531062f702
- Fix tight loop in restorecond patch from Martin Orr
240 lines
8.1 KiB
Diff
240 lines
8.1 KiB
Diff
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/restorecond/restorecond.c policycoreutils-2.0.62/restorecond/restorecond.c
|
|
--- nsapolicycoreutils/restorecond/restorecond.c 2009-02-18 13:45:01.000000000 -0800
|
|
+++ policycoreutils-2.0.62/restorecond/restorecond.c 2009-09-24 20:03:16.000000000 -0700
|
|
@@ -315,21 +315,24 @@
|
|
printf("wd=%d mask=%u cookie=%u len=%u\n",
|
|
event->wd, event->mask,
|
|
event->cookie, event->len);
|
|
- if (event->wd == master_wd)
|
|
- read_config(fd);
|
|
- else {
|
|
- switch (utmpwatcher_handle(fd, event->wd)) {
|
|
- case -1: /* Message was not for utmpwatcher */
|
|
- if (event->len)
|
|
- watch_list_find(event->wd, event->name);
|
|
- break;
|
|
|
|
- case 1: /* utmp has changed need to reload */
|
|
+ if (event->mask & ~IN_IGNORED) {
|
|
+ if (event->wd == master_wd)
|
|
read_config(fd);
|
|
- break;
|
|
-
|
|
- default: /* No users logged in or out */
|
|
- break;
|
|
+ else {
|
|
+ switch (utmpwatcher_handle(fd, event->wd)) {
|
|
+ case -1: /* Message was not for utmpwatcher */
|
|
+ if (event->len)
|
|
+ watch_list_find(event->wd, event->name);
|
|
+ break;
|
|
+
|
|
+ case 1: /* utmp has changed need to reload */
|
|
+ read_config(fd);
|
|
+ break;
|
|
+
|
|
+ default: /* No users logged in or out */
|
|
+ break;
|
|
+ }
|
|
}
|
|
}
|
|
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/fixfiles policycoreutils-2.0.62/scripts/fixfiles
|
|
--- nsapolicycoreutils/scripts/fixfiles 2009-05-22 11:10:01.000000000 -0700
|
|
+++ policycoreutils-2.0.62/scripts/fixfiles 2009-07-14 09:08:10.000000000 -0700
|
|
@@ -129,7 +129,7 @@
|
|
if [ ! -z "$FILEPATH" ]; then
|
|
if [ -x /usr/bin/find ]; then
|
|
/usr/bin/find "$FILEPATH" \
|
|
- ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o fstype btrfs \) -prune -o -print0 | \
|
|
+ ! \( -fstype ext2 -o -fstype ext3 -o -fstype ext4 -o -fstype ext4dev -o -fstype gfs2 -o -fstype jfs -o -fstype xfs -o -fstype btrfs \) -prune -o -print0 | \
|
|
${RESTORECON} ${OUTFILES} ${FORCEFLAG} $* -0 -f - 2>&1 >> $LOGFILE
|
|
else
|
|
${RESTORECON} ${OUTFILES} ${FORCEFLAG} -R $* $FILEPATH 2>&1 >> $LOGFILE
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.62/scripts/Makefile
|
|
--- nsapolicycoreutils/scripts/Makefile 2009-02-18 13:45:01.000000000 -0800
|
|
+++ policycoreutils-2.0.62/scripts/Makefile 2009-07-14 09:08:10.000000000 -0700
|
|
@@ -5,11 +5,12 @@
|
|
MANDIR ?= $(PREFIX)/share/man
|
|
LOCALEDIR ?= /usr/share/locale
|
|
|
|
-all: fixfiles genhomedircon
|
|
+all: fixfiles genhomedircon sandbox chcat
|
|
|
|
install: all
|
|
-mkdir -p $(BINDIR)
|
|
install -m 755 chcat $(BINDIR)
|
|
+ install -m 755 sandbox $(BINDIR)
|
|
install -m 755 fixfiles $(DESTDIR)/sbin
|
|
install -m 755 genhomedircon $(SBINDIR)
|
|
-mkdir -p $(MANDIR)/man8
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.62/scripts/sandbox
|
|
--- nsapolicycoreutils/scripts/sandbox 1969-12-31 16:00:00.000000000 -0800
|
|
+++ policycoreutils-2.0.62/scripts/sandbox 2009-07-14 09:08:10.000000000 -0700
|
|
@@ -0,0 +1,139 @@
|
|
+#!/usr/bin/python -E
|
|
+import os, sys, getopt, socket, random, fcntl
|
|
+import selinux
|
|
+
|
|
+PROGNAME = "policycoreutils"
|
|
+
|
|
+import gettext
|
|
+gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
|
|
+gettext.textdomain(PROGNAME)
|
|
+
|
|
+try:
|
|
+ gettext.install(PROGNAME,
|
|
+ localedir = "/usr/share/locale",
|
|
+ unicode=False,
|
|
+ codeset = 'utf-8')
|
|
+except IOError:
|
|
+ import __builtin__
|
|
+ __builtin__.__dict__['_'] = unicode
|
|
+
|
|
+
|
|
+random.seed(None)
|
|
+
|
|
+def error_exit(msg):
|
|
+ sys.stderr.write("%s: " % sys.argv[0])
|
|
+ sys.stderr.write("%s\n" % msg)
|
|
+ sys.stderr.flush()
|
|
+ sys.exit(1)
|
|
+
|
|
+def mount(context):
