[policycoreutils/f16] Fix the handling of namespaces in seunshare/sandbox. Currently mounting of directories within sandbo

Daniel J Walsh dwalsh at fedoraproject.org
Fri Dec 23 10:58:05 UTC 2011


commit ffc2e23b19a921d9ea2db744e70634e99d590caf
Author: Dan Walsh <dwalsh at redhat.com>
Date:   Fri Dec 23 10:58:01 2011 +0000

    Fix the handling of namespaces in seunshare/sandbox.
    Currently mounting of directories within sandbox is propagating to the
    parent namespace.

 policycoreutils-f17.patch |  179 +++++++++++++++++++++++++++++----------------
 policycoreutils.spec      |    7 ++-
 2 files changed, 123 insertions(+), 63 deletions(-)
---
diff --git a/policycoreutils-f17.patch b/policycoreutils-f17.patch
index b5ef36b..5e32472 100644
--- a/policycoreutils-f17.patch
+++ b/policycoreutils-f17.patch
@@ -1,6 +1,6 @@
 diff -up policycoreutils-2.1.4/audit2allow/audit2allow.f17 policycoreutils-2.1.4/audit2allow/audit2allow
---- policycoreutils-2.1.4/audit2allow/audit2allow.f17	2011-11-29 15:40:33.174601367 -0500
-+++ policycoreutils-2.1.4/audit2allow/audit2allow	2011-11-29 15:40:33.541601556 -0500
+--- policycoreutils-2.1.4/audit2allow/audit2allow.f17	2011-12-23 10:54:40.518003992 +0000
++++ policycoreutils-2.1.4/audit2allow/audit2allow	2011-12-23 10:54:41.290004734 +0000
 @@ -104,7 +104,7 @@ class AuditToPolicy:
          if name:
              options.requires = True
@@ -11,8 +11,8 @@ diff -up policycoreutils-2.1.4/audit2allow/audit2allow.f17 policycoreutils-2.1.4
  
          # Make -M and -o conflict
 diff -up policycoreutils-2.1.4/.gitignore.f17 policycoreutils-2.1.4/.gitignore
---- policycoreutils-2.1.4/.gitignore.f17	2011-08-18 06:52:31.000000000 -0400
-+++ policycoreutils-2.1.4/.gitignore	2011-11-29 15:40:33.542601556 -0500
+--- policycoreutils-2.1.4/.gitignore.f17	2011-08-18 10:52:31.000000000 +0000
++++ policycoreutils-2.1.4/.gitignore	2011-12-23 10:54:41.291004735 +0000
 @@ -9,6 +9,7 @@ semodule_deps/semodule_deps
  semodule_expand/semodule_expand
  semodule_link/semodule_link
@@ -22,8 +22,8 @@ diff -up policycoreutils-2.1.4/.gitignore.f17 policycoreutils-2.1.4/.gitignore
  setfiles/restorecon
  setfiles/setfiles
 diff -up policycoreutils-2.1.4/mcstrans/man/Makefile.f17 policycoreutils-2.1.4/mcstrans/man/Makefile
---- policycoreutils-2.1.4/mcstrans/man/Makefile.f17	2011-08-18 06:52:31.000000000 -0400
-+++ policycoreutils-2.1.4/mcstrans/man/Makefile	2011-11-29 15:40:33.543601557 -0500
+--- policycoreutils-2.1.4/mcstrans/man/Makefile.f17	2011-08-18 10:52:31.000000000 +0000
++++ policycoreutils-2.1.4/mcstrans/man/Makefile	2011-12-23 10:54:41.292004736 +0000
 @@ -1,7 +1,9 @@
  # Installation directories.
  MAN8DIR ?= $(DESTDIR)/usr/share/man/man8
@@ -36,8 +36,8 @@ diff -up policycoreutils-2.1.4/mcstrans/man/Makefile.f17 policycoreutils-2.1.4/m
  	install -m 644 man8/*.8 $(MAN8DIR)
  
 diff -up policycoreutils-2.1.4/newrole/newrole.c.f17 policycoreutils-2.1.4/newrole/newrole.c
---- policycoreutils-2.1.4/newrole/newrole.c.f17	2011-11-29 15:40:33.177601369 -0500
-+++ policycoreutils-2.1.4/newrole/newrole.c	2011-11-29 15:40:33.545601558 -0500
+--- policycoreutils-2.1.4/newrole/newrole.c.f17	2011-12-23 10:54:40.522003996 +0000
++++ policycoreutils-2.1.4/newrole/newrole.c	2011-12-23 10:54:41.294004738 +0000
 @@ -543,13 +543,13 @@ static int restore_environment(int prese
  #if defined(AUDIT_LOG_PRIV) && !defined(NAMESPACE_PRIV)
  static int drop_capabilities(int full)
@@ -56,16 +56,16 @@ diff -up policycoreutils-2.1.4/newrole/newrole.c.f17 policycoreutils-2.1.4/newro
  	if (setresuid(uid, uid, uid)) {
  		fprintf(stderr, _("Error changing uid, aborting.\n"));
 diff -up policycoreutils-2.1.4/restorecond/restorecond_user.conf.f17 policycoreutils-2.1.4/restorecond/restorecond_user.conf
---- policycoreutils-2.1.4/restorecond/restorecond_user.conf.f17	2011-11-29 15:40:33.183601372 -0500
-+++ policycoreutils-2.1.4/restorecond/restorecond_user.conf	2011-11-29 15:40:33.545601558 -0500
+--- policycoreutils-2.1.4/restorecond/restorecond_user.conf.f17	2011-12-23 10:54:40.529004003 +0000
++++ policycoreutils-2.1.4/restorecond/restorecond_user.conf	2011-12-23 10:54:41.295004739 +0000
 @@ -5,3 +5,4 @@
  ~/.fonts/*
  ~/.cache/*
  ~/.config/*
 +~/.local/share/*
 diff -up policycoreutils-2.1.4/restorecond/user.c.f17 policycoreutils-2.1.4/restorecond/user.c
---- policycoreutils-2.1.4/restorecond/user.c.f17	2011-11-29 15:40:33.183601372 -0500
-+++ policycoreutils-2.1.4/restorecond/user.c	2011-11-29 15:40:33.546601558 -0500
+--- policycoreutils-2.1.4/restorecond/user.c.f17	2011-12-23 10:54:40.530004004 +0000
++++ policycoreutils-2.1.4/restorecond/user.c	2011-12-23 10:54:41.296004740 +0000
 @@ -123,6 +123,11 @@ io_channel_callback
         sizeof (buffer),
         &bytes_read);
@@ -110,8 +110,8 @@ diff -up policycoreutils-2.1.4/restorecond/user.c.f17 policycoreutils-2.1.4/rest
  
      read_config(master_fd, watch_file);
 diff -up policycoreutils-2.1.4/sandbox/sandbox.8.f17 policycoreutils-2.1.4/sandbox/sandbox.8
---- policycoreutils-2.1.4/sandbox/sandbox.8.f17	2011-11-29 15:40:33.187601374 -0500
-+++ policycoreutils-2.1.4/sandbox/sandbox.8	2011-11-29 15:40:33.547601559 -0500
+--- policycoreutils-2.1.4/sandbox/sandbox.8.f17	2011-12-23 10:54:40.535004009 +0000
++++ policycoreutils-2.1.4/sandbox/sandbox.8	2011-12-23 10:54:41.297004741 +0000
 @@ -3,11 +3,11 @@
  sandbox \- Run cmd under an SELinux sandbox
  .SH SYNOPSIS
@@ -137,8 +137,8 @@ diff -up policycoreutils-2.1.4/sandbox/sandbox.8.f17 policycoreutils-2.1.4/sandb
  Use control groups to control this copy of sandbox.  Specify parameters in /etc/sysconfig/sandbox.  Max memory usage and cpu usage are to be specified in percent.  You can specify which CPUs to use by numbering them 0,1,2... etc.
  .TP
 diff -up policycoreutils-2.1.4/sandbox/sandbox.f17 policycoreutils-2.1.4/sandbox/sandbox
---- policycoreutils-2.1.4/sandbox/sandbox.f17	2011-11-29 15:40:33.186601373 -0500
-+++ policycoreutils-2.1.4/sandbox/sandbox	2011-11-29 15:40:33.548601559 -0500
+--- policycoreutils-2.1.4/sandbox/sandbox.f17	2011-12-23 10:54:40.534004008 +0000
++++ policycoreutils-2.1.4/sandbox/sandbox	2011-12-23 10:55:51.334071589 +0000
 @@ -118,10 +118,30 @@ def reserve(level):
      sock.bind("\0%s" % level)
      fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
@@ -149,12 +149,12 @@ diff -up policycoreutils-2.1.4/sandbox/sandbox.f17 policycoreutils-2.1.4/sandbox
 +              lowc,highc = level.split(".")
 +              low = int(lowc[1:])
 +              high = int(highc[1:])+1
-+              if high - low < 100:
++              if high - low == 0:
 +                     raise IndexError
-+                     
++
 +              return low,high
 +       except IndexError:
-+              raise ValueError(_("User account must be setup with an MCS Range with more then 100 categories"))
++              raise ValueError(_("User account must be setup with an MCS Range"))
 +
  def gen_mcs():
 -       while True:
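Review bot: The new guard `if high - low == 0:` only rejects a degenerate range, but the category-pair search in gen_mcs (the `total = (total * (total - 1))/2` hunk just below) needs at least two categories: with a single category total is 0, the while loop never runs, and the caller gets the new "Failed to find any unused category sets" ValueError instead of the clearer "must be setup with an MCS Range" message. If gen_mcs indeed requires two distinct categories, `if high - low < 2:` is the check that matches it. Also note that a level with no "." part raises ValueError at the `lowc,highc = level.split(".")` unpack, which the visible `except IndexError:` does not catch unless another handler outside the hunk does. The enclosing function starts outside the hunk.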
@@ -164,8 +164,8 @@ diff -up policycoreutils-2.1.4/sandbox/sandbox.f17 policycoreutils-2.1.4/sandbox
 +
 +       level = None
 +       ctr = 0
-+       total = high-low 
-+       total = (total * total)/2 - total
++       total = high-low
++       total = (total * (total - 1))/2
 +       while ctr < total:
 +              ctr += 1
 +              i1 = random.randrange(low, high)
@@ -180,20 +180,11 @@ diff -up policycoreutils-2.1.4/sandbox/sandbox.f17 policycoreutils-2.1.4/sandbox
 -       return level
 +       if level:
 +              return level
-+       raise ValueError(_("Failed to find any unused categories"))
-+       
++       raise ValueError(_("Failed to find any unused category sets.  Consider a larger MCS range for this user."))
++
  
  def fullpath(cmd):
         for i in [ "/", "./", "../" ]:
-@@ -160,7 +183,7 @@ class Sandbox:
-         self.__level = None
-         self.__homedir = None
-         self.__tmpdir = None
--
-+    
-     def __validate_mount(self):
-            if self.__options.level:
-                   if not self.__options.homedir or not self.__options.tmpdir:
 @@ -263,7 +286,6 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-
  %s
  """) % types
@@ -206,7 +197,7 @@ diff -up policycoreutils-2.1.4/sandbox/sandbox.f17 policycoreutils-2.1.4/sandbox
                            action="callback", callback=self.__mount_callback, 
                            help=_("mount new home and/or tmp directory"))
  
-+        parser.add_option("-d", "--dpi", 
++        parser.add_option("-d", "--dpi",
 +                          dest="dpi", action="store",
 +                          help=_("dots per inch for X display"))
 +
@@ -245,8 +236,8 @@ diff -up policycoreutils-2.1.4/sandbox/sandbox.f17 policycoreutils-2.1.4/sandbox
                                  cmds += [ "--" ] + self.__paths
                           return subprocess.Popen(cmds).wait()
 diff -up policycoreutils-2.1.4/sandbox/sandbox.init.f17 policycoreutils-2.1.4/sandbox/sandbox.init
---- policycoreutils-2.1.4/sandbox/sandbox.init.f17	2011-11-29 15:40:33.189601374 -0500
-+++ policycoreutils-2.1.4/sandbox/sandbox.init	2011-11-29 15:40:33.548601559 -0500
+--- policycoreutils-2.1.4/sandbox/sandbox.init.f17	2011-12-23 10:54:40.537004011 +0000
++++ policycoreutils-2.1.4/sandbox/sandbox.init	2011-12-23 10:54:41.299004743 +0000
 @@ -13,7 +13,7 @@
  # description: sandbox, xguest and other apps that want to use pam_namespace \
  #              require this script be run at boot.  This service script does \
@@ -277,8 +268,8 @@ diff -up policycoreutils-2.1.4/sandbox/sandbox.init.f17 policycoreutils-2.1.4/sa
  	touch $LOCKFILE
  	mount --make-rshared / || return $? 
 diff -up policycoreutils-2.1.4/sandbox/seunshare.c.f17 policycoreutils-2.1.4/sandbox/seunshare.c
---- policycoreutils-2.1.4/sandbox/seunshare.c.f17	2011-11-29 15:40:33.191601375 -0500
-+++ policycoreutils-2.1.4/sandbox/seunshare.c	2011-11-29 15:40:33.549601559 -0500
+--- policycoreutils-2.1.4/sandbox/seunshare.c.f17	2011-12-23 10:54:40.541004015 +0000
++++ policycoreutils-2.1.4/sandbox/seunshare.c	2011-12-23 10:55:01.459024075 +0000
 @@ -5,8 +5,9 @@
  
  #define _GNU_SOURCE
@@ -298,6 +289,17 @@ diff -up policycoreutils-2.1.4/sandbox/seunshare.c.f17 policycoreutils-2.1.4/san
  #include <stdlib.h>
  #include <cap-ng.h>
  #include <getopt.h>		/* for getopt_long() form of getopt() */
+@@ -43,8 +43,8 @@
+ #define MS_REC 1<<14
+ #endif
+ 
+-#ifndef MS_PRIVATE
+-#define MS_PRIVATE 1<<18
++#ifndef MS_SLAVE
++#define MS_SLAVE 1<<19
+ #endif
+ 
+ #ifndef PACKAGE
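Review bot: The fallback `#define MS_SLAVE 1<<19` is an unparenthesized expression, like the existing MS_REC fallback above it; it happens to work in `MS_SLAVE | MS_REC` because `<<` binds tighter than `|`, but it would silently misbehave in an arithmetic or comparison context. Prefer `#define MS_SLAVE (1<<19)`. The value does match the kernel's MS_SLAVE bit, so the fallback is only reached on headers that predate it.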
 @@ -53,7 +53,7 @@
  
  #define BUF_SIZE 1024
@@ -307,7 +309,46 @@ diff -up policycoreutils-2.1.4/sandbox/seunshare.c.f17 policycoreutils-2.1.4/san
  
  static int verbose = 0;
  static int child = 0;
-@@ -959,6 +959,7 @@ int main(int argc, char **argv) {
+@@ -255,7 +255,7 @@ static int verify_shell(const char *shel
+  */
+ static int seunshare_mount(const char *src, const char *dst, struct stat *src_st)
+ {
+-	int flags = MS_REC;
++	int flags = 0;
+ 	int is_tmp = 0;
+ 
+ 	if (verbose)
+@@ -267,14 +267,6 @@ static int seunshare_mount(const char *s
+ 	}
+ 
+ 	/* mount directory */
+-	if (mount(dst, dst,  NULL, MS_BIND | flags, NULL) < 0) {
+-		fprintf(stderr, _("Failed to mount %s on %s: %s\n"), dst, dst, strerror(errno));
+-		return -1;
+-	}
+-	if (mount(dst, dst, NULL, MS_PRIVATE | flags, NULL) < 0) {
+-		fprintf(stderr, _("Failed to make %s private: %s\n"), dst, strerror(errno));
+-		return -1;
+-	}
+ 	if (mount(src, dst, NULL, MS_BIND | flags, NULL) < 0) {
+ 		fprintf(stderr, _("Failed to mount %s on %s: %s\n"), src, dst, strerror(errno));
+ 		return -1;
+@@ -288,14 +280,6 @@ static int seunshare_mount(const char *s
+ 		if (verbose)
+ 			printf(_("Mounting /tmp on /var/tmp\n"));
+ 
+-		if (mount("/var/tmp", "/var/tmp",  NULL, MS_BIND | flags, NULL) < 0) {
+-			fprintf(stderr, _("Failed to mount /var/tmp on /var/tmp: %s\n"), strerror(errno));
+-			return -1;
+-		}
+-		if (mount("/var/tmp", "/var/tmp", NULL, MS_PRIVATE | flags, NULL) < 0) {
+-			fprintf(stderr, _("Failed to make /var/tmp private: %s\n"), strerror(errno));
+-			return -1;
+-		}
+ 		if (mount("/tmp", "/var/tmp",  NULL, MS_BIND | flags, NULL) < 0) {
+ 			fprintf(stderr, _("Failed to mount /tmp on /var/tmp: %s\n"), strerror(errno));
+ 			return -1;
+@@ -959,6 +943,7 @@ int main(int argc, char **argv) {
  
  	if (child == 0) {
  		char *display = NULL;
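Review bot: `int flags = 0;` replaces `MS_REC` in seunshare_mount, so the bind of src on dst (and of /tmp on /var/tmp) is no longer recursive: any mount point already sitting under src is not carried into the sandbox, and the sandboxed process sees the underlying directory in its place. If that is intended now that the namespace root is made a slave, a one-line comment such as `/* non-recursive bind: submounts under src are deliberately not exposed */` would record it; if it is not, `flags` should keep MS_REC. With the value now constant, the `flags` local could also be dropped in favour of the literal flag. seunshare_mount begins and ends outside the hunk.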
@@ -315,7 +356,21 @@ diff -up policycoreutils-2.1.4/sandbox/seunshare.c.f17 policycoreutils-2.1.4/san
  		int rc = -1;
  
  		if (unshare(CLONE_NEWNS) < 0) {
-@@ -984,12 +985,23 @@ int main(int argc, char **argv) {
+@@ -966,6 +951,13 @@ int main(int argc, char **argv) {
+ 			goto childerr;
+ 		}
+ 
++		/* Remount / as SLAVE so that nothing mounted in the namespace 
++		   shows up in the parent */
++		if (mount("/", "/", NULL, MS_SLAVE | MS_REC , NULL) < 0) {
++			fprintf(stderr, _("Failed to make / a SLAVE mountpoint\n"));
++			goto childerr;
++		}
++
+ 		/* assume fsuid==ruid after this point */
+ 		setfsuid(uid);
+ 
+@@ -984,12 +976,23 @@ int main(int argc, char **argv) {
  				goto childerr;
  			}
  		}
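Review bot: The new error path `fprintf(stderr, _("Failed to make / a SLAVE mountpoint\n"));` drops errno, unlike every other mount failure message in this file, which makes an EPERM or EINVAL here hard to diagnose; use `fprintf(stderr, _("Failed to make / a SLAVE mountpoint: %s\n"), strerror(errno));`. The added comment line also carries trailing whitespace. The rslave remount is the right primitive for the bug the commit describes: after unshare(CLONE_NEWNS) the child's copies of the mounts stay in the parent's peer groups when / is shared (sandbox.init makes it rshared, as the `mount --make-rshared /` line earlier in this patch shows), so a bind in the child would propagate back, while as a slave the child still receives the parent's mount events. main continues outside the hunk.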
@@ -339,7 +394,7 @@ diff -up policycoreutils-2.1.4/sandbox/seunshare.c.f17 policycoreutils-2.1.4/san
  		rc |= setenv("HOME", pwd->pw_dir, 1);
  		rc |= setenv("SHELL", pwd->pw_shell, 1);
  		rc |= setenv("USER", pwd->pw_name, 1);
-@@ -1015,6 +1027,7 @@ int main(int argc, char **argv) {
+@@ -1015,6 +1018,7 @@ int main(int argc, char **argv) {
  		fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
  childerr:
  		free(display);
@@ -348,8 +403,8 @@ diff -up policycoreutils-2.1.4/sandbox/seunshare.c.f17 policycoreutils-2.1.4/san
  	}
  
 diff -up policycoreutils-2.1.4/semanage/default_encoding/default_encoding.c.f17 policycoreutils-2.1.4/semanage/default_encoding/default_encoding.c
---- policycoreutils-2.1.4/semanage/default_encoding/default_encoding.c.f17	2011-11-29 15:40:33.193601377 -0500
-+++ policycoreutils-2.1.4/semanage/default_encoding/default_encoding.c	2011-11-29 15:40:33.551601560 -0500
+--- policycoreutils-2.1.4/semanage/default_encoding/default_encoding.c.f17	2011-12-23 10:54:40.545004018 +0000
++++ policycoreutils-2.1.4/semanage/default_encoding/default_encoding.c	2011-12-23 10:54:41.301004745 +0000
 @@ -52,8 +52,6 @@ static PyMethodDef methods[] = {
  PyMODINIT_FUNC
  initdefault_encoding_utf8(void)
@@ -361,8 +416,8 @@ diff -up policycoreutils-2.1.4/semanage/default_encoding/default_encoding.c.f17
 +    Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8");
  }
 diff -up policycoreutils-2.1.4/semanage/semanage.8.f17 policycoreutils-2.1.4/semanage/semanage.8
---- policycoreutils-2.1.4/semanage/semanage.8.f17	2011-08-18 06:52:31.000000000 -0400
-+++ policycoreutils-2.1.4/semanage/semanage.8	2011-11-29 15:40:33.552601561 -0500
+--- policycoreutils-2.1.4/semanage/semanage.8.f17	2011-08-18 10:52:31.000000000 +0000
++++ policycoreutils-2.1.4/semanage/semanage.8	2011-12-23 10:54:41.302004746 +0000
 @@ -163,6 +163,9 @@ SELinux Type for the object
  .I                \-i, \-\-input
  Take a set of commands from a specified file and load them in a single
@@ -374,8 +429,8 @@ diff -up policycoreutils-2.1.4/semanage/semanage.8.f17 policycoreutils-2.1.4/sem
  .SH EXAMPLE
  .nf
 diff -up policycoreutils-2.1.4/semanage/semanage.f17 policycoreutils-2.1.4/semanage/semanage
---- policycoreutils-2.1.4/semanage/semanage.f17	2011-11-29 15:40:33.195601379 -0500
-+++ policycoreutils-2.1.4/semanage/semanage	2011-11-29 15:40:33.553601562 -0500
+--- policycoreutils-2.1.4/semanage/semanage.f17	2011-12-23 10:54:40.547004020 +0000
++++ policycoreutils-2.1.4/semanage/semanage	2011-12-23 10:54:41.303004747 +0000
 @@ -575,3 +575,5 @@ Object-specific Options (see above):
  		errorExit(error.args[1])
  	except OSError, error:
@@ -383,8 +438,8 @@ diff -up policycoreutils-2.1.4/semanage/semanage.f17 policycoreutils-2.1.4/seman
 +	except RuntimeError, error:
 +		errorExit(error.args[0])
 diff -up policycoreutils-2.1.4/semanage/seobject.py.f17 policycoreutils-2.1.4/semanage/seobject.py
---- policycoreutils-2.1.4/semanage/seobject.py.f17	2011-11-29 15:40:33.197601379 -0500
-+++ policycoreutils-2.1.4/semanage/seobject.py	2011-11-29 15:58:16.766275247 -0500
+--- policycoreutils-2.1.4/semanage/seobject.py.f17	2011-12-23 10:54:40.550004023 +0000
++++ policycoreutils-2.1.4/semanage/seobject.py	2011-12-23 10:54:41.307004751 +0000
 @@ -1,5 +1,5 @@
  #! /usr/bin/python -E
 -# Copyright (C) 2005, 2006, 2007, 2008, 2009 Red Hat 
@@ -606,8 +661,8 @@ diff -up policycoreutils-2.1.4/semanage/seobject.py.f17 policycoreutils-2.1.4/se
 -
 +				print "%-30s (%-5s,%5s)  %s" %  (k, on_off[selinux.security_get_boolean_active(k)], on_off[ddict[k][2]], self.get_desc(k))
 diff -up policycoreutils-2.1.4/semodule_package/Makefile.f17 policycoreutils-2.1.4/semodule_package/Makefile
---- policycoreutils-2.1.4/semodule_package/Makefile.f17	2011-11-29 15:40:33.198601379 -0500
-+++ policycoreutils-2.1.4/semodule_package/Makefile	2011-11-29 15:40:33.555601564 -0500
+--- policycoreutils-2.1.4/semodule_package/Makefile.f17	2011-12-23 10:54:40.551004024 +0000
++++ policycoreutils-2.1.4/semodule_package/Makefile	2011-12-23 10:54:41.308004752 +0000
 @@ -24,7 +24,7 @@ install: all
  relabel:
  
@@ -618,8 +673,8 @@ diff -up policycoreutils-2.1.4/semodule_package/Makefile.f17 policycoreutils-2.1
  indent:
  	../../scripts/Lindent $(wildcard *.[ch])
 diff -up policycoreutils-2.1.4/semodule/semodule.8.f17 policycoreutils-2.1.4/semodule/semodule.8
---- policycoreutils-2.1.4/semodule/semodule.8.f17	2011-08-18 06:52:31.000000000 -0400
-+++ policycoreutils-2.1.4/semodule/semodule.8	2011-11-29 15:40:33.556601564 -0500
+--- policycoreutils-2.1.4/semodule/semodule.8.f17	2011-08-18 10:52:31.000000000 +0000
++++ policycoreutils-2.1.4/semodule/semodule.8	2011-12-23 10:54:41.309004752 +0000
 @@ -41,6 +41,9 @@ disable existing module
  .B  \-e,\-\-enable=MODULE_NAME
  enable existing module
@@ -631,8 +686,8 @@ diff -up policycoreutils-2.1.4/semodule/semodule.8.f17 policycoreutils-2.1.4/sem
  remove existing module
  .TP
 diff -up policycoreutils-2.1.4/setfiles/restore.c.f17 policycoreutils-2.1.4/setfiles/restore.c
---- policycoreutils-2.1.4/setfiles/restore.c.f17	2011-11-29 15:40:33.202601381 -0500
-+++ policycoreutils-2.1.4/setfiles/restore.c	2011-11-29 15:40:33.556601564 -0500
+--- policycoreutils-2.1.4/setfiles/restore.c.f17	2011-12-23 10:54:40.556004029 +0000
++++ policycoreutils-2.1.4/setfiles/restore.c	2011-12-23 10:54:41.310004753 +0000
 @@ -1,5 +1,6 @@
  #include "restore.h"
  #include <glob.h>
@@ -854,8 +909,8 @@ diff -up policycoreutils-2.1.4/setfiles/restore.c.f17 policycoreutils-2.1.4/setf
   * Evaluate the association hash table distribution.
   */
 diff -up policycoreutils-2.1.4/setfiles/restorecon.8.f17 policycoreutils-2.1.4/setfiles/restorecon.8
---- policycoreutils-2.1.4/setfiles/restorecon.8.f17	2011-08-18 06:52:32.000000000 -0400
-+++ policycoreutils-2.1.4/setfiles/restorecon.8	2011-11-29 15:40:33.557601564 -0500
+--- policycoreutils-2.1.4/setfiles/restorecon.8.f17	2011-08-18 10:52:32.000000000 +0000
++++ policycoreutils-2.1.4/setfiles/restorecon.8	2011-12-23 10:54:41.311004754 +0000
 @@ -4,22 +4,27 @@ restorecon \- restore file(s) default SE
  
  .SH "SYNOPSIS"
@@ -914,8 +969,8 @@ diff -up policycoreutils-2.1.4/setfiles/restorecon.8.f17 policycoreutils-2.1.4/s
  .SH "ARGUMENTS"
  .B pathname...
 diff -up policycoreutils-2.1.4/setfiles/restore.h.f17 policycoreutils-2.1.4/setfiles/restore.h
---- policycoreutils-2.1.4/setfiles/restore.h.f17	2011-11-29 15:40:33.203601382 -0500
-+++ policycoreutils-2.1.4/setfiles/restore.h	2011-11-29 15:40:33.558601564 -0500
+--- policycoreutils-2.1.4/setfiles/restore.h.f17	2011-12-23 10:54:40.557004030 +0000
++++ policycoreutils-2.1.4/setfiles/restore.h	2011-12-23 10:54:41.312004755 +0000
 @@ -40,6 +40,7 @@ struct restore_opts {
  	int fts_flags; /* Flags to fts, e.g. follow links, follow mounts */
  	const char *selabel_opt_validate;
@@ -925,8 +980,8 @@ diff -up policycoreutils-2.1.4/setfiles/restore.h.f17 policycoreutils-2.1.4/setf
  
  void restore_init(struct restore_opts *opts);
 diff -up policycoreutils-2.1.4/setfiles/setfiles.8.f17 policycoreutils-2.1.4/setfiles/setfiles.8
---- policycoreutils-2.1.4/setfiles/setfiles.8.f17	2011-08-18 06:52:32.000000000 -0400
-+++ policycoreutils-2.1.4/setfiles/setfiles.8	2011-11-29 15:40:33.558601564 -0500
+--- policycoreutils-2.1.4/setfiles/setfiles.8.f17	2011-08-18 10:52:32.000000000 +0000
++++ policycoreutils-2.1.4/setfiles/setfiles.8	2011-12-23 10:54:41.313004756 +0000
 @@ -4,7 +4,7 @@ setfiles \- set file SELinux security co
  
  .SH "SYNOPSIS"
@@ -973,8 +1028,8 @@ diff -up policycoreutils-2.1.4/setfiles/setfiles.8.f17 policycoreutils-2.1.4/set
  .B \-W
  display warnings about entries that had no matching files.
 diff -up policycoreutils-2.1.4/setfiles/setfiles.c.f17 policycoreutils-2.1.4/setfiles/setfiles.c
---- policycoreutils-2.1.4/setfiles/setfiles.c.f17	2011-11-29 15:40:33.203601382 -0500
-+++ policycoreutils-2.1.4/setfiles/setfiles.c	2011-11-29 15:40:33.559601564 -0500
+--- policycoreutils-2.1.4/setfiles/setfiles.c.f17	2011-12-23 10:54:40.558004031 +0000
++++ policycoreutils-2.1.4/setfiles/setfiles.c	2011-12-23 10:54:41.314004757 +0000
 @@ -39,7 +39,7 @@ void usage(const char *const name)
  {
  	if (iamrestorecon) {
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 00e5f35..036ee0f 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.4
-Release: 12%{?dist}
+Release: 13%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -354,6 +354,11 @@ fi
 /bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Fri Dec 23 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.4-13
+- Fix the handling of namespaces in seunshare/sandbox.
+- Currently mounting of directories within sandbox is propogating to the 
+- parent namesspace.
+
 * Tue Nov 29 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.4-12
 - Fix dpi handling in sandbox 
 - Make sure semanage fcontext -l -C prints if only local equiv have changed

