577b79db7e
- Rebase on upstream f56a72ac9e86 - sepolicy: fix sepolicy manpage -w - sandbox: add -R option to alternate XDG_RUNTIME_DIR - Remove dependency on the Python module distutils
82 lines
2.5 KiB
Diff
82 lines
2.5 KiB
Diff
From 48602370acabffea96759bf66edd00ca829f5d17 Mon Sep 17 00:00:00 2001
|
|
From: Vit Mojzis <vmojzis@redhat.com>
|
|
Date: Tue, 18 Oct 2022 22:36:59 +0200
|
|
Subject: [PATCH] python: Harden tools against "rogue" modules
|
|
Content-type: text/plain
|
|
|
|
Python scripts present in "/usr/sbin" override regular modules.
|
|
Make sure /usr/sbin is not present in PYTHONPATH.
|
|
|
|
Fixes:
|
|
#cat > /usr/sbin/audit.py <<EOF
|
|
import sys
|
|
print("BAD GUY!", file=sys.stderr)
|
|
sys.exit(1)
|
|
EOF
|
|
#semanage boolean -l
|
|
BAD GUY!
|
|
|
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
|
Acked-by: James Carter <jwcart2@gmail.com>
|
|
---
|
|
python/audit2allow/audit2allow | 2 +-
|
|
python/audit2allow/sepolgen-ifgen | 2 +-
|
|
python/chcat/chcat | 2 +-
|
|
python/semanage/semanage | 2 +-
|
|
python/sepolicy/sepolicy.py | 2 +-
|
|
5 files changed, 5 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
|
|
index 09b06f664bc4..eafeea88aa21 100644
|
|
--- a/python/audit2allow/audit2allow
|
|
+++ b/python/audit2allow/audit2allow
|
|
@@ -1,4 +1,4 @@
|
|
-#!/usr/bin/python3 -Es
|
|
+#!/usr/bin/python3 -EsI
|
|
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
# Authors: Dan Walsh <dwalsh@redhat.com>
|
|
#
|
|
diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
|
|
index b7a04c719acc..f2cc0c32f2b0 100644
|
|
--- a/python/audit2allow/sepolgen-ifgen
|
|
+++ b/python/audit2allow/sepolgen-ifgen
|
|
@@ -1,4 +1,4 @@
|
|
-#!/usr/bin/python3 -Es
|
|
+#!/usr/bin/python3 -EsI
|
|
#
|
|
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
#
|
|
diff --git a/python/chcat/chcat b/python/chcat/chcat
|
|
index 952cb8187599..68718ec5f102 100755
|
|
--- a/python/chcat/chcat
|
|
+++ b/python/chcat/chcat
|
|
@@ -1,4 +1,4 @@
|
|
-#!/usr/bin/python3 -Es
|
|
+#!/usr/bin/python3 -EsI
|
|
# Copyright (C) 2005 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
diff --git a/python/semanage/semanage b/python/semanage/semanage
|
|
index 10ab3fa67d7f..b21d1484ab85 100644
|
|
--- a/python/semanage/semanage
|
|
+++ b/python/semanage/semanage
|
|
@@ -1,4 +1,4 @@
|
|
-#!/usr/bin/python3 -Es
|
|
+#!/usr/bin/python3 -EsI
|
|
# Copyright (C) 2012-2013 Red Hat
|
|
# AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
|
|
# AUTHOR: David Quigley <selinux@davequigley.com>
|
|
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
|
|
index c7a70e094b0c..733d40484709 100755
|
|
--- a/python/sepolicy/sepolicy.py
|
|
+++ b/python/sepolicy/sepolicy.py
|
|
@@ -1,4 +1,4 @@
|
|
-#!/usr/bin/python3 -Es
|
|
+#!/usr/bin/python3 -EsI
|
|
# Copyright (C) 2012 Red Hat
|
|
# AUTHOR: Dan Walsh <dwalsh@redhat.com>
|
|
# see file 'COPYING' for use and warranty information
|
|
--
|
|
2.38.1
|
|
|