From 3ecfb8abcc82157432a8e18f1a6169209313c0c4 Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Thu, 24 Aug 2023 16:39:50 +0200
Subject: [PATCH] setroubleshoot-3.3.26-6

- Check that SELinux is enabled before running (#2178950)
- Fix shebang of SetroubleshootPrivileged.py (#2231023)
This effectively adds "-Es" to the shebang, making the script resilient to loading malicious 3rd party modules masquerading as genuine modules (e.g. "selinux").
Resolves: RHEL-5201
Resolves: RHEL-5203
---
 ...at-SELinux-is-enabled-before-running.patch | 48 +++++++++++++++++++
 setroubleshoot.spec | 15 ++++-
 2 files changed, 59 insertions(+), 4 deletions(-)
 create mode 100644 0010-Check-that-SELinux-is-enabled-before-running.patch

diff --git a/0010-Check-that-SELinux-is-enabled-before-running.patch b/0010-Check-that-SELinux-is-enabled-before-running.patch
new file mode 100644
index 0000000..a571ee7
--- /dev/null
+++ b/0010-Check-that-SELinux-is-enabled-before-running.patch
@@ -0,0 +1,48 @@
+From 9e2753d241bf0bccaf0b05984e7562a2ac2a70e6 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Thu, 24 Aug 2023 19:02:24 +0200
+Subject: [PATCH] Check that SELinux is enabled before running
+
+Setroubleshootd will fail to run when selinux is disabled. Check that
+SELinux is enabled in setroubleshootd service file and in sealert (so
+that it does not wait for setroubleshootd to start).
+
+Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2178950
+
+Signed-off-by: Vit Mojzis
+---
+ setroubleshootd.service | 1 +
+ src/sealert | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+diff --git a/framework/setroubleshootd.service b/framework/setroubleshootd.service
+index 81c75b1..7fc2ffb 100644
+--- a/framework/setroubleshootd.service
++++ b/framework/setroubleshootd.service
+@@ -1,5 +1,6 @@
+ [Unit]
+ Description=SETroubleshoot daemon for processing new SELinux denial logs
++ConditionSecurity=selinux
+
+ [Service]
+ Type=dbus
+diff --git a/framework/src/sealert b/framework/src/sealert
+index 2663a21..5ce6463 100755
+--- a/framework/src/sealert
++++ b/framework/src/sealert
+@@ -576,6 +576,12 @@ if __name__ == '__main__':
+ setup_sighandlers()
+ log_debug("main() args=%s" % sys.argv)
+
++ # Exit if selinux is disabled - setroubleshootd cannot start
++ if not selinux.is_selinux_enabled():
++ log_debug("SELinux not enabled, sealert will not run on non SELinux systems")
++ print("SELinux not enabled, sealert will not run on non SELinux systems", file=sys.stderr)
++ sys.exit(3)
++
+ def validate_invocation_style(opt, opts_instance, conflict_opts):
+ global invocation_style
+ conflict_opts.remove(opt)
+--
+2.41.0
+
diff --git a/setroubleshoot.spec b/setroubleshoot.spec
index 20bb133..d569877 100644
--- a/setroubleshoot.spec
+++ b/setroubleshoot.spec
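Review bot: The new early-exit in sealert introduces exit status 3 without saying what it means, and any wrapper script that interprets sealert's status will now see a value it has not seen before; a comment on the `sys.exit(3)` line such as `# exit status 3: SELinux is disabled on this host, so setroubleshootd cannot start` would pin that meaning, and it should be reflected wherever sealert's exit codes are documented. The check calls `selinux.is_selinux_enabled()` at the top of the `__main__` block, which starts at the hunk header and continues past the hunk, so it presumably relies on an existing `import selinux` earlier in the file — worth confirming, since a missing import would turn the intended clean exit into a NameError on exactly the systems this change targets. Note that `is_selinux_enabled()` also holds in permissive mode, which matches `ConditionSecurity=selinux` in the unit file, so the daemon-side and client-side checks stay consistent.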
@@ -1,12 +1,12 @@
 Summary: Helps troubleshoot SELinux problems
 Name: setroubleshoot
 Version: 3.3.26
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: GPLv2+
 URL: https://gitlab.com/setroubleshoot/framework
 Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz
 Source1: %{name}.tmpfiles
-# git format-patch --src-prefix=a/framework/ --dst-prefix=b/framework/ -N setroubleshoot-3.3.26 -- . ':!doc/developers_guide.wiki' ':!test/README.testing'
+# git format-patch --src-prefix=a/framework/ --dst-prefix=b/framework/ -N setroubleshoot-3.3.26 -- . ':!doc/developers_guide.wiki' ':!test/README.testing' ':!.gitlab-ci.yml'
 # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
 Patch0001: 0001-Stop-SetroubleshootFixit-after-10-seconds-of-inactiv.patch
 Patch0002: 0002-Do-not-use-Python-slip-package.patch
@@ -17,6 +17,7 @@ Patch0006: 0006-Update-translations.patch
 Patch0007: 0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch
 Patch0008: 0008-doc-Document-performance-related-changes.patch
 Patch0009: 0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch
+Patch0010: 0010-Check-that-SELinux-is-enabled-before-running.patch
 BuildRequires: gcc
 BuildRequires: make
 BuildRequires: libcap-ng-devel
@@ -91,11 +92,13 @@ install -m644 -D %{SOURCE1} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
 pathfix.py -i "%{__python3} -Es" -p \
 %{buildroot}%{_sbindir}/setroubleshootd \
 %{buildroot}%{_bindir}/{sealert,seapplet} \
-%{buildroot}/usr/share/setroubleshoot/SetroubleshootFixit.py
+%{buildroot}/usr/share/setroubleshoot/SetroubleshootFixit.py \
+%{buildroot}/usr/share/setroubleshoot/SetroubleshootPrivileged.py
 rm \
 %{buildroot}%{_sbindir}/setroubleshootd~ \
 %{buildroot}%{_bindir}/{sealert,seapplet}~ \
-%{buildroot}/usr/share/setroubleshoot/SetroubleshootFixit.py~
+%{buildroot}/usr/share/setroubleshoot/SetroubleshootFixit.py~ \
+%{buildroot}/usr/share/setroubleshoot/SetroubleshootPrivileged.py~
 %find_lang %{name}
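Review bot: The list of scripts handed to pathfix.py and the list of `~` backups removed afterwards are two hand-maintained parallel lists, and the third hunk (the %install section, which continues outside the hunk) shows exactly how they drift: SetroubleshootPrivileged.py had to be added to both, and a script added to only one would either ship without the hardened `-Es` shebang that this release is meant to guarantee or leave a stray backup in the buildroot. Defining the list once in a shell variable and deriving the cleanup from it removes the duplication, as in the rewrite below. If the pathfix.py shipped with the target Python supports `-n` (create no backup file), the cleanup loop can be dropped entirely — worth checking rather than assuming, since the current spec clearly expects backups to be written. The earlier hunks (Release bump, Patch0010 line) raise nothing.
```rpmspec
# One list feeds both pathfix.py and the backup cleanup, so a script cannot
# receive the hardened shebang in one step and be missed in the other.
py_scripts="%{buildroot}%{_sbindir}/setroubleshootd \
    %{buildroot}%{_bindir}/sealert \
    %{buildroot}%{_bindir}/seapplet \
    %{buildroot}/usr/share/setroubleshoot/SetroubleshootFixit.py \
    %{buildroot}/usr/share/setroubleshoot/SetroubleshootPrivileged.py"
pathfix.py -i "%{__python3} -Es" -p $py_scripts
for f in $py_scripts; do rm "$f~"; done
# ... unchanged: find_lang call ...
```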
@@ -208,6 +211,10 @@ chown -R setroubleshoot:setroubleshoot %{pkgvardatadir}
 %doc AUTHORS COPYING ChangeLog DBUS.md NEWS README TODO
 %changelog
+* Thu Aug 24 2023 Vit Mojzis - 3.3.26-6
+- Fix shebang of SetroubleshootPrivileged.py (#2231023)
+- Check that SELinux is enabled before running (#2178950)
+
 * Mon Aug 22 2022 Vit Mojzis - 3.3.26-5
 - Shutdown RunFaultServer nicely (#2119001)