From 3cbcbaf9531fa1e348d12a18b8f092ba90431c80 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Tue, 16 May 2023 06:16:51 +0000 Subject: [PATCH] import policycoreutils-2.9-24.el8 --- .policycoreutils.metadata | 8 +- ...n-Harden-tools-against-rogue-modules.patch | 79 ++++++++++++ ...ery-the-local-database-if-the-fconte.patch | 65 ++++++++++ ...cy-add-missing-booleans-to-man-pages.patch | 112 ++++++++++++++++++ ...olicy-Cache-conditional-rule-queries.patch | 73 ++++++++++++ SPECS/policycoreutils.spec | 22 +++- 6 files changed, 353 insertions(+), 6 deletions(-) create mode 100644 SOURCES/0049-python-Harden-tools-against-rogue-modules.patch create mode 100644 SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch create mode 100644 SOURCES/0051-python-sepolicy-add-missing-booleans-to-man-pages.patch create mode 100644 SOURCES/0052-python-sepolicy-Cache-conditional-rule-queries.patch diff --git a/.policycoreutils.metadata b/.policycoreutils.metadata index f13ed2e..e530a47 100644 --- a/.policycoreutils.metadata +++ b/.policycoreutils.metadata @@ -1,9 +1,9 @@ -ab60ee590bb04c6172c12f60fd8fd730bb906dd6 SOURCES/gui-po.tgz +3f355f8cbfdf7be6f9a8190153090af95d2c7358 SOURCES/gui-po.tgz 6e64d9a38fb516738023eb429eef29af5383f443 SOURCES/policycoreutils-2.9.tar.gz -7bc3c564bdf9929ef396101d9bbcf366817f6b02 SOURCES/policycoreutils-po.tgz -37703412bf6e9d3ecc7a896ef0cc833bf4fa9426 SOURCES/python-po.tgz +51122ae6029657bf762d72bff94bab38890fd1e7 SOURCES/policycoreutils-po.tgz +c503e61733af54159d5950bbd9fa8080771ee938 SOURCES/python-po.tgz 0a34ef54394972870203832c8ce52d4405bd5330 SOURCES/restorecond-2.9.tar.gz -221c505bfd2cb67b87dd2c95001c4a7bbb072571 SOURCES/sandbox-po.tgz +7df1784ab0c6b0823943571d733b856d10a87f76 SOURCES/sandbox-po.tgz 8645509cdfc433278c2e4d29ee8f511625c7edcc SOURCES/selinux-dbus-2.9.tar.gz 5c155ae47692389d9fabaa154195e7f978f2a3f0 SOURCES/selinux-gui-2.9.tar.gz 660e1ab824ef80f7a69f0b70f61e231957fd398e SOURCES/selinux-python-2.9.tar.gz diff --git a/SOURCES/0049-python-Harden-tools-against-rogue-modules.patch b/SOURCES/0049-python-Harden-tools-against-rogue-modules.patch new file mode 100644 index 0000000..8796c90 --- /dev/null +++ b/SOURCES/0049-python-Harden-tools-against-rogue-modules.patch @@ -0,0 +1,79 @@ +From 72c7e9123980b003a21d51e2805529a3e90b2460 Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Thu, 13 Oct 2022 17:33:18 +0200 +Subject: [PATCH] python: Harden tools against "rogue" modules + +Python scripts present in "/usr/sbin" override regular modules. +Make sure /usr/sbin is not present in PYTHONPATH. + +Fixes: + #cat > /usr/sbin/audit.py < +--- + python/audit2allow/audit2allow | 2 +- + python/audit2allow/sepolgen-ifgen | 2 +- + python/chcat/chcat | 2 +- + python/semanage/semanage | 2 +- + python/sepolicy/sepolicy.py | 2 +- + 5 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow +index 09b06f66..eafeea88 100644 +--- a/python/audit2allow/audit2allow ++++ b/python/audit2allow/audit2allow +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # Authors: Karl MacMillan + # Authors: Dan Walsh + # +diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen +index be2d093b..f25f8af1 100644 +--- a/python/audit2allow/sepolgen-ifgen ++++ b/python/audit2allow/sepolgen-ifgen +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # + # Authors: Karl MacMillan + # +diff --git a/python/chcat/chcat b/python/chcat/chcat +index df2509f2..5671cec6 100755 +--- a/python/chcat/chcat ++++ b/python/chcat/chcat +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # Copyright (C) 2005 Red Hat + # see file 'COPYING' for use and warranty information + # +diff --git a/python/semanage/semanage b/python/semanage/semanage +index b8842d28..1f170f60 100644 +--- a/python/semanage/semanage ++++ b/python/semanage/semanage +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # Copyright (C) 2012-2013 Red Hat + # AUTHOR: Miroslav Grepl + # AUTHOR: David Quigley +diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py +index 8bd6a579..0c1d9641 100755 +--- a/python/sepolicy/sepolicy.py ++++ b/python/sepolicy/sepolicy.py +@@ -1,4 +1,4 @@ +-#!