From 10a970733c5b31c237abd7357421384597fe0510 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: Thu, 15 Apr 2021 17:39:39 +0200 Subject: [PATCH] Do not use Python slip Python slip is not actively maintained anymore and it was use just as polkit proxy. It looks like polkit dbus interface is quite simple to use it directly via python dbus module. Signed-off-by: Petr Lautrbach --- dbus/selinux_server.py | 69 ++++++++++++++++++------------ python/sepolicy/sepolicy/sedbus.py | 9 ---- 2 files changed, 41 insertions(+), 37 deletions(-) diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py index be4f4557a9fa..b7c9378bcb5d 100644 --- a/dbus/selinux_server.py +++ b/dbus/selinux_server.py @@ -4,26 +4,33 @@ import dbus import dbus.service import dbus.mainloop.glib from gi.repository import GObject -import slip.dbus.service -from slip.dbus import polkit import os import selinux from subprocess import Popen, PIPE, STDOUT -class selinux_server(slip.dbus.service.Object): +class selinux_server(dbus.service.Object): default_polkit_auth_required = "org.selinux.semanage" def __init__(self, *p, **k): super(selinux_server, self).__init__(*p, **k) + def is_authorized(self, sender, action_id): + bus = dbus.SystemBus() + proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority') + authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority') + subject = ('system-bus-name', {'name': sender}) + result = authority.CheckAuthorization(subject, action_id, {}, 1, '') + return result[0] + # # The semanage method runs a transaction on a series of semanage commands, # these commands can take the output of customized # - @slip.dbus.polkit.require_auth("org.selinux.semanage") - @dbus.service.method("org.selinux", in_signature='s') - def semanage(self, buf): + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") + def semanage(self, buf, sender): + if not self.is_authorized(sender, "org.selinux.semanage"): + raise dbus.exceptions.DBusException("Not authorized") p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True) p.stdin.write(buf) output = p.communicate() @@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object): # on the server. This output can be used with the semanage method on # another server to make the two systems have duplicate policy. # - @slip.dbus.polkit.require_auth("org.selinux.customized") - @dbus.service.method("org.selinux", in_signature='', out_signature='s') - def customized(self): + @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") + def customized(self, sender): + if not self.is_authorized(sender, "org.selinux.customized"): + raise dbus.exceptions.DBusException("Not authorized") p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True) buf = p.stdout.read() output = p.communicate() @@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object): # The semodule_list method will return the output of semodule --list=full, using the customized polkit, # since this is a readonly behaviour # - @slip.dbus.polkit.require_auth("org.selinux.semodule_list") - @dbus.service.method("org.selinux", in_signature='', out_signature='s') - def semodule_list(self): + @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") + def semodule_list(self, sender): + if not self.is_authorized(sender, "org.selinux.semodule_list"): + raise dbus.exceptions.DBusException("Not authorized") p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True) buf = p.stdout.read() output = p.communicate() @@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object): # # The restorecon method modifies any file path to the default system label # - @slip.dbus.polkit.require_auth("org.selinux.restorecon") - @dbus.service.method("org.selinux", in_signature='s') - def restorecon(self, path): + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") + def restorecon(self, path, sender): + if not self.is_authorized(sender, "org.selinux.restorecon"): + raise dbus.exceptions.DBusException("Not authorized") selinux.restorecon(str(path), recursive=1) # # The setenforce method turns off the current enforcement of SELinux # - @slip.dbus.polkit.require_auth("org.selinux.setenforce") - @dbus.service.method("org.selinux", in_signature='i') - def setenforce(self, value): + @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") + def setenforce(self, value, sender): + if not self.is_authorized(sender, "org.selinux.setenforce"): + raise dbus.exceptions.DBusException("Not authorized") selinux.security_setenforce(value) # # The setenforce method turns off the current enforcement of SELinux # - @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot") - @dbus.service.method("org.selinux", in_signature='i') - def relabel_on_boot(self, value): + @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") + def relabel_on_boot(self, value, sender): + if not self.is_authorized(sender, "org.selinux.relabel_on_boot"): + raise dbus.exceptions.DBusException("Not authorized") if value == 1: fd = open("/.autorelabel", "w") fd.close() @@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object): # # The change_default_enforcement modifies the current enforcement mode # - @slip.dbus.polkit.require_auth("org.selinux.change_default_mode") - @dbus.service.method("org.selinux", in_signature='s') - def change_default_mode(self, value): + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") + def change_default_mode(self, value, sender): + if not self.is_authorized(sender, "org.selinux.change_default_mode"): + raise dbus.exceptions.DBusException("Not authorized") values = ["enforcing", "permissive", "disabled"] if value not in values: raise ValueError("Enforcement mode must be %s" % ", ".join(values)) @@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object): # # The change_default_policy method modifies the policy type # - @slip.dbus.polkit.require_auth("org.selinux.change_default_policy") - @dbus.service.method("org.selinux", in_signature='s') - def change_default_policy(self, value): + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") + def change_default_policy(self, value, sender): + if not self.is_authorized(sender, "org.selinux.change_default_policy"): + raise dbus.exceptions.DBusException("Not authorized") path = selinux.selinux_path() + value if os.path.isdir(path): return self.write_selinux_config(policy=value) @@ -136,5 +150,4 @@ if __name__ == "__main__": system_bus = dbus.SystemBus() name = dbus.service.BusName("org.selinux", system_bus) object = selinux_server(system_bus, "/org/selinux/object") - slip.dbus.service.set_mainloop(mainloop) mainloop.run() diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py index 76b259ae27e8..39b53d47753a 100644 --- a/python/sepolicy/sepolicy/sedbus.py +++ b/python/sepolicy/sepolicy/sedbus.py @@ -2,7 +2,6 @@ import sys import dbus import dbus.service import dbus.mainloop.glib -from slip.dbus import polkit class SELinuxDBus (object): @@ -11,42 +10,34 @@ class SELinuxDBus (object): self.bus = dbus.SystemBus() self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object") - @polkit.enable_proxy def semanage(self, buf): ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux") return ret - @polkit.enable_proxy def restorecon(self, path): ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux") return ret - @polkit.enable_proxy def setenforce(self, value): ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux") return ret - @polkit.enable_proxy def customized(self): ret = self.dbus_object.customized(dbus_interface="org.selinux") return ret - @polkit.enable_proxy def semodule_list(self): ret = self.dbus_object.semodule_list(dbus_interface="org.selinux") return ret - @polkit.enable_proxy def relabel_on_boot(self, value): ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux") return ret - @polkit.enable_proxy def change_default_mode(self, value): ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux") return ret - @polkit.enable_proxy def change_default_policy(self, value): ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux") return ret -- 2.32.0