diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.62/scripts/fixfiles --- nsapolicycoreutils/scripts/fixfiles 2009-05-22 14:10:01.000000000 -0400 +++ policycoreutils-2.0.62/scripts/fixfiles 2009-06-01 06:37:19.000000000 -0400 @@ -129,7 +129,7 @@ if [ ! -z "$FILEPATH" ]; then if [ -x /usr/bin/find ]; then /usr/bin/find "$FILEPATH" \ - ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o fstype btrfs \) -prune -o -print0 | \ + ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o -print0 | \ ${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE else ${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.62/scripts/Makefile --- nsapolicycoreutils/scripts/Makefile 2009-02-18 16:45:01.000000000 -0500 +++ policycoreutils-2.0.62/scripts/Makefile 2009-05-22 14:11:06.000000000 -0400 @@ -5,11 +5,12 @@ MANDIR ?= $(PREFIX)/share/man LOCALEDIR ?= /usr/share/locale -all: fixfiles genhomedircon +all: fixfiles genhomedircon sandbox chcat install: all -mkdir -p $(BINDIR) install -m 755 chcat $(BINDIR) + install -m 755 sandbox $(BINDIR) install -m 755 fixfiles $(DESTDIR)/sbin install -m 755 genhomedircon $(SBINDIR) -mkdir -p $(MANDIR)/man8 diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.62/scripts/sandbox --- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500 +++ policycoreutils-2.0.62/scripts/sandbox 2009-06-01 06:31:39.000000000 -0400 
@@ -0,0 +1,139 @@
+#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl
+import selinux
+
+PROGNAME = "policycoreutils"
+
+import gettext
+gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+gettext.textdomain(PROGNAME)
+
+try:
+ gettext.install(PROGNAME,
+ localedir = "/usr/share/locale",
+ unicode=False,
+ codeset = 'utf-8')
+except IOError:
+ import __builtin__
+ __builtin__.__dict__['_'] = unicode
+
+
+random.seed(None)
+
+def error_exit(msg):
+ sys.stderr.write("%s: " % sys.argv[0])
+ sys.stderr.write("%s\n" % msg)
+ sys.stderr.flush()
+ sys.exit(1)
+
+def mount(context):
+ if os.getuid() != 0:
+ usage(_("Mount options require root privileges"))
+ destdir = "/mnt/%s" % context
+ os.mkdir(destdir)
+ rc = os.system('/bin/mount -t tmpfs tmpfs %s' % (destdir))
+ selinux.setfilecon(destdir, context)
+ if rc != 0:
+ sys.exit(rc)
+ os.chdir(destdir)
+
+def umount(dest):
+ os.chdir("/")
+ destdir = "/mnt/%s" % dest
+ os.system('/bin/umount %s' % (destdir))
+ os.rmdir(destdir)
+
+
+def reserve(mcs):
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ sock.bind("\0%s" % mcs)
+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
+
+def gen_context(setype):
+ while True:
+ i1 = random.randrange(0, 1024)
+ i2 = random.randrange(0, 1024)
+ if i1 == i2:
+ continue
+ if i1 > i2:
+ tmp = i1
+ i1 = i2
+ i2 = tmp
+ mcs = "s0:c%d,c%d" % (i1, i2)
+ reserve(mcs)
+ try:
+ reserve(mcs)
+ except:
+ continue
+ break
+ con = selinux.getcon()[1].split(":")
+
+ execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, mcs)
+
+ filecon = "%s:%s:%s:%s" % (con[0],
+ "object_r",
+ "%s_file_t" % setype[:-2],
+ mcs)
+ return execcon, filecon
+
+
+if __name__ == '__main__':
+ if selinux.is_selinux_enabled() != 1:
+ error_exit("Requires an SELinux enabled system")
+
+ def usage(message = ""):
+ text = _("""
+sandbox [ -m ] [ -t type ] command
+""")
+ error_exit("%s\n%s" % (message, text))
+
+ setype = "sandbox_t"
+ mount_ind = False
+ try:
+ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m",
+ ["help",
+ "type=",
+ "mount"])
+ for o, a in gopts:
+ if o == "-t" or o == "--type":
+ setype = a
+
+ if o == "-m" or o == "--mount":
+ mount_ind = True
+
+ if o == "-h" or o == "--help":
+ usage(_("Usage"));
+
+ if len(cmds) == 0:
+ usage(_("Command required"))
+
+ execcon, filecon = gen_context(setype)
+ rc = -1
+ if mount_ind:
+ mount(filecon)
+
+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
+ for i in os.environ["PATH"].split(':'):
+ f = "%s/%s" % (i, cmds[0])
+ if os.access(f, os.X_OK):
+ cmds[0] = f
+ break
+
+ selinux.setexeccon(execcon)
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+ selinux.setexeccon(None)
+
+ if mount_ind:
+ umount(filecon)
+ except getopt.GetoptError, error:
+ usage(_("Options Error %s ") % error.msg)
+ except ValueError, error:
+ error_exit(error.args[0])
+ except KeyError, error:
+ error_exit(_("Invalid value %s") % error.args[0])
+ except IOError, error:
+ error_exit(error.args[1])
+ except OSError, error:
+ error_exit(error.args[1])
+
+ sys.exit(rc)
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.62/scripts/sandbox.8
--- nsapolicycoreutils/scripts/sandbox.8 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/scripts/sandbox.8 2009-05-22 14:11:10.000000000 -0400
@@ -0,0 +1,22 @@
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
+.SH NAME
+sandbox \- Run cmd under an SELinux sandbox
+.SH SYNOPSIS
+.B sandbox
+[ -M ] [ -t type ] cmd
+.br
+.SH DESCRIPTION
+.PP
+Run application within a tightly confined SELinux domain, This application can only read and write stdin and stdout along with files handled to it by the shell.
+.PP
+.TP
+\fB\-m\fR
+Mount a temporary file system and change working directory to it, files will be removed when job completes.
+.TP
+\fB\-t type\fR
+Use alternate sandbox type, defaults to sandbox_t
+.TP
+.SH "SEE ALSO"
+.TP
+runcon(1)
+.PP
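Review bot: The MCS reservation made in `gen_context` in scripts/sandbox does not hold, because `reserve()` binds the abstract socket to a local that is dropped on return, so the name is presumably released as soon as the function exits and two concurrent sandboxes can be handed the same category pair. The unguarded `reserve(mcs)` just before the `try:` also lets a bind failure escape the retry loop, and if the socket were kept, the second call would always fail. The fix sketched below keeps the socket referenced for the life of the process, calls `reserve` once inside the `try`, and catches `socket.error` instead of using a bare `except:`. Separately, `mount()` and `umount()` pass a path that embeds the `-t` value to `os.system` while running as root; an argument-list call such as `os.spawnv` would keep that value out of the shell if sandbox is ever run through a wrapper. The return value of `selinux.setexeccon(execcon)` is also unchecked, so if the binding signals failure by return code rather than an exception, the command would run in the caller's domain.

```python
_reserved = []  # sockets kept open so each reserved name lasts as long as this process

def reserve(mcs):
    # … unchanged: socket(), bind("\0%s" % mcs), F_SETFD/FD_CLOEXEC …
    _reserved.append(sock)

def gen_context(setype):
    while True:
        # … unchanged: pick i1, i2 and order them …
        mcs = "s0:c%d,c%d" % (i1, i2)
        try:
            reserve(mcs)
        except socket.error:
            # name already bound by another sandbox: pick a new pair
            continue
        break
    # … unchanged: build execcon and filecon …
```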