/usr/bin/python3 -Es ++#!/usr/bin/python3 -EsI + # Copyright (C) 2012 Red Hat + # AUTHOR: Dan Walsh + # see file 'COPYING' for use and warranty information +-- +2.37.3 + diff --git a/SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch b/SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch new file mode 100644 index 0000000..eb08953 --- /dev/null +++ b/SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch @@ -0,0 +1,65 @@ +From f33e40265d192e5d725e7b82e5f14f603e1fba48 Mon Sep 17 00:00:00 2001 +From: James Carter +Date: Wed, 19 Oct 2022 14:20:11 -0400 +Subject: [PATCH] python: Do not query the local database if the fcontext is + non-local + +Vit Mojzis reports that an error message is produced when modifying +a non-local fcontext. + +He gives the following example: + # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd + libsemanage.dbase_llist_query: could not query record value (No such file or directory). + +When modifying an fcontext, the non-local database is checked for the +key and then, if it is not found there, the local database is checked. +If the key doesn't exist, then an error is raised. If the key exists +then the local database is queried first and, if that fails, the non- +local database is queried. + +The error is from querying the local database when the fcontext is in +the non-local database. + +Instead, if the fcontext is in the non-local database, just query +the non-local database. Only query the local database if the +fcontext was found in it. + +Reported-by: Vit Mojzis +Signed-off-by: James Carter +--- + python/semanage/seobject.py | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py +index 70ebfd08..0e923a0d 100644 +--- a/python/semanage/seobject.py ++++ b/python/semanage/seobject.py +@@ -2490,16 +2490,19 @@ class fcontextRecords(semanageRecords): + (rc, exists) = semanage_fcontext_exists(self.sh, k) + if rc < 0: + raise ValueError(_("Could not check if file context for %s is defined") % target) +- if not exists: ++ if exists: ++ try: ++ (rc, fcontext) = semanage_fcontext_query(self.sh, k) ++ except OSError: ++ raise ValueError(_("Could not query file context for %s") % target) ++ else: + (rc, exists) = semanage_fcontext_exists_local(self.sh, k) ++ if rc < 0: ++ raise ValueError(_("Could not check if file context for %s is defined") % target) + if not exists: + raise ValueError(_("File context for %s is not defined") % target) +- +- try: +- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) +- except OSError: + try: +- (rc, fcontext) = semanage_fcontext_query(self.sh, k) ++ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k) + except OSError: + raise ValueError(_("Could not query file context for %s") % target) + +-- +2.37.3 + diff --git a/SOURCES/0051-python-sepolicy-add-missing-booleans-to-man-pages.patch b/SOURCES/0051-python-sepolicy-add-missing-booleans-to-man-pages.patch new file mode 100644 index 0000000..ccfe7da --- /dev/null +++ b/SOURCES/0051-python-sepolicy-add-missing-booleans-to-man-pages.patch @@ -0,0 +1,112 @@ +From f3ddbd8220d9646072c9a4c9ed37f2dff998a53c Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Tue, 10 Jan 2023 11:37:26 +0100 +Subject: [PATCH] python/sepolicy: add missing booleans to man pages + +get_bools should return a list of booleans that can affect given type, +but it did not handle non trivial conditional statements properly +(returning the whole conditional statement instead of a list of booleans +in the statement). + +e.g. for +allow httpd_t spamc_t:process transition; [ httpd_can_check_spam && httpd_can_sendmail ]:True +get_bools used to return [("httpd_can_check_spam && httpd_can_sendmail", False)] instead of +[("httpd_can_check_spam", False), ("httpd_can_sendmail", False)] + +- rename "boolean" in sepolicy rule dictionary to "booleans" to suggest + it can contain multiple values and make sure it is populated correctly +- add "conditional" key to the rule dictionary to accommodate + get_conditionals, which requires the whole conditional statement +- extend get_bools search to dontaudit rules so that it covers booleans + like httpd_dontaudit_search_dirs + +Note: get_bools uses security_get_boolean_active to get the boolean + value, but the value is later used to represent the default. + Not ideal, but I'm not aware of a way to get the actual defaults. + +Fixes: + "sepolicy manpage" generates man pages that are missing booleans + which are included in non trivial conditional expressions + e.g. httpd_selinux(8) does not include httpd_can_check_spam, + httpd_tmp_exec, httpd_unified, or httpd_use_gpg + + This fix, however, also adds some not strictly related booleans + to some man pages. e.g. use_nfs_home_dirs and + use_samba_home_dirs are added to httpd_selinux(8) + +Signed-off-by: Vit Mojzis +Acked-by: Jason Zaman +--- + python/sepolicy/sepolicy/__init__.py | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py +index b6ca57c3..0f51174d 100644 +--- a/python/sepolicy/sepolicy/__init__.py ++++ b/python/sepolicy/sepolicy/__init__.py +@@ -324,7 +324,12 @@ def _setools_rule_to_dict(rule): + pass + + try: +- d['boolean'] = [(str(rule.conditional), enabled)] ++ d['booleans'] = [(str(b), b.state) for b in rule.conditional.booleans] ++ except AttributeError: ++ pass ++ ++ try: ++ d['conditional'] = str(rule.conditional) + except AttributeError: + pass + +@@ -426,12 +431,12 @@ def get_conditionals(src, dest, tclass, perm): + x['source'] in src_list and + x['target'] in dest_list and + set(perm).issubset(x[PERMS]) and +- 'boolean' in x, ++ 'conditional' in x, + get_all_allow_rules())) + + try: + for i in allows: +- tdict.update({'source': i['source'], 'boolean': i['boolean']}) ++ tdict.update({'source': i['source'], 'conditional': (i['conditional'], i['enabled'])}) + if tdict not in tlist: + tlist.append(tdict) + tdict = {} +@@ -445,10 +450,10 @@ def get_conditionals_format_text(cond): + + enabled = False + for x in cond: +- if x['boolean'][0][1]: ++ if x['conditional'][1]: + enabled = True + break +- return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['boolean'][0][0], x['boolean'][0][1]), cond)))) ++ return _("-- Allowed %s [ %s ]") % (enabled, " || ".join(set(map(lambda x: "%s=%d" % (x['conditional'][0], x['conditional'][1]), cond)))) + + + def get_types_from_attribute(attribute): +@@ -703,9 +708,9 @@ def get_boolean_rules(setype, boolean): + boollist = [] + permlist = search([ALLOW], {'source': setype}) + for p in permlist: +- if "boolean" in p: ++ if "booleans" in p: + try: +- for b in p["boolean"]: ++ for b in p["booleans"]: + if boolean in b: + boollist.append(p) + except: +@@ -1124,7 +1129,7 @@ def get_bools(setype): + bools = [] + domainbools = [] + domainname, short_name = gen_short_name(setype) +- for i in map(lambda x: x['boolean'], filter(lambda x: 'boolean' in x and x['source'] == setype, get_all_allow_rules())): ++ for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, search([ALLOW, DONTAUDIT]))): + for b in i: + if not isinstance(b, tuple): + continue +-- +2.37.3 + diff --git a/SOURCES/0052-python-sepolicy-Cache-conditional-rule-queries.patch b/SOURCES/0052-python-sepolicy-Cache-conditional-rule-queries.patch new file mode 100644 index 0000000..0dac123 --- /dev/null +++ b/SOURCES/0052-python-sepolicy-Cache-conditional-rule-queries.patch @@ -0,0 +1,73 @@ +From 25373db5cac520b85350db91b8a7ed0737d3316c Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Tue, 24 Jan 2023 21:05:05 +0100 +Subject: [PATCH] python/sepolicy: Cache conditional rule queries + +Commit 7506771e4b630fe0ab853f96574e039055cb72eb +"add missing booleans to man pages" dramatically slowed down +"sepolicy manpage -a" by removing caching of setools rule