policycoreutils/0017-python-Harden-tools-against-rogue-modules.patch
Petr Lautrbach 577b79db7e policycoreutils-3.4-7
- Rebase on upstream f56a72ac9e86
- sepolicy: fix sepolicy manpage -w
- sandbox: add -R option to alternate XDG_RUNTIME_DIR
- Remove dependency on the Python module distutils
2022-11-21 16:06:48 +01:00

82 lines
2.5 KiB
Diff

From 48602370acabffea96759bf66edd00ca829f5d17 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 18 Oct 2022 22:36:59 +0200
Subject: [PATCH] python: Harden tools against "rogue" modules
Content-type: text/plain
Python scripts present in "/usr/sbin" override regular modules.
Make sure /usr/sbin is not present in PYTHONPATH.
Fixes:
#cat > /usr/sbin/audit.py <<EOF
import sys
print("BAD GUY!", file=sys.stderr)
sys.exit(1)
EOF
#semanage boolean -l
BAD GUY!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
python/audit2allow/audit2allow | 2 +-
python/audit2allow/sepolgen-ifgen | 2 +-
python/chcat/chcat | 2 +-
python/semanage/semanage | 2 +-
python/sepolicy/sepolicy.py | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
index 09b06f664bc4..eafeea88aa21 100644
--- a/python/audit2allow/audit2allow
+++ b/python/audit2allow/audit2allow
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
# Authors: Dan Walsh <dwalsh@redhat.com>
#
diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
index b7a04c719acc..f2cc0c32f2b0 100644
--- a/python/audit2allow/sepolgen-ifgen
+++ b/python/audit2allow/sepolgen-ifgen
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
diff --git a/python/chcat/chcat b/python/chcat/chcat
index 952cb8187599..68718ec5f102 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2005 Red Hat
# see file 'COPYING' for use and warranty information
#
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 10ab3fa67d7f..b21d1484ab85 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012-2013 Red Hat
# AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
# AUTHOR: David Quigley <selinux@davequigley.com>
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index c7a70e094b0c..733d40484709 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012 Red Hat
# AUTHOR: Dan Walsh <dwalsh@redhat.com>
# see file 'COPYING' for use and warranty information
--
2.38.1