rpms/policycoreutils/devel policycoreutils-gui.patch, 1.89, 1.90 policycoreutils-rhat.patch, 1.434, 1.435 policycoreutils.spec, 1.629, 1.630
Daniel J Walsh
dwalsh at fedoraproject.org
Wed Aug 26 18:05:34 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/policycoreutils/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv10384
Modified Files:
policycoreutils-gui.patch policycoreutils-rhat.patch
policycoreutils.spec
Log Message:
* Wed Aug 26 2009 Dan Walsh <dwalsh at redhat.com> 2.0.71-11
- Add sandboxX
policycoreutils-gui.patch:
Makefile | 41
booleansPage.py | 247 +++
domainsPage.py | 154 +
fcontextPage.py | 223 ++
html_util.py | 164 ++
lockdown.glade | 771 +++++++++
lockdown.gladep | 7
lockdown.py | 382 ++++
loginsPage.py | 185 ++
mappingsPage.py | 56
modulesPage.py | 190 ++
polgen.glade | 3305 ++++++++++++++++++++++++++++++++++++++++++
polgen.gladep | 7
polgen.py | 1183 +++++++++++++++
polgengui.py | 627 ++++++++
portsPage.py | 259 +++
selinux.tbl | 234 +++
semanagePage.py | 168 ++
statusPage.py | 190 ++
system-config-selinux.glade | 3403 ++++++++++++++++++++++++++++++++++++++++++++
system-config-selinux.py | 189 ++
templates/__init__.py | 18
templates/boolean.py | 40
templates/etc_rw.py | 129 +
templates/executable.py | 374 ++++
templates/network.py | 80 +
templates/rw.py | 128 +
templates/script.py | 99 +
templates/semodule.py | 41
templates/tmp.py | 97 +
templates/user.py | 182 ++
templates/var_lib.py | 158 ++
templates/var_log.py | 110 +
templates/var_run.py | 118 +
templates/var_spool.py | 129 +
translationsPage.py | 118 +
usersPage.py | 150 +
37 files changed, 13956 insertions(+)
Index: policycoreutils-gui.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-gui.patch,v
retrieving revision 1.89
retrieving revision 1.90
diff -u -p -r1.89 -r1.90
--- policycoreutils-gui.patch 26 Jun 2009 18:48:24 -0000 1.89
+++ policycoreutils-gui.patch 26 Aug 2009 18:05:32 -0000 1.90
@@ -1,6 +1,6 @@
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py policycoreutils-2.0.64/gui/booleansPage.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/booleansPage.py policycoreutils-2.0.71/gui/booleansPage.py
--- nsapolicycoreutils/gui/booleansPage.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/booleansPage.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/booleansPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,247 @@
+#
+# booleansPage.py - GUI for Booleans page in system-config-securitylevel
@@ -249,9 +249,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ self.load(self.filter)
+ return True
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/domainsPage.py policycoreutils-2.0.64/gui/domainsPage.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/domainsPage.py policycoreutils-2.0.71/gui/domainsPage.py
--- nsapolicycoreutils/gui/domainsPage.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/domainsPage.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/domainsPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,154 @@
+## domainsPage.py - show selinux domains
+## Copyright (C) 2009 Red Hat, Inc.
@@ -407,9 +407,9 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ except ValueError, e:
+ self.error(e.args[0])
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py policycoreutils-2.0.64/gui/fcontextPage.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/fcontextPage.py policycoreutils-2.0.71/gui/fcontextPage.py
--- nsapolicycoreutils/gui/fcontextPage.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/fcontextPage.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/fcontextPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,223 @@
+## fcontextPage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@@ -634,9 +634,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ self.store.set_value(iter, SPEC_COL, fspec)
+ self.store.set_value(iter, FTYPE_COL, ftype)
+ self.store.set_value(iter, TYPE_COL, "%s:%s" % (type, mls))
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/html_util.py policycoreutils-2.0.64/gui/html_util.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/html_util.py policycoreutils-2.0.71/gui/html_util.py
--- nsapolicycoreutils/gui/html_util.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/html_util.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/html_util.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,164 @@
+# Authors: John Dennis <jdennis at redhat.com>
+#
@@ -802,9 +802,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ doc += tail
+ return doc
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.glade policycoreutils-2.0.64/gui/lockdown.glade
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.glade policycoreutils-2.0.71/gui/lockdown.glade
--- nsapolicycoreutils/gui/lockdown.glade 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/lockdown.glade 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/lockdown.glade 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,771 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
@@ -1577,9 +1577,9 @@ diff --exclude-from=exclude -N -u -r nsa
+</widget>
+
+</glade-interface>
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.gladep policycoreutils-2.0.64/gui/lockdown.gladep
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.gladep policycoreutils-2.0.71/gui/lockdown.gladep
--- nsapolicycoreutils/gui/lockdown.gladep 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/lockdown.gladep 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/lockdown.gladep 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,7 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
@@ -1588,9 +1588,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ <name></name>
+ <program_name></program_name>
+</glade-project>
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.py policycoreutils-2.0.64/gui/lockdown.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/lockdown.py policycoreutils-2.0.71/gui/lockdown.py
--- nsapolicycoreutils/gui/lockdown.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/lockdown.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/lockdown.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,382 @@
+#!/usr/bin/python
+#
@@ -1974,9 +1974,9 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ app = booleanWindow()
+ app.stand_alone()
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policycoreutils-2.0.64/gui/loginsPage.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/loginsPage.py policycoreutils-2.0.71/gui/loginsPage.py
--- nsapolicycoreutils/gui/loginsPage.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/loginsPage.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/loginsPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,185 @@
+## loginsPage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@@ -2163,9 +2163,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ self.store.set_value(iter, 1, seuser)
+ self.store.set_value(iter, 2, seobject.translate(serange))
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreutils-2.0.64/gui/Makefile
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/Makefile policycoreutils-2.0.71/gui/Makefile
--- nsapolicycoreutils/gui/Makefile 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/Makefile 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/Makefile 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,41 @@
+# Installation directories.
