policycoreutils-2.9-25
- Harden more tools against "rogue" modules (RHEL-17351) - sepolicy: port to dnf4 python API (RHEL-17398) Resolves: RHEL-17351, RHEL-17398
This commit is contained in:
parent
24a59b71ed
commit
06be41e1c3
98
0053-python-Harden-more-tools-against-rogue-modules.patch
Normal file
98
0053-python-Harden-more-tools-against-rogue-modules.patch
Normal file
@ -0,0 +1,98 @@
|
||||
From 7aef364bc6607953a34cb9e8fe9ea51c88379a5c Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Wed, 6 Dec 2023 15:31:51 +0100
|
||||
Subject: [PATCH] python: Harden more tools against "rogue" modules
|
||||
|
||||
Python scripts present in the same directory as the tool
|
||||
override regular modules.
|
||||
|
||||
Fixes:
|
||||
#cat > /usr/bin/signal.py <<EOF
|
||||
import sys
|
||||
print("BAD GUY!", file=sys.stderr)
|
||||
sys.exit(1)
|
||||
EOF
|
||||
#sandbox date
|
||||
BAD GUY!
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
Acked-by: James Carter <jwcart2@gmail.com>
|
||||
---
|
||||
dbus/selinux_server.py | 2 +-
|
||||
gui/polgengui.py | 2 +-
|
||||
gui/system-config-selinux.py | 6 +++---
|
||||
sandbox/sandbox | 2 +-
|
||||
sandbox/start | 2 +-
|
||||
5 files changed, 7 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
|
||||
index 97bf91ba..eae38de5 100644
|
||||
--- a/dbus/selinux_server.py
|
||||
+++ b/dbus/selinux_server.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/python3
|
||||
+#!/usr/bin/python3 -EsI
|
||||
|
||||
import dbus
|
||||
import dbus.service
|
||||
diff --git a/gui/polgengui.py b/gui/polgengui.py
|
||||
index 46a1bd2c..0402e82c 100644
|
||||
--- a/gui/polgengui.py
|
||||
+++ b/gui/polgengui.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/python3 -Es
|
||||
+#!/usr/bin/python3 -EsI
|
||||
#
|
||||
# polgengui.py - GUI for SELinux Config tool in system-config-selinux
|
||||
#
|
||||
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
|
||||
index 1e0d5eb1..c344c076 100644
|
||||
--- a/gui/system-config-selinux.py
|
||||
+++ b/gui/system-config-selinux.py
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/python3 -Es
|
||||
+#!/usr/bin/python3 -EsI
|
||||
#
|
||||
# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux
|
||||
#
|
||||
@@ -32,6 +32,8 @@ except RuntimeError as e:
|
||||
print("This is a graphical application and requires DISPLAY to be set.")
|
||||
sys.exit(1)
|
||||
|
||||
+sys.path.append('/usr/share/system-config-selinux')
|
||||
+
|
||||
from gi.repository import GObject
|
||||
import statusPage
|
||||
import booleansPage
|
||||
@@ -65,8 +67,6 @@ except:
|
||||
|
||||
version = "1.0"
|
||||
|
||||
-sys.path.append('/usr/share/system-config-selinux')
|
||||
-
|
||||
|
||||
##
|
||||
## Pull in the Glade file
|
||||
diff --git a/sandbox/sandbox b/sandbox/sandbox
|
||||
index 707959a6..e276e594 100644
|
||||
--- a/sandbox/sandbox
|
||||
+++ b/sandbox/sandbox
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/python3 -Es
|
||||
+#!/usr/bin/python3 -EsI
|
||||
# Authors: Dan Walsh <dwalsh@redhat.com>
|
||||
# Authors: Thomas Liu <tliu@fedoraproject.org>
|
||||
# Authors: Josh Cogliati
|
||||
diff --git a/sandbox/start b/sandbox/start
|
||||
index 4ed3cb5c..3c1a1783 100644
|
||||
--- a/sandbox/start
|
||||
+++ b/sandbox/start
|
||||
@@ -1,4 +1,4 @@
|
||||
-#!/usr/bin/python3 -Es
|
||||
+#!/usr/bin/python3 -EsI
|
||||
try:
|
||||
from subprocess import getstatusoutput
|
||||
except ImportError:
|
||||
--
|
||||
2.43.0
|
||||
|
95
0054-sepolicy-port-to-dnf4-python-API.patch
Normal file
95
0054-sepolicy-port-to-dnf4-python-API.patch
Normal file
@ -0,0 +1,95 @@
|
||||
From ea93da38a16eb44307b522f8a26f2d8f967fcc01 Mon Sep 17 00:00:00 2001
|
||||
From: Petr Lautrbach <lautrbach@redhat.com>
|
||||
Date: Wed, 22 Nov 2023 12:29:43 +0100
|
||||
Subject: [PATCH] sepolicy: port to dnf4 python API
|
||||
|
||||
yum module is not available since RHEL 7.