query. +Re-add said caching and update the query to only return conditional +rules. + +Before commit 7506771e: + #time sepolicy manpage -a + real 1m43.153s + # time sepolicy manpage -d httpd_t + real 0m4.493s + +After commit 7506771e: + #time sepolicy manpage -a + real 1h56m43.153s + # time sepolicy manpage -d httpd_t + real 0m8.352s + +After this commit: + #time sepolicy manpage -a + real 1m41.074s + # time sepolicy manpage -d httpd_t + real 0m7.358s + +Signed-off-by: Vit Mojzis +--- + python/sepolicy/sepolicy/__init__.py | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py +index 0f51174d..f48231e9 100644 +--- a/python/sepolicy/sepolicy/__init__.py ++++ b/python/sepolicy/sepolicy/__init__.py +@@ -114,6 +114,7 @@ all_attributes = None + booleans = None + booleans_dict = None + all_allow_rules = None ++all_bool_rules = None + all_transitions = None + + +@@ -1119,6 +1120,14 @@ def get_all_allow_rules(): + all_allow_rules = search([ALLOW]) + return all_allow_rules + ++def get_all_bool_rules(): ++ global all_bool_rules ++ if not all_bool_rules: ++ q = setools.TERuleQuery(_pol, boolean=".*", boolean_regex=True, ++ ruletype=[ALLOW, DONTAUDIT]) ++ all_bool_rules = [_setools_rule_to_dict(x) for x in q.results()] ++ return all_bool_rules ++ + def get_all_transitions(): + global all_transitions + if not all_transitions: +@@ -1129,7 +1138,7 @@ def get_bools(setype): + bools = [] + domainbools = [] + domainname, short_name = gen_short_name(setype) +- for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, search([ALLOW, DONTAUDIT]))): ++ for i in map(lambda x: x['booleans'], filter(lambda x: 'booleans' in x and x['source'] == setype, get_all_bool_rules())): + for b in i: + if not isinstance(b, tuple): + continue +-- +2.37.3 + diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec index b9739c5..daf1197 100644 --- a/SPECS/policycoreutils.spec +++ b/SPECS/policycoreutils.spec @@ -12,7 +12,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 2.9 -Release: 20%{?dist} +Release: 24%{?dist} License: GPLv2 # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz @@ -86,6 +86,10 @@ Patch0045: 0045-semodule-libsemanage-move-module-hashing-into-libsem.patch Patch0046: 0046-semodule-add-command-line-option-to-detect-module-ch.patch Patch0047: 0047-python-Split-semanage-import-into-two-transactions.patch Patch0048: 0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch +Patch0049: 0049-python-Harden-tools-against-rogue-modules.patch +Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch +Patch0051: 0051-python-sepolicy-add-missing-booleans-to-man-pages.patch +Patch0052: 0052-python-sepolicy-Cache-conditional-rule-queries.patch Obsoletes: policycoreutils < 2.0.61-2 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138 @@ -214,7 +218,7 @@ install -m 755 -p %{SOURCE15} %{buildroot}/%{_libexecdir}/selinux/ pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib} # change /usr/bin/python to %%{__python3} in policycoreutils-python-utils -pathfix.py -i "%{__python3} -Es" -p \ +pathfix.py -i "%{__python3} -EsI" -p \ %{buildroot}%{_sbindir}/semanage \ %{buildroot}%{_bindir}/chcat \ %{buildroot}%{_bindir}/sandbox \ @@ -525,6 +529,20 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Wed Feb 15 2023 Vit Mojzis - 2.9-24 +- Update translations (#2124826) + +* Wed Feb 08 2023 Vit Mojzis - 2.9-23 +- python/sepolicy: Cache conditional rule queries (#2155540) + +* Mon Jan 09 2023 Vit Mojzis - 2.9-22 +- python/sepolicy: add missing booleans to man pages (#2155540) + +* Mon Dec 19 2022 Vit Mojzis - 2.9-21.1 +- python: Harden tools against "rogue" modules (#2128976) +- Update "pathfix" arguments to match ^^^ (#2128976) +- python: Do not query the local database if the fcontext is non-local (#2124825) + * Thu Jul 07 2022 Vit Mojzis - 2.9-20 - python: Split "semanage import" into two transactions (#2063353) - semodule: rename --rebuild-if-modules-changed to --refresh (#2089802)