From a28023b8cc03146e45f1af8a3d570083f13027e1 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 14 2016 10:43:59 +0000
Subject: import policycoreutils-2.5-9.el7
---
diff --git a/SOURCES/policycoreutils-rhel.patch b/SOURCES/policycoreutils-rhel.patch
index e386376..461e662 100644
--- a/SOURCES/policycoreutils-rhel.patch
+++ b/SOURCES/policycoreutils-rhel.patch
@@ -1,8 +1,10 @@
 diff --git policycoreutils-2.5/ChangeLog policycoreutils-2.5/ChangeLog
-index d8fb067..636bcc7 100644
+index d8fb067..10f0cab 100644
 --- policycoreutils-2.5/ChangeLog
 +++ policycoreutils-2.5/ChangeLog
-@@ -1,3 +1,32 @@
+@@ -1,3 +1,34 @@
++ * sandbox: create a new session for sandboxed processes, from Petr Lautrbach.
++ * sandbox: do not try to setup directories without -X or -M, from Petr Lautrbach.
 + * audit2allow: tests should use local copy not system, from Jason Zaman.
 + * audit2allow: fix audit2why import from seobject, from Jason Zaman.
 + * audit2allow: remove audit2why so that it gets symlinked, from Jason Zaman.
@@ -681369,7 +681371,7 @@ index 37805bf..6e25ea3 100644
 exit(EX_IOERR);
 }
 diff --git policycoreutils-2.5/sandbox/sandbox policycoreutils-2.5/sandbox/sandbox
-index 9e0024f..66b132f 100644
+index 9e0024f..5b73629 100644
 --- policycoreutils-2.5/sandbox/sandbox
 +++ policycoreutils-2.5/sandbox/sandbox
 @@ -108,30 +108,29 @@ def copyfile(file, srcdir, dest):
@@ -681444,6 +681446,36 @@ index 9e0024f..66b132f 100644
 help=_("alternate window manager"))
 parser.add_option("-l", "--level", dest="level",
+@@ -467,10 +466,15 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
+ cmds += ["--"] + self.__paths
+ return subprocess.Popen(cmds).wait()
+
+- selinux.setexeccon(self.__execcon)
+- rc = subprocess.Popen(self.__cmds).wait()
+- selinux.setexeccon(None)
+- return rc
++ pid = os.fork()
++ if pid == 0:
++ rc = os.setsid()
++ if rc:
++ return rc
++ selinux.setexeccon(self.__execcon)
++ os.execv(self.__cmds[0], self.__cmds)
++ rc = os.waitpid(pid, 0)
++ return os.WEXITSTATUS(rc[1])
+
+ finally:
+ for i in self.__paths:
+@@ -499,7 +503,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
+ try:
+ self.__parse_options()
+ self.__gen_context()
+- self.__setup_dir()
++ if self.__mount:
++ self.__setup_dir()
+ return self.__execute()
+ except KeyboardInterrupt:
+ sys.exit(0)
 diff --git policycoreutils-2.5/sandbox/sandbox.8 policycoreutils-2.5/sandbox/sandbox.8
 index 0c8cd1e..90ef495 100644
 --- policycoreutils-2.5/sandbox/sandbox.8
diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec
index b488cab..9faa74c 100644
--- a/SPECS/policycoreutils.spec
+++ b/SPECS/policycoreutils.spec
@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.5
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: GPLv2
 Group: System Environment/Base
 # https://github.com/SELinuxProject/selinux/wiki/Releases
@@ -17,7 +17,7 @@ URL: http://www.selinuxproject.org
 Source2: policycoreutils_man_ru2.tar.bz2
 Source3: system-config-selinux.png
 Source4: sepolicy-icons.tgz
-# HEAD 95ce251a24e80e884c69771a497589323be2223c
+# HEAD b9a93db5cba0d9ea238069df45870819c187a063
 Patch0: policycoreutils-rhel.patch
 Patch1: sepolgen-rhel.patch
 Patch10: policycoreutils-preserve-timestamps-for-.py-files.patch
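Review bot: The forked child in the `@@ -467,10 +466,15 @@` hunk of `sandbox/sandbox` can fall back into the parent's code path: `os.setsid()` returns `None` and raises `OSError` on failure, so `if rc: return rc` never fires, and an exception from `os.setsid`, `selinux.setexeccon` or `os.execv` unwinds through the `finally:` cleanup visible just below and leaves a second copy of the wrapper running outside the sandbox context. The child should end in `os._exit()` on every failure path, and the dead return-code test should go, as in the sketch below. `os.execv` also does no `PATH` lookup, unlike the `subprocess.Popen` call it replaces, so unless `self.__cmds[0]` is made absolute elsewhere (not visible in this hunk) bare command names will now fail. On the parent side `os.WEXITSTATUS(rc[1])` is read without checking `os.WIFEXITED`, so a sandboxed process killed by a signal is likely reported as exit status 0. The enclosing method starts above the hunk and its `finally:` body continues below it.

```python
pid = os.fork()
if pid == 0:
    # Child: must never return or raise into the caller's finally-cleanup.
    try:
        os.setsid()  # raises OSError on failure; there is no return code to test
        selinux.setexeccon(self.__execcon)
        os.execv(self.__cmds[0], self.__cmds)
    except OSError as e:
        sys.stderr.write("%s\n" % e)
    finally:
        os._exit(127)
status = os.waitpid(pid, 0)[1]
if os.WIFEXITED(status):
    return os.WEXITSTATUS(status)
# Killed by a signal: report it instead of a misleading 0 (shell convention).
return 128 + os.WTERMSIG(status)

# … unchanged: finally: cleanup loop over self.__paths …
```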
@@ -377,6 +377,10 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
+* Wed Oct 05 2016 Petr Lautrbach 2.5-9
+- sandbox: create a new session for sandboxed processes - CVE-2016-7545
+- sandbox: do not try to setup directories without -X or -M
+
 * Fri Aug 26 2016 Petr Lautrbach 2.5-8
 - audit2allow: tests should use local copy not system
 - audit2allow: remove audit2why so that it gets symlinked