rpms/policycoreutils
5
0
Fork 0
Code Issues Pull Requests Releases Activity

policycoreutils-3.2-2

Browse Source 
- Do not use Python slip
- dbus: use GLib.MainLoop
- fixfiles: do not exclude /dev and /run in -C mode
This commit is contained in:
Petr Lautrbach 2021-05-10 14:43:32 +02:00
parent 4e05786ea5
commit d7133c7185
5 changed files with 389 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

217
0018-Do-not-use-Python-slip.patch Normal file
View File

@ -0,0 +1,217 @@
From 02fd46cee210fc693ddf985d7d03674397f8342f Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 15 Apr 2021 17:39:39 +0200
Subject: [PATCH] Do not use Python slip
Python slip is not actively maintained anymore and it was use just as
polkit proxy. It looks like polkit dbus interface is quite simple to use
it directly via python dbus module.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
dbus/selinux_server.py | 69 ++++++++++++++++++------------
python/sepolicy/sepolicy/sedbus.py | 9 ----
2 files changed, 41 insertions(+), 37 deletions(-)
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index be4f4557a9fa..b7c9378bcb5d 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -4,26 +4,33 @@ import dbus
import dbus.service
import dbus.mainloop.glib
from gi.repository import GObject
-import slip.dbus.service
-from slip.dbus import polkit
import os
import selinux
from subprocess import Popen, PIPE, STDOUT
-class selinux_server(slip.dbus.service.Object):
+class selinux_server(dbus.service.Object):
default_polkit_auth_required = "org.selinux.semanage"
def __init__(self, *p, **k):
super(selinux_server, self).__init__(*p, **k)
+ def is_authorized(self, sender, action_id):
+ bus = dbus.SystemBus()
+ proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
+ authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
+ subject = ('system-bus-name', {'name': sender})
+ result = authority.CheckAuthorization(subject, action_id, {}, 1, '')
+ return result[0]
+
#
# The semanage method runs a transaction on a series of semanage commands,
# these commands can take the output of customized
#
- @slip.dbus.polkit.require_auth("org.selinux.semanage")
- @dbus.service.method("org.selinux", in_signature='s')
- def semanage(self, buf):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def semanage(self, buf, sender):
+ if not self.is_authorized(sender, "org.selinux.semanage"):
+ raise dbus.exceptions.DBusException("Not authorized")
p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
p.stdin.write(buf)
output = p.communicate()
@@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object):
# on the server. This output can be used with the semanage method on
# another server to make the two systems have duplicate policy.
#
- @slip.dbus.polkit.require_auth("org.selinux.customized")
- @dbus.service.method("org.selinux", in_signature='', out_signature='s')
- def customized(self):
+ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
+ def customized(self, sender):
+ if not self.is_authorized(sender, "org.selinux.customized"):
+ raise dbus.exceptions.DBusException("Not authorized")
p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
buf = p.stdout.read()
output = p.communicate()
@@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object):
# The semodule_list method will return the output of semodule --list=full, using the customized polkit,
# since this is a readonly behaviour
#
- @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
- @dbus.service.method("org.selinux", in_signature='', out_signature='s')
- def semodule_list(self):
+ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
+ def semodule_list(self, sender):
+ if not self.is_authorized(sender, "org.selinux.semodule_list"):
+ raise dbus.exceptions.DBusException("Not authorized")
p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
buf = p.stdout.read()
output = p.communicate()
@@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object):
#
# The restorecon method modifies any file path to the default system label
#
- @slip.dbus.polkit.require_auth("org.selinux.restorecon")
- @dbus.service.method("org.selinux", in_signature='s')
- def restorecon(self, path):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def restorecon(self, path, sender):
+ if not self.is_authorized(sender, "org.selinux.restorecon"):
+ raise dbus.exceptions.DBusException("Not authorized")
selinux.restorecon(str(path), recursive=1)
#
# The setenforce method turns off the current enforcement of SELinux
#
- @slip.dbus.polkit.require_auth("org.selinux.setenforce")
- @dbus.service.method("org.selinux", in_signature='i')
- def setenforce(self, value):
+ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
+ def setenforce(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.setenforce"):
+ raise dbus.exceptions.DBusException("Not authorized")
selinux.security_setenforce(value)
#
# The setenforce method turns off the current enforcement of SELinux
#
- @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
- @dbus.service.method("org.selinux", in_signature='i')
- def relabel_on_boot(self, value):
+ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
+ def relabel_on_boot(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.relabel_on_boot"):
+ raise dbus.exceptions.DBusException("Not authorized")
if value == 1:
fd = open("/.autorelabel", "w")
fd.close()
@@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object):
#
# The change_default_enforcement modifies the current enforcement mode
#
- @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
- @dbus.service.method("org.selinux", in_signature='s')
- def change_default_mode(self, value):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def change_default_mode(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.change_default_mode"):
+ raise dbus.exceptions.DBusException("Not authorized")
values = ["enforcing", "permissive", "disabled"]
if value not in values:
raise ValueError("Enforcement mode must be %s" % ", ".join(values))
@@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object):
#
# The change_default_policy method modifies the policy type
#
- @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
- @dbus.service.method("org.selinux", in_signature='s')
- def change_default_policy(self, value):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def change_default_policy(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.change_default_policy"):
+ raise dbus.exceptions.DBusException("Not authorized")
path = selinux.selinux_path() + value
if os.path.isdir(path):
return self.write_selinux_config(policy=value)
@@ -136,5 +150,4 @@ if __name__ == "__main__":
system_bus = dbus.SystemBus()
name = dbus.service.BusName("org.selinux", system_bus)
object = selinux_server(system_bus, "/org/selinux/object")
- slip.dbus.service.set_mainloop(mainloop)
mainloop.run()
diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py
index 76b259ae27e8..39b53d47753a 100644
--- a/python/sepolicy/sepolicy/sedbus.py
+++ b/python/sepolicy/sepolicy/sedbus.py
@@ -2,7 +2,6 @@ import sys
import dbus
import dbus.service
import dbus.mainloop.glib
-from slip.dbus import polkit
class SELinuxDBus (object):
@@ -11,42 +10,34 @@ class SELinuxDBus (object):
self.bus = dbus.SystemBus()
self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object")
- @polkit.enable_proxy
def semanage(self, buf):
ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def restorecon(self, path):
ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def setenforce(self, value):
ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def customized(self):
ret = self.dbus_object.customized(dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def semodule_list(self):
ret = self.dbus_object.semodule_list(dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def relabel_on_boot(self, value):
ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def change_default_mode(self, value):
ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def change_default_policy(self, value):
ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux")
return ret
--
2.31.1

