[policycoreutils] * Tue May 6 2014 Miroslav Grepl <mgreplh at redhat.com> - 2.2.5-15 - Apply patch to use setcon in seuns

Miroslav Grepl mgrepl at fedoraproject.org
Tue May 6 16:54:52 UTC 2014


commit 998c56497f0e9451461f1ef2f1059ba3fd6fd7b8
Author: Miroslav Grepl <mgrepl at redhat.com>
Date:   Tue May 6 18:55:08 2014 +0200

    * Tue May 6 2014 Miroslav Grepl <mgreplh at redhat.com> - 2.2.5-15
    - Apply patch to use setcon in seunshare from luto at mit.edu

 ...hare-Try-to-use-setcurrent-before-setexec.patch |   63 ++++++++++++++++++++
 policycoreutils.spec                               |    8 ++-
 2 files changed, 70 insertions(+), 1 deletions(-)
---
diff --git a/0002-seunshare-Try-to-use-setcurrent-before-setexec.patch b/0002-seunshare-Try-to-use-setcurrent-before-setexec.patch
new file mode 100644
index 0000000..450ad2e
--- /dev/null
+++ b/0002-seunshare-Try-to-use-setcurrent-before-setexec.patch
@@ -0,0 +1,63 @@
+From d355fd3326286a01f82c5c46a8eb99ae2f4a11bb Mon Sep 17 00:00:00 2001
+Message-Id: <d355fd3326286a01f82c5c46a8eb99ae2f4a11bb.1398921725.git.luto at amacapital.net>
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Wed, 30 Apr 2014 21:59:37 -0700
+Subject: [PATCH] seunshare: Try to use setcurrent before setexec
+
+If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
+libcap-ng set, setexeccon will cause execve to fail.  This also
+makes setting selinux context the very last action taken by
+seunshare prior to exec, as it may otherwise cause things to fail.
+
+Note that this won't work without adjusting the system policy to
+allow this use of setcurrent.  This rule appears to work:
+
+    allow unconfined_t sandbox_t:process dyntransition;
+
+although a better rule would probably relax the unconfined_t
+restriction.
+
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+---
+ policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
+index 97f3920..fe40757 100644
+--- a/policycoreutils/sandbox/seunshare.c
++++ b/policycoreutils/sandbox/seunshare.c
+@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
+ 			goto childerr;
+ 		}
+ 
+-		/* selinux context */
+-		if (execcon && setexeccon(execcon) != 0) {
+-			fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+-			goto childerr;
+-		}
+-
+ 		if (chdir(pwd->pw_dir)) {
+ 			perror(_("Failed to change dir to homedir"));
+ 			goto childerr;
+ 		}
+ 		setsid();
++
++		/* selinux context */
++		if (execcon) {
++			/* try dyntransition, since no_new_privs can interfere
++			 * with setexeccon */
++			if (setcon(execcon) != 0) {
++				/* failed; fall back to setexeccon */
++				if (setexeccon(execcon) != 0) {
++					fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
++					goto childerr;
++				}
++			}
++		}
++
+ 		execv(argv[optind], argv + optind);
+ 		fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
+ childerr:
+-- 
+1.9.0
+
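Review bot: the fallback in the seunshare.c hunk loses the reason setcon() failed. When both calls fail, the only diagnostic is the setexeccon() one ("Could not set exec context to %s"), so an administrator who has not yet added the "allow unconfined_t sandbox_t:process dyntransition;" rule named in the patch description sees only the second errno and no hint that a dyntransition was attempted first. Suggest saving errno after setcon() and reporting both, e.g. fprintf(stderr, _("setcon(%s) failed: %s; setexeccon(%s) failed: %s\n"), ...). A second point: once setcon() succeeds the child is already running in the target domain, so the fprintf(stderr, _("Failed to execute command %s: %s\n"), ...) after execv() and the childerr: cleanup now run under sandbox_t rather than the caller's domain; whether the policy permits that is not stated in the patch description and should be checked. Finally, the in-code comment explains why dyntransition is tried first but not why the context setting was moved after chdir()/setsid(); that rationale lives only in the patch description and is worth one line in the code.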
diff --git a/policycoreutils.spec b/policycoreutils.spec
index f3f0c24..aabfbe0 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.2.5
-Release: 14%{?dist}
+Release: 15%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -21,6 +21,7 @@ Source4: sepolicy-icons.tgz
 Patch:   policycoreutils-rhat-revert.patch
 Patch1:  policycoreutils-sepolicy-manpage.patch
 Patch2:  0001-Fix-STANDARD_FILE_CONTEXT-section-in-man-pages.patch
+Patch3:  0002-seunshare-Try-to-use-setcurrent-before-setexec.patch
 #Patch1:	 policycoreutils-sepolgen.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3
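Review bot: Patch3 points at a file named 0002-..., while Patch2 points at 0001-...; the file prefixes and the spec indices drift apart because Patch1 is commented out. Either rename the file to 0003-seunshare-Try-to-use-setcurrent-before-setexec.patch or keep the tag numbering aligned with the file prefix, so the next person adding a patch does not have to guess which sequence to follow.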
@@ -53,6 +54,8 @@ to switch roles.
 %setup -q -a 1
 %patch -p2 -b .rhat
 %patch2 -p2 -b .man-pages
+%patch3 -p2 -b .seunshare
+#%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
 #%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
 cp %{SOURCE3} gui/
 tar xvf %{SOURCE4}
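Review bot: the added "#%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}" line is an exact duplicate of the commented line immediately below it; drop the added copy. The "%patch3 -p2 -b .seunshare" line itself is consistent with "%patch2 -p2": the patch's paths are a/policycoreutils/sandbox/seunshare.c, so -p2 strips the a/policycoreutils/ prefix relative to the %setup directory.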
@@ -384,6 +387,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 
 %changelog
+* Tue May 6 2014 Miroslav Grepl <mgreplh at redhat.com> - 2.2.5-15
+- Apply patch to use setcon in seunshare from luto at mit.edu
+
 * Wed Apr 30 2014 Dan Walsh <dwalsh at redhat.com> - 2.2.5-14
 - Remove requirement for systemd-units 
 
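Review bot: the changelog entry credits the patch to luto at mit.edu, but the From: and Signed-off-by: lines in the added patch file give luto at amacapital.net; use the address from the patch. The maintainer address is written mgreplh at redhat.com here while the commit Author line reads mgrepl at redhat.com, which looks like a typo. The entry also does not say that the setcon() path only works once the policy allows the dyntransition (the patch description gives the rule "allow unconfined_t sandbox_t:process dyntransition;"), and the spec adds no matching selinux-policy requirement. Since the code falls back to setexeccon() when setcon() fails, a versioned Requires is not strictly needed, but the changelog should state that the policy change is what makes the no_new_privs case work.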