+PREFIX ?= ${DESTDIR}/usr
@@ -2208,9 +2208,9 @@ diff --exclude-from=exclude -N -u -r nsa
+indent:
+
+relabel:
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py policycoreutils-2.0.64/gui/mappingsPage.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/mappingsPage.py policycoreutils-2.0.71/gui/mappingsPage.py
--- nsapolicycoreutils/gui/mappingsPage.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/mappingsPage.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/mappingsPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,56 @@
+## mappingsPage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@@ -2268,9 +2268,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ for k in keys:
+ print "%-25s %-25s %-25s" % (k, dict[k][0], translate(dict[k][1]))
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py policycoreutils-2.0.64/gui/modulesPage.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/modulesPage.py policycoreutils-2.0.71/gui/modulesPage.py
--- nsapolicycoreutils/gui/modulesPage.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/modulesPage.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/modulesPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,190 @@
+## modulesPage.py - show selinux mappings
+## Copyright (C) 2006-2009 Red Hat, Inc.
@@ -2462,9 +2462,9 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ except ValueError, e:
+ self.error(e.args[0])
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.64/gui/polgen.glade
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.glade policycoreutils-2.0.71/gui/polgen.glade
--- nsapolicycoreutils/gui/polgen.glade 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/polgen.glade 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/polgen.glade 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,3305 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
@@ -5771,9 +5771,9 @@ diff --exclude-from=exclude -N -u -r nsa
+</widget>
+
+</glade-interface>
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policycoreutils-2.0.64/gui/polgen.gladep
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.gladep policycoreutils-2.0.71/gui/polgen.gladep
--- nsapolicycoreutils/gui/polgen.gladep 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/polgen.gladep 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/polgen.gladep 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,7 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-project SYSTEM "http://glade.gnome.org/glade-project-2.0.dtd">
@@ -5782,9 +5782,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ <name></name>
+ <program_name></program_name>
+</glade-project>
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.64/gui/polgengui.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgengui.py policycoreutils-2.0.71/gui/polgengui.py
--- nsapolicycoreutils/gui/polgengui.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/polgengui.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/polgengui.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,627 @@
+#!/usr/bin/python -E
+#
@@ -6413,10 +6413,10 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ app = childWindow()
+ app.stand_alone()
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.64/gui/polgen.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/polgen.py policycoreutils-2.0.71/gui/polgen.py
--- nsapolicycoreutils/gui/polgen.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/polgen.py 2009-06-25 16:01:33.000000000 -0400
-@@ -0,0 +1,1179 @@
++++ policycoreutils-2.0.71/gui/polgen.py 2009-08-26 10:47:54.000000000 -0400
+@@ -0,0 +1,1183 @@
+#!/usr/bin/python
+#
+# Copyright (C) 2007, 2008, 2009 Red Hat
@@ -6747,6 +6747,7 @@ diff --exclude-from=exclude -N -u -r nsa
+ self.need_udp_type=False
+ self.admin_domains = []
+ self.transition_domains = []
++ self.transition_users = []
+ self.roles = []
+ self.all_roles = get_all_roles()
+
@@ -7548,9 +7549,10 @@ diff --exclude-from=exclude -N -u -r nsa
+
+if __name__ == '__main__':
+ setype = DAEMON
-+ gopts, cmds = getopt.getopt(sys.argv[1:], "t:m",
++ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m",
+ ["type=",
-+ "mount"])
++ "mount",
++ "help"])
+ for o, a in gopts:
+ if o == "-t" or o == "--type":
+ try:
@@ -7564,6 +7566,8 @@ diff --exclude-from=exclude -N -u -r nsa
+ if o == "-m" or o == "--mount":
+ mount_ind = True
+
++ if o == "-h" or o == "--help":
++ usage("");
+
+ if len(cmds) == 0:
+ usage(_("Executable required"))
@@ -7596,9 +7600,9 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ print mypolicy.generate()
+ sys.exit(0)
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policycoreutils-2.0.64/gui/portsPage.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/portsPage.py policycoreutils-2.0.71/gui/portsPage.py
--- nsapolicycoreutils/gui/portsPage.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/portsPage.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/portsPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,259 @@
+## portsPage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@@ -7859,9 +7863,9 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ return True
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policycoreutils-2.0.64/gui/selinux.tbl
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/selinux.tbl policycoreutils-2.0.71/gui/selinux.tbl
--- nsapolicycoreutils/gui/selinux.tbl 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/selinux.tbl 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/selinux.tbl 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,234 @@
+acct_disable_trans _("SELinux Service Protection") _("Disable SELinux protection for acct daemon")
+allow_daemons_dump_core _("Admin") _("Allow all daemons to write corefiles to /")
@@ -8097,9 +8101,9 @@ diff --exclude-from=exclude -N -u -r nsa
+webadm_manage_user_files _("HTTPD Service") _("Allow SELinux webadm user to manage unprivileged users home directories")
+webadm_read_user_files _("HTTPD Service") _("Allow SELinux webadm user to read unprivileged users home directories")
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py policycoreutils-2.0.64/gui/semanagePage.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/semanagePage.py policycoreutils-2.0.71/gui/semanagePage.py
--- nsapolicycoreutils/gui/semanagePage.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/semanagePage.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/semanagePage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,168 @@
+## semanagePage.py - show selinux mappings
+## Copyright (C) 2006 Red Hat, Inc.
@@ -8269,9 +8273,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ self.load(self.filter)
+ return True
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policycoreutils-2.0.64/gui/statusPage.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/statusPage.py policycoreutils-2.0.71/gui/statusPage.py
--- nsapolicycoreutils/gui/statusPage.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/statusPage.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/statusPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,190 @@
+# statusPage.py - show selinux status
+## Copyright (C) 2006-2009 Red Hat, Inc.
