rpms/policycoreutils/F-13 policycoreutils-gui.patch, 1.106, 1.107 policycoreutils-rhat.patch, 1.505, 1.506 policycoreutils.spec, 1.722, 1.723
Daniel J Walsh
dwalsh at fedoraproject.org
Tue Jun 15 17:16:38 UTC 2010
Author: dwalsh
Update of /cvs/extras/rpms/policycoreutils/F-13
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv23817
Modified Files:
policycoreutils-gui.patch policycoreutils-rhat.patch
policycoreutils.spec
Log Message:
* Tue Jun 15 2010 Dan Walsh <dwalsh at redhat.com> 2.0.82-31
- Fix sepolgen code generation
Resolve: #603001
policycoreutils-gui.patch:
Makefile | 40
booleansPage.py | 247 +++
domainsPage.py | 154 ++
fcontextPage.py | 223 ++
html_util.py | 164 ++
lockdown.glade | 771 ++++++++++
lockdown.gladep | 7
lockdown.py | 382 ++++
loginsPage.py | 185 ++
mappingsPage.py | 56
modulesPage.py | 190 ++
polgen.glade | 3305 +++++++++++++++++++++++++++++++++++++++++++
polgen.gladep | 7
polgen.py | 1286 ++++++++++++++++
polgengui.py | 627 ++++++++
portsPage.py | 259 +++
selinux.tbl | 234 +++
semanagePage.py | 168 ++
statusPage.py | 190 ++
system-config-selinux.glade | 3024 +++++++++++++++++++++++++++++++++++++++
system-config-selinux.gladep | 7
system-config-selinux.py | 187 ++
templates/__init__.py | 18
templates/boolean.py | 40
templates/etc_rw.py | 113 +
templates/executable.py | 382 ++++
templates/network.py | 80 +
templates/rw.py | 131 +
templates/script.py | 126 +
templates/semodule.py | 41
templates/tmp.py | 102 +
templates/user.py | 195 ++
templates/var_cache.py | 133 +
templates/var_lib.py | 161 ++
templates/var_log.py | 116 +
templates/var_run.py | 101 +
templates/var_spool.py | 133 +
usersPage.py | 150 +
38 files changed, 13735 insertions(+)
Index: policycoreutils-gui.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/F-13/policycoreutils-gui.patch,v
retrieving revision 1.106
retrieving revision 1.107
diff -u -p -r1.106 -r1.107
--- policycoreutils-gui.patch 7 Jun 2010 21:15:16 -0000 1.106
+++ policycoreutils-gui.patch 15 Jun 2010 17:16:36 -0000 1.107
@@ -6414,8 +6414,8 @@ diff --exclude-from=exclude -N -u -r nsa
+ app.stand_alone()
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.82/gui/polgen.py
--- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/polgen.py 2010-06-07 16:38:00.000000000 -0400
-@@ -0,0 +1,1273 @@
++++ policycoreutils-2.0.82/gui/polgen.py 2010-06-15 12:01:00.000000000 -0400
+@@ -0,0 +1,1286 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2007-2010 Red Hat
@@ -7115,7 +7115,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ if self.type == USER:
+ for u in self.transition_users:
-+ temp = re.sub("TEMPLATETYPE", self.name, executable.te_userapp_trans_rules)
++ temp = re.sub("TEMPLATETYPE", self.name, user.te_user_trans_rules)
+ newte += re.sub("USER", u.split("_u")[0], temp)
+
+ return newte
@@ -7131,6 +7131,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ for u in self.transition_users:
+ role = u.split("_u")[0]
++
+ if (role + "_r") in self.all_roles:
+ tmp = re.sub("TEMPLATETYPE", self.name, user.te_admin_trans_rules)
+ newte += re.sub("USER", role, tmp)
@@ -7265,11 +7266,13 @@ diff --exclude-from=exclude -N -u -r nsa
+ newif =""
+ if self.use_terminal or self.type == USER:
+ newif = re.sub("TEMPLATETYPE", self.name, executable.if_user_program_rules)
++ newif = re.sub("TEMPLATETYPE", self.name, executable.if_role_change_rules)
+ return newif
+
+
+ def generate_if(self):
+ newif = ""
++ newif += re.sub("TEMPLATETYPE", self.name, executable.if_heading_rules)
+ if self.program != "":
+ newif += re.sub("TEMPLATETYPE", self.name, executable.if_program_rules)
+ if self.initscript != "":
@@ -7299,6 +7302,7 @@ diff --exclude-from=exclude -N -u -r nsa
+ if self.type in ( TUSER, XUSER, AUSER, LUSER, EUSER):
+ roles = ""
+ if len(self.roles) > 0:
++ newte += re.sub("TEMPLATETYPE", self.name, user.te_sudo_rules)
+ newte += re.sub("TEMPLATETYPE", self.name, user.te_newrole_rules)
+ for role in self.roles:
+ tmp = re.sub("TEMPLATETYPE", self.name, user.te_roles_rules)
@@ -7317,7 +7321,8 @@ diff --exclude-from=exclude -N -u -r nsa
+########################################
+#
+# %s local policy
-+#""" % self.name
++#
++""" % self.name
+ newte += self.generate_capabilities()
+ newte += self.generate_process()
+ newte += self.generate_network_types()
@@ -7357,6 +7362,8 @@ diff --exclude-from=exclude -N -u -r nsa
+ def generate_fc(self):
+ newfc = ""
+ fclist = []
++ if self.type in USERS:
++ return re.sub("EXECUTABLE", self.program, executable.fc_user)
+ if self.program == "":
+ raise ValueError(_("You must enter the executable path for your confined process"))
+
@@ -7480,10 +7487,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ fcfile = "%s/my%s.fc" % (out_dir, self.file_name)
+ else:
+ fcfile = "%s/%s.fc" % (out_dir, self.file_name)
-+ if self.type in APPLICATIONS:
-+ fd = open(fcfile, "w")
-+ fd.write(self.generate_fc())
-+ fd.close()
