[policycoreutils/f20] - Apply patch for org.selinux.policy to not be desktop centric from stefw at redhat.com - at_console sh
Miroslav Grepl
mgrepl at fedoraproject.org
Wed May 7 08:24:25 UTC 2014
commit 9c179d530d2ffc4a39a3d5a7c9fc3ed38e376adf
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed May 7 10:24:43 2014 +0200
- Apply patch for org.selinux.policy to not be desktop centric from stefw at redhat.com
- at_console should not be used any longer
- seunshare: Use setcurrent before setexec
...hare-Try-to-use-setcurrent-before-setexec.patch | 62 +++++++++++++
...-at_console-should-not-be-used-any-longer.patch | 30 ++++++
...-for-org.selinux.policy-to-not-be-desktop.patch | 93 ++++++++++++++++++++
policycoreutils.spec | 13 +++-
4 files changed, 197 insertions(+), 1 deletions(-)
---
diff --git a/0001-seunshare-Try-to-use-setcurrent-before-setexec.patch b/0001-seunshare-Try-to-use-setcurrent-before-setexec.patch
new file mode 100644
index 0000000..ba42295
--- /dev/null
+++ b/0001-seunshare-Try-to-use-setcurrent-before-setexec.patch
@@ -0,0 +1,62 @@
+From 8b8915f36a1db76bbdd9695f0bb450132b67f2ca Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Wed, 30 Apr 2014 21:59:37 -0700
+Subject: [PATCH 1/3] seunshare: Try to use setcurrent before setexec
+
+If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
+libcap-ng set, setexeccon will cause execve to fail. This also
+makes setting selinux context the very last action taken by
+seunshare prior to exec, as it may otherwise cause things to fail.
+
+Note that this won't work without adjusting the system policy to
+allow this use of setcurrent. This rule appears to work:
+
+ allow unconfined_t sandbox_t:process dyntransition;
+
+although a better rule would probably relax the unconfined_t
+restriction.
+
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+---
+ policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
+index 97f3920..fe40757 100644
+--- a/policycoreutils/sandbox/seunshare.c
++++ b/policycoreutils/sandbox/seunshare.c
+@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
+ goto childerr;
+ }
+
+- /* selinux context */
+- if (execcon && setexeccon(execcon) != 0) {
+- fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+- goto childerr;
+- }
+-
+ if (chdir(pwd->pw_dir)) {
+ perror(_("Failed to change dir to homedir"));
+ goto childerr;
+ }
+ setsid();
++
++ /* selinux context */
++ if (execcon) {
++ /* try dyntransition, since no_new_privs can interfere
++ * with setexeccon */
++ if (setcon(execcon) != 0) {
++ /* failed; fall back to setexeccon */
++ if (setexeccon(execcon) != 0) {
++ fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
++ goto childerr;
++ }
++ }
++ }
++
+ execv(argv[optind], argv + optind);
+ fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
+ childerr:
+--
+1.9.0
+
diff --git a/0002-at_console-should-not-be-used-any-longer.patch b/0002-at_console-should-not-be-used-any-longer.patch
new file mode 100644
index 0000000..dad20ef
--- /dev/null
+++ b/0002-at_console-should-not-be-used-any-longer.patch
@@ -0,0 +1,30 @@
+From 84bff58282256f52a25cec2f36c9831daea48987 Mon Sep 17 00:00:00 2001
+From: Dan Walsh <dwalsh at redhat.com>
+Date: Tue, 6 May 2014 14:38:41 -0400
+Subject: [PATCH 2/3] at_console should not be used any longer
+
+---
+ policycoreutils/sepolicy/org.selinux.conf | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/policycoreutils/sepolicy/org.selinux.conf b/policycoreutils/sepolicy/org.selinux.conf
+index a350978..1ae079d 100644
+--- a/policycoreutils/sepolicy/org.selinux.conf
++++ b/policycoreutils/sepolicy/org.selinux.conf
+@@ -12,12 +12,8 @@
+
+ <!-- Allow anyone to invoke methods on the interfaces,
+ authorization is performed by PolicyKit -->
+- <policy at_console="true">
+- <allow send_destination="org.selinux"/>
+- </policy>
+ <policy context="default">
+- <allow send_destination="org.selinux"
+- send_interface="org.freedesktop.DBus.Introspectable"/>
++ <allow send_destination="org.selinux"/>
+ </policy>
+
+ </busconfig>
+--
+1.9.0
+
diff --git a/0003-Apply-patch-for-org.selinux.policy-to-not-be-desktop.patch b/0003-Apply-patch-for-org.selinux.policy-to-not-be-desktop.patch
new file mode 100644
index 0000000..07c92cc
--- /dev/null
+++ b/0003-Apply-patch-for-org.selinux.policy-to-not-be-desktop.patch
@@ -0,0 +1,93 @@
+From 7a69cd9e185055fc8e096b466923d8712263a9e8 Mon Sep 17 00:00:00 2001
+From: Miroslav Grepl <mgrepl at redhat.com>
