import policycoreutils-2.9-21.1.el8

2023-01-11 14:12:47 +00:00 · 2023-01-11 14:12:47 +00:00 · 5573f1c903
parent 3147565686
commit 5573f1c903
3 changed files with 153 additions and 2 deletions
--- a/SOURCES/0049-python-Harden-tools-against-rogue-modules.patch
+++ b/SOURCES/0049-python-Harden-tools-against-rogue-modules.patch
@ -0,0 +1,79 @@
+From 72c7e9123980b003a21d51e2805529a3e90b2460 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Thu, 13 Oct 2022 17:33:18 +0200
+Subject: [PATCH] python: Harden tools against "rogue" modules
+
+Python scripts present in "/usr/sbin" override regular modules.
+Make sure /usr/sbin is not present in PYTHONPATH.
+
+Fixes:
+  #cat > /usr/sbin/audit.py <<EOF
+  import sys
+  print("BAD GUY!", file=sys.stderr)
+  sys.exit(1)
+  EOF
+  #semanage boolean -l
+  BAD GUY!
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ python/audit2allow/audit2allow    | 2 +-
+ python/audit2allow/sepolgen-ifgen | 2 +-
+ python/chcat/chcat                | 2 +-
+ python/semanage/semanage          | 2 +-
+ python/sepolicy/sepolicy.py       | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
+index 09b06f66..eafeea88 100644
+--- a/python/audit2allow/audit2allow
+++ b/python/audit2allow/audit2allow
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
+ # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+ # Authors: Dan Walsh <dwalsh@redhat.com>
+ #
+diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
+index be2d093b..f25f8af1 100644
+--- a/python/audit2allow/sepolgen-ifgen
+++ b/python/audit2allow/sepolgen-ifgen
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
+ #
+ # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
+ #
+diff --git a/python/chcat/chcat b/python/chcat/chcat
+index df2509f2..5671cec6 100755
+--- a/python/chcat/chcat
+++ b/python/chcat/chcat
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
+ # Copyright (C) 2005 Red Hat
+ # see file 'COPYING' for use and warranty information
+ #
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index b8842d28..1f170f60 100644
+--- a/python/semanage/semanage
+++ b/python/semanage/semanage
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
+ # Copyright (C) 2012-2013 Red Hat
+ # AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
+ # AUTHOR: David Quigley <selinux@davequigley.com>
+diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
+index 8bd6a579..0c1d9641 100755
+--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
+ # Copyright (C) 2012 Red Hat
+ # AUTHOR: Dan Walsh <dwalsh@redhat.com>
+ # see file 'COPYING' for use and warranty information
+-- 
+2.37.3
+
--- a/SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch
+++ b/SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch
@ -0,0 +1,65 @@
+From f33e40265d192e5d725e7b82e5f14f603e1fba48 Mon Sep 17 00:00:00 2001
+From: James Carter <jwcart2@gmail.com>
+Date: Wed, 19 Oct 2022 14:20:11 -0400
+Subject: [PATCH] python: Do not query the local database if the fcontext is
+ non-local
+
+Vit Mojzis reports that an error message is produced when modifying
+a non-local fcontext.
+
+He gives the following example:
+  # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
+  libsemanage.dbase_llist_query: could not query record value (No such file or directory).
+
+When modifying an fcontext, the non-local database is checked for the
+key and then, if it is not found there, the local database is checked.
+If the key doesn't exist, then an error is raised. If the key exists
+then the local database is queried first and, if that fails, the non-
+local database is queried.
+
+The error is from querying the local database when the fcontext is in
+the non-local database.
+
+Instead, if the fcontext is in the non-local database, just query
+the non-local database. Only query the local database if the
+fcontext was found in it.
+
+Reported-by: Vit Mojzis <vmojzis@redhat.com>
+Signed-off-by: James Carter <jwcart2@gmail.com>
+---
+ python/semanage/seobject.py | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
+index 70ebfd08..0e923a0d 100644
+--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
+@@ -2490,16 +2490,19 @@ class fcontextRecords(semanageRecords):
+         (rc, exists) = semanage_fcontext_exists(self.sh, k)
+         if rc < 0:
+             raise ValueError(_("Could not check if file context for %s is defined") % target)
+-        if not exists:
+        if exists:
+            try:
+                (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+            except OSError:
+                raise ValueError(_("Could not query file context for %s") % target)
+        else:
+             (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+            if rc < 0:
+                raise ValueError(_("Could not check if file context for %s is defined") % target)
+             if not exists:
+                 raise ValueError(_("File context for %s is not defined") % target)
+-
+-        try:
+-            (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
+-        except OSError:
+             try:
+-                (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+                (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
+             except OSError:
+                 raise ValueError(_("Could not query file context for %s") % target)
+ 
+-- 
+2.37.3
+
--- a/SPECS/policycoreutils.spec
+++ b/SPECS/policycoreutils.spec
@ -12,7 +12,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 2.9
-Release: 20%{?dist}
+Release: 21.1%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@ -86,6 +86,8 @@ Patch0045: 0045-semodule-libsemanage-move-module-hashing-into-libsem.patch
 Patch0046: 0046-semodule-add-command-line-option-to-detect-module-ch.patch
 Patch0047: 0047-python-Split-semanage-import-into-two-transactions.patch
 Patch0048: 0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch
+Patch0049: 0049-python-Harden-tools-against-rogue-modules.patch
+Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch

 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@ -214,7 +216,7 @@ install -m 755 -p %{SOURCE15} %{buildroot}/%{_libexecdir}/selinux/
 pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib}

 # change /usr/bin/python to %%{__python3} in policycoreutils-python-utils
-pathfix.py -i "%{__python3} -Es" -p \
+pathfix.py -i "%{__python3} -EsI" -p \
    %{buildroot}%{_sbindir}/semanage \
    %{buildroot}%{_bindir}/chcat \
    %{buildroot}%{_bindir}/sandbox \
@ -525,6 +527,11 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service

 %changelog
+* Mon Dec 19 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-21.1
+- python: Harden tools against "rogue" modules (#2128976)
+- Update "pathfix" arguments to match ^^^ (#2128976)
+- python: Do not query the local database if the fcontext is non-local (#2124825)
+
 * Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-20
 - python: Split "semanage import" into two transactions (#2063353)
 - semodule: rename --rebuild-if-modules-changed to --refresh (#2089802)