to perform.
""") % SEUNSHARE)
if not os.path.exists(SANDBOXSH):
raise ValueError(_("""
-%s is required for the action you want to perform.
+%s is required for the action you want to perform.
""") % SANDBOXSH)
def __validdir(self, option, opt, value, parser):
@@ -246,26 +267,25 @@ kill -TERM $WM_PID 2> /dev/null
def usage(self, message = ""):
error_exit("%s\n%s" % (self.__parser.usage, message))
-
+
def __parse_options(self):
from optparse import OptionParser
types = ""
try:
types = _("""
-Policy defines the following types for use with the -t:
+Policy defines the following types for use with the -t:
\t%s
""") % "\n\t".join(setools.seinfo(setools.ATTRIBUTE, "sandbox_type")[0]['types'])
except RuntimeError:
pass
usage = _("""
-sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command
+sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command
-sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] -S
+sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] -S
%s
""") % types
-
parser = OptionParser(version=self.VERSION, usage=usage)
parser.disable_interspersed_args()
parser.add_option("-i", "--include",
@@ -281,6 +301,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
action="callback", callback=self.__mount_callback,
help=_("mount new home and/or tmp directory"))
+ parser.add_option("-d", "--dpi",
+ dest="dpi", action="store",
+ help=_("dots per inch for X display"))
+
parser.add_option("-S", "--session", action="store_true", dest="session",
default=False, help=_("run complete desktop session within sandbox"))
@@ -291,17 +315,17 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
parser.add_option("-H", "--homedir",
action="callback", callback=self.__validdir,
type="string",
- dest="homedir",
+ dest="homedir",
help=_("alternate home directory to use for mounting"))
- parser.add_option("-T", "--tmpdir", dest="tmpdir",
+ parser.add_option("-T", "--tmpdir", dest="tmpdir",
type="string",
action="callback", callback=self.__validdir,
help=_("alternate /tmp directory to use for mounting"))
parser.add_option("-w", "--windowsize", dest="windowsize",
type="string", default=DEFAULT_WINDOWSIZE,
- help="size of the sandbox window")
+ help="size of the sandbox window")
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
@@ -311,9 +335,13 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
parser.add_option("-l", "--level", dest="level",
help=_("MCS/MLS level for the sandbox"))
- parser.add_option("-C", "--cgroups",
- action="store_true", dest="usecgroup", default=False,
- help="Use cgroups to limit this sandbox.")
+ parser.add_option("-c", "--cgroups",
+ action="store_true", dest="usecgroup", default=False,
+ help=_("Use cgroups to limit this sandbox."))
+
+ parser.add_option("-C", "--capabilities",
+ action="store_true", dest="usecaps", default=False,
+ help="Allow apps requiring capabilities to run within the sandbox.")
self.__parser=parser
@@ -366,8 +394,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
con = selinux.getcon()[1].split(":")
self.__execcon = "%s:%s:%s:%s" % (con[0], con[1], self.setype, level)
- self.__filecon = "%s:%s:%s:%s" % (con[0], "object_r",
- "%s_file_t" % self.setype[:-2],
+ self.__filecon = "%s:%s:%s:%s" % (con[0], "object_r",
+ "%s_file_t" % self.setype[:-2],
level)
def __setup_dir(self):
if self.__options.level or self.__options.session:
@@ -392,12 +420,20 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
def __execute(self):
try:
cmds = [ SEUNSHARE, "-Z", self.__execcon ]
- if self.__options.usecgroup == True:
+ if self.__options.usecgroup:
cmds.append('-c')
+ if self.__options.usecaps:
+ cmds.append('-C')
if self.__mount:
cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ]
if self.__options.X_ind:
+ if self.__options.dpi:
+ dpi = self.__options.dpi
+ else:
+ import gtk
+ dpi = str(gtk.settings_get_default().props.gtk_xft_dpi/1024)
+
xmodmapfile = self.__homedir + "/.xmodmap"
xd = open(xmodmapfile,"w")
subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait()
@@ -405,7 +441,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
self.__setup_sandboxrc(self.__options.wm)
- cmds += [ "--", SANDBOXSH, self.__options.windowsize ]
+ cmds += [ "--", SANDBOXSH, self.__options.windowsize, dpi ]
else:
cmds += [ "--" ] + self.__paths
return subprocess.Popen(cmds).wait()
diff -up policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox policycoreutils-2.0.86/sandbox/sandboxX.sh
--- policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox 2011-06-13 13:44:44.000000000 -0400
+++ policycoreutils-2.0.86/sandbox/sandboxX.sh 2012-01-03 11:10:04.985546365 -0500
@@ -1,10 +1,12 @@
-#!/bin/bash
-context=`id -Z | secon -t `
-export TITLE="`grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80` ($context)"
-[ $# -eq 1 ] && export SCREENSIZE="$1" || export SCREENSIZE="1000x700"
+#!/bin/bash
+trap "" TERM
+context=`id -Z | secon -t -l -P`
+export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
+[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1"
+[ -z $2 ] && export DPI="96" || export DPI="$2"
trap "exit 0" HUP
-(/usr/bin/Xephyr -nolisten tcp -title "$TITLE" -terminate -screen $SCREENSIZE -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -displayfd 5 5>&1 2>/dev/null) | while read D; do
export DISPLAY=:$D
cat > ~/seremote << __EOF
#!/bin/sh
@@ -13,7 +15,7 @@ __EOF
chmod +x ~/seremote
/usr/share/sandbox/start $HOME/.sandboxrc
export EXITCODE=$?
