policycoreutils/0018-Do-not-use-Python-slip.patch
Petr Lautrbach e96ebee816 Do not use Python slip
Python slip is not actively maintained anymore and it was use just as
polkit proxy. It looks like polkit dbus interface is quite simple to use
it directly via python dbus module.

Resolves: rhbz#1949841
2021-04-21 17:09:10 +02:00

218 lines
9.3 KiB
Diff

From ebfdc2e9e1eebfa75f1c230085ea4def40905158 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 15 Apr 2021 17:39:39 +0200
Subject: [PATCH] Do not use Python slip
Python slip is not actively maintained anymore and it was use just as
polkit proxy. It looks like polkit dbus interface is quite simple to use
it directly via python dbus module.
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
dbus/selinux_server.py | 69 ++++++++++++++++++------------
python/sepolicy/sepolicy/sedbus.py | 9 ----
2 files changed, 41 insertions(+), 37 deletions(-)
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index be4f4557a9fa..f13f90cddbb6 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -4,26 +4,33 @@ import dbus
import dbus.service
import dbus.mainloop.glib
from gi.repository import GObject
-import slip.dbus.service
-from slip.dbus import polkit
import os
import selinux
from subprocess import Popen, PIPE, STDOUT
-class selinux_server(slip.dbus.service.Object):
+class selinux_server(dbus.service.Object):
default_polkit_auth_required = "org.selinux.semanage"
def __init__(self, *p, **k):
super(selinux_server, self).__init__(*p, **k)
+ def is_authorized(self, sender, action_id):
+ bus = dbus.SystemBus()
+ proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
+ authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
+ subject = ('system-bus-name', {'name': sender})
+ result = authority.CheckAuthorization(subject, action_id, {}, 1, '')
+ return result[0]
+
#
# The semanage method runs a transaction on a series of semanage commands,
# these commands can take the output of customized
#
- @slip.dbus.polkit.require_auth("org.selinux.semanage")
- @dbus.service.method("org.selinux", in_signature='s')
- def semanage(self, buf):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def semanage(self, buf, sender):
+ if not self.is_authorized(sender, "org.selinux.semanage"):
+ raise dbus.exceptions.DBusException("Not authorized")
p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
p.stdin.write(buf)
output = p.communicate()
@@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object):
# on the server. This output can be used with the semanage method on
# another server to make the two systems have duplicate policy.
#
- @slip.dbus.polkit.require_auth("org.selinux.customized")
- @dbus.service.method("org.selinux", in_signature='', out_signature='s')
- def customized(self):
+ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
+ def customized(self, sender):
+ if not self.is_authorized(sender, "org.selinux.customized"):
+ raise dbus.exceptions.DBusException("Not authorized")
p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
buf = p.stdout.read()
output = p.communicate()
@@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object):
# The semodule_list method will return the output of semodule --list=full, using the customized polkit,
# since this is a readonly behaviour
#
- @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
- @dbus.service.method("org.selinux", in_signature='', out_signature='s')
- def semodule_list(self):
+ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
+ def semodule_list(self, sender):
+ if not self.is_authorized(sender, "org.selinux.semodule_list"):
+ raise dbus.exceptions.DBusException("Not authorized")
p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
buf = p.stdout.read()
output = p.communicate()
@@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object):
#
# The restorecon method modifies any file path to the default system label
#
- @slip.dbus.polkit.require_auth("org.selinux.restorecon")
- @dbus.service.method("org.selinux", in_signature='s')
- def restorecon(self, path):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def restorecon(self, path, sender):
+ if not self.is_authorized(sender, "org.selinux.restorecon"):
+ raise dbus.exceptions.DBusException("Not authorized")
selinux.restorecon(str(path), recursive=1)
#
# The setenforce method turns off the current enforcement of SELinux
#
- @slip.dbus.polkit.require_auth("org.selinux.setenforce")
- @dbus.service.method("org.selinux", in_signature='i')
- def setenforce(self, value):
+ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
+ def setenforce(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.setenforce"):
+ raise dbus.exceptions.DBusException("Not authorized")
selinux.security_setenforce(value)
#
# The setenforce method turns off the current enforcement of SELinux
#
- @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
- @dbus.service.method("org.selinux", in_signature='i')
- def relabel_on_boot(self, value):
+ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
+ def relabel_on_boot(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.relabel_on_reboot"):
+ raise dbus.exceptions.DBusException("Not authorized")
if value == 1:
fd = open("/.autorelabel", "w")
fd.close()
@@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object):
#
# The change_default_enforcement modifies the current enforcement mode
#
- @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
- @dbus.service.method("org.selinux", in_signature='s')
- def change_default_mode(self, value):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def change_default_mode(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.change_default_mode"):
+ raise dbus.exceptions.DBusException("Not authorized")
values = ["enforcing", "permissive", "disabled"]
if value not in values:
raise ValueError("Enforcement mode must be %s" % ", ".join(values))
@@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object):
#
# The change_default_policy method modifies the policy type
#
- @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
- @dbus.service.method("org.selinux", in_signature='s')
- def change_default_policy(self, value):
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+ def change_default_policy(self, value, sender):
+ if not self.is_authorized(sender, "org.selinux.change_default_policy"):
+ raise dbus.exceptions.DBusException("Not authorized")
path = selinux.selinux_path() + value
if os.path.isdir(path):
return self.write_selinux_config(policy=value)
@@ -136,5 +150,4 @@ if __name__ == "__main__":
system_bus = dbus.SystemBus()
name = dbus.service.BusName("org.selinux", system_bus)
object = selinux_server(system_bus, "/org/selinux/object")
- slip.dbus.service.set_mainloop(mainloop)
mainloop.run()
diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py
index 76b259ae27e8..39b53d47753a 100644
--- a/python/sepolicy/sepolicy/sedbus.py
+++ b/python/sepolicy/sepolicy/sedbus.py
@@ -2,7 +2,6 @@ import sys
import dbus
import dbus.service
import dbus.mainloop.glib
-from slip.dbus import polkit
class SELinuxDBus (object):
@@ -11,42 +10,34 @@ class SELinuxDBus (object):
self.bus = dbus.SystemBus()
self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object")
- @polkit.enable_proxy
def semanage(self, buf):
ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def restorecon(self, path):
ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def setenforce(self, value):
ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def customized(self):
ret = self.dbus_object.customized(dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def semodule_list(self):
ret = self.dbus_object.semodule_list(dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def relabel_on_boot(self, value):
ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def change_default_mode(self, value):
ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux")
return ret
- @polkit.enable_proxy
def change_default_policy(self, value):
ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux")
return ret
--
2.31.1