policycoreutils-2.9-25

- Harden more tools against "rogue" modules (RHEL-17351)
- sepolicy: port to dnf4 python API (RHEL-17398)

Resolves: RHEL-17351, RHEL-17398
This commit is contained in:
Vit Mojzis 2024-02-06 18:13:36 +01:00
parent 24a59b71ed
commit 06be41e1c3
3 changed files with 200 additions and 1 deletions

View File

@ -0,0 +1,98 @@
From 7aef364bc6607953a34cb9e8fe9ea51c88379a5c Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 6 Dec 2023 15:31:51 +0100
Subject: [PATCH] python: Harden more tools against "rogue" modules
Python scripts present in the same directory as the tool
override regular modules.
Fixes:
#cat > /usr/bin/signal.py <<EOF
import sys
print("BAD GUY!", file=sys.stderr)
sys.exit(1)
EOF
#sandbox date
BAD GUY!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
dbus/selinux_server.py | 2 +-
gui/polgengui.py | 2 +-
gui/system-config-selinux.py | 6 +++---
sandbox/sandbox | 2 +-
sandbox/start | 2 +-
5 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index 97bf91ba..eae38de5 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/python3 -EsI
import dbus
import dbus.service
diff --git a/gui/polgengui.py b/gui/polgengui.py
index 46a1bd2c..0402e82c 100644
--- a/gui/polgengui.py
+++ b/gui/polgengui.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# polgengui.py - GUI for SELinux Config tool in system-config-selinux
#
diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
index 1e0d5eb1..c344c076 100644
--- a/gui/system-config-selinux.py
+++ b/gui/system-config-selinux.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux
#
@@ -32,6 +32,8 @@ except RuntimeError as e:
print("This is a graphical application and requires DISPLAY to be set.")
sys.exit(1)
+sys.path.append('/usr/share/system-config-selinux')
+
from gi.repository import GObject
import statusPage
import booleansPage
@@ -65,8 +67,6 @@ except:
version = "1.0"
-sys.path.append('/usr/share/system-config-selinux')
-
##
## Pull in the Glade file
diff --git a/sandbox/sandbox b/sandbox/sandbox
index 707959a6..e276e594 100644
--- a/sandbox/sandbox
+++ b/sandbox/sandbox
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Authors: Dan Walsh <dwalsh@redhat.com>
# Authors: Thomas Liu <tliu@fedoraproject.org>
# Authors: Josh Cogliati
diff --git a/sandbox/start b/sandbox/start
index 4ed3cb5c..3c1a1783 100644
--- a/sandbox/start
+++ b/sandbox/start
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
try:
from subprocess import getstatusoutput
except ImportError:
--
2.43.0

View File

@ -0,0 +1,95 @@
From ea93da38a16eb44307b522f8a26f2d8f967fcc01 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <lautrbach@redhat.com>
Date: Wed, 22 Nov 2023 12:29:43 +0100
Subject: [PATCH] sepolicy: port to dnf4 python API
yum module is not available since RHEL 7.
Drop -systemd related code as it's obsoleted these days - only 2
packages ship their .service in -systemd subpackage
Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
---
python/sepolicy/sepolicy/generate.py | 56 +++++++++++++---------------
1 file changed, 25 insertions(+), 31 deletions(-)
diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
index 93caedee..c841a499 100644
--- a/python/sepolicy/sepolicy/generate.py
+++ b/python/sepolicy/sepolicy/generate.py
@@ -1265,24 +1265,20 @@ allow %s_t %s_t:%s_socket name_%s;
return fcfile
def __extract_rpms(self):
- import yum
- yb = yum.YumBase()
- yb.setCacheDir()
-
- for pkg in yb.rpmdb.searchProvides(self.program):
- self.rpms.append(pkg.name)
- for fname in pkg.dirlist + pkg.filelist + pkg.ghostlist:
- for b in self.DEFAULT_DIRS:
- if b == "/etc":
- continue
- if fname.startswith(b):
- if os.path.isfile(fname):
- self.add_file(fname)
- else:
- self.add_dir(fname)
+ import dnf
+
+ with dnf.Base() as base:
+ base.read_all_repos()
+ base.fill_sack(load_system_repo=True)
+
+ query = base.sack.query()
- for bpkg in yb.rpmdb.searchNames([pkg.base_package_name]):
- for fname in bpkg.dirlist + bpkg.filelist + bpkg.ghostlist:
+ pq = query.available()
+ pq = pq.filter(file=self.program)
+
+ for pkg in pq:
+ self.rpms.append(pkg.name)
+ for fname in pkg.files:
for b in self.DEFAULT_DIRS:
if b == "/etc":
continue
@@ -1291,20 +1287,18 @@ allow %s_t %s_t:%s_socket name_%s;
self.add_file(fname)
else:
self.add_dir(fname)
-
- # some packages have own systemd subpackage
- # tor-systemd for example
- binary_name = self.program.split("/")[-1]
- for bpkg in yb.rpmdb.searchNames(["%s-systemd" % binary_name]):
- for fname in bpkg.filelist + bpkg.ghostlist + bpkg.dirlist:
- for b in self.DEFAULT_DIRS:
- if b == "/etc":
- continue
- if fname.startswith(b):
- if os.path.isfile(fname):
- self.add_file(fname)
- else:
- self.add_dir(fname)
+ sq = query.available()
+ sq = sq.filter(provides=pkg.source_name)
+ for bpkg in sq:
+ for fname in bpkg.files:
+ for b in self.DEFAULT_DIRS:
+ if b == "/etc":
+ continue
+ if fname.startswith(b):
+ if os.path.isfile(fname):
+ self.add_file(fname)
+ else:
+ self.add_dir(fname)
def gen_writeable(self):
try:
--
2.43.0

View File

@ -12,7 +12,7 @@
Summary: SELinux policy core utilities
Name: policycoreutils
Version: 2.9
Release: 24%{?dist}
Release: 25%{?dist}
License: GPLv2
# https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@ -90,6 +90,8 @@ Patch0049: 0049-python-Harden-tools-against-rogue-modules.patch
Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch
Patch0051: 0051-python-sepolicy-add-missing-booleans-to-man-pages.patch
Patch0052: 0052-python-sepolicy-Cache-conditional-rule-queries.patch
Patch0053: 0053-python-Harden-more-tools-against-rogue-modules.patch
Patch0054: 0054-sepolicy-port-to-dnf4-python-API.patch
Obsoletes: policycoreutils < 2.0.61-2
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@ -529,6 +531,10 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service
%changelog
* Tue Feb 06 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-25
- Harden more tools against "rogue" modules (RHEL-17351)
- sepolicy: port to dnf4 python API (RHEL-17398)
* Wed Feb 15 2023 Vit Mojzis <vmojzis@redhat.com> - 2.9-24
- Update translations (#2124826)