- kill -HUP 0
+ kill -TERM 0
break
done
exit 0
diff -up policycoreutils-2.0.86/sandbox/seunshare.8.sandbox policycoreutils-2.0.86/sandbox/seunshare.8
--- policycoreutils-2.0.86/sandbox/seunshare.8.sandbox 2011-07-07 14:41:16.000000000 -0400
+++ policycoreutils-2.0.86/sandbox/seunshare.8 2012-01-03 11:10:36.498566587 -0500
@@ -3,11 +3,11 @@
seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
.SH SYNOPSIS
.B seunshare
-[ -v ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
+[ -v ] [ -c ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
.br
.SH DESCRIPTION
.PP
-Run the
+Run the
.I executable
within the specified context, using the alternate home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
@@ -18,9 +18,15 @@ Alternate homedir to be used by the appl
\fB\-t\ tmpdir
Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user.
.TP
-\fB\-c cgroups\fR
+\fB\-c --cgroups\fR
Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
.TP
+\fB\-C --capabilities\fR
+Allow apps executed within the namespace to use capabilities. Default is no capabilities.
+.TP
+\fB\-k --kill\fR
+Kill all processes with matching MCS level.
+.TP
\fB\-Z\ context
Use alternate SELinux context while runing the executable.
.TP
@@ -28,10 +34,10 @@ Use alternate SELinux context while runi
Verbose output
.SH "SEE ALSO"
.TP
-runcon(1), sandbox(8), selinux(8)
+runcon(1), sandbox(8), selinux(8)
.PP
.SH AUTHOR
-This manual page was written by
+This manual page was written by
.I Dan Walsh <dwalsh@redhat.com>
and
.I Thomas Liu <tliu@fedoraproject.org>
diff -up policycoreutils-2.0.86/sandbox/seunshare.c.sandbox policycoreutils-2.0.86/sandbox/seunshare.c
--- policycoreutils-2.0.86/sandbox/seunshare.c.sandbox 2011-06-13 13:44:44.000000000 -0400
+++ policycoreutils-2.0.86/sandbox/seunshare.c 2012-01-03 11:08:59.081504712 -0500
@@ -5,8 +5,9 @@
#define _GNU_SOURCE
#include <signal.h>
-#include <sys/types.h>
+#include <sys/fsuid.h>
#include <sys/stat.h>
+#include <sys/types.h>
#include <sys/wait.h>
#include <syslog.h>
#include <sys/mount.h>
@@ -18,7 +19,6 @@
#include <stdio.h>
#include <regex.h>
#include <unistd.h>
-#include <sys/fsuid.h>
#include <stdlib.h>
#include <cap-ng.h>
#include <getopt.h> /* for getopt_long() form of getopt() */
@@ -29,6 +29,7 @@
#include <selinux/selinux.h>
#include <selinux/context.h> /* for context-mangling functions */
+#include <dirent.h>
#ifdef USE_NLS
#include <locale.h> /* for setlocale() */
@@ -42,8 +43,8 @@
#define MS_REC 1<<14
#endif
-#ifndef MS_PRIVATE
-#define MS_PRIVATE 1<<18
+#ifndef MS_SLAVE
+#define MS_SLAVE 1<<19
#endif
#ifndef PACKAGE
@@ -52,21 +53,22 @@
#define BUF_SIZE 1024
#define DEFAULT_PATH "/usr/bin:/bin"
-
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] -t tmpdir -h homedir [-Z context] -- executable [args]")
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -c ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ")
static int verbose = 0;
+static int child = 0;
+static capng_select_t cap_set = CAPNG_SELECT_BOTH;
/**
* This function will drop all capabilities.
