From 06be41e1c3198a26f4465ed4240151d23b432cf3 Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Tue, 6 Feb 2024 18:13:36 +0100
Subject: [PATCH] policycoreutils-2.9-25

- Harden more tools against "rogue" modules (RHEL-17351)
- sepolicy: port to dnf4 python API (RHEL-17398)
Resolves: RHEL-17351, RHEL-17398
---
 ...den-more-tools-against-rogue-modules.patch | 98 +++++++++++++++++++
 0054-sepolicy-port-to-dnf4-python-API.patch | 95 ++++++++++++++++++
 policycoreutils.spec | 8 +-
 3 files changed, 200 insertions(+), 1 deletion(-)
 create mode 100644 0053-python-Harden-more-tools-against-rogue-modules.patch
 create mode 100644 0054-sepolicy-port-to-dnf4-python-API.patch

diff --git a/0053-python-Harden-more-tools-against-rogue-modules.patch b/0053-python-Harden-more-tools-against-rogue-modules.patch
new file mode 100644
index 0000000..06db59d
--- /dev/null
+++ b/0053-python-Harden-more-tools-against-rogue-modules.patch
@@ -0,0 +1,98 @@ +From 7aef364bc6607953a34cb9e8fe9ea51c88379a5c Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Wed, 6 Dec 2023 15:31:51 +0100 +Subject: [PATCH] python: Harden more tools against "rogue" modules + +Python scripts present in the same directory as the tool +override regular modules. + +Fixes: + #cat > /usr/bin/signal.py < +Acked-by: James Carter +--- + dbus/selinux_server.py | 2 +- + gui/polgengui.py | 2 +- + gui/system-config-selinux.py | 6 +++--- + sandbox/sandbox | 2 +- + sandbox/start | 2 +- + 5 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py +index 97bf91ba..eae38de5 100644 +--- a/dbus/selinux_server.py ++++ b/dbus/selinux_server.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 ++#!/usr/bin/python3 -EsI + + import dbus + import dbus.service +diff --git a/gui/polgengui.py b/gui/polgengui.py +index 46a1bd2c..0402e82c 100644 +--- a/gui/polgengui.py ++++ b/gui/polgengui.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # + # polgengui.py - GUI for SELinux Config tool in system-config-selinux + # +diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py +index 1e0d5eb1..c344c076 100644 +--- a/gui/system-config-selinux.py ++++ b/gui/system-config-selinux.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # + # system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux + # +@@ -32,6 +32,8 @@ except RuntimeError as e: + print("This is a graphical application and requires DISPLAY to be set.") + sys.exit(1) + ++sys.path.append('/usr/share/system-config-selinux') ++ + from gi.repository import GObject + import statusPage + import booleansPage +@@ -65,8 +67,6 @@ except: + + version = "1.0" + +-sys.path.append('/usr/share/system-config-selinux') +- + + ## + ## Pull in the Glade file +diff --git a/sandbox/sandbox b/sandbox/sandbox +index 707959a6..e276e594 100644 +--- a/sandbox/sandbox ++++ b/sandbox/sandbox +@@ -1,4 +1,4 
@@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # Authors: Dan Walsh + # Authors: Thomas Liu + # Authors: Josh Cogliati +diff --git a/sandbox/start b/sandbox/start +index 4ed3cb5c..3c1a1783 100644 +--- a/sandbox/start ++++ b/sandbox/start +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + try: + from subprocess import getstatusoutput + except ImportError: +-- +2.43.0 + diff --git a/0054-sepolicy-port-to-dnf4-python-API.patch b/0054-sepolicy-port-to-dnf4-python-API.patch new file mode 100644 index 0000000..587caea --- /dev/null +++ b/0054-sepolicy-port-to-dnf4-python-API.patch 
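Review bot: The `-I` flag added to every shebang removes the script's own directory from `sys.path`, so any of these tools that imported a sibling module from that directory now needs an explicit path entry; the hunk handles system-config-selinux.py by moving `sys.path.append('/usr/share/system-config-selinux')` ahead of the `statusPage`/`booleansPage` imports, but polgengui.py, sandbox and start receive only the shebang change, so it is worth confirming they import nothing from their own directory. Using `append` rather than `insert(0, ...)` is the right choice, since it keeps the standard library and site-packages ahead of the application directory during module resolution. `-I` already implies `-E` and `-s`, so `-EsI` is redundant though harmless. A one-line comment above the moved line, e.g. `# must precede the local imports below: -I drops the script directory from sys.path`, would record why it had to move.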
@@ -0,0 +1,95 @@ +From ea93da38a16eb44307b522f8a26f2d8f967fcc01 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Wed, 22 Nov 2023 12:29:43 +0100 +Subject: [PATCH] sepolicy: port to dnf4 python API + +yum module is not available since RHEL 7. + +Drop -systemd related code as it's obsoleted these days - only 2 +packages ship their .service in -systemd subpackage + +Signed-off-by: Petr Lautrbach +Acked-by: James Carter +Acked-by: Ondrej Mosnacek +--- + python/sepolicy/sepolicy/generate.py | 56 +++++++++++++--------------- + 1 file changed, 25 insertions(+), 31 deletions(-) + +diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py +index 93caedee..c841a499 100644 +--- a/python/sepolicy/sepolicy/generate.py ++++ b/python/sepolicy/sepolicy/generate.py +@@ -1265,24 +1265,20 @@ allow %s_t %s_t:%s_socket name_%s; + return fcfile + + def __extract_rpms(self): +- import yum +- yb = yum.YumBase() +- yb.setCacheDir() +- +- for pkg in yb.rpmdb.searchProvides(self.program): +- self.rpms.append(pkg.name) +- for fname in pkg.dirlist + pkg.filelist + pkg.ghostlist: +- for b in self.DEFAULT_DIRS: +- if b == "/etc": +- continue +- if fname.startswith(b): +- if os.path.isfile(fname): +- self.add_file(fname) +- else: +- self.add_dir(fname) ++ import dnf ++ ++ with dnf.Base() as base: ++ base.read_all_repos() ++ base.fill_sack(load_system_repo=True) ++ ++ query = base.sack.query() + +- for bpkg in yb.rpmdb.searchNames([pkg.base_package_name]): +- for fname in bpkg.dirlist + bpkg.filelist + bpkg.ghostlist: ++ pq = query.available() ++ pq = pq.filter(file=self.program) ++ ++ for pkg in pq: ++ self.rpms.append(pkg.name) ++ for fname in pkg.files: + for b in self.DEFAULT_DIRS: + if b == "/etc": + continue +@@ -1291,20 +1287,18 @@ allow %s_t %s_t:%s_socket name_%s; + self.add_file(fname) + else: + self.add_dir(fname) +- +- # some packages have own systemd subpackage +- # tor-systemd for example +- binary_name = self.program.split("/")[-1] +- for bpkg in 
yb.rpmdb.searchNames(["%s-systemd" % binary_name]): +- for fname in bpkg.filelist + bpkg.ghostlist + bpkg.dirlist: +- for b in self.DEFAULT_DIRS: +- if b == "/etc": +- continue +- if fname.startswith(b): +- if os.path.isfile(fname): +- self.add_file(fname) +- else: +- self.add_dir(fname) ++ sq = query.available() ++ sq = sq.filter(provides=pkg.source_name) ++ for bpkg in sq: ++ for fname in bpkg.files: ++ for b in self.DEFAULT_DIRS: ++ if b == "/etc": ++ continue ++ if fname.startswith(b): ++ if os.path.isfile(fname): ++ self.add_file(fname) ++ else: ++ self.add_dir(fname) + + def gen_writeable(self): + try: +-- +2.43.0 + diff --git a/policycoreutils.spec b/policycoreutils.spec index daf1197..eee2b04 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -12,7 +12,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.9 -Release: 24%{?dist} +Release: 25%{?dist} License: GPLv2 # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz @@ -90,6 +90,8 @@ Patch0049: 0049-python-Harden-tools-against-rogue-modules.patch Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch Patch0051: 0051-python-sepolicy-add-missing-booleans-to-man-pages.patch Patch0052: 0052-python-sepolicy-Cache-conditional-rule-queries.patch +Patch0053: 0053-python-Harden-more-tools-against-rogue-modules.patch +Patch0054: 0054-sepolicy-port-to-dnf4-python-API.patch Obsoletes: policycoreutils < 2.0.61-2 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138 @@ -529,6 +531,10 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Tue Feb 06 2024 Vit Mojzis - 2.9-25 +- Harden more tools against "rogue" modules (RHEL-17351) +- sepolicy: port to dnf4 python API (RHEL-17398) + * Wed Feb 15 2023 Vit Mojzis - 2.9-24 - Update translations (#2124826)
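Review bot: `query.available()` in the rewritten `__extract_rpms` limits the match to packages from enabled repositories, whereas the removed code searched the installed rpmdb (`yb.rpmdb.searchProvides`); as I read the dnf API, `available()` excludes the `@System` repo, so the lookup now depends on downloaded repository metadata (and `filter(file=self.program)` on filelists being loaded) rather than on what is installed on the host. If the intent is to mirror the previous behaviour, `query.installed()` (or the unfiltered `query`) would be the closer equivalent, and `.latest()` would avoid walking the same file list once per available version of a package. The same applies to the second `query.available()` used for `sq`, where `filter(provides=pkg.source_name)` may also match packages other than the base package the old `searchNames([pkg.base_package_name])` selected. Two lines of the function body fall between the two inner hunks and are not shown here.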