import policycoreutils-2.9-21.1.el8

2023-01-11 14:12:47 +00:00 · 2023-01-11 14:12:47 +00:00 · 5573f1c903
commit 5573f1c903
parent 3147565686
3 changed files with 153 additions and 2 deletions
--- a/SOURCES/0049-python-Harden-tools-against-rogue-modules.patch
+++ b/SOURCES/0049-python-Harden-tools-against-rogue-modules.patch
@ -0,0 +1,79 @@
 From 72c7e9123980b003a21d51e2805529a3e90b2460 Mon Sep 17 00:00:00 2001
 From: Vit Mojzis <vmojzis@redhat.com>
 Date: Thu, 13 Oct 2022 17:33:18 +0200
 Subject: [PATCH] python: Harden tools against "rogue" modules
 Python scripts present in "/usr/sbin" override regular modules.
 Make sure /usr/sbin is not present in PYTHONPATH.
 Fixes:
  #cat > /usr/sbin/audit.py <<EOF
  import sys
  print("BAD GUY!", file=sys.stderr)
  sys.exit(1)
  EOF
  #semanage boolean -l
  BAD GUY!
 Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
 ---
 python/audit2allow/audit2allow    | 2 +-
 python/audit2allow/sepolgen-ifgen | 2 +-
 python/chcat/chcat                | 2 +-
 python/semanage/semanage          | 2 +-
 python/sepolicy/sepolicy.py       | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
 diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
 index 09b06f66..eafeea88 100644
 --- a/python/audit2allow/audit2allow
 +++ b/python/audit2allow/audit2allow
@@ -1,4 +1,4 @@
 -#!/usr/bin/python3 -Es
 +#!/usr/bin/python3 -EsI
 # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
 # Authors: Dan Walsh <dwalsh@redhat.com>
 #
 diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
 index be2d093b..f25f8af1 100644
 --- a/python/audit2allow/sepolgen-ifgen
 +++ b/python/audit2allow/sepolgen-ifgen
@@ -1,4 +1,4 @@
 -#!/usr/bin/python3 -Es
 +#!/usr/bin/python3 -EsI
 #
 # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
 #
 diff --git a/python/chcat/chcat b/python/chcat/chcat
 index df2509f2..5671cec6 100755
 --- a/python/chcat/chcat
 +++ b/python/chcat/chcat
@@ -1,4 +1,4 @@
 -#!/usr/bin/python3 -Es
 +#!/usr/bin/python3 -EsI
 # Copyright (C) 2005 Red Hat
 # see file 'COPYING' for use and warranty information
 #
 diff --git a/python/semanage/semanage b/python/semanage/semanage
 index b8842d28..1f170f60 100644
 --- a/python/semanage/semanage
 +++ b/python/semanage/semanage
@@ -1,4 +1,4 @@
 -#!/usr/bin/python3 -Es
 +#!/usr/bin/python3 -EsI
 # Copyright (C) 2012-2013 Red Hat
 # AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
 # AUTHOR: David Quigley <selinux@davequigley.com>
 diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
 index 8bd6a579..0c1d9641 100755
 --- a/python/sepolicy/sepolicy.py
 +++ b/python/sepolicy/sepolicy.py
@@ -1,4 +1,4 @@
 -#!/usr/bin/python3 -Es
 +#!/usr/bin/python3 -EsI
 # Copyright (C) 2012 Red Hat
 # AUTHOR: Dan Walsh <dwalsh@redhat.com>
 # see file 'COPYING' for use and warranty information
 -- 
 2.37.3
--- a/SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch
+++ b/SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch
@ -0,0 +1,65 @@
 From f33e40265d192e5d725e7b82e5f14f603e1fba48 Mon Sep 17 00:00:00 2001
 From: James Carter <jwcart2@gmail.com>
 Date: Wed, 19 Oct 2022 14:20:11 -0400
 Subject: [PATCH] python: Do not query the local database if the fcontext is
 non-local
 Vit Mojzis reports that an error message is produced when modifying
 a non-local fcontext.
 He gives the following example:
  # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
  libsemanage.dbase_llist_query: could not query record value (No such file or directory).
 When modifying an fcontext, the non-local database is checked for the
 key and then, if it is not found there, the local database is checked.
 If the key doesn't exist, then an error is raised. If the key exists
 then the local database is queried first and, if that fails, the non-
 local database is queried.
 The error is from querying the local database when the fcontext is in
 the non-local database.
 Instead, if the fcontext is in the non-local database, just query
 the non-local database. Only query the local database if the
 fcontext was found in it.
 Reported-by: Vit Mojzis <vmojzis@redhat.com>
 Signed-off-by: James Carter <jwcart2@gmail.com>
 ---
 python/semanage/seobject.py | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
 diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
 index 70ebfd08..0e923a0d 100644
 --- a/python/semanage/seobject.py
 +++ b/python/semanage/seobject.py
@@ -2490,16 +2490,19 @@ class fcontextRecords(semanageRecords):
         (rc, exists) = semanage_fcontext_exists(self.sh, k)
         if rc < 0:
             raise ValueError(_("Could not check if file context for %s is defined") % target)
 -        if not exists:
 +        if exists:
 +            try:
 +                (rc, fcontext) = semanage_fcontext_query(self.sh, k)
 +            except OSError:
 +                raise ValueError(_("Could not query file context for %s") % target)
 +        else:
             (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
 +            if rc < 0:
 +                raise ValueError(_("Could not check if file context for %s is defined") % target)
             if not exists:
                 raise ValueError(_("File context for %s is not defined") % target)
 -
 -        try:
 -            (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
 -        except OSError:
             try:
 -                (rc, fcontext) = semanage_fcontext_query(self.sh, k)
 +                (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
             except OSError:
                 raise ValueError(_("Could not query file context for %s") % target)
 -- 
 2.37.3
--- a/SPECS/policycoreutils.spec
+++ b/SPECS/policycoreutils.spec
@ -12,7 +12,7 @@
 Summary: SELinux policy core utilities
 Name:    policycoreutils
 Version: 2.9
-Release: 20%{?dist}
+Release: 21.1%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@ -86,6 +86,8 @@ Patch0045: 0045-semodule-libsemanage-move-module-hashing-into-libsem.patch
 Patch0046: 0046-semodule-add-command-line-option-to-detect-module-ch.patch
 Patch0047: 0047-python-Split-semanage-import-into-two-transactions.patch
 Patch0048: 0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch
 Patch0049: 0049-python-Harden-tools-against-rogue-modules.patch
 Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@ -214,7 +216,7 @@ install -m 755 -p %{SOURCE15} %{buildroot}/%{_libexecdir}/selinux/
 pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib}
 # change /usr/bin/python to %%{__python3} in policycoreutils-python-utils
-pathfix.py -i "%{__python3} -Es" -p \
+pathfix.py -i "%{__python3} -EsI" -p \
    %{buildroot}%{_sbindir}/semanage \
    %{buildroot}%{_bindir}/chcat \
    %{buildroot}%{_bindir}/sandbox \
@ -525,6 +527,11 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
 * Mon Dec 19 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-21.1
 - python: Harden tools against "rogue" modules (#2128976)
 - Update "pathfix" arguments to match ^^^ (#2128976)
 - python: Do not query the local database if the fcontext is non-local (#2124825)
 * Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-20
 - python: Split "semanage import" into two transactions (#2063353)
 - semodule: rename --rebuild-if-modules-changed to --refresh (#2089802)