*/
static int drop_caps()
{
- if (capng_have_capabilities(CAPNG_SELECT_BOTH) == CAPNG_NONE)
+ if (capng_have_capabilities(cap_set) == CAPNG_NONE)
return 0;
- capng_clear(CAPNG_SELECT_BOTH);
- if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_BOTH) == -1) {
+ capng_clear(cap_set);
+ if (capng_lock() == -1 || capng_apply(cap_set) == -1) {
fprintf(stderr, _("Failed to drop all capabilities\n"));
return -1;
}
@@ -86,6 +88,13 @@ static int drop_privs(uid_t uid)
}
/**
+ * If the user sends a siginto to seunshare, kill the child's session
+ */
+void handler(int sig) {
+ if (child > 0) kill(-child,sig);
+}
+
+/**
* Take care of any signal setup.
*/
static int set_signal_handles(void)
@@ -101,11 +110,16 @@ static int set_signal_handles(void)
(void)sigprocmask(SIG_SETMASK, &empty, NULL);
/* Terminate on SIGHUP */
- if (signal(SIGHUP, SIG_IGN) == SIG_ERR) {
+ if (signal(SIGHUP, SIG_DFL) == SIG_ERR) {
perror("Unable to set SIGHUP handler");
return -1;
}
+ if (signal(SIGINT, handler) == SIG_ERR) {
+ perror("Unable to set SIGINT handler");
+ return -1;
+ }
+
return 0;
}
@@ -192,7 +206,7 @@ static int verify_directory(const char *
struct stat sb;
if (st_out == NULL) st_out = &sb;
-
+
if (lstat(dir, st_out) == -1) {
fprintf(stderr, _("Failed to stat %s: %s\n"), dir, strerror(errno));
return -1;
@@ -241,7 +255,7 @@ static int verify_shell(const char *shel
*/
static int seunshare_mount(const char *src, const char *dst, struct stat *src_st)
{
- int flags = MS_REC;
+ int flags = 0;
int is_tmp = 0;
if (verbose)
@@ -253,14 +267,6 @@ static int seunshare_mount(const char *s
}
/* mount directory */
- if (mount(dst, dst, NULL, MS_BIND | flags, NULL) < 0) {
- fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst, strerror(errno));
- return -1;
- }
- if (mount(dst, dst, NULL, MS_PRIVATE | flags, NULL) < 0) {
- fprintf(stderr, _("Failed to make %s private: %s\n"), dst, strerror(errno));
- return -1;
- }
if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
return -1;
@@ -274,14 +280,6 @@ static int seunshare_mount(const char *s
if (verbose)
printf(_("Mounting /tmp on /var/tmp\n"));
- if (mount("/var/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) {
- fprintf(stderr, _("Failed to mount /var/tmp on /var/tmp: %s\n"), strerror(errno));
- return -1;
- }
- if (mount("/var/tmp", "/var/tmp", NULL, MS_PRIVATE | flags, NULL) < 0) {
- fprintf(stderr, _("Failed to make /var/tmp private: %s\n"), strerror(errno));
- return -1;
- }
if (mount("/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) {
fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno));
return -1;
@@ -308,12 +306,12 @@ static int sandbox_error(const char *str
static int match(const char *string, char *pattern)
{
int status;
- regex_t re;
+ regex_t re;
if (regcomp(&re, pattern, REG_EXTENDED|REG_NOSUB) != 0) {
return 0;
}
status = regexec(&re, string, (size_t)0, NULL, 0);
- regfree(&re);
+ regfree(&re);
if (status != 0) {
return 0;
}
@@ -334,8 +332,9 @@ static int setup_cgroups()
char buf[BUF_SIZE];
char *tok = NULL;
int rc = -1;
- const char* fname = "/etc/sysconfig/sandbox";
-
+ char *str = NULL;
+ const char* fname = "/etc/sysconfig/sandbox";
+
if ((fp = fopen(fname, "rt")) == NULL) {
fprintf(stderr, "Error opening sandbox config file.");
return rc;
@@ -343,12 +342,15 @@ static int setup_cgroups()
while(fgets(buf, BUF_SIZE, fp) != NULL) {
/* Skip comments */