@@ -8463,9 +8467,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ return self.types[self.selinuxTypeOptionMenu.get_active()]
+
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.glade policycoreutils-2.0.64/gui/system-config-selinux.glade
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.glade policycoreutils-2.0.71/gui/system-config-selinux.glade
--- nsapolicycoreutils/gui/system-config-selinux.glade 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/system-config-selinux.glade 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/system-config-selinux.glade 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,3403 @@
+<?xml version="1.0" standalone="no"?> <!--*- mode: xml -*-->
+<!DOCTYPE glade-interface SYSTEM "http://glade.gnome.org/glade-2.0.dtd">
@@ -11870,9 +11874,9 @@ diff --exclude-from=exclude -N -u -r nsa
+</widget>
+
+</glade-interface>
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.py policycoreutils-2.0.64/gui/system-config-selinux.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/system-config-selinux.py policycoreutils-2.0.71/gui/system-config-selinux.py
--- nsapolicycoreutils/gui/system-config-selinux.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/system-config-selinux.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/system-config-selinux.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,189 @@
+#!/usr/bin/python
+#
@@ -12063,9 +12067,9 @@ diff --exclude-from=exclude -N -u -r nsa
+
+ app = childWindow()
+ app.stand_alone()
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py policycoreutils-2.0.64/gui/templates/boolean.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/boolean.py policycoreutils-2.0.71/gui/templates/boolean.py
--- nsapolicycoreutils/gui/templates/boolean.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/boolean.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/templates/boolean.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,40 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -12107,9 +12111,9 @@ diff --exclude-from=exclude -N -u -r nsa
+')
+"""
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py policycoreutils-2.0.64/gui/templates/etc_rw.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/etc_rw.py policycoreutils-2.0.71/gui/templates/etc_rw.py
--- nsapolicycoreutils/gui/templates/etc_rw.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/etc_rw.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/templates/etc_rw.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,129 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -12240,10 +12244,10 @@ diff --exclude-from=exclude -N -u -r nsa
+fc_dir="""\
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_etc_rw_t,s0)
+"""
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.64/gui/templates/executable.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/executable.py policycoreutils-2.0.71/gui/templates/executable.py
--- nsapolicycoreutils/gui/templates/executable.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/executable.py 2009-06-23 16:24:31.000000000 -0400
-@@ -0,0 +1,376 @@
++++ policycoreutils-2.0.71/gui/templates/executable.py 2009-08-26 10:48:18.000000000 -0400
+@@ -0,0 +1,374 @@
+# Copyright (C) 2007-2009 Red Hat
+# see file 'COPYING' for use and warranty information
+#
@@ -12356,7 +12360,6 @@ diff --exclude-from=exclude -N -u -r nsa
+files_read_etc_files(TEMPLATETYPE_t)
+
+miscfiles_read_localization(TEMPLATETYPE_t)
-+
+"""
+
+te_inetd_rules="""
@@ -12381,7 +12384,6 @@ diff --exclude-from=exclude -N -u -r nsa
+libs_use_shared_libs(TEMPLATETYPE_t)
+
+miscfiles_read_localization(TEMPLATETYPE_t)
-+
+"""
+
+te_cgi_rules="""
@@ -12620,9 +12622,9 @@ diff --exclude-from=exclude -N -u -r nsa
+EXECUTABLE -- gen_context(system_u:object_r:TEMPLATETYPE_initrc_exec_t,s0)
+"""
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.64/gui/templates/__init__.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/__init__.py policycoreutils-2.0.71/gui/templates/__init__.py
--- nsapolicycoreutils/gui/templates/__init__.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/__init__.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/templates/__init__.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,18 @@
+#
+# Copyright (C) 2007 Red Hat, Inc.
@@ -12642,9 +12644,9 @@ diff --exclude-from=exclude -N -u -r nsa
+# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+#
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.64/gui/templates/network.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/network.py policycoreutils-2.0.71/gui/templates/network.py
--- nsapolicycoreutils/gui/templates/network.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/network.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/templates/network.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,80 @@
+te_port_types="""
+type TEMPLATETYPE_port_t;
@@ -12726,9 +12728,9 @@ diff --exclude-from=exclude -N -u -r nsa
+corenet_udp_bind_all_unreserved_ports(TEMPLATETYPE_t)
+"""
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.64/gui/templates/rw.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/rw.py policycoreutils-2.0.71/gui/templates/rw.py
--- nsapolicycoreutils/gui/templates/rw.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/rw.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/templates/rw.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,128 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -12858,9 +12860,9 @@ diff --exclude-from=exclude -N -u -r nsa
+fc_dir="""
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_rw_t,s0)
+"""
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.64/gui/templates/script.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/script.py policycoreutils-2.0.71/gui/templates/script.py
--- nsapolicycoreutils/gui/templates/script.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/script.py 2009-06-25 16:00:57.000000000 -0400
++++ policycoreutils-2.0.71/gui/templates/script.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,99 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -12961,9 +12963,9 @@ diff --exclude-from=exclude -N -u -r nsa
+# Adding roles to SELinux user USER
+/usr/sbin/semanage user -m -R +TEMPLATETYPE_r USER
+"""
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.64/gui/templates/semodule.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/semodule.py policycoreutils-2.0.71/gui/templates/semodule.py
--- nsapolicycoreutils/gui/templates/semodule.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/semodule.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/templates/semodule.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,41 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13006,9 +13008,9 @@ diff --exclude-from=exclude -N -u -r nsa
+semanage ports -a -t TEMPLATETYPE_port_t -p udp PORTNUM
+"""
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.64/gui/templates/tmp.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/tmp.py policycoreutils-2.0.71/gui/templates/tmp.py
--- nsapolicycoreutils/gui/templates/tmp.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/tmp.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/templates/tmp.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,97 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13107,9 +13109,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ TEMPLATETYPE_manage_tmp($1)
+"""
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.64/gui/templates/user.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/user.py policycoreutils-2.0.71/gui/templates/user.py
--- nsapolicycoreutils/gui/templates/user.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/user.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/templates/user.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,182 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13293,9 +13295,9 @@ diff --exclude-from=exclude -N -u -r nsa
+te_newrole_rules="""
+seutil_run_newrole(TEMPLATETYPE_t,TEMPLATETYPE_r,{ TEMPLATETYPE_devpts_t TEMPLATETYPE_tty_device_t })
+"""
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.64/gui/templates/var_lib.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_lib.py policycoreutils-2.0.71/gui/templates/var_lib.py
--- nsapolicycoreutils/gui/templates/var_lib.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/var_lib.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/templates/var_lib.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,158 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13455,9 +13457,9 @@ diff --exclude-from=exclude -N -u -r nsa
+fc_dir="""\
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_lib_t,s0)
+"""
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.64/gui/templates/var_log.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_log.py policycoreutils-2.0.71/gui/templates/var_log.py
--- nsapolicycoreutils/gui/templates/var_log.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/var_log.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/templates/var_log.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,110 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13569,9 +13571,9 @@ diff --exclude-from=exclude -N -u -r nsa
+fc_dir="""\
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_log_t,s0)
+"""
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.64/gui/templates/var_run.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_run.py policycoreutils-2.0.71/gui/templates/var_run.py
--- nsapolicycoreutils/gui/templates/var_run.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/var_run.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/templates/var_run.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,118 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13691,9 +13693,9 @@ diff --exclude-from=exclude -N -u -r nsa
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_var_run_t,s0)
+"""
+
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.64/gui/templates/var_spool.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/templates/var_spool.py policycoreutils-2.0.71/gui/templates/var_spool.py
--- nsapolicycoreutils/gui/templates/var_spool.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/templates/var_spool.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/templates/var_spool.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,129 @@
+# Copyright (C) 2007 Red Hat
+# see file 'COPYING' for use and warranty information
@@ -13824,9 +13826,9 @@ diff --exclude-from=exclude -N -u -r nsa
+fc_dir="""\
+FILENAME(/.*)? gen_context(system_u:object_r:TEMPLATETYPE_spool_t,s0)
+"""
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/translationsPage.py policycoreutils-2.0.64/gui/translationsPage.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/translationsPage.py policycoreutils-2.0.71/gui/translationsPage.py
--- nsapolicycoreutils/gui/translationsPage.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/translationsPage.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/translationsPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,118 @@
+## translationsPage.py - show selinux translations
+## Copyright (C) 2006 Red Hat, Inc.
