rpms/policycoreutils/devel policycoreutils-rhat.patch, 1.444, 1.445 policycoreutils.spec, 1.644, 1.645
Daniel J Walsh
dwalsh at fedoraproject.org
Sat Sep 19 01:40:58 UTC 2009
Author: dwalsh
Update of /cvs/extras/rpms/policycoreutils/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv21487
Modified Files:
policycoreutils-rhat.patch policycoreutils.spec
Log Message:
* Fri Sep 18 2009 Dan Walsh <dwalsh at redhat.com> 2.0.74-3
- Security fixes for seunshare
- Fix Sandbox to handle non file input to command.
policycoreutils-rhat.patch:
Makefile | 2
audit2allow/audit2allow | 14
load_policy/Makefile | 2
restorecond/Makefile | 24 -
restorecond/org.selinux.Restorecond.service | 3
restorecond/restorecond.c | 422 +++---------------
restorecond/restorecond.conf | 5
restorecond/restorecond.desktop | 7
restorecond/restorecond.h | 18
restorecond/restorecond.init | 5
restorecond/restorecond_user.conf | 2
restorecond/user.c | 237 ++++++++++
restorecond/watch.c | 254 +++++++++++
sandbox/Makefile | 31 +
sandbox/sandbox | 207 +++++++++
sandbox/sandbox.8 | 26 +
sandbox/sandboxX.sh | 16
sandbox/seunshare.c | 265 +++++++++++
scripts/Makefile | 2
scripts/chcat | 2
semanage/semanage | 27 +
semanage/seobject.py | 11
semodule/semodule.8 | 8
semodule/semodule.c | 53 ++
setfiles/Makefile | 4
setfiles/restore.c | 519 ++++++++++++++++++++++
setfiles/restore.h | 49 ++
setfiles/setfiles.c | 643 +++-------------------------
28 files changed, 1905 insertions(+), 953 deletions(-)
Index: policycoreutils-rhat.patch
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils-rhat.patch,v
retrieving revision 1.444
retrieving revision 1.445
diff -u -p -r1.444 -r1.445
--- policycoreutils-rhat.patch 17 Sep 2009 19:19:53 -0000 1.444
+++ policycoreutils-rhat.patch 19 Sep 2009 01:40:53 -0000 1.445
@@ -1222,8 +1222,8 @@ diff --exclude-from=exclude --exclude=se
+relabel:
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/sandbox policycoreutils-2.0.74/sandbox/sandbox
--- nsapolicycoreutils/sandbox/sandbox 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.74/sandbox/sandbox 2009-09-17 15:05:17.000000000 -0400
-@@ -0,0 +1,202 @@
++++ policycoreutils-2.0.74/sandbox/sandbox 2009-09-18 21:38:37.000000000 -0400
+@@ -0,0 +1,207 @@
+#!/usr/bin/python -E
+import os, sys, getopt, socket, random, fcntl, shutil
+import selinux
@@ -1390,7 +1390,12 @@ diff --exclude-from=exclude --exclude=se
+ warnings.resetwarnings()
+ paths = []
+ for i in cmds:
-+ paths.append(os.path.realpath(i))
++ f = os.path.realpath(i)
++ if os.path.exists(f):
++ paths.append(f)
++ else:
++ paths.append(i)
++
+ copyfiles(newhomedir, newtmpdir, init_files + paths)
+ execfile = newhomedir + "/.sandboxrc"
+ fd = open(execfile, "w+")
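Review bot: The new `else: paths.append(i)` branch puts arguments that are known not to exist on disk into the same `paths` list that is passed to `copyfiles(newhomedir, newtmpdir, init_files + paths)` right after the loop. `copyfiles` is defined outside this hunk, so whether it skips missing entries cannot be confirmed from here. Either verify that it does, or collect only the `os.path.exists(f)` hits in a separate list (for example `files_to_copy.append(f)` in the `if` branch) and pass that to `copyfiles`, keeping `paths` for the command line alone. There is also a window between the `os.path.exists(f)` check and the copy, so the copy step should still handle a file that has since disappeared. The enclosing block starts and ends outside the hunk.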
@@ -1478,8 +1483,8 @@ diff --exclude-from=exclude --exclude=se
+done
diff --exclude-from=exclude --exclude=sepolgen-1.0.17 --exclude=gui --exclude=po -N -u -r nsapolicycoreutils/sandbox/seunshare.c policycoreutils-2.0.74/sandbox/seunshare.c
--- nsapolicycoreutils/sandbox/seunshare.c 1969-12-31 19:00:00.000000000 -0500
-+++ policycoreutils-2.0.74/sandbox/seunshare.c 2009-09-17 15:05:44.000000000 -0400
-@@ -0,0 +1,284 @@
++++ policycoreutils-2.0.74/sandbox/seunshare.c 2009-09-18 09:58:46.000000000 -0400
+@@ -0,0 +1,265 @@
+#include <signal.h>
+#include <sys/types.h>
+#include <sys/wait.h>
@@ -1506,33 +1511,19 @@ diff --exclude-from=exclude --exclude=se
+#include <unistd.h>
+
+/**
-+ * This function will drop the capabilities so that we are left
-+ * only with access to the audit system and the ability to raise
-+ * CAP_SYS_ADMIN before invoking unshare and mounting a couple of directories.
-+ * These capabilities are needed for performing bind mounts/unmounts
-+ * and to create potential new instance directories with appropriate
-+ * DAC attributes.
-+ *
++ * This function will drop all capabilities
+ * Returns zero on success, non-zero otherwise
+ */
-+static int drop_capabilities(int all, uid_t uid)
++static int drop_capabilities(uid_t uid)
+{
+ capng_clear(CAPNG_SELECT_BOTH);
+
-+ if (all) {
-+ if (capng_lock() < 0)
-+ return -1;
-+ /* Change uid */
-+ if (setresuid(uid, uid, uid)) {
-+ fprintf(stderr, "Error changing uid, aborting.\n");
-+ return -1;
-+ }
-+ } else {
-+ if (capng_updatev(CAPNG_ADD, CAPNG_EFFECTIVE|CAPNG_PERMITTED, CAP_SYS_ADMIN, CAP_DAC_OVERRIDE, CAP_SETPCAP, CAP_SETUID, -1) < 0) {
-+ fprintf(stderr, "Error running capng_updatev\n");
-+ return -1;
-+ }
-+ }
++ if (capng_lock() < 0)
++ return -1;
++ /* Change uid */
++ if (setresuid(uid, uid, uid)) {
++ fprintf(stderr, "Error changing uid, aborting.\n");
++ return -1;
+
+ return capng_apply(CAPNG_SELECT_BOTH);
+}
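Review bot: The `if (setresuid(uid, uid, uid)) {` block added to `drop_capabilities` is never closed. The old closing braces were removed along with the `if (all)`/`else` branches, and the new lines run from `return -1;` straight to the blank line before `return capng_apply(CAPNG_SELECT_BOTH);`. As written, the final `}` closes the `if` rather than the function, leaving `capng_apply` after an unconditional return and the function body open; add a `}` line directly after the `return -1;` of the setresuid check. The hunk's new-side count of 19 lines matches what is visible, so the brace does not appear to be hidden elsewhere. Separately, the header comment now says only "drop all capabilities" although the function also calls `capng_lock()` and switches the real, effective and saved uid; `* Drops all capabilities, locks the capability state, and changes the real, effective and saved uid to uid` would describe it.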
@@ -1626,7 +1617,6 @@ diff --exclude-from=exclude --exclude=se
+ {"tmpdir", 1, 0, 't'},
+ {NULL, 0, 0, 0}
+ };
-+ capng_print_caps_text(CAPNG_PRINT_STDOUT, CAPNG_EFFECTIVE);
+
+ uid_t uid = getuid();
+
@@ -1643,10 +1633,6 @@ diff --exclude-from=exclude --exclude=se
+
+ if (verify_shell(pwd->pw_shell) == 0) {
+ fprintf(stderr, "Error! Shell is not valid.\n");
-+ }
-+
-+ if (drop_capabilities(FALSE, uid)) {
-+ perror("Failed to drop capabilities");
+ return -1;
+ }
+
@@ -1710,7 +1696,7 @@ diff --exclude-from=exclude --exclude=se
+ if (tmpdir_s && verify_mount("/tmp", pwd) < 0)
+ return -1;
+
-+ if (drop_capabilities(TRUE, uid)) {
++ if (drop_capabilities(uid)) {
+ perror("Failed to drop all capabilities");
+ return -1;
+ }
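Review bot: With the earlier `drop_capabilities(FALSE, uid)` call removed from main, this call is the only privilege reduction visible in the patch. Everything between `getuid()` and this point, including the `verify_mount` checks, now runs with the process's full starting capability set rather than the four capabilities the old code retained. If that is intended, record it at the call, e.g. `/* Single drop point: all code above runs with full privileges and must stay minimal */`. Also, `perror` appends the errno text, which may be unrelated when `capng_lock` or `capng_apply` is the step that failed, and `drop_capabilities` already prints its own message for the setresuid case; `fprintf(stderr, "Failed to drop all capabilities\n");` avoids a misleading suffix. main starts and ends outside the hunk.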
Index: policycoreutils.spec
===================================================================
RCS file: /cvs/extras/rpms/policycoreutils/devel/policycoreutils.spec,v
retrieving revision 1.644
retrieving revision 1.645
diff -u -p -r1.644 -r1.645
--- policycoreutils.spec 17 Sep 2009 19:19:55 -0000 1.644
+++ policycoreutils.spec 19 Sep 2009 01:40:56 -0000 1.645
@@ -6,7 +6,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.0.74
-Release: 2%{?dist}
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Base
Source: http://www.nsa.gov/selinux/archives/policycoreutils-%{version}.tgz
@@ -297,6 +297,10 @@ fi
exit 0
%changelog
+* Fri Sep 18 2009 Dan Walsh <dwalsh at redhat.com> 2.0.74-3
+- Security fixes for seunshare
+- Fix Sandbox to handle non file input to command.
+
* Thu Sep 17 2009 Dan Walsh <dwalsh at redhat.com> 2.0.74-2
- Security fixes for seunshare