if (buf[0] == '#') continue;
-
+
/* Copy the string, ignoring whitespace */
int len = strlen(buf);
- char *str = malloc((len + 1) * sizeof(char));
-
- int ind = 0;
+ free(str);
+ str = malloc((len + 1) * sizeof(char));
+ if (!str)
+ goto err;
+
+ int ind = 0;
int i;
for (i = 0; i < len; i++) {
char cur = buf[i];
@@ -358,7 +360,7 @@ static int setup_cgroups()
}
}
str[ind] = '\0';
-
+
tok = strtok(str, "=\n");
if (tok != NULL) {
if (!strcmp(tok, "CPUAFFINITY")) {
@@ -382,7 +384,7 @@ static int setup_cgroups()
fprintf(stderr, "Error parsing config file.");
goto err;
}
-
+
} else if (!strcmp(tok, "CPUUSAGE")) {
tok = strtok(NULL, "=\n");
if (match(tok, "^[0-9]+\%")) {
@@ -400,14 +402,14 @@ static int setup_cgroups()
continue;
}
}
-
+
}
if (mem == NULL) {
long phypz = sysconf(_SC_PHYS_PAGES);
long psize = sysconf(_SC_PAGE_SIZE);
memusage = phypz * psize * (float) memusage / 100.0;
}
-
+
cgroup_init();
int64_t current_runtime = 0;
@@ -423,8 +425,8 @@ static int setup_cgroups()
cgroup_get_cgroup(curr);
cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_runtime_us", &current_runtime);
cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_period_us", &current_period);
- }
-
+ }
+
ret = cgroup_get_current_controller_path(getpid(), "memory", &curr_mem_path);
if (ret) {
sandbox_error("Error while trying to get current controller path.\n");
@@ -432,33 +434,33 @@ static int setup_cgroups()
struct cgroup *curr = cgroup_new_cgroup(curr_mem_path);
cgroup_get_cgroup(curr);
cgroup_get_value_int64(cgroup_get_controller(curr, "memory"), "memory.limit_in_bytes", &current_mem);
- }
-
+ }
+
if (((float) cpupercentage) / 100.0> (float)current_runtime / (float) current_period) {
sandbox_error("CPU usage restricted!\n");
goto err;
- }
-
- if (mem == NULL) {
+ }
+
+ if (mem == NULL) {
if (memusage > current_mem) {
sandbox_error("Attempting to use more memory than allowed!");
goto err;
}
}
-
+
long nprocs = sysconf(_SC_NPROCESSORS_ONLN);
-
- struct sched_param sp;
+
+ struct sched_param sp;
sp.sched_priority = sched_get_priority_min(SCHED_FIFO);
sched_setscheduler(getpid(), SCHED_FIFO, &sp);
struct cgroup *sandbox_group = cgroup_new_cgroup(cgroupname);
cgroup_add_controller(sandbox_group, "memory");
cgroup_add_controller(sandbox_group, "cpu");
-
+
if (mem == NULL) {
if (memusage > 0) {
cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", memusage);
- }
+ }
} else {
cgroup_set_value_string(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", mem);
}
@@ -470,13 +472,13 @@ static int setup_cgroups()
if (cpus != NULL) {
cgroup_set_value_string(cgroup_get_controller(sandbox_group, "cpu"), "cgroup.procs",cpus);
}
-
+
uint64_t allocated_mem;
if (cgroup_get_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", &allocated_mem) > current_mem) {
sandbox_error("Attempting to use more memory than allowed!\n");
goto err;
}
-
+
rc = cgroup_create_cgroup(sandbox_group, 1);
if (rc != 0) {
sandbox_error("Failed to create group. Ensure that cgconfig service is running. \n");
@@ -487,13 +489,15 @@ static int setup_cgroups()
rc = 0;
err:
+ fclose(fp);
+ free(str);
free(mem);
free(cgroupname);
free(cpus);
return rc;
}
-/*
+/*
If path is empy or ends with "/." or "/.. return -1 else return 0;
*/
static int bad_path(const char *path) {
@@ -515,7 +519,7 @@ static int bad_path(const char *path) {
return 0;
}
-static int rsynccmd(const char * src, const char *dst, char **cmdbuf)
