[policycoreutils/f14/master] Return to original seunshare man page
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Mar 16 13:57:37 UTC 2011
commit 63524354f9b9d6b8760a1cdf10be8a4ae32046c8
Author: Dan Walsh <dwalsh at redhat.com>
Date: Wed Mar 16 09:57:36 2011 -0400
Return to original seunshare man page
policycoreutils-rhat.patch | 98 +++++++++++++++++++++++++++++++------------
policycoreutils.spec | 16 ++++++-
2 files changed, 84 insertions(+), 30 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index ed69325..506acb0 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -192,7 +192,7 @@ index 6178cc8..b6f386d 100644
.PP
.SH AUTHOR
diff --git a/policycoreutils/audit2allow/sepolgen-ifgen b/policycoreutils/audit2allow/sepolgen-ifgen
-index 03f95a1..5986b23 100644
+index 03f95a1..dda432e 100644
--- a/policycoreutils/audit2allow/sepolgen-ifgen
+++ b/policycoreutils/audit2allow/sepolgen-ifgen
@@ -1,4 +1,4 @@
@@ -220,7 +220,7 @@ index 03f95a1..5986b23 100644
def parse_options():
from optparse import OptionParser
-@@ -44,14 +49,43 @@ def parse_options():
+@@ -44,14 +49,55 @@ def parse_options():
help="filename to store output")
parser.add_option("-i", "--interfaces", dest="headers", default=defaults.headers(),
help="location of the interface header files")
@@ -235,9 +235,21 @@ index 03f95a1..5986b23 100644
return options
++def get_policy():
++ p = selinux.selinux_binary_policy_path() + "." + str(i)
++ while i > 0 and not os.path.exists(p):
++ i = i - 1
++ p = selinux.selinux_binary_policy_path() + "." + str(i)
++ if i > 0:
++ return p
++ return None
++
+def get_attrs():
+ try:
-+ policy_path = selinux.selinux_binary_policy_path() + "." + str(selinux.security_policyvers())
++ policy_path = get_policy()
++ if not policy_path:
++ sys.stderr.write("No installed policy to check\n")
++ return None
+ outfile = tempfile.NamedTemporaryFile()
+ except IOError, e:
+ sys.stderr.write("could not open attribute output file\n")
@@ -264,7 +276,7 @@ index 03f95a1..5986b23 100644
def main():
options = parse_options()
-@@ -68,6 +102,14 @@ def main():
+@@ -68,6 +114,14 @@ def main():
else:
log = None
@@ -279,7 +291,7 @@ index 03f95a1..5986b23 100644
try:
headers = refparser.parse_headers(options.headers, output=log, debug=options.debug)
except ValueError, e:
-@@ -76,7 +118,7 @@ def main():
+@@ -76,7 +130,7 @@ def main():
return 1
if_set = interfaces.InterfaceSet(output=log)
@@ -414,7 +426,7 @@ index b149dcb..0c14c94 100644
.SH "SEE ALSO"
.BR restorecon (8),
diff --git a/policycoreutils/restorecond/restorecond.c b/policycoreutils/restorecond/restorecond.c
-index 58774e6..77c8013 100644
+index 58774e6..a588e5e 100644
--- a/policycoreutils/restorecond/restorecond.c
+++ b/policycoreutils/restorecond/restorecond.c
@@ -30,9 +30,11 @@
@@ -853,7 +865,7 @@ index 58774e6..77c8013 100644
/* Register sighandlers */
sa.sa_flags = 0;
-@@ -467,36 +174,56 @@ int main(int argc, char **argv)
+@@ -467,36 +174,59 @@ int main(int argc, char **argv)
set_matchpathcon_flags(MATCHPATHCON_NOTRANS);
@@ -891,6 +903,9 @@ index 58774e6..77c8013 100644
+
+ uid_t uid = getuid();
+ struct passwd *pwd = getpwuid(uid);
++ if (!pwd)
++ exitApp("getpwuid");
++
+ homedir = pwd->pw_dir;
+ if (uid != 0) {
+ if (run_as_user)
@@ -1624,7 +1639,7 @@ index ff0ee7c..0c8a085 100644
test:
@python test_sandbox.py -v
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
-index 48a26c2..d1037bd 100644
+index 48a26c2..b815af2 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -1,5 +1,6 @@
@@ -1635,7 +1650,7 @@ index 48a26c2..d1037bd 100644
# Authors: Josh Cogliati
#
# Copyright (C) 2009,2010 Red Hat
-@@ -19,15 +20,18 @@
+@@ -19,15 +20,17 @@
# Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
#
@@ -1649,14 +1664,14 @@ index 48a26c2..d1037bd 100644
+import setools
PROGNAME = "policycoreutils"
- HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir
+-HOMEDIR=pwd.getpwuid(os.getuid()).pw_dir
