[policycoreutils] Add umount code to seunshare to cleanup left over mounts of /var/tmp

Daniel J Walsh dwalsh at fedoraproject.org
Thu Dec 22 19:00:04 UTC 2011


commit 65250077476416d407ea7292ff6454fc5a27961b
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Thu Dec 22 18:59:59 2011 +0000

    Add umount code to seunshare to cleanup left over mounts of /var/tmp

 policycoreutils-rhat.patch |   69 ++++++++++++++++++++++++++++++++++---------
 policycoreutils.spec       |   15 +++++++--
 2 files changed, 65 insertions(+), 19 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index a544da3..f73410d 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -63,27 +63,66 @@ index 89f5d97..dfd9629 100644
  
  	restore_init(&r_opts);
 diff --git a/policycoreutils/run_init/run_init.c b/policycoreutils/run_init/run_init.c
-index 9db766c..068e24c 100644
+index 9db766c..92034be 100644
 --- a/policycoreutils/run_init/run_init.c
 +++ b/policycoreutils/run_init/run_init.c
-@@ -414,10 +414,17 @@ int main(int argc, char *argv[])
- 	 * execvp or using a exec(1) recycles pty's, and does not open a new
- 	 * one. 
- 	 */
-+#ifdef USE_OPEN_INIT_PTY
- 	if (execvp("/usr/sbin/open_init_pty", argv)) {
- 		perror("execvp");
+@@ -406,6 +406,13 @@ int main(int argc, char *argv[])
+ 			new_context);
  		exit(-1);
  	}
-+#else
-+	if (execvp(argv[1], argv + 1)) {
-+		perror("execvp");
-+		exit(-1);
++	if (! access("/usr/sbin/open_init_pty", X_OK)) {
++		if (execvp(argv[1], argv + 1)) {
++			perror("execvp");
++			exit(-1);
++		}
++		return 0;
 +	}
-+#endif
- 	return 0;
+ 	/*
+ 	 * Do not execvp the command directly from run_init; since it would run
+ 	 * under with a pty under sysadm_devpts_t. Instead, we call open_init_tty,
+diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
+index c493e98..0bc35f3 100644
+--- a/policycoreutils/sandbox/seunshare.c
++++ b/policycoreutils/sandbox/seunshare.c
+@@ -59,7 +59,7 @@ static int verbose = 0;
+ static int child = 0;
+ 
+ static capng_select_t cap_set = CAPNG_SELECT_BOTH;
+-
++static int var_tmp_mounted = 0;
+ /**
+  * This function will drop all capabilities.
+  */
+@@ -292,6 +292,8 @@ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st
+ 			fprintf(stderr, _("Failed to mount /var/tmp on /var/tmp: %s\n"), strerror(errno));
+ 			return -1;
+ 		}
++		var_tmp_mounted = 1;
++
+ 		if (mount("/var/tmp", "/var/tmp", NULL, MS_PRIVATE | flags, NULL) < 0) {
+ 			fprintf(stderr, _("Failed to make /var/tmp private: %s\n"), strerror(errno));
+ 			return -1;
+@@ -1031,12 +1033,18 @@ childerr:
+ 		exit(-1);
+ 	}
+ 
+-	drop_caps();
+-
+ 	/* parent waits for child exit to do the cleanup */
+ 	waitpid(child, &status, 0);
+ 	status_to_retval(status, status);
+ 
++	if (var_tmp_mounted) {
++		/* attempt to umount /var/tmp twice on exit */
++		if (umount("/var/tmp") < 0) perror("umount /var/tmp");
++		if (umount("/var/tmp") < 0) perror("umount /var/tmp");
++	}
++
++	drop_caps();
++
+ 	/* Make sure all child processes exit */
+ 	kill(-child,SIGTERM);
  
- }				/* main() */
 diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
 index ab696a7..58b19cd 100644
 --- a/policycoreutils/scripts/genhomedircon
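Review bot: The `access()` test added to run_init.c's main() looks inverted: `access()` returns 0 when the file is executable, so `if (! access("/usr/sbin/open_init_pty", X_OK))` execs the command directly exactly when open_init_pty is installed, and falls through to the open_init_pty path when it is missing. Since the spec in this commit removes /usr/sbin/open_init_pty, the fall-through presumably ends in a failed exec (that code lies outside the hunk); the test should read `if (access("/usr/sbin/open_init_pty", X_OK) != 0) {`. In seunshare.c, moving `drop_caps()` below `waitpid()` means the parent keeps its capabilities for the child's whole lifetime, which deserves a comment saying this is needed for the umount. `var_tmp_mounted` is also set inside seunshare_mount(); if that runs in the forked child (not visible here), the parent's copy stays 0 and the umount never runs.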
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 85ba308..4cd2c09 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.10
-Release: 1%{?dist}
+Release: 3%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -107,6 +107,10 @@ install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/selinux-polgengui
 install -m 644 %{SOURCE5} %{buildroot}%{_sysconfdir}/security/console.apps/system-config-selinux
 tar -jxf %{SOURCE8} -C %{buildroot}/
 rm -f %{buildroot}/usr/share/man/ru/man8/genhomedircon.8.gz
+rm -f %{buildroot}/usr/share/man/ru/man8/open_init_pty.8.gz
+rm -f %{buildroot}/usr/share/man/man8/open_init_pty.8
+rm -f %{buildroot}/usr/sbin/open_init_pty
+
 ln -sf consolehelper %{buildroot}%{_bindir}/system-config-selinux
 ln -sf /usr/share/system-config-selinux/polgengui.py %{buildroot}%{_bindir}/selinux-polgengui
 %{__mkdir} -p %{buildroot}%{_sysconfdir}/bash_completion.d/
@@ -267,7 +271,6 @@ rm -rf %{buildroot}
 %{_sbindir}/semodule
 %{_sbindir}/sestatus
 %{_sbindir}/run_init
-%{_sbindir}/open_init_pty
 %{_bindir}/secon
 %{_bindir}/semodule_deps
 %{_bindir}/semodule_expand
@@ -285,8 +288,6 @@ rm -rf %{buildroot}
 %{_mandir}/ru/man8/fixfiles.8*
 %{_mandir}/man8/load_policy.8*
 %{_mandir}/ru/man8/load_policy.8*
-%{_mandir}/man8/open_init_pty.8*
-%{_mandir}/ru/man8/open_init_pty.8*
 %{_mandir}/man8/restorecon.8*
 %{_mandir}/ru/man8/restorecon.8*
 %{_mandir}/man8/run_init.8*
@@ -355,6 +356,12 @@ fi
 /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Thu Dec 22 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.10-3
+- Add umount code to seunshare to cleanup left over mounts of /var/tmp
+
+* Wed Dec 21 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.10-2
+- Remove open_init_pty
+
 * Wed Dec 21 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.10-1
 -Update to upstream
 - sepolgen