@@ -13946,9 +13948,9 @@ diff --exclude-from=exclude -N -u -r nsa
+ store, iter = self.view.get_selection().get_selected()
+ self.store.set_value(iter, 0, level)
+ self.store.set_value(iter, 1, translation)
-diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/usersPage.py policycoreutils-2.0.64/gui/usersPage.py
+diff --exclude-from=exclude -N -u -r nsapolicycoreutils/gui/usersPage.py policycoreutils-2.0.71/gui/usersPage.py
--- nsapolicycoreutils/gui/usersPage.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.64/gui/usersPage.py 2009-06-23 16:24:31.000000000 -0400
++++ policycoreutils-2.0.71/gui/usersPage.py 2009-08-20 12:53:16.000000000 -0400
@@ -0,0 +1,150 @@
+## usersPage.py - show selinux mappings
+## Copyright (C) 2006,2007,2008 Red Hat, Inc.
policycoreutils-rhat.patch:
Makefile | 2
audit2allow/audit2allow | 14
restorecond/Makefile | 24
restorecond/org.selinux.Restorecond.service | 3
restorecond/restorecond.c | 422 ++---------------
restorecond/restorecond.conf | 5
restorecond/restorecond.desktop | 7
restorecond/restorecond.h | 18
restorecond/restorecond_user.conf | 2
restorecond/user.c | 237 +++++++++
restorecond/watch.c | 254 ++++++++++
sandbox/Makefile | 31 +
sandbox/sandbox | 193 +++++++
sandbox/sandbox.8 | 26 +
sandbox/sandboxX.sh | 13
sandbox/seunshare |binary
sandbox/seunshare.c | 188 +++++++
sandbox/seunshare.o |binary
scripts/Makefile | 2
scripts/chcat | 2
semanage/semanage | 34 +
semanage/seobject.py | 66 ++
setfiles/Makefile | 4
setfiles/restore.c | 519 +++++++++++++++++++++
setfiles/restore.h | 49 +
setfiles/setfiles.c | 687 +++-------------------------
26 files changed, 1832 insertions(+), 970 deletions(-)
Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-rhat.patch,v
retrieving revision 1.434
retrieving revision 1.435
diff -u -p -r1.434 -r1.435
--- policycoreutils-rhat.patch 22 Aug 2009 12:08:34 -0000 1.434
+++ policycoreutils-rhat.patch 26 Aug 2009 18:05:33 -0000 1.435
@@ -40,10 +40,10 @@ diff --exclude-from=exclude --exclude=se
f = sys.stdin
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/Makefile policycoreutils-2.0.71/Makefile
--- nsapolicycoreutils/Makefile 2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.71/Makefile 2009-08-20 12:53:16.000000000 -0400
++++ policycoreutils-2.0.71/Makefile 2009-08-26 10:04:47.000000000 -0400
@@ -1,4 +1,4 @@
-SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po
-+SUBDIRS = setfiles semanage load_policy newrole run_init secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
++SUBDIRS = setfiles semanage load_policy newrole run_init sandbox secon audit2allow audit2why scripts sestatus semodule_package semodule semodule_link semodule_expand semodule_deps setsebool po gui
INOTIFYH = $(shell ls /usr/include/sys/inotify.h 2>/dev/null)
@@ -1152,41 +1152,47 @@ diff --exclude-from=exclude --exclude=se
+ exitApp("Error watching config file.");
+}
+
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.71/scripts/chcat
---- nsapolicycoreutils/scripts/chcat 2009-06-23 15:36:07.000000000 -0400
-+++ policycoreutils-2.0.71/scripts/chcat 2009-08-20 12:53:16.000000000 -0400
-@@ -435,6 +435,8 @@
- continue
- except ValueError, e:
- error(e)
-+ except OSError, e:
-+ error(e)
-
- sys.exit(errors)
-
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.71/scripts/Makefile
---- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400
-+++ policycoreutils-2.0.71/scripts/Makefile 2009-08-20 12:53:16.000000000 -0400
-@@ -5,11 +5,12 @@
- MANDIR ?= $(PREFIX)/share/man
- LOCALEDIR ?= /usr/share/locale
-
--all: fixfiles genhomedircon
-+all: fixfiles genhomedircon sandbox chcat
-
- install: all
- -mkdir -p $(BINDIR)
- install -m 755 chcat $(BINDIR)
+diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/Makefile policycoreutils-2.0.71/sandbox/Makefile
+--- nsapolicycoreutils/sandbox/Makefile 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.71/sandbox/Makefile 2009-08-26 10:50:50.000000000 -0400
+@@ -0,0 +1,31 @@
++# Installation directories.
