rpms/policycoreutils/F-11 policycoreutils-F11.patch, 1.1, 1.2 policycoreutils.spec, 1.611, 1.612

Daniel J Walsh dwalsh at fedoraproject.org
Tue May 26 16:59:13 UTC 2009 

Author: dwalsh

Update of /cvs/extras/rpms/policycoreutils/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv9582

Modified Files:
	policycoreutils-F11.patch policycoreutils.spec 
Log Message:
* Tue May 26 2009 Dan Walsh <dwalsh at redhat.com> 2.0.62-12.7
- Fix sandbox to be able to execute files in homedir


policycoreutils-F11.patch:

Index: policycoreutils-F11.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/F-11/policycoreutils-F11.patch,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -p -r1.1 -r1.2
--- policycoreutils-F11.patch	22 May 2009 18:31:02 -0000	1.1
+++ policycoreutils-F11.patch	26 May 2009 16:59:13 -0000	1.2
@@ -17,8 +17,8 @@ diff --exclude-from=exclude --exclude=se
  	-mkdir -p $(MANDIR)/man8
 diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.62/scripts/sandbox
 --- nsapolicycoreutils/scripts/sandbox	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.62/scripts/sandbox	2009-05-22 14:11:10.000000000 -0400
-@@ -0,0 +1,149 @@
++++ policycoreutils-2.0.62/scripts/sandbox	2009-05-26 12:30:48.000000000 -0400
+@@ -0,0 +1,138 @@
 +#!/usr/bin/python -E
 +import os, sys, getopt, socket, random, fcntl
 +import selinux
@@ -110,55 +110,42 @@ diff --exclude-from=exclude --exclude=se
 +
 +    setype = "sandbox_t"
 +    mount_ind = False
-+    gopts, cmds = getopt.getopt(sys.argv[1:], "t:m", 
-+                                ["type=", 
-+                                 "mount"])
-+    for o, a in gopts:
-+        if o == "-t" or o == "--type":
-+            setype = a
-+
-+        if o == "-m" or o == "--mount":
-+            mount_ind = True
-+                
-+            
-+    if len(cmds) == 0:
-+           usage(_("Command required"))
-+
-+    os.chdir("/")
-+    execcon, filecon = gen_context(setype)
-+    rc = -1
 +    try:
-+        if mount_ind:
-+            mount(filecon)
-+
-+        if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
-+               for i in  os.environ["PATH"].split(':'):
-+                      f = "%s/%s" % (i, cmds[0])
-+                      if os.access(f, os.X_OK):
-+                             cmds[0] = f
-+                             break
-+
-+        setype = selinux.getfilecon(cmds[0])[1].split(":")[2]
-+        if setype == "user_home_t" or setype == "user_tmp_t":
-+               error_exit(_("""
-+Sandboxed applications can not read/execute files labeled as user content;  (%s)
-+Temporarily label '%s" as bin_t, if you want it to run it under a sandbox.
-+
-+chcon -t bin_t %s
-+
-+restorecon %s
-+
-+Will set the executable back to the correct context.
-+""") % (setype, cmds[0], cmds[0], cmds[0]) )
-+
-+        selinux.setexeccon(execcon)
-+        rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
-+        selinux.setexeccon(None)
-+
-+        if mount_ind:
-+            umount(filecon)
++           gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m", 
++                                       ["help",
++                                        "type=", 
++                                        "mount"])
++           for o, a in gopts:
++                  if o == "-t" or o == "--type":
++                         setype = a
++                         
++           if o == "-m" or o == "--mount":
++                  mount_ind = True
++           if o == "-h" or o == "--help":
++                  usage(_("Usage"));
++            
++           if len(cmds) == 0:
++                  usage(_("Command required"))
 +
-+    except getopt.error, error:
++           execcon, filecon = gen_context(setype)
++           rc = -1
++           if mount_ind:
++                  mount(filecon)
++
++           if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
++                  for i in  os.environ["PATH"].split(':'):
++                         f = "%s/%s" % (i, cmds[0])
++                         if os.access(f, os.X_OK):
++                                cmds[0] = f
++                                break
++
++           selinux.setexeccon(execcon)
++           rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
++           selinux.setexeccon(None)
++           
++           if mount_ind:
++                  umount(filecon)
++    except getopt.GetoptError, error:
 +        usage(_("Options Error %s ") % error.msg)
 +    except ValueError, error:
 +        error_exit(error.args[0])
@@ -166,6 +153,8 @@ diff --exclude-from=exclude --exclude=se
 +        error_exit(_("Invalid value %s") % error.args[0])
 +    except IOError, error:
 +        error_exit(error.args[1])
++    except OSError, error:
++        error_exit(error.args[1])
 +        
 +    sys.exit(rc)
 diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.62/scripts/sandbox.8


Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/F-11/policycoreutils.spec,v
retrieving revision 1.611
retrieving revision 1.612
diff -u -p -r1.611 -r1.612
--- policycoreutils.spec	22 May 2009 18:27:32 -0000	1.611
+++ policycoreutils.spec	26 May 2009 16:59:13 -0000	1.612
@@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.62
-Release: 12.6%{?dist}
+Release: 12.7%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -224,6 +224,9 @@ else
 fi
 
 %changelog
+* Tue May 26 2009 Dan Walsh <dwalsh at redhat.com> 2.0.62-12.7
+- Fix sandbox to be able to execute files in homedir
+
 * Fri May 22 2009 Dan Walsh <dwalsh at redhat.com> 2.0.62-12.6
 - Add sandbox script

More information about the scm-commits mailing list