-
+SEUNSHARE = "/usr/sbin/seunshare"
+SANDBOXSH = "/usr/share/sandbox/sandboxX.sh"
import gettext
gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
gettext.textdomain(PROGNAME)
-@@ -41,6 +45,7 @@ except IOError:
+@@ -41,6 +44,7 @@ except IOError:
import __builtin__
__builtin__.__dict__['_'] = unicode
@@ -1664,7 +1679,7 @@ index 48a26c2..d1037bd 100644
DEFAULT_TYPE = "sandbox_t"
DEFAULT_X_TYPE = "sandbox_x_t"
SAVE_FILES = {}
-@@ -63,15 +68,15 @@ def error_exit(msg):
+@@ -63,15 +67,15 @@ def error_exit(msg):
sys.stderr.flush()
sys.exit(1)
@@ -1684,7 +1699,7 @@ index 48a26c2..d1037bd 100644
if not os.path.exists(newdir):
os.makedirs(newdir)
dest = newdir + "/" + bname
-@@ -81,9 +86,10 @@ def copyfile(file, dir, dest):
+@@ -81,9 +85,10 @@ def copyfile(file, dir, dest):
shutil.copytree(file, dest)
else:
shutil.copy2(file, dest)
@@ -1697,7 +1712,7 @@ index 48a26c2..d1037bd 100644
SAVE_FILES[file] = (dest, os.path.getmtime(dest))
-@@ -161,10 +167,10 @@ class Sandbox:
+@@ -161,10 +166,10 @@ class Sandbox:
if not self.__options.homedir or not self.__options.tmpdir:
self.usage(_("Homedir and tempdir required for level mounts"))
@@ -1711,7 +1726,7 @@ index 48a26c2..d1037bd 100644
def __mount_callback(self, option, opt, value, parser):
self.__mount = True
-@@ -172,6 +178,15 @@ class Sandbox:
+@@ -172,6 +177,15 @@ class Sandbox:
def __x_callback(self, option, opt, value, parser):
self.__mount = True
setattr(parser.values, option.dest, True)
@@ -1727,7 +1742,7 @@ index 48a26c2..d1037bd 100644
def __validdir(self, option, opt, value, parser):
if not os.path.isdir(value):
-@@ -194,6 +209,8 @@ class Sandbox:
+@@ -194,6 +208,8 @@ class Sandbox:
self.__include(option, opt, i[:-1], parser)
except IOError, e:
sys.stderr.write(str(e))
@@ -1736,7 +1751,7 @@ index 48a26c2..d1037bd 100644
fd.close()
def __copyfiles(self):
-@@ -212,13 +229,15 @@ class Sandbox:
+@@ -212,13 +228,15 @@ class Sandbox:
/etc/gdm/Xsession
""")
else:
@@ -1754,7 +1769,7 @@ index 48a26c2..d1037bd 100644
kill -TERM $WM_PID 2> /dev/null
""" % (command, wm, command))
fd.close()
-@@ -226,14 +245,25 @@ kill -TERM $WM_PID 2> /dev/null
+@@ -226,14 +244,25 @@ kill -TERM $WM_PID 2> /dev/null
def usage(self, message = ""):
error_exit("%s\n%s" % (self.__parser.usage, message))
@@ -1784,7 +1799,7 @@ index 48a26c2..d1037bd 100644
parser = OptionParser(version=self.VERSION, usage=usage)
parser.disable_interspersed_args()
-@@ -268,6 +298,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -268,6 +297,10 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
action="callback", callback=self.__validdir,
help=_("alternate /tmp directory to use for mounting"))
@@ -1795,7 +1810,7 @@ index 48a26c2..d1037bd 100644
parser.add_option("-W", "--windowmanager", dest="wm",
type="string",
default="/usr/bin/matchbox-window-manager -use_titlebar no",
-@@ -276,13 +310,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -276,13 +309,17 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
parser.add_option("-l", "--level", dest="level",
help=_("MCS/MLS level for the sandbox"))
@@ -1814,7 +1829,7 @@ index 48a26c2..d1037bd 100644
if self.__options.setype:
self.setype = self.__options.setype
-@@ -299,6 +337,9 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -299,6 +336,9 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
self.__options.X_ind = True
self.__homedir = self.__options.homedir
self.__tmpdir = self.__options.tmpdir
@@ -1824,7 +1839,31 @@ index 48a26c2..d1037bd 100644
else:
if len(cmds) == 0:
self.usage(_("Command required"))
-@@ -351,22 +392,24 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+@@ -329,44 +369,43 @@ sandbox [-h] [-[X|M] [-l level ] [-H homedir] [-T tempdir]] [-I includefile ] [-
+ def __setup_dir(self):
+ if self.__options.level or self.__options.session:
+ return
+- sandboxdir = HOMEDIR + "/.sandbox"
+- if not os.path.exists(sandboxdir):
