rpms/policycoreutils/F-11 policycoreutils-F11.patch,NONE,1.1

Daniel J Walsh dwalsh at fedoraproject.org
Fri May 22 18:31:02 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/policycoreutils/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10403

Added Files:
	policycoreutils-F11.patch 
Log Message:
* Fri May 22 2009 Dan Walsh <dwalsh at redhat.com> 2.0.62-12.6
- Add sandbox script


policycoreutils-F11.patch:

--- NEW FILE policycoreutils-F11.patch ---
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.62/scripts/Makefile
--- nsapolicycoreutils/scripts/Makefile	2009-02-18 16:45:01.000000000 -0500
+++ policycoreutils-2.0.62/scripts/Makefile	2009-05-22 14:11:06.000000000 -0400
@@ -5,11 +5,12 @@
 MANDIR ?= $(PREFIX)/share/man
 LOCALEDIR ?= /usr/share/locale
 
-all: fixfiles genhomedircon
+all: fixfiles genhomedircon sandbox chcat
 
 install: all
 	-mkdir -p $(BINDIR)
 	install -m 755 chcat $(BINDIR)
+	install -m 755 sandbox $(BINDIR)
 	install -m 755 fixfiles $(DESTDIR)/sbin
 	install -m 755 genhomedircon  $(SBINDIR)
 	-mkdir -p $(MANDIR)/man8
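Review bot: The patch adds scripts/sandbox.8, but the visible part of the install target only installs the sandbox script itself, so the new man page appears to be built but never shipped; the install rule continues past this hunk, so it may be handled below the `-mkdir -p $(MANDIR)/man8` line. If it is not, the fix is one line next to the other man page installs, `install -m 644 sandbox.8 $(MANDIR)/man8`. Adding `sandbox` and `chcat` to `all:` is harmless since both are scripts with no build step, but a short comment saying so, `# sandbox and chcat are scripts; listed so 'make all' checks they exist`, would stop a later maintainer from hunting for a missing rule.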
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.62/scripts/sandbox
--- nsapolicycoreutils/scripts/sandbox	1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/scripts/sandbox	2009-05-22 14:11:10.000000000 -0400
@@ -0,0 +1,149 @@
+#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl
+import selinux
+
+PROGNAME = "policycoreutils"
+
+import gettext
+gettext.bindtextdomain(PROGNAME, "/usr/share/locale")
+gettext.textdomain(PROGNAME)
+
+try:
+       gettext.install(PROGNAME,
+                       localedir = "/usr/share/locale",
+                       unicode=False,
+                       codeset = 'utf-8')
+except IOError:
+       import __builtin__
+       __builtin__.__dict__['_'] = unicode
+
+
+random.seed(None)
+
+def error_exit(msg):
+    sys.stderr.write("%s: " % sys.argv[0])
+    sys.stderr.write("%s\n" % msg)
+    sys.stderr.flush()
+    sys.exit(1)
+
+def mount(context):
+    if os.getuid() != 0:
+        usage(_("Mount options require root privileges"))
+    destdir = "/mnt/%s" % context
+    os.mkdir(destdir)
+    rc = os.system('/bin/mount -t tmpfs tmpfs %s' % (destdir))
+    selinux.setfilecon(destdir, context)
+    if rc != 0:
+        sys.exit(rc)
+    os.chdir(destdir)
+
+def umount(dest):
+    os.chdir("/")
+    destdir = "/mnt/%s" % dest
+    os.system('/bin/umount %s' % (destdir))
+    os.rmdir(destdir)
+
+
+def reserve(mcs):
+    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+    sock.bind("\0%s" % mcs)
+    fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
+
+def gen_context(setype):
+    while True:
+        i1 = random.randrange(0, 1024)
+        i2 = random.randrange(0, 1024)
+        if i1 == i2:
+            continue
+        if i1 > i2:
+            tmp = i1
+            i1 = i2
+            i2 = tmp
+        mcs = "s0:c%d,c%d" % (i1, i2)
+        reserve(mcs)
+        try:
+            reserve(mcs)
+        except:
+            continue
+        break
+    con = selinux.getcon()[1].split(":")
+
+    execcon = "%s:%s:%s:%s" % (con[0], con[1], setype, mcs)
+    
+    filecon = "%s:%s:%s:%s" % (con[0], 
+                               "object_r", 
+                               "%s_file_t" % setype[:-2], 
+                               mcs)
+    return execcon, filecon
+
+
+if __name__ == '__main__':
+    if selinux.is_selinux_enabled() != 1:
+        error_exit("Requires an SELinux enabled system")
+        
+    def usage(message = ""):
+        text = _("""
+sandbox [ -m ] [ -t type ] command
+""")
+        error_exit("%s\n%s" % (message, text))
+
+    setype = "sandbox_t"
+    mount_ind = False
+    gopts, cmds = getopt.getopt(sys.argv[1:], "t:m", 
+                                ["type=", 
+                                 "mount"])
+    for o, a in gopts:
+        if o == "-t" or o == "--type":
+            setype = a
+
+        if o == "-m" or o == "--mount":
+            mount_ind = True
+                
+            
+    if len(cmds) == 0:
+           usage(_("Command required"))
+
+    os.chdir("/")
+    execcon, filecon = gen_context(setype)
+    rc = -1
+    try:
+        if mount_ind:
+            mount(filecon)
+
+        if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
+               for i in  os.environ["PATH"].split(':'):
+                      f = "%s/%s" % (i, cmds[0])
+                      if os.access(f, os.X_OK):
+                             cmds[0] = f
+                             break
+
+        setype = selinux.getfilecon(cmds[0])[1].split(":")[2]
+        if setype == "user_home_t" or setype == "user_tmp_t":
+               error_exit(_("""
+Sandboxed applications can not read/execute files labeled as user content;  (%s)
+Temporarily label '%s" as bin_t, if you want it to run it under a sandbox.
+
+chcon -t bin_t %s
+
+restorecon %s
+
+Will set the executable back to the correct context.
+""") % (setype, cmds[0], cmds[0], cmds[0]) )
+
+        selinux.setexeccon(execcon)
+        rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
+        selinux.setexeccon(None)
+
+        if mount_ind:
+            umount(filecon)
+
+    except getopt.error, error:
+        usage(_("Options Error %s ") % error.msg)
+    except ValueError, error:
+        error_exit(error.args[0])
+    except KeyError, error:
+        error_exit(_("Invalid value %s") % error.args[0])
+    except IOError, error:
+        error_exit(error.args[1])
+        
+    sys.exit(rc)
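Review bot: The MCS reservation in reserve() is released the moment the function returns, because the bound socket is a local that nothing keeps a reference to and CPython closes it as soon as the refcount drops; consequently the second `reserve(mcs)` inside the try always succeeds and no category pair is actually held while the sandboxed command runs, even though the FD_CLOEXEC call shows the parent was meant to keep it. Two sandboxes launched concurrently can therefore end up with the same MCS pair and share a label, which defeats the per-sandbox isolation the categories are there to provide. The first `reserve(mcs)` call is also outside the try, and gen_context() itself is called before the main try block, so a genuine collision (another process already bound that name) would surface as an uncaught socket.error traceback instead of a retry. I would keep the socket in a module-level list so it lives until exit, and test the bind exactly once inside the try with a narrowed except; mount() has a related cleanup gap (the tmpfs is only unmounted on the success path and the directory is left behind if mount fails), which deserves a try/finally in a follow-up.
```python
_held = []   # sockets pinning this sandbox's MCS pair; released only at exit

def reserve(mcs):
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind("\0%s" % mcs)
    fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
    _held.append(sock)   # keep a reference, or the bind is dropped on return

def gen_context(setype):
    while True:
        # … unchanged: choose i1 < i2 and build mcs …
        try:
            reserve(mcs)
        except socket.error:
            continue   # pair already held by another sandbox; pick again
        break
    # … unchanged: build execcon / filecon from getcon() …
```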
diff --exclude-from=exclude --exclude=sepolgen-1.0.16 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.62/scripts/sandbox.8
--- nsapolicycoreutils/scripts/sandbox.8	1969-12-31 19:00:00.000000000 -0500
+++ policycoreutils-2.0.62/scripts/sandbox.8	2009-05-22 14:11:10.000000000 -0400
@@ -0,0 +1,22 @@
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
+.SH NAME
+sandbox \- Run cmd under an SELinux sandbox
+.SH SYNOPSIS
+.B sandbox
+[ -M ] [ -t type ] cmd
+.br
+.SH DESCRIPTION
+.PP
+Run application within a tightly confined SELinux domain,   This application can only read and write stdin and stdout along with files handled to it by the shell.  
+.PP
+.TP
+\fB\-m\fR
+Mount a temporary file system and change working directory to it, files will be removed when job completes.
+.TP
+\fB\-t type\fR
+Use alternate sandbox type, defaults to sandbox_t
+.TP
+.SH "SEE ALSO"
+.TP
+runcon(1)
+.PP



