[policycoreutils/f19] * Wed Apr 7 2014 Miroslav Grepl <mgrepl at redhat.com> - 2.1.14-46.8 - seunshare: Use setcurrent before
Miroslav Grepl
mgrepl at fedoraproject.org
Wed May 7 14:36:13 UTC 2014
commit e2585817b9b29175a07c43df17f7ebaee9ee18cc
Author: Miroslav Grepl <mgrepl at redhat.com>
Date: Wed May 7 16:36:28 2014 +0200
* Wed Apr 7 2014 Miroslav Grepl <mgrepl at redhat.com> - 2.1.14-46.8
- seunshare: Use setcurrent before setexec from luto at amacapital.net
...hare-Try-to-use-setcurrent-before-setexec.patch | 62 ++++++++++++++++++++
policycoreutils.spec | 7 ++-
2 files changed, 68 insertions(+), 1 deletions(-)
---
diff --git a/0001-seunshare-Try-to-use-setcurrent-before-setexec.patch b/0001-seunshare-Try-to-use-setcurrent-before-setexec.patch
new file mode 100644
index 0000000..c70b85c
--- /dev/null
+++ b/0001-seunshare-Try-to-use-setcurrent-before-setexec.patch
@@ -0,0 +1,62 @@
+From 4f9823d2f21473f42ddf12fd8d4ea01cf95b564a Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski <luto at amacapital.net>
+Date: Wed, 30 Apr 2014 21:59:37 -0700
+Subject: [PATCH] seunshare: Try to use setcurrent before setexec
+
+If seunshare uses PR_SET_NO_NEW_PRIVS, which certain versions of
+libcap-ng set, setexeccon will cause execve to fail. This also
+makes setting selinux context the very last action taken by
+seunshare prior to exec, as it may otherwise cause things to fail.
+
+Note that this won't work without adjusting the system policy to
+allow this use of setcurrent. This rule appears to work:
+
+ allow unconfined_t sandbox_t:process dyntransition;
+
+although a better rule would probably relax the unconfined_t
+restriction.
+
+Signed-off-by: Andy Lutomirski <luto at amacapital.net>
+---
+ policycoreutils/sandbox/seunshare.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
+index 35e5a5e..529b6a6 100644
+--- a/policycoreutils/sandbox/seunshare.c
++++ b/policycoreutils/sandbox/seunshare.c
+@@ -1032,17 +1032,25 @@ int main(int argc, char **argv) {
+ goto childerr;
+ }
+
+- /* selinux context */
+- if (execcon && setexeccon(execcon) != 0) {
+- fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
+- goto childerr;
+- }
+-
+ if (chdir(pwd->pw_dir)) {
+ perror(_("Failed to change dir to homedir"));
+ goto childerr;
+ }
+ setsid();
++
++ /* selinux context */
++ if (execcon) {
++ /* try dyntransition, since no_new_privs can interfere
++ * with setexeccon */
++ if (setcon(execcon) != 0) {
++ /* failed; fall back to setexeccon */
++ if (setexeccon(execcon) != 0) {
++ fprintf(stderr, _("Could not set exec context to %s. %s\n"), execcon, strerror(errno));
++ goto childerr;
++ }
++ }
++ }
++
+ execv(argv[optind], argv + optind);
+ fprintf(stderr, _("Failed to execute command %s: %s\n"), argv[optind], strerror(errno));
+ childerr:
+--
+1.9.0
+
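Review bot: the failure of `if (setcon(execcon) != 0)` is discarded without recording errno, so on any system whose loaded policy lacks the `allow unconfined_t sandbox_t:process dyntransition;` rule that the patch description says is required, the only visible symptom is the fallback's `Could not set exec context to %s` message, which names the wrong operation and hides why the setcurrent path was not taken. Suggest saving errno from setcon() and including it in the fallback's message (or a separate diagnostic), and since nothing in this commit adds that policy rule, stating in the spec changelog or a comment that the dyntransition branch only takes effect once policy grants it; until then behaviour under PR_SET_NO_NEW_PRIVS is unchanged because setexeccon() is still what runs.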
diff --git a/policycoreutils.spec b/policycoreutils.spec
index ba43ad1..f392e8a 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -7,7 +7,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.1.14
-Release: 46.7%{?dist}
+Release: 46.8%{?dist}
License: GPLv2
Group: System Environment/Base
# Based on git repository with tag 20101221
@@ -19,6 +19,7 @@ Source3: system-config-selinux.png
Patch: policycoreutils-rhat.patch
Patch1: policycoreutils-sepolgen.patch
Patch2: policycoreutils-f20.patch
+Patch3: 0001-seunshare-Try-to-use-setcurrent-before-setexec.patch
Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3
Provides: /sbin/fixfiles
@@ -51,6 +52,7 @@ to switch roles.
%patch -p2 -b .rhat
%patch1 -p2 -b .sepolgen -d sepolgen-%{sepolgenver}
%patch2 -p1 -b .f20
+%patch3 -p2 -b .seunshare
%build
cp %{SOURCE3} gui/
@@ -312,6 +314,9 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
+* Wed Apr 7 2014 Miroslav Grepl <mgrepl at redhat.com> - 2.1.14-46.8
+- seunshare: Use setcurrent before setexec from luto at amacapital.net
+
* Mon Jan 3 2014 Miroslav Grepl <mgrepl at redhat.com> - 2.1.14-46.7
- policycoreutils-python should require checkpolicy
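Review bot: the new changelog entry is dated `Wed Apr 7 2014` while the commit itself is dated Wed May 7 2014, and 7 April 2014 was a Monday, so rpmbuild will flag the weekday/date mismatch as a bogus date; it should read `* Wed May 7 2014 Miroslav Grepl <mgrepl at redhat.com> - 2.1.14-46.8`. The entry could also mention that the setcurrent path depends on the `process dyntransition` allow rule quoted in the patch description, since that is not apparent from `Use setcurrent before setexec`.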