mirror of
https://github.com/SELinuxProject/selinux
synced 2024-12-25 07:22:07 +00:00
sandbox: fix file labels on copied files
Since python 3.3, shutil.copy2() tries to preserve extended file system attributes. It means that when a user uses -i or -I, copied files have the original labels and sandboxed process can't read them. With this change, homedir and tmpdir is recursively relabeled with the expected sandbox labels after all items are in their place. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294020 Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
This commit is contained in:
parent
6fcef9a09c
commit
964bf69a65
@ -425,21 +425,20 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
|
||||
self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level)
|
||||
|
||||
def __setup_dir(self):
|
||||
selinux.setfscreatecon(self.__filecon)
|
||||
if self.__options.homedir:
|
||||
selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)
|
||||
self.__homedir = self.__options.homedir
|
||||
else:
|
||||
selinux.setfscreatecon(self.__filecon)
|
||||
self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_")
|
||||
|
||||
if self.__options.tmpdir:
|
||||
selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True)
|
||||
self.__tmpdir = self.__options.tmpdir
|
||||
else:
|
||||
selinux.setfscreatecon(self.__filecon)
|
||||
self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_")
|
||||
selinux.setfscreatecon(None)
|
||||
self.__copyfiles()
|
||||
selinux.chcon(self.__homedir, self.__filecon, recursive=True)
|
||||
selinux.chcon(self.__tmpdir, self.__filecon, recursive=True)
|
||||
selinux.setfscreatecon(None)
|
||||
|
||||
def __execute(self):
|
||||
try:
|
||||
|
@ -97,6 +97,14 @@ class SandboxTests(unittest.TestCase):
|
||||
shutil.rmtree(tmpdir)
|
||||
self.assertSuccess(p.returncode, err)
|
||||
|
||||
def test_include_file(self):
|
||||
"Verify that sandbox can copy a file in the sandbox home and use it"
|
||||
p = Popen([sys.executable, 'sandbox', '-i' ,'test_sandbox.py' , '-M', '/bin/cat', 'test_sandbox.py'],
|
||||
stdout=PIPE, stderr=PIPE)
|
||||
out, err = p.communicate()
|
||||
self.assertSuccess(p.returncode, err)
|
||||
|
||||
|
||||
if __name__ == "__main__":
|
||||
import selinux
|
||||
if selinux.security_getenforce() == 1:
|
||||
|
Loading…
Reference in New Issue
Block a user