From e96ebee816b48df3df7794cf5c861c5d232d40f4 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 21 Apr 2021 17:09:10 +0200
Subject: [PATCH] Do not use Python slip

Python slip is not actively maintained anymore and it was use just as
polkit proxy. It looks like polkit dbus interface is quite simple to use
it directly via python dbus module.

Resolves: rhbz#1949841
---
 0018-Do-not-use-Python-slip.patch | 217 ++++++++++++++++++++++++++++++
 policycoreutils.spec              |   3 +-
 2 files changed, 219 insertions(+), 1 deletion(-)
 create mode 100644 0018-Do-not-use-Python-slip.patch

diff --git a/0018-Do-not-use-Python-slip.patch b/0018-Do-not-use-Python-slip.patch
new file mode 100644
index 0000000..3062efd
--- /dev/null
+++ b/0018-Do-not-use-Python-slip.patch
@@ -0,0 +1,217 @@
+From ebfdc2e9e1eebfa75f1c230085ea4def40905158 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Thu, 15 Apr 2021 17:39:39 +0200
+Subject: [PATCH] Do not use Python slip
+
+Python slip is not actively maintained anymore and it was use just as
+polkit proxy. It looks like polkit dbus interface is quite simple to use
+it directly via python dbus module.
+
+Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
+---
+ dbus/selinux_server.py             | 69 ++++++++++++++++++------------
+ python/sepolicy/sepolicy/sedbus.py |  9 ----
+ 2 files changed, 41 insertions(+), 37 deletions(-)
+
+diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
+index be4f4557a9fa..f13f90cddbb6 100644
+--- a/dbus/selinux_server.py
++++ b/dbus/selinux_server.py
+@@ -4,26 +4,33 @@ import dbus
+ import dbus.service
+ import dbus.mainloop.glib
+ from gi.repository import GObject
+-import slip.dbus.service
+-from slip.dbus import polkit
+ import os
+ import selinux
+ from subprocess import Popen, PIPE, STDOUT
+ 
+ 
+-class selinux_server(slip.dbus.service.Object):
++class selinux_server(dbus.service.Object):
+     default_polkit_auth_required = "org.selinux.semanage"
+ 
+     def __init__(self, *p, **k):
+         super(selinux_server, self).__init__(*p, **k)
+ 
++    def is_authorized(self, sender, action_id):
++        bus = dbus.SystemBus()
++        proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
++        authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
++        subject = ('system-bus-name', {'name': sender})
++        result = authority.CheckAuthorization(subject, action_id, {}, 1, '')
++        return result[0]
++
+     #
+     # The semanage method runs a transaction on a series of semanage commands,
+     # these commands can take the output of customized
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.semanage")
+-    @dbus.service.method("org.selinux", in_signature='s')
+-    def semanage(self, buf):
++    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
++    def semanage(self, buf, sender):
++        if not self.is_authorized(sender, "org.selinux.semanage"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
+         p.stdin.write(buf)
+         output = p.communicate()
+@@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object):
+     # on the server.  This output can be used with the semanage method on
+     # another server to make the two systems have duplicate policy.
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.customized")
+-    @dbus.service.method("org.selinux", in_signature='', out_signature='s')
+-    def customized(self):
++    @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
++    def customized(self, sender):
++        if not self.is_authorized(sender, "org.selinux.customized"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
+         buf = p.stdout.read()
+         output = p.communicate()
+@@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object):
+     # The semodule_list method will return the output of semodule --list=full, using the customized polkit,
+     # since this is a readonly behaviour
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
+-    @dbus.service.method("org.selinux", in_signature='', out_signature='s')
+-    def semodule_list(self):
++    @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
++    def semodule_list(self, sender):
++        if not self.is_authorized(sender, "org.selinux.semodule_list"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
+         buf = p.stdout.read()
+         output = p.communicate()
+@@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object):
+     #
+     # The restorecon method modifies any file path to the default system label
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.restorecon")
+-    @dbus.service.method("org.selinux", in_signature='s')
+-    def restorecon(self, path):
++    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
++    def restorecon(self, path, sender):
++        if not self.is_authorized(sender, "org.selinux.restorecon"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         selinux.restorecon(str(path), recursive=1)
+ 
+     #
+     # The setenforce method turns off the current enforcement of SELinux
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.setenforce")
+-    @dbus.service.method("org.selinux", in_signature='i')
+-    def setenforce(self, value):
++    @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
++    def setenforce(self, value, sender):
++        if not self.is_authorized(sender, "org.selinux.setenforce"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         selinux.security_setenforce(value)
+ 
+     #
+     # The setenforce method turns off the current enforcement of SELinux
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
+-    @dbus.service.method("org.selinux", in_signature='i')
+-    def relabel_on_boot(self, value):
++    @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
++    def relabel_on_boot(self, value, sender):
++        if not self.is_authorized(sender, "org.selinux.relabel_on_reboot"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         if value == 1:
+             fd = open("/.autorelabel", "w")
+             fd.close()
+@@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object):
+     #
+     # The change_default_enforcement modifies the current enforcement mode
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
+-    @dbus.service.method("org.selinux", in_signature='s')
+-    def change_default_mode(self, value):
++    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
++    def change_default_mode(self, value, sender):
++        if not self.is_authorized(sender, "org.selinux.change_default_mode"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         values = ["enforcing", "permissive", "disabled"]
+         if value not in values:
+             raise ValueError("Enforcement mode must be %s" % ", ".join(values))
+@@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object):
+     #
+     # The change_default_policy method modifies the policy type
+     #
+-    @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
+-    @dbus.service.method("org.selinux", in_signature='s')
+-    def change_default_policy(self, value):
++    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
++    def change_default_policy(self, value, sender):
++        if not self.is_authorized(sender, "org.selinux.change_default_policy"):
++            raise dbus.exceptions.DBusException("Not authorized")
+         path = selinux.selinux_path() + value
+         if os.path.isdir(path):
+             return self.write_selinux_config(policy=value)
+@@ -136,5 +150,4 @@ if __name__ == "__main__":
+     system_bus = dbus.SystemBus()
+     name = dbus.service.BusName("org.selinux", system_bus)
+     object = selinux_server(system_bus, "/org/selinux/object")
+-    slip.dbus.service.set_mainloop(mainloop)
+     mainloop.run()
+diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py
+index 76b259ae27e8..39b53d47753a 100644
+--- a/python/sepolicy/sepolicy/sedbus.py
++++ b/python/sepolicy/sepolicy/sedbus.py
+@@ -2,7 +2,6 @@ import sys
+ import dbus
+ import dbus.service
+ import dbus.mainloop.glib
+-from slip.dbus import polkit
+ 
+ 
+ class SELinuxDBus (object):
+@@ -11,42 +10,34 @@ class SELinuxDBus (object):
+         self.bus = dbus.SystemBus()
+         self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object")
+ 
+-    @polkit.enable_proxy
+     def semanage(self, buf):
+         ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def restorecon(self, path):
+         ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def setenforce(self, value):
+         ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def customized(self):
+         ret = self.dbus_object.customized(dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def semodule_list(self):
+         ret = self.dbus_object.semodule_list(dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def relabel_on_boot(self, value):
+         ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def change_default_mode(self, value):
+         ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux")
+         return ret
+ 
+-    @polkit.enable_proxy
+     def change_default_policy(self, value):
+         ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux")
+         return ret
+-- 
+2.31.1
+
diff --git a/policycoreutils.spec b/policycoreutils.spec
index c2ab037..4e61564 100644
--- a/policycoreutils.spec
+++ b/policycoreutils.spec
@@ -28,7 +28,7 @@ Source21: python-po.tgz
 Source22: gui-po.tgz
 Source23: sandbox-po.tgz
 # https://github.com/fedora-selinux/selinux
-# $ git format-patch -N 3.2-rc2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
+# $ git format-patch -N 3.2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond
 # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done
 # Patch list start
 Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch
@@ -48,6 +48,7 @@ Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch
 Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch
 Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch
 Patch0017: 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch
+Patch0018: 0018-Do-not-use-Python-slip.patch
 # Patch list end
 
 Obsoletes: policycoreutils < 2.0.61-2