43
0019-dbus-Use-GLib.MainLoop.patch Normal file
View File

@ -0,0 +1,43 @@
From 30b9e992819a2c94434a0a30d5ce96e642c84d20 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 12 May 2021 19:19:29 +0200
Subject: [PATCH] dbus: Use GLib.MainLoop()
Fixes:
PyGIDeprecationWarning: GObject.MainLoop is deprecated; use GLib.MainLoop instead
---
dbus/selinux_server.py | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index b7c9378bcb5d..a969f2268ceb 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -2,8 +2,9 @@
import dbus
import dbus.service
-import dbus.mainloop.glib
+from dbus.mainloop.glib import DBusGMainLoop
from gi.repository import GObject
+from gi.repository import GLib
import os
import selinux
from subprocess import Popen, PIPE, STDOUT
@@ -145,9 +146,10 @@ class selinux_server(dbus.service.Object):
raise ValueError("%s does not exist" % path)
if __name__ == "__main__":
- mainloop = GObject.MainLoop()
- dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
+ DBusGMainLoop(set_as_default=True)
+ mainloop = GLib.MainLoop()
+
system_bus = dbus.SystemBus()
name = dbus.service.BusName("org.selinux", system_bus)
- object = selinux_server(system_bus, "/org/selinux/object")
+ server = selinux_server(system_bus, "/org/selinux/object")
mainloop.run()
--
2.31.1

67
0020-policycoreutils-setfiles-do-not-create-useless-setfi.patch Normal file
View File

@ -0,0 +1,67 @@
From d36c5c43d17896ebd655f8bdc6e0303dcbf2f47b Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Fri, 19 Mar 2021 22:30:59 +0100
Subject: [PATCH] policycoreutils/setfiles: do not create useless
setfiles.8.man file
Seems to have been there to allow for some sed substitution over the
text. Now that this is gone, the redundant intermediate file can be
removed, too.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policycoreutils/setfiles/.gitignore | 1 -
policycoreutils/setfiles/Makefile | 9 +++------
2 files changed, 3 insertions(+), 7 deletions(-)
delete mode 100644 policycoreutils/setfiles/.gitignore
diff --git a/policycoreutils/setfiles/.gitignore b/policycoreutils/setfiles/.gitignore
deleted file mode 100644
index 5e899c95af23..000000000000
--- a/policycoreutils/setfiles/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-setfiles.8.man
diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile
index a3bbbe116b7f..63d818509791 100644
--- a/policycoreutils/setfiles/Makefile
+++ b/policycoreutils/setfiles/Makefile
@@ -13,7 +13,7 @@ ifeq ($(AUDITH), y)
override LDLIBS += -laudit
endif
-all: setfiles restorecon restorecon_xattr man
+all: setfiles restorecon restorecon_xattr
setfiles: setfiles.o restore.o
@@ -22,16 +22,13 @@ restorecon: setfiles
restorecon_xattr: restorecon_xattr.o restore.o
-man:
- @cp -af setfiles.8 setfiles.8.man
-
install: all
[ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8
-mkdir -p $(DESTDIR)$(SBINDIR)
install -m 755 setfiles $(DESTDIR)$(SBINDIR)
(cd $(DESTDIR)$(SBINDIR) && ln -sf setfiles restorecon)
install -m 755 restorecon_xattr $(DESTDIR)$(SBINDIR)
- install -m 644 setfiles.8.man $(DESTDIR)$(MANDIR)/man8/setfiles.8
+ install -m 644 setfiles.8 $(DESTDIR)$(MANDIR)/man8/setfiles.8
install -m 644 restorecon.8 $(DESTDIR)$(MANDIR)/man8/restorecon.8
install -m 644 restorecon_xattr.8 $(DESTDIR)$(MANDIR)/man8/restorecon_xattr.8
for lang in $(LINGUAS) ; do \
@@ -42,7 +39,7 @@ install: all
done
clean:
- rm -f setfiles restorecon restorecon_xattr *.o setfiles.8.man
+ rm -f setfiles restorecon restorecon_xattr *.o
indent:
../../scripts/Lindent $(wildcard *.[ch])
--
2.31.1

