setroubleshoot-3.3.26-6
- Check that SELinux is enabled before running (#2178950)
- Fix shebang of SetroubleshootPrivileged.py (#2231023)
  This effectively adds "-Es" to the shebang, making the script resilient to loading malicious 3rd party modules masquerading as genuine modules (e.g. "selinux").

Resolves: RHEL-5201
Resolves: RHEL-5203
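To see what the "-Es" shebang buys, here is an added shell example (not part of the setroubleshoot package or of this commit) that plants a stand-in `selinux.py` on `PYTHONPATH` and runs the same import once with a plain `python3` and once with `python3 -Es`. The `MASQUERADE` marker and the helper names `make_evil_dir`, `probe` and `demo` are the example's own; it only needs `python3` and a POSIX shell.

```shell
#!/bin/sh
# Added example, not shipped with setroubleshoot: demonstrates why the
# privileged helper is given "#!/usr/bin/python3 -Es".  Any writable directory
# on PYTHONPATH (or the per-user site-packages directory) can shadow a module
# such as "selinux".  -E ignores all PYTHON* environment variables and -s
# skips the user site directory, so the shadowing copy is never found.
set -eu

# Module we masquerade as; "selinux" is the one the commit message names.
MODULE=selinux

# Create a scratch directory holding a constructed stand-in for the module.
make_evil_dir() {
    dir=$(mktemp -d)
    cat > "$dir/$MODULE.py" <<'EOF'
# Constructed stand-in: a real attack would run arbitrary code at import time.
MASQUERADE = True
def is_selinux_enabled():
    return 0
EOF
    printf '%s\n' "$dir"
}

# Run the import with the given interpreter flags and the evil directory on
# PYTHONPATH.  Prints "hijacked" if the stand-in was imported and "clean"
# otherwise (the genuine module loaded, or no module of that name exists).
probe() {
    flags=$1
    dir=$2
    # shellcheck disable=SC2086  # $flags is meant to word-split ("" or "-Es")
    PYTHONPATH="$dir" python3 $flags -c "
import importlib
try:
    m = importlib.import_module('$MODULE')
except ModuleNotFoundError:
    print('clean')
else:
    print('hijacked' if getattr(m, 'MASQUERADE', False) else 'clean')
"
}

# Compare a plain interpreter line with the hardened one.
demo() {
    dir=$(make_evil_dir)
    unsafe=$(probe "" "$dir")      # what "#!/usr/bin/python3" would do
    safe=$(probe "-Es" "$dir")     # what "#!/usr/bin/python3 -Es" does
    rm -rf "$dir"
    printf 'without -Es: %s\nwith -Es:    %s\n' "$unsafe" "$safe"
}

demo
```

The first probe reports `hijacked` because `PYTHONPATH` entries are searched before the system site-packages; the second reports `clean`. Note what `-Es` does not cover: the script's own directory stays first on `sys.path`, so it still matters that `/usr/share/setroubleshoot` is root-owned; `-I` (isolated mode) would additionally drop that entry.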
parent d2fc833caa
commit 3ecfb8abcc
0010-Check-that-SELinux-is-enabled-before-running.patch (new file, 48 lines)
@ -0,0 +1,48 @@
From 9e2753d241bf0bccaf0b05984e7562a2ac2a70e6 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 24 Aug 2023 19:02:24 +0200
Subject: [PATCH] Check that SELinux is enabled before running

Setroubleshootd will fail to run when selinux is disabled. Check that
SELinux is enabled in setroubleshootd service file and in sealert (so
that it does not wait for setroubleshootd to start).

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2178950

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
setroubleshootd.service | 1 +
src/sealert | 6 ++++++
2 files changed, 7 insertions(+)

diff --git a/framework/setroubleshootd.service b/framework/setroubleshootd.service
index 81c75b1..7fc2ffb 100644
--- a/framework/setroubleshootd.service
+++ b/framework/setroubleshootd.service
@@ -1,5 +1,6 @@
[Unit]
Description=SETroubleshoot daemon for processing new SELinux denial logs
+ConditionSecurity=selinux

[Service]
Type=dbus
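Review bot: `ConditionSecurity=selinux` makes systemd skip this unit quietly rather than fail it, and that behaviour should be spelled out in the commit message: when the condition is false, `systemctl start setroubleshootd` returns success, the unit is left `inactive (dead)` with a "condition failed" marker, and the journal only records that the condition check was not met, so the previous hard failure turns into a silent no-op. Because the service is `Type=dbus`, a bus-activation request for the daemon is gated by the same condition, which is exactly why the client side (`sealert`) needs its own check instead of waiting on the bus name. Also note the condition tests only whether SELinux is enabled (permissive mode counts), not whether it is enforcing; that matches `selinux.is_selinux_enabled()` used in `sealert`, so the two checks agree.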
diff --git a/framework/src/sealert b/framework/src/sealert
index 2663a21..5ce6463 100755
--- a/framework/src/sealert
+++ b/framework/src/sealert
@@ -576,6 +576,12 @@ if __name__ == '__main__':
setup_sighandlers()
log_debug("main() args=%s" % sys.argv)

+ # Exit if selinux is disabled - setroubleshootd cannot start
+ if not selinux.is_selinux_enabled():
+ log_debug("SELinux not enabled, sealert will not run on non SELinux systems")
+ print("SELinux not enabled, sealert will not run on non SELinux systems", file=sys.stderr)
+ sys.exit(3)
+
def validate_invocation_style(opt, opts_instance, conflict_opts):
global invocation_style
conflict_opts.remove(opt)
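Review bot: the new check calls `selinux.is_selinux_enabled()` but the hunk does not show where `selinux` is imported; confirm `import selinux` already exists at the top of `sealert` (a `NameError` here would be worse than the wait this patch removes), and confirm the check runs before any code that connects to the setroubleshootd D-Bus service, since the point is to avoid waiting for a daemon whose unit is now skipped. Exit status 3 is new and undocumented in the hunk; add it to the sealert man page or `--help` output so callers can tell "SELinux disabled" apart from other failures. Minor: the same message string is written twice, once in `log_debug` and once in `print`; assign it once, e.g. `msg = "SELinux not enabled, sealert will not run on non SELinux systems"`, and pass `msg` to both calls.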
--
2.41.0

@ -1,12 +1,12 @@
Summary: Helps troubleshoot SELinux problems
Name: setroubleshoot
Version: 3.3.26
Release: 5%{?dist}
Release: 6%{?dist}
License: GPLv2+
URL: https://gitlab.com/setroubleshoot/framework
Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz
Source1: %{name}.tmpfiles
# git format-patch --src-prefix=a/framework/ --dst-prefix=b/framework/ -N setroubleshoot-3.3.26 -- . ':!doc/developers_guide.wiki' ':!test/README.testing'
# git format-patch --src-prefix=a/framework/ --dst-prefix=b/framework/ -N setroubleshoot-3.3.26 -- . ':!doc/developers_guide.wiki' ':!test/README.testing' ':!.gitlab-ci.yml'
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
Patch0001: 0001-Stop-SetroubleshootFixit-after-10-seconds-of-inactiv.patch
Patch0002: 0002-Do-not-use-Python-slip-package.patch
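Review bot: the edit to the `git format-patch` comment (adding `':!.gitlab-ci.yml'` to the exclusions) changes how the whole patch series is regenerated, yet it is covered by neither changelog entry and the only new file in this commit is `0010-Check-that-SELinux-is-enabled-before-running.patch`; either mention the regeneration-command update in the changelog or move it to its own change. If the series was in fact regenerated with the new command, confirm that `0001` through `0009` are byte-identical to what it now produces, otherwise the comment and the shipped patches drift apart.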
@ -17,6 +17,7 @@ Patch0006: 0006-Update-translations.patch
Patch0007: 0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch
Patch0008: 0008-doc-Document-performance-related-changes.patch
Patch0009: 0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch
Patch0010: 0010-Check-that-SELinux-is-enabled-before-running.patch
BuildRequires: gcc
BuildRequires: make
BuildRequires: libcap-ng-devel
@ -91,11 +92,13 @@ install -m644 -D %{SOURCE1} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
pathfix.py -i "%{__python3} -Es" -p \
%{buildroot}%{_sbindir}/setroubleshootd \
%{buildroot}%{_bindir}/{sealert,seapplet} \
%{buildroot}/usr/share/setroubleshoot/SetroubleshootFixit.py
%{buildroot}/usr/share/setroubleshoot/SetroubleshootFixit.py \
%{buildroot}/usr/share/setroubleshoot/SetroubleshootPrivileged.py
rm \
%{buildroot}%{_sbindir}/setroubleshootd~ \
%{buildroot}%{_bindir}/{sealert,seapplet}~ \
%{buildroot}/usr/share/setroubleshoot/SetroubleshootFixit.py~
%{buildroot}/usr/share/setroubleshoot/SetroubleshootFixit.py~ \
%{buildroot}/usr/share/setroubleshoot/SetroubleshootPrivileged.py~

%find_lang %{name}

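Review bot: `-E -s` on the shebang only helps if `SetroubleshootPrivileged.py` is actually executed through its shebang; confirm that whatever launches it (for example the D-Bus system service activation entry) runs the script directly rather than as `python3 /usr/share/setroubleshoot/SetroubleshootPrivileged.py`, because in the latter form the shebang is never read and the flags must go on that command line instead. Since this helper runs privileged, `-I` (isolated mode, Python 3.4 and later) is the stronger choice: it implies `-E -s` and also drops the script's own directory from `sys.path`, which closes the remaining search-path avenue, though it has to be checked against any sibling-module imports the script relies on. Housekeeping: `pathfix.py` writes the `~` backups that the `rm` block then deletes; newer `pathfix.py` (Python 3.8 and later, to be verified for the target `%{__python3}`) accepts `-n` to skip the backups, which would let the second file list go away.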
@ -208,6 +211,10 @@ chown -R setroubleshoot:setroubleshoot %{pkgvardatadir}
%doc AUTHORS COPYING ChangeLog DBUS.md NEWS README TODO

%changelog
* Thu Aug 24 2023 Vit Mojzis <vmojzis@redhat.com> - 3.3.26-6
- Fix shebang of SetroubleshootPrivileged.py (#2231023)
- Check that SELinux is enabled before running (#2178950)

* Mon Aug 22 2022 Vit Mojzis <vmojzis@redhat.com> - 3.3.26-5
- Shutdown RunFaultServer nicely (#2119001)

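Review bot: the changelog lines cite only the Bugzilla IDs (#2231023, #2178950) while the commit message also resolves RHEL-5201 and RHEL-5203; add the Jira keys to the same lines so the built RPM's `%changelog` carries the same traceability as the git history. Cosmetic: the two entries are in the opposite order from the commit message (shebang fix first here, SELinux check first there); pick one order for both.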