import policycoreutils-2.9-21.1.el8

This commit is contained in:
CentOS Sources 2023-01-11 14:12:47 +00:00 committed by Stepan Oksanichenko
parent 3147565686
commit 5573f1c903
3 changed files with 153 additions and 2 deletions


@ -0,0 +1,79 @@
From 72c7e9123980b003a21d51e2805529a3e90b2460 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 13 Oct 2022 17:33:18 +0200
Subject: [PATCH] python: Harden tools against "rogue" modules
Python scripts present in "/usr/sbin" override regular modules.
Make sure /usr/sbin is not present in PYTHONPATH.
Fixes:
#cat > /usr/sbin/audit.py <<EOF
import sys
print("BAD GUY!", file=sys.stderr)
sys.exit(1)
EOF
#semanage boolean -l
BAD GUY!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/audit2allow/audit2allow | 2 +-
python/audit2allow/sepolgen-ifgen | 2 +-
python/chcat/chcat | 2 +-
python/semanage/semanage | 2 +-
python/sepolicy/sepolicy.py | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
index 09b06f66..eafeea88 100644
--- a/python/audit2allow/audit2allow
+++ b/python/audit2allow/audit2allow
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
# Authors: Dan Walsh <dwalsh@redhat.com>
#
diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
index be2d093b..f25f8af1 100644
--- a/python/audit2allow/sepolgen-ifgen
+++ b/python/audit2allow/sepolgen-ifgen
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
diff --git a/python/chcat/chcat b/python/chcat/chcat
index df2509f2..5671cec6 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2005 Red Hat
# see file 'COPYING' for use and warranty information
#
diff --git a/python/semanage/semanage b/python/semanage/semanage
index b8842d28..1f170f60 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012-2013 Red Hat
# AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
# AUTHOR: David Quigley <selinux@davequigley.com>
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 8bd6a579..0c1d9641 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012 Red Hat
# AUTHOR: Dan Walsh <dwalsh@redhat.com>
# see file 'COPYING' for use and warranty information
--
2.37.3
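Review bot: The new shebang `#!/usr/bin/python3 -EsI` is redundant, since `-I` already implies `-E` and `-s`; `#!/usr/bin/python3 -I` expresses the same isolation, and the same applies to the other four shebangs in this patch (sepolgen-ifgen, chcat, semanage, sepolicy.py) and to the `pathfix.py -i "%{__python3} -EsI"` line in the spec. The part that actually closes the hole shown in the commit message is `-I` dropping the script's own directory from the front of `sys.path`; the previous `-E` already ignored `PYTHONPATH`, which is why `-Es` did not stop a module placed next to the script, so the message's "not present in PYTHONPATH" wording undersells what changed. Interpreter options in a shebang only take effect when the script is executed directly, so this hardens the installed entry points and not an explicit `python3 /path/to/script` invocation, which is worth a sentence in the commit message or a comment next to the shebang.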


@ -0,0 +1,65 @@
From f33e40265d192e5d725e7b82e5f14f603e1fba48 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@gmail.com>
Date: Wed, 19 Oct 2022 14:20:11 -0400
Subject: [PATCH] python: Do not query the local database if the fcontext is
non-local
Vit Mojzis reports that an error message is produced when modifying
a non-local fcontext.
He gives the following example:
# semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
libsemanage.dbase_llist_query: could not query record value (No such file or directory).
When modifying an fcontext, the non-local database is checked for the
key and then, if it is not found there, the local database is checked.
If the key doesn't exist, then an error is raised. If the key exists
then the local database is queried first and, if that fails, the non-
local database is queried.
The error is from querying the local database when the fcontext is in
the non-local database.
Instead, if the fcontext is in the non-local database, just query
the non-local database. Only query the local database if the
fcontext was found in it.
Reported-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: James Carter <jwcart2@gmail.com>
---
python/semanage/seobject.py | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 70ebfd08..0e923a0d 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -2490,16 +2490,19 @@ class fcontextRecords(semanageRecords):
(rc, exists) = semanage_fcontext_exists(self.sh, k)
if rc < 0:
raise ValueError(_("Could not check if file context for %s is defined") % target)
- if not exists:
+ if exists:
+ try:
+ (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+ except OSError:
+ raise ValueError(_("Could not query file context for %s") % target)
+ else:
(rc, exists) = semanage_fcontext_exists_local(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
if not exists:
raise ValueError(_("File context for %s is not defined") % target)
-
- try:
- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
- except OSError:
try:
- (rc, fcontext) = semanage_fcontext_query(self.sh, k)
+ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
except OSError:
raise ValueError(_("Could not query file context for %s") % target)
--
2.37.3
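Review bot: The new branch order changes which record is returned when a key is present in both databases: the rewritten code takes `semanage_fcontext_query` whenever `semanage_fcontext_exists` reports the key and consults the local database only for keys the non-local one lacks, whereas the removed code tried `semanage_fcontext_query_local` first. If a local record can shadow a policy-provided one (the situation an earlier `-m` on the same path would presumably create), whatever this method later carries forward from `fcontext` now comes from the policy record rather than the earlier local modification; worth confirming against libsemanage, and if intended, a comment such as `# Prefer the policy record; the local db is only consulted for keys the policy does not define` would make the precedence explicit. Separately, `rc` from both query calls is assigned but never checked, so the error path relies entirely on the wrapper raising `OSError`. The enclosing method of `fcontextRecords` starts and ends outside the hunk.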


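--- a/[spec file path not shown on page]
+++ b/[spec file path not shown on page]
@@ -12,7 +12,7 @@
 Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.9
-Release: 20%{?dist}
+Release: 21.1%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
@@ -86,6 +86,8 @@ Patch0045: 0045-semodule-libsemanage-move-module-hashing-into-libsem.patch
 Patch0046: 0046-semodule-add-command-line-option-to-detect-module-ch.patch
 Patch0047: 0047-python-Split-semanage-import-into-two-transactions.patch
 Patch0048: 0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch
+Patch0049: 0049-python-Harden-tools-against-rogue-modules.patch
+Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@@ -214,7 +216,7 @@ install -m 755 -p %{SOURCE15} %{buildroot}/%{_libexecdir}/selinux/
 pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib}
 # change /usr/bin/python to %%{__python3} in policycoreutils-python-utils
-pathfix.py -i "%{__python3} -Es" -p \
+pathfix.py -i "%{__python3} -EsI" -p \
 %{buildroot}%{_sbindir}/semanage \
 %{buildroot}%{_bindir}/chcat \
 %{buildroot}%{_bindir}/sandbox \
@@ -525,6 +527,11 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
+* Mon Dec 19 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-21.1
+- python: Harden tools against "rogue" modules (#2128976)
+- Update "pathfix" arguments to match ^^^ (#2128976)
+- python: Do not query the local database if the fcontext is non-local (#2124825)
 * Thu Jul 07 2022 Vit Mojzis <vmojzis@redhat.com> - 2.9-20
 - python: Split "semanage import" into two transactions (#2063353)
 - semodule: rename --rebuild-if-modules-changed to --refresh (#2089802)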
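Review bot: Only the second `pathfix.py` invocation (the list starting with `%{buildroot}%{_sbindir}/semanage`) is switched to `-EsI`; the first one, over `%{buildroot}%{python3_sitelib}`, keeps `-Es`. That is presumably deliberate, since modules under sitelib are imported rather than executed through their shebang, but the changelog line `Update "pathfix" arguments to match ^^^` reads as if both calls were changed, so a comment above the first call such as `# sitelib modules are imported, not executed: isolated mode (-I) is only applied to the installed executables below` would record the distinction for the next person touching these lines. The rewritten list also covers `%{_bindir}/sandbox`, which the upstream 0049 patch does not touch, so its shebang is hardened only by this build step; a short note saying so would keep the two sources of the flag from drifting apart.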