++ fd = open(fcfile, "w")
++ fd.write(self.generate_fc())
++ fd.close()
+ return fcfile
+
+ def generate(self, out_dir = "."):
@@ -7501,6 +7507,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ sys.exit(1)
+
+def test():
++ import tempfile
++
++ tmpdir = tempfile.mkdtemp()
+ mypolicy = policy("mycgi", CGI)
+ mypolicy.set_program("/var/www/cgi-bin/cgi")
+ mypolicy.set_in_tcp(1, 0, 0, "512, 55000-55000")
@@ -7510,7 +7519,7 @@ diff --exclude-from=exclude -N -u -r nsa
+ mypolicy.set_use_syslog(True)
+ mypolicy.set_use_pam(True)
+ mypolicy.set_out_tcp(0,"8000")
-+ print mypolicy.generate("/var/tmp")
++ print mypolicy.generate(tmpdir)
+
+ mypolicy = policy("myuser", USER)
+ mypolicy.set_program("/usr/bin/myuser")
@@ -7523,7 +7532,7 @@ diff --exclude-from=exclude -N -u -r nsa
+ mypolicy.add_file("/var/lib/myuser/myuser.sock")
+ mypolicy.set_out_tcp(0,"8000")
+ mypolicy.set_transition_users(["unconfined_u", "staff_u"])
-+ print mypolicy.generate("/var/tmp")
++ print mypolicy.generate(tmpdir)
+
+
+ mypolicy = policy("myrwho", DAEMON)
@@ -7537,7 +7546,7 @@ diff --exclude-from=exclude -N -u -r nsa
+ mypolicy.set_use_pam(True)
+ mypolicy.add_dir("/var/run/myrwho")
+ mypolicy.add_dir("/var/lib/myrwho")
-+ print mypolicy.generate("/var/tmp")
++ print mypolicy.generate(tmpdir)
+
+ mypolicy = policy("myinetd", INETD)
+ mypolicy.set_program("/usr/bin/mytest")
@@ -7562,7 +7571,7 @@ diff --exclude-from=exclude -N -u -r nsa
+ mypolicy.set_use_terminal(True)
+ mypolicy.set_use_mail(True)
+ mypolicy.set_out_tcp(0,"8000")
-+ print mypolicy.generate("/var/tmp")
++ print mypolicy.generate(tmpdir)
+
+
+ mypolicy = policy("mydbus", DBUS)
@@ -7573,24 +7582,27 @@ diff --exclude-from=exclude -N -u -r nsa
+ mypolicy.set_use_tmp(True)
+ mypolicy.set_use_syslog(True)
+ mypolicy.set_use_pam(True)
-+ print mypolicy.generate("/var/tmp")
++ print mypolicy.generate(tmpdir)
+
+ mypolicy = policy("mytuser", TUSER)
-+ mypolicy.set_transition_domains(["sudo"])
+ mypolicy.set_admin_roles(["mydbadm"])
+ mypolicy.add_boolean("allow_mytuser_setuid", "Allow mytuser users to run setuid applications")
-+ print mypolicy.generate("/var/tmp")
++ print mypolicy.generate(tmpdir)
+
+ mypolicy = policy("myxuser", XUSER)
+ mypolicy.set_in_tcp(1, 1, 1, "28920")
+ mypolicy.set_in_udp(0, 0, 1, "1513")
+ mypolicy.set_transition_domains(["mozilla"])
-+ print mypolicy.generate("/var/tmp")
++ print mypolicy.generate(tmpdir)
+
+ mypolicy = policy("mydbadm", RUSER)
+ mypolicy.set_admin_domains(["postgresql", "mysql"])
-+ print mypolicy.generate("/var/tmp")
-+
++ print mypolicy.generate(tmpdir)
++ os.chdir(tmpdir)
++ rc, output=commands.getstatusoutput("make -f /usr/share/selinux/devel/Makefile1")
++ print output
++ print type(rc), os.WEXITSTATUS(rc)
++ sys.exit(os.WEXITSTATUS(rc))
+
+import os, sys, getopt, socket, random, fcntl
+
@@ -7610,7 +7622,7 @@ diff --exclude-from=exclude -N -u -r nsa
+ print _("""
+%s
+
-+polgen [ -m ] [ -t type ] executable
++polgen [ -m ] [ -t type ] [ executable | Name ]
+valid Types:
+""") % msg
+ keys=poltype.keys()
@@ -7655,35 +7667,36 @@ diff --exclude-from=exclude -N -u -r nsa
+ usage(_("Options Error %s ") % error.msg)
+
+ if len(cmds) == 0:
-+ usage(_("Executable required"))
++ usage(_("Executable or Name required"))
+
+ try:
+ if not name:
+ name = os.path.basename(cmds[0]).replace("-","_")
+ cmd = cmds[0]
+ mypolicy = policy(name, setype)
-+ mypolicy.set_program(cmd)
-+ for f in gen_writeable(cmd):
-+ for b in mypolicy.DEFAULT_DIRS:
-+ if b == "/etc":
-+ continue
-+ if f.startswith(b):
-+ if os.path.isfile(f):
-+ mypolicy.add_file(f)
-+ else:
-+ mypolicy.add_dir(f)
-+
-+ if os.path.isfile("/var/run/%s.pid" % name):
-+ mypolicy.add_file("/var/run/%s.pid" % name)
-+
-+ if os.path.isfile("/etc/rc.d/init.d/%s" % name):
-+ mypolicy.set_init_script("/etc/rc\.d/init\.d/%s" % name)
-+
-+ symbols = gen_symbols(cmd)
-+ for s in symbols:
-+ for b in mypolicy.symbols:
-+ if s.startswith(b):
-+ exec "mypolicy.%s" % mypolicy.symbols[b]
++ if setype in APPLICATIONS:
++ mypolicy.set_program(cmd)
++ for f in gen_writeable(cmd):
++ for b in mypolicy.DEFAULT_DIRS:
++ if b == "/etc":
++ continue
++ if f.startswith(b):
++ if os.path.isfile(f):
++ mypolicy.add_file(f)
++ else:
++ mypolicy.add_dir(f)
++
++ if os.path.isfile("/var/run/%s.pid" % name):
++ mypolicy.add_file("/var/run/%s.pid" % name)
++
++ if os.path.isfile("/etc/rc.d/init.d/%s" % name):
++ mypolicy.set_init_script("/etc/rc\.d/init\.d/%s" % name)
++
++ symbols = gen_symbols(cmd)
++ for s in symbols:
++ for b in mypolicy.symbols:
++ if s.startswith(b):
++ exec "mypolicy.%s" % mypolicy.symbols[b]
+
+ print mypolicy.generate()
+ sys.exit(0)
@@ -11788,7 +11801,7 @@ diff --exclude-from=exclude -N -u -r nsa
+ app.stand_alone()
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py policycoreutils-2.0.82/gui/templates/boolean.py