+static int rsynccmd(const char * src, const char *dst, char **cmdbuf)
{
char *buf = NULL;
char *newbuf = NULL;
@@ -559,7 +563,7 @@ static int rsynccmd(const char * src, co
newbuf = NULL;
}
- if (buf) {
+ if (buf) {
if (asprintf(&newbuf, "/usr/bin/rsync -trlHDq %s '%s'", buf, dst) == -1) {
fprintf(stderr, "Out of memory\n");
goto err;
@@ -674,8 +678,12 @@ static char *create_tmpdir(const char *s
if (verify_directory(tmpdir, NULL, out_st) < 0) {
goto err;
}
- if (check_owner_uid(0, tmpdir, out_st) < 0) goto err;
- if (check_owner_gid(getgid(), tmpdir, out_st) < 0) goto err;
+
+ if (check_owner_uid(0, tmpdir, out_st) < 0)
+ goto err;
+
+ if (check_owner_gid(getgid(), tmpdir, out_st) < 0)
+ goto err;
/* change permissions of the temporary directory */
if ((fd_t = open(tmpdir, O_RDONLY)) < 0) {
@@ -702,7 +710,7 @@ static char *create_tmpdir(const char *s
/* copy selinux context */
if (execcon) {
- if (fsetfilecon(fd_t, con) == -1) {
+ if (fsetfilecon(fd_t, con) == -1) {
fprintf(stderr, _("Failed to set context of the directory %s: %s\n"), tmpdir, strerror(errno));
goto err;
}
@@ -734,12 +742,77 @@ good:
return tmpdir;
}
+#define PROC_BASE "/proc"
+
+static int
+killall (security_context_t execcon)
+{
+ DIR *dir;
+ security_context_t scon;
+ struct dirent *de;
+ pid_t *pid_table, pid, self;
+ int i;
+ int pids, max_pids;
+ int running = 0;
+ self = getpid();
+ if (!(dir = opendir(PROC_BASE))) {
+ return -1;
+ }
+ max_pids = 256;
+ pid_table = malloc(max_pids * sizeof (pid_t));
+ if (!pid_table) {
+ (void)closedir(dir);
+ return -1;
+ }
+ pids = 0;
+ context_t con;
+ con = context_new(execcon);
+ const char *mcs = context_range_get(con);
+ printf("mcs=%s\n", mcs);
+ while ((de = readdir (dir)) != NULL) {
+ if (!(pid = (pid_t)atoi(de->d_name)) || pid == self)
+ continue;
+
+ if (pids == max_pids) {
+ if (!(pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)))) {
+ (void)closedir(dir);
+ return -1;
+ }
+ max_pids *= 2;
+ }
+ pid_table[pids++] = pid;
+ }
+
+ (void)closedir(dir);
+
+ for (i = 0; i < pids; i++) {
+ pid_t id = pid_table[i];
+
+ if (getpidcon(id, &scon) == 0) {
+
+ context_t pidcon = context_new(scon);
+ /* Attempt to kill remaining processes */
+ if (strcmp(context_range_get(pidcon), mcs) == 0)
+ kill(id, SIGKILL);
+
+ context_free(pidcon);
+ freecon(scon);
+ }
+ running++;
+ }
+
+ context_free(con);
+ free(pid_table);
+ return running;
+}
+
int main(int argc, char **argv) {
int status = -1;
security_context_t execcon = NULL;
int clflag; /* holds codes for command line flags */
int usecgroups = 0;
+ int kill_all = 0;
char *homedir_s = NULL; /* homedir spec'd by user in argv[] */
char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */
@@ -752,18 +825,21 @@ int main(int argc, char **argv) {
const struct option long_options[] = {
{"homedir", 1, 0, 'h'},
{"tmpdir", 1, 0, 't'},
+ {"kill", 1, 0, 'k'},
{"verbose", 1, 0, 'v'},
{"cgroups", 1, 0, 'c'},
{"context", 1, 0, 'Z'},
+ {"capabilities", 1, 0, 'C'},
{NULL, 0, 0, 0}
};
uid_t uid = getuid();
-
+/*
if (!uid) {
fprintf(stderr, _("Must not be root"));
return -1;
}
+*/
#ifdef USE_NLS
setlocale(LC_ALL, "");
@@ -783,7 +859,7 @@ int main(int argc, char **argv) {
}
while (1) {
- clflag = getopt_long(argc, argv, "cvh:t:Z:", long_options, NULL);
+ clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL);
if (clflag == -1)
break;
