e96ebee816
Python slip is not actively maintained anymore and it was used just as a polkit proxy. It looks like the polkit dbus interface is simple enough to use directly via the python dbus module. Resolves: rhbz#1949841
From ebfdc2e9e1eebfa75f1c230085ea4def40905158 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 15 Apr 2021 17:39:39 +0200
Subject: [PATCH] Do not use Python slip
Python slip is not actively maintained anymore and it was use just as
polkit proxy. It looks like polkit dbus interface is quite simple to use
it directly via python dbus module.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
dbus/selinux_server.py | 69 ++++++++++++++++++------------
python/sepolicy/sepolicy/sedbus.py | 9 ----
2 files changed, 41 insertions(+), 37 deletions(-)
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index be4f4557a9fa..f13f90cddbb6 100644
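--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -4,26 +4,33 @@ import dbus
 import dbus.service
 import dbus.mainloop.glib
 from gi.repository import GObject
-import slip.dbus.service
-from slip.dbus import polkit
 import os
 import selinux
 from subprocess import Popen, PIPE, STDOUT
 
 
-class selinux_server(slip.dbus.service.Object):
+class selinux_server(dbus.service.Object):
 default_polkit_auth_required = "org.selinux.semanage"
 
 def __init__(self, *p, **k):
 super(selinux_server, self).__init__(*p, **k)
 
+ def is_authorized(self, sender, action_id):
+ bus = dbus.SystemBus()
+ proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
+ authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
+ subject = ('system-bus-name', {'name': sender})
+ result = authority.CheckAuthorization(subject, action_id, {}, 1, '')
+ return result[0]
+
 #
 # The semanage method runs a transaction on a series of semanage commands,
 # these commands can take the output of customized
 #
- @slip.dbus.polkit.require_auth("org.selinux.semanage")
- @dbus.service.method("org.selinux", in_signature='s')
- def semanage(self, buf):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def semanage(self, buf, sender):
+ if not self.is_authorized(sender, "org.selinux.semanage"):
+ raise dbus.exceptions.DBusException("Not authorized")
 p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
 p.stdin.write(buf)
 output = p.communicate()
@@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object):
 # on the server. This output can be used with the semanage method on
 # another server to make the two systems have duplicate policy.
 #
- @slip.dbus.polkit.require_auth("org.selinux.customized")
- @dbus.service.method("org.selinux", in_signature='', out_signature='s')
- def customized(self):
+ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
+ def customized(self, sender):
+ if not self.is_authorized(sender, "org.selinux.customized"):
+ raise dbus.exceptions.DBusException("Not authorized")
 p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
 buf = p.stdout.read()
 output = p.communicate()
@@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object):
 # The semodule_list method will return the output of semodule --list=full, using the customized polkit,
 # since this is a readonly behaviour
 #
- @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
- @dbus.service.method("org.selinux", in_signature='', out_signature='s')
- def semodule_list(self):
+ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
+ def semodule_list(self, sender):
+ if not self.is_authorized(sender, "org.selinux.semodule_list"):
+ raise dbus.exceptions.DBusException("Not authorized")
 p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
 buf = p.stdout.read()
 output = p.communicate()
@@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object):
 #
 # The restorecon method modifies any file path to the default system label
 #
- @slip.dbus.polkit.require_auth("org.selinux.restorecon")
- @dbus.service.method("org.selinux", in_signature='s')
- def restorecon(self, path):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def restorecon(self, path, sender):
+ if not self.is_authorized(sender, "org.selinux.restorecon"):
+ raise dbus.exceptions.DBusException("Not authorized")
 selinux.restorecon(str(path), recursive=1)
 
 #
 # The setenforce method turns off the current enforcement of SELinux
 #
- @slip.dbus.polkit.require_auth("org.selinux.setenforce")
- @dbus.service.method("org.selinux", in_signature='i')
- def setenforce(self, value):
+ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
+ def setenforce(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.setenforce"):
+ raise dbus.exceptions.DBusException("Not authorized")
 selinux.security_setenforce(value)
 
 #
 # The setenforce method turns off the current enforcement of SELinux
 #
- @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
- @dbus.service.method("org.selinux", in_signature='i')
- def relabel_on_boot(self, value):
+ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
+ def relabel_on_boot(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.relabel_on_reboot"):
+ raise dbus.exceptions.DBusException("Not authorized")
 if value == 1:
 fd = open("/.autorelabel", "w")
 fd.close()
@@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object):
 #
 # The change_default_enforcement modifies the current enforcement mode
 #
- @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
- @dbus.service.method("org.selinux", in_signature='s')
- def change_default_mode(self, value):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def change_default_mode(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.change_default_mode"):
+ raise dbus.exceptions.DBusException("Not authorized")
 values = ["enforcing", "permissive", "disabled"]
 if value not in values:
 raise ValueError("Enforcement mode must be %s" % ", ".join(values))
@@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object):
 #
 # The change_default_policy method modifies the policy type
 #
- @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
- @dbus.service.method("org.selinux", in_signature='s')
- def change_default_policy(self, value):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def change_default_policy(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.change_default_policy"):
+ raise dbus.exceptions.DBusException("Not authorized")
 path = selinux.selinux_path() + value
 if os.path.isdir(path):
 return self.write_selinux_config(policy=value)
@@ -136,5 +150,4 @@ if __name__ == "__main__":
 system_bus = dbus.SystemBus()
 name = dbus.service.BusName("org.selinux", system_bus)
 object = selinux_server(system_bus, "/org/selinux/object")
- slip.dbus.service.set_mainloop(mainloop)
 mainloop.run()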
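Review bot: In the `relabel_on_boot` hunk the new guard asks polkit about `org.selinux.relabel_on_reboot`, while the `require_auth` decorator it replaces named `org.selinux.relabel_on_boot`; every other method in this file keeps its old action id. Unless the installed polkit policy also registers the `_on_reboot` spelling (the policy file is not part of this patch), `CheckAuthorization` has no matching action to evaluate, so the call would likely fail for every caller or be judged under a different rule than before. The check should read `if not self.is_authorized(sender, "org.selinux.relabel_on_boot"):`; the method body continues past the end of the hunk. Separately, a short comment in `is_authorized` noting that the literal `1` is polkit's AllowUserInteraction flag, and that only the first element of the reply (the authorized boolean) is returned, would make the authorization decision easier to audit.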
diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py
index 76b259ae27e8..39b53d47753a 100644
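--- a/python/sepolicy/sepolicy/sedbus.py
+++ b/python/sepolicy/sepolicy/sedbus.py
@@ -2,7 +2,6 @@ import sys
 import dbus
 import dbus.service
 import dbus.mainloop.glib
-from slip.dbus import polkit
 
 
 class SELinuxDBus (object):
@@ -11,42 +10,34 @@ class SELinuxDBus (object):
 self.bus = dbus.SystemBus()
 self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object")
 
- @polkit.enable_proxy
 def semanage(self, buf):
 ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux")
 return ret
 
- @polkit.enable_proxy
 def restorecon(self, path):
 ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux")
 return ret
 
- @polkit.enable_proxy
 def setenforce(self, value):
 ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux")
 return ret
 
- @polkit.enable_proxy
 def customized(self):
 ret = self.dbus_object.customized(dbus_interface="org.selinux")
 return ret
 
- @polkit.enable_proxy
 def semodule_list(self):
 ret = self.dbus_object.semodule_list(dbus_interface="org.selinux")
 return ret
 
- @polkit.enable_proxy
 def relabel_on_boot(self, value):
 ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux")
 return ret
 
- @polkit.enable_proxy
 def change_default_mode(self, value):
 ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux")
 return ret
 
- @polkit.enable_proxy
 def change_default_policy(self, value):
 ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux")
 return ret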
--
2.31.1