--- nsapolicycoreutils/gui/templates/boolean.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/boolean.py 2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/boolean.py 2010-06-11 17:08:24.000000000 -0400
@@ -0,0 +1,40 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -11832,7 +11845,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py policycoreutils-2.0.82/gui/templates/etc_rw.py
--- nsapolicycoreutils/gui/templates/etc_rw.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/etc_rw.py 2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/etc_rw.py 2010-06-11 17:08:24.000000000 -0400
@@ -0,0 +1,113 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -11949,8 +11962,8 @@ diff --exclude-from=exclude -N -u -r nsa
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.82/gui/templates/executable.py
--- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/executable.py 2010-06-07 16:40:33.000000000 -0400
-@@ -0,0 +1,361 @@
++++ policycoreutils-2.0.82/gui/templates/executable.py 2010-06-11 17:08:24.000000000 -0400
+@@ -0,0 +1,382 @@
+# Copyright (C) 2007-2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
@@ -12049,7 +12062,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
+apache_content_template(TEMPLATETYPE)
+
-+permissive http_TEMPLATETYPE_script_t;
++permissive httpd_TEMPLATETYPE_script_t;
+"""
+
+te_daemon_rules="""
@@ -12127,20 +12140,13 @@ diff --exclude-from=exclude -N -u -r nsa
+miscfiles_read_localization(TEMPLATETYPE_t)
+"""
+
-+te_userapp_trans_rules="""
-+optional_policy(`
-+ gen_require(`
-+ type USER_t;
-+ role USER_r;
-+ ')
++########################### Interface File #############################
+
-+ TEMPLATETYPE_run(USER_t, USER_r)
-+')
++if_heading_rules="""
++## <summary>policy for TEMPLATETYPE</summary>
+"""
+
-+########################### Interface File #############################
+if_program_rules="""
-+## <summary>policy for TEMPLATETYPE</summary>
+
+########################################
+## <summary>
@@ -12215,6 +12221,29 @@ diff --exclude-from=exclude -N -u -r nsa
+ ps_process_pattern($2, TEMPLATETYPE_t)
+ allow $2 TEMPLATETYPE_t:process signal;
+')
++
++"""
++
++if_role_change_rules="""
++########################################
++## <summary>
++## Change to the TEMPLATETYPE role.
++## </summary>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`TEMPLATETYPE_role_change',`
++ gen_require(`
++ role TEMPLATETYPE_r;
++ ')
++
++ allow $1 TEMPLATETYPE_r;
++')
++
+"""
+
+if_initscript_rules="""
@@ -12308,13 +12337,18 @@ diff --exclude-from=exclude -N -u -r nsa
+
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_exec_t,s0)
+"""
++
++fc_user="""\
++# Users do not have file context, leave blank
++"""
++
+fc_initscript="""\
+
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0)
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.82/gui/templates/__init__.py
--- nsapolicycoreutils/gui/templates/__init__.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/__init__.py 2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/__init__.py 2010-06-11 17:08:24.000000000 -0400
@@ -0,0 +1,18 @@
+#
+# Copyright (C) 2007 Red Hat, Inc.
@@ -12336,7 +12370,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.82/gui/templates/network.py
--- nsapolicycoreutils/gui/templates/network.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/network.py 2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/network.py 2010-06-11 17:08:24.000000000 -0400
@@ -0,0 +1,80 @@
+te_port_types="""
+type TEMPLATETYPE_port_t;
@@ -12420,7 +12454,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.82/gui/templates/rw.py
--- nsapolicycoreutils/gui/templates/rw.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/rw.py 2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/rw.py 2010-06-11 17:08:24.000000000 -0400
@@ -0,0 +1,131 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -12555,7 +12589,7 @@ diff --exclude-from=exclude -N -u -r nsa
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.82/gui/templates/script.py
--- nsapolicycoreutils/gui/templates/script.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/script.py 2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/script.py 2010-06-11 17:08:24.000000000 -0400
@@ -0,0 +1,126 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -12685,7 +12719,7 @@ diff --exclude-from=exclude -N -u -r nsa
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.82/gui/templates/semodule.py
--- nsapolicycoreutils/gui/templates/semodule.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/semodule.py 2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/semodule.py 2010-06-11 17:08:24.000000000 -0400
@@ -0,0 +1,41 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -12730,7 +12764,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.82/gui/templates/tmp.py
--- nsapolicycoreutils/gui/templates/tmp.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/tmp.py 2010-04-28 17:12:20.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/tmp.py 2010-06-11 17:08:24.000000000 -0400
