From patchwork Thu Sep 15 14:39:29 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Petr Lautrbach X-Patchwork-Id: 9333827 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 455306077A for ; Thu, 15 Sep 2016 14:42:38 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 38126298C1 for ; Thu, 15 Sep 2016 14:42:38 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 2A15A298C5; Thu, 15 Sep 2016 14:42:38 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=2.0 tests=BAYES_00 autolearn=ham version=3.3.1 Received: from emsm-gh1-uea10.nsa.gov (smtp.nsa.gov [8.44.101.8]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C76D5298C1 for ; Thu, 15 Sep 2016 14:42:35 +0000 (UTC) X-IronPort-AV: E=Sophos;i="5.30,339,1470700800"; d="scan'208";a="17619056" IronPort-PHdr: =?us-ascii?q?9a23=3A1pMrVxIXKk3l1hsjodmcpTZWNBhigK39O0sv0rFi?= =?us-ascii?q?tYgULfjxwZ3uMQTl6Ol3ixeRBMOAuqsC1Led7PyoGTRZp83Q6DZaKN0EfiRGoP?= =?us-ascii?q?1epxYnDs+BBB+zB9/RRAt+Iv5/UkR49WqwK0lfFZW2TVTTpnqv8WxaQU2nZkJL?= =?us-ascii?q?L+j4UrTfk96wn7jrvcaCOkMX2XHiPfsydEzw9lSJ8JFOwMNLEeUY8lPxuHxGeu?= =?us-ascii?q?BblytDBGm4uFLC3Pq254Np6C9KuvgspIZqWKT+eLkkH/QDVGx1e10v4IXXkTWL?= =?us-ascii?q?DU7WvjpPGlkRxwFFBwnD8QHSQob6siy8sPF0niadI57YV7cxDAyv870jbBb1lD?= =?us-ascii?q?0NPjU5uDXPjsVtkLhRqTq7qhB/ypKSa4aQYqktNpjBdM8XEDISFv1aUDZMV8bl?= =?us-ascii?q?N4Y=3D?= X-IPAS-Result: =?us-ascii?q?A2FbCADZstpX/wHyM5BcHAEBBAEBCgEBGAEFAQsBgw8BAQE?= =?us-ascii?q?BAR5XfLpVIguBcIVnTAEBAQEBAQEBAgECWyeCMgQDEwUFORArKgINIj0CBAECN?= =?us-ascii?q?xQgDgMJAQEXKQgIAwEtFREOCwUYBIgpDsFpCwEBASOGMYhhEQFohHMdBZlohiW?= =?us-ascii?q?JNAKBbIgMDIVfkFlUhGluAYRheIEnAQEB?= Received: from unknown (HELO tarius.tycho.ncsc.mil) ([144.51.242.1]) by emsm-gh1-uea10.nsa.gov with ESMTP; 15 Sep 2016 14:42:20 +0000 Received: from prometheus.infosec.tycho.ncsc.mil (prometheus [192.168.25.40]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u8FEgJo3022581; Thu, 15 Sep 2016 10:42:20 -0400 Received: from tarius.tycho.ncsc.mil (tarius.infosec.tycho.ncsc.mil [144.51.242.1]) by prometheus.infosec.tycho.ncsc.mil (8.15.2/8.15.2) with ESMTP id u8FEeI6x251126 for ; Thu, 15 Sep 2016 10:40:18 -0400 Received: from goalie.tycho.ncsc.mil (goalie [144.51.242.250]) by tarius.tycho.ncsc.mil (8.14.4/8.14.4) with ESMTP id u8FEeCDr022342 for ; Thu, 15 Sep 2016 10:40:17 -0400 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: A1DOAAD1sdpXhxy3hNFcHAYMgzwBAQEBAXV8pROROYQSJIV6AoFbTAECAQEBAQECEwEBAQoLCQkZhRECAQN5EFFXGYhKDsFoAQEBAQYCJYYxiVuEcx0FmWiGJYk0AoFsiBiFX5BZg2KBWzo0AYcAAQEB X-IPAS-Result: A1DOAAD1sdpXhxy3hNFcHAYMgzwBAQEBAXV8pROROYQSJIV6AoFbTAECAQEBAQECEwEBAQoLCQkZhRECAQN5EFFXGYhKDsFoAQEBAQYCJYYxiVuEcx0FmWiGJYk0AoFsiBiFX5BZg2KBWzo0AYcAAQEB X-IronPort-AV: E=Sophos;i="5.30,339,1470715200"; d="scan'208";a="5707731" Received: from emsm-gh1-uea11.corp.nsa.gov (HELO emsm-gh1-uea11.nsa.gov) ([10.208.41.37]) by goalie.tycho.ncsc.mil with ESMTP; 15 Sep 2016 10:40:17 -0400 IronPort-PHdr: =?us-ascii?q?9a23=3Ajf7G8B+/v3g4Mv9uRHKM819IXTAuvvDOBiVQ1KB9?= =?us-ascii?q?1uMcTK2v8tzYMVDF4r011RmSDNydtK8P1LWe8/i5HzdRudDZ6DFKWacPfidNsd?= =?us-ascii?q?8RkQ0kDZzNImzAB9muURYHGt9fXkRu5XCxPBsdMs//Y1rPvi/6tmZKSV3BPAZ4?= =?us-ascii?q?bt74BpTVx5zukbvjotuMPk4X23L9Oeo0d0Tu612J94E/ushLEu4J0BzHo39FKa?= =?us-ascii?q?x95FhDAhatpSv6/dq655V58i5d6LoL/s9EVrjmLexjFeQLRGduD2dg/8DvtB/e?= =?us-ascii?q?XSOT93AcVSMQiRMODA/bvz/gWZKkiibmrKJZ0TSGJ8f/RrB8DSym5rp3UhXhoD?= =?us-ascii?q?0KOz4w7Cfcjckm3/ETmw6ouxEqm92cW4qSLvcrJq4=3D?= X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0FYAQD1sdpXhxy3hNFcHAYMGgEFAQsBg?= =?us-ascii?q?w8BAQEBAXV8pROROYQSJIFwhAoCgVtMAQEBAQEBAQECAQIQAQEBCgsJCRkvgjI?= =?us-ascii?q?YDDkQKyoCDSI9AgEDeRBRVxmISg7BaAEBAQEGAgEkhjGJW4RzHQWZaIYliTQCg?= =?us-ascii?q?WyIGIVfkFmDYoFbOjQBhwABAQE?= X-IPAS-Result: =?us-ascii?q?A0FYAQD1sdpXhxy3hNFcHAYMGgEFAQsBgw8BAQEBAXV8pRO?