rpms/policycoreutils/devel policycoreutils-rhat.patch, 1.420, 1.421 policycoreutils.spec, 1.608, 1.609
Daniel J Walsh
dwalsh at fedoraproject.org
Tue May 26 16:58:42 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/policycoreutils/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9186
Modified Files:
policycoreutils-rhat.patch policycoreutils.spec
Log Message:
* Tue May 26 2009 Dan Walsh <dwalsh at redhat.com> 2.0.63-3
- Fix sandbox to be able to execute files in homedir
policycoreutils-rhat.patch:
Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-rhat.patch,v
retrieving revision 1.420
retrieving revision 1.421
diff -u -p -r1.420 -r1.421
--- policycoreutils-rhat.patch 22 May 2009 18:00:00 -0000 1.420
+++ policycoreutils-rhat.patch 26 May 2009 16:58:40 -0000 1.421
@@ -1272,8 +1272,8 @@ diff --exclude-from=exclude --exclude=se
-mkdir -p $(MANDIR)/man8
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.63/scripts/sandbox
--- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.63/scripts/sandbox 2009-05-22 13:59:22.000000000 -0400
-@@ -0,0 +1,149 @@
++++ policycoreutils-2.0.63/scripts/sandbox 2009-05-26 12:30:25.000000000 -0400
+@@ -0,0 +1,138 @@
+#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl
+import selinux
@@ -1365,55 +1365,42 @@ diff --exclude-from=exclude --exclude=se
+
+ setype = "sandbox_t"
+ mount_ind = False
-+ gopts, cmds = getopt.getopt(sys.argv[1:], "t:m",
-+ ["type=",
-+ "mount"])
-+ for o, a in gopts:
-+ if o == "-t" or o == "--type":
-+ setype = a
-+
-+ if o == "-m" or o == "--mount":
-+ mount_ind = True
-+
-+
-+ if len(cmds) == 0:
-+ usage(_("Command required"))
-+
-+ os.chdir("/")
-+ execcon, filecon = gen_context(setype)
-+ rc = -1
+ try:
-+ if mount_ind:
-+ mount(filecon)
-+
-+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
-+ for i in os.environ["PATH"].split(':'):
-+ f = "%s/%s" % (i, cmds[0])
-+ if os.access(f, os.X_OK):
-+ cmds[0] = f
-+ break
-+
-+ setype = selinux.getfilecon(cmds[0])[1].split(":")[2]
-+ if setype == "user_home_t" or setype == "user_tmp_t":
-+ error_exit(_("""
-+Sandboxed applications can not read/execute files labeled as user content; (%s)
-+Temporarily label '%s" as bin_t, if you want it to run it under a sandbox.
-+
-+chcon -t bin_t %s
-+
-+restorecon %s
-+
-+Will set the executable back to the correct context.
-+""") % (setype, cmds[0], cmds[0], cmds[0]) )
-+
-+ selinux.setexeccon(execcon)
-+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
-+ selinux.setexeccon(None)
-+
-+ if mount_ind:
-+ umount(filecon)
++ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m",
++ ["help",
++ "type=",
++ "mount"])
++ for o, a in gopts:
++ if o == "-t" or o == "--type":
++ setype = a
++
++ if o == "-m" or o == "--mount":
++ mount_ind = True
++ if o == "-h" or o == "--help":
++ usage(_("Usage"));
++
++ if len(cmds) == 0:
++ usage(_("Command required"))
+
-+ except getopt.error, error:
++ execcon, filecon = gen_context(setype)
++ rc = -1
++ if mount_ind:
++ mount(filecon)
++
++ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
++ for i in os.environ["PATH"].split(':'):
++ f = "%s/%s" % (i, cmds[0])
++ if os.access(f, os.X_OK):
++ cmds[0] = f
++ break
++
++ selinux.setexeccon(execcon)
++ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
++ selinux.setexeccon(None)
++
++ if mount_ind:
++ umount(filecon)
++ except getopt.GetoptError, error:
+ usage(_("Options Error %s ") % error.msg)
+ except ValueError, error:
+ error_exit(error.args[0])
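Review bot: The teardown after the spawn is not exception-safe: in the new `try` body, `selinux.setexeccon(None)` and `umount(filecon)` run only when `os.spawnvp` returns normally. Any exception raised after `mount(filecon)` (in the PATH lookup, in `setexeccon`, or in the spawn itself) goes straight to the `except` handlers, which call `error_exit`/`usage`, so the mount is presumably left in place. An inner `try`/`finally` opened right after `mount(filecon)` would run the teardown on every path without changing the order of the existing steps. The enclosing function starts before this hunk and `mount`/`umount` are defined outside it, so what exactly is left behind is inferred from their names.

```python
# … unchanged: option parsing, usage checks, gen_context() …
if mount_ind:
    mount(filecon)
try:
    # … unchanged: PATH lookup that rewrites cmds[0] …
    selinux.setexeccon(execcon)
    rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
finally:
    # always drop the exec context and undo the mount, even on error
    selinux.setexeccon(None)
    if mount_ind:
        umount(filecon)
```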
@@ -1421,6 +1408,8 @@ diff --exclude-from=exclude --exclude=se
+ error_exit(_("Invalid value %s") % error.args[0])
+ except IOError, error:
+ error_exit(error.args[1])
++ except OSError, error:
++ error_exit(error.args[1])
+
+ sys.exit(rc)
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.63/scripts/sandbox.8
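Review bot: The added `except OSError` handler reports `error.args[1]`, which raises `IndexError` inside the handler if the exception carries fewer than two arguments, and it drops the filename even when one is attached. `error_exit(error.strerror or str(error))` would be more robust. The same applies to the `IOError` handler just above it. The `try` these handlers belong to starts outside this hunk.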
Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.608
retrieving revision 1.609
diff -u -p -r1.608 -r1.609
--- policycoreutils.spec 22 May 2009 21:10:16 -0000 1.608
+++ policycoreutils.spec 26 May 2009 16:58:41 -0000 1.609
@@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.63
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -226,6 +226,9 @@ else
fi
%changelog
+* Tue May 26 2009 Dan Walsh <dwalsh at redhat.com> 2.0.63-3
+- Fix sandbox to be able to execute files in homedir
+
* Fri May 22 2009 Dan Walsh <dwalsh at redhat.com> 2.0.63-2
- Change polgen.py to be able to generate policy