@@ -0,0 +1,102 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -12836,8 +12870,8 @@ diff --exclude-from=exclude -N -u -r nsa
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.82/gui/templates/user.py
--- nsapolicycoreutils/gui/templates/user.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/user.py 2010-04-28 17:12:20.000000000 -0400
-@@ -0,0 +1,179 @@
++++ policycoreutils-2.0.82/gui/templates/user.py 2010-06-11 17:08:24.000000000 -0400
+@@ -0,0 +1,195 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
+#
@@ -12880,7 +12914,7 @@ diff --exclude-from=exclude -N -u -r nsa
+# Declarations
+#
+
-+userdom_admin_login_user_template(TEMPLATETYPE)
++userdom_admin_user_template(TEMPLATETYPE)
+"""
+
+te_min_login_user_types="""\
@@ -12933,6 +12967,7 @@ diff --exclude-from=exclude -N -u -r nsa
+#
+# TEMPLATETYPE local policy
+#
++
+"""
+
+te_existing_user_rules="""\
@@ -12966,6 +13001,16 @@ diff --exclude-from=exclude -N -u -r nsa
+')
+"""
+
++te_user_trans_rules="""
++optional_policy(`
++ gen_require(`
++ role USER_r;
++ ')
++
++ TEMPLATETYPE_role_change(USER_r)
++')
++"""
++
+te_admin_rules="""
+allow TEMPLATETYPE_t self:capability { dac_override dac_read_search kill sys_ptrace sys_nice };
+files_dontaudit_search_all_dirs(TEMPLATETYPE_t)
@@ -12981,45 +13026,50 @@ diff --exclude-from=exclude -N -u -r nsa
+domain_dontaudit_search_all_domains_state(TEMPLATETYPE_t)
+domain_dontaudit_ptrace_all_domains(TEMPLATETYPE_t)
+
-+userdom_dontaudit_search_sysadm_home_dirs(TEMPLATETYPE_t)
-+userdom_dontaudit_search_generic_user_home_dirs(TEMPLATETYPE_t)
++userdom_dontaudit_search_admin_dir(TEMPLATETYPE_t)
++userdom_dontaudit_search_user_home_dirs(TEMPLATETYPE_t)
+
+bool TEMPLATETYPE_read_user_files false;
+bool TEMPLATETYPE_manage_user_files false;
+
+if (TEMPLATETYPE_read_user_files) {
-+ userdom_read_unpriv_users_home_content_files(TEMPLATETYPE_t)
-+ userdom_read_unpriv_users_tmp_files(TEMPLATETYPE_t)
++ userdom_read_user_home_content_files(TEMPLATETYPE_t)
++ userdom_read_user_tmp_files(TEMPLATETYPE_t)
+}
+
+if (TEMPLATETYPE_manage_user_files) {
-+ userdom_manage_unpriv_users_home_content_dirs(TEMPLATETYPE_t)
-+ userdom_read_unpriv_users_tmp_files(TEMPLATETYPE_t)
-+ userdom_write_unpriv_users_tmp_files(TEMPLATETYPE_t)
++ userdom_manage_user_home_content(TEMPLATETYPE_t)
++ userdom_manage_user_tmp_files(TEMPLATETYPE_t)
+}
+
+"""
+
+te_admin_trans_rules="""
-+userdom_role_change_template(USER, TEMPLATETYPE)
++allow user_r TEMPLATETYPE_r;
+"""
+
+te_admin_domain_rules="""
+optional_policy(`
-+ APPLICATION_admin(TEMPLATETYPE_t, TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
++ APPLICATION_admin(TEMPLATETYPE_t, TEMPLATETYPE_r, { TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
+')
+"""
+
+te_roles_rules="""
-+userdom_role_change_template(TEMPLATETYPE, ROLE)
++ROLE_role_change(TEMPLATETYPE_r)
++"""
++
++te_sudo_rules="""
++optional_policy(`
++ sudo_role_template(TEMPLATETYPE, TEMPLATETYPE_r, TEMPLATETYPE_t)
++')
+"""
+
+te_newrole_rules="""
-+seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
++seutil_run_newrole(TEMPLATETYPE_t, TEMPLATETYPE_r, { TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_cache.py policycoreutils-2.0.82/gui/templates/var_cache.py
--- nsapolicycoreutils/gui/templates/var_cache.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/var_cache.py 2010-06-07 16:46:31.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/var_cache.py 2010-06-11 17:08:24.000000000 -0400
@@ -0,0 +1,133 @@
+# Copyright (C) 2010 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13156,7 +13206,7 @@ diff --exclude-from=exclude -N -u -r nsa
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.82/gui/templates/var_lib.py
--- nsapolicycoreutils/gui/templates/var_lib.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/var_lib.py 2010-05-26 09:29:58.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/var_lib.py 2010-06-11 17:08:24.000000000 -0400
@@ -0,0 +1,161 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13321,7 +13371,7 @@ diff --exclude-from=exclude -N -u -r nsa
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.82/gui/templates/var_log.py
--- nsapolicycoreutils/gui/templates/var_log.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/var_log.py 2010-05-26 09:32:01.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/var_log.py 2010-06-11 17:08:24.000000000 -0400
@@ -0,0 +1,116 @@
+# Copyright (C) 2007,2010 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13441,7 +13491,7 @@ diff --exclude-from=exclude -N -u -r nsa
+
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.82/gui/templates/var_run.py
--- nsapolicycoreutils/gui/templates/var_run.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/var_run.py 2010-05-26 09:28:54.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/var_run.py 2010-06-11 17:08:24.000000000 -0400
