rpms/policycoreutils/F-11 policycoreutils-F11.patch, 1.1, 1.2 policycoreutils.spec, 1.611, 1.612
Daniel J Walsh
dwalsh at fedoraproject.org
Tue May 26 16:59:13 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/policycoreutils/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9582
Modified Files:
policycoreutils-F11.patch policycoreutils.spec
Log Message:
* Tue May 26 2009 Dan Walsh <dwalsh at redhat.com> 2.0.62-12.7
- Fix sandbox to be able to execute files in homedir
policycoreutils-F11.patch:
Index: policycoreutils-F11.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/F-11/policycoreutils-F11.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- policycoreutils-F11.patch 22 May 2009 18:31:02 -0000 1.1
+++ policycoreutils-F11.patch 26 May 2009 16:59:13 -0000 1.2
@@ -17,8 +17,8 @@ diff --exclude-from=exclude --exclude=se
-mkdir -p $(MANDIR)/man8
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.62/scripts/sandbox
--- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.62/scripts/sandbox 2009-05-22 14:11:10.000000000 -0400
-@@ -0,0 +1,149 @@
++++ policycoreutils-2.0.62/scripts/sandbox 2009-05-26 12:30:48.000000000 -0400
+@@ -0,0 +1,138 @@
+#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl
+import selinux
@@ -110,55 +110,42 @@ diff --exclude-from=exclude --exclude=se
+
+ setype = "sandbox_t"
+ mount_ind = False
-+ gopts, cmds = getopt.getopt(sys.argv[1:], "t:m",
-+ ["type=",
-+ "mount"])
-+ for o, a in gopts:
-+ if o == "-t" or o == "--type":
-+ setype = a
-+
-+ if o == "-m" or o == "--mount":
-+ mount_ind = True
-+
-+
-+ if len(cmds) == 0:
-+ usage(_("Command required"))
-+
-+ os.chdir("/")
-+ execcon, filecon = gen_context(setype)
-+ rc = -1
+ try:
-+ if mount_ind:
-+ mount(filecon)
-+
-+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
-+ for i in os.environ["PATH"].split(':'):
-+ f = "%s/%s" % (i, cmds[0])
-+ if os.access(f, os.X_OK):
-+ cmds[0] = f
-+ break
-+
-+ setype = selinux.getfilecon(cmds[0])[1].split(":")[2]
-+ if setype == "user_home_t" or setype == "user_tmp_t":
-+ error_exit(_("""
-+Sandboxed applications can not read/execute files labeled as user content; (%s)
-+Temporarily label '%s" as bin_t, if you want it to run it under a sandbox.
-+
-+chcon -t bin_t %s
-+
-+restorecon %s
-+
-+Will set the executable back to the correct context.
-+""") % (setype, cmds[0], cmds[0], cmds[0]) )
-+
-+ selinux.setexeccon(execcon)
-+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
-+ selinux.setexeccon(None)
-+
-+ if mount_ind:
-+ umount(filecon)
++ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m",
++ ["help",
++ "type=",
++ "mount"])
++ for o, a in gopts:
++ if o == "-t" or o == "--type":
++ setype = a
++
++ if o == "-m" or o == "--mount":
++ mount_ind = True
++ if o == "-h" or o == "--help":
++ usage(_("Usage"));
++
++ if len(cmds) == 0:
++ usage(_("Command required"))
+
-+ except getopt.error, error:
++ execcon, filecon = gen_context(setype)
++ rc = -1
++ if mount_ind:
++ mount(filecon)
++
++ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
++ for i in os.environ["PATH"].split(':'):
++ f = "%s/%s" % (i, cmds[0])
++ if os.access(f, os.X_OK):
++ cmds[0] = f
++ break
++
++ selinux.setexeccon(execcon)
++ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
++ selinux.setexeccon(None)
++
++ if mount_ind:
++ umount(filecon)
++ except getopt.GetoptError, error:
+ usage(_("Options Error %s ") % error.msg)
+ except ValueError, error:
+ error_exit(error.args[0])
@@ -166,6 +153,8 @@ diff --exclude-from=exclude --exclude=se
+ error_exit(_("Invalid value %s") % error.args[0])
+ except IOError, error:
+ error_exit(error.args[1])
++ except OSError, error:
++ error_exit(error.args[1])
+
+ sys.exit(rc)
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.62/scripts/sandbox.8
Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/F-11/policycoreutils.spec,v
retrieving revision 1.611
retrieving revision 1.612
diff -u -p -r1.611 -r1.612
--- policycoreutils.spec 22 May 2009 18:27:32 -0000 1.611
+++ policycoreutils.spec 26 May 2009 16:59:13 -0000 1.612
@@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.62
-Release: 12.6%{?dist}
+Release: 12.7%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -224,6 +224,9 @@ else
fi
%changelog
+* Tue May 26 2009 Dan Walsh <dwalsh at redhat.com> 2.0.62-12.7
+- Fix sandbox to be able to execute files in homedir
+
* Fri May 22 2009 Dan Walsh <dwalsh at redhat.com> 2.0.62-12.6
- Add sandbox script
More information about the scm-commits
mailing list