Import from CS git
parent
7090ea7164
commit
223cab4156
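--- /dev/null
+++ b/SOURCES/0053-python-Harden-more-tools-against-rogue-modules.patch
@@ -0,0 +1,98 @@
+From 7aef364bc6607953a34cb9e8fe9ea51c88379a5c Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Wed, 6 Dec 2023 15:31:51 +0100
+Subject: [PATCH] python: Harden more tools against "rogue" modules
+
+Python scripts present in the same directory as the tool
+override regular modules.
+
+Fixes:
+#cat > /usr/bin/signal.py <<EOF
+import sys
+print("BAD GUY!", file=sys.stderr)
+sys.exit(1)
+EOF
+#sandbox date
+BAD GUY!
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+---
+dbus/selinux_server.py | 2 +-
+gui/polgengui.py | 2 +-
+gui/system-config-selinux.py | 6 +++---
+sandbox/sandbox | 2 +-
+sandbox/start | 2 +-
+5 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
+index 97bf91ba..eae38de5 100644
+--- a/dbus/selinux_server.py
++++ b/dbus/selinux_server.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3
++#!/usr/bin/python3 -EsI
+
+import dbus
+import dbus.service
+diff --git a/gui/polgengui.py b/gui/polgengui.py
+index 46a1bd2c..0402e82c 100644
+--- a/gui/polgengui.py
++++ b/gui/polgengui.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+#
+# polgengui.py - GUI for SELinux Config tool in system-config-selinux
+#
+diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
+index 1e0d5eb1..c344c076 100644
+--- a/gui/system-config-selinux.py
++++ b/gui/system-config-selinux.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+#
+# system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux
+#
+@@ -32,6 +32,8 @@ except RuntimeError as e:
+print("This is a graphical application and requires DISPLAY to be set.")
+sys.exit(1)
+
++sys.path.append('/usr/share/system-config-selinux')
++
+from gi.repository import GObject
+import statusPage
+import booleansPage
+@@ -65,8 +67,6 @@ except:
+
+version = "1.0"
+
+-sys.path.append('/usr/share/system-config-selinux')
+-
+
+##
+## Pull in the Glade file
+diff --git a/sandbox/sandbox b/sandbox/sandbox
+index 707959a6..e276e594 100644
+--- a/sandbox/sandbox
++++ b/sandbox/sandbox
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+# Authors: Dan Walsh <dwalsh@redhat.com>
+# Authors: Thomas Liu <tliu@fedoraproject.org>
+# Authors: Josh Cogliati
+diff --git a/sandbox/start b/sandbox/start
+index 4ed3cb5c..3c1a1783 100644
+--- a/sandbox/start
++++ b/sandbox/start
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+try:
+from subprocess import getstatusoutput
+except ImportError:
+--
+2.43.0
+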
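Review bot: The hardening in the new `#!/usr/bin/python3 -EsI` shebangs rests on `-I` alone, which on Python 3.4+ already implies `-E` and `-s` and, decisively, stops CPython from prepending the script's own directory to `sys.path`; the `-Es` prefix is harmless but redundant. In gui/system-config-selinux.py the hunk at `@@ -32,6 +32,8 @@` moves `sys.path.append('/usr/share/system-config-selinux')` ahead of `import statusPage`, presumably because those modules were previously found through the now-removed script directory; since it is an append rather than `sys.path.insert(0, ...)`, standard-library and site modules keep precedence over anything in that directory, which is what preserves the fix. That reasoning is easy to lose in a later refactor, so I would comment the moved line: `# appended, not inserted: stdlib must stay ahead of this directory (see -I in the shebang)`. The page rendering has stripped the inner patch's leading whitespace, so indentation of these lines cannot be checked here.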
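--- /dev/null
+++ b/SOURCES/0054-sepolicy-port-to-dnf4-python-API.patch
@@ -0,0 +1,95 @@
+From ea93da38a16eb44307b522f8a26f2d8f967fcc01 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <lautrbach@redhat.com>
+Date: Wed, 22 Nov 2023 12:29:43 +0100
+Subject: [PATCH] sepolicy: port to dnf4 python API
+
+yum module is not available since RHEL 7.
+
+Drop -systemd related code as it's obsoleted these days - only 2
+packages ship their .service in -systemd subpackage
+
+Signed-off-by: Petr Lautrbach <lautrbach@redhat.com>
+Acked-by: James Carter <jwcart2@gmail.com>
+Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
+---
+python/sepolicy/sepolicy/generate.py | 56 +++++++++++++---------------
+1 file changed, 25 insertions(+), 31 deletions(-)
+
+diff --git a/python/sepolicy/sepolicy/generate.py b/python/sepolicy/sepolicy/generate.py
+index 93caedee..c841a499 100644
+--- a/python/sepolicy/sepolicy/generate.py
++++ b/python/sepolicy/sepolicy/generate.py
+@@ -1265,24 +1265,20 @@ allow %s_t %s_t:%s_socket name_%s;
+return fcfile
+
+def __extract_rpms(self):
+- import yum
+- yb = yum.YumBase()
+- yb.setCacheDir()
+-
+- for pkg in yb.rpmdb.searchProvides(self.program):
+- self.rpms.append(pkg.name)
+- for fname in pkg.dirlist + pkg.filelist + pkg.ghostlist:
+- for b in self.DEFAULT_DIRS:
+- if b == "/etc":
+- continue
+- if fname.startswith(b):
+- if os.path.isfile(fname):
+- self.add_file(fname)
+- else:
+- self.add_dir(fname)
++ import dnf
++
++ with dnf.Base() as base:
++ base.read_all_repos()
++ base.fill_sack(load_system_repo=True)
++
++ query = base.sack.query()
+
+- for bpkg in yb.rpmdb.searchNames([pkg.base_package_name]):
+- for fname in bpkg.dirlist + bpkg.filelist + bpkg.ghostlist:
++ pq = query.available()
++ pq = pq.filter(file=self.program)
++
++ for pkg in pq:
++ self.rpms.append(pkg.name)
++ for fname in pkg.files:
+for b in self.DEFAULT_DIRS:
+if b == "/etc":
+continue
+@@ -1291,20 +1287,18 @@ allow %s_t %s_t:%s_socket name_%s;
+self.add_file(fname)
+else:
+self.add_dir(fname)
+-
+- # some packages have own systemd subpackage
+- # tor-systemd for example
+- binary_name = self.program.split("/")[-1]
+- for bpkg in yb.rpmdb.searchNames(["%s-systemd" % binary_name]):
+- for fname in bpkg.filelist + bpkg.ghostlist + bpkg.dirlist:
+- for b in self.DEFAULT_DIRS:
+- if b == "/etc":
+- continue
+- if fname.startswith(b):
+- if os.path.isfile(fname):
+- self.add_file(fname)
+- else:
+- self.add_dir(fname)
++ sq = query.available()
++ sq = sq.filter(provides=pkg.source_name)
++ for bpkg in sq:
++ for fname in bpkg.files:
++ for b in self.DEFAULT_DIRS:
++ if b == "/etc":
++ continue
++ if fname.startswith(b):
++ if os.path.isfile(fname):
++ self.add_file(fname)
++ else:
++ self.add_dir(fname)
+
+def gen_writeable(self):
+try:
+--
+2.43.0
+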
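Review bot: `pq = query.available()` in the rewritten `__extract_rpms` selects packages from the enabled repositories, whereas the removed `yb.rpmdb.searchProvides(self.program)` consulted only the installed rpmdb; if I read the hawkey semantics right, `available()` excludes the `@System` repo altogether, so a program installed from a repo that is now disabled or gone yields no rpms, and the lookup now depends on repository metadata that `read_all_repos()` plus `fill_sack()` may have to fetch over the network from a tool that is typically run as root. If the old installed-only behaviour is intended, `pq = query.installed().filter(file=self.program)` and `sq = query.installed().filter(provides=pkg.source_name)` keep the lookup local and offline, and `base.read_all_repos()` would then be unnecessary. Either way the choice deserves a comment on the `query.available()` line, e.g. `# repo metadata, not rpmdb: installed-only packages from disabled repos are not found`. The method starts in the first hunk and ends in the second, the lines between them are not shown, and the page rendering has stripped the inner patch's indentation, so block structure cannot be verified here.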
@ -12,7 +12,7 @@
|
|||||||
Summary: SELinux policy core utilities
|
Summary: SELinux policy core utilities
|
||||||
Name: policycoreutils
|
Name: policycoreutils
|
||||||
Version: 2.9
|
Version: 2.9
|
||||||
Release: 24%{?dist}
|
Release: 25%{?dist}
|
||||||
License: GPLv2
|
License: GPLv2
|
||||||
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
# https://github.com/SELinuxProject/selinux/wiki/Releases
|
||||||
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
|
Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
|
||||||
@ -90,6 +90,8 @@ Patch0049: 0049-python-Harden-tools-against-rogue-modules.patch
|
|||||||
Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch
|
Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch
|
||||||
Patch0051: 0051-python-sepolicy-add-missing-booleans-to-man-pages.patch
|
Patch0051: 0051-python-sepolicy-add-missing-booleans-to-man-pages.patch
|
||||||
Patch0052: 0052-python-sepolicy-Cache-conditional-rule-queries.patch
|
Patch0052: 0052-python-sepolicy-Cache-conditional-rule-queries.patch
|
||||||
|
Patch0053: 0053-python-Harden-more-tools-against-rogue-modules.patch
|
||||||
|
Patch0054: 0054-sepolicy-port-to-dnf4-python-API.patch
|
||||||
|
|
||||||
Obsoletes: policycoreutils < 2.0.61-2
|
Obsoletes: policycoreutils < 2.0.61-2
|
||||||
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
|
Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
|
||||||
@ -529,6 +531,10 @@ The policycoreutils-restorecond package contains the restorecond service.
|
|||||||
%systemd_postun_with_restart restorecond.service
|
%systemd_postun_with_restart restorecond.service
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Feb 06 2024 Vit Mojzis <vmojzis@redhat.com> - 2.9-25
|
||||||
|
- Harden more tools against "rogue" modules (RHEL-17351)
|
||||||
|
- sepolicy: port to dnf4 python API (RHEL-17398)
|
||||||
|
|
||||||
* Wed Feb 15 2023 Vit Mojzis <vmojzis@redhat.com> - 2.9-24
|
* Wed Feb 15 2023 Vit Mojzis <vmojzis@redhat.com> - 2.9-24
|
||||||
- Update translations (#2124826)
|
- Update translations (#2124826)
|
||||||
|
|
||||||
|