diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 4f5128ac..9f200d5f 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -425,21 +425,20 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
 self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level)
 def __setup_dir(self):
+ selinux.setfscreatecon(self.__filecon)
 if self.__options.homedir:
- selinux.chcon(self.__options.homedir, self.__filecon, recursive=True)
 self.__homedir = self.__options.homedir
 else:
- selinux.setfscreatecon(self.__filecon)
 self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_")
 if self.__options.tmpdir:
- selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True)
 self.__tmpdir = self.__options.tmpdir
 else:
- selinux.setfscreatecon(self.__filecon)
 self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_")
- selinux.setfscreatecon(None)
 self.__copyfiles()
+ selinux.chcon(self.__homedir, self.__filecon, recursive=True)
+ selinux.chcon(self.__tmpdir, self.__filecon, recursive=True)
+ selinux.setfscreatecon(None)
 def __execute(self):
 try:
diff --git a/policycoreutils/sandbox/test_sandbox.py b/policycoreutils/sandbox/test_sandbox.py
index 98c04a78..bcecf66e 100644
--- a/policycoreutils/sandbox/test_sandbox.py
+++ b/policycoreutils/sandbox/test_sandbox.py
@@ -97,6 +97,14 @@ class SandboxTests(unittest.TestCase):
 shutil.rmtree(tmpdir)
 self.assertSuccess(p.returncode, err)
+ def test_include_file(self):
+ "Verify that sandbox can copy a file in the sandbox home and use it"
+ p = Popen([sys.executable, 'sandbox', '-i' ,'test_sandbox.py' , '-M', '/bin/cat', 'test_sandbox.py'],
+ stdout=PIPE, stderr=PIPE)
+ out, err = p.communicate()
+ self.assertSuccess(p.returncode, err)
+
+
 if __name__ == "__main__":
 import selinux
 if selinux.security_getenforce() == 1:
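Review bot: `selinux.setfscreatecon(None)` is now the last statement of `__setup_dir`, so an exception from `mkdtemp`, `self.__copyfiles()` or either recursive `chcon` leaves the process fscreate context set to the `sandbox_file_t` label. Before this change the reset ran before `__copyfiles()`; the window is now wider and also covers the `-H`/`-T` branches. Wrapping everything after the first `setfscreatecon` call in `try:` and moving the reset into `finally: selinux.setfscreatecon(None)` would keep any later file creation in this process (cleanup or error paths, not visible in this hunk) from inheriting the sandbox label. A short comment above the two `chcon` calls, such as `# relabel after the copy: copied files may not carry the sandbox label`, would record why the order matters.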
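Review bot: `test_include_file` asserts only the exit status and never reads `out`, so it does not confirm that the sandboxed `/bin/cat` returned the content of the copied file. Adding `self.assertIn(b'test_include_file', out)` after the `assertSuccess` call would pin that. Whether the copy ends up with the sandbox label is checked only indirectly, and only if the suite runs in enforcing mode; the `security_getenforce()` guard below suggests it does, but its body is outside the hunk. The stray spaces before the commas in the `Popen` argument list (`'-i' ,'test_sandbox.py' ,`) should also be normalised.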