Compare commits
32 Commits
Author | SHA1 | Date |
---|---|---|
|
e2585817b9 | |
|
4e76fa053c | |
|
7b5f7410d8 | |
|
c8944cf0c5 | |
|
700fcd7d59 | |
|
0378c32552 | |
|
ecf5132b5c | |
|
f81e3d0371 | |
|
1a1b575f7a | |
|
c6021285eb | |
|
7c656bbb66 | |
|
a4276d4030 | |
|
6334ae4e3b | |
|
04a21e14f5 | |
|
55520d61bb | |
|
72cc2c98e2 | |
|
893a20e39a | |
|
62c82285f2 | |
|
0d5bdb0982 | |
|
f3516b164f | |
|
a1622cbdfc | |
|
e19e89cc2d | |
|
3425b4c3dc | |
|
153f8e3865 | |
|
96c084f7c3 | |
|
93ba232940 | |
|
ea6e803673 | |
|
05cf7b36dc | |
|
d052bda88a | |
|
9ef13ad6bc | |
|
f5c1b2817f | |
|
38c288127b |
|
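--- /dev/null
+++ b/PATCH_FILE_PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,62 @@
+From 4f9823d2f21473f42ddf12fd8d4ea01cf95b564a Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto@amacapital.net>
+Date: Wed, 30 Apr 2014 21:59:37 -0700
+Subject: [PATCH] seunshare: Try to use setcurrent before setexec
+
+If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
+libcap-ng set, setexeccon will cause execve to fail. This also
+makes setting selinux context the very last action taken by
+seunshare prior to exec, as it may otherwise cause things to fail.
+
+Note that this won't work without adjusting the system policy to
+allow this use of setcurrent. This rule appears to work:
+
+allow unconfined_t sandbox_t:process dyntransition;
+
+although a better rule would probably relax the unconfined_t
+restriction.
+
+Signed-off-by: Andy Lutomirski <luto@amacapital.net>
+---
+policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
+1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
+index 35e5a5e..529b6a6 100644
+--- a/policycoreutils/sandbox/seunshare.c
++++ b/policycoreutils/sandbox/seunshare.c
+@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
+goto childerr;
+}
+
+- /* selinux context */
+- if (execcon && setexeccon(execcon) != 0) {
+- fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+- goto childerr;
+- }
+-
+if (chdir(pwd->pw_dir)) {
+perror(_("Failed to change dir to homedir"));
+goto childerr;
+}
+setsid();
++
++ /* selinux context */
++ if (execcon) {
++ /* try dyntransition, since no_new_privs can interfere
++ * with setexeccon */
++ if (setcon(execcon) != 0) {
++ /* failed; fall back to setexeccon */
++ if (setexeccon(execcon) != 0) {
++ fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
++ goto childerr;
++ }
++ }
++ }
++
+execv(argv[optind], argv + optind);
+fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
+childerr:
+--
+1.9.0
+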
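Review bot: The setcon() failure in the new block is discarded before falling back to setexeccon(), so when the fallback also fails the message `Could not set exec context to %s` carries only the second errno and the operator cannot tell whether the dyntransition was denied by policy (the description says it needs an explicit allow rule) or failed for another reason. I would keep the first error, `int setcon_err = errno;` immediately after the setcon() check, and report both in the fprintf, e.g. `fprintf(stderr, _("Could not set exec context to %s. setcon: %s; setexeccon: %s\n"), execcon, strerror(setcon_err), strerror(errno));`. When setcon() succeeds the process is already running in the target context before execv(), so the `Failed to execute command` report and whatever follows the childerr label run under that context; that is the intent stated in the description, but a one-line comment at the call site, `/* from here on the child already runs as execcon; only execv and error reporting may follow */`, would make it explicit for the next maintainer. main() begins and ends outside this hunk.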
249844
policycoreutils-rhat.patch
|
@ -1,13 +1,131 @@
|
|||
diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
|
||||
index d636091..9ca35a7 100644
|
||||
index d636091..56919be 100644
|
||||
--- a/sepolgen/src/sepolgen/audit.py
|
||||
+++ b/sepolgen/src/sepolgen/audit.py
|
||||
@@ -259,7 +259,7 @@ class AVCMessage(AuditMessage):
|
||||
@@ -259,13 +259,13 @@ class AVCMessage(AuditMessage):
|
||||
raise ValueError("Error during access vector computation")
|
||||
|
||||
if self.type == audit2why.CONSTRAINT:
|
||||
- self.data = []
|
||||
+ self.data = [ self.data ]
|
||||
if self.scontext.user != self.tcontext.user:
|
||||
self.data.append("user")
|
||||
- self.data.append("user")
|
||||
+ self.data.append(("user (%s)" % self.scontext.user, 'user (%s)' % self.tcontext.user))
|
||||
if self.scontext.role != self.tcontext.role and self.tcontext.role != "object_r":
|
||||
- self.data.append("role")
|
||||
+ self.data.append(("role (%s)" % self.scontext.role, 'role (%s)' % self.tcontext.role))
|
||||
if self.scontext.level != self.tcontext.level:
|
||||
- self.data.append("level")
|
||||
+ self.data.append(("level (%s)" % self.scontext.level, 'level (%s)' % self.tcontext.level))
|
||||
|
||||
avcdict[(scontext, tcontext, self.tclass, access_tuple)] = (self.type, self.data)
|
||||
|
||||
diff --git a/sepolgen/src/sepolgen/policygen.py b/sepolgen/src/sepolgen/policygen.py
|
||||
index cc9f8ea..ce643e5 100644
|
||||
--- a/sepolgen/src/sepolgen/policygen.py
|
||||
+++ b/sepolgen/src/sepolgen/policygen.py
|
||||
@@ -161,21 +161,21 @@ class PolicyGenerator:
|
||||
if self.explain:
|
||||
rule.comment = str(refpolicy.Comment(explain_access(av, verbosity=self.explain)))
|
||||
if av.type == audit2why.ALLOW:
|
||||
- rule.comment += "#!!!! This avc is allowed in the current policy\n"
|
||||
+ rule.comment += "\n#!!!! This avc is allowed in the current policy"
|
||||
if av.type == audit2why.DONTAUDIT:
|
||||
- rule.comment += "#!!!! This avc has a dontaudit rule in the current policy\n"
|
||||
+ rule.comment += "\n#!!!! This avc has a dontaudit rule in the current policy"
|
||||
|
||||
if av.type == audit2why.BOOLEAN:
|
||||
if len(av.data) > 1:
|
||||
- rule.comment += "#!!!! This avc can be allowed using one of the these booleans:\n# %s\n" % ", ".join(map(lambda x: x[0], av.data))
|
||||
+ rule.comment += "\n#!!!! This avc can be allowed using one of the these booleans:\n# %s" % ", ".join(map(lambda x: x[0], av.data))
|
||||
else:
|
||||
- rule.comment += "#!!!! This avc can be allowed using the boolean '%s'\n" % av.data[0][0]
|
||||
+ rule.comment += "\n#!!!! This avc can be allowed using the boolean '%s'" % av.data[0][0]
|
||||
|
||||
if av.type == audit2why.CONSTRAINT:
|
||||
- rule.comment += "#!!!! This avc is a constraint violation. You will need to add an attribute to either the source or target type to make it work.\n"
|
||||
- rule.comment += "#Constraint rule: "
|
||||
- for reason in av.data:
|
||||
- rule.comment += "\n#\tPossible cause source context and target context '%s' differ\b" % reason
|
||||
+ rule.comment += "\n#!!!! This avc is a constraint violation. You would need to modify the attributes of either the source or target types to allow this access.\n"
|
||||
+ rule.comment += "#Constraint rule: \n\t" + av.data[0]
|
||||
+ for reason in av.data[1:]:
|
||||
+ rule.comment += "#\tPossible cause is the source %s and target %s are different." % reason
|
||||
|
||||
try:
|
||||
if ( av.type == audit2why.TERULE and
|
||||
@@ -189,9 +189,9 @@ class PolicyGenerator:
|
||||
if i not in self.domains:
|
||||
types.append(i)
|
||||
if len(types) == 1:
|
||||
- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
+ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following type:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
elif len(types) >= 1:
|
||||
- rule.comment += "#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
+ rule.comment += "\n#!!!! The source type '%s' can write to a '%s' of the following types:\n# %s\n" % ( av.src_type, av.obj_class, ", ".join(types))
|
||||
except:
|
||||
pass
|
||||
self.module.children.append(rule)
|
||||
diff --git a/sepolgen/src/sepolgen/refparser.py b/sepolgen/src/sepolgen/refparser.py
|
||||
index 7b76261..a05d9d1 100644
|
||||
--- a/sepolgen/src/sepolgen/refparser.py
|
||||
+++ b/sepolgen/src/sepolgen/refparser.py
|
||||
@@ -65,6 +65,7 @@ tokens = (
|
||||
'BAR',
|
||||
'EXPL',
|
||||
'EQUAL',
|
||||
+ 'FILENAME',
|
||||
'IDENTIFIER',
|
||||
'NUMBER',
|
||||
'PATH',
|
||||
@@ -249,11 +250,17 @@ def t_refpolicywarn(t):
|
||||
t.lexer.lineno += 1
|
||||
|
||||
def t_IDENTIFIER(t):
|
||||
- r'[a-zA-Z_\$\"][a-zA-Z0-9_\-\+\.\$\*\"~]*'
|
||||
+ r'[a-zA-Z_\$][a-zA-Z0-9_\-\+\.\$\*~]*'
|
||||
# Handle any keywords
|
||||
t.type = reserved.get(t.value,'IDENTIFIER')
|
||||
return t
|
||||
|
||||
+def t_FILENAME(t):
|
||||
+ r'\"[a-zA-Z0-9_\-\+\.\$\*~ :]+\"'
|
||||
+ # Handle any keywords
|
||||
+ t.type = reserved.get(t.value,'FILENAME')
|
||||
+ return t
|
||||
+
|
||||
def t_comment(t):
|
||||
r'\#.*\n'
|
||||
# Ignore all comments
|
||||
@@ -450,6 +457,7 @@ def p_interface_call_param(p):
|
||||
| nested_id_set
|
||||
| TRUE
|
||||
| FALSE
|
||||
+ | FILENAME
|
||||
'''
|
||||
# Intentionally let single identifiers pass through
|
||||
# List means set, non-list identifier
|
||||
@@ -461,6 +469,7 @@ def p_interface_call_param(p):
|
||||
def p_interface_call_param_list(p):
|
||||
'''interface_call_param_list : interface_call_param
|
||||
| interface_call_param_list COMMA interface_call_param
|
||||
+ | interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list
|
||||
'''
|
||||
if len(p) == 2:
|
||||
p[0] = [p[1]]
|
||||
@@ -787,6 +796,7 @@ def p_avrule_def(p):
|
||||
|
||||
def p_typerule_def(p):
|
||||
'''typerule_def : TYPE_TRANSITION names names COLON names IDENTIFIER SEMI
|
||||
+ | TYPE_TRANSITION names names COLON names IDENTIFIER FILENAME SEMI
|
||||
| TYPE_TRANSITION names names COLON names IDENTIFIER IDENTIFIER SEMI
|
||||
| TYPE_CHANGE names names COLON names IDENTIFIER SEMI
|
||||
| TYPE_MEMBER names names COLON names IDENTIFIER SEMI
|
||||
@@ -800,6 +810,7 @@ def p_typerule_def(p):
|
||||
t.tgt_types = p[3]
|
||||
t.obj_classes = p[5]
|
||||
t.dest_type = p[6]
|
||||
+ t.file_name = p[7]
|
||||
p[0] = t
|
||||
|
||||
def p_bool(p):
|
||||
|
|
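Review bot: In the policygen.py hunk the rewritten constraint loop drops the leading `\n` that the replaced line carried, so each `#\tPossible cause ...` string is appended directly to the preceding text; unless `av.data[0]` ends in a newline the first `#` lands mid-line and successive reasons run together, which matters because this text is emitted verbatim as a policy comment. I would write `rule.comment += "\n#\tPossible cause is the source %s and target %s are different." % reason`. In the refparser.py hunk around line 810, `t.file_name = p[7]` runs for every typerule_def alternative, and for the seven-symbol productions (`... IDENTIFIER SEMI`) p[7] is the SEMI token, so file_name becomes `;` unless a length check outside the hunk guards it; `t.file_name = p[7] if len(p) == 9 else None` keeps the attribute meaningful. The added `interface_call_param_list COMMA interface_call_param COMMA interface_call_param_list` alternative derives nothing the existing left-recursive alternative does not already cover and will likely surface as parser conflicts. The enclosing functions start and end outside these hunks.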