|
||||
|
||||
Drop -systemd related code as it's obsoleted these days - only 2
|
||||
packages ship their .service in -systemd subpackage
|
||||
|
||||
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
|
||||
Acked-by: James Carter <jwcart2@gmail.com>
|
||||
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
|
||||
---
|
||||
python/sepolicy/sepolicy/generate.py | 56 +++++++++++++---------------
|
||||
1 file changed, 25 insertions(+), 31 deletions(-)
|
||||
|
||||
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
|
||||
index 93caedee..c841a499 100644
|
||||
--- a/python/sepolicy/sepolicy/generate.py
|
||||
+++ b/python/sepolicy/sepolicy/generate.py
|
||||
@@ -1265,24 +1265,20 @@ allow %s_t %s_t:%s_socket name_%s;
|
||||
return fcfile
|
||||
|
||||
def __extract_rpms(self):
|
||||
- import yum
|
||||
- yb = yum.YumBase()
|
||||
- yb.setCacheDir()
|
||||
-
|
||||
- for pkg in yb.rpmdb.searchProvides(self.program):
|
||||
- self.rpms.append(pkg.name)
|
||||
- for fname in pkg.dirlist + pkg.filelist + pkg.ghostlist:
|
||||
- for b in self.DEFAULT_DIRS:
|
||||
- if b == "/etc":
|
||||
- continue
|
||||
- if fname.startswith(b):
|
||||
- if os.path.isfile(fname):
|
||||
- self.add_file(fname)
|
||||
- else:
|
||||
- self.add_dir(fname)
|
||||
+ import dnf
|
||||
+
|
||||
+ with dnf.Base() as base:
|
||||
+ base.read_all_repos()
|
||||
+ base.fill_sack(load_system_repo=True)
|
||||
+
|
||||
+ query = base.sack.query()
|
||||
|
||||
- for bpkg in yb.rpmdb.searchNames([pkg.base_package_name]):
|
||||
- for fname in bpkg.dirlist + bpkg.filelist + bpkg.ghostlist:
|
||||
+ pq = query.available()
|
||||
+ pq = pq.filter(file=self.program)
|
||||
+
|
||||
+ for pkg in pq:
|
||||
+ self.rpms.append(pkg.name)
|
||||
+ for fname in pkg.files:
|
||||
for b in self.DEFAULT_DIRS:
|
||||
if b == "/etc":
|
||||
continue
|
||||
@@ -1291,20 +1287,18 @@ allow %s_t %s_t:%s_socket name_%s;
|
||||
self.add_file(fname)
|
||||
else:
|
||||
self.add_dir(fname)
|
||||
-
|
||||
- # some packages have own systemd subpackage
|
||||
- # tor-systemd for example
|
||||
- binary_name = self.program.split("/")[-1]
|
||||
- for bpkg in yb.rpmdb.searchNames(["%s-systemd" % binary_name]):
|
||||
- for fname in bpkg.filelist + bpkg.ghostlist + bpkg.dirlist:
|
||||
- for b in self.DEFAULT_DIRS:
|
||||
- if b == "/etc":
|
||||
- continue
|
||||
- if fname.startswith(b):
|
||||
- if os.path.isfile(fname):
|
||||
- self.add_file(fname)
|
||||
- else:
|
||||
- self.add_dir(fname)
|
||||
+ sq = query.available()
|
||||
+ sq = sq.filter(provides=pkg.source_name)
|
||||
+ for bpkg in sq:
|
||||
+ for fname in bpkg.files:
|
||||
+ for b in self.DEFAULT_DIRS:
|
||||
+ if b == "/etc":
|
||||
+ continue
|
||||
+ if fname.startswith(b):
|
||||
+ if os.path.isfile(fname):
|
||||
+ self.add_file(fname)
|
||||
+ else:
|
||||
+ self.add_dir(fname)
|
||||
|
||||
def gen_writeable(self):
|
||||
try:
|
||||
--
|
||||
2.43.0
|
||||
|
@ -12,7 +12,7 @@
|
||||
Summary: SELinux policy core utilities
|
||||
Name: policycoreutils
|
||||
Version: 2.9
|
||||
Release: 24%{?dist}
|
||||
Release: 25%{?dist}
|
||||
License: GPLv2
|
||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
|
||||
@ -90,6 +90,8 @@ Patch0049: 0049-python-Harden-tools-against-rogue-modules.patch
|
||||
Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch
|
||||
Patch0051: 0051-python-sepolicy-add-missing-booleans-to-man-pages.patch
|
||||
Patch0052: 0052-python-sepolicy-Cache-conditional-rule-queries.patch
|
||||
Patch0053: 0053-python-Harden-more-tools-against-rogue-modules.patch
|
||||
Patch0054: 0054-sepolicy-port-to-dnf4-python-API.patch
|
||||
|
||||
Obsoletes: policycoreutils < 2.0.61-2
|
||||
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
|
||||
@ -529,6 +531,10 @@ The policycoreutils-restorecond package contains the restorecond service.
|
||||
%systemd_postun_with_restart restorecond.service
|
||||
|
||||
%changelog
|
||||
* Tue Feb 06 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-25
|
||||
- Harden more tools against "rogue" modules (RHEL-17351)
|
||||
- sepolicy: port to dnf4 python API (RHEL-17398)
|
||||
|
||||
* Wed Feb 15 2023 Vit Mojzis <vmojzis@redhat.com> - 2.9-24
|
||||
- Update translations (#2124826)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user