+Date: Wed, 7 May 2014 10:18:57 +0200
+Subject: [PATCH 3/3] Apply patch for org.selinux.policy to not be desktop
+ centric from stefw at redhat.com
+
+---
+ policycoreutils/sepolicy/org.selinux.policy | 20 ++++++++++----------
+ 1 file changed, 10 insertions(+), 10 deletions(-)
+
+diff --git a/policycoreutils/sepolicy/org.selinux.policy b/policycoreutils/sepolicy/org.selinux.policy
+index 4023bca..ddd9caa 100644
+--- a/policycoreutils/sepolicy/org.selinux.policy
++++ b/policycoreutils/sepolicy/org.selinux.policy
+@@ -11,7 +11,7 @@
+ <description>SELinux write access</description>
+ <message>System policy prevents restorecon access to SELinux</message>
+ <defaults>
+- <allow_any>no</allow_any>
++ <allow_any>auth_admin</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+@@ -20,7 +20,7 @@
+ <description>SELinux write access</description>
+ <message>System policy prevents setenforce access to SELinux</message>
+ <defaults>
+- <allow_any>no</allow_any>
++ <allow_any>auth_admin</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+@@ -29,7 +29,7 @@
+ <description>SELinux write access</description>
+ <message>System policy prevents semanage access to SELinux</message>
+ <defaults>
+- <allow_any>no</allow_any>
++ <allow_any>auth_admin</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+@@ -38,8 +38,8 @@
+ <description>SELinux Read access</description>
+ <message>System policy prevents read access to SELinux</message>
+ <defaults>
+- <allow_any>no</allow_any>
+- <allow_inactive>no</allow_inactive>
++ <allow_any>yes</allow_any>
++ <allow_inactive>yes</allow_inactive>
+ <allow_active>yes</allow_active>
+ </defaults>
+ </action>
+@@ -47,8 +47,8 @@
+ <description>SELinux list modules access</description>
+ <message>System policy prevents read access to SELinux modules</message>
+ <defaults>
+- <allow_any>no</allow_any>
+- <allow_inactive>no</allow_inactive>
++ <allow_any>yes</allow_any>
++ <allow_inactive>yes</allow_inactive>
+ <allow_active>yes</allow_active>
+ </defaults>
+ </action>
+@@ -56,7 +56,7 @@
+ <description>SELinux write access</description>
+ <message>System policy prevents relabel_on_boot access to SELinux</message>
+ <defaults>
+- <allow_any>no</allow_any>
++ <allow_any>auth_admin</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+@@ -65,7 +65,7 @@
+ <description>SELinux write access</description>
+ <message>System policy prevents change_default_policy access to SELinux</message>
+ <defaults>
+- <allow_any>no</allow_any>
++ <allow_any>auth_admin</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+@@ -74,7 +74,7 @@
+ <description>Change SELinux default enforcing mode</description>
+ <message>System policy prevents change_default_policy access to SELinux</message>
+ <defaults>
+- <allow_any>no</allow_any>
++ <allow_any>auth_admin</allow_any>
+ <allow_inactive>no</allow_inactive>
+ <allow_active>auth_admin_keep</allow_active>
+ </defaults>
+--
+1.9.0
+
diff --git a/policycoreutils.spec b/policycoreutils.spec
index 470718b..426c587 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.2.5
-Release: 3%{?dist}
+Release: 4%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -18,6 +18,9 @@ Source2: policycoreutils_man_ru2.tar.bz2
Source3: system-config-selinux.png
Source4: sepolicy-icons.tgz
Patch: policycoreutils-rhat.patch
+Patch1: 0001-seunshare-Try-to-use-setcurrent-before-setexec.patch
+Patch2: 0002-at_console-should-not-be-used-any-longer.patch
+Patch3: 0003-Apply-patch-for-org.selinux.policy-to-not-be-desktop.patch
#Patch1: policycoreutils-sepolgen.patch
Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3
@@ -49,6 +52,9 @@ to switch roles.
%prep
%setup -q -a 1
%patch -p2 -b .rhat
+%patch1 -p2 -b .seunshare
+%patch2 -p2 -b .at_console
+%patch3 -p2 -b .org.selinux
#%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
cp %{SOURCE3} gui/
tar xvf %{SOURCE4}
@@ -347,6 +353,11 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
+* Wed May 7 2014 Miroslav Grepl <mgrepl at redhat.com> - 2.2.5-4
+- Apply patch for org.selinux.policy to not be desktop centric from stefw at redhat.com
+- at_console should not be used any longer
+- seunshare: Use setcurrent before setexec
+
* Thu Jan 16 2014 Dan Walsh <dwalsh at redhat.com> - 2.2.5-3
- Add Miroslav patch to
- Fix previously_modified_initialize() to show modified changes properly for all selections
More information about the scm-commits
mailing list