|
|
+ if os.getuid() != 0:
|
|
+ usage(_("Mount options require root privileges"))
|
|
+ destdir = "/mnt/%s" % context
|
|
+ os.mkdir(destdir)
|
|
+ rc = os.system('/bin/mount -t tmpfs tmpfs %s' % (destdir))
|
|
+ selinux.setfilecon(destdir, context)
|
|
+ if rc != 0:
|
|
+ sys.exit(rc)
|
|
+ os.chdir(destdir)
|
|
+
|
|
+def umount(dest):
|
|
+ os.chdir("/")
|
|
+ destdir = "/mnt/%s" % dest
|
|
+ os.system('/bin/umount %s' % (destdir))
|
|
+ os.rmdir(destdir)
|
|
+
|
|
+
|
|
+def reserve(mcs):
|
|
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
|
|
+ sock.bind("\0%s" % mcs)
|
|
+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
|
|
+
|
|
+def gen_context(setype):
|
|
+ while True:
|
|
+ i1 = random.randrange(0, 1024)
|
|
+ i2 = random.randrange(0, 1024)
|
|
+ if i1 == i2:
|
|
+ continue
|
|
+ if i1 > i2:
|
|
+ tmp = i1
|
|
+ i1 = i2
|
|
+ i2 = tmp
|
|
+ mcs = "s0:c%d,c%d" % (i1, i2)
|
|
+ reserve(mcs)
|
|
+ try:
|
|
+ reserve(mcs)
|
|
+ except:
|
|
+ continue
|
|
+ break
|
|
+ con = selinux.getcon()[1].split(":")
|
|
+
|
|
+ execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, mcs)
|
|
+
|
|
+ filecon = "%s:%s:%s:%s" % (con[0],
|
|
+ "object_r",
|
|
+ "%s_file_t" % setype[:-2],
|
|
+ mcs)
|
|
+ return execcon, filecon
|
|
+
|
|
+
|
|
+if __name__ == '__main__':
|
|
+ if selinux.is_selinux_enabled() != 1:
|
|
+ error_exit("Requires an SELinux enabled system")
|
|
+
|
|
+ def usage(message = ""):
|
|
+ text = _("""
|
|
+sandbox [ -m ] [ -t type ] command
|
|
+""")
|
|
+ error_exit("%s\n%s" % (message, text))
|
|
+
|
|
+ setype = "sandbox_t"
|
|
+ mount_ind = False
|
|
+ try:
|
|
+ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m",
|
|
+ ["help",
|
|
+ "type=",
|
|
+ "mount"])
|
|
+ for o, a in gopts:
|
|
+ if o == "-t" or o == "--type":
|
|
+ setype = a
|
|
+
|
|
+ if o == "-m" or o == "--mount":
|
|
+ mount_ind = True
|
|
+
|
|
+ if o == "-h" or o == "--help":
|
|
+ usage(_("Usage"));
|
|
+
|
|
+ if len(cmds) == 0:
|
|
+ usage(_("Command required"))
|
|
+
|
|
+ execcon, filecon = gen_context(setype)
|
|
+ rc = -1
|
|
+ if mount_ind:
|
|
+ mount(filecon)
|
|
+
|
|
+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
|
|
+ for i in os.environ["PATH"].split(':'):
|
|
+ f = "%s/%s" % (i, cmds[0])
|
|
+ if os.access(f, os.X_OK):
|
|
+ cmds[0] = f
|
|
+ break
|
|
+
|
|
+ selinux.setexeccon(execcon)
|
|
+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
|
|
+ selinux.setexeccon(None)
|
|
+
|
|
+ if mount_ind:
|
|
+ umount(filecon)
|
|
+ except getopt.GetoptError, error:
|
|
+ usage(_("Options Error %s ") % error.msg)
|
|
+ except ValueError, error:
|
|
+ error_exit(error.args[0])
|
|
+ except KeyError, error:
|
|
+ error_exit(_("Invalid value %s") % error.args[0])
|
|
+ except IOError, error:
|
|
+ error_exit(error.args[1])
|
|
+ except OSError, error:
|
|
+ error_exit(error.args[1])
|
|
+
|
|
+ sys.exit(rc)
|
|
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.62/scripts/sandbox.8
|
|
--- nsapolicycoreutils/scripts/sandbox.8 1969-12-31 16:00:00.000000000 -0800
|
|
+++ policycoreutils-2.0.62/scripts/sandbox.8 2009-07-14 09:08:10.000000000 -0700
|
|
@@ -0,0 +1,22 @@
|
|
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
|
|
+.SH NAME
|
|
+sandbox \- Run cmd under an SELinux sandbox
|
|
+.SH SYNOPSIS
|
|
+.B sandbox
|
|
+[ -M ] [ -t type ] cmd
|
|
+.br
|
|
+.SH DESCRIPTION
|
|
+.PP
|
|
+Run application within a tightly confined SELinux domain, This application can only read and write stdin and stdout along with files handled to it by the shell.
|
|
+.PP
|
|
+.TP
|
|
+\fB\-m\fR
|
|
+Mount a temporary file system and change working directory to it, files will be removed when job completes.
|
|
+.TP
|
|
+\fB\-t type\fR
|
|
+Use alternate sandbox type, defaults to sandbox_t
|
|
+.TP
|
|
+.SH "SEE ALSO"
|
|
+.TP
|
|
+runcon(1)
|
|
+.PP
|