Hello community,
here is the log from the commit of package policycoreutils for openSUSE:Factory
checked in at 2026-06-11 17:25:50
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/policycoreutils (Old)
and /work/SRC/openSUSE:Factory/.policycoreutils.new.1981 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "policycoreutils"
Thu Jun 11 17:25:50 2026 rev:90 rq:1358543 version:3.10
Changes:
--------
--- /work/SRC/openSUSE:Factory/policycoreutils/policycoreutils.changes
2026-03-08 17:26:54.094847215 +0100
+++
/work/SRC/openSUSE:Factory/.policycoreutils.new.1981/policycoreutils.changes
2026-06-11 17:26:20.003744573 +0200
@@ -1,0 +2,8 @@
+Mon Jun 8 09:17:14 UTC 2026 - Robert Frohl <[email protected]>
+
+- Reintroduce sandbox package (bsc#1266226) and a couple quality of life
+ improvements:
+ add policycoreutils-sandbox-fix-cleanup.patch
+ add sandbox-sandbox-fix-saving-file-changes.patch
+
+-------------------------------------------------------------------
New:
----
SANDBOX-README.md
policycoreutils-sandbox-fix-cleanup.patch
sandbox-sandbox-fix-saving-file-changes.patch
selinux-sandbox-3.10.tar.gz
selinux-sandbox-3.10.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ policycoreutils.spec ++++++
--- /var/tmp/diff_new_pack.z1WGw0/_old 2026-06-11 17:26:21.255797078 +0200
+++ /var/tmp/diff_new_pack.z1WGw0/_new 2026-06-11 17:26:21.255797078 +0200
@@ -53,13 +53,18 @@
Source15:
https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-gui-%{version}.tar.gz.asc
Source16:
https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-dbus-%{version}.tar.gz
Source17:
https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-dbus-%{version}.tar.gz.asc
-Source18: policycoreutils-rpmlintrc
-Source19: sepolgen.conf
+Source18:
https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-sandbox-%{version}.tar.gz
+Source19:
https://github.com/SELinuxProject/selinux/releases/download/%{version}/selinux-sandbox-%{version}.tar.gz.asc
+Source20: policycoreutils-rpmlintrc
+Source21: sepolgen.conf
+Source22: SANDBOX-README.md
Patch0: make_targets.patch
Patch2: get_os_version.patch
Patch3: run_init.pamd.patch
Patch4: usr_etc.patch
Patch5: sepolicy-build-isolation.patch
+Patch6: policycoreutils-sandbox-fix-cleanup.patch
+Patch7: sandbox-sandbox-fix-saving-file-changes.patch
BuildRequires: audit-devel >= %{libaudit_ver}
BuildRequires: bison
BuildRequires: dbus-1-glib-devel
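Review bot: Inserting the sandbox tarball and its signature as Source18/Source19 renumbers policycoreutils-rpmlintrc and sepolgen.conf to Source20/Source21, so every %{SOURCEn} reference elsewhere in the spec has to change in step. Appending the three new sources at the end of the list (Source20 to Source22) would leave the existing numbers stable and shrink the diff. Separately, Patch6 and Patch7 use different naming schemes (policycoreutils-sandbox-... versus sandbox-sandbox-...); a single prefix would be easier to scan.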
@@ -203,8 +208,18 @@
The policycoreutils-dbus package contains the management DBUS API use to manage
an SELinux environment.
+%package sandbox
+Summary: SELinux sandbox utilities
+Group: Productivity/Security
+Requires: %{python_for_executables}-%{name} = %{version}
+Requires: (xwayland or xorg-x11-server-extra)
+Requires: selinux-policy-sandbox
+
+%description sandbox
+The sandbox package contains the scripts to create graphical sandboxes.
+
%prep
-%setup -q -a3 -a5 -a14 -a16
+%setup -q -a3 -a5 -a14 -a16 -a18
setools_python_pwd="$PWD/selinux-python-%{version}"
semodule_utils_pwd="$PWD/semodule-utils-%{version}"
%patch -P0 -p1
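Review bot: The %description sandbox text says the package contains "the scripts to create graphical sandboxes", yet the hard Requires on (xwayland or xorg-x11-server-extra) applies to every install, including use without -X such as the `sandbox -M -H ... -T ...` call quoted in the Patch7 commit message. Consider whether the X server dependency can be a Recommends, and extend the description to cover the non-graphical sandbox command and seunshare that the %files sandbox list ships.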
@@ -214,6 +229,8 @@
mv ${setools_python_pwd}/audit2allow ${setools_python_pwd}/chcat
${setools_python_pwd}/semanage ${setools_python_pwd}/sepolgen
${setools_python_pwd}/sepolicy .
mv ${semodule_utils_pwd}/semodule_expand ${semodule_utils_pwd}/semodule_link
${semodule_utils_pwd}/semodule_package .
%patch -P5 -p1
+%patch -P6 -p1
+%patch -P7 -p2
%build
export PYTHON="%{python_binary_for_executables}" LIBDIR="%{_libdir}"
CFLAGS="%{optflags} -fPIE" LDFLAGS="-pie -Wl,-z,relro"
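Review bot: Patch6 is applied with -p1 and Patch7 with -p2, with no comment explaining the difference. It follows from the patch headers: Patch6 uses policycoreutils-3.10/selinux-sandbox-3.10/sandbox, while Patch7 uses a/policycoreutils-3.10/selinux-sandbox-3.10/sandbox under a `diff --git a/sandbox/sandbox b/sandbox/sandbox` line that names a different path. Regenerating both patches relative to the same directory would let them share one strip level and would remove the hard-coded 3.10 from the paths, which will otherwise need editing on the next version bump.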
@@ -259,6 +276,11 @@
mkdir -p %{buildroot}%{_datadir}/dbus-1/system.d
mv %{buildroot}%{_sysconfdir}/dbus-1/system.d/org.selinux.conf
%{buildroot}%{_datadir}/dbus-1/system.d/org.selinux.conf
+# Sandbox
+(cd selinux-sandbox-%{version} && make DESTDIR=%{buildroot}
SYSCONFDIR=%{_fillupdir} install)
+mv %{buildroot}%{_fillupdir}/sandbox
%{buildroot}%{_fillupdir}/sysconfig.sandbox
+cp -a %{SOURCE22} .
+
# GUI apps
(cd selinux-gui-%{version} && make DESTDIR=%{buildroot} install)
%if 0%{?suse_version} > 1500
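Review bot: The `cp -a %{SOURCE22} .` line in the Sandbox block copies the README into the build directory during %install, although it only exists to satisfy the later `%doc SANDBOX-README.md`. Source preparation of this kind belongs in %prep, next to the %setup line, so that %install only writes below %{buildroot}. The `mv` of %{_fillupdir}/sandbox to sysconfig.sandbox would also benefit from a one-line comment stating that SYSCONFDIR is redirected to %{_fillupdir} so that fillup can manage the file.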
@@ -283,7 +305,7 @@
(cd selinux-python-%{version}/po && make DESTDIR=%{buildroot} install)
cp -a %{buildroot}%{_localstatedir}/lib/sepolgen
%{buildroot}%{_datadir}/sepolgen
-install -m 644 %{SOURCE19} %{buildroot}%{_tmpfilesdir}
+install -m 644 %{SOURCE21} %{buildroot}%{_tmpfilesdir}
%find_lang %{name}
%find_lang selinux-python
%find_lang selinux-gui
@@ -331,6 +353,9 @@
%verifyscript newrole
%verify_permissions -e %{_bindir}/newrole
+%post sandbox
+%{fillup_only -n sandbox}
+
%files
%{_bindir}/semodule_expand
%{_bindir}/semodule_link
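Review bot: The new %post sandbox scriptlet calls %{fillup_only -n sandbox}, but the %package sandbox section added earlier in this diff declares no `Requires(post): %fillup_prereq`, so nothing guarantees that fillup is installed when the scriptlet runs. Add that line to the sandbox subpackage.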
@@ -494,3 +519,16 @@
%{_datadir}/polkit-1/actions/org.selinux.config.policy
%{_datadir}/system-config-selinux/selinux_server.py
+%files sandbox
+%dir %{_datadir}/sandbox
+%doc SANDBOX-README.md
+%{_datadir}/locale/*/LC_MESSAGES/selinux-sandbox.mo
+%{_datadir}/sandbox/start
+%{_datadir}/sandbox/sandboxX.sh
+%{_mandir}/man5/sandbox.5%{?ext_man}
+%{_mandir}/man8/sandbox.8%{?ext_man}
+%{_mandir}/man8/seunshare.8%{?ext_man}
+%{_fillupdir}/sysconfig.sandbox
+%{_sbindir}/seunshare
+%{_bindir}/sandbox
+
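Review bot: The %files sandbox list packages the translations with the glob %{_datadir}/locale/*/LC_MESSAGES/selinux-sandbox.mo, while the rest of the spec uses %find_lang (`%find_lang %{name}`, `%find_lang selinux-python`, `%find_lang selinux-gui`). Adding `%find_lang selinux-sandbox` in %install and switching to `%files sandbox -f selinux-sandbox.lang` would tag the files with their language and keep the subpackages consistent.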
++++++ SANDBOX-README.md ++++++
# policycoreutils-sandbox
Package for additional sandboxing of binaries.
## Setup
To get the 'sandbox' binary to work setting a setuid bit manually is currently
needed:
chmod u+s /usr/sbin/seunshare
## Hints
The selinux-policy-sandbox package ships with multiple types:
- sandbox_x_t
- sandbox_web_t
- sandbox_net_t
To be used with the '-t' flag:
sandbox -t sandbox_x_t <binary>
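Review bot: The Setup section asks the administrator to run `chmod u+s /usr/sbin/seunshare` by hand, which leaves a setuid binary on the system that the package neither sets nor verifies, while the spec already runs %verify_permissions for newrole. Either handle seunshare through the same mechanism once it has been reviewed, or state in the README why the bit is not shipped and what seunshare needs the privilege for, so the reader can make that decision before running the command. The path is also hard-coded, whereas the spec installs the file under %{_sbindir}.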
++++++ policycoreutils-sandbox-fix-cleanup.patch ++++++
Index: policycoreutils-3.10/selinux-sandbox-3.10/sandbox
===================================================================
--- policycoreutils-3.10.orig/selinux-sandbox-3.10/sandbox
+++ policycoreutils-3.10/selinux-sandbox-3.10/sandbox
@@ -535,8 +535,12 @@ sandbox [-h] [-l level ] [-[X|M] [-H hom
shutil.rmtree(self.__homedir)
if self.__tmpdir and not self.__options.tmpdir:
if self.__options.shred:
- self.shred(self.__homedir)
+ self.shred(self.__tmpdir)
shutil.rmtree(self.__tmpdir)
+ if self.__runuserdir and not self.__options.runuserdir:
+ if self.__options.shred:
+ self.shred(self.__runuserdir)
+ shutil.rmtree(self.__runuserdir)
def shred(self, path):
for root, dirs, files in os.walk(path):
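Review bot: This patch file starts directly at `Index:` with no description, author or upstream status, although it contains two separate changes: the correction of `self.shred(self.__homedir)` to `self.shred(self.__tmpdir)` in the tmpdir branch, and the new runuserdir cleanup. Add a header that states both, and say whether the change has been sent upstream. For the new block, nothing in this hunk shows where `self.__runuserdir` and `self.__options.runuserdir` are defined, so confirm that both exist on every path that reaches this cleanup; with three near-identical branches, a small loop over the (directory, option) pairs would also prevent the kind of copy-and-paste slip that the first change fixes.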
Index: policycoreutils-3.10/selinux-sandbox-3.10/seunshare.c
===================================================================
--- policycoreutils-3.10.orig/selinux-sandbox-3.10/seunshare.c
+++ policycoreutils-3.10/selinux-sandbox-3.10/seunshare.c
@@ -1079,6 +1079,7 @@ childerr:
killall(execcon);
if (tmpdir_r) cleanup_tmpdir(tmpdir_r, tmpdir_s, pwd, 1);
+ if (runuserdir_r) cleanup_tmpdir(runuserdir_r, runuserdir_s, pwd, 1);
err:
free(tmpdir_r);
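Review bot: The added `cleanup_tmpdir(runuserdir_r, runuserdir_s, pwd, 1)` call under childerr: mirrors the tmpdir line, but the err: context below it shows only `free(tmpdir_r);`. Check that runuserdir_r and runuserdir_s are freed on that path as well, and that the final argument `1` has the meaning for the runuser directory that it has for the tmp directory.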
++++++ sandbox-sandbox-fix-saving-file-changes.patch ++++++
>From 265ec8e191e11e0feaadc632feec48ec8f22a9f9 Mon Sep 17 00:00:00 2001
From: Robert Frohl <[email protected]>
Date: Tue, 9 Jun 2026 18:03:11 +0200
Subject: [PATCH] sandbox/sandbox: fix saving file changes
Fixes the following backtrace on saving files:
$ sandbox -M -H sandbox_home/ -T sandbox_tmp/ /usr/bin/vim sandbox_home/cmd
[edit file and save]
Traceback (most recent call last):
File "/usr/bin/sandbox", line 565, in <module>
rc = sandbox.main()
File "/usr/bin/sandbox", line 553, in main
return self.__execute()
~~~~~~~~~~~~~~^^
File "/usr/bin/sandbox", line 530, in __execute
savefile(dest, i, self.__options.X_ind)
~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/bin/sandbox", line 133, in savefile
ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig)
^^^^^
UnboundLocalError: cannot access local variable 'input' where it is not
associated with a value
Signed-off-by: Robert Frohl <[email protected]>
---
sandbox/sandbox | 4 ----
1 file changed, 4 deletions(-)
diff --git a/sandbox/sandbox b/sandbox/sandbox
index e3fd6119..4e7d56fd 100644
--- a/policycoreutils-3.10/selinux-sandbox-3.10/sandbox
+++ b/policycoreutils-3.10/selinux-sandbox-3.10/sandbox
@@ -126,10 +126,6 @@ def savefile(new, orig, X_ind):
if rc == Gtk.ResponseType.YES:
copy = True
else:
- try:
- input = raw_input
- except NameError:
- pass
ans = input(_("Do you want to save changes to '%s' (y/N): ") % orig)
if re.match(_("[yY]"), ans):
copy = True
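Review bot: The commit message shows the backtrace but not the cause, which makes the four deleted lines look like an arbitrary removal. A sentence would help: the `input = raw_input` assignment inside savefile() makes `input` a local name for the whole function, so on Python 3 the NameError is swallowed by the `except` and the following `input(...)` call reads an unbound local. It is also worth stating that Python 2 support is dropped on purpose, since the deleted lines were the compatibility shim for it.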
--
2.53.0