Cloning for Fedora Rawhide, where we probably want to fix this first.

+++ This bug was initially created as a clone of Bug #679789 +++

Description of problem:
seunshare utility is setuid and is part of the main policycoreutils subpackage. As this utility is used by sandbox feature, it's quite useless on most of the systems that need to have policycoreutils installed. We should consider moving it out of the main subpackage so it can be easily removed by those who do not need it, in the similar way setuid newrole has its own subpackage.

The current way various sandbox components are split across subpackages may make this somewhat tricky:
- seunshare - policycoreutils
- sandbox - policycoreutils-python
- sandboxX - policycoreutils-sandbox

Version-Release number of selected component (if applicable):
policycoreutils-2.0.83-19.1.el6
Bug #679798 affects Rawhide too.
(In reply to comment #0)
> The current way various sandbox components are split across subpackages may
> make this somewhat tricky:
> - seunshare - policycoreutils
> - sandbox - policycoreutils-python
> - sandboxX - policycoreutils-sandbox

If we had no released packages, I'd consider using -sandbox for sandbox and seunshare, and -sandbox-x (or similar) for sandboxX. Taking current package split into account, I suggest -sandbox-core (or -sandbox-base) with sandbox and seunshare. -sandbox will be left for sandboxX, just with an extra Require: -sandbox-core.
In F15 we have the following.

rpm -qf /usr/sbin/seunshare
policycoreutils-sandbox-2.0.85-14.fc15.x86_64

I see no reason not to do this. sandbox -X requires seunshare, sandbox does not. So we can leave sandbox in policycoreutils-python.
Oh, I see, sorry. It should be ok to leave sandbox in -python, if we don't need to make -python require -sandbox. I'm personally less concerned about (non-X) sandbox + seunshare requiring all the dependencies of sandboxX; it sounds fair to not do an extra split unless there's an explicit request to do so to avoid extra requires. Feel free to close this if you prefer not to do this change in released Fedora.
Also assuming /etc/{init.d,sysconfig}/sandbox are expected to stay where they are currently. I'm not entirely sure what the purpose of that script is, as sandbox + seunshare seems to work fine on a system that does not have that service enabled.
It is needed by xguest and any other uses of pam_namespace. I have an open bug on pam_namespace to implement the same fix we have added to seunshare.

In order to make namespacing work you have to set the file system as private. So you need a file system for this. If ~dwalsh is on the main file system you do not want to do this. But the hack you can do is to bind mount ~dwalsh on ~dwalsh. Then set the bind mount private. Now you can namespace.

If you look at the sandbox init script, it is doing this for /tmp and $HOME. If you look at the seunshare code, it is also doing the bindmount/make private calls. If pam_namespace did this, we could eliminate the sandbox init script altogether.
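An added example, not part of the original comments and not code from seunshare or the sandbox init script: the bind-mount-then-make-private sequence described above as a shell function (needs root), plus a check that reads mountinfo to confirm a mount point's propagation really is private. The function names and the sample mountinfo lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from policycoreutils.

# Bind-mount a directory over itself and mark that mount private, so that
# mounts made on it inside a namespace do not propagate back out.
# Requires root; defined here but not invoked.
make_private_bind() {
    dir=$1
    mount --bind "$dir" "$dir" && mount --make-private "$dir"
}

# Report the propagation type of mount point $1 from a mountinfo-format
# file ($2, default /proc/self/mountinfo; "-" reads stdin).
# Prints: private | shared | slave | shared,slave | unbindable | not-a-mountpoint
propagation_of() {
    awk -v mp="$1" '
        $5 == mp {
            found = 1; tags = ""
            # Optional fields run from field 7 up to the "-" separator.
            for (i = 7; i <= NF && $i != "-"; i++) {
                split($i, kv, ":")
                t = kv[1]
                if (t == "propagate_from") continue
                if (t == "master") t = "slave"
                tags = (tags == "" ? t : tags "," t)
            }
            # No optional fields means private; the last match is the topmost mount.
            result = (tags == "" ? "private" : tags)
        }
        END { print (found ? result : "not-a-mountpoint") }
    ' "${2:-/proc/self/mountinfo}"
}

# Constructed sample: /tmp already bind-mounted and made private,
# /home/user bind-mounted but still in the root peer group.
sample_mountinfo() {
    cat <<'EOF'
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
40 22 8:2 /tmp /tmp rw,relatime - ext4 /dev/sda2 rw
41 22 8:2 /home/user /home/user rw,relatime shared:1 - ext4 /dev/sda2 rw
EOF
}
```

On a live system, `propagation_of /tmp` with no second argument reads `/proc/self/mountinfo`; a result of `not-a-mountpoint` means the directory still sits on its parent file system and has not been bind-mounted.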
I need a bugzilla like this to get policycoreutils update into RHEL6 though.
(In reply to comment #7)
> I need a bugzilla like this to get policycoreutils update into RHEL6 though.

Original bug #679789 is for RHEL-6.