50
0021-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch Normal file
View File

@ -0,0 +1,50 @@
From 38d88fc70844b6f5b02883172af6df7bbd05de24 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 1 Mar 2021 18:19:22 +0100
Subject: [PATCH] fixfiles: do not exclude /dev and /run in -C mode
I can't think of a good reason why they should be excluded. On the
contrary, excluding them can cause trouble very easily if some labeling
rules for these directories change. For example, we changed the label
for /dev/nvme* from nvme_device_t to fixed_disk_device_t in Fedora
(updating the allow rules accordingly) and after policy update they
ended up with an invalid context, causing denials.
Thus, remove /dev and /run from the excludes. While there, also add
/root to the basic excludes to match the regex that excludes fc rules
(that should be effectively no functional change).
I did a sanity check on my system by running `restorecon -nv /dev /run`
and it didn't report any label differences.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
policycoreutils/scripts/fixfiles | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles
index e73bb81c3336..cb20002ab613 100755
--- a/policycoreutils/scripts/fixfiles
+++ b/policycoreutils/scripts/fixfiles
@@ -163,7 +163,7 @@ newer() {
#
diff_filecontext() {
EXCLUDEDIRS="`exclude_dirs_from_relabelling`"
-for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do
+for i in /sys /proc /mnt /var/tmp /var/lib/BackupPC /home /root /tmp; do
[ -e $i ] && EXCLUDEDIRS="${EXCLUDEDIRS} -e $i";
done
LogExcluded
@@ -176,7 +176,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then
sed -r -e 's,:s0, ,g' $FC | sort -u | \
/usr/bin/diff -b ${PREFCTEMPFILE} - | \
grep '^[<>]'|cut -c3-| grep ^/ | \
- egrep -v '(^/home|^/root|^/tmp|^/dev)' |\
+ egrep -v '(^/home|^/root|^/tmp)' |\
sed -r -e 's,[[:blank:]].*,,g' \
-e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \
-e 's|([/[:alnum:]])\?|{\1,}|g' \
--
2.31.1

15
policycoreutils.spec
View File

@ -11,7 +11,7 @@
Summary: SELinux policy core utilities Summary: SELinux policy core utilities
Name: policycoreutils Name: policycoreutils
Version: 3.2 Version: 3.2
Release: 1%{?dist} Release: 2%{?dist}
License: GPLv2 License: GPLv2
# https://github.com/SELinuxProject/selinux/wiki/Releases # https://github.com/SELinuxProject/selinux/wiki/Releases
Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/selinux-3.2.tar.gz Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/selinux-3.2.tar.gz
@ -28,7 +28,7 @@ Source21: python-po.tgz
Source22: gui-po.tgz Source22: gui-po.tgz
Source23: sandbox-po.tgz Source23: sandbox-po.tgz
# https://github.com/fedora-selinux/selinux # https://github.com/fedora-selinux/selinux
# $ git format-patch -N 3.2-rc2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond # $ git format-patch -N 3.2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
# $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
# Patch list start # Patch list start
Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
@ -48,6 +48,10 @@ Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch
Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
Patch0017: 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch Patch0017: 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
Patch0018: 0018-Do-not-use-Python-slip.patch
Patch0019: 0019-dbus-Use-GLib.MainLoop.patch
Patch0020: 0020-policycoreutils-setfiles-do-not-create-useless-setfi.patch
Patch0021: 0021-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch
# Patch list end # Patch list end
Obsoletes: policycoreutils < 2.0.61-2 Obsoletes: policycoreutils < 2.0.61-2
@ -213,8 +217,8 @@ an SELinux environment.
%package dbus %package dbus
Summary: SELinux policy core DBUS api Summary: SELinux policy core DBUS api
Requires: python3-policycoreutils = %{version}-%{release} Requires: python3-policycoreutils = %{version}-%{release}
Requires: python3-slip-dbus
Requires: python3-gobject-base Requires: python3-gobject-base
Requires: polkit
BuildArch: noarch BuildArch: noarch
%description dbus %description dbus
@ -510,6 +514,11 @@ The policycoreutils-restorecond package contains the restorecond service.
%systemd_postun_with_restart restorecond.service %systemd_postun_with_restart restorecond.service
%changelog %changelog
* Mon May 10 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-2
- Do not use Python slip
- fixfiles: do not exclude /dev and /run in -C mode
- dbus: use GLib.MainLoop
* Mon Mar 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1 * Mon Mar 8 2021 Petr Lautrbach <plautrba@redhat.com> - 3.2-1
- SELinux userspace 3.2 release - SELinux userspace 3.2 release