[policycoreutils/f16] sandbox init script should always return 0 sandbox command needs to check range of categories and re
Daniel J Walsh
dwalsh at fedoraproject.org
Fri Nov 11 20:30:53 UTC 2011
commit fd962b4a18472a87bfaafeb5868bc1c906484906
Author: Dan Walsh <dwalsh at redhat.com>
Date: Fri Nov 11 15:30:41 2011 -0500
sandbox init script should always return 0
sandbox command needs to check range of categories and report error if not big enough
Allow DPI to be passed into the sandbox
policycoreutils-f17.patch | 134 ++++++++++++++++++++++++++++++++++++++++++++-
policycoreutils.spec | 9 ++-
2 files changed, 138 insertions(+), 5 deletions(-)
---
diff --git a/policycoreutils-f17.patch b/policycoreutils-f17.patch
index 4a12ec9..85cd9ab 100644
--- a/policycoreutils-f17.patch
+++ b/policycoreutils-f17.patch
@@ -109,10 +109,101 @@ diff -up policycoreutils-2.1.4/restorecond/user.c.f17 policycoreutils-2.1.4/rest
goto end;
read_config(master_fd, watch_file);
+diff -up policycoreutils-2.1.4/sandbox/sandbox.8.f17 policycoreutils-2.1.4/sandbox/sandbox.8
+--- policycoreutils-2.1.4/sandbox/sandbox.8.f17 2011-11-11 15:27:33.999851089 -0500
++++ policycoreutils-2.1.4/sandbox/sandbox.8 2011-11-11 15:27:39.190859121 -0500
+@@ -3,11 +3,11 @@
+ sandbox \- Run cmd under an SELinux sandbox
+ .SH SYNOPSIS
+ .B sandbox
+-[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
++[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] cmd
+
+ .br
+ .B sandbox
+-[-C] [-c] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
++[-C] [-c] [ -d DPI ] [-l level ] [[-M | -X] -H homedir -T tempdir ] [-I includefile ] [ -W windowmanager ] [ -w windowsize ] [[-i file ]...] [ -t type ] -S
+ .br
+ .SH DESCRIPTION
+ .PP
+@@ -60,6 +60,9 @@ Default to /usr/bin/matchbox-window-mana
+ Create an X based Sandbox for gui apps, temporary files for
+ $HOME and /tmp, secondary Xserver, defaults to sandbox_x_t
+ .TP
++\fB\-d\fR
++Set the DPI value for the sanbox X Server. Defaults to the current X Sever DPI.
++.TP
+ \fB\-c\fR
+ Use control groups to control this copy of sandbox. Specify parameters in /etc/sysconfig/sandbox. Max memory usage and cpu usage are to be specified in percent. You can specify which CPUs to use by numbering them 0,1,2... etc.
+ .TP
diff -up policycoreutils-2.1.4/sandbox/sandbox.f17 policycoreutils-2.1.4/sandbox/sandbox
--- policycoreutils-2.1.4/sandbox/sandbox.f17 2011-10-31 11:12:36.860781127 -0400
-+++ policycoreutils-2.1.4/sandbox/sandbox 2011-10-31 11:12:37.171780966 -0400
-@@ -263,7 +263,6 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-
++++ policycoreutils-2.1.4/sandbox/sandbox 2011-11-11 15:28:06.707901631 -0500
+@@ -118,10 +118,30 @@ def reserve(level):
+ sock.bind("\0%s" % level)
+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
+
++def get_range():
++ try:
++ level =selinux.getcon_raw()[1].split(":")[4]
++ lowc,highc = level.split(".")
++ low = int(lowc[1:])
++ high = int(highc[1:])+1
++ if high - low < 100:
++ raise IndexError
++
++ return low,high
++ except IndexError:
++ raise ValueError(_("User account must be setup with an MCS Range with more then 100 categories"))
++
+ def gen_mcs():
+- while True:
+- i1 = random.randrange(0, 1024)
+- i2 = random.randrange(0, 1024)
++ low, high = get_range()
++
++ level = None
++ ctr = 0
++ total = high-low
++ total = (total * total)/2 - total
++ while ctr < total:
++ ctr += 1
++ i1 = random.randrange(low, high)
++ i2 = random.randrange(low, high)
+ if i1 == i2:
+ continue
+ if i1 > i2:
+@@ -134,7 +154,10 @@ def gen_mcs():
+ except socket.error:
+ continue
+ break
+- return level
++ if level:
++ return level
++ raise ValueError(_("Failed to find any unused categories"))
++
+
+ def fullpath(cmd):
+ for i in [ "/", "./", "../" ]:
+@@ -160,6 +183,17 @@ class Sandbox:
+ self.__level = None
+ self.__homedir = None
+ self.__tmpdir = None
++ self.__set_dpi()
++
++ def __set_dpi(self):
++ rc, out = commands.getstatusoutput("/usr/bin/xrdb -query")
++ if rc != 0:
++ self.dpi = 96
++ else:
++ for i in out.split("\n"):
++ if i.startswith("Xft.dpi:"):
++ self.dpi = i.split()[1]
++ break;
+
+ def __validate_mount(self):
+ if self.__options.level:
+@@ -263,7 +297,6 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-
%s
""") % types
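Review bot: In gen_mcs the new `if level: return level` test cannot tell a reserved level from a failed one, because the `except socket.error: continue` path leaves `level` holding the last candidate; if the attempt budget runs out on a collision, the function appears to return a category pair that another sandbox already holds instead of raising. The assignment to `level` sits in lines elided between the two inner hunks, so confirm this against the full file; if it holds, replace `break` with `return level` and let the existing `raise ValueError(...)` follow the loop unconditionally. Separately, `__set_dpi` assigns `self.dpi` only when xrdb fails or an `Xft.dpi:` line is found, so a successful query without that resource leaves the attribute unset for the later `default=self.dpi`; starting the method with `self.dpi = 96` covers that case. In get_range, a category field without a `.` range fails at the tuple unpacking with a ValueError rather than the IndexError that is caught, so the translated message is skipped; `except (IndexError, ValueError):` would route both to it.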
@@ -120,9 +211,37 @@ diff -up policycoreutils-2.1.4/sandbox/sandbox.f17 policycoreutils-2.1.4/sandbox
parser = OptionParser(version=self.VERSION, usage=usage)
parser.disable_interspersed_args()
parser.add_option("-i", "--include",
+@@ -279,6 +312,9 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-
+ action="callback", callback=self.__mount_callback,
+ help=_("mount new home and/or tmp directory"))
+
++ parser.add_option("-d", "--dpi",
++ dest="dpi", action="store",default=self.dpi,
++ help=_("dots per inch for X display: (%s)" % self.dpi))
+ parser.add_option("-S", "--session", action="store_true", dest="session",
+ default=False, help=_("run complete desktop session within sandbox"))
+
+@@ -323,7 +359,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-
+
+ if self.__options.X_ind:
+ self.setype = DEFAULT_X_TYPE
+- self.dpi=commands.getoutput("xrdb -query | grep dpi | /bin/cut -f 2")
++
+ if self.__options.setype:
+ self.setype = self.__options.setype
+
+@@ -409,7 +445,7 @@ sandbox [-h] [-c] [-l level ] [-[X|M] [-
+
+ self.__setup_sandboxrc(self.__options.wm)
+
+- cmds += [ "--", SANDBOXSH, self.__options.windowsize, self.dpi ]
++ cmds += [ "--", SANDBOXSH, self.__options.windowsize, self.__options.dpi ]
+ else:
+ cmds += [ "--" ] + self.__paths
+ return subprocess.Popen(cmds).wait()
diff -up policycoreutils-2.1.4/sandbox/sandbox.init.f17 policycoreutils-2.1.4/sandbox/sandbox.init
--- policycoreutils-2.1.4/sandbox/sandbox.init.f17 2011-10-31 11:12:36.861781127 -0400
-+++ policycoreutils-2.1.4/sandbox/sandbox.init 2011-10-31 11:12:37.171780966 -0400
++++ policycoreutils-2.1.4/sandbox/sandbox.init 2011-11-11 15:26:49.845782455 -0500
@@ -13,7 +13,7 @@
# description: sandbox, xguest and other apps that want to use pam_namespace \
# require this script be run at boot. This service script does \
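Review bot: The new `-d/--dpi` option is stored as an unchecked string and passed to SANDBOXSH as `self.__options.dpi`, so whatever the caller supplies reaches the X startup script unchanged. `subprocess.Popen` receives a list here, so no shell parses the value at this layer, but how the script consumes it is not visible in this patch. Rejecting non-numeric input up front, for example `type="int"` on the option and `str(self.__options.dpi)` when building `cmds`, would keep that argument well-formed. The help text is also formatted inside `_()`, which defeats the translation lookup; `_("dots per inch for X display: (%s)") % self.dpi` is the usual form.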
@@ -143,6 +262,15 @@ diff -up policycoreutils-2.1.4/sandbox/sandbox.init.f17 policycoreutils-2.1.4/sa
LOCKFILE=/var/lock/subsys/sandbox
base=${0##*/}
+@@ -32,7 +28,7 @@ base=${0##*/}
+ start() {
+ echo -n "Starting sandbox"
+
+- [ -f "$LOCKFILE" ] && return 1
++ [ -f "$LOCKFILE" ] && return 0
+
+ touch $LOCKFILE
+ mount --make-rshared / || return $?
diff -up policycoreutils-2.1.4/sandbox/seunshare.c.f17 policycoreutils-2.1.4/sandbox/seunshare.c
--- policycoreutils-2.1.4/sandbox/seunshare.c.f17 2011-10-31 11:12:36.862781127 -0400
+++ policycoreutils-2.1.4/sandbox/seunshare.c 2011-10-31 11:12:37.171780966 -0400
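Review bot: With `return 0` on an existing lock file, a previously failed start is now reported as success: `touch $LOCKFILE` runs before `mount --make-rshared / || return $?`, so a mount failure leaves the lock behind and the next `start` returns 0 without the shared mount in place. Services that depend on this script for pam_namespace would then run without the propagation they expect. Creating the lock only after the mount steps succeed, or removing it on the failure path with `mount --make-rshared / || { rc=$?; rm -f "$LOCKFILE"; return $rc; }`, keeps the exit status honest. The body of start() continues outside the hunk, so later steps may need the same treatment.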
diff --git a/policycoreutils.spec b/policycoreutils.spec
index bdbf31a..b837719 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.4
-Release: 7%{?dist}
+Release: 8%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -354,6 +354,11 @@ fi
/bin/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
%changelog
+* Fri Nov 11 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.4-8
+- sandbox init script should always return 0
+- sandbox command needs to check range of categories and report error if not big enough
+- Allow DPI to be passed into the sandbox
+
* Mon Oct 31 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.4-7
- Backport fixes from restorecond to handle being run within a terminal session
- Add ~/.local/share/* to restorecond_users.conf
@@ -361,7 +366,7 @@ fi
- Fix a couple of problems found by coverity
* Mon Oct 24 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.4-6
-- Inlcude the patch this time to fix sandbox.init
+- Include the patch this time to fix sandbox.init
* Mon Oct 24 2011 Dan Walsh <dwalsh at redhat.com> - 2.1.4-5
- Fix sandbox.init script