[policycoreutils] sandbox init script should always return 0 sandbox command needs to check range of categories and re
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Nov 11 20:25:49 UTC 2011
commit 35a1c24b591d470bec305e1cdafcac55b36821e3
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Nov 11 15:25:44 2011 -0500
sandbox init script should always return 0
sandbox command needs to check range of categories and report error if not big enough
policycoreutils-rhat.patch | 67 ++++++++++++++++++++++++++++++++++++++++----
policycoreutils.spec | 6 +++-
2 files changed, 66 insertions(+), 7 deletions(-)
---
diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch
index 9909014..cbe9f63 100644
--- a/policycoreutils-rhat.patch
+++ b/policycoreutils-rhat.patch
@@ -111,10 +111,56 @@ index 1c458f1..96c6795 100644
install -m 4755 seunshare $(SBINDIR)/
-mkdir -p $(SHAREDIR)
diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
-index 486cd4e..cdd4293 100644
+index 486cd4e..a21e508 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
-@@ -160,6 +160,17 @@ class Sandbox:
+@@ -118,10 +118,30 @@ def reserve(level):
+ sock.bind("\0%s" % level)
+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
+
++def get_range():
++ try:
++ level =selinux.getcon_raw()[1].split(":")[4]
++ lowc,highc = level.split(".")
++ low = int(lowc[1:])
++ high = int(highc[1:])+1
++ if high - low < 100:
++ raise IndexError
++
++ return low,high
++ except IndexError:
++ raise ValueError(_("User account must be setup with an MCS Range with more then 100 categories"))
++
+ def gen_mcs():
+- while True:
+- i1 = random.randrange(0, 1024)
+- i2 = random.randrange(0, 1024)
++ low, high = get_range()
++
++ level = None
++ ctr = 0
++ total = high-low
++ total = (total * total)/2 - total
++ while ctr < total:
++ ctr += 1
++ i1 = random.randrange(low, high)
++ i2 = random.randrange(low, high)
+ if i1 == i2:
+ continue
+ if i1 > i2:
+@@ -134,7 +154,10 @@ def gen_mcs():
+ except socket.error:
+ continue
+ break
+- return level
++ if level:
++ return level
++ raise ValueError(_("Failed to find any unused categories"))
++
+
+ def fullpath(cmd):
+ for i in [ "/", "./", "../" ]:
+@@ -160,6 +183,17 @@ class Sandbox:
self.__level = None
self.__homedir = None
self.__tmpdir = None
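Review bot: `get_range()` catches only `IndexError`, but the tuple unpacking of `level.split(".")` and the two `int()` calls raise `ValueError` when the category field is not exactly of the form `cN.cM` (a single category or a comma-separated list, for example), so those accounts get Python's own message rather than the MCS-range one; `except (IndexError, ValueError):` would cover both. In `gen_mcs()` the lines that assign `level` lie outside the hunk: if it is set before the reservation is attempted, a loop that runs out at `ctr < total` after a `socket.error` leaves `level` holding a pair that could not be reserved, and `if level:` then returns it, which would let two sandboxes share one MCS label. Setting `level = None` in the `except socket.error:` branch before `continue` would make the final `raise ValueError` reachable in that case. The attempt cap `(total * total)/2 - total` also counts random draws rather than distinct pairs, so the "Failed to find any unused categories" error can fire while free pairs remain.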
@@ -132,7 +178,7 @@ index 486cd4e..cdd4293 100644
def __validate_mount(self):
if self.__options.level:
-@@ -278,6 +289,9 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
+@@ -278,6 +312,9 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
action="callback", callback=self.__mount_callback,
help=_("mount new home and/or tmp directory"))
@@ -142,7 +188,7 @@ index 486cd4e..cdd4293 100644
parser.add_option("-S", "--session", action="store_true", dest="session",
default=False, help=_("run complete desktop session within sandbox"))
-@@ -322,7 +336,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
+@@ -322,7 +359,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
if self.__options.X_ind:
self.setype = DEFAULT_X_TYPE
@@ -151,7 +197,7 @@ index 486cd4e..cdd4293 100644
if self.__options.setype:
self.setype = self.__options.setype
-@@ -408,7 +422,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
+@@ -408,7 +445,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile
self.__setup_sandboxrc(self.__options.wm)
@@ -281,7 +327,7 @@ index b3ee67d..0000000
-This manual page was written by
-.I Thomas Liu <tliu at fedoraproject.org>
diff --git a/policycoreutils/sandbox/sandbox.init b/policycoreutils/sandbox/sandbox.init
-index d1ccdc2..11c391c 100644
+index d1ccdc2..b3979bf 100644
--- a/policycoreutils/sandbox/sandbox.init
+++ b/policycoreutils/sandbox/sandbox.init
@@ -19,6 +19,7 @@
@@ -292,6 +338,15 @@ index d1ccdc2..11c391c 100644
LOCKFILE=/var/lock/subsys/sandbox
+@@ -27,7 +28,7 @@ base=${0##*/}
+ start() {
+ echo -n "Starting sandbox"
+
+- [ -f "$LOCKFILE" ] && return 1
++ [ -f "$LOCKFILE" ] && return 0
+
+ touch $LOCKFILE
+ mount --make-rshared / || return $?
diff --git a/policycoreutils/scripts/genhomedircon b/policycoreutils/scripts/genhomedircon
index ab696a7..58b19cd 100644
--- a/policycoreutils/scripts/genhomedircon
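Review bot: With `return 0` for an existing lock file, a failed earlier start is now reported as success: `touch $LOCKFILE` runs before `mount --make-rshared / || return $?`, so a mount failure leaves the lock file behind and the next `start` returns 0 without the mount propagation having been set up. Moving `touch $LOCKFILE` to after the mount steps succeed, or removing the lock file on the failure path, keeps the lock file meaning "started". `start()` continues past the end of the hunk, so any later cleanup is not visible here.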
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 4da08e0..fc43712 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.8
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -352,6 +352,10 @@ fi
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
+* Fri Nov 11 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.8-4
+- sandbox init script should always return 0
+- sandbox command needs to check range of categories and report error if not big enough
+
* Mon Nov 7 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.8-3
- Allow user to specify DPI when running sandbox