[policycoreutils/f15/master] change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_* This will allow default sandbo
Daniel J Walsh
dwalsh at fedoraproject.org
Mon Mar 14 20:40:54 UTC 2011
commit 9f8f4e973fe5b4bdfb0dfc7439bc27d5f2c0a811
Author: Dan Walsh <dwalsh at redhat.com>
Date: Mon Mar 14 16:23:10 2011 -0400
change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
This will allow default sandboxes to work on NFS homedirs without allowing
access to homedir data
policycoreutils-rhat.patch | 56 +++++++++++++++++++++++++++++++------------
policycoreutils.spec | 7 ++++-
2 files changed, 46 insertions(+), 17 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 95603e6..7ba2583 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -1639,7 +1639,7 @@ index ff0ee7c..0c8a085 100644
test:
@python test_sandbox.py -v
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
-index 48a26c2..d1037bd 100644
+index 48a26c2..b815af2 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -1,5 +1,6 @@
@@ -1650,7 +1650,7 @@ index 48a26c2..d1037bd 100644
# Authors: Josh Cogliati
#
# Copyright (C) 2009,2010 Red Hat
-@@ -19,15 +20,18 @@
+@@ -19,15 +20,17 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
@@ -1664,14 +1664,14 @@ index 48a26c2..d1037bd 100644
+import setools
PROGNAME = "policycoreutils"
- HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir
+-HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir
-
+SEUNSHARE = "/usr/sbin/seunshare"
+SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
-@@ -41,6 +45,7 @@ except IOError:
+@@ -41,6 +44,7 @@ except IOError:
import __builtin__
__builtin__.__dict__['_'] = unicode
@@ -1679,7 +1679,7 @@ index 48a26c2..d1037bd 100644
DEFAULT_TYPE = "sandbox_t"
DEFAULT_X_TYPE = "sandbox_x_t"
SAVE_FILES = {}
-@@ -63,15 +68,15 @@ def error_exit(msg):
+@@ -63,15 +67,15 @@ def error_exit(msg):
sys.stderr.flush()
sys.exit(1)
@@ -1699,7 +1699,7 @@ index 48a26c2..d1037bd 100644
if not os.path.exists(newdir):
os.makedirs(newdir)
dest = newdir + "/" + bname
-@@ -81,9 +86,10 @@ def copyfile(file, dir, dest):
+@@ -81,9 +85,10 @@ def copyfile(file, dir, dest):
shutil.copytree(file, dest)
else:
shutil.copy2(file, dest)
@@ -1712,7 +1712,7 @@ index 48a26c2..d1037bd 100644
SAVE_FILES[file] = (dest, os.path.getmtime(dest))
-@@ -161,10 +167,10 @@ class Sandbox:
+@@ -161,10 +166,10 @@ class Sandbox:
if not self.__options.homedir or not self.__options.tmpdir:
self.usage(_("Homedir and tempdir required for level mounts"))
@@ -1726,7 +1726,7 @@ index 48a26c2..d1037bd 100644
def __mount_callback(self, option, opt, value, parser):
self.__mount = True
-@@ -172,6 +178,15 @@ class Sandbox:
+@@ -172,6 +177,15 @@ class Sandbox:
def __x_callback(self, option, opt, value, parser):
self.__mount = True
setattr(parser.values, option.dest, True)
@@ -1742,7 +1742,7 @@ index 48a26c2..d1037bd 100644
def __validdir(self, option, opt, value, parser):
if not os.path.isdir(value):
-@@ -194,6 +209,8 @@ class Sandbox:
+@@ -194,6 +208,8 @@ class Sandbox:
self.__include(option, opt, i[:-1], parser)
except IOError, e:
sys.stderr.write(str(e))
@@ -1751,7 +1751,7 @@ index 48a26c2..d1037bd 100644
fd.close()
def __copyfiles(self):
-@@ -212,13 +229,15 @@ class Sandbox:
+@@ -212,13 +228,15 @@ class Sandbox:
/etc/gdm/Xsession
""")
else:
@@ -1769,7 +1769,7 @@ index 48a26c2..d1037bd 100644
kill -TERM $WM_PID 2> /dev/null
""" % (command, wm, command))
fd.close()
-@@ -226,14 +245,25 @@ kill -TERM $WM_PID 2> /dev/null
+@@ -226,14 +244,25 @@ kill -TERM $WM_PID 2> /dev/null
def usage(self, message = ""):
error_exit("%s\n%s" % (self.__parser.usage, message))
@@ -1799,7 +1799,7 @@ index 48a26c2..d1037bd 100644
parser = OptionParser(version=self.VERSION, usage=usage)
parser.disable_interspersed_args()
-@@ -268,6 +298,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -268,6 +297,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
action="callback", callback=self.__validdir,
help=_("alternate /tmp directory to use for mounting"))
@@ -1810,7 +1810,7 @@ index 48a26c2..d1037bd 100644
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
default="/usr/bin/matchbox-window-manager -use_titlebar no",
-@@ -276,13 +310,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -276,13 +309,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-l", "--level", dest="level",
help=_("MCS/MLS level for the sandbox"))
@@ -1829,7 +1829,7 @@ index 48a26c2..d1037bd 100644
if self.__options.setype:
self.setype = self.__options.setype
-@@ -299,6 +337,9 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -299,6 +336,9 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
self.__options.X_ind = True
self.__homedir = self.__options.homedir
self.__tmpdir = self.__options.tmpdir
@@ -1839,7 +1839,31 @@ index 48a26c2..d1037bd 100644
else:
if len(cmds) == 0:
self.usage(_("Command required"))
-@@ -351,22 +392,24 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -329,44 +369,43 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+ def __setup_dir(self):
+ if self.__options.level or self.__options.session:
+ return
+- sandboxdir = HOMEDIR + "/.sandbox"
+- if not os.path.exists(sandboxdir):
+- os.mkdir(sandboxdir)
+
+ if self.__options.homedir:
+ selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)
+ self.__homedir = self.__options.homedir
+ else:
+ selinux.setfscreatecon(self.__filecon)
+- self.__homedir = mkdtemp(dir=sandboxdir, prefix=".sandbox")
++ self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_")
+
+ if self.__options.tmpdir:
+ selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True)
+ self.__tmpdir = self.__options.tmpdir
+ else:
+ selinux.setfscreatecon(self.__filecon)
+- self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox")
++ self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_")
+ selinux.setfscreatecon(None)
+ self.__copyfiles()
def __execute(self):
try:
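Review bot: In `__setup_dir`, nothing between the first `selinux.setfscreatecon(self.__filecon)` and the closing `selinux.setfscreatecon(None)` is protected against failure. If the second `mkdtemp(dir="/tmp", prefix=".sandbox_tmp_")` or a `chcon` raises, the already-created `/tmp/.sandbox_home_*` directory, labelled `self.__filecon`, is left behind and the fscreate context is never reset. Now that the default home lives in shared `/tmp` rather than under the user's own `~/.sandbox`, I would wrap the creation in `try:` … `finally: selinux.setfscreatecon(None)` and remove `self.__homedir` on the failure path. Leading whitespace is flattened in this archive, so the nesting of the reset call is inferred, and any cleanup done in `__execute` lies outside this hunk. A short comment such as `# set fscreatecon before mkdtemp so the directory is created already labelled` would also record why the call order matters.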
@@ -1879,7 +1903,7 @@ index 48a26c2..d1037bd 100644
selinux.setexeccon(self.__execcon)
rc = subprocess.Popen(self.__cmds).wait()
-@@ -404,7 +447,7 @@ if __name__ == '__main__':
+@@ -404,7 +443,7 @@ if __name__ == '__main__':
sandbox = Sandbox()
rc = sandbox.main()
except OSError, error:
diff --git a/policycoreutils.spec b/policycoreutils.spec
index acb2d54..f8eb3fa 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.85
-Release: 20%{?dist}
+Release: 21%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -331,6 +331,11 @@ fi
exit 0
%changelog
+* Fri Mar 11 2011 Dan Walsh <dwalsh at redhat.com> 2.0.85-21
+- change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
+- This will allow default sandboxes to work on NFS homedirs without allowing
+ access to homedir data
+
* Fri Mar 11 2011 Dan Walsh <dwalsh at redhat.com> 2.0.85-20
- Change sepolgen-ifgen to search all available policy files
- Exit in restorecond if it can not find a UID in the passwd database