@@ -0,0 +1,101 @@
+# Copyright (C) 2007,2010 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13546,7 +13596,7 @@ diff --exclude-from=exclude -N -u -r nsa
+"""
diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.82/gui/templates/var_spool.py
--- nsapolicycoreutils/gui/templates/var_spool.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/gui/templates/var_spool.py 2010-06-07 16:46:58.000000000 -0400
++++ policycoreutils-2.0.82/gui/templates/var_spool.py 2010-06-11 17:08:24.000000000 -0400
@@ -0,0 +1,133 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
policycoreutils-rhat.patch:
Makefile | 2
audit2allow/Makefile | 1
audit2allow/audit2allow | 53 -
audit2allow/audit2allow.1 | 3
audit2allow/sepolgen-ifgen | 89 ---
newrole/newrole.c | 3
restorecond/Makefile | 24
restorecond/org.selinux.Restorecond.service | 3
restorecond/restorecond.8 | 15
restorecond/restorecond.c | 429 ++------------
restorecond/restorecond.conf | 5
restorecond/restorecond.desktop | 7
restorecond/restorecond.h | 19
restorecond/restorecond.init | 7
restorecond/restorecond_user.conf | 2
restorecond/user.c | 239 ++++++++
restorecond/watch.c | 260 ++++++++
sandbox/Makefile | 44 +
sandbox/deliverables/README | 32 +
sandbox/deliverables/basicwrapper | 4
sandbox/deliverables/run-in-sandbox.py | 49 +
sandbox/sandbox | 434 ++++++++++++++
sandbox/sandbox.8 | 69 ++
sandbox/sandbox.conf | 7
sandbox/sandbox.conf.5 | 40 +
sandbox/sandbox.init | 72 ++
sandbox/sandboxX.sh | 15
sandbox/seunshare.8 | 34 +
sandbox/seunshare.c | 522 ++++++++++++++++++
sandbox/test.txt | 1
sandbox/test_sandbox.py | 98 +++
scripts/Makefile | 1
scripts/fixfiles | 46 -
scripts/genhomedircon.8 | 38 +
semanage/default_encoding/Makefile | 8
semanage/default_encoding/default_encoding.c | 59 ++
semanage/default_encoding/policycoreutils/__init__.py | 17
semanage/default_encoding/setup.py | 38 +
semanage/semanage | 162 ++++-
semanage/semanage.8 | 128 +++-
semanage/seobject.py | 458 ++++++++++++---
sepolgen-ifgen/Makefile | 26
sepolgen-ifgen/sepolgen-ifgen | 131 ++++
sepolgen-ifgen/sepolgen-ifgen-attr-helper.c | 230 +++++++
setfiles/restore.c | 109 +++
setfiles/restore.h | 4
setfiles/restorecon.8 | 7
setfiles/setfiles.8 | 3
setfiles/setfiles.c | 78 --
49 files changed, 3369 insertions(+), 756 deletions(-)
Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/F-13/policycoreutils-rhat.patch,v
retrieving revision 1.505
retrieving revision 1.506
diff -u -p -r1.505 -r1.506
--- policycoreutils-rhat.patch 3 Jun 2010 21:14:52 -0000 1.505
+++ policycoreutils-rhat.patch 15 Jun 2010 17:16:37 -0000 1.506
@@ -1549,8 +1549,8 @@ diff --exclude-from=exclude --exclude=se
+
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.82/sandbox/Makefile
--- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/sandbox/Makefile 2010-05-25 16:18:41.000000000 -0400
-@@ -0,0 +1,42 @@
++++ policycoreutils-2.0.82/sandbox/Makefile 2010-06-08 15:05:27.000000000 -0400
+@@ -0,0 +1,44 @@
+# Installation directories.
+PREFIX ?= ${DESTDIR}/usr
+INITDIR ?= ${DESTDIR}/etc/rc.d/init.d/
@@ -1561,7 +1561,7 @@ diff --exclude-from=exclude --exclude=se
+LOCALEDIR ?= /usr/share/locale
+SHAREDIR ?= $(PREFIX)/share/sandbox
+override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\"" -Wall -Werror -Wextra
-+LDLIBS += -lselinux -lcap-ng
++LDLIBS += -lcgroup -lselinux -lcap-ng
+
+all: sandbox seunshare sandboxX.sh
+
@@ -1574,6 +1574,8 @@ diff --exclude-from=exclude --exclude=se
+ -mkdir -p $(MANDIR)/man8
+ install -m 644 sandbox.8 $(MANDIR)/man8/
+ install -m 644 seunshare.8 $(MANDIR)/man8/
++ -mkdir -p $(MANDIR)/man5
++ install -m 644 sandbox.conf.5 $(MANDIR)/man5/
+ -mkdir -p $(SBINDIR)
+ install -m 4755 seunshare $(SBINDIR)/
+ -mkdir -p $(SHAREDIR)
@@ -1581,7 +1583,7 @@ diff --exclude-from=exclude --exclude=se
+ -mkdir -p $(INITDIR)
+ install -m 755 sandbox.init $(INITDIR)/sandbox
+ -mkdir -p $(SYSCONFDIR)
-+ install -m 644 sandbox.config $(SYSCONFDIR)/sandbox
++ install -m 644 sandbox.conf $(SYSCONFDIR)/sandbox
+
+test:
+ @python test_sandbox.py -v
@@ -1595,10 +1597,11 @@ diff --exclude-from=exclude --exclude=se
+relabel:
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.82/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/sandbox/sandbox 2010-06-03 16:30:17.000000000 -0400
-@@ -0,0 +1,427 @@
++++ policycoreutils-2.0.82/sandbox/sandbox 2010-06-08 15:12:00.000000000 -0400
+@@ -0,0 +1,434 @@
+#! /usr/bin/python -E
+# Authors: Dan Walsh <dwalsh at redhat.com>
++# Authors: Thomas Liu <tliu at fedoraproject.org>
+# Authors: Josh Cogliati
+#
+# Copyright (C) 2009,2010 Red Hat
@@ -1885,6 +1888,10 @@ diff --exclude-from=exclude --exclude=se
+ parser.add_option("-l", "--level", dest="level",
+ help=_("MCS/MLS level for the sandbox"))
+
++ parser.add_option("-C", "--cgroups",
++ action="store_true", dest="usecgroup", default=False,
++ help="Use cgroups to limit this sandbox.")