= =?us-ascii?q?ROYQSJIFwhAoCgVtMAQEBAQEBAQECAQIQAQEBCgsJCRkvgjIYDDkQKyoCDSI9A?= =?us-ascii?q?gEDeRBRVxmISg7BaAEBAQEGAgEkhjGJW4RzHQWZaIYliTQCgWyIGIVfkFmDYoF?= =?us-ascii?q?bOjQBhwABAQE?= X-IronPort-AV: E=Sophos;i="5.30,339,1470700800"; d="scan'208";a="19274612" Received: from mx1.redhat.com ([209.132.183.28]) by emsm-gh1-uea11.nsa.gov with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 15 Sep 2016 14:40:00 +0000 Received: from int-mx13.intmail.prod.int.phx2.redhat.com (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id 24BE97F0A7 for ; Thu, 15 Sep 2016 14:39:59 +0000 (UTC) Received: from rhel-at-redhat.localdomain.com ([10.40.2.167]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id u8FEdmJL003247; Thu, 15 Sep 2016 10:39:58 -0400 From: Petr Lautrbach To: selinux@tycho.nsa.gov Subject: [PATCH 3/3] sandbox: fix file labels on copied files Date: Thu, 15 Sep 2016 16:39:29 +0200 Message-Id: <1473950369-2547-3-git-send-email-plautrba@redhat.com> In-Reply-To: <1473950369-2547-1-git-send-email-plautrba@redhat.com> References: <1473950369-2547-1-git-send-email-plautrba@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.26]); Thu, 15 Sep 2016 14:39:59 +0000 (UTC) X-BeenThere: selinux@tycho.nsa.gov X-Mailman-Version: 2.1.20 Precedence: list List-Id: "Security-Enhanced Linux \(SELinux\) mailing list" List-Post: List-Help: MIME-Version: 1.0 Errors-To: selinux-bounces@tycho.nsa.gov Sender: "Selinux" X-Virus-Scanned: ClamAV using ClamSMTP Since python 3.3, shutil.copy2() tries to preserve extended file system attributes. It means that when a user uses -i or -I, copied files have the original labels and sandboxed process can't read them. With this change, homedir and tmpdir is recursively relabeled with the expected sandbox labels after all items are in their place. Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1294020 Signed-off-by: Petr Lautrbach --- policycoreutils/sandbox/sandbox | 9 ++++----- policycoreutils/sandbox/test_sandbox.py | 8 ++++++++ 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox index 4f5128a..9f200d5 100644 --- a/policycoreutils/sandbox/sandbox +++ b/policycoreutils/sandbox/sandbox @@ -425,21 +425,20 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [- self.__filecon = "%s:object_r:sandbox_file_t:%s" % (con[0], level) def __setup_dir(self): + selinux.setfscreatecon(self.__filecon) if self.__options.homedir: - selinux.chcon(self.__options.homedir, self.__filecon, recursive=True) self.__homedir = self.__options.homedir else: - selinux.setfscreatecon(self.__filecon) self.__homedir = mkdtemp(dir="/tmp", prefix=".sandbox_home_") if self.__options.tmpdir: - selinux.chcon(self.__options.tmpdir, self.__filecon, recursive=True) self.__tmpdir = self.__options.tmpdir else: - selinux.setfscreatecon(self.__filecon) self.__tmpdir = mkdtemp(dir="/tmp", prefix=".sandbox_tmp_") - selinux.setfscreatecon(None) self.__copyfiles() + selinux.chcon(self.__homedir, self.__filecon, recursive=True) + selinux.chcon(self.__tmpdir, self.__filecon, recursive=True) + selinux.setfscreatecon(None) def __execute(self): try: diff --git a/policycoreutils/sandbox/test_sandbox.py b/policycoreutils/sandbox/test_sandbox.py index 98c04a7..bcecf66 100644 --- a/policycoreutils/sandbox/test_sandbox.py +++ b/policycoreutils/sandbox/test_sandbox.py @@ -97,6 +97,14 @@ class SandboxTests(unittest.TestCase): shutil.rmtree(tmpdir) self.assertSuccess(p.returncode, err) + def test_include_file(self): + "Verify that sandbox can copy a file in the sandbox home and use it" + p = Popen([sys.executable, 'sandbox', '-i' ,'test_sandbox.py' , '-M', '/bin/cat', 'test_sandbox.py'], + stdout=PIPE, stderr=PIPE) + out, err = p.communicate() + self.assertSuccess(p.returncode, err) + + if __name__ == "__main__": import selinux if selinux.security_getenforce() == 1: