diff --git a/0018-Do-not-use-Python-slip.patch b/0018-Do-not-use-Python-slip.patch new file mode 100644 index 0000000..3062efd --- /dev/null +++ b/0018-Do-not-use-Python-slip.patch @@ -0,0 +1,217 @@ +From ebfdc2e9e1eebfa75f1c230085ea4def40905158 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Thu, 15 Apr 2021 17:39:39 +0200 +Subject: [PATCH] Do not use Python slip + +Python slip is not actively maintained anymore and it was use just as +polkit proxy. It looks like polkit dbus interface is quite simple to use +it directly via python dbus module. + +Signed-off-by: Petr Lautrbach +--- + dbus/selinux_server.py | 69 ++++++++++++++++++------------ + python/sepolicy/sepolicy/sedbus.py | 9 ---- + 2 files changed, 41 insertions(+), 37 deletions(-) + +diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py +index be4f4557a9fa..f13f90cddbb6 100644 +--- a/dbus/selinux_server.py ++++ b/dbus/selinux_server.py +@@ -4,26 +4,33 @@ import dbus + import dbus.service + import dbus.mainloop.glib + from gi.repository import GObject +-import slip.dbus.service +-from slip.dbus import polkit + import os + import selinux + from subprocess import Popen, PIPE, STDOUT + + +-class selinux_server(slip.dbus.service.Object): ++class selinux_server(dbus.service.Object): + default_polkit_auth_required = "org.selinux.semanage" + + def __init__(self, *p, **k): + super(selinux_server, self).__init__(*p, **k) + ++ def is_authorized(self, sender, action_id): ++ bus = dbus.SystemBus() ++ proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority') ++ authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority') ++ subject = ('system-bus-name', {'name': sender}) ++ result = authority.CheckAuthorization(subject, action_id, {}, 1, '') ++ return result[0] ++ + # + # The semanage method runs a transaction on a series of semanage commands, + # these commands can take the output of customized + # +- @slip.dbus.polkit.require_auth("org.selinux.semanage") +- @dbus.service.method("org.selinux", in_signature='s') +- def semanage(self, buf): ++ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") ++ def semanage(self, buf, sender): ++ if not self.is_authorized(sender, "org.selinux.semanage"): ++ raise dbus.exceptions.DBusException("Not authorized") + p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True) + p.stdin.write(buf) + output = p.communicate() +@@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object): + # on the server. This output can be used with the semanage method on + # another server to make the two systems have duplicate policy. + # +- @slip.dbus.polkit.require_auth("org.selinux.customized") +- @dbus.service.method("org.selinux", in_signature='', out_signature='s') +- def customized(self): ++ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") ++ def customized(self, sender): ++ if not self.is_authorized(sender, "org.selinux.customized"): ++ raise dbus.exceptions.DBusException("Not authorized") + p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True) + buf = p.stdout.read() + output = p.communicate() +@@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object): + # The semodule_list method will return the output of semodule --list=full, using the customized polkit, + # since this is a readonly behaviour + # +- @slip.dbus.polkit.require_auth("org.selinux.semodule_list") +- @dbus.service.method("org.selinux", in_signature='', out_signature='s') +- def semodule_list(self): ++ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") ++ def semodule_list(self, sender): ++ if not self.is_authorized(sender, "org.selinux.semodule_list"): ++ raise dbus.exceptions.DBusException("Not authorized") + p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True) + buf = p.stdout.read() + output = p.communicate() +@@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object): + # + # The restorecon method modifies any file path to the default system label + # +- @slip.dbus.polkit.require_auth("org.selinux.restorecon") +- @dbus.service.method("org.selinux", in_signature='s') +- def restorecon(self, path): ++ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") ++ def restorecon(self, path, sender): ++ if not self.is_authorized(sender, "org.selinux.restorecon"): ++ raise dbus.exceptions.DBusException("Not authorized") + selinux.restorecon(str(path), recursive=1) + + # + # The setenforce method turns off the current enforcement of SELinux + # +- @slip.dbus.polkit.require_auth("org.selinux.setenforce") +- @dbus.service.method("org.selinux", in_signature='i') +- def setenforce(self, value): ++ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") ++ def setenforce(self, value, sender): ++ if not self.is_authorized(sender, "org.selinux.setenforce"): ++ raise dbus.exceptions.DBusException("Not authorized") + selinux.security_setenforce(value) + + # + # The setenforce method turns off the current enforcement of SELinux + # +- @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot") +- @dbus.service.method("org.selinux", in_signature='i') +- def relabel_on_boot(self, value): ++ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") ++ def relabel_on_boot(self, value, sender): ++ if not self.is_authorized(sender, "org.selinux.relabel_on_reboot"): ++ raise dbus.exceptions.DBusException("Not authorized") + if value == 1: + fd = open("/.autorelabel", "w") + fd.close() +@@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object): + # + # The change_default_enforcement modifies the current enforcement mode + # +- @slip.dbus.polkit.require_auth("org.selinux.change_default_mode") +- @dbus.service.method("org.selinux", in_signature='s') +- def change_default_mode(self, value): ++ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") ++ def change_default_mode(self, value, sender): ++ if not self.is_authorized(sender, "org.selinux.change_default_mode"): ++ raise dbus.exceptions.DBusException("Not authorized") + values = ["enforcing", "permissive", "disabled"] + if value not in values: + raise ValueError("Enforcement mode must be %s" % ", ".join(values)) +@@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object): + # + # The change_default_policy method modifies the policy type + # +- @slip.dbus.polkit.require_auth("org.selinux.change_default_policy") +- @dbus.service.method("org.selinux", in_signature='s') +- def change_default_policy(self, value): ++ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") ++ def change_default_policy(self, value, sender): ++ if not self.is_authorized(sender, "org.selinux.change_default_policy"): ++ raise dbus.exceptions.DBusException("Not authorized") + path = selinux.selinux_path() + value + if os.path.isdir(path): + return self.write_selinux_config(policy=value) +@@ -136,5 +150,4 @@ if __name__ == "__main__": + system_bus = dbus.SystemBus() + name = dbus.service.BusName("org.selinux", system_bus) + object = selinux_server(system_bus, "/org/selinux/object") +- slip.dbus.service.set_mainloop(mainloop) + mainloop.run() +diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py +index 76b259ae27e8..39b53d47753a 100644 +--- a/python/sepolicy/sepolicy/sedbus.py ++++ b/python/sepolicy/sepolicy/sedbus.py +@@ -2,7 +2,6 @@ import sys + import dbus + import dbus.service + import dbus.mainloop.glib +-from slip.dbus import polkit + + + class SELinuxDBus (object): +@@ -11,42 +10,34 @@ class SELinuxDBus (object): + self.bus = dbus.SystemBus() + self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object") + +- @polkit.enable_proxy + def semanage(self, buf): + ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def restorecon(self, path): + ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def setenforce(self, value): + ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def customized(self): + ret = self.dbus_object.customized(dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def semodule_list(self): + ret = self.dbus_object.semodule_list(dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def relabel_on_boot(self, value): + ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def change_default_mode(self, value): + ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def change_default_policy(self, value): + ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux") + return ret +-- +2.31.1 + diff --git a/policycoreutils.spec b/policycoreutils.spec index c2ab037..4e61564 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -28,7 +28,7 @@ Source21: python-po.tgz Source22: gui-po.tgz Source23: sandbox-po.tgz # https://github.com/fedora-selinux/selinux -# $ git format-patch -N 3.2-rc2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond +# $ git format-patch -N 3.2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done # Patch list start Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch @@ -48,6 +48,7 @@ Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch Patch0017: 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch +Patch0018: 0018-Do-not-use-Python-slip.patch # Patch list end Obsoletes: policycoreutils < 2.0.61-2