++
+ self.__parser=parser
+
+ self.__options, cmds = parser.parse_args()
@@ -1960,22 +1967,24 @@ diff --exclude-from=exclude --exclude=se
+
+ def __execute(self):
+ try:
-+ if self.__options.X_ind:
-+ xmodmapfile = self.__homedir + "/.xmodmap"
-+ xd = open(xmodmapfile,"w")
-+ subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait()
-+ xd.close()
-+
-+ self.__setup_sandboxrc(self.__options.wm)
-+
-+ cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon, "/usr/share/sandbox/sandboxX.sh" ]
-+ rc = subprocess.Popen(cmds).wait()
-+ return rc
-+
++ cmds = [ '/usr/sbin/seunshare', "-Z", self.__execcon ]
++ if self.__options.usecgroup == True:
++ cmds.append('-c')
+ if self.__mount:
-+ cmds = [ '/usr/sbin/seunshare', "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths
-+ rc = subprocess.Popen(cmds).wait()
-+ return rc
++ cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ]
++
++ if self.__options.X_ind:
++ xmodmapfile = self.__homedir + "/.xmodmap"
++ xd = open(xmodmapfile,"w")
++ subprocess.Popen(["/usr/bin/xmodmap","-pke"],stdout=xd).wait()
++ xd.close()
++
++ self.__setup_sandboxrc(self.__options.wm)
++
++ cmds += [ "--", "/usr/share/sandbox/sandboxX.sh" ]
++ else:
++ cmds += [ "--" ] + self.__paths
++ return subprocess.Popen(cmds).wait()
+
+ selinux.setexeccon(self.__execcon)
+ rc = subprocess.Popen(self.__cmds).wait()
@@ -2026,8 +2035,8 @@ diff --exclude-from=exclude --exclude=se
+ sys.exit(rc)
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.82/sandbox/sandbox.8
--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/sandbox/sandbox.8 2010-05-27 13:42:03.000000000 -0400
-@@ -0,0 +1,64 @@
++++ policycoreutils-2.0.82/sandbox/sandbox.8 2010-06-08 14:41:10.000000000 -0400
+@@ -0,0 +1,69 @@
+.TH SANDBOX "8" "May 2010" "sandbox" "User Commands"
+.SH NAME
+sandbox \- Run cmd under an SELinux sandbox
@@ -2083,6 +2092,9 @@ diff --exclude-from=exclude --exclude=se
+\fB\-X\fR
+Create an X based Sandbox for gui apps, temporary files for
+$HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
++.TP
++\fB\-C\fR
++Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
+.PP
+.SH "SEE ALSO"
+.TP
@@ -2092,12 +2104,63 @@ diff --exclude-from=exclude --exclude=se
+.SH AUTHOR
+This manual page was written by
+.I Dan Walsh <dwalsh at redhat.com>
-diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.config policycoreutils-2.0.82/sandbox/sandbox.config
---- nsapolicycoreutils/sandbox/sandbox.config 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/sandbox/sandbox.config 2010-04-28 17:12:19.000000000 -0400
-@@ -0,0 +1,2 @@
++and
++.I Thomas Liu <tliu at fedoraproject.org>
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf policycoreutils-2.0.82/sandbox/sandbox.conf
+--- nsapolicycoreutils/sandbox/sandbox.conf 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.82/sandbox/sandbox.conf 2010-06-08 14:41:59.000000000 -0400
+@@ -0,0 +1,7 @@
+# Space separate list of homedirs
+HOMEDIRS="/home"
++# Control group configuration
++NAME=sandbox
++CPUAFFINITY=ALL
++MEMUSAGE=80%
++CPUUSAGE=80%
+diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.conf.5 policycoreutils-2.0.82/sandbox/sandbox.conf.5
+--- nsapolicycoreutils/sandbox/sandbox.conf.5 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.82/sandbox/sandbox.conf.5 2010-06-08 14:41:19.000000000 -0400
+@@ -0,0 +1,40 @@
++.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration"
++.SH NAME
++sandbox.conf \- user config file for the SELinux sandbox
++.SH DESCRIPTION
++.PP
++When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined.
++
++.PP
++Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("=").
++
++.PP
++These keywords are allowed.
++
++.RS
++.TP
++.B NAME
++The name of the sandbox control group. Default is "sandbox".
++
++.TP
++.B CPUAFFINITY
++Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5
++
++.TP
++.B MEMUSAGE
++How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M
++
++.TP
++.B CPUUSAGE
++Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50%
++
++
++
++.SH "SEE ALSO"
++.TP
++sandbox(8)
++.PP
++
++.SH AUTHOR
++This manual page was written by
++.I Thomas Liu <tliu at fedoraproject.org>
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.init policycoreutils-2.0.82/sandbox/sandbox.init
--- nsapolicycoreutils/sandbox/sandbox.init 1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.82/sandbox/sandbox.init 2010-06-03 17:11:59.000000000 -0400
@@ -2195,8 +2258,8 @@ diff --exclude-from=exclude --exclude=se
+exit 0
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.8 policycoreutils-2.0.82/sandbox/seunshare.8
--- nsapolicycoreutils/sandbox/seunshare.8 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/sandbox/seunshare.8 2010-05-21 08:12:39.000000000 -0400
-@@ -0,0 +1,29 @@
++++ policycoreutils-2.0.82/sandbox/seunshare.8 2010-06-08 14:41:19.000000000 -0400
+@@ -0,0 +1,34 @@
+.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands"
+.SH NAME
+seunshare \- Run cmd under an SELinux context
@@ -2217,6 +2280,9 @@ diff --exclude-from=exclude --exclude=se
+\fB\-t\ tmpdir
+Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user.
+.TP
++\fB\-c cgroups\fR
++Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
++.TP
+\fB\-v\fR
+Verbose output
+.SH "SEE ALSO"
@@ -2226,10 +2292,17 @@ diff --exclude-from=exclude --exclude=se
+.SH AUTHOR
+This manual page was written by
+.I Dan Walsh <dwalsh at redhat.com>
++and
++.I Thomas Liu <tliu at fedoraproject.org>
