sandbox: fix file labels on copied files

Since python 3.3, shutil.copy2() tries to preserve extended file
system attributes. It means that when a user uses -i or -I, copied files
have the original labels and sandboxed process can't read them.

With this change, homedir and tmpdir are recursively relabeled with the
expected sandbox labels after all items are in their place.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294020

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Petr Lautrbach 2016-09-15 16:39:29 +02:00 committed by Stephen Smalley
parent 6fcef9a09c
commit 964bf69a65
2 changed files with 12 additions and 5 deletions


@ -425,21 +425,20 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level)
def __setup_dir(self):
selinux.setfscreatecon(self.__filecon)
if self.__options.homedir:
selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)
self.__homedir = self.__options.homedir
else:
selinux.setfscreatecon(self.__filecon)
self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_")
if self.__options.tmpdir:
selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True)
self.__tmpdir = self.__options.tmpdir
else:
selinux.setfscreatecon(self.__filecon)
self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_")
selinux.setfscreatecon(None)
self.__copyfiles()
selinux.chcon(self.__homedir, self.__filecon, recursive=True)
selinux.chcon(self.__tmpdir, self.__filecon, recursive=True)
selinux.setfscreatecon(None)
def __execute(self):
try:
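Review bot: The closing `selinux.setfscreatecon(None)` in `__setup_dir` is skipped when `self.__copyfiles()` or either recursive `selinux.chcon(...)` raises, for example on a file whose label cannot be changed. The process then keeps the sandbox file-creation context, and the copied files keep whatever labels `shutil.copy2()` preserved. Putting the copy and the two relabel calls under `try:` with `finally: selinux.setfscreatecon(None)` makes the reset unconditional. A one-line comment above the relabel, such as `# relabel last: copy2() preserves the source security.selinux xattr`, would record why the order matters. The page has lost its +/- markers, so which of the other `setfscreatecon` lines are on the new side is inferred from the commit message, not read from the hunk.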


@ -97,6 +97,14 @@ class SandboxTests(unittest.TestCase):
shutil.rmtree(tmpdir)
self.assertSuccess(p.returncode, err)
def test_include_file(self):
"Verify that sandbox can copy a file in the sandbox home and use it"
p = Popen([sys.executable, 'sandbox', '-i' ,'test_sandbox.py' , '-M', '/bin/cat', 'test_sandbox.py'],
stdout=PIPE, stderr=PIPE)
out, err = p.communicate()
self.assertSuccess(p.returncode, err)
if __name__ == "__main__":
import selinux
if selinux.security_getenforce() == 1:
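Review bot: `test_include_file` captures `out` but asserts only the exit status, so it does not confirm that the sandboxed `/bin/cat` read the copied file's contents. Assuming sandbox writes nothing else to stdout, a check such as `with open('test_sandbox.py', 'rb') as f: self.assertEqual(out, f.read())` would pin that the copy in the sandbox home is readable and intact. The argument list also has stray spaces before its commas (`'-i' ,'test_sandbox.py' ,`). The `if __name__ == "__main__":` block continues outside the hunk.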