++PREFIX ?= ${DESTDIR}/usr
++BINDIR ?= $(PREFIX)/bin
++SBINDIR ?= $(PREFIX)/sbin
++MANDIR ?= $(PREFIX)/share/man
++LOCALEDIR ?= /usr/share/locale
++SHAREDIR ?= $(PREFIX)/share/sandbox
++override CFLAGS += $(LDFLAGS) -I$(PREFIX)/include -DPACKAGE="\"policycoreutils\""
++LDLIBS += -lselinux -lcap-ng
++
++all: sandbox seunshare sandboxX.sh
++
++seunshare: seunshare.o $(EXTRA_OBJS)
++ $(CC) $(LDFLAGS) -o $@ $^ $(LDLIBS)
++
++install: all
++ -mkdir -p $(BINDIR)
+ install -m 755 sandbox $(BINDIR)
- install -m 755 fixfiles $(DESTDIR)/sbin
- install -m 755 genhomedircon $(SBINDIR)
- -mkdir -p $(MANDIR)/man8
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox policycoreutils-2.0.71/scripts/sandbox
---- nsapolicycoreutils/scripts/sandbox 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/scripts/sandbox 2009-08-20 12:53:16.000000000 -0400
-@@ -0,0 +1,139 @@
++ -mkdir -p $(MANDIR)/man8
++ install -m 644 sandbox.8 $(MANDIR)/man8/
++ install -m 4755 seunshare $(SBINDIR)/
++ -mkdir -p $(SHAREDIR)
++ install -m 755 sandboxX.sh $(SHAREDIR)
++
++clean:
++ -rm -f seunshare *.o *~
++
++indent:
++ ../../scripts/Lindent $(wildcard *.[ch])
++
++relabel:
+diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.71/sandbox/sandbox
+--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.71/sandbox/sandbox 2009-08-26 10:03:24.000000000 -0400
+@@ -0,0 +1,193 @@
+#!/usr/bin/python -E
-+import os, sys, getopt, socket, random, fcntl
++import os, sys, getopt, socket, random, fcntl, shutil
+import selinux
+
+PROGNAME = "policycoreutils"
@@ -1205,6 +1211,9 @@ diff --exclude-from=exclude --exclude=se
+ __builtin__.__dict__['_'] = unicode
+
+
++DEFAULT_TYPE = "sandbox_t"
++DEFAULT_X_TYPE = "sandbox_x_t"
++
+random.seed(None)
+
+def error_exit(msg):
@@ -1213,24 +1222,6 @@ diff --exclude-from=exclude --exclude=se
+ sys.stderr.flush()
+ sys.exit(1)
+
-+def mount(context):
-+ if os.getuid() != 0:
-+ usage(_("Mount options require root privileges"))
-+ destdir = "/mnt/%s" % context
-+ os.mkdir(destdir)
-+ rc = os.system('/bin/mount -t tmpfs tmpfs %s' % (destdir))
-+ selinux.setfilecon(destdir, context)
-+ if rc != 0:
-+ sys.exit(rc)
-+ os.chdir(destdir)
-+
-+def umount(dest):
-+ os.chdir("/")
-+ destdir = "/mnt/%s" % dest
-+ os.system('/bin/umount %s' % (destdir))
-+ os.rmdir(destdir)
-+
-+
+def reserve(mcs):
+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
+ sock.bind("\0%s" % mcs)
@@ -1263,30 +1254,75 @@ diff --exclude-from=exclude --exclude=se
+ mcs)
+ return execcon, filecon
+
++def copyfile(file, dir, dest):
++ import re
++ if file.startswith(dir):
++ dname = os.path.dirname(file)
++ bname = os.path.basename(file)
++ if dname == dir:
++ dest = dest + "/" + bname
++ else:
++ newdir = re.sub(dir, dest, dname)
++ os.makedirs(newdir)
++ dest = newdir + "/" + bname
++
++ if os.path.isdir(file):
++ shutil.copytree(file, dest)
++ else:
++ shutil.copy2(file, dest)
++
++def copyfiles(newhomedir, newtmpdir, files):
++ import pwd
++ homedir=pwd.getpwuid(os.getuid()).pw_dir
++
++ for f in files:
++ copyfile(f,homedir, newhomedir)
++ copyfile(f,"/tmp", newtmpdir)
+
+if __name__ == '__main__':
+ if selinux.is_selinux_enabled() != 1:
+ error_exit("Requires an SELinux enabled system")
+
++ init_files = []
++
+ def usage(message = ""):
+ text = _("""
-+sandbox [ -m ] [ -t type ] command
++sandbox [-h] [-I includefile ] [[-i file ] ...] [ -t type ] command
+""")
+ error_exit("%s\n%s" % (message, text))
+
-+ setype = "sandbox_t"
-+ mount_ind = False
++ setype = DEFAULT_TYPE
++ X_ind = False
+ try:
-+ gopts, cmds = getopt.getopt(sys.argv[1:], "ht:m",
++ gopts, cmds = getopt.getopt(sys.argv[1:], "i:ht:XI:",
+ ["help",
-+ "type=",
-+ "mount"])
++ "include=",
++ "includefile=",
++ "type="
++ ])
+ for o, a in gopts:
+ if o == "-t" or o == "--type":
+ setype = a
+
-+ if o == "-m" or o == "--mount":
-+ mount_ind = True
++ if o == "-i" or o == "--include":
++ rp = os.path.realpath(a)
++ if rp not in init_files:
++ init_files.append(rp)
++
++ if o == "-I" or o == "--includefile":
++ fd = open(a, "r")
++ for i in fd.read().split("\n"):
++ if os.path.exists(i):
++ rp = os.path.realpath(i)
++ if rp not in init_files:
++ init_files.append(rp)
++
++ fd.close
++
++ if o == "-X":
++ if DEFAULT_TYPE == setype:
++ setype = DEFAULT_X_TYPE
++ X_ind = True
+
+ if o == "-h" or o == "--help":
+ usage(_("Usage"));
@@ -1296,8 +1332,6 @@ diff --exclude-from=exclude --exclude=se
+
+ execcon, filecon = gen_context(setype)
+ rc = -1
-+ if mount_ind:
-+ mount(filecon)
+
+ if cmds[0][0] != "/" and cmds[0][:2] != "./" and cmds[0][:3] != "../":
+ for i in os.environ["PATH"].split(':'):
@@ -1306,121 +1340,315 @@ diff --exclude-from=exclude --exclude=se