diff --exclude-from=exclude --exclude=sepolgen-1.0.23 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.82/sandbox/seunshare.c
--- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.82/sandbox/seunshare.c 2010-05-25 13:37:30.000000000 -0400
-@@ -0,0 +1,313 @@
++++ policycoreutils-2.0.82/sandbox/seunshare.c 2010-06-08 14:56:09.000000000 -0400
+@@ -0,0 +1,522 @@
++/*
++ * Authors: Dan Walsh <dwalsh at redhat.com>
++ * Authors: Thomas Liu <tliu at fedoraproject.org>
++ */
++
+#define _GNU_SOURCE
+#include <signal.h>
+#include <sys/types.h>
@@ -2239,8 +2312,10 @@ diff --exclude-from=exclude --exclude=se
+#include <pwd.h>
+#include <unistd.h>
+#include <sched.h>
++#include <libcgroup.h>
+#include <string.h>
+#include <stdio.h>
++#include <regex.h>
+#include <stdlib.h>
+#include <cap-ng.h>
+#include <getopt.h> /* for getopt_long() form of getopt() */
@@ -2265,6 +2340,8 @@ diff --exclude-from=exclude --exclude=se
+#define PACKAGE "policycoreutils" /* the name of this package lang translation */
+#endif
+
++#define BUF_SIZE 1024
++
+/**
+ * This function will drop all capabilities
+ * Returns zero on success, non-zero otherwise
@@ -2382,23 +2459,53 @@ diff --exclude-from=exclude --exclude=se
+ return 0;
+}
+
-+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
++#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -t tmpdir ] [ -h homedir ] [-Z CONTEXT] -- executable [args] ")
++
++int sandbox_error(const char *string) {
++ fprintf(stderr, string);
++ syslog(LOG_AUTHPRIV | LOG_ALERT, string);
++ exit(-1);
++
++}
++
++
++int match(const char *string, char *pattern) {
++ int status;
++ regex_t re;
++ if (regcomp(&re, pattern, REG_EXTENDED|REG_NOSUB) != 0) {
++ return 0;
++ }
++ status = regexec(&re, string, (size_t)0, NULL, 0);
++ regfree(&re);
++ if (status != 0) {
++ return 0;
++ }
++ return 1;
++}
++
++void config_error() {
++ fprintf(stderr, "Error parsing config file.");
++ exit(-1);
++}
+
+int main(int argc, char **argv) {
+ int rc;
+ int status = -1;
+
-+ security_context_t scontext;
++ security_context_t scontext = NULL;
+
+ int flag_index; /* flag index in argv[] */
+ int clflag; /* holds codes for command line flags */
+ char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */
+ char *homedir_s = NULL; /* homedir spec'd by user in argv[] */
++ int usecgroups = 0;
+
+ const struct option long_options[] = {
+ {"homedir", 1, 0, 'h'},
+ {"tmpdir", 1, 0, 't'},
+ {"verbose", 1, 0, 'v'},
++ {"cgroups", 1, 0, 'c'},
++ {"context", 1, 0, 'Z'},
+ {NULL, 0, 0, 0}
+ };
+
@@ -2427,7 +2534,7 @@ diff --exclude-from=exclude --exclude=se
+ }
+
+ while (1) {
-+ clflag = getopt_long(argc, argv, "vh:t:", long_options,
++ clflag = getopt_long(argc, argv, "cvh:t:c:m:p:Z:", long_options,
+ &flag_index);
+ if (clflag == -1)
+ break;
@@ -2445,6 +2552,12 @@ diff --exclude-from=exclude --exclude=se
+ case 'v':
+ verbose = 1;
+ break;
++ case 'c':
++ usecgroups = 1;
++ break;
++ case 'Z':
++ scontext = strdup(optarg);
++ break;
+ default:
+ fprintf(stderr, "%s\n", USAGE_STRING);
+ return -1;
@@ -2456,15 +2569,175 @@ diff --exclude-from=exclude --exclude=se
+ return -1;
+ }
+
-+ if (argc - optind < 2) {
-+ fprintf(stderr, _("Error: context and executable required \n %s \n"), USAGE_STRING);
++ if (argc - optind < 1) {
++ fprintf(stderr, _("Error: executable required \n %s \n"), USAGE_STRING);
+ return -1;
+ }
+
-+ scontext = argv[optind++];
+
+ if (set_signal_handles())
+ return -1;
++ if (usecgroups) {
++ char *cpus = NULL; /* which CPUs to use */
++ char *cgroupname = NULL;/* name for the cgroup */
++ char *mem = NULL; /* string for memory amount to pass to cgroup */
++ int64_t memusage = 0; /* amount of memory to use max (percent) */
++ int cpupercentage = 0; /* what percentage of cpu to allow usage */
++ FILE* fp;
++ char buf[BUF_SIZE];
++ char *tok = NULL;
++ const char* fname = "/etc/sysconfig/sandbox";
++
++ if ((fp = fopen(fname, "rt")) == NULL) {
++ fprintf(stderr, "Error opening sandbox config file.");
++ exit(-1);
++ }
++ while(fgets(buf, BUF_SIZE, fp) != NULL) {
++ /* Skip comments */
++ if (buf[0] == '#') continue;
++
++ /* Copy the string, ignoring whitespace */
++ int len = strlen(buf);
++ char *str = malloc((len + 1) * sizeof(char));
++
++ int ind = 0;
++ int i;
++ for (i = 0; i < len; i++) {
++ char cur = buf[i];
++ if (cur != ' ' && cur != '\t') {
++ str[ind] = cur;
++ ind++;
++ }
++ }
++ str[ind] = '\0';
++
++ tok = strtok(str, "=\n");
++ if (tok != NULL) {
++ if (!strcmp(tok, "CPUAFFINITY")) {
++ tok = strtok(NULL, "=\n");
++ cpus = strdup(tok);
++ if (!strcmp(cpus, "ALL")) {
++ cpus = NULL;
++ }
++ } else if (!strcmp(tok, "MEMUSAGE")) {
++ tok = strtok(NULL, "=\n");
++ if (match(tok, "^[0-9]+[kKmMgG%]")) {
++ char *ind = strchr(tok, '%');
++ if (ind != NULL) {
++ *ind = '\0';;
++ memusage = atoi(tok);
++ } else {
++ mem = strdup(tok);
++ }
++ } else {
++ config_error();
++ }
++
++ } else if (!strcmp(tok, "CPUUSAGE")) {
++ tok = strtok(NULL, "=\n");
++ if (match(tok, "^[0-9]+\%")) {
++ char* ind = strchr(tok, '%');
++ *ind = '\0';
++ cpupercentage = atoi(tok);
++ } else {
++ config_error();
++ }
++ } else if (!strcmp(tok, "NAME")) {
++ tok = strtok(NULL, "=\n");
++ cgroupname = strdup(tok);
++ } else {
++ continue;
++ }
++ }
++
++
++ }
++ if (mem == NULL) {
++ long phypz = sysconf(_SC_PHYS_PAGES);
++ long psize = sysconf(_SC_PAGE_SIZE);
++ memusage = phypz * psize * (float) memusage / 100.0;
++ }
++
++ cgroup_init();
++
++ int64_t current_runtime = 0;
++ int64_t current_period = 0 ;
++ int64_t current_mem = 0;
++ char *curr_cpu_path = NULL;
++ char *curr_mem_path = NULL;
++ int ret = cgroup_get_current_controller_path(getpid(), "cpu", &curr_cpu_path);
++ if (ret) {
++ sandbox_error("Error while trying to get current controller path.\n");
++ } else {
++ struct cgroup *curr = cgroup_new_cgroup(curr_cpu_path);
++ cgroup_get_cgroup(curr);
++ cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_runtime_us", ¤t_runtime);
++ cgroup_get_value_int64(cgroup_get_controller(curr, "cpu"), "cpu.rt_period_us", ¤t_period);
++ }
++
++ ret = cgroup_get_current_controller_path(getpid(), "memory", &curr_mem_path);
++ if (ret) {
++ sandbox_error("Error while trying to get current controller path.\n");
++ } else {
++ struct cgroup *curr = cgroup_new_cgroup(curr_mem_path);
++ cgroup_get_cgroup(curr);
++ cgroup_get_value_int64(cgroup_get_controller(curr, "memory"), "memory.limit_in_bytes", ¤t_mem);
++ }
++
++ if (((float) cpupercentage) / 100.0> (float)current_runtime / (float) current_period) {
++ sandbox_error("CPU usage restricted!\n");
++ exit(-1);
++ }
++
++ if (mem == NULL) {
++ if (memusage > current_mem) {
++ sandbox_error("Attempting to use more memory than allowed!");
++ exit(-1);
++ }
++ }
++
++ long nprocs = sysconf(_SC_NPROCESSORS_ONLN);
++
++ struct sched_param sp;
++ sp.sched_priority = sched_get_priority_min(SCHED_FIFO);
++ sched_setscheduler(getpid(), SCHED_FIFO, &sp);
++ struct cgroup *sandbox_group = cgroup_new_cgroup(cgroupname);
++ cgroup_add_controller(sandbox_group, "memory");
++ cgroup_add_controller(sandbox_group, "cpu");
++
++ if (mem == NULL) {
++ if (memusage > 0) {
++ cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", memusage);
++ }
++ } else {
++ cgroup_set_value_string(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", mem);
++ }
++ if (cpupercentage > 0) {
++ cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "cpu"), "cpu.rt_runtime_us",
++ (float) cpupercentage / 100.0 * 60000);
++ cgroup_set_value_uint64(cgroup_get_controller(sandbox_group, "cpu"), "cpu.rt_period_us",60000 * nprocs);
++ }
++ if (cpus != NULL) {
++ cgroup_set_value_string(cgroup_get_controller(sandbox_group, "cpu"), "cgroup.procs",cpus);
++ }
++
++ uint64_t allocated_mem;
++ if (cgroup_get_value_uint64(cgroup_get_controller(sandbox_group, "memory"), "memory.limit_in_bytes", &allocated_mem) > current_mem) {
++ sandbox_error("Attempting to use more memory than allowed!\n");
++ exit(-1);
++ }
++
++
++ int r = cgroup_create_cgroup(sandbox_group, 1);
++ if (r != 0) {
++ sandbox_error("Failed to create group. Ensure that cgconfig service is running. \n");
++ exit(-1);
++ }
++
++
++ cgroup_attach_task(sandbox_group);
++
++ }
+
+ if (unshare(CLONE_NEWNS) < 0) {
+ perror(_("Failed to unshare"));
@@ -2513,11 +2786,13 @@ diff --exclude-from=exclude --exclude=se
+ exit(-1);
+ }
+
-+ if (setexeccon(scontext)) {
-+ fprintf(stderr, _("Could not set exec context to %s.\n"),
-+ scontext);
-+ free(display);
-+ exit(-1);
++ if (scontext) {
++ if (setexeccon(scontext)) {
++ fprintf(stderr, _("Could not set exec context to %s.\n"),
++ scontext);
++ free(display);
++ exit(-1);
++ }
+ }
+
+ if (display)
@@ -2533,8 +2808,10 @@ diff --exclude-from=exclude --exclude=se
+ exit(-1);
+ }
+ setsid();
++
+ execv(argv[optind], argv + optind);
+ free(display);
++ freecon(scontext);
+ perror("execv");
+ exit(-1);
+ } else {
Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/F-13/policycoreutils.spec,v
retrieving revision 1.722
retrieving revision 1.723
diff -u -p -r1.722 -r1.723
--- policycoreutils.spec 7 Jun 2010 21:15:17 -0000 1.722
+++ policycoreutils.spec 15 Jun 2010 17:16:38 -0000 1.723
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.82
-Release: 29%{?dist}
+Release: 31%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -30,7 +30,7 @@ Obsoletes: policycoreutils < 2.0.61-2
%global pkgpythondir %{python_sitelib}/%{name}
-BuildRequires: pam-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
+BuildRequires: pam-devel libcgroup-devel libsepol-static >= %{libsepolver} libsemanage-static >= %{libsemanagever} libselinux-devel >= %{libselinuxver} libcap-devel audit-libs-devel >= %{libauditver} gettext
BuildRequires: desktop-file-utils dbus-devel dbus-glib-devel
BuildRequires: python-devel
Requires: /bin/mount /bin/egrep /bin/awk /usr/bin/diff rpm /bin/sed
@@ -111,7 +111,7 @@ desktop-file-install --vendor fedora \
Summary: SELinux policy core python utilities
Group: System Environment/Base
Requires: policycoreutils = %{version}-%{release}
-Requires: libsemanage-python >= %{libsemanagever} libselinux-python
+Requires: libsemanage-python >= %{libsemanagever} libselinux-python libcgroup
Requires: audit-libs-python >= %{libauditver}
Requires: /usr/bin/make
Requires(pre): python >= 2.6
@@ -140,6 +140,7 @@ The policycoreutils-python package conta
%{_mandir}/man1/audit2allow.1*
%{_mandir}/ru/man1/audit2allow.1*
%{_mandir}/man1/audit2why.1*
+%{_mandir}/man5/sandbox.conf.5*
%{_mandir}/man8/chcat.8*
%{_mandir}/ru/man8/chcat.8*
%{_mandir}/man8/sandbox.8*
@@ -313,6 +314,13 @@ fi
exit 0
%changelog
+* Tue Jun 15 2010 Dan Walsh <dwalsh at redhat.com> 2.0.82-31
+- Fix sepolgen code generation
+Resolve: #603001
+
+* Tue Jun 8 2010 Dan Walsh <dwalsh at redhat.com> 2.0.82-30
+- Add cgroup support for sandbox
+
* Mon Jun 7 2010 Dan Walsh <dwalsh at redhat.com> 2.0.82-29
- Allow creation of /var/cache/DOMAIN from sepolgen
More information about the scm-commits
mailing list