* Wed Apr 7 2014 Miroslav Grepl <mgrepl@redhat.com> - 2.1.14-46.8

- seunshare: Use setcurrent before setexec from luto@amacapital.net

0001-seunshare-Try-to-use-setcurrent-before-setexec.patch

@@ -0,0 +1,62 @@
+From 4f9823d2f21473f42ddf12fd8d4ea01cf95b564a Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Wed, 30 Apr 2014 21:59:37 -0700
+Subject: [PATCH] seunshare: Try to use setcurrent before setexec
+
+If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
+libcap-ng set, setexeccon will cause execve to fail.  This also
+makes setting selinux context the very last action taken by
+seunshare prior to exec, as it may otherwise cause things to fail.
+
+Note that this won't work without adjusting the system policy to
+allow this use of setcurrent.  This rule appears to work:
+
+    allow unconfined_t sandbox_t:process dyntransition;
+
+although a better rule would probably relax the unconfined_t
+restriction.
+
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+---
+ policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
+index 35e5a5e..529b6a6 100644
+--- a/policycoreutils/sandbox/seunshare.c
++++ b/policycoreutils/sandbox/seunshare.c
+@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
+ 			goto childerr;
+ 		}
+ 
+-		/* selinux context */
+-		if (execcon && setexeccon(execcon) != 0) {
+-			fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+-			goto childerr;
+-		}
+-
+ 		if (chdir(pwd->pw_dir)) {
+ 			perror(_("Failed to change dir to homedir"));
+ 			goto childerr;
+ 		}
+ 		setsid();
++
++		/* selinux context */
++		if (execcon) {
++			/* try dyntransition, since no_new_privs can interfere
++			 * with setexeccon */
++			if (setcon(execcon) != 0) {
++				/* failed; fall back to setexeccon */
++				if (setexeccon(execcon) != 0) {
++					fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
++					goto childerr;
++				}
++			}
++		}
++
+ 		execv(argv[optind], argv + optind);
+ 		fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
+ childerr:
+-- 
+1.9.0
+

policycoreutils-sepolgen.patch

@@ -1,13 +1,131 @@
 diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
-index d636091..9ca35a7 100644
+index d636091..56919be 100644
 --- a/sepolgen/src/sepolgen/audit.py
 +++ b/sepolgen/src/sepolgen/audit.py
-@@ -259,7 +259,7 @@ class AVCMessage(AuditMessage):
+@@ -259,13 +259,13 @@ class AVCMessage(AuditMessage):
                  raise ValueError("Error during access vector computation")
  
              if self.type == audit2why.CONSTRAINT:
 -                self.data = []
 +                self.data = [ self.data ]
                  if self.scontext.user != self.tcontext.user:
-                     self.data.append("user")
+-                    self.data.append("user")
++                    self.data.append(("user (%s)" % self.scontext.user, 'user (%s)' % self.tcontext.user))
                  if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
+-                    self.data.append("role")
++                    self.data.append(("role (%s)" % self.scontext.role, 'role (%s)' % self.tcontext.role))
+                 if self.scontext.level != self.tcontext.level:
+-                    self.data.append("level")
++                    self.data.append(("level (%s)" % self.scontext.level, 'level (%s)' % self.tcontext.level))
+ 
+             avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
+ 
+diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
+index cc9f8ea..ce643e5 100644
+--- a/sepolgen/src/sepolgen/policygen.py
++++ b/sepolgen/src/sepolgen/policygen.py
+@@ -161,21 +161,21 @@ class PolicyGenerator:
+             if self.explain:
+                 rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
+             if av.type == audit2why.ALLOW:
+-                rule.comment += "#!!!! This avc is allowed in the current policy\n"
++                rule.comment += "\n#!!!! This avc is allowed in the current policy"
+             if av.type == audit2why.DONTAUDIT:
+-                rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
++                rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy"
+ 
+             if av.type == audit2why.BOOLEAN:
+                 if len(av.data) > 1:
+-                    rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n#     %s\n" % ", ".join(map(lambda x: x[0], av.data))
++                    rule.comment += "\n#!!!! This avc can be allowed using one of the these booleans:\n#     %s" % ", ".join(map(lambda x: x[0], av.data))
+                 else:
+-                    rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
++                    rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0]
+ 
+             if av.type == audit2why.CONSTRAINT:
+-                rule.comment += "#!!!! This avc is a constraint violation.  You will need to add an attribute to either the source or target type to make it work.\n"
+-                rule.comment += "#Constraint rule: "
+-                for reason in av.data:
+-                    rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
++                rule.comment += "\n#!!!! This avc is a constraint violation.  You would need to modify the attributes of either the source or target types to allow this access.\n"
++                rule.comment += "#Constraint rule: \n\t" + av.data[0]
++                for reason in av.data[1:]:
++                    rule.comment += "#\tPossible cause is the source %s and target %s are different." % reason
+ 
+             try:
+                 if ( av.type == audit2why.TERULE and
+@@ -189,9 +189,9 @@ class PolicyGenerator:
+                         if i not in self.domains:
+                             types.append(i)
+                     if len(types) == 1:
+-                        rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++                        rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+                     elif len(types) >= 1:
+-                        rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
++                        rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
+             except:
+                 pass
+             self.module.children.append(rule)
+diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
+index 7b76261..a05d9d1 100644
+--- a/sepolgen/src/sepolgen/refparser.py
++++ b/sepolgen/src/sepolgen/refparser.py
+@@ -65,6 +65,7 @@ tokens = (
+     'BAR',
+     'EXPL',
+     'EQUAL',
++    'FILENAME',
+     'IDENTIFIER',
+     'NUMBER',
+     'PATH',
+@@ -249,11 +250,17 @@ def t_refpolicywarn(t):
+     t.lexer.lineno += 1
+ 
+ def t_IDENTIFIER(t):
+-    r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\+\.\$\*\"~]*'
++    r'[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*'
+     # Handle any keywords
+     t.type = reserved.get(t.value,'IDENTIFIER')
+     return t
+ 
++def t_FILENAME(t):
++    r'\"[a-zA-Z0-9_\-\+\.\$\*~ :]+\"'
++    # Handle any keywords
++    t.type = reserved.get(t.value,'FILENAME')
++    return t
++
+ def t_comment(t):
+     r'\#.*\n'
+     # Ignore all comments
+@@ -450,6 +457,7 @@ def p_interface_call_param(p):
+                             | nested_id_set
+                             | TRUE
+                             | FALSE
++                            | FILENAME
+     '''
+     # Intentionally let single identifiers pass through
+     # List means set, non-list identifier
+@@ -461,6 +469,7 @@ def p_interface_call_param(p):
+ def p_interface_call_param_list(p):
+     '''interface_call_param_list : interface_call_param
+                                  | interface_call_param_list COMMA interface_call_param
++                                 | interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list
+     '''
+     if len(p) == 2:
+         p[0] = [p[1]]
+@@ -787,6 +796,7 @@ def p_avrule_def(p):
+ 
+ def p_typerule_def(p):
+     '''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
++                    | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI
+                     | TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
+                     | TYPE_CHANGE names names COLON names IDENTIFIER SEMI
+                     | TYPE_MEMBER names names COLON names IDENTIFIER SEMI
+@@ -800,6 +810,7 @@ def p_typerule_def(p):
+     t.tgt_types = p[3]
+     t.obj_classes = p[5]
+     t.dest_type = p[6]
++    t.file_name = p[7]
+     p[0] = t
+ 
+ def p_bool(p):