[PATCH 52/77] policycoreutils: sandbox: do not require selinux


 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


This patch looks good to me. acked.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk5Ws9wACgkQrlYvE4MpobOFAQCgjMYNMWj1gYz9hkuo07BWCnA0
svQAoLkhXQzHC3083z6BqWtaLeFs4sZP
=SdgI
-----END PGP SIGNATURE-----
>From 896f220fafcc486b8708a35cf6edbbbe9eeb9bc0 Mon Sep 17 00:00:00 2001
From: Eric Paris <eparis@xxxxxxxxxx>
Date: Mon, 15 Aug 2011 16:00:04 -0400
Subject: [PATCH 52/77] policycoreutils: sandbox: do not require selinux
 context

seunshare can be used on non-selinux systems.  It can also be used
without transition to a new context.  Thus we should not require that a
context be set.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 policycoreutils/sandbox/sandbox     |    7 +++++--
 policycoreutils/sandbox/seunshare.c |   32 ++++++++++++++++++--------------
 2 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index e2f210a..c0003f0 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -371,6 +371,7 @@ sandbox [-h] [-[X|M] [-c] [-l level ] [-H homedir] [-T tempdir]] [-I includefile
 
     def __execute(self):
            try:
+                  cmds = [ SEUNSHARE,  "-Z", self.__execcon ]
                   if self.__options.X_ind:
                          xmodmapfile = self.__homedir + "/.xmodmap"
                          xd = open(xmodmapfile,"w")
@@ -379,7 +380,8 @@ sandbox [-h] [-[X|M] [-c] [-l level ] [-H homedir] [-T tempdir]] [-I includefile
 
                          self.__setup_sandboxrc(self.__options.wm)
                          
-                         cmds = [ SEUNSHARE, "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon, SANDBOXSH, self.__options.windowsize ]
+                         cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ]
+                         cmds += [ "--", SANDBOXSH, self.__options.windowsize ]
                          rc = subprocess.Popen(cmds).wait()
                          return rc
 
@@ -387,7 +389,8 @@ sandbox [-h] [-[X|M] [-c] [-l level ] [-H homedir] [-T tempdir]] [-I includefile
                          cmds.append('-c')
 
                   if self.__mount:
-                         cmds =  [ SEUNSHARE, "-t", self.__tmpdir, "-h", self.__homedir, "--", self.__execcon ] + self.__paths
+                         cmds += [ SEUNSHARE, "-t", self.__tmpdir, "-h", self.__homedir ]
+                         cmds += [ "--", self.__execcon ] + self.__paths
                          rc = subprocess.Popen(cmds).wait()
                          return rc
 
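Review bot: The mount branch now builds an argv that names SEUNSHARE a second time and still places `self.__execcon` directly after `--`, where seunshare (per the new usage string in this patch) expects the executable, so this path would try to run the context string instead of the first of `self.__paths`. The `cmds = [ SEUNSHARE, "-Z", self.__execcon ]` added in the first hunk already carries the program and the context, so this branch should only extend it: `cmds += [ "-t", self.__tmpdir, "-h", self.__homedir ]` followed by `cmds += [ "--" ] + self.__paths`. The body of __execute continues outside this hunk.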
diff --git a/policycoreutils/sandbox/seunshare.c b/policycoreutils/sandbox/seunshare.c
index dad7a1c..9482ecc 100644
--- a/policycoreutils/sandbox/seunshare.c
+++ b/policycoreutils/sandbox/seunshare.c
@@ -43,7 +43,7 @@
 
 #define BUF_SIZE 1024
 #define DEFAULT_PATH "/usr/bin:/bin"
-#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] [ -t tmpdir ] [ -h homedir ] -- CONTEXT executable [args] ")
+#define USAGE_STRING _("USAGE: seunshare [ -v ] [ -c ] [ -t tmpdir ] [ -h homedir ] [ -Z CONTEXT ] -- executable [args] ")
 
 static int verbose = 0;
 
@@ -370,7 +370,7 @@ int main(int argc, char **argv) {
 	int rc;
 	int status = -1;
 
-	security_context_t scontext;
+	security_context_t scontext = NULL;
 
 	int flag_index;		/* flag index in argv[] */
 	int clflag;		/* holds codes for command line flags */
@@ -383,6 +383,7 @@ int main(int argc, char **argv) {
 		{"tmpdir", 1, 0, 't'},
 		{"verbose", 1, 0, 'v'},
 		{"cgroups", 1, 0, 'c'},
+		{"context", 1, 0, 'Z'},
 		{NULL, 0, 0, 0}
 	};
 
@@ -405,7 +406,7 @@ int main(int argc, char **argv) {
 	}
 
 	while (1) {
-		clflag = getopt_long(argc, argv, "h:t:", long_options,
+		clflag = getopt_long(argc, argv, "cvh:t:Z:", long_options,
 				     &flag_index);
 		if (clflag == -1)
 			break;
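Review bot: The new short option string makes `-c` and `-v` argument-less, but the long_options table in the preceding hunk still declares `{"verbose", 1, 0, 'v'}` and `{"cgroups", 1, 0, 'c'}` with has_arg set, so `--verbose` and `--cgroups` keep demanding an argument while their short forms do not; only the new `{"context", 1, 0, 'Z'}` entry agrees with its `Z:` counterpart. Those two entries predate the patch, but since the optstring is being rewritten here it would be consistent to change them to `{"verbose", 0, 0, 'v'}` and `{"cgroups", 0, 0, 'c'}`. main() starts and ends outside this hunk.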
@@ -432,6 +433,9 @@ int main(int argc, char **argv) {
 		case 'c':
 			usecgroups = 1;
 			break;
+		case 'Z':
+			scontext = strdup(optarg);
+			break;
 		default:
 			fprintf(stderr, "%s\n", USAGE_STRING);
 			return -1;
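Review bot: `scontext = strdup(optarg)` in the new `case 'Z'` is never checked for NULL, and a repeated `-Z` overwrites the previous copy without freeing it. Because a NULL scontext is later read as "no context requested" (the `if (scontext)` guard added further down), an allocation failure would silently run the executable without the requested transition instead of failing; the case should read `free(scontext); scontext = strdup(optarg); if (!scontext) { perror("strdup"); return -1; }`. main() starts and ends outside this hunk.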
@@ -444,14 +448,11 @@ int main(int argc, char **argv) {
 		return -1;
 	}
 
-	if (argc - optind < 2) {
-		fprintf(stderr, _("Error: context and executable required \n"),
-			"%s\n", USAGE_STRING);
+	if (argc - optind < 1) {
+		fprintf(stderr, _("Error: executable required \n %s \n"), USAGE_STRING);
 		return -1;
 	}
 
-	scontext = argv[optind++];
-	
 	if (set_signal_handles())
 		return -1;
 
@@ -504,12 +505,14 @@ int main(int argc, char **argv) {
 			free(display);
 			exit(-1);
 		}
-		
-		if (setexeccon(scontext)) {
-			fprintf(stderr, _("Could not set exec context to %s.\n"),
-				scontext);
-			free(display);
-			exit(-1);
+
+		if (scontext) {
+			if (setexeccon(scontext)) {
+				fprintf(stderr, _("Could not set exec context to %s.\n"),
+					scontext);
+				free(display);
+				exit(-1);
+			}
 		}
 
 		if (display) 
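Review bot: The nested `if (scontext) { if (setexeccon(scontext)) { … } }` can be flattened to `if (scontext && setexeccon(scontext)) {` with the inner body unchanged, which reduces the churn against the previous version to a single line and reads as the guard it is. A short comment above it would also record the intent given in the commit message, e.g. `/* no -Z: run in the caller's context; this is what lets seunshare work without SELinux */`. The enclosing main() continues outside this hunk.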
@@ -535,6 +538,7 @@ int main(int argc, char **argv) {
 
 	free(tmpdir_s);
 	free(homedir_s);
+	free(scontext);
 
 	return status;
 }
-- 
1.7.6