+ cmds[0] = f
+ break
+
-+ selinux.setexeccon(execcon)
-+ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
-+ selinux.setexeccon(None)
-+
-+ if mount_ind:
-+ umount(filecon)
++ try:
++ if X_ind:
++ import warnings
++ warnings.simplefilter("ignore")
++ newhomedir = os.tempnam(".", ".sandbox%s")
++ os.mkdir(newhomedir)
++ selinux.setfilecon(newhomedir, filecon)
++ newtmpdir = os.tempnam("/tmp", ".sandbox")
++ os.mkdir(newtmpdir)
++ selinux.setfilecon(newtmpdir, filecon)
++ warnings.resetwarnings()
++ copyfiles(newhomedir, newtmpdir, init_files + cmds)
++ execfile = newhomedir + "/.sandboxrc"
++ fd = open(execfile, "w+")
++ fd.write("""#! /bin/sh
++%s
++""" % " ".join(cmds))
++ fd.close()
++ os.chmod(execfile, 0700)
++
++ cmds = ("/usr/sbin/seunshare -t %s -h %s -- %s /usr/share/sandbox/sandboxX.sh" % (newtmpdir, newhomedir, execcon)).split()
++ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
++ else:
++ selinux.setexeccon(execcon)
++ rc = os.spawnvp(os.P_WAIT, cmds[0], cmds)
++ selinux.setexeccon(None)
++ finally:
++ if X_ind:
++ shutil.rmtree(newhomedir)
++ shutil.rmtree(newtmpdir)
++
+ except getopt.GetoptError, error:
-+ usage(_("Options Error %s ") % error.msg)
++ usage(_("Options Error %s ") % error.msg)
++ except OSError, error:
++ error_exit(error.args[1])
+ except ValueError, error:
-+ error_exit(error.args[0])
++ error_exit(error.args[0])
+ except KeyError, error:
-+ error_exit(_("Invalid value %s") % error.args[0])
++ error_exit(_("Invalid value %s") % error.args[0])
+ except IOError, error:
-+ error_exit(error.args[1])
-+ except OSError, error:
-+ error_exit(error.args[1])
++ error_exit(error.args[1])
+
+ sys.exit(rc)
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.8 policycoreutils-2.0.71/scripts/sandbox.8
---- nsapolicycoreutils/scripts/sandbox.8 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/scripts/sandbox.8 2009-08-20 12:53:16.000000000 -0400
-@@ -0,0 +1,22 @@
++
+diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox.8 policycoreutils-2.0.71/sandbox/sandbox.8
+--- nsapolicycoreutils/sandbox/sandbox.8 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.71/sandbox/sandbox.8 2009-08-26 10:03:24.000000000 -0400
+@@ -0,0 +1,26 @@
+.TH SANDBOX "8" "May 2009" "chcat" "User Commands"
+.SH NAME
+sandbox \- Run cmd under an SELinux sandbox
+.SH SYNOPSIS
+.B sandbox
-+[ -M ] [ -t type ] cmd
++[-X] [[-i file ]...] [ -t type ] cmd
+.br
+.SH DESCRIPTION
+.PP
-+Run application within a tightly confined SELinux domain, This application can only read and write stdin and stdout along with files handled to it by the shell.
++Run application within a tightly confined SELinux domain, The default sandbox allows the application to only read and write stdin and stdout along with files handled to it by the shell.
++Additionaly a -X qualifier allows you to run sandboxed X applications. These apps will start up their own X Server and create a temporary homedir and /tmp. The default policy does not allow any capabilities or network access. Also prevents all access to the users other processes and files. Any file specified on the command line will be copied into the sandbox.
+.PP
+.TP
-+\fB\-m\fR
-+Mount a temporary file system and change working directory to it, files will be removed when job completes.
-+.TP
+\fB\-t type\fR
-+Use alternate sandbox type, defaults to sandbox_t
++Use alternate sandbox type, defaults to sandbox_t or sandbox_x_t for -X.
++.TP
++\fB\-i file\fR
++Copy this file into the temporary sandbox homedir. Command can be repeated.
++.TP
++\fB\-X\fR
++Create an X based Sandbox for gui apps, temporary files for $HOME and /tmp, seconday Xserver, defaults to sandbox_x_t
+.TP
+.SH "SEE ALSO"
+.TP
+runcon(1)
+.PP
-diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/sandbox.py policycoreutils-2.0.71/scripts/sandbox.py
---- nsapolicycoreutils/scripts/sandbox.py 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.71/scripts/sandbox.py 2009-08-20 12:53:16.000000000 -0400
-@@ -0,0 +1,67 @@
-+#!/usr/bin/python
-+import os, sys, getopt, socket, random, fcntl
-+import selinux
+diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandboxX.sh policycoreutils-2.0.71/sandbox/sandboxX.sh
+--- nsapolicycoreutils/sandbox/sandboxX.sh 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.71/sandbox/sandboxX.sh 2009-08-26 10:03:24.000000000 -0400
+@@ -0,0 +1,13 @@
++#!/bin/bash
++(Xephyr -terminate -screen 1000x700 -displayfd 5 5>&1 2>/dev/null) | while read D; do
++export DISPLAY=:$D
++matchbox-window-manager -use_titlebar no &
++WM_PID=$!
++~/.sandboxrc &
++CLIENT_PID=$!
++wait $CLIENT_PID
++export EXITCODE=$?