@@ -791,6 +867,9 @@ int main(int argc, char **argv) {
case 't':
tmpdir_s = optarg;
break;
+ case 'k':
+ kill_all = 1;
+ break;
case 'h':
homedir_s = optarg;
break;
@@ -800,6 +879,9 @@ int main(int argc, char **argv) {
case 'c':
usecgroups = 1;
break;
+ case 'C':
+ cap_set = CAPNG_SELECT_CAPS;
+ break;
case 'Z':
execcon = optarg;
break;
@@ -824,9 +906,11 @@ int main(int argc, char **argv) {
return -1;
}
- if (set_signal_handles()) return -1;
+ if (set_signal_handles())
+ return -1;
- if (usecgroups && setup_cgroups() < 0) return -1;
+ if (usecgroups && setup_cgroups() < 0)
+ return -1;
/* set fsuid to ruid */
/* Changing fsuid is usually required when user-specified directory is
@@ -851,7 +935,7 @@ int main(int argc, char **argv) {
}
/* spawn child process */
- int child = fork();
+ child = fork();
if (child == -1) {
perror(_("Unable to fork"));
goto err;
@@ -859,6 +943,7 @@ int main(int argc, char **argv) {
if (child == 0) {
char *display = NULL;
+ char *LANG = NULL;
int rc = -1;
if (unshare(CLONE_NEWNS) < 0) {
@@ -866,6 +951,13 @@ int main(int argc, char **argv) {
goto childerr;
}
+ /* Remount / as SLAVE so that nothing mounted in the namespace
+ shows up in the parent */
+ if (mount("none", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) {
+ perror(_("Failed to make / a SLAVE mountpoint\n"));
+ goto childerr;
+ }
+
/* assume fsuid==ruid after this point */
setfsuid(uid);
@@ -884,12 +976,23 @@ int main(int argc, char **argv) {
goto childerr;
}
}
+
+ /* construct a new environment */
+ if ((LANG = getenv("LANG")) != NULL) {
+ if ((LANG = strdup(LANG)) == NULL) {
+ perror(_("Out of memory"));
+ goto childerr;
+ }
+ }
+
if ((rc = clearenv()) != 0) {
perror(_("Failed to clear environment"));
goto childerr;
}
- if (display)
+ if (display)
rc |= setenv("DISPLAY", display, 1);
+ if (LANG)
+ rc |= setenv("LANG", LANG, 1);
rc |= setenv("HOME", pwd->pw_dir, 1);
rc |= setenv("SHELL", pwd->pw_shell, 1);
rc |= setenv("USER", pwd->pw_name, 1);
@@ -899,7 +1002,7 @@ int main(int argc, char **argv) {
fprintf(stderr, _("Failed to construct environment\n"));
goto childerr;
}
-
+
/* selinux context */
if (execcon && setexeccon(execcon) != 0) {
fprintf(stderr, _("Could not set exec context to %s.\n"), execcon);
@@ -910,13 +1013,12 @@ int main(int argc, char **argv) {
perror(_("Failed to change dir to homedir"));
goto childerr;
}
-
setsid();
-
execv(argv[optind], argv + optind);
fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
childerr:
free(display);
+ free(LANG);
exit(-1);
}
@@ -926,10 +1028,15 @@ childerr:
waitpid(child, &status, 0);
status_to_retval(status, status);
+ /* Make sure all child processes exit */
+ kill(-child,SIGTERM);
+
+ if (execcon && kill_all)
+ killall(execcon);
+
if (tmpdir_r) cleanup_tmpdir(tmpdir_r, tmpdir_s, pwd, 1);
err:
free(tmpdir_r);
return status;
}
-

View File

@ -6,8 +6,8 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.85
Release: 12%{?dist}
Version: 2.0.86
Release: 7.3%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@ -25,7 +25,8 @@ Patch: policycoreutils-rhat.patch
Patch1: policycoreutils-po.patch
Patch3: policycoreutils-gui.patch
Patch4: policycoreutils-sepolgen.patch
Obsoletes: policycoreutils < 2.0.61-2
Patch5: policycoreutils-sandbox.patch
Obsoletes: policycoreutils < 2.0.86-7
%global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")
@ -63,6 +64,7 @@ context.
