On 09/15/2016 10:39 AM, Petr Lautrbach wrote:
> Since python 3.3, shutil.copy2() tries to preserve extended file
> system attributes. It means that when a user uses -i or -I, copied files
> have the original labels and sandboxed process can't read them.
>
> With this change, homedir and tmpdir is recursively relabeled with the
> expected sandbox labels after all items are in their place.
>
> Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294020
>
> Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
Thanks, applied.
> ---
> policycoreutils/sandbox/sandbox | 9 ++++-----
> policycoreutils/sandbox/test_sandbox.py | 8 ++++++++
> 2 files changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
> index 4f5128a..9f200d5 100644
> --- a/policycoreutils/sandbox/sandbox
> +++ b/policycoreutils/sandbox/sandbox
> @@ -425,21 +425,20 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
> self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level)
>
> def __setup_dir(self):
> + selinux.setfscreatecon(self.__filecon)
> if self.__options.homedir:
> - selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)
> self.__homedir = self.__options.homedir
> else:
> - selinux.setfscreatecon(self.__filecon)
> self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_")
>
> if self.__options.tmpdir:
> - selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True)
> self.__tmpdir = self.__options.tmpdir
> else:
> - selinux.setfscreatecon(self.__filecon)
> self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_")
> - selinux.setfscreatecon(None)
> self.__copyfiles()
> + selinux.chcon(self.__homedir, self.__filecon, recursive=True)
> + selinux.chcon(self.__tmpdir, self.__filecon, recursive=True)
> + selinux.setfscreatecon(None)
>
> def __execute(self):
> try:
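Review bot: `selinux.setfscreatecon(self.__filecon)` is now armed at the top of `__setup_dir`, but the matching `selinux.setfscreatecon(None)` only runs on the success path after the two `chcon` calls, so an exception from `mkdtemp` or `self.__copyfiles()` leaves the process-wide fscreate context set to the sandbox_file_t label for every file the rest of the program or its error path creates afterwards (the removed code had the same gap, but narrower, since it reset the context before copying). Wrapping the body in try/finally restores the default context however setup exits and keeps the relabel calls exactly where this patch moves them. The recursive `chcon` on a caller-supplied `-H`/`-T` directory relabels everything beneath it, as the removed lines already did; whether the Python `selinux.chcon(..., recursive=True)` binding follows symlinks inside that tree is not visible here and is worth confirming before treating the relabel as a sandbox boundary.
```python
def __setup_dir(self):
    selinux.setfscreatecon(self.__filecon)
    try:
        # … unchanged: homedir / tmpdir selection and mkdtemp calls …
        self.__copyfiles()
        selinux.chcon(self.__homedir, self.__filecon, recursive=True)
        selinux.chcon(self.__tmpdir, self.__filecon, recursive=True)
    finally:
        # Always drop the fscreate context, even when setup fails part-way.
        selinux.setfscreatecon(None)
```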
> diff --git a/policycoreutils/sandbox/test_sandbox.py b/policycoreutils/sandbox/test_sandbox.py
> index 98c04a7..bcecf66 100644
> --- a/policycoreutils/sandbox/test_sandbox.py
> +++ b/policycoreutils/sandbox/test_sandbox.py
> @@ -97,6 +97,14 @@ class SandboxTests(unittest.TestCase):
> shutil.rmtree(tmpdir)
> self.assertSuccess(p.returncode, err)
>
> + def test_include_file(self):
> + "Verify that sandbox can copy a file in the sandbox home and use it"
> + p = Popen([sys.executable, 'sandbox', '-i' ,'test_sandbox.py' , '-M', '/bin/cat', 'test_sandbox.py'],
> + stdout=PIPE, stderr=PIPE)
> + out, err = p.communicate()
> + self.assertSuccess(p.returncode, err)
> +
> +
> if __name__ == "__main__":
> import selinux
> if selinux.security_getenforce() == 1:
> _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
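Review bot: `test_include_file` captures `out` and then discards it, so the test only establishes that `/bin/cat` exited 0 inside the sandbox, not that the copied `test_sandbox.py` carried the relabeled context and was actually read back, which is the regression the fix targets. Comparing the captured stdout with the file on disk pins that behaviour, e.g. after the `assertSuccess` call add `with open('test_sandbox.py', 'rb') as f: self.assertEqual(out, f.read())`. The test also relies on the working directory being the sandbox source directory and on `/bin/cat` existing on the host, which presumably matches the neighbouring tests but is worth noting in the docstring since the class header is outside this hunk.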