++kill -TERM $WM_PID
++exit $EXITCODE
++break
++done
+Binary files nsapolicycoreutils/sandbox/seunshare and policycoreutils-2.0.71/sandbox/seunshare differ
+diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.71/sandbox/seunshare.c
+--- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500
++++ policycoreutils-2.0.71/sandbox/seunshare.c 2009-08-26 10:06:05.000000000 -0400
+@@ -0,0 +1,188 @@
++#include <signal.h>
++#include <sys/types.h>
++#include <sys/wait.h>
++#include <sys/mount.h>
++#include <pwd.h>
++#define _GNU_SOURCE
++#include <sched.h>
++#include <string.h>
++#include <stdio.h>
++#include <unistd.h>
++#include <stdlib.h>
++#include <cap-ng.h>
++#include <getopt.h> /* for getopt_long() form of getopt() */
+
-+random.seed(None)
++#include <selinux/selinux.h>
++#include <selinux/context.h> /* for context-mangling functions */
+
-+def mount(src, context):
-+ destdir="/mnt/%s" % context
-+ os.mkdir(destdir)
-+ print 'mount -n -o "context=%s" %s %s' % (context, src, destdir)
-+ os.chdir(destdir)
-+
-+def umount(dest):
-+ os.chdir("/")
-+ destdir="/mnt/%s" % dest
-+ print ('umount -n %s' % destdir)
-+ os.rmdir(destdir)
++/**
++ * This function will drop the capabilities so that we are left
++ * only with access to the audit system and the ability to raise
++ * CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_FOWNER and CAP_CHOWN,
++ * before invoking unshare and mounting a couple of directories.
++ * These capabilities are needed for performing bind mounts/unmounts
++ * and to create potential new instance directories with appropriate
++ * DAC attributes.
++ *
++ * Returns zero on success, non-zero otherwise
++ */
++static int drop_capabilities(int all)
++{
++ capng_clear(CAPNG_SELECT_BOTH);
+
++ if (all) {
++ if ((getuid() == 0) && (capng_lock() < 0))
++ return -1;
++ } else {
++ if (capng_updatev(CAPNG_ADD, CAP_DAC_OVERRIDE|CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_ADMIN, -1) < 0)
++ return -1;
++
++ }
+
-+def reserve(mcs):
-+ sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
-+ sock.bind("\0%s" % mcs)
-+ fcntl.fcntl(sock.fileno(), fcntl.F_SETFD, fcntl.FD_CLOEXEC)
++ return capng_apply(CAPNG_SELECT_BOTH);
++}
+
-+def gen_context(type):
-+ while True:
-+ i1 = random.randrange(0,1024)
-+ i2 = random.randrange(0,1024)
-+ if i1 == i2:
-+ continue
-+ if i1 > i2:
-+ tmp = i1
-+ i1 = i2
-+ i2 = tmp
-+ mcs = "s0:c%d,c%d" % (i1, i2)
-+ reserve(mcs)
-+ try:
-+ reserve(mcs)
-+ except:
-+ continue
-+ break
-+ con = selinux.getcon()[1].split(":")
++#define DEFAULT_PATH "/usr/bin:/bin"
++#define TRUE 1
++#define FALSE 0
+
-+ execcon="%s:%s:%s:%s" % (con[0], con[1], type, mcs)
-+
-+ filecon="%s:%s:%s:%s" % (con[0], "object_r", "%s_file_t" % type[:-2], mcs)
-+ return execcon, filecon
++/**
++ * Take care of any signal setup
++ */
++static int set_signal_handles()
++{
++ sigset_t empty;
+
++ /* Empty the signal mask in case someone is blocking a signal */
++ if (sigemptyset(&empty)) {
++ fprintf(stderr, "Unable to obtain empty signal set\n");
++ return -1;
++ }
+
-+type = "sandbox_t"
-+mount_src = None
-+gopts, cmds = getopt.getopt(sys.argv[1:],"t:m:",
-+ ["type",
-+ "mount"])
-+for o, a in gopts:
-+ if o == "-t" or o == "--type":
-+ type = a
-+ if o == "-m" or o == "--mount":
-+ mount_src = a
++ (void)sigprocmask(SIG_SETMASK, &empty, NULL);
+
-+execcon, filecon = gen_context(type)
-+selinux.setexeccon(execcon)
-+
-+if mount_src != None:
-+ mount(mount_src, filecon)
-+ umount(filecon)
-+os.execvp(cmds[0], cmds)
++ /* Terminate on SIGHUP. */
++ if (signal(SIGHUP, SIG_DFL) == SIG_ERR) {
++ perror("Unable to set SIGHUP handler");
++ return -1;
++ }
++
++ return 0;
++}
++#define USAGE_STRING "USAGE: seunshare [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] "
++
++int main(int argc, char **argv) {
++ int rc;
++ int status = -1;
++
++ struct passwd *pwd=getpwuid(getuid());
++ security_context_t scontext;
++
++ int flag_index; /* flag index in argv[] */
++ int clflag; /* holds codes for command line flags */
++ char *tmpdir_s = NULL; /* tmpdir spec'd by user in argv[] */
++ char *homedir_s = NULL; /* homedir spec'd by user in argv[] */
++
++ const struct option long_options[] = {
++ {"homedir", 1, 0, 'h'},
++ {"tmpdir", 1, 0, 't'},
++ {NULL, 0, 0, 0}
++ };
++
++ if (drop_capabilities(FALSE)) {
++ perror("Failed to drop capabilities");
++ return -1;
++ }
++
++ while (1) {
++ clflag = getopt_long(argc, argv, "h:t:", long_options,
++ &flag_index);
++ if (clflag == -1)
++ break;
++
++ switch (clflag) {
++ case 't':
++ tmpdir_s = optarg;
++ break;
++ case 'h':
++ homedir_s = optarg;
++ break;
++ default:
++ fprintf(stderr, "%s\n", USAGE_STRING);
++ return -1;
++ }
++ }
++
++ if (! homedir_s && ! tmpdir_s) {
++ fprintf(stderr, "Error: tmpdir and/or homedir required \n"
++ "%s\n", USAGE_STRING);
++ return -1;
++ }
++
++ if (argc - optind < 2) {