%patch1 -p1 -b .rhatpo
%patch3 -p1 -b .gui
%patch4 -p1 -b .sepolgen
%patch5 -p1 -b .sandbox
%build
make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE " LDFLAGS="-pie -Wl,-z,relro" all
@ -119,6 +121,7 @@ Requires: /usr/bin/make
Requires(pre): python >= 2.6
Obsoletes: policycoreutils < 2.0.61-2
Requires: setools-libs-python >= 3.3.7-6
Requires: python-IPy
%description python
The policycoreutils-python package contains the management tools use to manage an SELinux environment.
@ -156,19 +159,19 @@ exit 0
Summary: SELinux sandbox utilities
Group: System Environment/Base
Requires: policycoreutils-python = %{version}-%{release}
Requires: xorg-x11-server-Xephyr
Requires: xorg-x11-server-Xephyr /usr/bin/rsync /usr/bin/xmodmap
Requires: matchbox-window-manager
Requires(post): /sbin/chkconfig
BuildRequires: libcap-ng-devel
%description sandbox
The policycoreutils-python package contains the scripts to create graphical sandboxes
The policycoreutils-sandbox package contains the scripts to create graphical sandboxes
%files sandbox
%defattr(-,root,root,-)
%{_datadir}/sandbox/sandboxX.sh
%{_datadir}/sandbox/start
%attr(0755,root,root) %caps(cap_setpcap,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
%attr(0755,root,root) %caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
%{_mandir}/man8/seunshare.8*
%{_mandir}/man5/sandbox.conf.5*
@ -180,6 +183,7 @@ exit 0
if [ $1 -eq 1 ]; then
/sbin/chkconfig sandbox --add
fi
%preun sandbox
if [ $1 -eq 0 ]; then
/sbin/chkconfig sandbox --del
@ -296,6 +300,7 @@ rm -rf %{buildroot}
Summary: SELinux restorecond utilities
Group: System Environment/Base
Requires(post): /sbin/chkconfig
Obsoletes: policycoreutils < 2.0.86-7
%description restorecond
The policycoreutils-restorecond package contains the restorecond service.
@ -329,6 +334,115 @@ fi
exit 0
%changelog
* Tue Jan 3 2012 Dan Walsh <dwalsh@redhat.com> - 2.0.86-7.3
- Fix the handling of namespaces in seunshare/sandbox.
- Currently mounting of directories within sandbox is propogating to the
- parent namesspace.
* Thu Jul 7 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-7.2
- Change seunshare to send kill signals to the childs session.
- Also add signal handler to catch sigint, so if user enters ctrl-C sandbox will shutdown.
- Add -k qualifier to seunshare to have it attempt to kill all processes with
the matching MCS label.
- Add -C option to sandbox and seunshare to maintain capabilities, otherwise
the bounding set will be dropped.
- Change --cgroups short name -c rather then -C for consistancy
- Fix memory and fd leaks in seunshare
* Mon Jun 13 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-7.1
- Do not drop capability bounding set in seunshare, this allows sandbox to
- run setuid apps.
- Cleanup policy generation template
- Pass dpi settings to sandbox
- Add .config/* to restorecond_users.conf
* Fri Apr 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-7
- Clean up some of the templates for sepolgen
* Fri Apr 22 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-6
- Apply patches from Christoph A.
* fix sandbox title
* stop xephyr from li
- Also ignore errors on sandbox include of directory missing files
* Thu Apr 21 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-5
- rebuild versus latest libsepol
* Mon Apr 18 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-4
- Change fixfiles restore to delete unlabeled sockets in /tmp
* Mon Apr 18 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-2
- rebuild versus latest libsepol
* Tue Apr 12 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-1
- Update to upstream
* Use correct color range in mcstrand by Richard Haines.
