[policycoreutils] - Fix newrole hanlding of pcap
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Jan 21 20:11:42 UTC 2011
commit e764b2d2b6a3e130213792df2a3ab364d3173e7b
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Jan 21 15:11:31 2011 -0500
- Fix newrole handling of pcap
policycoreutils-rhat.patch | 1157 ++++++++++++++++++++++++++++++++++++++++++++
policycoreutils.spec | 5 +-
2 files changed, 1161 insertions(+), 1 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index d1f0a4d..424cfbd 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -288,6 +288,34 @@ index 03f95a1..5986b23 100644
if_set.to_file(f)
f.close()
+diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c
+index 2d31d64..e985289 100644
+--- a/policycoreutils/newrole/newrole.c
++++ b/policycoreutils/newrole/newrole.c
+@@ -586,7 +586,7 @@ static int drop_capabilities(int full)
+ return -1;
+ }
+ if (! full)
+- capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE);
++ capng_update(CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_SYS_ADMIN | CAP_FOWNER | CAP_CHOWN | CAP_DAC_OVERRIDE | CAP_SETPCAP );
+ return capng_apply(CAPNG_SELECT_BOTH);
+ }
+
+@@ -1030,8 +1030,13 @@ int main(int argc, char *argv[])
+ * if it makes sense to continue to run newrole, and setting up
+ * a scrubbed environment.
+ */
+- if (drop_capabilities(FALSE))
++
++/* if (drop_capabilities(FALSE)) {
++ fprintf(stderr, _("Sorry, newrole failed to drop capabilities\n"));
++ perror("");
+ return -1;
++ }
++*/
+ if (set_signal_handles())
+ return -1;
+
diff --git a/policycoreutils/restorecond/Makefile b/policycoreutils/restorecond/Makefile
index 3f235e6..7552668 100644
--- a/policycoreutils/restorecond/Makefile
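Review bot: The second change in this hunk comments out the `drop_capabilities(FALSE)` call in main(), so newrole now keeps its entire capability set for the rest of its run instead of being reduced to the four (now five) listed in the `!full` branch; that is a privilege-retention regression rather than a fix of the pcap handling the commit title describes. The first change, adding `CAP_SETPCAP` to the permitted/effective set, looks like the actual fix needed for a later capability change to succeed, and with it in place the guarded call can be restored: `if (drop_capabilities(FALSE)) { fprintf(stderr, _("Sorry, newrole failed to drop capabilities\n")); perror(""); return -1; }`. Commented-out code should not be carried in the patch in any case. Both drop_capabilities and main begin and end outside the hunk.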
@@ -338,6 +366,15 @@ index 3f235e6..7552668 100644
relabel: install
/sbin/restorecon $(SBINDIR)/restorecond
+diff --git a/policycoreutils/restorecond/org.selinux.Restorecond.service b/policycoreutils/restorecond/org.selinux.Restorecond.service
+new file mode 100644
+index 0000000..0ef5f0b
+--- /dev/null
++++ b/policycoreutils/restorecond/org.selinux.Restorecond.service
+@@ -0,0 +1,3 @@
++[D-BUS Service]
++Name=org.selinux.Restorecond
++Exec=/usr/sbin/restorecond -u
diff --git a/policycoreutils/restorecond/restorecond.8 b/policycoreutils/restorecond/restorecond.8
index b149dcb..0c14c94 100644
--- a/policycoreutils/restorecond/restorecond.8
@@ -896,6 +933,19 @@ index 3fc9376..58b723a 100644
/root/.ssh/*
-
-
+diff --git a/policycoreutils/restorecond/restorecond.desktop b/policycoreutils/restorecond/restorecond.desktop
+new file mode 100644
+index 0000000..23ff89d
+--- /dev/null
++++ b/policycoreutils/restorecond/restorecond.desktop
+@@ -0,0 +1,7 @@
++[Desktop Entry]
++Name=File Context maintainer
++Exec=/usr/sbin/restorecond -u
++Comment=Fix file context in owned by the user
++Encoding=UTF-8
++Type=Application
++StartupNotify=false
diff --git a/policycoreutils/restorecond/restorecond.h b/policycoreutils/restorecond/restorecond.h
index e1666bf..8c85ef0 100644
--- a/policycoreutils/restorecond/restorecond.h
@@ -957,6 +1007,264 @@ index b966db6..775c52b 100644
exit $RETVAL
-
+diff --git a/policycoreutils/restorecond/restorecond_user.conf b/policycoreutils/restorecond/restorecond_user.conf
+new file mode 100644
+index 0000000..f88a29a
+--- /dev/null
++++ b/policycoreutils/restorecond/restorecond_user.conf
+@@ -0,0 +1,7 @@
++~/*
++~/public_html/*
++~/.gnome2/*
++~/local/*
++~/.fonts/*
++~/.cache/*
++
+diff --git a/policycoreutils/restorecond/user.c b/policycoreutils/restorecond/user.c
+new file mode 100644
+index 0000000..272479a
+--- /dev/null
++++ b/policycoreutils/restorecond/user.c
+@@ -0,0 +1,239 @@
++/*
++ * restorecond
++ *
++ * Copyright (C) 2006-2009 Red Hat
++ * see file 'COPYING' for use and warranty information
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation; either version 2 of
++ * the License, or (at your option) any later version.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++.*
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
++ * 02111-1307 USA
++ *
++ * Authors:
++ * Dan Walsh <dwalsh at redhat.com>
++ *
++*/
++
++#define _GNU_SOURCE
++#include <sys/inotify.h>
++#include <errno.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <signal.h>
++#include <string.h>
++#include <unistd.h>
++#include <ctype.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <syslog.h>
++#include <limits.h>
++#include <fcntl.h>
++
++#include "restorecond.h"
++#include "stringslist.h"
++#include <glib.h>
++#ifdef HAVE_DBUS
++#include <dbus/dbus.h>
++#include <dbus/dbus-glib.h>
++#include <dbus/dbus-glib-lowlevel.h>
++
++static DBusHandlerResult signal_filter (DBusConnection *connection, DBusMessage *message, void *user_data);
++
++static const char *PATH="/org/selinux/Restorecond";
++//static const char *BUSNAME="org.selinux.Restorecond";
++static const char *INTERFACE="org.selinux.RestorecondIface";
++static const char *RULE="type='signal',interface='org.selinux.RestorecondIface'";
++
++
++static DBusHandlerResult
++signal_filter (DBusConnection *connection __attribute__ ((__unused__)), DBusMessage *message, void *user_data)
++{
++ /* User data is the event loop we are running in */
++ GMainLoop *loop = user_data;
++
++ /* A signal from the bus saying we are about to be disconnected */
++ if (dbus_message_is_signal
++ (message, INTERFACE, "Stop")) {
++
++ /* Tell the main loop to quit */
++ g_main_loop_quit (loop);
++ /* We have handled this message, don't pass it on */
++ return DBUS_HANDLER_RESULT_HANDLED;
++ }
++ /* A Ping signal on the com.burtonini.dbus.Signal interface */
++ else if (dbus_message_is_signal (message, INTERFACE, "Start")) {
++ DBusError error;
++ dbus_error_init (&error);
++ g_print("Start received\n");
++ return DBUS_HANDLER_RESULT_HANDLED;
++ }
++ return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;
++}
++
++static int dbus_server(GMainLoop *loop) {
++ DBusConnection *bus;
++ DBusError error;
++ dbus_error_init (&error);
++ bus = dbus_bus_get (DBUS_BUS_SESSION, &error);
++ if (bus) {
++ dbus_connection_setup_with_g_main (bus, NULL);
++
++ /* listening to messages from all objects as no path is specified */
++ dbus_bus_add_match (bus, RULE, &error); // see signals from the given interfacey
++ dbus_connection_add_filter (bus, signal_filter, loop, NULL);
++ return 0;
++ }
++ return -1;
++}
++
++#endif
++#include <selinux/selinux.h>
++#include <sys/file.h>
++
++/* size of the event structure, not counting name */
++#define EVENT_SIZE (sizeof (struct inotify_event))
++/* reasonable guess as to size of 1024 events */
++#define BUF_LEN (1024 * (EVENT_SIZE + 16))
++
++static gboolean
++io_channel_callback
++ (GIOChannel *source,
++ GIOCondition condition,
++ gpointer data __attribute__((__unused__)))
++{
++
++ char buffer[BUF_LEN+1];
++ gsize bytes_read;
++ unsigned int i = 0;
++
++ if (condition & G_IO_IN) {
++ /* Data is available. */
++ g_io_channel_read
++ (source, buffer,
++ sizeof (buffer),
++ &bytes_read);
++
++ while (i < bytes_read) {
++ struct inotify_event *event;
++ event = (struct inotify_event *)&buffer[i];
++ if (debug_mode)
++ printf("wd=%d mask=%u cookie=%u len=%u\n",
++ event->wd, event->mask,
++ event->cookie, event->len);
++ if (event->len)
++ watch_list_find(event->wd, event->name);
++
++ i += EVENT_SIZE + event->len;
++ }
++ }
++
++ /* An error happened while reading
++ the file. */
++
++ if (condition & G_IO_NVAL)
++ return FALSE;
++
++ /* We have reached the end of the
++ file. */
++
++ if (condition & G_IO_HUP) {
++ g_io_channel_close (source);
++ return FALSE;
++ }
++
++ /* Returning TRUE will make sure
++ the callback remains associated
++ to the channel. */
++
++ return TRUE;
++}
++
++int start() {
++#ifdef HAVE_DBUS
++ DBusConnection *bus;
++ DBusError error;
++ DBusMessage *message;
++
++ /* Get a connection to the session bus */
++ dbus_error_init (&error);
++ bus = dbus_bus_get (DBUS_BUS_SESSION, &error);
++ if (!bus) {
++ if (debug_mode)
++ g_warning ("Failed to connect to the D-BUS daemon: %s", error.message);
++ dbus_error_free (&error);
++ return 1;
++ }
++
++
++ /* Create a new signal "Start" on the interface,
++ * from the object */
++ message = dbus_message_new_signal (PATH,
++ INTERFACE, "Start");
++ /* Send the signal */
++ dbus_connection_send (bus, message, NULL);
++ /* Free the signal now we have finished with it */
++ dbus_message_unref (message);
++#endif /* HAVE_DBUS */
++ return 0;
++}
++
++static int local_server() {
++ // ! dbus, run as local service
++ char *ptr=NULL;
++ asprintf(&ptr, "%s/.restorecond", homedir);
++ int fd = open(ptr, O_CREAT | O_WRONLY | O_NOFOLLOW, S_IRUSR | S_IWUSR);
++ if (debug_mode)
++ g_warning ("Lock file: %s", ptr);
++
++ free(ptr);
++ if (fd < 0) {
++ if (debug_mode)
++ perror("open");
++ return -1;
++ }
++ if (flock(fd, LOCK_EX | LOCK_NB) < 0) {
++ if (debug_mode)
++ perror("flock");
++ return -1;
++ }
++ return 0;
++}
++
++int server(int master_fd, const char *watch_file) {
++ GMainLoop *loop;
++
++ loop = g_main_loop_new (NULL, FALSE);
++
++#ifdef HAVE_DBUS
++ if (dbus_server(loop) != 0)
++#endif /* HAVE_DBUS */
++ if (local_server(loop) != 0)
++ return 0;
++
++ read_config(master_fd, watch_file);
++
++ if (watch_list_isempty()) return 0;
++
++ set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
++
++ GIOChannel *c = g_io_channel_unix_new(master_fd);
++
++ g_io_add_watch_full( c,
++ G_PRIORITY_HIGH,
++ G_IO_IN|G_IO_ERR|G_IO_HUP,
++ io_channel_callback, NULL, NULL);
++
++ g_main_loop_run (loop);
++ return 0;
++}
++
diff --git a/policycoreutils/restorecond/utmpwatcher.c b/policycoreutils/restorecond/utmpwatcher.c
index f182c22..feddb5a 100644
--- a/policycoreutils/restorecond/utmpwatcher.c
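Review bot: In local_server() the `asprintf(&ptr, "%s/.restorecond", homedir)` result is unchecked, so on failure `ptr` stays NULL and is passed to open(); it should be `if (asprintf(&ptr, "%s/.restorecond", homedir) < 0) return -1;`. The same function leaks the lock-file descriptor on the flock failure path, so add `close(fd);` before that `return -1;`, and it is declared as `local_server()` with no parameters while server() calls it as `local_server(loop)` — make the two agree. In io_channel_callback, `gsize bytes_read;` is never initialized and the `g_io_channel_read` status is ignored, so a failed read loops over garbage; initialize it with `gsize bytes_read = 0;` and only enter the event loop when the read reports success. Note also that the match rule and signal_filter accept a `Stop` signal from any peer on the session bus with no sender check, so any process in the same session can stop the daemon; that is presumably within the intended trust boundary but worth a comment.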
@@ -971,6 +1279,282 @@ index f182c22..feddb5a 100644
strings_list_free(prev_utmp_ptr);
}
return changed;
+diff --git a/policycoreutils/restorecond/watch.c b/policycoreutils/restorecond/watch.c
+new file mode 100644
+index 0000000..c0caab2
+--- /dev/null
++++ b/policycoreutils/restorecond/watch.c
+@@ -0,0 +1,270 @@
++#define _GNU_SOURCE
++#include <sys/inotify.h>
++#include <errno.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <unistd.h>
++#include <ctype.h>
++#include <sys/types.h>
++#include <syslog.h>
++#include "../setfiles/restore.h"
++#include <glob.h>
++#include <libgen.h>
++#include <sys/stat.h>
++#include <string.h>
++#include <stdio.h>
++#include <fcntl.h>
++#include <selinux/selinux.h>
++#include "restorecond.h"
++#include "stringslist.h"
++#include "utmpwatcher.h"
++
++/* size of the event structure, not counting name */
++#define EVENT_SIZE (sizeof (struct inotify_event))
++/* reasonable guess as to size of 1024 events */
++#define BUF_LEN (1024 * (EVENT_SIZE + 16))
++
++
++struct watchList {
++ struct watchList *next;
++ int wd;
++ char *dir;
++ struct stringsList *files;
++};
++struct watchList *firstDir = NULL;
++
++int watch_list_isempty() {
++ return firstDir == NULL;
++}
++
++void watch_list_add(int fd, const char *path)
++{
++ struct watchList *ptr = NULL;
++ size_t i = 0;
++ struct watchList *prev = NULL;
++ glob_t globbuf;
++ char *x = strdup(path);
++ if (!x) exitApp("Out of Memory");
++ char *file = basename(x);
++ char *dir = dirname(x);
++ ptr = firstDir;
++
++ if (exclude(path)) return;
++
++ globbuf.gl_offs = 1;
++ if (glob(path,
++ GLOB_TILDE | GLOB_PERIOD,
++ NULL,
++ &globbuf) >= 0) {
++ for (i=0; i < globbuf.gl_pathc; i++) {
++ int len = strlen(globbuf.gl_pathv[i]) -2;
++ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0) continue;
++ if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0) continue;
++ if (process_one_realpath(globbuf.gl_pathv[i], 0) > 0)
++ process_one_realpath(globbuf.gl_pathv[i], 1);
++ }
++ globfree(&globbuf);
++ }
++
++ while (ptr != NULL) {
++ if (strcmp(dir, ptr->dir) == 0) {
++ strings_list_add(&ptr->files, file);
++ free(x);
++ return;
++ }
++ prev = ptr;
++ ptr = ptr->next;
++ }
++ ptr = calloc(1, sizeof(struct watchList));
++
++ if (!ptr) exitApp("Out of Memory");
++
++ ptr->wd = inotify_add_watch(fd, dir, IN_CREATE | IN_MOVED_TO);
++ if (ptr->wd == -1) {
++ free(ptr);
++ free(x);
++ if (! run_as_user)
++ syslog(LOG_ERR, "Unable to watch (%s) %s\n",
++ path, strerror(errno));
++ return;
++ }
++
++ ptr->dir = strdup(dir);
++ if (!ptr->dir)
++ exitApp("Out of Memory");
++
++ strings_list_add(&ptr->files, file);
++ if (prev)
++ prev->next = ptr;
++ else
++ firstDir = ptr;
++
++ if (debug_mode)
++ printf("%d: Dir=%s, File=%s\n", ptr->wd, ptr->dir, file);
++
++ free(x);
++}
++
++/*
++ A file was in a direcroty has been created. This function checks to
++ see if it is one that we are watching.
++*/
++
++int watch_list_find(int wd, const char *file)
++{
++ struct watchList *ptr = NULL;
++ ptr = firstDir;
++ if (debug_mode)
++ printf("%d: File=%s\n", wd, file);
++ while (ptr != NULL) {
++ if (ptr->wd == wd) {
++ int exact=0;
++ if (strings_list_find(ptr->files, file, &exact) == 0) {
++ char *path = NULL;
++ if (asprintf(&path, "%s/%s", ptr->dir, file) <
++ 0)
++ exitApp("Error allocating memory.");
++
++ process_one_realpath(path, 0);
++ free(path);
++ return 0;
++ }
++ if (debug_mode)
++ strings_list_print(ptr->files);
++
++ /* Not found in this directory */
++ return -1;
++ }
++ ptr = ptr->next;
++ }
++ /* Did not find a directory */
++ return -1;
++}
++
++void watch_list_free(int fd)
++{
++ struct watchList *ptr = NULL;
++ struct watchList *prev = NULL;
++ ptr = firstDir;
++
++ while (ptr != NULL) {
++ inotify_rm_watch(fd, ptr->wd);
++ strings_list_free(ptr->files);
++ free(ptr->dir);
++ prev = ptr;
++ ptr = ptr->next;
++ free(prev);
++ }
++ firstDir = NULL;
++}
++
++/*
++ Inotify watch loop
++*/
++int watch(int fd, const char *watch_file)
++{
++ char buf[BUF_LEN];
++ int len, i = 0;
++ if (firstDir == NULL) return 0;
++
++ len = read(fd, buf, BUF_LEN);
++ if (len < 0) {
++ if (terminate == 0) {
++ syslog(LOG_ERR, "Read error (%s)", strerror(errno));
++ return 0;
++ }
++ syslog(LOG_ERR, "terminated");
++ return -1;
++ } else if (!len)
++ /* BUF_LEN too small? */
++ return -1;
++ while (i < len) {
++ struct inotify_event *event;
++ event = (struct inotify_event *)&buf[i];
++ if (debug_mode)
++ printf("wd=%d mask=%u cookie=%u len=%u\n",
++ event->wd, event->mask,
++ event->cookie, event->len);
++ if (event->wd == master_wd)
++ read_config(fd, watch_file);
++ else {
++ switch (utmpwatcher_handle(fd, event->wd)) {
++ case -1: /* Message was not for utmpwatcher */
++ if (event->len)
++ watch_list_find(event->wd, event->name);
++ break;
++ case 1: /* utmp has changed need to reload */
++ read_config(fd, watch_file);
++ break;
++
++ default: /* No users logged in or out */
++ break;
++ }
++ }
++
++ i += EVENT_SIZE + event->len;
++ }
++ return 0;
++}
++
++static void process_config(int fd, FILE * cfg)
++{
++ char *line_buf = NULL;
++ size_t len = 0;
++
++ while (getline(&line_buf, &len, cfg) > 0) {
++ char *buffer = line_buf;
++ while (isspace(*buffer))
++ buffer++;
++ if (buffer[0] == '#')
++ continue;
++ int l = strlen(buffer) - 1;
++ if (l <= 0)
++ continue;
++ buffer[l] = 0;
++ if (buffer[0] == '~') {
++ if (run_as_user) {
++ char *ptr=NULL;
++ asprintf(&ptr, "%s%s", homedir, &buffer[1]);
++ watch_list_add(fd, ptr);
++ free(ptr);
++ } else {
++ utmpwatcher_add(fd, &buffer[1]);
++ }
++ } else {
++ watch_list_add(fd, buffer);
++ }
++ }
++ free(line_buf);
++}
++
++/*
++ Read config file ignoring Comment lines
++ Files specified one per line. Files with "~" will be expanded to the logged in users
++ homedirs.
++*/
++
++void read_config(int fd, const char *watch_file_path)
++{
++
++ FILE *cfg = NULL;
++ if (debug_mode)
++ printf("Read Config\n");
++
++ watch_list_free(fd);
++
++ cfg = fopen(watch_file_path, "r");
++ if (!cfg){
++ perror(watch_file_path);
++ exitApp("Error reading config file");
++ }
++ process_config(fd, cfg);
++ fclose(cfg);
++
++ inotify_rm_watch(fd, master_wd);
++ master_wd =
++ inotify_add_watch(fd, watch_file_path, IN_MOVED_FROM | IN_MODIFY);
++ if (master_wd == -1)
++ exitApp("Error watching config file.");
++}
diff --git a/policycoreutils/sandbox/Makefile b/policycoreutils/sandbox/Makefile
index ff0ee7c..0c8a085 100644
--- a/policycoreutils/sandbox/Makefile
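Review bot: In process_config(), `buffer[l] = 0;` unconditionally drops the last character of every line, which mangles a final line that has no trailing newline; guard it with `if (buffer[l] == '\n') buffer[l] = 0;`. In the same function the `asprintf(&ptr, "%s%s", homedir, &buffer[1])` return is unchecked, so on failure `watch_list_add(fd, NULL)` reaches `strdup(NULL)`; use `if (asprintf(&ptr, "%s%s", homedir, &buffer[1]) < 0) exitApp("Out of Memory");` as the rest of the file does for allocation failures. watch_list_add() also leaks `x` on the `if (exclude(path)) return;` path because the strdup happens before the exclude check; moving the check above the strdup fixes it. `isspace(*buffer)` should take `(unsigned char)*buffer` to avoid negative-index lookup on high-bit bytes.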
@@ -1303,6 +1887,65 @@ index 1479364..73d33b3 100644
+.I Dan Walsh <dwalsh at redhat.com>
+and
+.I Thomas Liu <tliu at fedoraproject.org>
+diff --git a/policycoreutils/sandbox/sandbox.conf b/policycoreutils/sandbox/sandbox.conf
+new file mode 100644
+index 0000000..7c35808
+--- /dev/null
++++ b/policycoreutils/sandbox/sandbox.conf
+@@ -0,0 +1,7 @@
++# Space separate list of homedirs
++HOMEDIRS="/home"
++# Control group configuration
++NAME=sandbox
++CPUAFFINITY=ALL
++MEMUSAGE=80%
++CPUUSAGE=80%
+diff --git a/policycoreutils/sandbox/sandbox.conf.5 b/policycoreutils/sandbox/sandbox.conf.5
+new file mode 100644
+index 0000000..ee97e10
+--- /dev/null
++++ b/policycoreutils/sandbox/sandbox.conf.5
+@@ -0,0 +1,40 @@
++.TH sandbox.conf "5" "June 2010" "sandbox.conf" "Linux System Administration"
++.SH NAME
++sandbox.conf \- user config file for the SELinux sandbox
++.SH DESCRIPTION
++.PP
++When running sandbox with the -C argument, it will be confined using control groups and a system administrator can specify how the sandbox is confined.
++
++.PP
++Everything after "#" is ignored, as are empty lines. All arguments should be separated by and equals sign ("=").
++
++.PP
++These keywords are allowed.
++
++.RS
++.TP
++.B NAME
++The name of the sandbox control group. Default is "sandbox".
++
++.TP
++.B CPUAFFINITY
++Which cpus to assign sandbox to. The default is ALL, but users can specify a comma-separated list with dashes ("-") to represent ranges. Ex: 0-2,5
++
++.TP
++.B MEMUSAGE
++How much memory to allow sandbox to use. The default is 80%. Users can specify either a percentage or a value in the form of a number followed by one of the suffixes K, M, G to denote kilobytes, megabytes or gigabytes respectively. Ex: 50% or 100M
++
++.TP
++.B CPUUSAGE
++Percentage of cpu sandbox should be allowed to use. The default is 80%. Specify a value followed by a percent sign ("%"). Ex: 50%
++
++
++
++.SH "SEE ALSO"
++.TP
++sandbox(8)
++.PP
++
++.SH AUTHOR
++This manual page was written by
++.I Thomas Liu <tliu at fedoraproject.org>
diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init
index ff8b3ef..8508647 100644
--- a/policycoreutils/sandbox/sandbox.init
@@ -1356,6 +1999,49 @@ index 8338203..e501b03 100644
export EXITCODE=$?
kill -HUP 0
break
+diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8
+new file mode 100644
+index 0000000..e7b8991
+--- /dev/null
++++ b/policycoreutils/sandbox/seunshare.8
+@@ -0,0 +1,37 @@
++.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands"
++.SH NAME
++seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
++.SH SYNOPSIS
++.B seunshare
++[ -v ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
++.br
++.SH DESCRIPTION
++.PP
++Run the
++.I executable
++within the specified context, using the alternate home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
++
++.TP
++\fB\-h homedir\fR
++Alternate homedir to be used by the application. Homedir must be owned by the user.
++.TP
++\fB\-t\ tmpdir
++Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user.
++.TP
++\fB\-c cgroups\fR
++Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
++.TP
++\fB\-Z\ context
++Use alternate SELinux context while runing the executable.
++.TP
++\fB\-v\fR
++Verbose output
++.SH "SEE ALSO"
++.TP
++runcon(1), sandbox(8), selinux(8)
++.PP
++.SH AUTHOR
++This manual page was written by
++.I Dan Walsh <dwalsh at redhat.com>
++and
++.I Thomas Liu <tliu at fedoraproject.org>
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index ec692e7..de694ad 100644
--- a/policycoreutils/sandbox/seunshare.c
@@ -1810,6 +2496,21 @@ index ec692e7..de694ad 100644
-
return status;
}
+diff --git a/policycoreutils/sandbox/start b/policycoreutils/sandbox/start
+new file mode 100644
+index 0000000..52950d7
+--- /dev/null
++++ b/policycoreutils/sandbox/start
+@@ -0,0 +1,9 @@
++#! /usr/bin/python -Es
++import gtk, commands, sys
++rc = [-1,'']
++try:
++ rc=commands.getstatusoutput(sys.argv[1])
++except:
++ pass
++if rc[0] == 0:
++ print rc[1]
diff --git a/policycoreutils/scripts/Makefile b/policycoreutils/scripts/Makefile
index 53b65b6..cc75a96 100644
--- a/policycoreutils/scripts/Makefile
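Review bot: `commands.getstatusoutput(sys.argv[1])` hands the argument to the shell for interpretation, so any caller of this `start` script that assembles the string from data it does not fully control gets shell metacharacter expansion; if a single program is meant to be run, `subprocess.Popen` with an argument list keeps the argument literal. The bare `except: pass` also hides a missing argument (IndexError) and any failure to run the command, after which the script silently prints nothing; catching the specific exceptions, or at least reporting to stderr, makes failures diagnosable. `import gtk` is unused and pulls a GUI library into a tiny helper.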
@@ -1935,6 +2636,195 @@ index ae519fc..0890811 100755
restore
}
+diff --git a/policycoreutils/scripts/genhomedircon.8 b/policycoreutils/scripts/genhomedircon.8
+new file mode 100644
+index 0000000..6331660
+--- /dev/null
++++ b/policycoreutils/scripts/genhomedircon.8
+@@ -0,0 +1,37 @@
++.\" Hey, Emacs! This is an -*- nroff -*- source file.
++.\" Copyright (c) 2010 Dan Walsh <dwalsh at redhat.com>
++.\"
++.\" This is free documentation; you can redistribute it and/or
++.\" modify it under the terms of the GNU General Public License as
++.\" published by the Free Software Foundation; either version 2 of
++.\" the License, or (at your option) any later version.
++.\"
++.\" The GNU General Public License's references to "object code"
++.\" and "executables" are to be interpreted as the output of any
++.\" document formatting or typesetting system, including
++.\" intermediate and printed output.
++.\"
++.\" This manual is distributed in the hope that it will be useful,
++.\" but WITHOUT ANY WARRANTY; without even the implied warranty of
++.\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++.\" GNU General Public License for more details.
++.\"
++.\" You should have received a copy of the GNU General Public
++.\" License along with this manual; if not, write to the Free
++.\" Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139,
++.\" USA.
++.\"
++.\"
++.TH GENHOMEDIRCON "8" "May 2010" "Security Enhanced Linux" "SELinux"
++.SH NAME
++genhomedircon \- generate SELinux file context configuration entries for user home directories
++.SH SYNOPSIS
++.B genhomedircon
++is a script that executes semodule to rebuild policy and create the
++labels for HOMEDIRS based on home directories returned by the getpw calls.
++
++This functionality is enabled via the usepasswd flag in /etc/selinux/semanage.conf.
++
++.SH AUTHOR
++This manual page was written by
++.I Dan Walsh <dwalsh at redhat.com>
+diff --git a/policycoreutils/semanage/default_encoding/Makefile b/policycoreutils/semanage/default_encoding/Makefile
+new file mode 100644
+index 0000000..176b11f
+--- /dev/null
++++ b/policycoreutils/semanage/default_encoding/Makefile
+@@ -0,0 +1,8 @@
++all:
++ LDFLAGS="" python setup.py build
++
++install: all
++ LDFLAGS="" python setup.py install --root=$(DESTDIR)/
++
++clean:
++ rm -rf build *~
+diff --git a/policycoreutils/semanage/default_encoding/default_encoding.c b/policycoreutils/semanage/default_encoding/default_encoding.c
+new file mode 100644
+index 0000000..c3cdd4e
+--- /dev/null
++++ b/policycoreutils/semanage/default_encoding/default_encoding.c
+@@ -0,0 +1,59 @@
++/*
++ * Authors:
++ * John Dennis <jdennis at redhat.com>
++ *
++ * Copyright (C) 2009 Red Hat
++ * see file 'COPYING' for use and warranty information
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation.
++ *
++ * This program is distributed in the hope that it will be useful,
++ * but WITHOUT ANY WARRANTY; without even the implied warranty of
++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++ * GNU General Public License for more details.
++ *
++ * You should have received a copy of the GNU General Public License
++ * along with this program; if not, write to the Free Software
++ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++ */
++
++#include <Python.h>
++
++PyDoc_STRVAR(setdefaultencoding_doc,
++"setdefaultencoding(encoding='utf-8')\n\
++\n\
++Set the current default string encoding used by the Unicode implementation.\n\
++Defaults to utf-8."
++);
++
++static PyObject *
++setdefaultencoding(PyObject *self, PyObject *args, PyObject *kwds)
++{
++ static char *kwlist[] = {"utf-8", NULL};
++ char *encoding;
++
++ if (!PyArg_ParseTupleAndKeywords(args, kwds, "s:setdefaultencoding", kwlist, &encoding))
++ return NULL;
++
++ if (PyUnicode_SetDefaultEncoding(encoding))
++ return NULL;
++
++ Py_RETURN_NONE;
++}
++
++static PyMethodDef methods[] = {
++ {"setdefaultencoding", (PyCFunction)setdefaultencoding, METH_VARARGS|METH_KEYWORDS, setdefaultencoding_doc},
++ {NULL, NULL} /* sentinel */
++};
++
++
++PyMODINIT_FUNC
++initdefault_encoding_utf8(void)
++{
++ PyObject* m;
++
++ PyUnicode_SetDefaultEncoding("utf-8");
++ m = Py_InitModule3("default_encoding_utf8", methods, "Forces the default encoding to utf-8");
++}
+diff --git a/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py
+new file mode 100644
+index 0000000..ccb6b8b
+--- /dev/null
++++ b/policycoreutils/semanage/default_encoding/policycoreutils/__init__.py
+@@ -0,0 +1,17 @@
++#
++# Copyright (C) 2006,2007,2008, 2009 Red Hat, Inc.
++#
++# This program is free software; you can redistribute it and/or modify
++# it under the terms of the GNU General Public License as published by
++# the Free Software Foundation; either version 2 of the License, or
++# (at your option) any later version.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
++#
+diff --git a/policycoreutils/semanage/default_encoding/setup.py b/policycoreutils/semanage/default_encoding/setup.py
+new file mode 100644
+index 0000000..e2befdb
+--- /dev/null
++++ b/policycoreutils/semanage/default_encoding/setup.py
+@@ -0,0 +1,38 @@
++# Authors:
++# John Dennis <jdennis at redhat.com>
++#
++# Copyright (C) 2009 Red Hat
++# see file 'COPYING' for use and warranty information
++#
++# This program is free software; you can redistribute it and/or
++# modify it under the terms of the GNU General Public License as
++# published by the Free Software Foundation.
++#
++# This program is distributed in the hope that it will be useful,
++# but WITHOUT ANY WARRANTY; without even the implied warranty of
++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
++# GNU General Public License for more details.
++#
++# You should have received a copy of the GNU General Public License
++# along with this program; if not, write to the Free Software
++# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
++
++from distutils.core import setup, Extension
++
++default_encoding_utf8 = Extension('policycoreutils.default_encoding_utf8', ['default_encoding.c'])
++
++setup(name = 'policycoreutils-default-encoding',
++ version = '0.1',
++ description = 'Forces the default encoding in Python to be utf-8',
++ long_description = 'Forces the default encoding in Python to be utf-8',
++ author = 'John Dennis',
++ author_email = 'jdennis at redhat.com',
++ maintainer = 'John Dennis',
++ maintainer_email = 'jdennis at redhat.com',
++ license = 'GPLv3+',
++ platforms = 'posix',
++ url = '',
++ download_url = '',
++ ext_modules = [default_encoding_utf8],
++ packages=["policycoreutils"],
++)
diff --git a/policycoreutils/semanage/semanage b/policycoreutils/semanage/semanage
index ffaca5b..bc989bf 100644
--- a/policycoreutils/semanage/semanage
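Review bot: In default_encoding.c the keyword list is `{"utf-8", NULL}`, so the keyword accepted by `PyArg_ParseTupleAndKeywords` is literally `utf-8`, not the `encoding` name the docstring advertises; it should read `static char *kwlist[] = {"encoding", NULL};`. The docstring also promises a default of utf-8, but the format string `"s:setdefaultencoding"` makes the argument mandatory, so either the docstring or the format (`"|s:..."` with `encoding` pre-set to `"utf-8"`) should change. In initdefault_encoding_utf8() the result of `Py_InitModule3` is assigned to `m` and never checked or used. Minor: setup.py declares `license = 'GPLv3+'` while the package `__init__.py` header says GPL version 2 or later, which looks inconsistent.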
@@ -3417,6 +4307,273 @@ index b7d257b..735c1ba 100644
def list(self, heading = True, locallist = False, use_file = False):
on_off = (_("off"), _("on"))
if use_file:
+diff --git a/policycoreutils/sepolgen-ifgen/Makefile b/policycoreutils/sepolgen-ifgen/Makefile
+new file mode 100644
+index 0000000..211580d
+--- /dev/null
++++ b/policycoreutils/sepolgen-ifgen/Makefile
+@@ -0,0 +1,25 @@
++# Installation directories.
++PREFIX ?= ${DESTDIR}/usr
++BINDIR ?= $(PREFIX)/bin
++LIBDIR ?= ${PREFIX}/lib
++INCLUDEDIR ?= $(PREFIX)/include
++
++CFLAGS ?= -Wall -W
++override CFLAGS += -I$(INCLUDEDIR)
++LDLIBS = $(LIBDIR)/libsepol.a
++
++all: sepolgen-ifgen-attr-helper
++
++sepolgen-ifgen-attr-helper: sepolgen-ifgen-attr-helper.o
++
++install: all
++ -mkdir -p $(BINDIR)
++ install -m 755 sepolgen-ifgen-attr-helper $(BINDIR)
++
++clean:
++ rm -f *~ *.o sepolgen-ifgen-attr-helper
++
++indent:
++ ../../scripts/Lindent $(wildcard *.[ch])
++
++relabel: ;
+diff --git a/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c
+new file mode 100644
+index 0000000..995b270
+--- /dev/null
++++ b/policycoreutils/sepolgen-ifgen/sepolgen-ifgen-attr-helper.c
+@@ -0,0 +1,230 @@
++/* Authors: Frank Mayer <mayerf at tresys.com>
++ * and Karl MacMillan <kmacmillan at tresys.com>
++ *
++ * Copyright (C) 2003,2010 Tresys Technology, LLC
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2.
++ *
++ * Adapted from dispol.c.
++ *
++ * This program is used by sepolgen-ifgen to get the access for all of
++ * the attributes in the policy so that it can resolve the
++ * typeattribute statements in the interfaces.
++ *
++ * It outputs the attribute access in a similar format to what sepolgen
++ * uses to store interface vectors:
++ * [Attribute sandbox_x_domain]
++ * sandbox_x_domain,samba_var_t,file,ioctl,read,getattr,lock,open
++ * sandbox_x_domain,samba_var_t,dir,getattr,search,open
++ * sandbox_x_domain,initrc_var_run_t,file,ioctl,read,getattr,lock,open
++ *
++ */
++
++#include <sepol/policydb/policydb.h>
++#include <sepol/policydb/avtab.h>
++#include <sepol/policydb/util.h>
++
++#include <stdio.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++#include <sys/mman.h>
++#include <unistd.h>
++
++struct val_to_name {
++ unsigned int val;
++ char *name;
++};
++
++static int perm_name(hashtab_key_t key, hashtab_datum_t datum, void *data)
++{
++ struct val_to_name *v = data;
++ perm_datum_t *perdatum;
++
++ perdatum = (perm_datum_t *) datum;
++
++ if (v->val == perdatum->s.value) {
++ v->name = key;
++ return 1;
++ }
++
++ return 0;
++}
++
++int render_access_mask(uint32_t av, avtab_key_t *key, policydb_t *policydbp,
++ FILE *fp)
++{
++ struct val_to_name v;
++ class_datum_t *cladatum;
++ char *perm = NULL;
++ unsigned int i;
++ int rc;
++ uint32_t tclass = key->target_class;
++
++ cladatum = policydbp->class_val_to_struct[tclass - 1];
++ for (i = 0; i < cladatum->permissions.nprim; i++) {
++ if (av & (1 << i)) {
++ v.val = i + 1;
++ rc = hashtab_map(cladatum->permissions.table,
++ perm_name, &v);
++ if (!rc && cladatum->comdatum) {
++ rc = hashtab_map(cladatum->comdatum->
++ permissions.table, perm_name,
++ &v);
++ }
++ if (rc)
++ perm = v.name;
++ if (perm) {
++ fprintf(fp, ",%s", perm);
++ }
++ }
++ }
++
++ return 0;
++}
++
++static int render_key(avtab_key_t *key, policydb_t *p, FILE *fp)
++{
++ char *stype, *ttype, *tclass;
++ stype = p->p_type_val_to_name[key->source_type - 1];
++ ttype = p->p_type_val_to_name[key->target_type - 1];
++ tclass = p->p_class_val_to_name[key->target_class - 1];
++ if (stype && ttype) {
++ fprintf(fp, "%s,%s,%s", stype, ttype, tclass);
++ } else {
++ fprintf(stderr, "error rendering key\n");
++ exit(1);
++ }
++
++ return 0;
++}
++
++struct callback_data
++{
++ uint32_t attr;
++ policydb_t *policy;
++ FILE *fp;
++};
++
++int output_avrule(avtab_key_t *key, avtab_datum_t *datum, void *args)
++{
++ struct callback_data *cb_data = (struct callback_data *)args;
++
++ if (key->source_type != cb_data->attr)
++ return 0;
++
++ if (!(key->specified & AVTAB_AV && key->specified & AVTAB_ALLOWED))
++ return 0;
++
++ render_key(key, cb_data->policy, cb_data->fp);
++ render_access_mask(datum->data, key, cb_data->policy, cb_data->fp);
++ fprintf(cb_data->fp, "\n");
++
++ return 0;
++}
++
++static int attribute_callback(hashtab_key_t key, hashtab_datum_t datum, void *datap)
++{
++ struct callback_data *cb_data = (struct callback_data *)datap;
++ type_datum_t *t = (type_datum_t *)datum;
++
++ if (t->flavor == TYPE_ATTRIB) {
++ fprintf(cb_data->fp, "[Attribute %s]\n", key);
++ cb_data->attr = t->s.value;
++ if (avtab_map(&cb_data->policy->te_avtab, output_avrule, cb_data) < 0)
++ return -1;
++ if (avtab_map(&cb_data->policy->te_cond_avtab, output_avrule, cb_data) < 0)
++ return -1;
++ }
++
++ return 0;
++}
++
++static policydb_t *load_policy(const char *filename)
++{
++ policydb_t *policydb;
++ struct policy_file pf;
++ FILE *fp;
++ int ret;
++
++ fp = fopen(filename, "r");
++ if (fp == NULL) {
++ fprintf(stderr, "Can't open '%s': %s\n",
++ filename, strerror(errno));
++ return NULL;
++ }
++
++ policy_file_init(&pf);
++ pf.type = PF_USE_STDIO;
++ pf.fp = fp;
++
++ policydb = malloc(sizeof(policydb_t));
++ if (policydb == NULL) {
++ fprintf(stderr, "Out of memory!\n");
++ return NULL;
++ }
++
++ if (policydb_init(policydb)) {
++ fprintf(stderr, "Out of memory!\n");
++ return NULL;
++ }
++
++ ret = policydb_read(policydb, &pf, 1);
++ if (ret) {
++ fprintf(stderr,
++ "error(s) encountered while parsing configuration\n");
++ return NULL;
++ }
++
++ fclose(fp);
++
++ return policydb;
++
++}
++
++void usage(char *progname)
++{
++ printf("usage: %s policy_file out_file\n", progname);
++}
++
++int main(int argc, char **argv)
++{
++ policydb_t *p;
++ struct callback_data cb_data;
++ FILE *fp;
++
++ if (argc != 3) {
++ usage(argv[0]);
++ exit(1);
++ }
++
++ /* Open the policy. */
++ p = load_policy(argv[1]);
++ if (p == NULL) {
++ exit(1);
++ }
++
++ /* Open the output policy. */
++ fp = fopen(argv[2], "w");
++ if (fp == NULL) {
++ fprintf(stderr, "error opening output file\n");
++ policydb_destroy(p);
++ free(p);
++ }
++
++ /* Find all of the attributes and output their access. */
++ cb_data.policy = p;
++ cb_data.fp = fp;
++
++ if (hashtab_map(p->p_types.table, attribute_callback, &cb_data)) {
++ printf("error finding attributes\n");
++ }
++
++ policydb_destroy(p);
++ free(p);
++ fclose(fp);
++
++ return 0;
++}
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
index b649d8f..38416d8 100644
--- a/policycoreutils/setfiles/restore.c
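Review bot: In main, the `fopen(argv[2], "w")` failure branch prints an error, destroys and frees `p`, but never leaves the function, so execution falls through to `cb_data.policy = p` and `hashtab_map(p->p_types.table, …)` on freed memory while every later fprintf writes through a NULL `cb_data->fp`; add `exit(1);` (or `return 1;`) directly after the `free(p);` in that branch. load_policy has the mirror problem on its error paths: the `fp` from fopen is never closed when malloc, policydb_init or policydb_read fail, and the malloc'd `policydb` is leaked on the latter two, which a single cleanup tail as sketched below would cover. In render_access_mask, `av & (1 << i)` shifts a signed int, and for i == 31 that is undefined behaviour in C11, so use `(UINT32_C(1) << i)` or `1U << i` since `av` is already uint32_t. strerror/errno, malloc/free and exit are used without `<string.h>`, `<errno.h>` and `<stdlib.h>` appearing in this file's include list; they presumably arrive transitively via the sepol headers, but including them explicitly keeps the unit self-contained.
```c
static policydb_t *load_policy(const char *filename)
{
	policydb_t *policydb = NULL;
	/* … unchanged: fopen(filename, "r") check, policy_file_init, pf setup … */
	policydb = malloc(sizeof *policydb);
	if (policydb == NULL) {
		fprintf(stderr, "Out of memory!\n");
		goto err_close;
	}
	if (policydb_init(policydb)) {
		fprintf(stderr, "Out of memory!\n");
		goto err_free;
	}
	if (policydb_read(policydb, &pf, 1)) {
		fprintf(stderr,
			"error(s) encountered while parsing configuration\n");
		policydb_destroy(policydb);
		goto err_free;
	}
	fclose(fp);
	return policydb;

err_free:
	free(policydb);
err_close:
	fclose(fp);
	return NULL;
}
```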
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 1b92535..7a99daf 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.85
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -329,6 +329,9 @@ fi
exit 0
%changelog
+* Wed Jan 21 2011 Dan Walsh <dwalsh at redhat.com> 2.0.85-8
+- Fix newrole hanlding of pcap
+
* Wed Jan 19 2011 Dan Walsh <dwalsh at redhat.com> 2.0.85-7
- Have restorecond watch more directories in homedir