++ fprintf(stderr, "Error: executable required \n"
++ "%s\n", USAGE_STRING);
++ return -1;
++ }
++
++ scontext = argv[optind++];
++
++ if (set_signal_handles())
++ return -1;
++
++ if (unshare(CLONE_NEWNS) < 0) {
++ perror("Failed to unshare");
++ return -1;
++ }
++
++ if (homedir_s && mount(homedir_s, pwd->pw_dir, NULL, MS_BIND, NULL) < 0) {
++ perror("Failed to mount HOMEDIR");
++ return -1;
++ }
++
++ if (tmpdir_s && mount(tmpdir_s, "/tmp", NULL, MS_BIND, NULL) < 0) {
++ perror("Failed to mount /tmp");
++ return -1;
++ }
++
++ if (drop_capabilities(TRUE)) {
++ perror("Failed to drop all capabilities");
++ return -1;
++ }
++
++ int child = fork();
++ if (!child) {
++ /* Construct a new environment */
++ char *display = strdup(getenv("DISPLAY"));
++ if (!display) {
++ perror("Out of memory");
++ exit(-1);
++ }
++ if ((rc = clearenv())) {
++ perror("Unable to clear environment");
++ exit(-1);
++ }
++
++ if (setexeccon(scontext)) {
++ fprintf(stderr, "Could not set exec context to %s.\n",
++ scontext);
++ exit(-1);
++ }
++
++ rc |= setenv("DISPLAY", display, 1);
++ rc |= setenv("HOME", pwd->pw_dir, 1);
++ rc |= setenv("SHELL", pwd->pw_shell, 1);
++ rc |= setenv("USER", pwd->pw_name, 1);
++ rc |= setenv("LOGNAME", pwd->pw_name, 1);
++ rc |= setenv("PATH", DEFAULT_PATH, 1);
++
++ chdir(pwd->pw_dir);
++ execv(argv[optind], argv + optind);
++ perror("execv");
++ exit(-1);
++ } else {
++ waitpid(child, &status, 0);
++ }
++
++ return status;
++}
+Binary files nsapolicycoreutils/sandbox/seunshare.o and policycoreutils-2.0.71/sandbox/seunshare.o differ
+diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/chcat policycoreutils-2.0.71/scripts/chcat
+--- nsapolicycoreutils/scripts/chcat 2009-06-23 15:36:07.000000000 -0400
++++ policycoreutils-2.0.71/scripts/chcat 2009-08-20 12:53:16.000000000 -0400
+@@ -435,6 +435,8 @@
+ continue
+ except ValueError, e:
+ error(e)
++ except OSError, e:
++ error(e)
+
+ sys.exit(errors)
+
+diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/scripts/Makefile policycoreutils-2.0.71/scripts/Makefile
+--- nsapolicycoreutils/scripts/Makefile 2008-08-28 09:34:24.000000000 -0400
++++ policycoreutils-2.0.71/scripts/Makefile 2009-08-26 10:04:11.000000000 -0400
+@@ -5,7 +5,7 @@
+ MANDIR ?= $(PREFIX)/share/man
+ LOCALEDIR ?= /usr/share/locale
+
+-all: fixfiles genhomedircon
++all: fixfiles genhomedircon chcat
+
+ install: all
+ -mkdir -p $(BINDIR)
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/semanage/semanage policycoreutils-2.0.71/semanage/semanage
--- nsapolicycoreutils/semanage/semanage 2009-08-19 16:35:03.000000000 -0400
+++ policycoreutils-2.0.71/semanage/semanage 2009-08-20 12:53:16.000000000 -0400
Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.629
retrieving revision 1.630
diff -u -p -r1.629 -r1.630
--- policycoreutils.spec 22 Aug 2009 12:08:36 -0000 1.629
+++ policycoreutils.spec 26 Aug 2009 18:05:34 -0000 1.630
@@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.71
-Release: 10%{?dist}
+Release: 11%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -19,6 +19,7 @@ Source5: system-config-selinux.console
Source6: selinux-polgengui.desktop
Source7: selinux-polgengui.console
Source8: policycoreutils_man_ru2.tar.bz2
+Source9: sandbox.init
Patch: policycoreutils-rhat.patch
Patch1: policycoreutils-po.patch
Patch3: policycoreutils-gui.patch
@@ -72,6 +73,8 @@ mkdir -p %{buildroot}%{_mandir}/man1
mkdir -p %{buildroot}%{_mandir}/man8
mkdir -p %{buildroot}%{_sysconfdir}/pam.d
mkdir -p %{buildroot}%{_sysconfdir}/security/console.apps
+%{__mkdir} -p %{buildroot}/%{_sysconfdir}/rc.d/init.d
+install -m0755 %{SOURCE9} %{buildroot}/%{_sysconfdir}/rc.d/init.d/sandbox
make LSPP_PRIV=y DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
make -C sepolgen-%{sepolgenver} DESTDIR="%{buildroot}" LIBDIR="%{buildroot}%{_libdir}" install
@@ -137,6 +140,22 @@ The policycoreutils-python package conta
[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen
exit 0
+%package sandbox
+Summary: SELinux sandbox utilities
+Group: System Environment/Base
+Requires: policycoreutils-python = %{version}-%{release}
+Requires: xorg-x11-server-Xephyr
+Requires: matchbox-window-manager
+
+%description sandbox
+The policycoreutils-python package contains the scripts to create graphical sandboxes
+
+%files sandbox
+%{_sysconfdir}/rc.d/init.d/sandbox
+%{_mandir}/man8/sandbox.8*
+%{_sbindir}/seunshare
+%{_datadir}/sandbox/sandboxX.sh
+
%triggerin python -- selinux-policy
[ -f /usr/share/selinux/devel/include/build.conf ] && /usr/bin/sepolgen-ifgen
exit 0
@@ -265,6 +284,9 @@ fi
exit 0
%changelog
+* Wed Aug 26 2009 Dan Walsh <dwalsh at redhat.com> 2.0.71-11
+- Add sandboxX
+
* Sat Aug 22 2009 Dan Walsh <dwalsh at redhat.com> 2.0.71-10
- Fix realpath usage to only happen on argv input from user
More information about the fedora-extras-commits
mailing list