rpms/policycoreutils/devel policycoreutils-rhat.patch, 1.444, 1.445 policycoreutils.spec, 1.644, 1.645

Daniel J Walsh dwalsh at fedoraproject.org
Sat Sep 19 01:40:58 UTC 2009


Author: dwalsh

Update of /cvs/extras/rpms/policycoreutils/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21487

Modified Files:
	policycoreutils-rhat.patch policycoreutils.spec 
Log Message:
* Fri Sep 18 2009 Dan Walsh <dwalsh at redhat.com> 2.0.74-3
- Security fixes for seunshare
- Fix Sandbox to handle non file input to command.


policycoreutils-rhat.patch:
 Makefile                                    |    2 
 audit2allow/audit2allow                     |   14 
 load_policy/Makefile                        |    2 
 restorecond/Makefile                        |   24 -
 restorecond/org.selinux.Restorecond.service |    3 
 restorecond/restorecond.c                   |  422 +++---------------
 restorecond/restorecond.conf                |    5 
 restorecond/restorecond.desktop             |    7 
 restorecond/restorecond.h                   |   18 
 restorecond/restorecond.init                |    5 
 restorecond/restorecond_user.conf           |    2 
 restorecond/user.c                          |  237 ++++++++++
 restorecond/watch.c                         |  254 +++++++++++
 sandbox/Makefile                            |   31 +
 sandbox/sandbox                             |  207 +++++++++
 sandbox/sandbox.8                           |   26 +
 sandbox/sandboxX.sh                         |   16 
 sandbox/seunshare.c                         |  265 +++++++++++
 scripts/Makefile                            |    2 
 scripts/chcat                               |    2 
 semanage/semanage                           |   27 +
 semanage/seobject.py                        |   11 
 semodule/semodule.8                         |    8 
 semodule/semodule.c                         |   53 ++
 setfiles/Makefile                           |    4 
 setfiles/restore.c                          |  519 ++++++++++++++++++++++
 setfiles/restore.h                          |   49 ++
 setfiles/setfiles.c                         |  643 +++-------------------------
 28 files changed, 1905 insertions(+), 953 deletions(-)

Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-rhat.patch,v
retrieving revision 1.444
retrieving revision 1.445
diff -u -p -r1.444 -r1.445
--- policycoreutils-rhat.patch	17 Sep 2009 19:19:53 -0000	1.444
+++ policycoreutils-rhat.patch	19 Sep 2009 01:40:53 -0000	1.445
@@ -1222,8 +1222,8 @@ diff --exclude-from=exclude --exclude=se
 +relabel:
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.74/sandbox/sandbox
 --- nsapolicycoreutils/sandbox/sandbox	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.74/sandbox/sandbox	2009-09-17 15:05:17.000000000 -0400
-@@ -0,0 +1,202 @@
++++ policycoreutils-2.0.74/sandbox/sandbox	2009-09-18 21:38:37.000000000 -0400
+@@ -0,0 +1,207 @@
 +#!/usr/bin/python -E
 +import os, sys, getopt, socket, random, fcntl, shutil
 +import selinux
@@ -1390,7 +1390,12 @@ diff --exclude-from=exclude --exclude=se
 +                         warnings.resetwarnings()
 +                         paths = []
 +                         for i in cmds:
-+                                paths.append(os.path.realpath(i))
++                                f = os.path.realpath(i)
++                                if os.path.exists(f):
++                                       paths.append(f)
++                                else:
++                                       paths.append(i)
++                                       
 +                         copyfiles(newhomedir, newtmpdir, init_files + paths)
 +                         execfile = newhomedir + "/.sandboxrc"
 +                         fd = open(execfile, "w+")
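Review bot: The new loop leaves `paths` holding a mix of canonicalised file paths and raw, non-existent arguments, and the whole list is still passed to `copyfiles(newhomedir, newtmpdir, init_files + paths)`. Whether `copyfiles` tolerates entries that do not exist is not visible in this hunk, so that should be confirmed or the list split into files to copy and arguments to keep verbatim. The `os.path.exists(f)` test and the later copy are also separate steps, so the copy still has to handle a path that has disappeared or changed in between. A short comment above the loop would record the intent, e.g. `# keep non-file arguments verbatim; only existing paths are resolved with realpath`. The added blank line after `paths.append(i)` carries trailing whitespace, and the enclosing block starts and ends outside the hunk.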
@@ -1478,8 +1483,8 @@ diff --exclude-from=exclude --exclude=se
 +done
 diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.74/sandbox/seunshare.c
 --- nsapolicycoreutils/sandbox/seunshare.c	1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.74/sandbox/seunshare.c	2009-09-17 15:05:44.000000000 -0400
-@@ -0,0 +1,284 @@
++++ policycoreutils-2.0.74/sandbox/seunshare.c	2009-09-18 09:58:46.000000000 -0400
+@@ -0,0 +1,265 @@
 +#include <signal.h>
 +#include <sys/types.h>
 +#include <sys/wait.h>
@@ -1506,33 +1511,19 @@ diff --exclude-from=exclude --exclude=se
 +#include <unistd.h>
 +
 +/**
-+ * This function will drop the capabilities so that we are left
-+ * only with access to the audit system and the ability to raise
-+ * CAP_SYS_ADMIN before invoking unshare and mounting a couple of directories. 
-+ * These capabilities are needed for performing bind mounts/unmounts 
-+ * and to create potential new instance directories with appropriate 
-+ * DAC attributes. 
-+ *
++ * This function will drop all capabilities 
 + * Returns zero on success, non-zero otherwise
 + */
-+static int drop_capabilities(int all, uid_t uid)
++static int drop_capabilities(uid_t uid)
 +{
 +	capng_clear(CAPNG_SELECT_BOTH);
 +
-+	if (all) {
-+		if (capng_lock() < 0) 
-+			return -1;
-+		/* Change uid */
-+		if (setresuid(uid, uid, uid)) {
-+			fprintf(stderr, "Error changing uid, aborting.\n");
-+			return -1;
-+		}
-+	} else {
-+		if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SETPCAP, CAP_SETUID, -1) < 0) { 
-+			fprintf(stderr, "Error running capng_updatev\n");
-+			return -1;
-+		}
-+	}
++	if (capng_lock() < 0) 
++		return -1;
++	/* Change uid */
++	if (setresuid(uid, uid, uid)) {
++		fprintf(stderr, "Error changing uid, aborting.\n");
++		return -1;
 +
 +	return capng_apply(CAPNG_SELECT_BOTH);
 +}
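Review bot: The rewritten `drop_capabilities` has lost the closing brace of the `if (setresuid(uid, uid, uid)) {` block. The added lines stop at `return -1;` and the next statement is `return capng_apply(CAPNG_SELECT_BOTH);`, so the final `}` closes the `if` rather than the function, and the file should not compile as shown. Add a `}` line directly after the `return -1;`. The shortened header comment says only "drop all capabilities", while the function also calls `capng_lock()` and `setresuid()`; a wording such as `This function clears and locks all capabilities and switches the real, effective and saved uid to uid` would match the code. The `capng_lock()` failure path returns silently, unlike the `setresuid` path, which prints a message.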
@@ -1626,7 +1617,6 @@ diff --exclude-from=exclude --exclude=se
 +		{"tmpdir", 1, 0, 't'},
 +		{NULL, 0, 0, 0}
 +	};
-+	capng_print_caps_text(CAPNG_PRINT_STDOUT, CAPNG_EFFECTIVE);
 +
 +	uid_t uid = getuid();
 +
@@ -1643,10 +1633,6 @@ diff --exclude-from=exclude --exclude=se
 +
 +	if (verify_shell(pwd->pw_shell) == 0) {
 +		fprintf(stderr, "Error!  Shell is not valid.\n");
-+	}
-+
-+	if (drop_capabilities(FALSE, uid)) {
-+		perror("Failed to drop capabilities");
 +		return -1;
 +	}
 +
@@ -1710,7 +1696,7 @@ diff --exclude-from=exclude --exclude=se
 +	if (tmpdir_s && verify_mount("/tmp", pwd) < 0) 
 +		return -1;
 +
-+	if (drop_capabilities(TRUE, uid)) {
++	if (drop_capabilities(uid)) {
 +		perror("Failed to drop all capabilities");
 +		return -1;
 +	}
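Review bot: This `drop_capabilities(uid)` call is now the only privilege reduction visible in the diff, because the earlier `drop_capabilities(FALSE, uid)` call is removed in the preceding hunk. Everything before it, including the `verify_mount` checks shown here, therefore appears to run with the process's full starting capability set instead of the four capabilities the old call retained (`CAP_SYS_ADMIN`, `CAP_DAC_OVERRIDE`, `CAP_SETPCAP`, `CAP_SETUID`). If that is intentional, a comment near the top of the function would document it, e.g. `/* Privileges are held until drop_capabilities(uid) below; keep the code in between minimal. */`. Otherwise consider restoring a reduced set early. Separately, `perror` here reports `errno`, which may be unrelated when the failure came from `capng_lock()` or `capng_apply()`, so `fprintf(stderr, ...)` would be more reliable. The enclosing function starts and ends outside the hunk.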


Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.644
retrieving revision 1.645
diff -u -p -r1.644 -r1.645
--- policycoreutils.spec	17 Sep 2009 19:19:55 -0000	1.644
+++ policycoreutils.spec	19 Sep 2009 01:40:56 -0000	1.645
@@ -6,7 +6,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.0.74
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 Group:	 System Environment/Base
 Source:	 http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -297,6 +297,10 @@ fi
 exit 0
 
 %changelog
+* Fri Sep 18 2009 Dan Walsh <dwalsh at redhat.com> 2.0.74-3
+- Security fixes for seunshare
+- Fix Sandbox to handle non file input to command.
+
 * Thu Sep 17 2009 Dan Walsh <dwalsh at redhat.com> 2.0.74-2
 - Security fixes for seunshare
 



