Compare commits
26 Commits
Author | SHA1 | Date | |
---|---|---|---|
|
72a4d21573 | ||
|
df863663f2 | ||
|
9f197b5eb0 | ||
|
f415a12acc | ||
|
397914a5b7 | ||
|
de46aea469 | ||
|
fe90fcfea9 | ||
|
4cd6edc808 | ||
|
16246ac8b2 | ||
|
55fb6920ca | ||
|
78134e652a | ||
|
ed4c843b48 | ||
|
6d8189f150 | ||
|
4189d94570 | ||
|
f7c4958dbf | ||
|
c06fc4b8dd | ||
|
fd42cdb339 | ||
|
9f8f4e973f | ||
|
65350da6d3 | ||
|
b6d72dd04b | ||
|
312470de44 | ||
|
93a6f1fc9d | ||
|
2ab6e22253 | ||
|
513ebc6132 | ||
|
4d63979d6d | ||
|
aae6082678 |
@ -1,6 +1,6 @@
|
|||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py policycoreutils-2.0.85/gui/booleansPage.py
|
diff -up policycoreutils-2.0.86/gui/booleansPage.py.gui policycoreutils-2.0.86/gui/booleansPage.py
|
||||||
--- nsapolicycoreutils/gui/booleansPage.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/booleansPage.py.gui 2011-04-12 10:52:07.463643555 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/booleansPage.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/booleansPage.py 2011-04-12 10:52:07.463643555 -0400
|
||||||
@@ -0,0 +1,247 @@
|
@@ -0,0 +1,247 @@
|
||||||
+#
|
+#
|
||||||
+# booleansPage.py - GUI for Booleans page in system-config-securitylevel
|
+# booleansPage.py - GUI for Booleans page in system-config-securitylevel
|
||||||
@ -249,9 +249,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py poli
|
|||||||
+ self.load(self.filter)
|
+ self.load(self.filter)
|
||||||
+ return True
|
+ return True
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/domainsPage.py policycoreutils-2.0.85/gui/domainsPage.py
|
diff -up policycoreutils-2.0.86/gui/domainsPage.py.gui policycoreutils-2.0.86/gui/domainsPage.py
|
||||||
--- nsapolicycoreutils/gui/domainsPage.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/domainsPage.py.gui 2011-04-12 10:52:07.464643571 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/domainsPage.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/domainsPage.py 2011-04-12 10:52:07.464643571 -0400
|
||||||
@@ -0,0 +1,154 @@
|
@@ -0,0 +1,154 @@
|
||||||
+## domainsPage.py - show selinux domains
|
+## domainsPage.py - show selinux domains
|
||||||
+## Copyright (C) 2009 Red Hat, Inc.
|
+## Copyright (C) 2009 Red Hat, Inc.
|
||||||
@ -407,9 +407,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/domainsPage.py polic
|
|||||||
+
|
+
|
||||||
+ except ValueError, e:
|
+ except ValueError, e:
|
||||||
+ self.error(e.args[0])
|
+ self.error(e.args[0])
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py policycoreutils-2.0.85/gui/fcontextPage.py
|
diff -up policycoreutils-2.0.86/gui/fcontextPage.py.gui policycoreutils-2.0.86/gui/fcontextPage.py
|
||||||
--- nsapolicycoreutils/gui/fcontextPage.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/fcontextPage.py.gui 2011-04-12 10:52:07.468643633 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/fcontextPage.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/fcontextPage.py 2011-04-12 10:52:07.468643633 -0400
|
||||||
@@ -0,0 +1,223 @@
|
@@ -0,0 +1,223 @@
|
||||||
+## fcontextPage.py - show selinux mappings
|
+## fcontextPage.py - show selinux mappings
|
||||||
+## Copyright (C) 2006 Red Hat, Inc.
|
+## Copyright (C) 2006 Red Hat, Inc.
|
||||||
@ -634,9 +634,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py poli
|
|||||||
+ self.store.set_value(iter, SPEC_COL, fspec)
|
+ self.store.set_value(iter, SPEC_COL, fspec)
|
||||||
+ self.store.set_value(iter, FTYPE_COL, ftype)
|
+ self.store.set_value(iter, FTYPE_COL, ftype)
|
||||||
+ self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls))
|
+ self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls))
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/html_util.py policycoreutils-2.0.85/gui/html_util.py
|
diff -up policycoreutils-2.0.86/gui/html_util.py.gui policycoreutils-2.0.86/gui/html_util.py
|
||||||
--- nsapolicycoreutils/gui/html_util.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/html_util.py.gui 2011-04-12 10:52:07.469643648 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/html_util.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/html_util.py 2011-04-12 10:52:07.470643663 -0400
|
||||||
@@ -0,0 +1,164 @@
|
@@ -0,0 +1,164 @@
|
||||||
+# Authors: John Dennis <jdennis@redhat.com>
|
+# Authors: John Dennis <jdennis@redhat.com>
|
||||||
+#
|
+#
|
||||||
@ -802,9 +802,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/html_util.py policyc
|
|||||||
+ doc += tail
|
+ doc += tail
|
||||||
+ return doc
|
+ return doc
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.glade policycoreutils-2.0.85/gui/lockdown.glade
|
diff -up policycoreutils-2.0.86/gui/lockdown.glade.gui policycoreutils-2.0.86/gui/lockdown.glade
|
||||||
--- nsapolicycoreutils/gui/lockdown.glade 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/lockdown.glade.gui 2011-04-12 10:52:07.471643678 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/lockdown.glade 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/lockdown.glade 2011-04-12 10:52:07.477643771 -0400
|
||||||
@@ -0,0 +1,771 @@
|
@@ -0,0 +1,771 @@
|
||||||
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
||||||
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
|
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
|
||||||
@ -1577,9 +1577,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.glade polic
|
|||||||
+</widget>
|
+</widget>
|
||||||
+
|
+
|
||||||
+</glade-interface>
|
+</glade-interface>
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.gladep policycoreutils-2.0.85/gui/lockdown.gladep
|
diff -up policycoreutils-2.0.86/gui/lockdown.gladep.gui policycoreutils-2.0.86/gui/lockdown.gladep
|
||||||
--- nsapolicycoreutils/gui/lockdown.gladep 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/lockdown.gladep.gui 2011-04-12 10:52:07.482643847 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/lockdown.gladep 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/lockdown.gladep 2011-04-12 10:52:07.483643863 -0400
|
||||||
@@ -0,0 +1,7 @@
|
@@ -0,0 +1,7 @@
|
||||||
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
||||||
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
|
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
|
||||||
@ -1588,9 +1588,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.gladep poli
|
|||||||
+ <name></name>
|
+ <name></name>
|
||||||
+ <program_name></program_name>
|
+ <program_name></program_name>
|
||||||
+</glade-project>
|
+</glade-project>
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.py policycoreutils-2.0.85/gui/lockdown.py
|
diff -up policycoreutils-2.0.86/gui/lockdown.py.gui policycoreutils-2.0.86/gui/lockdown.py
|
||||||
--- nsapolicycoreutils/gui/lockdown.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/lockdown.py.gui 2011-04-12 10:52:07.484643879 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/lockdown.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/lockdown.py 2011-04-12 10:52:07.484643879 -0400
|
||||||
@@ -0,0 +1,382 @@
|
@@ -0,0 +1,382 @@
|
||||||
+#!/usr/bin/python -Es
|
+#!/usr/bin/python -Es
|
||||||
+#
|
+#
|
||||||
@ -1974,9 +1974,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.py policyco
|
|||||||
+
|
+
|
||||||
+ app = booleanWindow()
|
+ app = booleanWindow()
|
||||||
+ app.stand_alone()
|
+ app.stand_alone()
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policycoreutils-2.0.85/gui/loginsPage.py
|
diff -up policycoreutils-2.0.86/gui/loginsPage.py.gui policycoreutils-2.0.86/gui/loginsPage.py
|
||||||
--- nsapolicycoreutils/gui/loginsPage.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/loginsPage.py.gui 2011-04-12 10:52:07.485643894 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/loginsPage.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/loginsPage.py 2011-04-12 10:52:07.486643909 -0400
|
||||||
@@ -0,0 +1,185 @@
|
@@ -0,0 +1,185 @@
|
||||||
+## loginsPage.py - show selinux mappings
|
+## loginsPage.py - show selinux mappings
|
||||||
+## Copyright (C) 2006 Red Hat, Inc.
|
+## Copyright (C) 2006 Red Hat, Inc.
|
||||||
@ -2163,9 +2163,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policy
|
|||||||
+ self.store.set_value(iter, 1, seuser)
|
+ self.store.set_value(iter, 1, seuser)
|
||||||
+ self.store.set_value(iter, 2, seobject.translate(serange))
|
+ self.store.set_value(iter, 2, seobject.translate(serange))
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreutils-2.0.85/gui/Makefile
|
diff -up policycoreutils-2.0.86/gui/Makefile.gui policycoreutils-2.0.86/gui/Makefile
|
||||||
--- nsapolicycoreutils/gui/Makefile 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/Makefile.gui 2011-04-12 10:52:07.486643909 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/Makefile 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/Makefile 2011-04-12 10:52:07.487643924 -0400
|
||||||
@@ -0,0 +1,40 @@
|
@@ -0,0 +1,40 @@
|
||||||
+# Installation directories.
|
+# Installation directories.
|
||||||
+PREFIX ?= ${DESTDIR}/usr
|
+PREFIX ?= ${DESTDIR}/usr
|
||||||
@ -2207,9 +2207,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreu
|
|||||||
+indent:
|
+indent:
|
||||||
+
|
+
|
||||||
+relabel:
|
+relabel:
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py policycoreutils-2.0.85/gui/mappingsPage.py
|
diff -up policycoreutils-2.0.86/gui/mappingsPage.py.gui policycoreutils-2.0.86/gui/mappingsPage.py
|
||||||
--- nsapolicycoreutils/gui/mappingsPage.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/mappingsPage.py.gui 2011-04-12 10:52:07.487643924 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/mappingsPage.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/mappingsPage.py 2011-04-12 10:52:07.492644000 -0400
|
||||||
@@ -0,0 +1,56 @@
|
@@ -0,0 +1,56 @@
|
||||||
+## mappingsPage.py - show selinux mappings
|
+## mappingsPage.py - show selinux mappings
|
||||||
+## Copyright (C) 2006 Red Hat, Inc.
|
+## Copyright (C) 2006 Red Hat, Inc.
|
||||||
@ -2267,9 +2267,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py poli
|
|||||||
+ for k in keys:
|
+ for k in keys:
|
||||||
+ print "%-25s %-25s %-25s" % (k, dict[k][0], translate(dict[k][1]))
|
+ print "%-25s %-25s %-25s" % (k, dict[k][0], translate(dict[k][1]))
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py policycoreutils-2.0.85/gui/modulesPage.py
|
diff -up policycoreutils-2.0.86/gui/modulesPage.py.gui policycoreutils-2.0.86/gui/modulesPage.py
|
||||||
--- nsapolicycoreutils/gui/modulesPage.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/modulesPage.py.gui 2011-04-12 10:52:07.493644016 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/modulesPage.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/modulesPage.py 2011-04-12 10:52:07.493644016 -0400
|
||||||
@@ -0,0 +1,190 @@
|
@@ -0,0 +1,190 @@
|
||||||
+## modulesPage.py - show selinux mappings
|
+## modulesPage.py - show selinux mappings
|
||||||
+## Copyright (C) 2006-2009 Red Hat, Inc.
|
+## Copyright (C) 2006-2009 Red Hat, Inc.
|
||||||
@ -2461,9 +2461,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py polic
|
|||||||
+
|
+
|
||||||
+ except ValueError, e:
|
+ except ValueError, e:
|
||||||
+ self.error(e.args[0])
|
+ self.error(e.args[0])
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.85/gui/polgen.glade
|
diff -up policycoreutils-2.0.86/gui/polgen.glade.gui policycoreutils-2.0.86/gui/polgen.glade
|
||||||
--- nsapolicycoreutils/gui/polgen.glade 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/polgen.glade.gui 2011-04-12 10:52:07.505644201 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/polgen.glade 2011-02-03 16:11:44.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/polgen.glade 2011-04-12 10:52:07.507644232 -0400
|
||||||
@@ -0,0 +1,3432 @@
|
@@ -0,0 +1,3432 @@
|
||||||
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
||||||
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
|
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
|
||||||
@ -2592,7 +2592,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
|
|||||||
+ <child>
|
+ <child>
|
||||||
+ <widget class="GtkLabel" id="select_type_label">
|
+ <widget class="GtkLabel" id="select_type_label">
|
||||||
+ <property name="visible">True</property>
|
+ <property name="visible">True</property>
|
||||||
+ <property name="label" translatable="yes"><b>Select the policy type for the application or user role you wan to confine:</b></property>
|
+ <property name="label" translatable="yes"><b>Select the policy type for the application or user role you want to confine:</b></property>
|
||||||
+ <property name="use_underline">False</property>
|
+ <property name="use_underline">False</property>
|
||||||
+ <property name="use_markup">True</property>
|
+ <property name="use_markup">True</property>
|
||||||
+ <property name="justify">GTK_JUSTIFY_LEFT</property>
|
+ <property name="justify">GTK_JUSTIFY_LEFT</property>
|
||||||
@ -5897,9 +5897,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policyc
|
|||||||
+</widget>
|
+</widget>
|
||||||
+
|
+
|
||||||
+</glade-interface>
|
+</glade-interface>
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policycoreutils-2.0.85/gui/polgen.gladep
|
diff -up policycoreutils-2.0.86/gui/polgen.gladep.gui policycoreutils-2.0.86/gui/polgen.gladep
|
||||||
--- nsapolicycoreutils/gui/polgen.gladep 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/polgen.gladep.gui 2011-04-12 10:52:07.508644247 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/polgen.gladep 2011-02-02 16:17:52.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/polgen.gladep 2011-04-12 10:52:07.508644247 -0400
|
||||||
@@ -0,0 +1,7 @@
|
@@ -0,0 +1,7 @@
|
||||||
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
||||||
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
|
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
|
||||||
@ -5908,9 +5908,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policy
|
|||||||
+ <name></name>
|
+ <name></name>
|
||||||
+ <program_name></program_name>
|
+ <program_name></program_name>
|
||||||
+</glade-project>
|
+</glade-project>
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.85/gui/polgengui.py
|
diff -up policycoreutils-2.0.86/gui/polgengui.py.gui policycoreutils-2.0.86/gui/polgengui.py
|
||||||
--- nsapolicycoreutils/gui/polgengui.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/polgengui.py.gui 2011-04-12 10:52:07.513644322 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/polgengui.py 2011-02-03 15:50:31.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/polgengui.py 2011-05-23 17:04:16.377786536 -0400
|
||||||
@@ -0,0 +1,750 @@
|
@@ -0,0 +1,750 @@
|
||||||
+#!/usr/bin/python -Es
|
+#!/usr/bin/python -Es
|
||||||
+#
|
+#
|
||||||
@ -5918,7 +5918,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
|
|||||||
+#
|
+#
|
||||||
+# Dan Walsh <dwalsh@redhat.com>
|
+# Dan Walsh <dwalsh@redhat.com>
|
||||||
+#
|
+#
|
||||||
+# Copyright 2007, 2008, 2009 Red Hat, Inc.
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+#
|
+#
|
||||||
+# This program is free software; you can redistribute it and/or modify
|
+# This program is free software; you can redistribute it and/or modify
|
||||||
+# it under the terms of the GNU General Public License as published by
|
+# it under the terms of the GNU General Public License as published by
|
||||||
@ -6609,8 +6609,8 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
|
|||||||
+
|
+
|
||||||
+ def on_name_page_next(self, *args):
|
+ def on_name_page_next(self, *args):
|
||||||
+ name=self.name_entry.get_text()
|
+ name=self.name_entry.get_text()
|
||||||
+ if name == "":
|
+ if not name.isalnum():
|
||||||
+ self.error(_("You must enter a name"))
|
+ self.error(_("You must add a name made up of letters and numbers and containing no spaces."))
|
||||||
+ return True
|
+ return True
|
||||||
+
|
+
|
||||||
+ for i in self.label_dict:
|
+ for i in self.label_dict:
|
||||||
@ -6662,13 +6662,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policyc
|
|||||||
+
|
+
|
||||||
+ app = childWindow()
|
+ app = childWindow()
|
||||||
+ app.stand_alone()
|
+ app.stand_alone()
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.85/gui/polgen.py
|
diff -up policycoreutils-2.0.86/gui/polgen.py.gui policycoreutils-2.0.86/gui/polgen.py
|
||||||
--- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/polgen.py.gui 2011-04-12 10:52:07.516644368 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/polgen.py 2011-02-03 17:03:56.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/polgen.py 2011-05-23 17:04:04.539689964 -0400
|
||||||
@@ -0,0 +1,1343 @@
|
@@ -0,0 +1,1346 @@
|
||||||
+#!/usr/bin/python -Es
|
+#!/usr/bin/python -Es
|
||||||
+#
|
+#
|
||||||
+# Copyright (C) 2007-2010 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -6981,6 +6981,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
|
|||||||
+( self.generate_sandbox_types, self.generate_sandbox_rules))
|
+( self.generate_sandbox_types, self.generate_sandbox_rules))
|
||||||
+ if name == "":
|
+ if name == "":
|
||||||
+ raise ValueError(_("You must enter a name for your confined process/user"))
|
+ raise ValueError(_("You must enter a name for your confined process/user"))
|
||||||
|
+ if not name.isalnum():
|
||||||
|
+ raise ValueError(_("Name must be alpha numberic with no spaces."))
|
||||||
|
+
|
||||||
+ if type == CGI:
|
+ if type == CGI:
|
||||||
+ self.name = "httpd_%s_script" % name
|
+ self.name = "httpd_%s_script" % name
|
||||||
+ else:
|
+ else:
|
||||||
@ -8009,9 +8012,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycore
|
|||||||
+ sys.exit(0)
|
+ sys.exit(0)
|
||||||
+ except ValueError, e:
|
+ except ValueError, e:
|
||||||
+ usage(e)
|
+ usage(e)
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policycoreutils-2.0.85/gui/portsPage.py
|
diff -up policycoreutils-2.0.86/gui/portsPage.py.gui policycoreutils-2.0.86/gui/portsPage.py
|
||||||
--- nsapolicycoreutils/gui/portsPage.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/portsPage.py.gui 2011-04-12 10:52:07.518644400 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/portsPage.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/portsPage.py 2011-04-12 10:52:07.521644446 -0400
|
||||||
@@ -0,0 +1,259 @@
|
@@ -0,0 +1,259 @@
|
||||||
+## portsPage.py - show selinux mappings
|
+## portsPage.py - show selinux mappings
|
||||||
+## Copyright (C) 2006 Red Hat, Inc.
|
+## Copyright (C) 2006 Red Hat, Inc.
|
||||||
@ -8272,9 +8275,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policyc
|
|||||||
+
|
+
|
||||||
+ return True
|
+ return True
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policycoreutils-2.0.85/gui/selinux.tbl
|
diff -up policycoreutils-2.0.86/gui/selinux.tbl.gui policycoreutils-2.0.86/gui/selinux.tbl
|
||||||
--- nsapolicycoreutils/gui/selinux.tbl 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/selinux.tbl.gui 2011-04-12 10:52:07.522644461 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/selinux.tbl 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/selinux.tbl 2011-04-12 10:52:07.522644461 -0400
|
||||||
@@ -0,0 +1,234 @@
|
@@ -0,0 +1,234 @@
|
||||||
+acct_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for acct daemon")
|
+acct_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for acct daemon")
|
||||||
+allow_daemons_dump_core _("Admin") _("Allow all daemons to write corefiles to /")
|
+allow_daemons_dump_core _("Admin") _("Allow all daemons to write corefiles to /")
|
||||||
@ -8510,9 +8513,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policyco
|
|||||||
+webadm_manage_user_files _("HTTPD Service") _("Allow SELinux webadm user to manage unprivileged users home directories")
|
+webadm_manage_user_files _("HTTPD Service") _("Allow SELinux webadm user to manage unprivileged users home directories")
|
||||||
+webadm_read_user_files _("HTTPD Service") _("Allow SELinux webadm user to read unprivileged users home directories")
|
+webadm_read_user_files _("HTTPD Service") _("Allow SELinux webadm user to read unprivileged users home directories")
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py policycoreutils-2.0.85/gui/semanagePage.py
|
diff -up policycoreutils-2.0.86/gui/semanagePage.py.gui policycoreutils-2.0.86/gui/semanagePage.py
|
||||||
--- nsapolicycoreutils/gui/semanagePage.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/semanagePage.py.gui 2011-04-12 10:52:07.523644476 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/semanagePage.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/semanagePage.py 2011-04-12 10:52:07.524644491 -0400
|
||||||
@@ -0,0 +1,168 @@
|
@@ -0,0 +1,168 @@
|
||||||
+## semanagePage.py - show selinux mappings
|
+## semanagePage.py - show selinux mappings
|
||||||
+## Copyright (C) 2006 Red Hat, Inc.
|
+## Copyright (C) 2006 Red Hat, Inc.
|
||||||
@ -8682,9 +8685,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py poli
|
|||||||
+ self.load(self.filter)
|
+ self.load(self.filter)
|
||||||
+ return True
|
+ return True
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policycoreutils-2.0.85/gui/statusPage.py
|
diff -up policycoreutils-2.0.86/gui/statusPage.py.gui policycoreutils-2.0.86/gui/statusPage.py
|
||||||
--- nsapolicycoreutils/gui/statusPage.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/statusPage.py.gui 2011-04-12 10:52:07.530644584 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/statusPage.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/statusPage.py 2011-04-12 10:52:07.530644584 -0400
|
||||||
@@ -0,0 +1,190 @@
|
@@ -0,0 +1,190 @@
|
||||||
+# statusPage.py - show selinux status
|
+# statusPage.py - show selinux status
|
||||||
+## Copyright (C) 2006-2009 Red Hat, Inc.
|
+## Copyright (C) 2006-2009 Red Hat, Inc.
|
||||||
@ -8876,9 +8879,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policy
|
|||||||
+ return self.types[self.selinuxTypeOptionMenu.get_active()]
|
+ return self.types[self.selinuxTypeOptionMenu.get_active()]
|
||||||
+
|
+
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.glade policycoreutils-2.0.85/gui/system-config-selinux.glade
|
diff -up policycoreutils-2.0.86/gui/system-config-selinux.glade.gui policycoreutils-2.0.86/gui/system-config-selinux.glade
|
||||||
--- nsapolicycoreutils/gui/system-config-selinux.glade 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/system-config-selinux.glade.gui 2011-04-12 10:52:07.534644645 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/system-config-selinux.glade 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/system-config-selinux.glade 2011-04-12 10:52:07.539644720 -0400
|
||||||
@@ -0,0 +1,3024 @@
|
@@ -0,0 +1,3024 @@
|
||||||
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
||||||
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
|
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
|
||||||
@ -11904,9 +11907,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu
|
|||||||
+</widget>
|
+</widget>
|
||||||
+
|
+
|
||||||
+</glade-interface>
|
+</glade-interface>
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.gladep policycoreutils-2.0.85/gui/system-config-selinux.gladep
|
diff -up policycoreutils-2.0.86/gui/system-config-selinux.gladep.gui policycoreutils-2.0.86/gui/system-config-selinux.gladep
|
||||||
--- nsapolicycoreutils/gui/system-config-selinux.gladep 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/system-config-selinux.gladep.gui 2011-04-12 10:52:07.540644736 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/system-config-selinux.gladep 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/system-config-selinux.gladep 2011-04-12 10:52:07.541644752 -0400
|
||||||
@@ -0,0 +1,7 @@
|
@@ -0,0 +1,7 @@
|
||||||
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
|
||||||
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
|
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
|
||||||
@ -11915,9 +11918,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu
|
|||||||
+ <name></name>
|
+ <name></name>
|
||||||
+ <program_name></program_name>
|
+ <program_name></program_name>
|
||||||
+</glade-project>
|
+</glade-project>
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.py policycoreutils-2.0.85/gui/system-config-selinux.py
|
diff -up policycoreutils-2.0.86/gui/system-config-selinux.py.gui policycoreutils-2.0.86/gui/system-config-selinux.py
|
||||||
--- nsapolicycoreutils/gui/system-config-selinux.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/system-config-selinux.py.gui 2011-04-12 10:52:07.542644768 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/system-config-selinux.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/system-config-selinux.py 2011-04-12 10:52:07.542644768 -0400
|
||||||
@@ -0,0 +1,187 @@
|
@@ -0,0 +1,187 @@
|
||||||
+#!/usr/bin/python -Es
|
+#!/usr/bin/python -Es
|
||||||
+#
|
+#
|
||||||
@ -12106,11 +12109,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinu
|
|||||||
+
|
+
|
||||||
+ app = childWindow()
|
+ app = childWindow()
|
||||||
+ app.stand_alone()
|
+ app.stand_alone()
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py policycoreutils-2.0.85/gui/templates/boolean.py
|
diff -up policycoreutils-2.0.86/gui/templates/boolean.py.gui policycoreutils-2.0.86/gui/templates/boolean.py
|
||||||
--- nsapolicycoreutils/gui/templates/boolean.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/boolean.py.gui 2011-04-12 10:52:07.543644784 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/boolean.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/boolean.py 2011-05-23 16:59:42.369598714 -0400
|
||||||
@@ -0,0 +1,40 @@
|
@@ -0,0 +1,40 @@
|
||||||
+# Copyright (C) 2007 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -12139,7 +12142,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py
|
|||||||
+## DESCRIPTION
|
+## DESCRIPTION
|
||||||
+## </p>
|
+## </p>
|
||||||
+## </desc>
|
+## </desc>
|
||||||
+gen_tunable(BOOLEAN,false)
|
+gen_tunable(BOOLEAN, false)
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_rules="""
|
+te_rules="""
|
||||||
@ -12150,11 +12153,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py
|
|||||||
+')
|
+')
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py policycoreutils-2.0.85/gui/templates/etc_rw.py
|
diff -up policycoreutils-2.0.86/gui/templates/etc_rw.py.gui policycoreutils-2.0.86/gui/templates/etc_rw.py
|
||||||
--- nsapolicycoreutils/gui/templates/etc_rw.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/etc_rw.py.gui 2011-04-12 10:52:07.546644829 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/etc_rw.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/etc_rw.py 2011-05-23 16:59:53.369684469 -0400
|
||||||
@@ -0,0 +1,113 @@
|
@@ -0,0 +1,112 @@
|
||||||
+# Copyright (C) 2007 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -12224,15 +12227,14 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py
|
|||||||
+ type TEMPLATETYPE_etc_rw_t;
|
+ type TEMPLATETYPE_etc_rw_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 TEMPLATETYPE_etc_rw_t:file r_file_perms;
|
+ allow $1 TEMPLATETYPE_etc_rw_t:file read_file_perms;
|
||||||
+ allow $1 TEMPLATETYPE_etc_rw_t:dir list_dir_perms;
|
+ allow $1 TEMPLATETYPE_etc_rw_t:dir list_dir_perms;
|
||||||
+ files_search_etc($1)
|
+ files_search_etc($1)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Create, read, write, and delete
|
+## Manage TEMPLATETYPE conf files.
|
||||||
+## TEMPLATETYPE conf files.
|
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -12267,11 +12269,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py
|
|||||||
+fc_dir="""\
|
+fc_dir="""\
|
||||||
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0)
|
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0)
|
||||||
+"""
|
+"""
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.85/gui/templates/executable.py
|
diff -up policycoreutils-2.0.86/gui/templates/executable.py.gui policycoreutils-2.0.86/gui/templates/executable.py
|
||||||
--- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/executable.py.gui 2011-04-12 10:52:07.548644859 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/executable.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/executable.py 2011-05-23 17:03:10.575251921 -0400
|
||||||
@@ -0,0 +1,447 @@
|
@@ -0,0 +1,451 @@
|
||||||
+# Copyright (C) 2007-2009 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -12294,7 +12296,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+#
|
+#
|
||||||
+########################### Type Enforcement File #############################
|
+########################### Type Enforcement File #############################
|
||||||
+te_daemon_types="""\
|
+te_daemon_types="""\
|
||||||
+policy_module(TEMPLATETYPE,1.0.0)
|
+policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -12314,7 +12316,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_dbusd_types="""\
|
+te_dbusd_types="""\
|
||||||
+policy_module(TEMPLATETYPE,1.0.0)
|
+policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -12329,7 +12331,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_inetd_types="""\
|
+te_inetd_types="""\
|
||||||
+policy_module(TEMPLATETYPE,1.0.0)
|
+policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -12344,7 +12346,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_userapp_types="""\
|
+te_userapp_types="""\
|
||||||
+policy_module(TEMPLATETYPE,1.0.0)
|
+policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -12360,7 +12362,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_sandbox_types="""\
|
+te_sandbox_types="""\
|
||||||
+policy_module(TEMPLATETYPE,1.0.0)
|
+policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -12375,7 +12377,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_cgi_types="""\
|
+te_cgi_types="""\
|
||||||
+policy_module(TEMPLATETYPE,1.0.0)
|
+policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -12486,11 +12488,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Execute a domain transition to run TEMPLATETYPE.
|
+## Transition to TEMPLATETYPE.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name=\"domain\">
|
+## <param name=\"domain\">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Domain allowed access.
|
+## Domain allowed to transition.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
@ -12499,6 +12501,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+ type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
|
+ type TEMPLATETYPE_t, TEMPLATETYPE_exec_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
|
+ corecmd_search_bin($1)
|
||||||
+ domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t)
|
+ domtrans_pattern($1, TEMPLATETYPE_exec_t, TEMPLATETYPE_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
@ -12512,7 +12515,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Domain allowed access
|
+## Domain allowed to transition
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+## <param name="role">
|
+## <param name="role">
|
||||||
@ -12568,7 +12571,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Domain allowed access
|
+## Domain allowed to transition.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+## <param name="role">
|
+## <param name="role">
|
||||||
@ -12625,7 +12628,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## The type of the process performing this action.
|
+## Domain allowed access.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
@ -12636,6 +12639,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+
|
+
|
||||||
+ init_labeled_script_domtrans($1, TEMPLATETYPE_initrc_exec_t)
|
+ init_labeled_script_domtrans($1, TEMPLATETYPE_initrc_exec_t)
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+if_dbus_rules="""
|
+if_dbus_rules="""
|
||||||
@ -12659,6 +12663,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+ allow $1 TEMPLATETYPE_t:dbus send_msg;
|
+ allow $1 TEMPLATETYPE_t:dbus send_msg;
|
||||||
+ allow TEMPLATETYPE_t $1:dbus send_msg;
|
+ allow TEMPLATETYPE_t $1:dbus send_msg;
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+if_begin_admin="""
|
+if_begin_admin="""
|
||||||
@ -12702,6 +12707,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+
|
+
|
||||||
+if_end_admin="""
|
+if_end_admin="""
|
||||||
+')
|
+')
|
||||||
|
+
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+########################### File Context ##################################
|
+########################### File Context ##################################
|
||||||
@ -12718,12 +12724,12 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable
|
|||||||
+
|
+
|
||||||
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0)
|
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0)
|
||||||
+"""
|
+"""
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.85/gui/templates/__init__.py
|
diff -up policycoreutils-2.0.86/gui/templates/__init__.py.gui policycoreutils-2.0.86/gui/templates/__init__.py
|
||||||
--- nsapolicycoreutils/gui/templates/__init__.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/__init__.py.gui 2011-04-12 10:52:07.549644874 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/__init__.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/__init__.py 2011-05-23 17:02:40.424008790 -0400
|
||||||
@@ -0,0 +1,18 @@
|
@@ -0,0 +1,18 @@
|
||||||
+#
|
+#
|
||||||
+# Copyright (C) 2007 Red Hat, Inc.
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+#
|
+#
|
||||||
+# This program is free software; you can redistribute it and/or modify
|
+# This program is free software; you can redistribute it and/or modify
|
||||||
+# it under the terms of the GNU General Public License as published by
|
+# it under the terms of the GNU General Public License as published by
|
||||||
@ -12740,10 +12746,32 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.p
|
|||||||
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
|
||||||
+#
|
+#
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.85/gui/templates/network.py
|
diff -up policycoreutils-2.0.86/gui/templates/network.py.gui policycoreutils-2.0.86/gui/templates/network.py
|
||||||
--- nsapolicycoreutils/gui/templates/network.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/network.py.gui 2011-04-12 10:52:07.556644982 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/network.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/network.py 2011-05-23 17:03:09.237241107 -0400
|
||||||
@@ -0,0 +1,80 @@
|
@@ -0,0 +1,102 @@
|
||||||
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
|
+# see file 'COPYING' for use and warranty information
|
||||||
|
+#
|
||||||
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
|
+#
|
||||||
|
+# This program is free software; you can redistribute it and/or
|
||||||
|
+# modify it under the terms of the GNU General Public License as
|
||||||
|
+# published by the Free Software Foundation; either version 2 of
|
||||||
|
+# the License, or (at your option) any later version.
|
||||||
|
+#
|
||||||
|
+# This program is distributed in the hope that it will be useful,
|
||||||
|
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
+# GNU General Public License for more details.
|
||||||
|
+#
|
||||||
|
+# You should have received a copy of the GNU General Public License
|
||||||
|
+# along with this program; if not, write to the Free Software
|
||||||
|
+# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
|
||||||
|
+# 02111-1307 USA
|
||||||
|
+#
|
||||||
|
+#
|
||||||
|
+########################### Type Enforcement File #############################
|
||||||
+te_port_types="""
|
+te_port_types="""
|
||||||
+type TEMPLATETYPE_port_t;
|
+type TEMPLATETYPE_port_t;
|
||||||
+corenet_port(TEMPLATETYPE_port_t)
|
+corenet_port(TEMPLATETYPE_port_t)
|
||||||
@ -12756,13 +12784,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py
|
|||||||
+
|
+
|
||||||
+te_tcp="""\
|
+te_tcp="""\
|
||||||
+allow TEMPLATETYPE_t self:tcp_socket create_stream_socket_perms;
|
+allow TEMPLATETYPE_t self:tcp_socket create_stream_socket_perms;
|
||||||
+corenet_tcp_sendrecv_all_if(TEMPLATETYPE_t)
|
+corenet_tcp_sendrecv_generic_if(TEMPLATETYPE_t)
|
||||||
+corenet_tcp_sendrecv_all_nodes(TEMPLATETYPE_t)
|
+corenet_tcp_sendrecv_generic_node(TEMPLATETYPE_t)
|
||||||
+corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
|
+corenet_tcp_sendrecv_all_ports(TEMPLATETYPE_t)
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_in_tcp="""\
|
+te_in_tcp="""\
|
||||||
+corenet_tcp_bind_all_nodes(TEMPLATETYPE_t)
|
+corenet_tcp_bind_generic_node(TEMPLATETYPE_t)
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_in_need_port_tcp="""\
|
+te_in_need_port_tcp="""\
|
||||||
@ -12775,13 +12803,13 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py
|
|||||||
+
|
+
|
||||||
+te_udp="""\
|
+te_udp="""\
|
||||||
+allow TEMPLATETYPE_t self:udp_socket { create_socket_perms listen };
|
+allow TEMPLATETYPE_t self:udp_socket { create_socket_perms listen };
|
||||||
+corenet_udp_sendrecv_all_if(TEMPLATETYPE_t)
|
+corenet_udp_sendrecv_generic_if(TEMPLATETYPE_t)
|
||||||
+corenet_udp_sendrecv_all_nodes(TEMPLATETYPE_t)
|
+corenet_udp_sendrecv_generic_node(TEMPLATETYPE_t)
|
||||||
+corenet_udp_sendrecv_all_ports(TEMPLATETYPE_t)
|
+corenet_udp_sendrecv_all_ports(TEMPLATETYPE_t)
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_in_udp="""\
|
+te_in_udp="""\
|
||||||
+corenet_udp_bind_all_nodes(TEMPLATETYPE_t)
|
+corenet_udp_bind_generic_node(TEMPLATETYPE_t)
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_in_need_port_udp="""\
|
+te_in_need_port_udp="""\
|
||||||
@ -12824,11 +12852,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py
|
|||||||
+corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t)
|
+corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t)
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.85/gui/templates/rw.py
|
diff -up policycoreutils-2.0.86/gui/templates/rw.py.gui policycoreutils-2.0.86/gui/templates/rw.py
|
||||||
--- nsapolicycoreutils/gui/templates/rw.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/rw.py.gui 2011-04-12 10:52:07.557644997 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/rw.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/rw.py 2011-05-23 16:59:48.308644991 -0400
|
||||||
@@ -0,0 +1,131 @@
|
@@ -0,0 +1,129 @@
|
||||||
+# Copyright (C) 2007 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -12897,15 +12925,14 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli
|
|||||||
+ type TEMPLATETYPE_rw_t;
|
+ type TEMPLATETYPE_rw_t;
|
||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ allow $1 TEMPLATETYPE_rw_t:file r_file_perms;
|
+ allow $1 TEMPLATETYPE_rw_t:file read_file_perms;
|
||||||
+ allow $1 TEMPLATETYPE_rw_t:dir list_dir_perms;
|
+ allow $1 TEMPLATETYPE_rw_t:dir list_dir_perms;
|
||||||
+ files_search_rw($1)
|
+ files_search_rw($1)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Create, read, write, and delete
|
+## Manage TEMPLATETYPE rw files.
|
||||||
+## TEMPLATETYPE rw files.
|
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -12950,7 +12977,6 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli
|
|||||||
+ admin_pattern($1, TEMPLATETYPE_rw_t)
|
+ admin_pattern($1, TEMPLATETYPE_rw_t)
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+
|
|
||||||
+########################### File Context ##################################
|
+########################### File Context ##################################
|
||||||
+fc_file="""
|
+fc_file="""
|
||||||
+FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0)
|
+FILENAME -- gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0)
|
||||||
@ -12959,11 +12985,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py poli
|
|||||||
+fc_dir="""
|
+fc_dir="""
|
||||||
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0)
|
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0)
|
||||||
+"""
|
+"""
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.85/gui/templates/script.py
|
diff -up policycoreutils-2.0.86/gui/templates/script.py.gui policycoreutils-2.0.86/gui/templates/script.py
|
||||||
--- nsapolicycoreutils/gui/templates/script.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/script.py.gui 2011-04-12 10:52:07.558645012 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/script.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/script.py 2011-05-23 17:02:13.796795073 -0400
|
||||||
@@ -0,0 +1,126 @@
|
@@ -0,0 +1,126 @@
|
||||||
+# Copyright (C) 2007 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -13089,11 +13115,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py
|
|||||||
+_EOF
|
+_EOF
|
||||||
+fi
|
+fi
|
||||||
+"""
|
+"""
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.85/gui/templates/semodule.py
|
diff -up policycoreutils-2.0.86/gui/templates/semodule.py.gui policycoreutils-2.0.86/gui/templates/semodule.py
|
||||||
--- nsapolicycoreutils/gui/templates/semodule.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/semodule.py.gui 2011-04-12 10:52:07.560645042 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/semodule.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/semodule.py 2011-05-23 17:02:07.466744404 -0400
|
||||||
@@ -0,0 +1,41 @@
|
@@ -0,0 +1,41 @@
|
||||||
+# Copyright (C) 2007 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -13134,11 +13160,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.p
|
|||||||
+semanage ports -a -t TEMPLATETYPE_port_t -p udp PORTNUM
|
+semanage ports -a -t TEMPLATETYPE_port_t -p udp PORTNUM
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.85/gui/templates/tmp.py
|
diff -up policycoreutils-2.0.86/gui/templates/tmp.py.gui policycoreutils-2.0.86/gui/templates/tmp.py
|
||||||
--- nsapolicycoreutils/gui/templates/tmp.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/tmp.py.gui 2011-04-12 10:52:07.561645058 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/tmp.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/tmp.py 2011-05-23 17:01:55.736650663 -0400
|
||||||
@@ -0,0 +1,102 @@
|
@@ -0,0 +1,102 @@
|
||||||
+# Copyright (C) 2007 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -13194,11 +13220,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Allow domain to read, TEMPLATETYPE tmp files
|
+## Read TEMPLATETYPE tmp files
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Domain to not audit.
|
+## Domain allowed access.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
@ -13213,11 +13239,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Allow domain to manage TEMPLATETYPE tmp files
|
+## Manage TEMPLATETYPE tmp files
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Domain to not audit.
|
+## Domain allowed access.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
@ -13240,11 +13266,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py pol
|
|||||||
+ files_search_tmp($1)
|
+ files_search_tmp($1)
|
||||||
+ admin_pattern($1, TEMPLATETYPE_tmp_t)
|
+ admin_pattern($1, TEMPLATETYPE_tmp_t)
|
||||||
+"""
|
+"""
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.85/gui/templates/user.py
|
diff -up policycoreutils-2.0.86/gui/templates/user.py.gui policycoreutils-2.0.86/gui/templates/user.py
|
||||||
--- nsapolicycoreutils/gui/templates/user.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/user.py.gui 2011-04-12 10:52:07.562645074 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/user.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/user.py 2011-05-23 17:01:46.816579501 -0400
|
||||||
@@ -0,0 +1,205 @@
|
@@ -0,0 +1,204 @@
|
||||||
+# Copyright (C) 2007 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -13268,7 +13294,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
|
|||||||
+########################### Type Enforcement File #############################
|
+########################### Type Enforcement File #############################
|
||||||
+
|
+
|
||||||
+te_login_user_types="""\
|
+te_login_user_types="""\
|
||||||
+policy_module(TEMPLATETYPE,1.0.0)
|
+policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -13279,7 +13305,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
|
|||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_admin_user_types="""\
|
+te_admin_user_types="""\
|
||||||
+policy_module(TEMPLATETYPE,1.0.0)
|
+policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -13290,7 +13316,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
|
|||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_min_login_user_types="""\
|
+te_min_login_user_types="""\
|
||||||
+policy_module(TEMPLATETYPE,1.0.0)
|
+policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -13301,7 +13327,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
|
|||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_x_login_user_types="""\
|
+te_x_login_user_types="""\
|
||||||
+policy_module(TEMPLATETYPE,1.0.0)
|
+policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -13312,7 +13338,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
|
|||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_existing_user_types="""\
|
+te_existing_user_types="""\
|
||||||
+policy_module(myTEMPLATETYPE,1.0.0)
|
+policy_module(myTEMPLATETYPE, 1.0.0)
|
||||||
+
|
+
|
||||||
+gen_require(`
|
+gen_require(`
|
||||||
+ type TEMPLATETYPE_t, TEMPLATETYPE_devpts_t;
|
+ type TEMPLATETYPE_t, TEMPLATETYPE_devpts_t;
|
||||||
@ -13322,8 +13348,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
|
|||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_root_user_types="""\
|
+te_root_user_types="""\
|
||||||
+
|
+policy_module(TEMPLATETYPE, 1.0.0)
|
||||||
+policy_module(TEMPLATETYPE,1.0.0)
|
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+#
|
+#
|
||||||
@ -13449,11 +13474,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py po
|
|||||||
+te_newrole_rules="""
|
+te_newrole_rules="""
|
||||||
+seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r)
|
+seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r)
|
||||||
+"""
|
+"""
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_cache.py policycoreutils-2.0.85/gui/templates/var_cache.py
|
diff -up policycoreutils-2.0.86/gui/templates/var_cache.py.gui policycoreutils-2.0.86/gui/templates/var_cache.py
|
||||||
--- nsapolicycoreutils/gui/templates/var_cache.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/var_cache.py.gui 2011-04-12 10:52:07.566645136 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/var_cache.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/var_cache.py 2011-05-23 17:01:38.793515591 -0400
|
||||||
@@ -0,0 +1,133 @@
|
@@ -0,0 +1,132 @@
|
||||||
+# Copyright (C) 2010 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -13550,8 +13575,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_cache.
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Create, read, write, and delete
|
+## Manage TEMPLATETYPE cache dirs.
|
||||||
+## TEMPLATETYPE cache dirs.
|
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -13586,11 +13610,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_cache.
|
|||||||
+fc_dir="""\
|
+fc_dir="""\
|
||||||
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_cache_t,s0)
|
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_cache_t,s0)
|
||||||
+"""
|
+"""
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.85/gui/templates/var_lib.py
|
diff -up policycoreutils-2.0.86/gui/templates/var_lib.py.gui policycoreutils-2.0.86/gui/templates/var_lib.py
|
||||||
--- nsapolicycoreutils/gui/templates/var_lib.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/var_lib.py.gui 2011-04-12 10:52:07.567645151 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/var_lib.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/var_lib.py 2011-05-23 17:01:31.516457701 -0400
|
||||||
@@ -0,0 +1,161 @@
|
@@ -0,0 +1,160 @@
|
||||||
+# Copyright (C) 2007 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -13621,7 +13645,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py
|
|||||||
+te_rules="""
|
+te_rules="""
|
||||||
+manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
|
+manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
|
||||||
+manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
|
+manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, TEMPLATETYPE_var_lib_t)
|
||||||
+files_var_lib_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, { dir file } )
|
+files_var_lib_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_var_lib_t, { dir file })
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+te_stream_rules="""\
|
+te_stream_rules="""\
|
||||||
@ -13672,8 +13696,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Create, read, write, and delete
|
+## Manage TEMPLATETYPE lib files.
|
||||||
+## TEMPLATETYPE lib files.
|
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -13692,7 +13715,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Manage TEMPLATETYPE lib dirs files.
|
+## Manage TEMPLATETYPE lib directories.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -13751,11 +13774,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py
|
|||||||
+fc_dir="""\
|
+fc_dir="""\
|
||||||
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
|
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
|
||||||
+"""
|
+"""
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.85/gui/templates/var_log.py
|
diff -up policycoreutils-2.0.86/gui/templates/var_log.py.gui policycoreutils-2.0.86/gui/templates/var_log.py
|
||||||
--- nsapolicycoreutils/gui/templates/var_log.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/var_log.py.gui 2011-04-12 10:52:07.568645166 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/var_log.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/var_log.py 2011-05-23 17:01:22.948389639 -0400
|
||||||
@@ -0,0 +1,116 @@
|
@@ -0,0 +1,114 @@
|
||||||
+# Copyright (C) 2007,2010 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -13787,14 +13810,14 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py
|
|||||||
+te_rules="""
|
+te_rules="""
|
||||||
+manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
|
+manage_dirs_pattern(TEMPLATETYPE_t, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
|
||||||
+manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
|
+manage_files_pattern(TEMPLATETYPE_t, TEMPLATETYPE_log_t, TEMPLATETYPE_log_t)
|
||||||
+logging_log_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_log_t, { dir file } )
|
+logging_log_filetrans(TEMPLATETYPE_t, TEMPLATETYPE_log_t, { dir file })
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
+########################### Interface File #############################
|
+########################### Interface File #############################
|
||||||
+if_rules="""
|
+if_rules="""
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Allow the specified domain to read TEMPLATETYPE's log files.
|
+## Read TEMPLATETYPE's log files.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -13814,12 +13837,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Allow the specified domain to append
|
+## Append to TEMPLATETYPE log files.
|
||||||
+## TEMPLATETYPE log files.
|
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Domain allowed to transition.
|
+## Domain allowed access.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
@ -13834,11 +13856,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Allow domain to manage TEMPLATETYPE log files
|
+## Manage TEMPLATETYPE log files
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Domain to not audit.
|
+## Domain allowed access.
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## </param>
|
+## </param>
|
||||||
+#
|
+#
|
||||||
@ -13870,12 +13892,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py
|
|||||||
+fc_dir="""\
|
+fc_dir="""\
|
||||||
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_log_t,s0)
|
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_log_t,s0)
|
||||||
+"""
|
+"""
|
||||||
+
|
diff -up policycoreutils-2.0.86/gui/templates/var_run.py.gui policycoreutils-2.0.86/gui/templates/var_run.py
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.85/gui/templates/var_run.py
|
--- policycoreutils-2.0.86/gui/templates/var_run.py.gui 2011-04-12 10:52:07.569645181 -0400
|
||||||
--- nsapolicycoreutils/gui/templates/var_run.py 1969-12-31 19:00:00.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/var_run.py 2011-05-23 17:01:11.639299961 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/var_run.py 2011-01-21 09:25:41.000000000 -0500
|
|
||||||
@@ -0,0 +1,101 @@
|
@@ -0,0 +1,101 @@
|
||||||
+# Copyright (C) 2007,2010 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -13953,7 +13974,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ files_search_pids($1)
|
+ files_search_pids($1)
|
||||||
+ stream_connect_pattern($1, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t)
|
+ stream_connect_pattern($1, TEMPLATETYPE_var_run_t, TEMPLATETYPE_var_run_t, TEMPLATETYPE_t)
|
||||||
+')
|
+')
|
||||||
+"""
|
+"""
|
||||||
+
|
+
|
||||||
@ -13976,11 +13997,11 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py
|
|||||||
+fc_dir="""\
|
+fc_dir="""\
|
||||||
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
|
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
|
||||||
+"""
|
+"""
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.85/gui/templates/var_spool.py
|
diff -up policycoreutils-2.0.86/gui/templates/var_spool.py.gui policycoreutils-2.0.86/gui/templates/var_spool.py
|
||||||
--- nsapolicycoreutils/gui/templates/var_spool.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/templates/var_spool.py.gui 2011-04-12 10:52:07.573645242 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/templates/var_spool.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/templates/var_spool.py 2011-05-25 16:09:23.350352658 -0400
|
||||||
@@ -0,0 +1,133 @@
|
@@ -0,0 +1,131 @@
|
||||||
+# Copyright (C) 2007 Red Hat
|
+# Copyright (C) 2007-2011 Red Hat
|
||||||
+# see file 'COPYING' for use and warranty information
|
+# see file 'COPYING' for use and warranty information
|
||||||
+#
|
+#
|
||||||
+# policygentool is a tool for the initial generation of SELinux policy
|
+# policygentool is a tool for the initial generation of SELinux policy
|
||||||
@ -14052,13 +14073,12 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.
|
|||||||
+ ')
|
+ ')
|
||||||
+
|
+
|
||||||
+ files_search_spool($1)
|
+ files_search_spool($1)
|
||||||
+ read_files_pattern($1, TEMPLATETYPE_spool_t TEMPLATETYPE_spool_t)
|
+ read_files_pattern($1, TEMPLATETYPE_spool_t, TEMPLATETYPE_spool_t)
|
||||||
+')
|
+')
|
||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Create, read, write, and delete
|
+## Manage TEMPLATETYPE spool files.
|
||||||
+## TEMPLATETYPE spool files.
|
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -14077,8 +14097,7 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.
|
|||||||
+
|
+
|
||||||
+########################################
|
+########################################
|
||||||
+## <summary>
|
+## <summary>
|
||||||
+## Create, read, write, and delete
|
+## Manage TEMPLATETYPE spool dirs.
|
||||||
+## TEMPLATETYPE spool dirs.
|
|
||||||
+## </summary>
|
+## </summary>
|
||||||
+## <param name="domain">
|
+## <param name="domain">
|
||||||
+## <summary>
|
+## <summary>
|
||||||
@ -14113,9 +14132,9 @@ diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.
|
|||||||
+fc_dir="""\
|
+fc_dir="""\
|
||||||
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_spool_t,s0)
|
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_spool_t,s0)
|
||||||
+"""
|
+"""
|
||||||
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/usersPage.py policycoreutils-2.0.85/gui/usersPage.py
|
diff -up policycoreutils-2.0.86/gui/usersPage.py.gui policycoreutils-2.0.86/gui/usersPage.py
|
||||||
--- nsapolicycoreutils/gui/usersPage.py 1969-12-31 19:00:00.000000000 -0500
|
--- policycoreutils-2.0.86/gui/usersPage.py.gui 2011-04-12 10:52:07.578645320 -0400
|
||||||
+++ policycoreutils-2.0.85/gui/usersPage.py 2011-01-21 09:25:41.000000000 -0500
|
+++ policycoreutils-2.0.86/gui/usersPage.py 2011-04-12 10:52:07.578645320 -0400
|
||||||
@@ -0,0 +1,150 @@
|
@@ -0,0 +1,150 @@
|
||||||
+## usersPage.py - show selinux mappings
|
+## usersPage.py - show selinux mappings
|
||||||
+## Copyright (C) 2006,2007,2008 Red Hat, Inc.
|
+## Copyright (C) 2006,2007,2008 Red Hat, Inc.
|
||||||
|
954
policycoreutils-sandbox.patch
Normal file
@ -0,0 +1,954 @@
|
|||||||
|
diff -up policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox policycoreutils-2.0.86/restorecond/restorecond_user.conf
|
||||||
|
--- policycoreutils-2.0.86/restorecond/restorecond_user.conf.sandbox 2011-06-13 13:47:06.000000000 -0400
|
||||||
|
+++ policycoreutils-2.0.86/restorecond/restorecond_user.conf 2011-06-13 13:47:27.000000000 -0400
|
||||||
|
@@ -4,4 +4,4 @@
|
||||||
|
~/local/*
|
||||||
|
~/.fonts/*
|
||||||
|
~/.cache/*
|
||||||
|
-
|
||||||
|
+~/.config/*
|
||||||
|
diff -up policycoreutils-2.0.86/sandbox/sandbox.8.sandbox policycoreutils-2.0.86/sandbox/sandbox.8
|
||||||
|
--- policycoreutils-2.0.86/sandbox/sandbox.8.sandbox 2011-07-07 14:42:18.000000000 -0400
|
||||||
|
+++ policycoreutils-2.0.86/sandbox/sandbox.8 2012-01-03 11:09:22.391519370 -0500
|
||||||
|
@@ -3,11 +3,11 @@
|
||||||
|
sandbox \- Run cmd under an SELinux sandbox
|
||||||
|
.SH SYNOPSIS
|
||||||
|
.B sandbox
|
||||||
|
-[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
|
||||||
|
+[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
|
||||||
|
|
||||||
|
.br
|
||||||
|
.B sandbox
|
||||||
|
-[-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
|
||||||
|
+[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
|
||||||
|
.br
|
||||||
|
.SH DESCRIPTION
|
||||||
|
.PP
|
||||||
|
@@ -49,7 +49,7 @@ Use alternate tempory directory to mount
|
||||||
|
Run a full desktop session, Requires level, and home and tmpdir.
|
||||||
|
.TP
|
||||||
|
\fB\-w windowsize\fR
|
||||||
|
-Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700.
|
||||||
|
+Specifies the windowsize when creating an X based Sandbox. The default windowsize is 1000x700.
|
||||||
|
.TP
|
||||||
|
\fB\-W windowmanager\fR
|
||||||
|
Select alternative window manager to run within
|
||||||
|
@@ -60,8 +60,14 @@ Default to /usr/bin/matchbox-window-mana
|
||||||
|
Create an X based Sandbox for gui apps, temporary files for
|
||||||
|
$HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
|
||||||
|
.TP
|
||||||
|
-\fB\-C\fR
|
||||||
|
+\fB\-d\fR
|
||||||
|
+Set the DPI value for the sanbox X Server. Defaults to the current X Sever DPI.
|
||||||
|
+.TP
|
||||||
|
+\fB\-c\fR
|
||||||
|
Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
|
||||||
|
+.TP
|
||||||
|
+\fB\-C\fR
|
||||||
|
+Use capabilities within the sandbox. By default applications executed within the sandbox will not be allowed to use capabilities (setuid apps), with the -C flag, you can use programs requiring capabilities.
|
||||||
|
.PP
|
||||||
|
.SH "SEE ALSO"
|
||||||
|
.TP
|
||||||
|
@@ -69,7 +75,7 @@ runcon(1), seunshare(8), selinux(8)
|
||||||
|
.PP
|
||||||
|
|
||||||
|
.SH AUTHOR
|
||||||
|
-This manual page was written by
|
||||||
|
+This manual page was written by
|
||||||
|
.I Dan Walsh <dwalsh@redhat.com>
|
||||||
|
and
|
||||||
|
.I Thomas Liu <tliu@fedoraproject.org>
|
||||||
|
diff -up policycoreutils-2.0.86/sandbox/sandbox.sandbox policycoreutils-2.0.86/sandbox/sandbox
|
||||||
|
--- policycoreutils-2.0.86/sandbox/sandbox.sandbox 2011-06-13 13:44:44.000000000 -0400
|
||||||
|
+++ policycoreutils-2.0.86/sandbox/sandbox 2012-01-03 11:08:43.619495043 -0500
|
||||||
|
@@ -25,7 +25,7 @@ import selinux
|
||||||
|
import signal
|
||||||
|
from tempfile import mkdtemp
|
||||||
|
import pwd
|
||||||
|
-import commands
|
||||||
|
+import commands
|
||||||
|
import setools
|
||||||
|
|
||||||
|
PROGNAME = "policycoreutils"
|
||||||
|
@@ -88,9 +88,7 @@ def copyfile(file, srcdir, dest):
|
||||||
|
|
||||||
|
except shutil.Error, elist:
|
||||||
|
for e in elist.message:
|
||||||
|
- # ignore files that are missing
|
||||||
|
- if not e[2].startswith("[Errno 2]"):
|
||||||
|
- sys.stderr.write(e[2])
|
||||||
|
+ sys.stderr.write(e[2])
|
||||||
|
|
||||||
|
SAVE_FILES[file] = (dest, os.path.getmtime(dest))
|
||||||
|
|
||||||
|
@@ -120,10 +118,30 @@ def reserve(level):
|
||||||
|
sock.bind("\0%s" % level)
|
||||||
|
fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
|
||||||
|
|
||||||
|
+def get_range():
|
||||||
|
+ try:
|
||||||
|
+ level =selinux.getcon_raw()[1].split(":")[4]
|
||||||
|
+ lowc,highc = level.split(".")
|
||||||
|
+ low = int(lowc[1:])
|
||||||
|
+ high = int(highc[1:])+1
|
||||||
|
+ if high - low == 0:
|
||||||
|
+ raise IndexError
|
||||||
|
+
|
||||||
|
+ return low,high
|
||||||
|
+ except IndexError:
|
||||||
|
+ raise ValueError(_("User account must be setup with an MCS Range"))
|
||||||
|
+
|
||||||
|
def gen_mcs():
|
||||||
|
- while True:
|
||||||
|
- i1 = random.randrange(0, 1024)
|
||||||
|
- i2 = random.randrange(0, 1024)
|
||||||
|
+ low, high = get_range()
|
||||||
|
+
|
||||||
|
+ level = None
|
||||||
|
+ ctr = 0
|
||||||
|
+ total = high-low
|
||||||
|
+ total = (total * (total - 1))/2
|
||||||
|
+ while ctr < total:
|
||||||
|
+ ctr += 1
|
||||||
|
+ i1 = random.randrange(low, high)
|
||||||
|
+ i2 = random.randrange(low, high)
|
||||||
|
if i1 == i2:
|
||||||
|
continue
|
||||||
|
if i1 > i2:
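Review bot: get_range() only catches IndexError, but a context whose range has no dotted category span (a single category such as `c0`, or the comma form `c0,c5`) makes `lowc,highc = level.split(".")` fail with ValueError, which escapes as an unpacking traceback instead of the intended "must be setup with an MCS Range" message; change the clause to `except (IndexError, ValueError):`. In gen_mcs the bound `total = n*(n-1)/2` counts attempts rather than distinct pairs, because each draw is independent and nothing records which pairs were already tried, so the new "Failed to find any unused category sets" error can fire while unused pairs remain; worth a comment such as `# random sampling without memory: may give up before every pair has been tried`. gen_mcs continues in the next hunk (the i1>i2 swap, the reserve() attempt and the break), which is where that bound ends up mattering.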
|
||||||
|
@@ -136,7 +154,10 @@ def gen_mcs():
|
||||||
|
except socket.error:
|
||||||
|
continue
|
||||||
|
break
|
||||||
|
- return level
|
||||||
|
+ if level:
|
||||||
|
+ return level
|
||||||
|
+ raise ValueError(_("Failed to find any unused category sets. Consider a larger MCS range for this user."))
|
||||||
|
+
|
||||||
|
|
||||||
|
def fullpath(cmd):
|
||||||
|
for i in [ "/", "./", "../" ]:
|
||||||
|
@@ -170,7 +191,7 @@ class Sandbox:
|
||||||
|
|
||||||
|
if not os.path.exists(SEUNSHARE):
|
||||||
|
raise ValueError(_("""
|
||||||
|
-%s is required for the action you want to perform.
|
||||||
|
+%s is required for the action you want to perform.
|
||||||
|
""") % SEUNSHARE)
|
||||||
|
|
||||||
|
def __mount_callback(self, option, opt, value, parser):
|
||||||
|
@@ -181,12 +202,12 @@ class Sandbox:
|
||||||
|
setattr(parser.values, option.dest, True)
|
||||||
|
if not os.path.exists(SEUNSHARE):
|
||||||
|
raise ValueError(_("""
|
||||||
|
-%s is required for the action you want to perform.
|
||||||
|
+%s is required for the action you want to perform.
|
||||||
|
""") % SEUNSHARE)
|
||||||
|
|
||||||
|
if not os.path.exists(SANDBOXSH):
|
||||||
|
raise ValueError(_("""
|
||||||
|
-%s is required for the action you want to perform.
|
||||||
|
+%s is required for the action you want to perform.
|
||||||
|
""") % SANDBOXSH)
|
||||||
|
|
||||||
|
def __validdir(self, option, opt, value, parser):
|
||||||
|
@@ -246,26 +267,25 @@ kill -TERM $WM_PID 2> /dev/null
|
||||||
|
|
||||||
|
def usage(self, message = ""):
|
||||||
|
error_exit("%s\n%s" % (self.__parser.usage, message))
|
||||||
|
-
|
||||||
|
+
|
||||||
|
def __parse_options(self):
|
||||||
|
from optparse import OptionParser
|
||||||
|
types = ""
|
||||||
|
try:
|
||||||
|
types = _("""
|
||||||
|
-Policy defines the following types for use with the -t:
|
||||||
|
+Policy defines the following types for use with the -t:
|
||||||
|
\t%s
|
||||||
|
""") % "\n\t".join(setools.seinfo(setools.ATTRIBUTE, "sandbox_type")[0]['types'])
|
||||||
|
except RuntimeError:
|
||||||
|
pass
|
||||||
|
|
||||||
|
usage = _("""
|
||||||
|
-sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command
|
||||||
|
+sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] command
|
||||||
|
|
||||||
|
-sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] -S
|
||||||
|
+sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-W windowmanager ] [ -w windowsize ] [[-i file ] ...] [ -t type ] -S
|
||||||
|
%s
|
||||||
|
""") % types
|
||||||
|
|
||||||
|
-
|
||||||
|
parser = OptionParser(version=self.VERSION, usage=usage)
|
||||||
|
parser.disable_interspersed_args()
|
||||||
|
parser.add_option("-i", "--include",
|
||||||
|
@@ -281,6 +301,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
|
||||||
|
action="callback", callback=self.__mount_callback,
|
||||||
|
help=_("mount new home and/or tmp directory"))
|
||||||
|
|
||||||
|
+ parser.add_option("-d", "--dpi",
|
||||||
|
+ dest="dpi", action="store",
|
||||||
|
+ help=_("dots per inch for X display"))
|
||||||
|
+
|
||||||
|
parser.add_option("-S", "--session", action="store_true", dest="session",
|
||||||
|
default=False, help=_("run complete desktop session within sandbox"))
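Review bot: The new `-d/--dpi` option is stored as a free-form string with no validation, and the later __execute hunk appends it verbatim after `--`, where sandboxX.sh expands it unquoted as `-dpi $DPI` on the Xephyr command line, so a value like `96 -listen tcp` silently becomes extra X server options. This is the invoking user's own command line rather than a privilege boundary, but it is an easy footgun; declare the option as an integer, `parser.add_option("-d", "--dpi", dest="dpi", type="int", help=_("dots per inch for X display"))`, and wrap it with `str()` where it is consumed. __parse_options starts before and continues after this hunk.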
|
||||||
|
|
||||||
|
@@ -291,17 +315,17 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
|
||||||
|
parser.add_option("-H", "--homedir",
|
||||||
|
action="callback", callback=self.__validdir,
|
||||||
|
type="string",
|
||||||
|
- dest="homedir",
|
||||||
|
+ dest="homedir",
|
||||||
|
help=_("alternate home directory to use for mounting"))
|
||||||
|
|
||||||
|
- parser.add_option("-T", "--tmpdir", dest="tmpdir",
|
||||||
|
+ parser.add_option("-T", "--tmpdir", dest="tmpdir",
|
||||||
|
type="string",
|
||||||
|
action="callback", callback=self.__validdir,
|
||||||
|
help=_("alternate /tmp directory to use for mounting"))
|
||||||
|
|
||||||
|
parser.add_option("-w", "--windowsize", dest="windowsize",
|
||||||
|
type="string", default=DEFAULT_WINDOWSIZE,
|
||||||
|
- help="size of the sandbox window")
|
||||||
|
+ help="size of the sandbox window")
|
||||||
|
|
||||||
|
parser.add_option("-W", "--windowmanager", dest="wm",
|
||||||
|
type="string",
|
||||||
|
@@ -311,9 +335,13 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
|
||||||
|
parser.add_option("-l", "--level", dest="level",
|
||||||
|
help=_("MCS/MLS level for the sandbox"))
|
||||||
|
|
||||||
|
- parser.add_option("-C", "--cgroups",
|
||||||
|
- action="store_true", dest="usecgroup", default=False,
|
||||||
|
- help="Use cgroups to limit this sandbox.")
|
||||||
|
+ parser.add_option("-c", "--cgroups",
|
||||||
|
+ action="store_true", dest="usecgroup", default=False,
|
||||||
|
+ help=_("Use cgroups to limit this sandbox."))
|
||||||
|
+
|
||||||
|
+ parser.add_option("-C", "--capabilities",
|
||||||
|
+ action="store_true", dest="usecaps", default=False,
|
||||||
|
+ help="Allow apps requiring capabilities to run within the sandbox.")
|
||||||
|
|
||||||
|
self.__parser=parser
|
||||||
|
|
||||||
|
@@ -366,8 +394,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
|
||||||
|
|
||||||
|
con = selinux.getcon()[1].split(":")
|
||||||
|
self.__execcon = "%s:%s:%s:%s" % (con[0], con[1], self.setype, level)
|
||||||
|
- self.__filecon = "%s:%s:%s:%s" % (con[0], "object_r",
|
||||||
|
- "%s_file_t" % self.setype[:-2],
|
||||||
|
+ self.__filecon = "%s:%s:%s:%s" % (con[0], "object_r",
|
||||||
|
+ "%s_file_t" % self.setype[:-2],
|
||||||
|
level)
|
||||||
|
def __setup_dir(self):
|
||||||
|
if self.__options.level or self.__options.session:
|
||||||
|
@@ -392,12 +420,20 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
|
||||||
|
def __execute(self):
|
||||||
|
try:
|
||||||
|
cmds = [ SEUNSHARE, "-Z", self.__execcon ]
|
||||||
|
- if self.__options.usecgroup == True:
|
||||||
|
+ if self.__options.usecgroup:
|
||||||
|
cmds.append('-c')
|
||||||
|
+ if self.__options.usecaps:
|
||||||
|
+ cmds.append('-C')
|
||||||
|
if self.__mount:
|
||||||
|
cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ]
|
||||||
|
|
||||||
|
if self.__options.X_ind:
|
||||||
|
+ if self.__options.dpi:
|
||||||
|
+ dpi = self.__options.dpi
|
||||||
|
+ else:
|
||||||
|
+ import gtk
|
||||||
|
+ dpi = str(gtk.settings_get_default().props.gtk_xft_dpi/1024)
|
||||||
|
+
|
||||||
|
xmodmapfile = self.__homedir + "/.xmodmap"
|
||||||
|
xd = open(xmodmapfile,"w")
|
||||||
|
subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait()
|
||||||
|
@@ -405,7 +441,7 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
|
||||||
|
|
||||||
|
self.__setup_sandboxrc(self.__options.wm)
|
||||||
|
|
||||||
|
- cmds += [ "--", SANDBOXSH, self.__options.windowsize ]
|
||||||
|
+ cmds += [ "--", SANDBOXSH, self.__options.windowsize, dpi ]
|
||||||
|
else:
|
||||||
|
cmds += [ "--" ] + self.__paths
|
||||||
|
return subprocess.Popen(cmds).wait()
|
||||||
|
diff -up policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox policycoreutils-2.0.86/sandbox/sandboxX.sh
|
||||||
|
--- policycoreutils-2.0.86/sandbox/sandboxX.sh.sandbox 2011-06-13 13:44:44.000000000 -0400
|
||||||
|
+++ policycoreutils-2.0.86/sandbox/sandboxX.sh 2012-01-03 11:10:04.985546365 -0500
|
||||||
|
@@ -1,10 +1,12 @@
|
||||||
|
-#!/bin/bash
|
||||||
|
-context=`id -Z | secon -t `
|
||||||
|
-export TITLE="`grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80` ($context)"
|
||||||
|
-[ $# -eq 1 ] && export SCREENSIZE="$1" || export SCREENSIZE="1000x700"
|
||||||
|
+#!/bin/bash
|
||||||
|
+trap "" TERM
|
||||||
|
+context=`id -Z | secon -t -l -P`
|
||||||
|
+export TITLE="Sandbox $context -- `grep ^#TITLE: ~/.sandboxrc | /usr/bin/cut -b8-80`"
|
||||||
|
+[ -z $1 ] && export SCREENSIZE="1000x700" || export SCREENSIZE="$1"
|
||||||
|
+[ -z $2 ] && export DPI="96" || export DPI="$2"
|
||||||
|
trap "exit 0" HUP
|
||||||
|
|
||||||
|
-(/usr/bin/Xephyr -nolisten tcp -title "$TITLE" -terminate -screen $SCREENSIZE -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
||||||
|
+(/usr/bin/Xephyr -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -displayfd 5 5>&1 2>/dev/null) | while read D; do
|
||||||
|
export DISPLAY=:$D
|
||||||
|
cat > ~/seremote << __EOF
|
||||||
|
#!/bin/sh
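Review bot: The rewritten Xephyr line drops the `-nolisten tcp` that the old line carried, so whether the nested X server opens a TCP listener now depends on the Xephyr build default rather than on this script; an X server reachable over the network lets anyone who can connect read the sandboxed display and inject input, which undoes the point of the sandbox. Restore the flag: `(/usr/bin/Xephyr -nolisten tcp -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -displayfd 5 5>&1 2>/dev/null) | while read D; do`. The two new argument checks also test `$1` and `$2` unquoted, which misparses an empty or space-containing argument; write `[ -z "$1" ]` and `[ -z "$2" ]`. The while loop this line opens continues in the next hunk.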
|
||||||
|
@@ -13,7 +15,7 @@ __EOF
|
||||||
|
chmod +x ~/seremote
|
||||||
|
/usr/share/sandbox/start $HOME/.sandboxrc
|
||||||
|
export EXITCODE=$?
|
||||||
|
- kill -HUP 0
|
||||||
|
+ kill -TERM 0
|
||||||
|
break
|
||||||
|
done
|
||||||
|
exit 0
|
||||||
|
diff -up policycoreutils-2.0.86/sandbox/seunshare.8.sandbox policycoreutils-2.0.86/sandbox/seunshare.8
|
||||||
|
--- policycoreutils-2.0.86/sandbox/seunshare.8.sandbox 2011-07-07 14:41:16.000000000 -0400
|
||||||
|
+++ policycoreutils-2.0.86/sandbox/seunshare.8 2012-01-03 11:10:36.498566587 -0500
|
||||||
|
@@ -3,11 +3,11 @@
|
||||||
|
seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
|
||||||
|
.SH SYNOPSIS
|
||||||
|
.B seunshare
|
||||||
|
-[ -v ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
|
||||||
|
+[ -v ] [ -c ] [ -C ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
|
||||||
|
.br
|
||||||
|
.SH DESCRIPTION
|
||||||
|
.PP
|
||||||
|
-Run the
|
||||||
|
+Run the
|
||||||
|
.I executable
|
||||||
|
within the specified context, using the alternate home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
|
||||||
|
|
||||||
|
@@ -18,9 +18,15 @@ Alternate homedir to be used by the appl
|
||||||
|
\fB\-t\ tmpdir
|
||||||
|
Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user.
|
||||||
|
.TP
|
||||||
|
-\fB\-c cgroups\fR
|
||||||
|
+\fB\-c --cgroups\fR
|
||||||
|
Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
|
||||||
|
.TP
|
||||||
|
+\fB\-C --capabilities\fR
|
||||||
|
+Allow apps executed within the namespace to use capabilities. Default is no capabilities.
|
||||||
|
+.TP
|
||||||
|
+\fB\-k --kill\fR
|
||||||
|
+Kill all processes with matching MCS level.
|
||||||
|
+.TP
|
||||||
|
\fB\-Z\ context
|
||||||
|
Use alternate SELinux context while runing the executable.
|
||||||
|
.TP
|
||||||
|
@@ -28,10 +34,10 @@ Use alternate SELinux context while runi
|
||||||
|
Verbose output
|
||||||
|
.SH "SEE ALSO"
|
||||||
|
.TP
|
||||||
|
-runcon(1), sandbox(8), selinux(8)
|
||||||
|
+runcon(1), sandbox(8), selinux(8)
|
||||||
|
.PP
|
||||||
|
.SH AUTHOR
|
||||||
|
-This manual page was written by
|
||||||
|
+This manual page was written by
|
||||||
|
.I Dan Walsh <dwalsh@redhat.com>
|
||||||
|
and
|
||||||
|
.I Thomas Liu <tliu@fedoraproject.org>
|
||||||
|
diff -up policycoreutils-2.0.86/sandbox/seunshare.c.sandbox policycoreutils-2.0.86/sandbox/seunshare.c
|
||||||
|
--- policycoreutils-2.0.86/sandbox/seunshare.c.sandbox 2011-06-13 13:44:44.000000000 -0400
|
||||||
|
+++ policycoreutils-2.0.86/sandbox/seunshare.c 2012-01-03 11:08:59.081504712 -0500
|
||||||
|
@@ -5,8 +5,9 @@
|
||||||
|
|
||||||
|
#define _GNU_SOURCE
|
||||||
|
#include <signal.h>
|
||||||
|
-#include <sys/types.h>
|
||||||
|
+#include <sys/fsuid.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
+#include <sys/types.h>
|
||||||
|
#include <sys/wait.h>
|
||||||
|
#include <syslog.h>
|
||||||
|
#include <sys/mount.h>
|
||||||
|
@@ -18,7 +19,6 @@
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <regex.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
-#include <sys/fsuid.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <cap-ng.h>
|
||||||
|
#include <getopt.h> /* for getopt_long() form of getopt() */
|
||||||
|
@@ -29,6 +29,7 @@
|
||||||
|
|
||||||
|
#include <selinux/selinux.h>
|
||||||
|
#include <selinux/context.h> /* for context-mangling functions */
|
||||||
|
+#include <dirent.h>
|
||||||
|
|
||||||
|
#ifdef USE_NLS
|
||||||
|
#include <locale.h> /* for setlocale() */
|
||||||
|
@@ -42,8 +43,8 @@
|
||||||
|
#define MS_REC 1<<14
|
||||||
|
#endif
|
||||||
|
|
||||||
|
-#ifndef MS_PRIVATE
|
||||||
|
-#define MS_PRIVATE 1<<18
|
||||||
|
+#ifndef MS_SLAVE
|
||||||
|
+#define MS_SLAVE 1<<19
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifndef PACKAGE
|
||||||
|
@@ -52,21 +53,22 @@
|
||||||
|
|
||||||
|
#define BUF_SIZE 1024
|
||||||
|
#define DEFAULT_PATH "/usr/bin:/bin"
|
||||||
|
-
|
||||||
|
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] -t tmpdir -h homedir [-Z context] -- executable [args]")
|
||||||
|
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -C ] [ -c ] [ -k ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ")
|
||||||
|
|
||||||
|
static int verbose = 0;
|
||||||
|
+static int child = 0;
|
||||||
|
|
||||||
|
+static capng_select_t cap_set = CAPNG_SELECT_BOTH;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This function will drop all capabilities.
|
||||||
|
*/
|
||||||
|
static int drop_caps()
|
||||||
|
{
|
||||||
|
- if (capng_have_capabilities(CAPNG_SELECT_BOTH) == CAPNG_NONE)
|
||||||
|
+ if (capng_have_capabilities(cap_set) == CAPNG_NONE)
|
||||||
|
return 0;
|
||||||
|
- capng_clear(CAPNG_SELECT_BOTH);
|
||||||
|
- if (capng_lock() == -1 || capng_apply(CAPNG_SELECT_BOTH) == -1) {
|
||||||
|
+ capng_clear(cap_set);
|
||||||
|
+ if (capng_lock() == -1 || capng_apply(cap_set) == -1) {
|
||||||
|
fprintf(stderr, _("Failed to drop all capabilities\n"));
|
||||||
|
return -1;
|
||||||
|
}
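Review bot: `cap_set` is now a mutable file-scope variable that drop_caps() clears and applies, and the new `-C` usage entry implies some option handling (outside this excerpt) changes it so that the sandboxed program can keep or regain privileges; that is exactly the knob a reviewer of a privilege-dropping helper wants spelled out, yet the definition has no comment. Document it at the declaration, e.g. `/* Capability sets drop_caps() clears before exec; the default CAPNG_SELECT_BOTH also empties the bounding set so nothing in the sandbox can regain privilege. -C relaxes this so setuid programs can run inside. */`. Note that `capng_lock()` is still called unconditionally after the clear, so whoever wires `-C` should confirm that combination actually permits the setuid use the man page promises; the code that assigns `cap_set` is not in this hunk.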
|
||||||
|
@@ -86,6 +88,13 @@ static int drop_privs(uid_t uid)
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
+ * If the user sends a siginto to seunshare, kill the child's session
|
||||||
|
+ */
|
||||||
|
+void handler(int sig) {
|
||||||
|
+ if (child > 0) kill(-child,sig);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+/**
|
||||||
|
* Take care of any signal setup.
|
||||||
|
*/
|
||||||
|
static int set_signal_handles(void)
|
||||||
|
@@ -101,11 +110,16 @@ static int set_signal_handles(void)
|
||||||
|
(void)sigprocmask(SIG_SETMASK, &empty, NULL);
|
||||||
|
|
||||||
|
/* Terminate on SIGHUP */
|
||||||
|
- if (signal(SIGHUP, SIG_IGN) == SIG_ERR) {
|
||||||
|
+ if (signal(SIGHUP, SIG_DFL) == SIG_ERR) {
|
||||||
|
perror("Unable to set SIGHUP handler");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (signal(SIGINT, handler) == SIG_ERR) {
|
||||||
|
+ perror("Unable to set SIGINT handler");
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -192,7 +206,7 @@ static int verify_directory(const char *
|
||||||
|
struct stat sb;
|
||||||
|
|
||||||
|
if (st_out == NULL) st_out = &sb;
|
||||||
|
-
|
||||||
|
+
|
||||||
|
if (lstat(dir, st_out) == -1) {
|
||||||
|
fprintf(stderr, _("Failed to stat %s: %s\n"), dir, strerror(errno));
|
||||||
|
return -1;
|
||||||
|
@@ -241,7 +255,7 @@ static int verify_shell(const char *shel
|
||||||
|
*/
|
||||||
|
static int seunshare_mount(const char *src, const char *dst, struct stat *src_st)
|
||||||
|
{
|
||||||
|
- int flags = MS_REC;
|
||||||
|
+ int flags = 0;
|
||||||
|
int is_tmp = 0;
|
||||||
|
|
||||||
|
if (verbose)
|
||||||
|
@@ -253,14 +267,6 @@ static int seunshare_mount(const char *s
|
||||||
|
}
|
||||||
|
|
||||||
|
/* mount directory */
|
||||||
|
- if (mount(dst, dst, NULL, MS_BIND | flags, NULL) < 0) {
|
||||||
|
- fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst, strerror(errno));
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
- if (mount(dst, dst, NULL, MS_PRIVATE | flags, NULL) < 0) {
|
||||||
|
- fprintf(stderr, _("Failed to make %s private: %s\n"), dst, strerror(errno));
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
|
||||||
|
fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
|
||||||
|
return -1;
|
||||||
|
@@ -274,14 +280,6 @@ static int seunshare_mount(const char *s
|
||||||
|
if (verbose)
|
||||||
|
printf(_("Mounting /tmp on /var/tmp\n"));
|
||||||
|
|
||||||
|
- if (mount("/var/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) {
|
||||||
|
- fprintf(stderr, _("Failed to mount /var/tmp on /var/tmp: %s\n"), strerror(errno));
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
- if (mount("/var/tmp", "/var/tmp", NULL, MS_PRIVATE | flags, NULL) < 0) {
|
||||||
|
- fprintf(stderr, _("Failed to make /var/tmp private: %s\n"), strerror(errno));
|
||||||
|
- return -1;
|
||||||
|
- }
|
||||||
|
if (mount("/tmp", "/var/tmp", NULL, MS_BIND | flags, NULL) < 0) {
|
||||||
|
fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno));
|
||||||
|
return -1;
|
||||||
|
@@ -308,12 +306,12 @@ static int sandbox_error(const char *str
|
||||||
|
static int match(const char *string, char *pattern)
|
||||||
|
{
|
||||||
|
int status;
|
||||||
|
- regex_t re;
|
||||||
|
+ regex_t re;
|
||||||
|
if (regcomp(&re, pattern, REG_EXTENDED|REG_NOSUB) != 0) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
status = regexec(&re, string, (size_t)0, NULL, 0);
|
||||||
|
- regfree(&re);
|
||||||
|
+ regfree(&re);
|
||||||
|
if (status != 0) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
@@ -334,8 +332,9 @@ static int setup_cgroups()
|
||||||
|
char buf[BUF_SIZE];
|
||||||
|
char *tok = NULL;
|
||||||
|
int rc = -1;
|
||||||
|
- const char* fname = "/etc/sysconfig/sandbox";
|
||||||
|
-
|
||||||
|
+ char *str = NULL;
|
||||||
|
+ const char* fname = "/etc/sysconfig/sandbox";
|
||||||
|
+
|
||||||
|
if ((fp = fopen(fname, "rt")) == NULL) {
|
||||||
|
fprintf(stderr, "Error opening sandbox config file.");
|
||||||
|
return rc;
|
||||||
|
@@ -343,12 +342,15 @@ static int setup_cgroups()
|
||||||
|
while(fgets(buf, BUF_SIZE, fp) != NULL) {
|
||||||
|
/* Skip comments */
|
||||||
|
if (buf[0] == '#') continue;
|
||||||
|
-
|
||||||
|
+
|
||||||
|
/* Copy the string, ignoring whitespace */
|
||||||
|
int len = strlen(buf);
|
||||||
|
- char *str = malloc((len + 1) * sizeof(char));
|
||||||
|
-
|
||||||
|
- int ind = 0;
|
||||||
|
+ free(str);
|
||||||
|
+ str = malloc((len + 1) * sizeof(char));
|
||||||
|
+ if (!str)
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ int ind = 0;
|
||||||
|
int i;
|
||||||
|
for (i = 0; i < len; i++) {
|
||||||
|
char cur = buf[i];
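Review bot: `str` is now reused across config lines and freed at the top of each iteration, but the buffer from the last line is still live when the loop exits, and on the new `if (!str) goto err;` path `fp` is still open; unless the `err:` label and the normal return (both outside this hunk) do `free(str); fclose(fp);`, the per-line leak turns into a per-call leak plus a descriptor leak in a helper that, judging by drop_privs()/drop_caps(), runs with elevated privilege. Please confirm the cleanup there, or add `/* str is released at err: and on return, not per iteration */` beside the `free(str)` so ownership is explicit. The enclosing while loop and setup_cgroups continue beyond this hunk.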
|
||||||
|
@@ -358,7 +360,7 @@ static int setup_cgroups()
|
||||||
|
}
|
||||||
|
}
|
||||||
|
str[ind] = '\0';
|
||||||
|
-
|
||||||
|
+
|
||||||
|
tok = strtok(str, "=\n");
|
||||||
|
if (tok != NULL) {
|
||||||
|
if (!strcmp(tok, "CPUAFFINITY")) {
|
||||||
|
@@ -382,7 +384,7 @@ static int setup_cgroups()
|
||||||
|
fprintf(stderr, "Error parsing config file.");
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+
|
||||||
|
} else if (!strcmp(tok, "CPUUSAGE")) {
|
||||||
|
tok = strtok(NULL, "=\n");
|
||||||
|
if (match(tok, "^[0-9]+\%")) {
|
||||||
|
@@ -400,14 +402,14 @@ static int setup_cgroups()
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+
|
||||||
|
}
|
||||||
|
if (mem == NULL) {
|
||||||
|
long phypz = sysconf(_SC_PHYS_PAGES);
|
||||||
|
long psize = sysconf(_SC_PAGE_SIZE);
|
||||||
|
memusage = phypz * psize * (float) memusage / 100.0;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+
|
||||||
|
cgroup_init();
|
||||||
|
|
||||||
|
int64_t current_runtime = 0;
|
||||||
|
@@ -423,8 +425,8 @@ static int setup_cgroups()
|
||||||
|
cgroup_get_cgroup(curr);
|
||||||
|
cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_runtime_us", ¤t_runtime);
|
||||||
|
cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_period_us", ¤t_period);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
ret = cgroup_get_current_controller_path(getpid(), "memory", &curr_mem_path);
|
||||||
|
if (ret) {
|
||||||
|
sandbox_error("Error while trying to get current controller path.\n");
|
||||||
|
@@ -432,33 +434,33 @@ static int setup_cgroups()
|
||||||
|
struct cgroup *curr = cgroup_new_cgroup(curr_mem_path);
|
||||||
|
cgroup_get_cgroup(curr);
|
||||||
|
cgroup_get_value_int64(cgroup_get_controller(curr, "memory"), "memory.limit_in_bytes", ¤t_mem);
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (((float) cpupercentage) / 100.0> (float)current_runtime / (float) current_period) {
|
||||||
|
sandbox_error("CPU usage restricted!\n");
|
||||||
|
goto err;
|
||||||
|
- }
|
||||||
|
-
|
||||||
|
- if (mem == NULL) {
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (mem == NULL) {
|
||||||
|
if (memusage > current_mem) {
|
||||||
|
sandbox_error("Attempting to use more memory than allowed!");
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+
|
||||||
|
long nprocs = sysconf(_SC_NPROCESSORS_ONLN);
|
||||||
|
-
|
||||||
|
- struct sched_param sp;
|
||||||
|
+
|
||||||
|
+ struct sched_param sp;
|
||||||
|
sp.sched_priority = sched_get_priority_min(SCHED_FIFO);
|
||||||
|
sched_setscheduler(getpid(), SCHED_FIFO, &sp);
|
||||||
|
struct cgroup *sandbox_group = cgroup_new_cgroup(cgroupname);
|
||||||
|
cgroup_add_controller(sandbox_group, "memory");
|
||||||
|
cgroup_add_controller(sandbox_group, "cpu");
|
||||||
|
-
|
||||||
|
+
|
||||||
|
if (mem == NULL) {
|
||||||
|
if (memusage > 0) {
|
||||||
|
cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", memusage);
|
||||||
|
- }
|
||||||
|
+ }
|
||||||
|
} else {
|
||||||
|
cgroup_set_value_string(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", mem);
|
||||||
|
}
|
||||||
|
@@ -470,13 +472,13 @@ static int setup_cgroups()
|
||||||
|
if (cpus != NULL) {
|
||||||
|
cgroup_set_value_string(cgroup_get_controller(sandbox_group, "cpu"), "cgroup.procs",cpus);
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+
|
||||||
|
uint64_t allocated_mem;
|
||||||
|
if (cgroup_get_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", &allocated_mem) > current_mem) {
|
||||||
|
sandbox_error("Attempting to use more memory than allowed!\n");
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+
|
||||||
|
rc = cgroup_create_cgroup(sandbox_group, 1);
|
||||||
|
if (rc != 0) {
|
||||||
|
sandbox_error("Failed to create group. Ensure that cgconfig service is running. \n");
|
||||||
|
@@ -487,13 +489,15 @@ static int setup_cgroups()
|
||||||
|
|
||||||
|
rc = 0;
|
||||||
|
err:
|
||||||
|
+ fclose(fp);
|
||||||
|
+ free(str);
|
||||||
|
free(mem);
|
||||||
|
free(cgroupname);
|
||||||
|
free(cpus);
|
||||||
|
return rc;
|
||||||
|
}
|
||||||
|
|
||||||
|
-/*
|
||||||
|
+/*
|
||||||
|
If path is empy or ends with "/." or "/.. return -1 else return 0;
|
||||||
|
*/
|
||||||
|
static int bad_path(const char *path) {
|
||||||
|
@@ -515,7 +519,7 @@ static int bad_path(const char *path) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
-static int rsynccmd(const char * src, const char *dst, char **cmdbuf)
|
||||||
|
+static int rsynccmd(const char * src, const char *dst, char **cmdbuf)
|
||||||
|
{
|
||||||
|
char *buf = NULL;
|
||||||
|
char *newbuf = NULL;
|
||||||
|
@@ -559,7 +563,7 @@ static int rsynccmd(const char * src, co
|
||||||
|
newbuf = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (buf) {
|
||||||
|
+ if (buf) {
|
||||||
|
if (asprintf(&newbuf, "/usr/bin/rsync -trlHDq %s '%s'", buf, dst) == -1) {
|
||||||
|
fprintf(stderr, "Out of memory\n");
|
||||||
|
goto err;
|
||||||
|
@@ -674,8 +678,12 @@ static char *create_tmpdir(const char *s
|
||||||
|
if (verify_directory(tmpdir, NULL, out_st) < 0) {
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
- if (check_owner_uid(0, tmpdir, out_st) < 0) goto err;
|
||||||
|
- if (check_owner_gid(getgid(), tmpdir, out_st) < 0) goto err;
|
||||||
|
+
|
||||||
|
+ if (check_owner_uid(0, tmpdir, out_st) < 0)
|
||||||
|
+ goto err;
|
||||||
|
+
|
||||||
|
+ if (check_owner_gid(getgid(), tmpdir, out_st) < 0)
|
||||||
|
+ goto err;
|
||||||
|
|
||||||
|
/* change permissions of the temporary directory */
|
||||||
|
if ((fd_t = open(tmpdir, O_RDONLY)) < 0) {
|
||||||
|
@@ -702,7 +710,7 @@ static char *create_tmpdir(const char *s
|
||||||
|
|
||||||
|
/* copy selinux context */
|
||||||
|
if (execcon) {
|
||||||
|
- if (fsetfilecon(fd_t, con) == -1) {
|
||||||
|
+ if (fsetfilecon(fd_t, con) == -1) {
|
||||||
|
fprintf(stderr, _("Failed to set context of the directory %s: %s\n"), tmpdir, strerror(errno));
|
||||||
|
goto err;
|
||||||
|
}
|
||||||
|
@@ -734,12 +742,77 @@ good:
|
||||||
|
return tmpdir;
|
||||||
|
}
|
||||||
|
|
||||||
|
+#define PROC_BASE "/proc"
|
||||||
|
+
|
||||||
|
+static int
|
||||||
|
+killall (security_context_t execcon)
|
||||||
|
+{
|
||||||
|
+ DIR *dir;
|
||||||
|
+ security_context_t scon;
|
||||||
|
+ struct dirent *de;
|
||||||
|
+ pid_t *pid_table, pid, self;
|
||||||
|
+ int i;
|
||||||
|
+ int pids, max_pids;
|
||||||
|
+ int running = 0;
|
||||||
|
+ self = getpid();
|
||||||
|
+ if (!(dir = opendir(PROC_BASE))) {
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ max_pids = 256;
|
||||||
|
+ pid_table = malloc(max_pids * sizeof (pid_t));
|
||||||
|
+ if (!pid_table) {
|
||||||
|
+ (void)closedir(dir);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ pids = 0;
|
||||||
|
+ context_t con;
|
||||||
|
+ con = context_new(execcon);
|
||||||
|
+ const char *mcs = context_range_get(con);
|
||||||
|
+ printf("mcs=%s\n", mcs);
|
||||||
|
+ while ((de = readdir (dir)) != NULL) {
|
||||||
|
+ if (!(pid = (pid_t)atoi(de->d_name)) || pid == self)
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ if (pids == max_pids) {
|
||||||
|
+ if (!(pid_table = realloc(pid_table, 2*pids*sizeof(pid_t)))) {
|
||||||
|
+ (void)closedir(dir);
|
||||||
|
+ return -1;
|
||||||
|
+ }
|
||||||
|
+ max_pids *= 2;
|
||||||
|
+ }
|
||||||
|
+ pid_table[pids++] = pid;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ (void)closedir(dir);
|
||||||
|
+
|
||||||
|
+ for (i = 0; i < pids; i++) {
|
||||||
|
+ pid_t id = pid_table[i];
|
||||||
|
+
|
||||||
|
+ if (getpidcon(id, &scon) == 0) {
|
||||||
|
+
|
||||||
|
+ context_t pidcon = context_new(scon);
|
||||||
|
+ /* Attempt to kill remaining processes */
|
||||||
|
+ if (strcmp(context_range_get(pidcon), mcs) == 0)
|
||||||
|
+ kill(id, SIGKILL);
|
||||||
|
+
|
||||||
|
+ context_free(pidcon);
|
||||||
|
+ freecon(scon);
|
||||||
|
+ }
|
||||||
|
+ running++;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ context_free(con);
|
||||||
|
+ free(pid_table);
|
||||||
|
+ return running;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
int main(int argc, char **argv) {
|
||||||
|
int status = -1;
|
||||||
|
security_context_t execcon = NULL;
|
||||||
|
|
||||||
|
int clflag; /* holds codes for command line flags */
|
||||||
|
int usecgroups = 0;
|
||||||
|
+ int kill_all = 0;
|
||||||
|
|
||||||
|
char *homedir_s = NULL; /* homedir spec'd by user in argv[] */
|
||||||
|
char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */
|
||||||
|
@@ -752,18 +825,21 @@ int main(int argc, char **argv) {
|
||||||
|
const struct option long_options[] = {
|
||||||
|
{"homedir", 1, 0, 'h'},
|
||||||
|
{"tmpdir", 1, 0, 't'},
|
||||||
|
+ {"kill", 1, 0, 'k'},
|
||||||
|
{"verbose", 1, 0, 'v'},
|
||||||
|
{"cgroups", 1, 0, 'c'},
|
||||||
|
{"context", 1, 0, 'Z'},
|
||||||
|
+ {"capabilities", 1, 0, 'C'},
|
||||||
|
{NULL, 0, 0, 0}
|
||||||
|
};
|
||||||
|
|
||||||
|
uid_t uid = getuid();
|
||||||
|
-
|
||||||
|
+/*
|
||||||
|
if (!uid) {
|
||||||
|
fprintf(stderr, _("Must not be root"));
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
+*/
|
||||||
|
|
||||||
|
#ifdef USE_NLS
|
||||||
|
setlocale(LC_ALL, "");
|
||||||
|
@@ -783,7 +859,7 @@ int main(int argc, char **argv) {
|
||||||
|
}
|
||||||
|
|
||||||
|
while (1) {
|
||||||
|
- clflag = getopt_long(argc, argv, "cvh:t:Z:", long_options, NULL);
|
||||||
|
+ clflag = getopt_long(argc, argv, "Ccvh:t:Z:", long_options, NULL);
|
||||||
|
if (clflag == -1)
|
||||||
|
break;
|
||||||
|
|
||||||
|
@@ -791,6 +867,9 @@ int main(int argc, char **argv) {
|
||||||
|
case 't':
|
||||||
|
tmpdir_s = optarg;
|
||||||
|
break;
|
||||||
|
+ case 'k':
|
||||||
|
+ kill_all = 1;
|
||||||
|
+ break;
|
||||||
|
case 'h':
|
||||||
|
homedir_s = optarg;
|
||||||
|
break;
|
||||||
|
@@ -800,6 +879,9 @@ int main(int argc, char **argv) {
|
||||||
|
case 'c':
|
||||||
|
usecgroups = 1;
|
||||||
|
break;
|
||||||
|
+ case 'C':
|
||||||
|
+ cap_set = CAPNG_SELECT_CAPS;
|
||||||
|
+ break;
|
||||||
|
case 'Z':
|
||||||
|
execcon = optarg;
|
||||||
|
break;
|
||||||
|
@@ -824,9 +906,11 @@ int main(int argc, char **argv) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
- if (set_signal_handles()) return -1;
|
||||||
|
+ if (set_signal_handles())
|
||||||
|
+ return -1;
|
||||||
|
|
||||||
|
- if (usecgroups && setup_cgroups() < 0) return -1;
|
||||||
|
+ if (usecgroups && setup_cgroups() < 0)
|
||||||
|
+ return -1;
|
||||||
|
|
||||||
|
/* set fsuid to ruid */
|
||||||
|
/* Changing fsuid is usually required when user-specified directory is
|
||||||
|
@@ -851,7 +935,7 @@ int main(int argc, char **argv) {
|
||||||
|
}
|
||||||
|
|
||||||
|
/* spawn child process */
|
||||||
|
- int child = fork();
|
||||||
|
+ child = fork();
|
||||||
|
if (child == -1) {
|
||||||
|
perror(_("Unable to fork"));
|
||||||
|
goto err;
|
||||||
|
@@ -859,6 +943,7 @@ int main(int argc, char **argv) {
|
||||||
|
|
||||||
|
if (child == 0) {
|
||||||
|
char *display = NULL;
|
||||||
|
+ char *LANG = NULL;
|
||||||
|
int rc = -1;
|
||||||
|
|
||||||
|
if (unshare(CLONE_NEWNS) < 0) {
|
||||||
|
@@ -866,6 +951,13 @@ int main(int argc, char **argv) {
|
||||||
|
goto childerr;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ /* Remount / as SLAVE so that nothing mounted in the namespace
|
||||||
|
+ shows up in the parent */
|
||||||
|
+ if (mount("none", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) {
|
||||||
|
+ perror(_("Failed to make / a SLAVE mountpoint\n"));
|
||||||
|
+ goto childerr;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
/* assume fsuid==ruid after this point */
|
||||||
|
setfsuid(uid);
|
||||||
|
|
||||||
|
@@ -884,12 +976,23 @@ int main(int argc, char **argv) {
|
||||||
|
goto childerr;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ /* construct a new environment */
|
||||||
|
+ if ((LANG = getenv("LANG")) != NULL) {
|
||||||
|
+ if ((LANG = strdup(LANG)) == NULL) {
|
||||||
|
+ perror(_("Out of memory"));
|
||||||
|
+ goto childerr;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if ((rc = clearenv()) != 0) {
|
||||||
|
perror(_("Failed to clear environment"));
|
||||||
|
goto childerr;
|
||||||
|
}
|
||||||
|
- if (display)
|
||||||
|
+ if (display)
|
||||||
|
rc |= setenv("DISPLAY", display, 1);
|
||||||
|
+ if (LANG)
|
||||||
|
+ rc |= setenv("LANG", LANG, 1);
|
||||||
|
rc |= setenv("HOME", pwd->pw_dir, 1);
|
||||||
|
rc |= setenv("SHELL", pwd->pw_shell, 1);
|
||||||
|
rc |= setenv("USER", pwd->pw_name, 1);
|
||||||
|
@@ -899,7 +1002,7 @@ int main(int argc, char **argv) {
|
||||||
|
fprintf(stderr, _("Failed to construct environment\n"));
|
||||||
|
goto childerr;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
+
|
||||||
|
/* selinux context */
|
||||||
|
if (execcon && setexeccon(execcon) != 0) {
|
||||||
|
fprintf(stderr, _("Could not set exec context to %s.\n"), execcon);
|
||||||
|
@@ -910,13 +1013,12 @@ int main(int argc, char **argv) {
|
||||||
|
perror(_("Failed to change dir to homedir"));
|
||||||
|
goto childerr;
|
||||||
|
}
|
||||||
|
-
|
||||||
|
setsid();
|
||||||
|
-
|
||||||
|
execv(argv[optind], argv + optind);
|
||||||
|
fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
|
||||||
|
childerr:
|
||||||
|
free(display);
|
||||||
|
+ free(LANG);
|
||||||
|
exit(-1);
|
||||||
|
}
|
||||||
|
|
||||||
|
@@ -926,10 +1028,15 @@ childerr:
|
||||||
|
waitpid(child, &status, 0);
|
||||||
|
status_to_retval(status, status);
|
||||||
|
|
||||||
|
+ /* Make sure all child processes exit */
|
||||||
|
+ kill(-child,SIGTERM);
|
||||||
|
+
|
||||||
|
+ if (execcon && kill_all)
|
||||||
|
+ killall(execcon);
|
||||||
|
+
|
||||||
|
if (tmpdir_r) cleanup_tmpdir(tmpdir_r, tmpdir_s, pwd, 1);
|
||||||
|
|
||||||
|
err:
|
||||||
|
free(tmpdir_r);
|
||||||
|
return status;
|
||||||
|
}
|
||||||
|
-
|
@ -6,8 +6,8 @@
|
|||||||
|
|
||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.0.85
|
Version: 2.0.86
|
||||||
Release: 12%{?dist}
|
Release: 7.3%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
# Based on git repository with tag 20101221
|
# Based on git repository with tag 20101221
|
||||||
@ -25,7 +25,8 @@ Patch: policycoreutils-rhat.patch
|
|||||||
Patch1: policycoreutils-po.patch
|
Patch1: policycoreutils-po.patch
|
||||||
Patch3: policycoreutils-gui.patch
|
Patch3: policycoreutils-gui.patch
|
||||||
Patch4: policycoreutils-sepolgen.patch
|
Patch4: policycoreutils-sepolgen.patch
|
||||||
Obsoletes: policycoreutils < 2.0.61-2
|
Patch5: policycoreutils-sandbox.patch
|
||||||
|
Obsoletes: policycoreutils < 2.0.86-7
|
||||||
|
|
||||||
%global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")
|
%global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")
|
||||||
|
|
||||||
@ -63,6 +64,7 @@ context.
|
|||||||
%patch1 -p1 -b .rhatpo
|
%patch1 -p1 -b .rhatpo
|
||||||
%patch3 -p1 -b .gui
|
%patch3 -p1 -b .gui
|
||||||
%patch4 -p1 -b .sepolgen
|
%patch4 -p1 -b .sepolgen
|
||||||
|
%patch5 -p1 -b .sandbox
|
||||||
|
|
||||||
%build
|
%build
|
||||||
make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE " LDFLAGS="-pie -Wl,-z,relro" all
|
make LSPP_PRIV=y LIBDIR="%{_libdir}" CFLAGS="%{optflags} -fPIE " LDFLAGS="-pie -Wl,-z,relro" all
|
||||||
@ -119,6 +121,7 @@ Requires: /usr/bin/make
|
|||||||
Requires(pre): python >= 2.6
|
Requires(pre): python >= 2.6
|
||||||
Obsoletes: policycoreutils < 2.0.61-2
|
Obsoletes: policycoreutils < 2.0.61-2
|
||||||
Requires: setools-libs-python >= 3.3.7-6
|
Requires: setools-libs-python >= 3.3.7-6
|
||||||
|
Requires: python-IPy
|
||||||
|
|
||||||
%description python
|
%description python
|
||||||
The policycoreutils-python package contains the management tools use to manage an SELinux environment.
|
The policycoreutils-python package contains the management tools use to manage an SELinux environment.
|
||||||
@ -156,19 +159,19 @@ exit 0
|
|||||||
Summary: SELinux sandbox utilities
|
Summary: SELinux sandbox utilities
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Requires: policycoreutils-python = %{version}-%{release}
|
Requires: policycoreutils-python = %{version}-%{release}
|
||||||
Requires: xorg-x11-server-Xephyr
|
Requires: xorg-x11-server-Xephyr /usr/bin/rsync /usr/bin/xmodmap
|
||||||
Requires: matchbox-window-manager
|
Requires: matchbox-window-manager
|
||||||
Requires(post): /sbin/chkconfig
|
Requires(post): /sbin/chkconfig
|
||||||
BuildRequires: libcap-ng-devel
|
BuildRequires: libcap-ng-devel
|
||||||
|
|
||||||
%description sandbox
|
%description sandbox
|
||||||
The policycoreutils-python package contains the scripts to create graphical sandboxes
|
The policycoreutils-sandbox package contains the scripts to create graphical sandboxes
|
||||||
|
|
||||||
%files sandbox
|
%files sandbox
|
||||||
%defattr(-,root,root,-)
|
%defattr(-,root,root,-)
|
||||||
%{_datadir}/sandbox/sandboxX.sh
|
%{_datadir}/sandbox/sandboxX.sh
|
||||||
%{_datadir}/sandbox/start
|
%{_datadir}/sandbox/start
|
||||||
%attr(0755,root,root) %caps(cap_setpcap,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
|
%attr(0755,root,root) %caps(cap_setpcap,cap_setuid,cap_fowner,cap_dac_override,cap_sys_admin,cap_sys_nice=pe) %{_sbindir}/seunshare
|
||||||
%{_mandir}/man8/seunshare.8*
|
%{_mandir}/man8/seunshare.8*
|
||||||
%{_mandir}/man5/sandbox.conf.5*
|
%{_mandir}/man5/sandbox.conf.5*
|
||||||
|
|
||||||
@ -180,6 +183,7 @@ exit 0
|
|||||||
if [ $1 -eq 1 ]; then
|
if [ $1 -eq 1 ]; then
|
||||||
/sbin/chkconfig sandbox --add
|
/sbin/chkconfig sandbox --add
|
||||||
fi
|
fi
|
||||||
|
|
||||||
%preun sandbox
|
%preun sandbox
|
||||||
if [ $1 -eq 0 ]; then
|
if [ $1 -eq 0 ]; then
|
||||||
/sbin/chkconfig sandbox --del
|
/sbin/chkconfig sandbox --del
|
||||||
@ -296,6 +300,7 @@ rm -rf %{buildroot}
|
|||||||
Summary: SELinux restorecond utilities
|
Summary: SELinux restorecond utilities
|
||||||
Group: System Environment/Base
|
Group: System Environment/Base
|
||||||
Requires(post): /sbin/chkconfig
|
Requires(post): /sbin/chkconfig
|
||||||
|
Obsoletes: policycoreutils < 2.0.86-7
|
||||||
|
|
||||||
%description restorecond
|
%description restorecond
|
||||||
The policycoreutils-restorecond package contains the restorecond service.
|
The policycoreutils-restorecond package contains the restorecond service.
|
||||||
@ -329,6 +334,115 @@ fi
|
|||||||
exit 0
|
exit 0
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jan 3 2012 Dan Walsh <dwalsh@redhat.com> - 2.0.86-7.3
|
||||||
|
- Fix the handling of namespaces in seunshare/sandbox.
|
||||||
|
- Currently mounting of directories within sandbox is propogating to the
|
||||||
|
- parent namesspace.
|
||||||
|
|
||||||
|
* Thu Jul 7 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-7.2
|
||||||
|
- Change seunshare to send kill signals to the childs session.
|
||||||
|
- Also add signal handler to catch sigint, so if user enters ctrl-C sandbox will shutdown.
|
||||||
|
- Add -k qualifier to seunshare to have it attempt to kill all processes with
|
||||||
|
the matching MCS label.
|
||||||
|
- Add -C option to sandbox and seunshare to maintain capabilities, otherwise
|
||||||
|
the bounding set will be dropped.
|
||||||
|
- Change --cgroups short name -c rather then -C for consistancy
|
||||||
|
- Fix memory and fd leaks in seunshare
|
||||||
|
|
||||||
|
* Mon Jun 13 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-7.1
|
||||||
|
- Do not drop capability bounding set in seunshare, this allows sandbox to
|
||||||
|
- run setuid apps.
|
||||||
|
- Cleanup policy generation template
|
||||||
|
- Pass dpi settings to sandbox
|
||||||
|
- Add .config/* to restorecond_users.conf
|
||||||
|
|
||||||
|
* Fri Apr 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-7
|
||||||
|
- Clean up some of the templates for sepolgen
|
||||||
|
|
||||||
|
* Fri Apr 22 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-6
|
||||||
|
- Apply patches from Christoph A.
|
||||||
|
* fix sandbox title
|
||||||
|
* stop xephyr from li
|
||||||
|
- Also ignore errors on sandbox include of directory missing files
|
||||||
|
|
||||||
|
* Thu Apr 21 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-5
|
||||||
|
- rebuild versus latest libsepol
|
||||||
|
|
||||||
|
* Mon Apr 18 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-4
|
||||||
|
- Change fixfiles restore to delete unlabeled sockets in /tmp
|
||||||
|
|
||||||
|
* Mon Apr 18 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-2
|
||||||
|
- rebuild versus latest libsepol
|
||||||
|
|
||||||
|
* Tue Apr 12 2011 Dan Walsh <dwalsh@redhat.com> 2.0.86-1
|
||||||
|
- Update to upstream
|
||||||
|
* Use correct color range in mcstrand by Richard Haines.
|
||||||
|
|
||||||
|
* Mon Apr 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-30
|
||||||
|
- Add Elia Pinto patches to allow user to specify directories to ignore
|
||||||
|
|
||||||
|
* Tue Apr 5 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-29
|
||||||
|
- Fix policycoreutils-sandbox description
|
||||||
|
|
||||||
|
* Tue Mar 29 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-28
|
||||||
|
- rsynccmd should run outside of execcon
|
||||||
|
|
||||||
|
* Thu Mar 24 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-27
|
||||||
|
- Fix semange node handling of ipv6 addresses
|
||||||
|
|
||||||
|
* Wed Mar 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-26
|
||||||
|
- Fix sepolgen-ifgen call, add -p option
|
||||||
|
|
||||||
|
* Wed Mar 23 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-25
|
||||||
|
- Fix sepolgen-ifgen call
|
||||||
|
|
||||||
|
* Fri Mar 18 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-24
|
||||||
|
- Fix rsync command to work if the directory is old.
|
||||||
|
- Fix all tests
|
||||||
|
|
||||||
|
* Wed Mar 16 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-23
|
||||||
|
- Fix sepolgen to generate network polcy using generic_if and genric_node versus all_if and all_node
|
||||||
|
|
||||||
|
* Wed Mar 16 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-22
|
||||||
|
- Return to original seunshare man page
|
||||||
|
|
||||||
|
* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-21
|
||||||
|
- change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
|
||||||
|
- This will allow default sandboxes to work on NFS homedirs without allowing
|
||||||
|
access to homedir data
|
||||||
|
|
||||||
|
* Fri Mar 11 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-20
|
||||||
|
- Change sepolgen-ifgen to search all available policy files
|
||||||
|
- Exit in restorecond if it can not find a UID in the passwd database
|
||||||
|
|
||||||
|
* Wed Mar 9 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-19
|
||||||
|
- Fix portspage in system-config-selinux to not crash
|
||||||
|
- More fixes for seunshare from Tomas Hoger
|
||||||
|
|
||||||
|
* Tue Mar 8 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-18
|
||||||
|
- put back in old handling of -T in sandbox command
|
||||||
|
- Put back setsid in seunshare
|
||||||
|
- Fix rsync to maintain times
|
||||||
|
|
||||||
|
* Tue Mar 8 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-17
|
||||||
|
- Use rewritten seunshare from thoger
|
||||||
|
|
||||||
|
* Mon Mar 7 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-16
|
||||||
|
- Require python-IPy for policycoreutils-python package
|
||||||
|
- Fixes for sepologen
|
||||||
|
- Usage statement needs -n name
|
||||||
|
- Names with _ are being prevented
|
||||||
|
- dbus apps should get _chat interface
|
||||||
|
|
||||||
|
* Thu Mar 3 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-15
|
||||||
|
- Fix error message in seunshare, check for tmpdir existance before unlink.
|
||||||
|
|
||||||
|
* Fri Feb 25 2011 Dan Walsh <dwalsh@redhat.com> 2.0.85-13
|
||||||
|
- Rewrite seunshare to make sure /tmp is mounted stickybit owned by root
|
||||||
|
- Only allow names in polgengui that contain letters and numbers
|
||||||
|
- Fix up node handling in semanage command
|
||||||
|
- Update translations
|
||||||
|
|
||||||
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.85-12
|
* Wed Feb 09 2011 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.0.85-12
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
|
||||||
|
|
||||||
|
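Review bot: The `%caps(...)` attribute on `%{_sbindir}/seunshare` in the `%files sandbox` hunk now also grants `cap_setuid` (the `=pe` suffix makes it permitted and effective), but none of the added changelog entries records this widening of the helper's file capabilities; the 2.0.86-7.1 and -7.2 entries speak only of the bounding set and the new -C option. Because seunshare is the privileged launcher behind sandbox, a new capability grant should be stated explicitly, e.g. `- Add cap_setuid to seunshare file capabilities`, together with the reason it is needed, so the grant can be tied to the seunshare change that presumably requires it. The other spec changes (Patch5 hook, Requires additions, Obsoletes bump, sandbox description fix) look consistent with each other; the new changelog text carries a few typos (`propogating`, `namesspace`, `consistancy`) worth fixing while the entry is being touched.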
@ -2,6 +2,7 @@
|
|||||||
Name=SELinux Policy Generation Tool
|
Name=SELinux Policy Generation Tool
|
||||||
Name[bn_IN]=SELinux Policy নির্মাণের সামগ্রী
|
Name[bn_IN]=SELinux Policy নির্মাণের সামগ্রী
|
||||||
Name[ca]=Eina de generació de polítiques del SELinux
|
Name[ca]=Eina de generació de polítiques del SELinux
|
||||||
|
Name[da]=Regelsætgenereringsværktøj til SELinux
|
||||||
Name[de]=Tool zur Erstellung von SELinux-Richtlinien
|
Name[de]=Tool zur Erstellung von SELinux-Richtlinien
|
||||||
Name[es]=Generador de Políticas de SELinux
|
Name[es]=Generador de Políticas de SELinux
|
||||||
Name[fi]=SELinux-käytäntöjen generointityökalu
|
Name[fi]=SELinux-käytäntöjen generointityökalu
|
||||||
@ -24,12 +25,13 @@ Name[ru]=Средство создания политики SELinux
|
|||||||
Name[sv]=Genereringsverktyg för SELinuxpolicy
|
Name[sv]=Genereringsverktyg för SELinuxpolicy
|
||||||
Name[ta]=SELinux பாலிசி உற்பத்தி கருவி
|
Name[ta]=SELinux பாலிசி உற்பத்தி கருவி
|
||||||
Name[te]=SELinux నిర్వహణ
|
Name[te]=SELinux నిర్వహణ
|
||||||
Name[uk]=Утиліта генерації політики SELinux
|
Name[uk]=Утиліта генерації правил SELinux
|
||||||
Name[zh_CN]=SELinux 策略生成工具
|
Name[zh_CN]=SELinux 策略生成工具
|
||||||
Name[zh_TW]=SELinux 政策產生工具(SELinux Policy Generation Tool)
|
Name[zh_TW]=SELinux 政策產生工具(SELinux Policy Generation Tool)
|
||||||
Comment=Generate SELinux policy modules
|
Comment=Generate SELinux policy modules
|
||||||
Comment[bn_IN]=SELinux নিয়মনীতির মডিউল নির্মাণ করুন
|
Comment[bn_IN]=SELinux নিয়মনীতির মডিউল নির্মাণ করুন
|
||||||
Comment[ca]=Genera els mòduls de les polítiques de SELinux
|
Comment[ca]=Genera els mòduls de les polítiques de SELinux
|
||||||
|
Comment[da]=Generér SELinux-regelsætmodul
|
||||||
Comment[de]=Tool zur Erstellung von SELinux-Richtlinien
|
Comment[de]=Tool zur Erstellung von SELinux-Richtlinien
|
||||||
Comment[es]=Generar módulos de política de SELinux
|
Comment[es]=Generar módulos de política de SELinux
|
||||||
Comment[fi]=Generoi SELinuxin käytäntömoduuleja
|
Comment[fi]=Generoi SELinuxin käytäntömoduuleja
|
||||||
|
2
sources
2
sources
@ -1,3 +1,3 @@
|
|||||||
49faa2e5f343317bcfcf34d7286f6037 sepolgen-1.0.23.tgz
|
49faa2e5f343317bcfcf34d7286f6037 sepolgen-1.0.23.tgz
|
||||||
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
|
59d33101d57378ce69889cc078addf90 policycoreutils_man_ru2.tar.bz2
|
||||||
92fa615448d443b22c4ad6ecf89fc974 policycoreutils-2.0.85.tgz
|
13d864a8a6f8a933ef7aee7baf4a9662 policycoreutils-2.0.86.tgz
|
||||||
|
@ -1,6 +1,7 @@
|
|||||||
[Desktop Entry]
|
[Desktop Entry]
|
||||||
Name=SELinux Management
|
Name=SELinux Management
|
||||||
Name[bn_IN]=SELinux পরিচালনা
|
Name[bn_IN]=SELinux পরিচালনা
|
||||||
|
Name[da]=Håndtering af SELinux
|
||||||
Name[de]=SELinux-Management
|
Name[de]=SELinux-Management
|
||||||
Name[ca]=Gestió de SELinux
|
Name[ca]=Gestió de SELinux
|
||||||
Name[es]=Administración de SELinux
|
Name[es]=Administración de SELinux
|
||||||
@ -30,6 +31,7 @@ Name[zh_TW]=SELinux 管理
|
|||||||
Comment=Configure SELinux in a graphical setting
|
Comment=Configure SELinux in a graphical setting
|
||||||
Comment[bn_IN]=গ্রাফিক্যাল পরিবেশে SELinux কনফিগার করুন
|
Comment[bn_IN]=গ্রাফিক্যাল পরিবেশে SELinux কনফিগার করুন
|
||||||
Comment[ca]=Configura SELinuc an mode de preferències gràfiques
|
Comment[ca]=Configura SELinuc an mode de preferències gràfiques
|
||||||
|
Comment[da]=Konfigurér SELinux i et grafisk miljø
|
||||||
Comment[de]=SELinux in einer grafischen Einstellung konfigurieren
|
Comment[de]=SELinux in einer grafischen Einstellung konfigurieren
|
||||||
Comment[es]=Defina SELinux en una configuración de interfaz gráfica
|
Comment[es]=Defina SELinux en una configuración de interfaz gráfica
|
||||||
Comment[fi]=Tee SELinuxin asetukset graafisesti
|
Comment[fi]=Tee SELinuxin asetukset graafisesti
|
||||||
|