+- os.mkdir(sandboxdir)
+
+ if self.__options.homedir:
+ selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)
+ self.__homedir = self.__options.homedir
+ else:
+ selinux.setfscreatecon(self.__filecon)
+- self.__homedir = mkdtemp(dir=sandboxdir, prefix=".sandbox")
++ self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_")
+
+ if self.__options.tmpdir:
+ selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True)
+ self.__tmpdir = self.__options.tmpdir
+ else:
+ selinux.setfscreatecon(self.__filecon)
+- self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox")
++ self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_")
+ selinux.setfscreatecon(None)
+ self.__copyfiles()
def __execute(self):
try:
@@ -1864,7 +1903,7 @@ index 48a26c2..d1037bd 100644
selinux.setexeccon(self.__execcon)
rc = subprocess.Popen(self.__cmds).wait()
-@@ -404,7 +447,7 @@ if __name__ == '__main__':
+@@ -404,7 +443,7 @@ if __name__ == '__main__':
sandbox = Sandbox()
rc = sandbox.main()
except OSError, error:
@@ -2040,26 +2079,29 @@ index 8338203..e501b03 100644
break
diff --git a/policycoreutils/sandbox/seunshare.8 b/policycoreutils/sandbox/seunshare.8
new file mode 100644
-index 0000000..6063d6a
+index 0000000..e7b8991
--- /dev/null
+++ b/policycoreutils/sandbox/seunshare.8
-@@ -0,0 +1,34 @@
+@@ -0,0 +1,37 @@
+.TH SEUNSHARE "8" "May 2010" "seunshare" "User Commands"
+.SH NAME
+seunshare \- Run cmd with alternate homedir, tmpdir and/or SELinux context
+.SH SYNOPSIS
+.B seunshare
-+[ -v ] -h homedir [ -Z context ] -- executable [args]
++[ -v ] [ -t tmpdir ] [ -h homedir ] [ -Z context ] -- executable [args]
+.br
+.SH DESCRIPTION
+.PP
+Run the
+.I executable
-+within the specified context, using the alternate home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir over the default homedir. It also creates a temporary directori in /tmp and mounts it on top of /tmp and /var/tmp. Optionally it tells the kernel to execute the application under the specified SELinux context.
++within the specified context, using the alternate home directory and /tmp directory. The seunshare command unshares from the default namespace, then mounts the specified homedir and tmpdir over the default homedir and /tmp. Finally it tells the kernel to execute the application under the specified SELinux context.
+
+.TP
+\fB\-h homedir\fR
-+Alternate homedir to be used by the application. Homedir must be owned by the user. Can not be on /tmp. (seunsahre will create a new /tmp and copy the contents of homedir/.sandboxtmp into the newly created /tmp.
++Alternate homedir to be used by the application. Homedir must be owned by the user.
++.TP
++\fB\-t\ tmpdir
++Use alternate tempory directory to mount on /tmp. tmpdir must be owned by the user.
+.TP
+\fB\-c cgroups\fR
+Use cgroups to control this copy of seunshare. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 5baf029..34edd0d 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.85
-Release: 19%{?dist}
+Release: 22%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -318,7 +318,19 @@ fi
exit 0
%changelog
-* Wed Mar 8 2011 Dan Walsh <dwalsh at redhat.com> 2.0.85-19
+* Wed Mar 16 2011 Dan Walsh <dwalsh at redhat.com> 2.0.85-22
+- Return to original seunshare man page
+
+* Fri Mar 11 2011 Dan Walsh <dwalsh at redhat.com> 2.0.85-21
+- change default location of HOMEDIR in sandbox to /tmp/.sandbox_home_*
+- This will allow default sandboxes to work on NFS homedirs without allowing
+ access to homedir data
+
+* Fri Mar 11 2011 Dan Walsh <dwalsh at redhat.com> 2.0.85-20
+- Change sepolgen-ifgen to search all available policy files
+- Exit in restorecond if it can not find a UID in the passwd database
+
+* Wed Mar 9 2011 Dan Walsh <dwalsh at redhat.com> 2.0.85-19
- Fix portspage in system-config-selinux to not crash
- More fixes for seunshare from Tomas Hoger
More information about the scm-commits
mailing list