[policycoreutils/f13/master] - Fix sandbox handling of files with spaces in them

Daniel J Walsh dwalsh at fedoraproject.org
Mon Oct 18 20:50:37 UTC 2010


commit d14afb9d6ac87d9558c20ae4a8099bc8f58e39e8
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Mon Oct 18 16:50:33 2010 -0400

    - Fix sandbox handling of files with spaces in them

 policycoreutils-rhat.patch |  190 +++++++++++++++++++++++++++++++++++++++-----
 policycoreutils.spec       |   11 +++-
 2 files changed, 180 insertions(+), 21 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 5425007..895dd24 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -121,7 +121,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
      app = AuditToPolicy()
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/audit2allow.1 policycoreutils-2.0.83/audit2allow/audit2allow.1
 --- nsapolicycoreutils/audit2allow/audit2allow.1	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/audit2allow/audit2allow.1	2010-07-30 13:50:40.000000000 -0400
++++ policycoreutils-2.0.83/audit2allow/audit2allow.1	2010-09-17 15:14:35.000000000 -0400
 @@ -66,6 +66,9 @@
  .B "\-M <modulename>" 
  Generate loadable module package, conflicts with -o
@@ -132,6 +132,81 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  .B "\-o <outputfile>"  | "\-\-output <outputfile>"
  append output to 
  .I <outputfile>
+@@ -117,14 +120,6 @@
+ .B Please substitute /var/log/messages for /var/log/audit/audit.log in the 
+ .B examples.
+ .PP
+-.B Using audit2allow to generate monolithic (non-module) policy
+-$ cd /etc/selinux/$SELINUXTYPE/src/policy
+-$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
+-$ cat domains/misc/local.te
+-allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
+-<review domains/misc/local.te and customize as desired>
+-$ make load
+-
+ .B Using audit2allow to generate module policy
+ 
+ $ cat /var/log/audit/audit.log | audit2allow -m local > local.te
+@@ -132,20 +127,38 @@
+ module local 1.0;
+ 
+ require {
+-        role system_r;
++        class file {  getattr open read };
+ 
+ 
+-        class fifo_file {  getattr ioctl };
++        type myapp_t;
++        type etc_t;
++ };
+ 
+ 
+-        type cupsd_config_t;
+-        type unconfined_t;
+- };
++allow myapp_t etc_t:file { getattr open read };
++<review local.te and customize as desired>
+ 
++.B Using audit2allow to generate module policy using reference policy
+ 
+-allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
++$ cat /var/log/audit/audit.log | audit2allow -R -m local > local.te
++$ cat local.te
++policy_module(local, 1.0)
++
++gen_require(`
++        type myapp_t;
++        type etc_t;
++ };
++
++files_read_etc_files(myapp_t)
+ <review local.te and customize as desired>
+ 
++.B Building module policy using Makefile
++
++# SELinux provides a policy devel environment under /usr/share/selinux/devel
++# You can create a te file and compile it by executing 
++$ make -f /usr/share/selinux/devel/Makefile
++$ semodule -i local.pp
++
+ .B Building module policy manually
+ 
+ # Compile the module
+@@ -168,6 +181,14 @@
+ 
+ semodule -i local.pp
+ 
++.B Using audit2allow to generate monolithic (non-module) policy
++$ cd /etc/selinux/$SELINUXTYPE/src/policy
++$ cat /var/log/audit/audit.log | audit2allow >> domains/misc/local.te
++$ cat domains/misc/local.te
++allow cupsd_config_t unconfined_t:fifo_file { getattr ioctl };
++<review domains/misc/local.te and customize as desired>
++$ make load
++
+ .fi
+ .PP
+ .SH AUTHOR
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/audit2allow/sepolgen-ifgen policycoreutils-2.0.83/audit2allow/sepolgen-ifgen
 --- nsapolicycoreutils/audit2allow/sepolgen-ifgen	2010-05-19 14:45:51.000000000 -0400
 +++ policycoreutils-2.0.83/audit2allow/sepolgen-ifgen	2010-07-30 13:50:40.000000000 -0400
@@ -1647,7 +1722,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  	@python test_sandbox.py -v
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.83/sandbox/sandbox
 --- nsapolicycoreutils/sandbox/sandbox	2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/sandbox	2010-09-13 11:40:20.000000000 -0400
++++ policycoreutils-2.0.83/sandbox/sandbox	2010-10-18 14:14:54.000000000 -0400
 @@ -1,5 +1,6 @@
 -#! /usr/bin/python -E
 +#! /usr/bin/python -Es
@@ -1747,7 +1822,25 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  
      def __validdir(self, option, opt, value, parser):
             if not os.path.isdir(value):
-@@ -218,7 +232,7 @@
+@@ -194,6 +208,8 @@
+                          self.__include(option, opt, i[:-1], parser)
+                   except IOError, e:
+                          sys.stderr.write(str(e))
++                  except TypeError, e:
++                         sys.stderr.write(str(e))
+            fd.close()
+ 
+     def __copyfiles(self):
+@@ -212,13 +228,15 @@
+ /etc/gdm/Xsession
+ """)
+            else:
+-                  command = " ".join(self.__paths)
++                  command = self.__paths[0] + " "
++                  for p in self.__paths[1:]:
++                         command += "'%s' " % p
+                   fd.write("""#! /bin/sh
+ #TITLE: %s
  /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
  %s &
  WM_PID=$!
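Review bot: The new quoting in `__copyfiles` (`command += "'%s' " % p`) wraps each path in single quotes but does not escape a single quote inside the path, so a file name containing `'` still breaks out of the quoting in the generated `#! /bin/sh` script and the remainder of the name is interpreted by the shell — the same class of "odd file name" this change is meant to handle. This file is Python 2 (`except IOError, e:` a few lines up), so `pipes.quote` is available and covers the full set of shell metacharacters: `import pipes` at the top and `command = " ".join(pipes.quote(p) for p in self.__paths)`, or keep `self.__paths[0]` unquoted if the command is intended to carry its own arguments. The exposure is presumably limited to the invoking user's own sandbox, since the paths come from that user, but a wrapper script should not be shell-injectable by the names of the files it was given. `__copyfiles` starts and ends outside the hunk.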
@@ -1756,7 +1849,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  kill -TERM $WM_PID  2> /dev/null
  """ % (command, wm, command))
             fd.close()
-@@ -230,9 +244,9 @@
+@@ -230,9 +248,9 @@
      def __parse_options(self):
          from optparse import OptionParser
          usage = _("""
@@ -1768,7 +1861,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  """)
          
          parser = OptionParser(version=self.VERSION, usage=usage)
-@@ -268,6 +282,10 @@
+@@ -268,6 +286,10 @@
                            action="callback", callback=self.__validdir,
                            help=_("alternate /tmp directory to use for mounting"))
  
@@ -1779,7 +1872,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
          parser.add_option("-W", "--windowmanager", dest="wm",  
                            type="string",
                            default="/usr/bin/matchbox-window-manager -use_titlebar no",
-@@ -276,13 +294,17 @@
+@@ -276,13 +298,17 @@
          parser.add_option("-l", "--level", dest="level", 
                            help=_("MCS/MLS level for the sandbox"))
  
@@ -1798,7 +1891,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
          if self.__options.setype:
                 self.setype = self.__options.setype
  
-@@ -299,6 +321,9 @@
+@@ -299,6 +325,9 @@
                 self.__options.X_ind = True
                 self.__homedir = self.__options.homedir
                 self.__tmpdir = self.__options.tmpdir
@@ -1808,7 +1901,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
          else:
                 if len(cmds) == 0:
                        self.usage(_("Command required"))
-@@ -351,22 +376,24 @@
+@@ -351,22 +380,24 @@
  
      def __execute(self):
             try:
@@ -2065,7 +2158,7 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +.I Thomas Liu <tliu at fedoraproject.org>
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.83/sandbox/seunshare.c
 --- nsapolicycoreutils/sandbox/seunshare.c	2010-06-16 08:03:38.000000000 -0400
-+++ policycoreutils-2.0.83/sandbox/seunshare.c	2010-08-24 22:49:42.000000000 -0400
++++ policycoreutils-2.0.83/sandbox/seunshare.c	2010-10-15 17:36:29.000000000 -0400
 @@ -1,13 +1,21 @@
 +/*
 + * Authors: Dan Walsh <dwalsh at redhat.com>
@@ -2655,6 +2748,31 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  	install -m 644 chcat.8 $(MANDIR)/man8/
  
  clean:
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/severify.py policycoreutils-2.0.83/scripts/severify.py
+--- nsapolicycoreutils/scripts/severify.py	1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.83/scripts/severify.py	2010-10-13 14:14:23.000000000 -0400
+@@ -0,0 +1,21 @@
++#! /usr/bin/python -Es
++import seobject
++import selinux
++import setools
++import sys
++#store = selinux.selinux_getpolicytype()[1]
++#mod=seobject.moduleRecords(store = store, reload=False)
++#mod.disable("zebra")
++fd = open(sys.argv[1], "r")
++lines = fd.readlines()
++#fd.close()
++#for i in lines:
++#    j = i.split()
++#    if len(j) == 0 or ( j[0] != "allow" and j[0] != "dontaudit"):
++#        continue
++#    allow = j[0]
++#    print j[1]
++#sys.exit()
++#setools.sesearch([ setools.ALLOW ], { setools.SCONTEXT:"rwho_t", setools.TCONTEXT:"rwho_spool_t" } )
++#mod.enable("zebra")
++
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/default_encoding/default_encoding.c policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c
 --- nsapolicycoreutils/semanage/default_encoding/default_encoding.c	1969-12-31 19:00:00.000000000 -0500
 +++ policycoreutils-2.0.83/semanage/default_encoding/default_encoding.c	2010-07-30 13:50:40.000000000 -0400
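Review bot: The new `scripts/severify.py` reads as a debugging scratch file rather than something to ship: all but five lines are commented out, it opens `sys.argv[1]` with no argument check (an IndexError on a bare invocation), the lines it reads are never used, and the `fd.close()` is itself commented out. If the Makefile does not install it (the install rule visible in the context above only covers `chcat.8`, so this is inferred), I would drop it from the patch entirely. If it is meant to stay, at minimum guard the argument, `if len(sys.argv) < 2: sys.exit("usage: severify.py <file>")`, and read with `with open(sys.argv[1]) as fd:` so the descriptor is closed. The hunk is the whole new file.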
@@ -3208,8 +3326,8 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +		errorExit(error.args[1])
 diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage.8 policycoreutils-2.0.83/semanage/semanage.8
 --- nsapolicycoreutils/semanage/semanage.8	2010-05-19 14:45:51.000000000 -0400
-+++ policycoreutils-2.0.83/semanage/semanage.8	2010-07-30 13:50:40.000000000 -0400
-@@ -1,29 +1,65 @@
++++ policycoreutils-2.0.83/semanage/semanage.8	2010-09-23 16:46:29.000000000 -0400
+@@ -1,29 +1,69 @@
 -.TH "semanage" "8" "2005111103" "" ""
 +.TH "semanage" "8" "20100223" "" ""
  .SH "NAME"
@@ -3223,12 +3341,14 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +.B semanage [ -S store ] -o [ output_file | - ]
 +
 +Input local customizations
-+.br
+ .br
+-.B semanage login \-{a|d|m} [\-sr] login_name | %groupname
 +.B semanage [ -S store ] -i [ input_file | - ]
 +
 +Manage booleans.  Booleans allow the administrator to modify the confinement of 
 +processes based on his configuration.
-+.br
+ .br
+-.B semanage user \-{a|d|m} [\-LrRP] selinux_name
 +.B semanage boolean [\-S store] \-{d|m|l|n|D} \-[\-on|\-off|\1|0] -F boolean | boolean_file
 +
 +Manage SELinux confined users (Roles and levels for an SELinux user)
@@ -3239,6 +3359,10 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +.br
 +.B semanage login [\-S store] \-{a|d|m|l|n|D} [\-sr] login_name | %groupname
 +
++Manage policy modules.
++.br
++.B semanage module [\-S store] \-{a|d|l} [-m [--enable | --disable] ] module_name
++
 +Manage network port type definitions
 +.br
 +.B semanage port [\-S store] \-{a|d|m|l|n|D} [\-tr] [\-p proto] port | port_range
@@ -3249,11 +3373,9 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
 +.B semanage interface [\-S store] \-{a|d|m|l|n|D} [\-tr] interface_spec
 +
 +Manage network node type definitions
- .br
--.B semanage login \-{a|d|m} [\-sr] login_name | %groupname
++.br
 +.B semanage node [\-S store] -{a|d|m|l|n|D} [-tr] [ -p protocol ] [-M netmask] address
- .br
--.B semanage user \-{a|d|m} [\-LrRP] selinux_name
++.br
 +
 +Manage file context mapping definitions
  .br
@@ -3286,10 +3408,20 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  .SH "DESCRIPTION"
  semanage is used to configure certain elements of
  SELinux policy without requiring modification to or recompilation
-@@ -52,6 +88,12 @@
+@@ -52,6 +92,22 @@
  .I                \-D, \-\-deleteall
  Remove all OBJECTS local customizations
  .TP
++.I                \-\-disable
++Disable a policy module, requires -m option
++
++Currently modules only.
++.TP
++.I                \-\-enable
++Enable a disabled policy module, requires -m option
++
++Currently modules only.
++.TP
 +.I                \-e, \-\-equal
 +Substitute target path with sourcepath when generating default label.  This is used with
 +fcontext. Requires source and target path arguments.  The context
@@ -3299,12 +3431,30 @@ diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po
  .I                \-f, \-\-ftype
  File Type.   This is used with fcontext.
  Requires a file type as shown in the mode field by ls, e.g. use -d to match only directories or -- to match only regular files.
-@@ -99,26 +141,67 @@
+@@ -60,6 +116,7 @@
+ Set multiple records from the input file.  When used with the \-l \-\-list, it will output the current settings to stdout in the proper format.
+ 
+ Currently booleans only.
++
+ .TP
+ .I                \-h, \-\-help       
+ display this message
+@@ -76,6 +133,9 @@
+ .I                \-m, \-\-modify     
+ Modify a OBJECT record NAME
+ .TP
++.I                \-M, \-\-mask
++Network Mask
++.TP
+ .I                \-n, \-\-noheading  
+ Do not print heading when listing OBJECTS.
+ .TP
+@@ -99,26 +159,67 @@
  .TP
  .I                \-t, \-\-type       
  SELinux Type for the object
 +.TP
-+.I                \-i
++.I                \-i, \-\-input
 +Take a set of commands from a specified file and load them in a single
 +transaction.
  
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 0eb18ef..5e55584 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.83
-Release: 28%{?dist}
+Release: 31%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 Source:  http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -315,6 +315,15 @@ fi
 exit 0
 
 %changelog
+* Mon Oct 18 2010 Dan Walsh <dwalsh at redhat.com> 2.0.83-31
+- Fix sandbox handling of files with spaces in them
+
+* Mon Sep 27 2010 Dan Walsh <dwalsh at redhat.com> 2.0.83-30
+- Catch TypeError exception on sandbox processing -I files
+
+* Thu Sep 23 2010 Dan Walsh <dwalsh at redhat.com> 2.0.83-29
+- Fix semanage man page
+
 * Mon Sep 13 2010 Dan Walsh <dwalsh at redhat.com> 2.0.83-28
 - Add seremote, to allow the execution of command inside the sandbox from outside the sandbox.
 