* Mon Apr 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-30
- Add Elia Pinto patches to allow user to specify directories to ignore
* Tue Apr 5 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-29
- Fix policycoreutils-sandbox description
* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-28
- rsynccmd should run outside of execcon
* Thu Mar 24 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-27
- Fix semange node handling of ipv6 addresses
* Wed Mar 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-26
- Fix sepolgen-ifgen call, add -p option
* Wed Mar 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-25
- Fix sepolgen-ifgen call
* Fri Mar 18 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-24
- Fix rsync command to work if the directory is old.
- Fix all tests
* Wed Mar 16 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-23
- Fix sepolgen to generate network polcy using generic_if and genric_node versus all_if and all_node
* Wed Mar 16 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-22
- Return to original seunshare man page
* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-21
- change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
- This will allow default sandboxes to work on NFS homedirs without allowing
access to homedir data
* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-20
- Change sepolgen-ifgen to search all available policy files
- Exit in restorecond if it can not find a UID in the passwd database
* Wed Mar 9 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-19
- Fix portspage in system-config-selinux to not crash
- More fixes for seunshare from Tomas Hoger
* Tue Mar 8 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-18
- put back in old handling of -T in sandbox command
- Put back setsid in seunshare
- Fix rsync to maintain times
* Tue Mar 8 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-17
- Use rewritten seunshare from thoger
* Mon Mar 7 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-16
- Require python-IPy for policycoreutils-python package
- Fixes for sepologen
- Usage statement needs -n name
- Names with _ are being prevented
- dbus apps should get _chat interface
* Thu Mar 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-15
- Fix error message in seunshare, check for tmpdir existance before unlink.
* Fri Feb 25 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-13
- Rewrite seunshare to make sure /tmp is mounted stickybit owned by root
- Only allow names in polgengui that contain letters and numbers
- Fix up node handling in semanage command
- Update translations
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.85-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild

View File

@ -2,6 +2,7 @@
Name=SELinux Policy Generation Tool
Name[bn_IN]=SELinux Policy ি
Name[ca]=Eina de generació de polítiques del SELinux
Name[da]=Regelsætgenereringsværktøj til SELinux
Name[de]=Tool zur Erstellung von SELinux-Richtlinien
Name[es]=Generador de Políticas de SELinux
Name[fi]=SELinux-käytäntöjen generointityökalu
@ -24,12 +25,13 @@ Name[ru]=Средство создания политики SELinux
Name[sv]=Genereringsverktyg för SELinuxpolicy
Name[ta]=SELinux ிி ி ி
Name[te]=SELinux ి
Name[uk]=Утиліта генерації політики SELinux
Name[uk]=Утиліта генерації правил SELinux
Name[zh_CN]=SELinux
Name[zh_TW]=SELinux SELinux Policy Generation Tool
Comment=Generate SELinux policy modules
Comment[bn_IN]=SELinux িি ি ি
Comment[ca]=Genera els mòduls de les polítiques de SELinux
Comment[da]=Generér SELinux-regelsætmodul
Comment[de]=Tool zur Erstellung von SELinux-Richtlinien
Comment[es]=Generar módulos de política de SELinux
Comment[fi]=Generoi SELinuxin käytäntömoduuleja

View File

@ -1,3 +1,3 @@
49faa2e5f343317bcfcf34d7286f6037 sepolgen-1.0.23.tgz
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
92fa615448d443b22c4ad6ecf89fc974 policycoreutils-2.0.85.tgz
13d864a8a6f8a933ef7aee7baf4a9662 policycoreutils-2.0.86.tgz

View File

@ -1,6 +1,7 @@
[Desktop Entry]
Name=SELinux Management
Name[bn_IN]=SELinux ি
Name[da]=Håndtering af SELinux
Name[de]=SELinux-Management
Name[ca]=Gestió de SELinux
Name[es]=Administración de SELinux
@ -30,6 +31,7 @@ Name[zh_TW]=SELinux 管理
Comment=Configure SELinux in a graphical setting
Comment[bn_IN]=ি ি SELinux ি
Comment[ca]=Configura SELinuc an mode de preferències gràfiques
Comment[da]=Konfigurér SELinux i et grafisk miljø
Comment[de]=SELinux in einer grafischen Einstellung konfigurieren
Comment[es]=Defina SELinux en una configuración de interfaz gráfica
Comment[fi]=Tee SELinuxin asetukset graafisesti