diff --git a/policycoreutils-rhat.patch b/policycoreutils-rhat.patch index 6955be6..e49a441 100644 --- a/policycoreutils-rhat.patch +++ b/policycoreutils-rhat.patch @@ -2125,7 +2125,7 @@ index 0000000..e7b8991 +and +.I Thomas Liu diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c -index ec692e7..d8171d8 100644 +index ec692e7..49dad71 100644 --- a/policycoreutils/sandbox/seunshare.c +++ b/policycoreutils/sandbox/seunshare.c @@ -1,28 +1,35 @@ @@ -2256,14 +2256,10 @@ index ec692e7..d8171d8 100644 + retval = -1; \ + } while(0) + - /** -- * This function makes sure the mounted directory is owned by the user executing -- * seunshare. -- * If so, it returns 0. If it can not figure this out or they are different, it returns -1. ++/** + * Spawn external command using system() with dropped privileges. + * TODO: avoid system() and use exec*() instead - */ --static int verify_mount(const char *mntdir, struct passwd *pwd) { ++ */ +static int spawn_command(const char *cmd, uid_t uid){ + int child; + int status = -1; @@ -2323,11 +2319,15 @@ index ec692e7..d8171d8 100644 + (one)->st_uid == (two)->st_uid && (one)->st_gid == (two)->st_gid && \ + (one)->st_mode == (two)->st_mode) + -+/** + /** +- * This function makes sure the mounted directory is owned by the user executing +- * seunshare. +- * If so, it returns 0. If it can not figure this out or they are different, it returns -1. + * Sanity check specified directory. Store stat info for future comparison, or + * compare with previously saved info to detect replaced directories. + * Note: This function does not perform owner checks. -+ */ + */ +-static int verify_mount(const char *mntdir, struct passwd *pwd) { +static int verify_directory(const char *dir, struct stat *st_in, struct stat *st_out) { struct stat sb; - if (stat(mntdir, &sb) == -1) { @@ -2364,7 +2364,7 @@ index ec692e7..d8171d8 100644 break; } } -@@ -131,45 +236,520 @@ static int verify_shell(const char *shell_name) +@@ -131,45 +236,525 @@ static int verify_shell(const char *shell_name) return rc; } @@ -2797,10 +2797,6 @@ index ec692e7..d8171d8 100644 + goto err; + } + -+ if (rsynccmd(src, tmpdir, &cmdbuf) < 0) { -+ goto err; -+ } -+ + /* ok to not reach this if there is an error */ + setfsuid(0); + } @@ -2853,6 +2849,15 @@ index ec692e7..d8171d8 100644 + } + } + ++ setfsuid(pwd->pw_uid); ++ ++ if (rsynccmd(src, tmpdir, &cmdbuf) < 0) { ++ goto err; ++ } ++ ++ /* ok to not reach this if there is an error */ ++ setfsuid(0); ++ + if (cmdbuf && spawn_command(cmdbuf, pwd->pw_uid) != 0) { + fprintf(stderr, _("Failed to populate runtime temporary directory\n")); + cleanup_tmpdir(tmpdir, src, pwd, 0); @@ -2899,7 +2904,7 @@ index ec692e7..d8171d8 100644 {NULL, 0, 0, 0} }; -@@ -180,6 +760,12 @@ int main(int argc, char **argv) { +@@ -180,6 +765,12 @@ int main(int argc, char **argv) { return -1; } @@ -2912,7 +2917,7 @@ index ec692e7..d8171d8 100644 struct passwd *pwd=getpwuid(uid); if (!pwd) { perror(_("getpwduid failed")); -@@ -187,34 +773,30 @@ int main(int argc, char **argv) { +@@ -187,34 +778,30 @@ int main(int argc, char **argv) { } if (verify_shell(pwd->pw_shell) < 0) { @@ -2958,7 +2963,7 @@ index ec692e7..d8171d8 100644 break; default: fprintf(stderr, "%s\n", USAGE_STRING); -@@ -223,76 +805,84 @@ int main(int argc, char **argv) { +@@ -223,76 +810,84 @@ int main(int argc, char **argv) { } if (! homedir_s && ! tmpdir_s) { @@ -3092,7 +3097,7 @@ index ec692e7..d8171d8 100644 if (display) rc |= setenv("DISPLAY", display, 1); rc |= setenv("HOME", pwd->pw_dir, 1); -@@ -300,22 +890,41 @@ int main(int argc, char **argv) { +@@ -300,22 +895,41 @@ int main(int argc, char **argv) { rc |= setenv("USER", pwd->pw_name, 1); rc |= setenv("LOGNAME", pwd->pw_name, 1); rc |= setenv("PATH", DEFAULT_PATH, 1); diff --git a/policycoreutils.spec b/policycoreutils.spec index c73a2cd..eb45bd1 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -7,7 +7,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.0.85 -Release: 27%{?dist} +Release: 28%{?dist} License: GPLv2 Group: System Environment/Base # Based on git repository with tag 20101221 @@ -318,6 +318,9 @@ fi exit 0 %changelog +* Tue Mar 29 2011 Dan Walsh 2.0.85-28 +- rsynccmd should run outside of execcon + * Thu Mar 24 2011 Dan Walsh 2.0.85-27 - Fix semange node handling of ipv6 addresses