Re: [RFC] mmap file_contexts and property_contexts:

2016-09-19 Thread Jason Zaman
On 20 Sep 2016 12:50 pm, "William Roberts"  wrote:
>
> On Sep 19, 2016 21:16, "Jason Zaman"  wrote:
> >
> > On 20 Sep 2016 5:47 am,  wrote:
> > >
> > > From: William Roberts 
> > >
> > > THIS IS WIP...
> > >
> > > Rather than using stdio and making copies, just mmap the files
> > > and use the pointers in place. The effect of this change is that
> > > text file load time is now faster than binary load time by 4.7%
> > > when testing with a file_contexts file from the Android tree. Note
> > > that the Android doesn't use monstrous regexes.
> > >
> > > Times are the average of 3 runs.
> > >
> > > BEFORE:
> > > Text file allocs: 114803
> > > Text file load time: 0.266101
> > > Bin file allocs: 93073
> > > Bin file load time: 0.248757667
> > >
> > > AFTER:
> > > Text file allocs: 103933
> > > Text file load time: 0.236192667
> > > Bin file allocs: 87645
> > > Bin file load time: .247607333
> >
> > Do you have the scripts that generated these stats so I can play with
it too? These stats are from android right? Do you also have a comparison
for refpolicy too?
>
> For generating these I used checkfc.c from the Android tree. I used
valgrind to measure allocations and clock to measure the time in
selabel_open().

Okay cool I'll fetch that and give it a whirl when I get time.

> >
> > I haven't looked that closely yet but just realised, will this need new
perms because of the mmap? If it does, can you send a patch to refpolicy?
>
> I'm confused, mmap is not a permission, and even if it were, the binary path
> was already doing an mmap, so the permission would have been there. We're
> just making it so it always mmaps.

Yeah but mmap needs execute perms sometimes (always?). I am out so just
wanted to send an email before I forgot. If it was mmaping already then
there is nothing to worry about :).

-- Jason
> >
> > > THINGS TO DO:
> > > 1. What's arm performance like?
> > > 2. What interfaces to backends are busted by this (if any)?
> > > 3. Test Android Properties
> > > 4. I'm pretty sure this breaks sefcontext_compile, fix.
> > > 5. Test with PCRE2 enabled.
> > > 6. Spell check this message!
> > > 7. Run checkpatch
> > >
> > > Signed-off-by: William Roberts 
> > > ---
> > >  libselinux/src/label.c  |   2 -
> > >  libselinux/src/label_android_property.c |  22 ++---
> > >  libselinux/src/label_file.c | 140
+++-
> > >  libselinux/src/label_file.h |  66 +--
> > >  libselinux/src/label_internal.h |   3 +-
> > >  libselinux/src/label_support.c  |  79 --
> > >  6 files changed, 172 insertions(+), 140 deletions(-)
> > >
> > > diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> > > index 963bfcb..d767b49 100644
> > > --- a/libselinux/src/label.c
> > > +++ b/libselinux/src/label.c
> > > @@ -15,8 +15,6 @@
> > >  #include "callbacks.h"
> > >  #include "label_internal.h"
> > >
> > > -#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
> > > -
> > >  typedef int (*selabel_initfunc)(struct selabel_handle *rec,
> > > const struct selinux_opt *opts,
> > > unsigned nopts);
> > > diff --git a/libselinux/src/label_android_property.c
b/libselinux/src/label_android_property.c
> > > index 290b438..2aac394 100644
> > > --- a/libselinux/src/label_android_property.c
> > > +++ b/libselinux/src/label_android_property.c
> > > @@ -85,13 +85,19 @@ static int process_line(struct selabel_handle
*rec,
> > > int pass, unsigned lineno)
> > >  {
> > > int items;
> > > -   char *prop = NULL, *context = NULL;
> > > +   union {
> > > +   struct {
> > > +   char *prop;
> > > +   char *context;
> > > +   };
> > > +   char *array[2];
> > > +   } found = { .array = { 0 } };
> > > struct saved_data *data = (struct saved_data *)rec->data;
> > > spec_t *spec_arr = data->spec_arr;
> > > unsigned int nspec = data->nspec;
> > > const char *errbuf = NULL;
> > >
> > > -   items = read_spec_entries(line_buf, , 2, ,
);
> > > +   items = read_spec_entries(line_buf, ,
ARRAY_SIZE(found.array), found.array);
> > > if (items < 0) {
> > > items = errno;
> > > selinux_log(SELINUX_ERROR,
> > > @@ -108,18 +114,14 @@ static int process_line(struct selabel_handle
*rec,
> > > selinux_log(SELINUX_ERROR,
> > > "%s:  line %u is missing fields\n", path,
> > > lineno);
> > > -   free(prop);
> > > errno = EINVAL;
> > > return -1;
> > > }
> > >
> > > -   if (pass == 0) {
> > > -   free(prop);
> > > -   free(context);
> > > -   } else 

Re: [RFC] mmap file_contexts and property_contexts:

2016-09-19 Thread William Roberts
On Sep 19, 2016 21:16, "Jason Zaman"  wrote:
>
> On 20 Sep 2016 5:47 am,  wrote:
> >
> > From: William Roberts 
> >
> > THIS IS WIP...
> >
> > Rather than using stdio and making copies, just mmap the files
> > and use the pointers in place. The effect of this change is that
> > text file load time is now faster than binary load time by 4.7%
> > when testing with a file_contexts file from the Android tree. Note
> > that the Android doesn't use monstrous regexes.
> >
> > Times are the average of 3 runs.
> >
> > BEFORE:
> > Text file allocs: 114803
> > Text file load time: 0.266101
> > Bin file allocs: 93073
> > Bin file load time: 0.248757667
> >
> > AFTER:
> > Text file allocs: 103933
> > Text file load time: 0.236192667
> > Bin file allocs: 87645
> > Bin file load time: .247607333
>
> Do you have the scripts that generated these stats so I can play with it
too? These stats are from android right? Do you also have a comparison for
refpolicy too?

For generating these I used checkfc.c from the Android tree. I used
valgrind to measure allocations and clock to measure the time in
selabel_open().

>
> I haven't looked that closely yet but just realised, will this need new
perms because of the mmap? If it does, can you send a patch to refpolicy?

I'm confused, mmap is not a permission, and even if it were, the binary path
was already doing an mmap, so the permission would have been there. We're
just making it so it always mmaps.

>
> -- Jason
>
> > THINGS TO DO:
> > 1. What's arm performance like?
> > 2. What interfaces to backends are busted by this (if any)?
> > 3. Test Android Properties
> > 4. I'm pretty sure this breaks sefcontext_compile, fix.
> > 5. Test with PCRE2 enabled.
> > 6. Spell check this message!
> > 7. Run checkpatch
> >
> > Signed-off-by: William Roberts 
> > ---
> >  libselinux/src/label.c  |   2 -
> >  libselinux/src/label_android_property.c |  22 ++---
> >  libselinux/src/label_file.c | 140
+++-
> >  libselinux/src/label_file.h |  66 +--
> >  libselinux/src/label_internal.h |   3 +-
> >  libselinux/src/label_support.c  |  79 --
> >  6 files changed, 172 insertions(+), 140 deletions(-)
> >
> > diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> > index 963bfcb..d767b49 100644
> > --- a/libselinux/src/label.c
> > +++ b/libselinux/src/label.c
> > @@ -15,8 +15,6 @@
> >  #include "callbacks.h"
> >  #include "label_internal.h"
> >
> > -#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
> > -
> >  typedef int (*selabel_initfunc)(struct selabel_handle *rec,
> > const struct selinux_opt *opts,
> > unsigned nopts);
> > diff --git a/libselinux/src/label_android_property.c
b/libselinux/src/label_android_property.c
> > index 290b438..2aac394 100644
> > --- a/libselinux/src/label_android_property.c
> > +++ b/libselinux/src/label_android_property.c
> > @@ -85,13 +85,19 @@ static int process_line(struct selabel_handle *rec,
> > int pass, unsigned lineno)
> >  {
> > int items;
> > -   char *prop = NULL, *context = NULL;
> > +   union {
> > +   struct {
> > +   char *prop;
> > +   char *context;
> > +   };
> > +   char *array[2];
> > +   } found = { .array = { 0 } };
> > struct saved_data *data = (struct saved_data *)rec->data;
> > spec_t *spec_arr = data->spec_arr;
> > unsigned int nspec = data->nspec;
> > const char *errbuf = NULL;
> >
> > -   items = read_spec_entries(line_buf, , 2, ,
);
> > +   items = read_spec_entries(line_buf, ,
ARRAY_SIZE(found.array), found.array);
> > if (items < 0) {
> > items = errno;
> > selinux_log(SELINUX_ERROR,
> > @@ -108,18 +114,14 @@ static int process_line(struct selabel_handle
*rec,
> > selinux_log(SELINUX_ERROR,
> > "%s:  line %u is missing fields\n", path,
> > lineno);
> > -   free(prop);
> > errno = EINVAL;
> > return -1;
> > }
> >
> > -   if (pass == 0) {
> > -   free(prop);
> > -   free(context);
> > -   } else if (pass == 1) {
> > +   if (pass == 1) {
> > /* On the second pass, process and store the
specification in spec. */
> > -   spec_arr[nspec].property_key = prop;
> > -   spec_arr[nspec].lr.ctx_raw = context;
> > +   spec_arr[nspec].property_key = found.prop;
> > +   spec_arr[nspec].lr.ctx_raw = found.context;
> >
> > if (rec->validating) {
> > if (selabel_validate(rec, _arr[nspec].lr)
< 0) {
> > @@ -234,7 +236,7 @@ 

Re: [RFC] mmap file_contexts and property_contexts:

2016-09-19 Thread Jason Zaman
On 20 Sep 2016 5:47 am,  wrote:
>
> From: William Roberts 
>
> THIS IS WIP...
>
> Rather than using stdio and making copies, just mmap the files
> and use the pointers in place. The effect of this change is that
> text file load time is now faster than binary load time by 4.7%
> when testing with a file_contexts file from the Android tree. Note
> that the Android doesn't use monstrous regexes.
>
> Times are the average of 3 runs.
>
> BEFORE:
> Text file allocs: 114803
> Text file load time: 0.266101
> Bin file allocs: 93073
> Bin file load time: 0.248757667
>
> AFTER:
> Text file allocs: 103933
> Text file load time: 0.236192667
> Bin file allocs: 87645
> Bin file load time: .247607333

Do you have the scripts that generated these stats so I can play with it
too? These stats are from android right? Do you also have a comparison for
refpolicy too?

I haven't looked that closely yet but just realised, will this need new
perms because of the mmap? If it does, can you send a patch to refpolicy?

-- Jason

> THINGS TO DO:
> 1. What's arm performance like?
> 2. What interfaces to backends are busted by this (if any)?
> 3. Test Android Properties
> 4. I'm pretty sure this breaks sefcontext_compile, fix.
> 5. Test with PCRE2 enabled.
> 6. Spell check this message!
> 7. Run checkpatch
>
> Signed-off-by: William Roberts 
> ---
>  libselinux/src/label.c  |   2 -
>  libselinux/src/label_android_property.c |  22 ++---
>  libselinux/src/label_file.c | 140
+++-
>  libselinux/src/label_file.h |  66 +--
>  libselinux/src/label_internal.h |   3 +-
>  libselinux/src/label_support.c  |  79 --
>  6 files changed, 172 insertions(+), 140 deletions(-)
>
> diff --git a/libselinux/src/label.c b/libselinux/src/label.c
> index 963bfcb..d767b49 100644
> --- a/libselinux/src/label.c
> +++ b/libselinux/src/label.c
> @@ -15,8 +15,6 @@
>  #include "callbacks.h"
>  #include "label_internal.h"
>
> -#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
> -
>  typedef int (*selabel_initfunc)(struct selabel_handle *rec,
> const struct selinux_opt *opts,
> unsigned nopts);
> diff --git a/libselinux/src/label_android_property.c
b/libselinux/src/label_android_property.c
> index 290b438..2aac394 100644
> --- a/libselinux/src/label_android_property.c
> +++ b/libselinux/src/label_android_property.c
> @@ -85,13 +85,19 @@ static int process_line(struct selabel_handle *rec,
> int pass, unsigned lineno)
>  {
> int items;
> -   char *prop = NULL, *context = NULL;
> +   union {
> +   struct {
> +   char *prop;
> +   char *context;
> +   };
> +   char *array[2];
> +   } found = { .array = { 0 } };
> struct saved_data *data = (struct saved_data *)rec->data;
> spec_t *spec_arr = data->spec_arr;
> unsigned int nspec = data->nspec;
> const char *errbuf = NULL;
>
> -   items = read_spec_entries(line_buf, , 2, , );
> +   items = read_spec_entries(line_buf, ,
ARRAY_SIZE(found.array), found.array);
> if (items < 0) {
> items = errno;
> selinux_log(SELINUX_ERROR,
> @@ -108,18 +114,14 @@ static int process_line(struct selabel_handle *rec,
> selinux_log(SELINUX_ERROR,
> "%s:  line %u is missing fields\n", path,
> lineno);
> -   free(prop);
> errno = EINVAL;
> return -1;
> }
>
> -   if (pass == 0) {
> -   free(prop);
> -   free(context);
> -   } else if (pass == 1) {
> +   if (pass == 1) {
> /* On the second pass, process and store the
specification in spec. */
> -   spec_arr[nspec].property_key = prop;
> -   spec_arr[nspec].lr.ctx_raw = context;
> +   spec_arr[nspec].property_key = found.prop;
> +   spec_arr[nspec].lr.ctx_raw = found.context;
>
> if (rec->validating) {
> if (selabel_validate(rec, _arr[nspec].lr) <
0) {
> @@ -234,7 +236,7 @@ static void closef(struct selabel_handle *rec)
> for (i = 0; i < data->nspec; i++) {
> spec = >spec_arr[i];
> free(spec->property_key);
> -   free(spec->lr.ctx_raw);
> +   //free(spec->lr.ctx_raw);
> free(spec->lr.ctx_trans);
> }
>
> diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
> index 7156825..4dc440e 100644
> --- a/libselinux/src/label_file.c
> +++ b/libselinux/src/label_file.c
> @@ -96,43 +96,64 @@ static int nodups_specs(struct saved_data *data,
const char *path)
> return rc;
>  }
>
> -static int 

RE: [RFC] mmap file_contexts and property_contexts:

2016-09-19 Thread Roberts, William C
FYI I only tested this with checkfc...

> -Original Message-
> From: Roberts, William C
> Sent: Monday, September 19, 2016 2:45 PM
> To: selinux@tycho.nsa.gov; seandroid-l...@tycho.nsa.gov; s...@tycho.nsa.gov;
> jda...@google.com
> Cc: Roberts, William C 
> Subject: [RFC] mmap file_contexts and property_contexts:
> 
> From: William Roberts 
> 
> THIS IS WIP...
> 
> Rather than using stdio and making copies, just mmap the files and use the
> pointers in place. The effect of this change is that text file load time is
> now faster than binary load time by 4.7% when testing with a file_contexts
> file from the Android tree. Note that the Android doesn't use monstrous regexes.
> 
> Times are the average of 3 runs.
> 
> BEFORE:
> Text file allocs: 114803
> Text file load time: 0.266101
> Bin file allocs: 93073
> Bin file load time: 0.248757667
> 
> AFTER:
> Text file allocs: 103933
> Text file load time: 0.236192667
> Bin file allocs: 87645
> Bin file load time: .247607333
> 
> THINGS TO DO:
> 1. What's arm performance like?
> 2. What interfaces to backends are busted by this (if any)?
> 3. Test Android Properties
> 4. I'm pretty sure this breaks sefcontext_compile, fix.
> 5. Test with PCRE2 enabled.
> 6. Spell check this message!
> 7. Run checkpatch
> 
> Signed-off-by: William Roberts 
> ---
>  libselinux/src/label.c  |   2 -
>  libselinux/src/label_android_property.c |  22 ++---
>  libselinux/src/label_file.c | 140 
> +++-
>  libselinux/src/label_file.h |  66 +--
>  libselinux/src/label_internal.h |   3 +-
>  libselinux/src/label_support.c  |  79 --
>  6 files changed, 172 insertions(+), 140 deletions(-)
> 
> diff --git a/libselinux/src/label.c b/libselinux/src/label.c index 
> 963bfcb..d767b49
> 100644
> --- a/libselinux/src/label.c
> +++ b/libselinux/src/label.c
> @@ -15,8 +15,6 @@
>  #include "callbacks.h"
>  #include "label_internal.h"
> 
> -#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
> -
>  typedef int (*selabel_initfunc)(struct selabel_handle *rec,
>   const struct selinux_opt *opts,
>   unsigned nopts);
> diff --git a/libselinux/src/label_android_property.c
> b/libselinux/src/label_android_property.c
> index 290b438..2aac394 100644
> --- a/libselinux/src/label_android_property.c
> +++ b/libselinux/src/label_android_property.c
> @@ -85,13 +85,19 @@ static int process_line(struct selabel_handle *rec,
>   int pass, unsigned lineno)
>  {
>   int items;
> - char *prop = NULL, *context = NULL;
> + union {
> + struct {
> + char *prop;
> + char *context;
> + };
> + char *array[2];
> + } found = { .array = { 0 } };
>   struct saved_data *data = (struct saved_data *)rec->data;
>   spec_t *spec_arr = data->spec_arr;
>   unsigned int nspec = data->nspec;
>   const char *errbuf = NULL;
> 
> - items = read_spec_entries(line_buf, , 2, , );
> + items = read_spec_entries(line_buf, , ARRAY_SIZE(found.array),
> +found.array);
>   if (items < 0) {
>   items = errno;
>   selinux_log(SELINUX_ERROR,
> @@ -108,18 +114,14 @@ static int process_line(struct selabel_handle *rec,
>   selinux_log(SELINUX_ERROR,
>   "%s:  line %u is missing fields\n", path,
>   lineno);
> - free(prop);
>   errno = EINVAL;
>   return -1;
>   }
> 
> - if (pass == 0) {
> - free(prop);
> - free(context);
> - } else if (pass == 1) {
> + if (pass == 1) {
>   /* On the second pass, process and store the specification in
> spec. */
> - spec_arr[nspec].property_key = prop;
> - spec_arr[nspec].lr.ctx_raw = context;
> + spec_arr[nspec].property_key = found.prop;
> + spec_arr[nspec].lr.ctx_raw = found.context;
> 
>   if (rec->validating) {
>   if (selabel_validate(rec, _arr[nspec].lr) < 0) { 
> @@ -
> 234,7 +236,7 @@ static void closef(struct selabel_handle *rec)
>   for (i = 0; i < data->nspec; i++) {
>   spec = >spec_arr[i];
>   free(spec->property_key);
> - free(spec->lr.ctx_raw);
> + //free(spec->lr.ctx_raw);
>   free(spec->lr.ctx_trans);
>   }
> 
> diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index
> 7156825..4dc440e 100644
> --- a/libselinux/src/label_file.c
> +++ b/libselinux/src/label_file.c
> @@ -96,43 +96,64 @@ static int nodups_specs(struct saved_data *data, const
> char *path)
>   return rc;
>  }
> 
> -static int process_text_file(FILE *fp, const char *prefix,
> -  struct 

[RFC] mmap file_contexts and property_contexts:

2016-09-19 Thread william . c . roberts
From: William Roberts 

THIS IS WIP...

Rather than using stdio and making copies, just mmap the files
and use the pointers in place. The effect of this change is that
text file load time is now faster than binary load time by 4.7%
when testing with a file_contexts file from the Android tree. Note
that the Android doesn't use monstrous regexes.

Times are the average of 3 runs.

BEFORE:
Text file allocs: 114803
Text file load time: 0.266101
Bin file allocs: 93073
Bin file load time: 0.248757667

AFTER:
Text file allocs: 103933
Text file load time: 0.236192667
Bin file allocs: 87645
Bin file load time: .247607333

THINGS TO DO:
1. What's arm performance like?
2. What interfaces to backends are busted by this (if any)?
3. Test Android Properties
4. I'm pretty sure this breaks sefcontext_compile, fix.
5. Test with PCRE2 enabled.
6. Spell check this message!
7. Run checkpatch

Signed-off-by: William Roberts 
---
 libselinux/src/label.c  |   2 -
 libselinux/src/label_android_property.c |  22 ++---
 libselinux/src/label_file.c | 140 +++-
 libselinux/src/label_file.h |  66 +--
 libselinux/src/label_internal.h |   3 +-
 libselinux/src/label_support.c  |  79 --
 6 files changed, 172 insertions(+), 140 deletions(-)

diff --git a/libselinux/src/label.c b/libselinux/src/label.c
index 963bfcb..d767b49 100644
--- a/libselinux/src/label.c
+++ b/libselinux/src/label.c
@@ -15,8 +15,6 @@
 #include "callbacks.h"
 #include "label_internal.h"
 
-#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
-
 typedef int (*selabel_initfunc)(struct selabel_handle *rec,
const struct selinux_opt *opts,
unsigned nopts);
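Review bot: removing the ARRAY_SIZE definition from label.c is only safe if the macro is now provided by a header this file still includes; label_internal.h is included a few lines above and the diffstat shows it gaining lines, so the commit message should say the macro moved there, otherwise any remaining ARRAY_SIZE use in label.c stops compiling.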
diff --git a/libselinux/src/label_android_property.c 
b/libselinux/src/label_android_property.c
index 290b438..2aac394 100644
--- a/libselinux/src/label_android_property.c
+++ b/libselinux/src/label_android_property.c
@@ -85,13 +85,19 @@ static int process_line(struct selabel_handle *rec,
int pass, unsigned lineno)
 {
int items;
-   char *prop = NULL, *context = NULL;
+   union {
+   struct {
+   char *prop;
+   char *context;
+   };
+   char *array[2];
+   } found = { .array = { 0 } };
struct saved_data *data = (struct saved_data *)rec->data;
spec_t *spec_arr = data->spec_arr;
unsigned int nspec = data->nspec;
const char *errbuf = NULL;
 
-   items = read_spec_entries(line_buf, , 2, , );
+   items = read_spec_entries(line_buf, , ARRAY_SIZE(found.array), 
found.array);
if (items < 0) {
items = errno;
selinux_log(SELINUX_ERROR,
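Review bot: the `union { struct { char *prop; char *context; }; char *array[2]; }` relies on anonymous struct members, which are C11 (or a GNU extension) and need matching compiler flags, and it silently ties the struct's field order to the index order read_spec_entries() fills into `found.array`; a comment stating that prop is array[0] and context is array[1] would stop a later reordering from swapping them. The new `read_spec_entries(line_buf, ..., ARRAY_SIZE(found.array), found.array)` call also changes that function's signature, so every other caller in the series needs the same update.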
@@ -108,18 +114,14 @@ static int process_line(struct selabel_handle *rec,
selinux_log(SELINUX_ERROR,
"%s:  line %u is missing fields\n", path,
lineno);
-   free(prop);
errno = EINVAL;
return -1;
}
 
-   if (pass == 0) {
-   free(prop);
-   free(context);
-   } else if (pass == 1) {
+   if (pass == 1) {
/* On the second pass, process and store the specification in 
spec. */
-   spec_arr[nspec].property_key = prop;
-   spec_arr[nspec].lr.ctx_raw = context;
+   spec_arr[nspec].property_key = found.prop;
+   spec_arr[nspec].lr.ctx_raw = found.context;
 
if (rec->validating) {
if (selabel_validate(rec, _arr[nspec].lr) < 0) {
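Review bot: dropping `free(prop)` in the missing-fields error path and the whole `pass == 0` free branch means the strings read_spec_entries() returns are no longer owned by process_line(); that is correct only if they now point into the mapped file rather than heap copies, and the new ownership rule for `found.prop` and `found.context` should be written down next to the `if (pass == 1)` block so the backend's free/unmap logic can be checked against it.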
@@ -234,7 +236,7 @@ static void closef(struct selabel_handle *rec)
for (i = 0; i < data->nspec; i++) {
spec = >spec_arr[i];
free(spec->property_key);
-   free(spec->lr.ctx_raw);
+   //free(spec->lr.ctx_raw);
free(spec->lr.ctx_trans);
}
 
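Review bot: commenting out `free(spec->lr.ctx_raw)` while keeping `free(spec->property_key)` directly above it is inconsistent, since both pointers are assigned from the same `found` array in process_line(); either both are heap copies (ctx_raw now leaks) or both point into the mapping (the property_key free is then a free() of non-heap memory). Delete the line rather than leaving `//free(spec->lr.ctx_raw);` in the tree, and release the mapping in closef() in its place.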
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 7156825..4dc440e 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -96,43 +96,64 @@ static int nodups_specs(struct saved_data *data, const char 
*path)
return rc;
 }
 
-static int process_text_file(FILE *fp, const char *prefix,
-struct selabel_handle *rec, const char *path)
+static inline struct saved_data *rec_to_data(struct selabel_handle *rec)
+{
+   return (struct saved_data *)rec->data;
+}
+
+static char *mmap_area_get_line(struct mmap_area *area)
+{
+   size_t len = area->next_len;
+   if (!len)
+   return NULL;
+
+   char *start = area->next_addr;
+   char *end = memchr(start, '\n', len);
+
+   /* the file may not end with a newline */
+   if (!end)
+   end = (char *)area->next_addr + 
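Review bot: `mmap_area_get_line()` returns a bare `char *` into the mapping with no length, but a line inside a read-only mapping is not NUL-terminated (the memchr() result is the only marker of its end), so a caller that hands the pointer to string functions or the regex compiler reads on into the next line, or past the end of the file for a last line without a trailing newline. Return the length alongside the pointer (or have the caller compute `end - start`), and move the `char *start` and `char *end` declarations above the first statement to match the surrounding C90-style code.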

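As an added example that is not part of the RFC patch or of libselinux, this C program walks a spec file the way the patch's mmap_area_get_line() does, but hands out each line as a (pointer, length) pair since lines inside a mapping carry no NUL terminator, and it maps with PROT_READ and MAP_PRIVATE only, which is why no execute permission enters into it. The names line_cursor, next_line, map_file, nth_line_len and count_spec_lines are this example's own, and the sample text is constructed.

```c
/* Added example, not code from the RFC patch or libselinux: walk the lines
 * of a read-only mmap()ed spec file in place as (pointer, length) pairs. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

struct line_cursor {
    const char *next_addr;  /* start of the next unread line */
    size_t next_len;        /* bytes left from next_addr to end of map */
};

/* Returns the next line and stores its length in *len, or NULL once the
 * mapping is exhausted. A last line without a trailing '\n' is returned
 * with its length running to the end of the mapping. */
const char *next_line(struct line_cursor *c, size_t *len)
{
    if (c->next_len == 0)
        return NULL;
    const char *start = c->next_addr;
    const char *nl = memchr(start, '\n', c->next_len);
    size_t line_len = nl ? (size_t)(nl - start) : c->next_len;
    size_t consumed = nl ? line_len + 1 : line_len;  /* +1 skips '\n' */
    c->next_addr += consumed;
    c->next_len -= consumed;
    *len = line_len;
    return start;
}

/* Maps a file with PROT_READ and MAP_PRIVATE only: no execute mapping is
 * requested and the file can never be written through the mapping. */
int map_file(const char *path, struct line_cursor *c)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_size <= 0) {
        close(fd);
        return -1;
    }
    void *p = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);  /* the mapping outlives the descriptor */
    if (p == MAP_FAILED)
        return -1;
    c->next_addr = p;
    c->next_len = (size_t)st.st_size;
    return 0;
}

/* Length of line n (0-based) in buf, or (size_t)-1 if there is no such
 * line; a trailing newline never yields a phantom empty last line. */
size_t nth_line_len(const char *buf, size_t len, size_t n)
{
    struct line_cursor c = { buf, len };
    size_t l;
    while (next_line(&c, &l) != NULL) {
        if (n == 0)
            return l;
        n--;
    }
    return (size_t)-1;
}

/* Counts lines that carry a spec entry, skipping blank and '#' comment
 * lines, touching only bytes inside each (ptr, len) pair. */
size_t count_spec_lines(const char *buf, size_t len)
{
    struct line_cursor c = { buf, len };
    size_t n = 0, l;
    const char *line;
    while ((line = next_line(&c, &l)) != NULL) {
        size_t i = 0;
        while (i < l && (line[i] == ' ' || line[i] == '\t'))
            i++;
        if (i == l || line[i] == '#')
            continue;
        n++;
    }
    return n;
}

int main(void)
{
    /* constructed sample in file_contexts style; the last entry has no
     * trailing newline, the case the patch's memchr() fallback covers */
    static const char sample[] =
        "# comment\n"
        "/dev/null\t-c\tu:object_r:null_device:s0\n"
        "\n"
        "/system(/.*)?\tu:object_r:system_file:s0";
    printf("%zu spec lines\n", count_spec_lines(sample, sizeof sample - 1));
    return 0;
}
```
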
Re: sandox -X not working with recent Xephyr

2016-09-19 Thread Laurent Bigonville

Le 19/09/16 à 20:26, Stephen Smalley a écrit :

On 09/19/2016 02:02 PM, Petr Lautrbach wrote:

On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:

On 09/18/2016 02:39 PM, Laurent Bigonville wrote:

Hi,

It seems that sandbox -X is not working anymore on debian.

Xephyr (1.18.4) is giving me the following error:

_XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
created.

The X socket is not created inside the sandbox and then the application
can obviously not connect to it.

I'm not sure how this could be fixed, maybe let's seunshare create that
directory?

I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
they have a fix?

That is using the Fedora policycoreutils-sandbox package, which yields a
functioning sandbox -X, e.g. sandbox -X firefox works correctly.

However, if I install sandbox from upstream, e.g.

cd selinux
sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel

then sandbox -X firefox fails immediately, and I have the following in
the audit log:
type=SELINUX_ERR msg=audit(1474295659.424:2189):
op=security_bounded_transition seresult=denied
oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002

It's most likely not related. Same error can be seen in stock Fedora.


So I guess there are other patches in the Fedora package that are needed?

It's this patch
https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d

But the patch below works too:

--- a/policycoreutils/sandbox/sandboxX.sh
+++ b/policycoreutils/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
  
  EOF
  
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do

+(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI -nolisten tcp 
-displayfd 5 5>&1 2>/dev/null) | while read D; do
  export DISPLAY=:$D
  cat > ~/seremote << __EOF
  #!/bin/sh

I'm not sure which one is correct.

I don't know either, but the one above does work and seems simpler, so
let's go with that one.

I don't really understand why it's working outside of the sandbox and 
why it was working before.

But indeed removing -terminate or adding -reset seems to fix it.
___
Selinux mailing list
Selinux@tycho.nsa.gov
To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.

Re: sandox -X not working with recent Xephyr

2016-09-19 Thread Stephen Smalley
On 09/19/2016 02:02 PM, Petr Lautrbach wrote:
> On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
>> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
>>> Hi,
>>>
>>> It seems that sandbox -X is not working anymore on debian.
>>>
>>> Xephyr (1.18.4) is giving me the following error:
>>>
>>> _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
>>> created.
>>>
>>> The X socket is not created inside the sandbox and then the application
>>> can obviously not connect to it.
>>>
>>> I'm not sure how this could be fixed, maybe let's seunshare create that
>>> directory?
>>
>> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
>> they have a fix?
>>
>> That is using the Fedora policycoreutils-sandbox package, which yields a
>> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
>>
>> However, if I install sandbox from upstream, e.g.
>>
>> cd selinux
>> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
>>
>> then sandbox -X firefox fails immediately, and I have the following in
>> the audit log:
>> type=SELINUX_ERR msg=audit(1474295659.424:2189):
>> op=security_bounded_transition seresult=denied
>> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
>> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002
> 
> It's most likely not related. Same error can be seen in stock Fedora.
> 
>> So I guess there are other patches in the Fedora package that are needed?
> 
> It's this patch
> https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d
> 
> But the patch below works too:
> 
> --- a/policycoreutils/sandbox/sandboxX.sh
> +++ b/policycoreutils/sandbox/sandboxX.sh
> @@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
>  
>  EOF
>  
> -(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE 
> -dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
> +(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI 
> -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
>  export DISPLAY=:$D
>  cat > ~/seremote << __EOF
>  #!/bin/sh
> 
> 
> 
> I'm not sure which one is correct.

I don't know either, but the one above does work and seems simpler, so
let's go with that one.



Re: sandox -X not working with recent Xephyr

2016-09-19 Thread Petr Lautrbach
On Mon, Sep 19, 2016 at 10:39:45AM -0400, Stephen Smalley wrote:
> On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
> > Hi,
> > 
> > It seems that sandbox -X is not working anymore on debian.
> > 
> > Xephyr (1.18.4) is giving me the following error:
> > 
> > _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
> > created.
> > 
> > The X socket is not created inside the sandbox and then the application
> > can obviously not connect to it.
> > 
> > I'm not sure how this could be fixed, maybe let's seunshare create that
> > directory?
> 
> I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
> they have a fix?
> 
> That is using the Fedora policycoreutils-sandbox package, which yields a
> functioning sandbox -X, e.g. sandbox -X firefox works correctly.
> 
> However, if I install sandbox from upstream, e.g.
> 
> cd selinux
> sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel
> 
> then sandbox -X firefox fails immediately, and I have the following in
> the audit log:
> type=SELINUX_ERR msg=audit(1474295659.424:2189):
> op=security_bounded_transition seresult=denied
> oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
> newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002

It's most likely not related. Same error can be seen in stock Fedora.

> So I guess there are other patches in the Fedora package that are needed?

It's this patch
https://github.com/fedora-selinux/selinux/commit/2540625875ebdfe0ef48798437288e8a07aa853d

But the patch below works too:

--- a/policycoreutils/sandbox/sandboxX.sh
+++ b/policycoreutils/sandbox/sandboxX.sh
@@ -20,7 +20,7 @@ cat > ~/.config/openbox/rc.xml << EOF
 
 EOF
 
-(/usr/bin/Xephyr -resizeable -title "$TITLE" -terminate -screen $SCREENSIZE 
-dpi $DPI -nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
+(/usr/bin/Xephyr -resizeable -title "$TITLE" -screen $SCREENSIZE -dpi $DPI 
-nolisten tcp -displayfd 5 5>&1 2>/dev/null) | while read D; do
 export DISPLAY=:$D
 cat > ~/seremote << __EOF
 #!/bin/sh
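Review bot: dropping `-terminate` means Xephyr no longer exits on its own when its last client disconnects, and nothing in the hunk shows what tears it down instead; the commit message should say how the server is cleaned up now (the `-displayfd 5` pipe and the rest of the loop are unchanged), otherwise a sandbox exit can leave a stray Xephyr process behind.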



I'm not sure which one is correct.

Petr
-- 
Petr Lautrbach


[PATCH v2] sandbox: Use GObject introspection binding instead of pygtk2

2016-09-19 Thread Laurent Bigonville
From: Petr Lautrbach 

sandbox command is also now using GTK 3.0

This patch comes from Fedora patch set

Signed-off-by: Laurent Bigonville 
---
 policycoreutils/sandbox/sandbox | 18 +++---
 1 file changed, 11 insertions(+), 7 deletions(-)

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 9f200d5..726ba9b 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -111,16 +111,18 @@ def copyfile(file, srcdir, dest):
 def savefile(new, orig, X_ind):
 copy = False
 if(X_ind):
-import gtk
-dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
-gtk.BUTTONS_YES_NO,
+import gi
+gi.require_version('Gtk', '3.0')
+from gi.repository import Gtk
+dlg = Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO,
+Gtk.ButtonsType.YES_NO,
 _("Do you want to save changes to '%s' (Y/N): 
") % orig)
 dlg.set_title(_("Sandbox Message"))
-dlg.set_position(gtk.WIN_POS_MOUSE)
+dlg.set_position(Gtk.WindowPosition.MOUSE)
 dlg.show_all()
 rc = dlg.run()
 dlg.destroy()
-if rc == gtk.RESPONSE_YES:
+if rc == Gtk.ResponseType.YES:
 copy = True
 else:
 try:
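Review bot: the three lines `import gi` / `gi.require_version('Gtk', '3.0')` / `from gi.repository import Gtk` are repeated verbatim in the second hunk of this patch; factoring them into one helper keeps a future version bump in one place. The positional `Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO, Gtk.ButtonsType.YES_NO, ...)` form works with PyGObject but is its deprecated calling convention; `parent=`, `flags=`, `message_type=` and `buttons=` keyword arguments avoid the deprecation warning.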
@@ -452,8 +454,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T 
tempdir]] [-I includefile ] [-
 if self.__options.dpi:
 dpi = self.__options.dpi
 else:
-import gtk
-dpi = str(gtk.settings_get_default().props.gtk_xft_dpi 
/ 1024)
+import gi
+gi.require_version('Gtk', '3.0')
+from gi.repository import Gtk
+dpi = str(Gtk.Settings.get_default().props.gtk_xft_dpi 
/ 1024)
 
 xmodmapfile = self.__homedir + "/.xmodmap"
 xd = open(xmodmapfile, "w")
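Review bot: `str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024)` keeps the old expression, but under Python 3 `/` is true division, so a gtk_xft_dpi of 98304 produces the string '96.0' rather than '96' and that is what is passed on as the -dpi value; use `//` for integer division. `Gtk.Settings.get_default()` also returns None when no display is available, which turns into an AttributeError here instead of a clear message.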
-- 
2.9.3



Re: [PATCH] sandbox: Use GObject introspection binding instead of pygtk2

2016-09-19 Thread Petr Lautrbach
On Mon, Sep 19, 2016 at 10:58:10AM -0400, Stephen Smalley wrote:
> On 09/18/2016 11:46 AM, Laurent Bigonville wrote:
> > From: Laurent Bigonville 
> > 
> > sandbox command is also now using GTK 3.0
> > 
> > This patch comes from Fedora patch set
> 
> Need a Signed-off-by.  If you can extract the actual original patch with
> its author and signed-off-by, that's preferable.

I'm the author of the original patches. However I consider the new patch
better and we'll adopt it in Fedora as soon as it's pushed upstream.

I'm completely fine with Laurent resending this patch with his
Signed-Off-By.


Petr

> 
> > ---
> >  policycoreutils/sandbox/sandbox | 18 +++---
> >  1 file changed, 11 insertions(+), 7 deletions(-)
> > 
> > diff --git a/policycoreutils/sandbox/sandbox 
> > b/policycoreutils/sandbox/sandbox
> > index 9f200d5..726ba9b 100644
> > --- a/policycoreutils/sandbox/sandbox
> > +++ b/policycoreutils/sandbox/sandbox
> > @@ -111,16 +111,18 @@ def copyfile(file, srcdir, dest):
> >  def savefile(new, orig, X_ind):
> >  copy = False
> >  if(X_ind):
> > -import gtk
> > -dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
> > -gtk.BUTTONS_YES_NO,
> > +import gi
> > +gi.require_version('Gtk', '3.0')
> > +from gi.repository import Gtk
> > +dlg = Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO,
> > +Gtk.ButtonsType.YES_NO,
> >  _("Do you want to save changes to '%s' 
> > (Y/N): ") % orig)
> >  dlg.set_title(_("Sandbox Message"))
> > -dlg.set_position(gtk.WIN_POS_MOUSE)
> > +dlg.set_position(Gtk.WindowPosition.MOUSE)
> >  dlg.show_all()
> >  rc = dlg.run()
> >  dlg.destroy()
> > -if rc == gtk.RESPONSE_YES:
> > +if rc == Gtk.ResponseType.YES:
> >  copy = True
> >  else:
> >  try:
> > @@ -452,8 +454,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T 
> > tempdir]] [-I includefile ] [-
> >  if self.__options.dpi:
> >  dpi = self.__options.dpi
> >  else:
> > -import gtk
> > -dpi = 
> > str(gtk.settings_get_default().props.gtk_xft_dpi / 1024)
> > +import gi
> > +gi.require_version('Gtk', '3.0')
> > +from gi.repository import Gtk
> > +dpi = 
> > str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024)
> >  
> >  xmodmapfile = self.__homedir + "/.xmodmap"
> >  xd = open(xmodmapfile, "w")
> > 
> 

-- 
Petr Lautrbach


Re: [PATCH] sandbox: Use GObject introspection binding instead of pygtk2

2016-09-19 Thread Stephen Smalley
On 09/18/2016 11:46 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville 
> 
> sandbox command is also now using GTK 3.0
> 
> This patch comes from Fedora patch set

Need a Signed-off-by.  If you can extract the actual original patch with
its author and signed-off-by, that's preferable.

> ---
>  policycoreutils/sandbox/sandbox | 18 +++---
>  1 file changed, 11 insertions(+), 7 deletions(-)
> 
> diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
> index 9f200d5..726ba9b 100644
> --- a/policycoreutils/sandbox/sandbox
> +++ b/policycoreutils/sandbox/sandbox
> @@ -111,16 +111,18 @@ def copyfile(file, srcdir, dest):
>  def savefile(new, orig, X_ind):
>  copy = False
>  if(X_ind):
> -import gtk
> -dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
> -gtk.BUTTONS_YES_NO,
> +import gi
> +gi.require_version('Gtk', '3.0')
> +from gi.repository import Gtk
> +dlg = Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO,
> +Gtk.ButtonsType.YES_NO,
>  _("Do you want to save changes to '%s' 
> (Y/N): ") % orig)
>  dlg.set_title(_("Sandbox Message"))
> -dlg.set_position(gtk.WIN_POS_MOUSE)
> +dlg.set_position(Gtk.WindowPosition.MOUSE)
>  dlg.show_all()
>  rc = dlg.run()
>  dlg.destroy()
> -if rc == gtk.RESPONSE_YES:
> +if rc == Gtk.ResponseType.YES:
>  copy = True
>  else:
>  try:
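Review bot: the three-line `import gi` / `gi.require_version('Gtk', '3.0')` / `from gi.repository import Gtk` preamble added here is repeated verbatim in the second hunk of this patch; factoring it into one small helper (or a single lazy import) would keep the GTK version pin in one place, which matters because `gi.require_version` has to run before the first `from gi.repository import Gtk` anywhere in the process and raises `ValueError` if a different Gtk version was already loaded. A smaller point on the new constructor call: `Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO, Gtk.ButtonsType.YES_NO, ...)` keeps the PyGTK positional argument order, which PyGObject still accepts; the documented GTK 3 form is keyword arguments, and newer PyGObject releases warn about positional constructor arguments.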
> @@ -452,8 +454,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T 
> tempdir]] [-I includefile ] [-
>  if self.__options.dpi:
>  dpi = self.__options.dpi
>  else:
> -import gtk
> -dpi = 
> str(gtk.settings_get_default().props.gtk_xft_dpi / 1024)
> +import gi
> +gi.require_version('Gtk', '3.0')
> +from gi.repository import Gtk
> +dpi = 
> str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024)
>  
>  xmodmapfile = self.__homedir + "/.xmodmap"
>  xd = open(xmodmapfile, "w")
> 
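Review bot: `str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024)` changes meaning under Python 3, where `/` is true division: the old integer result (e.g. `96`) becomes `96.0`. Use `// 1024` (or wrap the division in `int()`) so the `dpi` string stays integral on both interpreters. Separately, `Gtk.Settings.get_default()` returns `None` when no default display can be opened, and the chained `.props` access then fails with an `AttributeError`; the old `gtk.settings_get_default()` behaved the same way, but since this branch only runs when `--dpi` was not given, an explicit `None` check with a fallback value would give a clearer error than a traceback.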



Re: sandbox -X not working with recent Xephyr

2016-09-19 Thread Stephen Smalley
On 09/18/2016 02:39 PM, Laurent Bigonville wrote:
> Hi,
> 
> It seems that sandbox -X is not working anymore on debian.
> 
> Xephyr (1.18.4) is giving me the following error:
> 
> _XSERVTransmkdir: ERROR: euid != 0,directory /tmp/.X11-unix will not be
> created.
> 
> The X socket is not created inside the sandbox and then the application
> can obviously not connect to it.
> 
> I'm not sure how this could be fixed, maybe let's seunshare create that
> directory?

I don't see this error on Fedora, which also has Xephyr 1.18.4, so maybe
they have a fix?

That is using the Fedora policycoreutils-sandbox package, which yields a
functioning sandbox -X, e.g. sandbox -X firefox works correctly.

However, if I install sandbox from upstream, e.g.

cd selinux
sudo make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel

then sandbox -X firefox fails immediately, and I have the following in
the audit log:
type=SELINUX_ERR msg=audit(1474295659.424:2189):
op=security_bounded_transition seresult=denied
oldcontext=unconfined_u:unconfined_r:sandbox_x_t:s0:c658,c1002
newcontext=unconfined_u:unconfined_r:sandbox_x_client_t:s0:c658,c1002

So I guess there are other patches in the Fedora package that are needed?


Re: [PATCH v5] libselinux: correct error path to always try text

2016-09-19 Thread Stephen Smalley
On 09/16/2016 03:37 PM, william.c.robe...@intel.com wrote:
> From: William Roberts 
> 
> patch 5e15a52aaa cleans up the process_file() routine,
> but introduced a bug. If the binary file cannot be
> opened, always attempt to fall back to the textual file;
> this was not occurring.
> 
> The logic should be:
> 1. Open the newest file between base path + suffix and
>base_path + suffix + ".bin"
> 2. If anything fails, attempt to load the oldest file.
> 
> The result, with a concrete example, would be:
> If file_contexts is the newest file, and it cannot be
> processed, the code will fall back to file_contexts.bin
> and vice versa.
> 
> Signed-off-by: William Roberts 

Thanks, applied.

> ---
>  libselinux/src/label_file.c | 47 
> ++---
>  1 file changed, 32 insertions(+), 15 deletions(-)
> 
> diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
> index 9faecdb..ff6bc94 100644
> --- a/libselinux/src/label_file.c
> +++ b/libselinux/src/label_file.c
> @@ -447,7 +447,7 @@ static bool fcontext_is_binary(FILE *fp)
>  #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
>  
>  static FILE *open_file(const char *path, const char *suffix,
> -char *save_path, size_t len, struct stat *sb)
> +char *save_path, size_t len, struct stat *sb, bool open_oldest)
>  {
>   unsigned int i;
>   int rc;
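Review bot: the new `open_oldest` parameter is only explained by the comment deep inside the selection loop; a one-line comment at the prototype saying that `true` selects the least recently modified candidate (and flips the tie-break) would save the next reader from having to work out the XOR below.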
> @@ -493,9 +493,15 @@ static FILE *open_file(const char *path, const char 
> *suffix,
>* includes equality. This provides a precedence on
>* secondary suffixes even when the timestamp is the
>* same. Ie choose file_contexts.bin over file_contexts
> -  * even if the time stamp is the same.
> +  * even if the time stamp is the same. Invert this logic
> +  * on open_oldest set to true. The idea is that if the
> +  * newest file failed to process, we can attempt to
> +  * process the oldest. The logic here is subtle and depends
> +  * on the array ordering in fdetails for the case when time
> +  * stamps are the same.
>*/
> - if (fdetails[i].sb.st_mtime >= found->sb.st_mtime) {
> + if (open_oldest ^
> + (fdetails[i].sb.st_mtime >= found->sb.st_mtime)) {
>   found = [i];
>   strcpy(save_path, path);
>   }
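Review bot: with `open_oldest` true the test becomes `fdetails[i].sb.st_mtime < found->sb.st_mtime`, so on the second pass the strictly older candidate wins and an equal timestamp now keeps the earlier `fdetails` entry. That does give the intended inversion of the `.bin`-wins tie-break, but as the comment admits it relies on the array order, and also on how `found` is initialised before the loop, which this hunk does not show. When only one of the candidates exists, the second pass will select the very file that just failed to process; please confirm with a test that this path does not simply re-parse the same file, and consider comparing the chosen path with the first pass's `save_path` and bailing out early when they match.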
> @@ -515,24 +521,35 @@ static int process_file(const char *path, const char 
> *suffix,
> const char *prefix, struct selabel_digest *digest)
>  {
>   int rc;
> + unsigned int i;
>   struct stat sb;
>   FILE *fp = NULL;
>   char found_path[PATH_MAX];
>  
> - fp = open_file(path, suffix, found_path, sizeof(found_path), );
> - if (fp == NULL)
> - return -1;
> + /*
> +  * On the first pass open the newest modified file. If it fails to
> +  * process, then the second pass shall open the oldest file. If both
> +  * passes fail, then it's a fatal error.
> +  */
> + for (i = 0; i < 2; i++) {
> + fp = open_file(path, suffix, found_path, sizeof(found_path),
> + , i > 0);
> + if (fp == NULL)
> + return -1;
>  
> - rc = fcontext_is_binary(fp) ?
> - load_mmap(fp, sb.st_size, rec, found_path) :
> - process_text_file(fp, prefix, rec, found_path);
> - if (rc < 0)
> - goto out;
> + rc = fcontext_is_binary(fp) ?
> + load_mmap(fp, sb.st_size, rec, found_path) :
> + process_text_file(fp, prefix, rec, found_path);
> + if (!rc)
> + rc = digest_add_specfile(digest, fp, NULL, sb.st_size,
> + found_path);
>  
> - rc = digest_add_specfile(digest, fp, NULL, sb.st_size, found_path);
> -out:
> - fclose(fp);
> - return rc;
> + fclose(fp);
> +
> + if (!rc)
> + return 0;
> + }
> + return -1;
>  }
>  
>  static void closef(struct selabel_handle *rec);
> 
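Review bot: the fallback covers a processing failure but not an open failure: on pass 0, if `open_file` returns NULL (for instance the newest candidate exists but `fopen` fails on it), the loop hits `return -1` immediately and the older file is never tried, whereas the commit message says "if the binary file cannot be opened, always attempt to fall back". If that literal reading is intended, the first pass should `continue` rather than return. Two further points: `rc` (and `errno`) from the first pass are overwritten by the second attempt, so a caller only ever sees the second failure, which may be a confusing "no such file" instead of the real parse error; and if `process_text_file` or `load_mmap` fail half-way through populating `rec`, nothing here resets that state before the second pass loads into the same handle, so it is worth checking that those routines clean up after themselves on error.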

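The newest-then-oldest selection that the commit message above describes, modelled in Python as an added example (this is not libselinux code). It assumes the candidate array is ordered [`<base><suffix>`, `<base><suffix>.bin`] so that the `>=` comparison prefers the `.bin` file on equal timestamps, and that `found` starts empty and takes the first candidate that stats successfully; `choose_candidate`, `load_with_fallback` and `demo` are names chosen for this example. The `demo()` scenario is constructed in a temporary directory: a newer but corrupt text file beside an older valid `.bin`, then a timestamp tie, then the single-file case the review note above asks about.

```python
"""Added example (not libselinux code): Python model of the newest-then-oldest
candidate selection described in the commit message.

Assumptions: the candidate array is ordered [<base><suffix>, <base><suffix>.bin]
so that the '>=' comparison prefers the .bin file on equal timestamps, and
`found` starts empty and takes the first candidate that stat()s successfully.
"""
import os
import tempfile
import time


def choose_candidate(base, suffix, open_oldest=False, stat_fn=os.stat):
    """Pick which of <base><suffix> / <base><suffix>.bin to load.

    open_oldest=False mirrors the first pass: the most recently modified
    candidate wins and, on equal mtimes, the later array entry (.bin) wins
    because the comparison is '>='.  open_oldest=True XORs the comparison,
    so the strictly older candidate wins and ties go to the earlier entry.
    """
    candidates = [base + suffix, base + suffix + ".bin"]  # assumed order
    found = found_mtime = None
    for cand in candidates:
        try:
            mtime = stat_fn(cand).st_mtime
        except OSError:            # candidate does not exist: skip it
            continue
        if found is None or (open_oldest ^ (mtime >= found_mtime)):
            found, found_mtime = cand, mtime
    return found


def load_with_fallback(base, suffix, loader, stat_fn=os.stat):
    """Try the newest candidate, then the oldest; return (path, result).

    `loader(path)` returns the parsed content or raises ValueError.  When
    only one candidate exists both passes select the same path, so the
    second pass is skipped instead of re-parsing a file that just failed.
    """
    tried = set()
    for open_oldest in (False, True):
        cand = choose_candidate(base, suffix, open_oldest, stat_fn)
        if cand is None or cand in tried:
            break
        tried.add(cand)
        try:
            return cand, loader(cand)
        except ValueError:
            continue               # fall back to the other candidate
    return None, None


def demo():
    """Constructed scenario: a newer but corrupt text file beside an older,
    valid .bin file; returns the selections so they can be checked."""
    def loader(path):
        with open(path, "rb") as f:
            data = f.read()
        if not data.startswith(b"OK"):
            raise ValueError("cannot parse %s" % path)
        return data.decode()

    with tempfile.TemporaryDirectory() as d:
        base = os.path.join(d, "file_contexts")
        text, binf = base, base + ".bin"
        with open(text, "wb") as f:
            f.write(b"garbage")
        with open(binf, "wb") as f:
            f.write(b"OK bin")
        now = int(time.time())
        os.utime(text, (now, now))
        os.utime(binf, (now - 100, now - 100))
        out = {
            "newest": os.path.basename(choose_candidate(base, "", False)),
            "oldest": os.path.basename(choose_candidate(base, "", True)),
        }
        chosen, result = load_with_fallback(base, "", loader)
        out["chosen"], out["result"] = os.path.basename(chosen), result
        # Equal timestamps: .bin wins the first pass, the text file the second.
        os.utime(text, (now - 100, now - 100))
        out["tie_newest"] = os.path.basename(choose_candidate(base, "", False))
        out["tie_oldest"] = os.path.basename(choose_candidate(base, "", True))
        # Only the (corrupt) text file left: no second pass on the same file.
        os.remove(binf)
        out["single"] = load_with_fallback(base, "", loader)
        return out


if __name__ == "__main__":
    print(demo())
```

Running the module prints the dictionary from `demo()`: the first pass picks the newer text file, fails on it, and the second pass lands on the older `.bin`; with equal timestamps the `.bin` wins pass one and the text file pass two, which is exactly the inversion the XOR in the patch produces.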


Re: [PATCH] sandbox: Use dbus-launch instead of dbus-run-session

2016-09-19 Thread Petr Lautrbach
On 09/19/2016 12:32 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville 
> 
> According to dbus upstream: "dbus-launch is fairly horrible code,
> complicated by the historical need for it to support X11 autolaunching,
> so the D-Bus maintainers would like to move it out of the critical path
> and minimize its use."
> 
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=836289

dbus-run-session was introduced in dbus-1.8.0. This change would break
systems with older dbus, e.g., rhel-7 ships dbus-1.6.12.

Would it make sense to do a test whether dbus-run-session is available
or not?

Petr

> ---
>  policycoreutils/sandbox/sandbox | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
> index 726ba9b..f537dc6 100644
> --- a/policycoreutils/sandbox/sandbox
> +++ b/policycoreutils/sandbox/sandbox
> @@ -285,7 +285,7 @@ class Sandbox:
>  /usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap
>  %s &
>  WM_PID=$!
> -dbus-launch --exit-with-session %s
> +dbus-run-session -- %s
>  kill -TERM $WM_PID  2> /dev/null
>  """ % (command, wm, command))
>  fd.close()
> 
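Review bot: `dbus-run-session -- %s` is substituted into the generated shell script as a bare string exactly as `dbus-launch --exit-with-session %s` was, so the quoting behaviour of `command` is unchanged, and the `--` is right since dbus-run-session takes the program to run as its trailing arguments. The compatibility concern raised in the reply above stands, though: dbus-run-session is absent from older dbus releases, so either probe for it when the script is generated (falling back to the dbus-launch line) or emit a `command -v dbus-run-session` test into the generated script so one sandbox script works on both.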

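One way to do the availability test suggested above, as an added example rather than code from the sandbox script: probe PATH from the Python side when the session script is generated and pick the launcher line accordingly. `dbus_session_line` and `session_script` are names chosen for this example; `session_script` mirrors only the lines of the generated script that are visible in the hunk. `shutil.which` is Python 3.3+, so `distutils.spawn.find_executable` is used as the equivalent on Python 2.

```python
"""Added example (not the sandbox script's own code): choose the D-Bus
session launcher at script-generation time so the generated session script
works both on hosts with dbus-run-session and on hosts whose dbus predates it.
"""
try:
    from shutil import which                      # Python 3.3+
except ImportError:                               # Python 2.7
    from distutils.spawn import find_executable as which


def dbus_session_line(command, finder=which):
    """Return the shell line that runs `command` under a private session bus.

    Prefers dbus-run-session, which exits together with the command it runs;
    falls back to the older dbus-launch --exit-with-session form.  `finder`
    is injectable so the choice can be tested without changing PATH.
    """
    if finder("dbus-run-session"):
        return "dbus-run-session -- %s" % command
    if finder("dbus-launch"):
        return "dbus-launch --exit-with-session %s" % command
    raise RuntimeError("no D-Bus session launcher found on PATH")


def session_script(wm, command, finder=which):
    """Render the part of the sandbox session script visible in the patch:
    start the window manager, run the command on a session bus, then stop
    the window manager.  (Hypothetical helper; the real script has more.)
    """
    return (
        "/usr/bin/test -r ~/.xmodmap && /usr/bin/xmodmap ~/.xmodmap\n"
        "%s &\n"
        "WM_PID=$!\n"
        "%s\n"
        "kill -TERM $WM_PID  2> /dev/null\n"
    ) % (wm, dbus_session_line(command, finder))


if __name__ == "__main__":
    print(session_script("openbox", "firefox"))
```

Probing at generation time keeps the generated script simple; the alternative is to emit both launcher lines guarded by `command -v dbus-run-session` into the script itself, which is preferable if the script is ever generated on one host and run on another.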


Re: [PATCH] sandbox: Use GObject introspection binding instead of pygtk2

2016-09-19 Thread Petr Lautrbach
On Sun, Sep 18, 2016 at 05:46:09PM +0200, Laurent Bigonville wrote:
> From: Laurent Bigonville 
> 
> sandbox command is also now using GTK 3.0
> 
> This patch comes from Fedora patch set

Works for me on Fedora with python 3 and on latest RHEL-7 with python 2 as well.

Note: the original patchset is based on suggestions from
https://wiki.gnome.org/action/show/Projects/PyGObject/IntrospectionPorting#Porting_from_PyGTK_2_to_PyGI_GTK_3

and created by the referenced script
http://git.gnome.org/browse/pygobject/tree/pygi-convert.sh


Petr


> ---
>  policycoreutils/sandbox/sandbox | 18 +++---
>  1 file changed, 11 insertions(+), 7 deletions(-)
> 
> diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
> index 9f200d5..726ba9b 100644
> --- a/policycoreutils/sandbox/sandbox
> +++ b/policycoreutils/sandbox/sandbox
> @@ -111,16 +111,18 @@ def copyfile(file, srcdir, dest):
>  def savefile(new, orig, X_ind):
>  copy = False
>  if(X_ind):
> -import gtk
> -dlg = gtk.MessageDialog(None, 0, gtk.MESSAGE_INFO,
> -gtk.BUTTONS_YES_NO,
> +import gi
> +gi.require_version('Gtk', '3.0')
> +from gi.repository import Gtk
> +dlg = Gtk.MessageDialog(None, 0, Gtk.MessageType.INFO,
> +Gtk.ButtonsType.YES_NO,
>  _("Do you want to save changes to '%s' 
> (Y/N): ") % orig)
>  dlg.set_title(_("Sandbox Message"))
> -dlg.set_position(gtk.WIN_POS_MOUSE)
> +dlg.set_position(Gtk.WindowPosition.MOUSE)
>  dlg.show_all()
>  rc = dlg.run()
>  dlg.destroy()
> -if rc == gtk.RESPONSE_YES:
> +if rc == Gtk.ResponseType.YES:
>  copy = True
>  else:
>  try:
> @@ -452,8 +454,10 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T 
> tempdir]] [-I includefile ] [-
>  if self.__options.dpi:
>  dpi = self.__options.dpi
>  else:
> -import gtk
> -dpi = 
> str(gtk.settings_get_default().props.gtk_xft_dpi / 1024)
> +import gi
> +gi.require_version('Gtk', '3.0')
> +from gi.repository import Gtk
> +dpi = 
> str(Gtk.Settings.get_default().props.gtk_xft_dpi / 1024)
>  
>  xmodmapfile = self.__homedir + "/.xmodmap"
>  xd = open(xmodmapfile, "w")
> -- 
> 2.9.3
> 

-- 
Petr Lautrbach