import setroubleshoot-3.3.26-5.el9

2021-11-03 15:32:36 -04:00 · 2021-11-03 15:32:36 -04:00 · 471151908a
commit 471151908a
9 changed files with 2417 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+SOURCES/setroubleshoot-3.3.26.tar.gz
--- a/.setroubleshoot.metadata
+++ b/.setroubleshoot.metadata
@ -0,0 +1 @@
+dab49dd85f3d8489fef60d2b94c4931cc9c473ea SOURCES/setroubleshoot-3.3.26.tar.gz
--- a/SOURCES/0001-Stop-SetroubleshootFixit-after-10-seconds-of-inactiv.patch
+++ b/SOURCES/0001-Stop-SetroubleshootFixit-after-10-seconds-of-inactiv.patch
@ -0,0 +1,45 @@
+From 56cf1525b5ebeb3591d4a3ded5299fe82d0f9208 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 14 Apr 2021 17:03:39 +0200
+Subject: [PATCH] Stop SetroubleshootFixit after 10 seconds of inactivity
+
+---
+ framework/src/SetroubleshootFixit.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/framework/src/SetroubleshootFixit.py b/framework/src/SetroubleshootFixit.py
+index 15c6cab1cda4..f7cbf95f182f 100644
+--- a/framework/src/SetroubleshootFixit.py
+++ b/framework/src/SetroubleshootFixit.py
+@@ -7,6 +7,7 @@ from gi.repository import GLib
+ import slip.dbus.service
+ from slip.dbus import polkit
+ import os
+import signal
+ 
+ 
+ class RunFix(slip.dbus.service.Object):
+@@ -14,12 +15,20 @@ class RunFix(slip.dbus.service.Object):
+ 
+     def __init__(self, *p, **k):
+         super(RunFix, self).__init__(*p, **k)
+        self.timeout = 10
+        self.alarm(self.timeout)
+
+    def alarm(self, timeout=10):
+        signal.alarm(timeout)
+
+ 
+     @dbus.service.method("org.fedoraproject.SetroubleshootFixit", in_signature='ss', out_signature='s')
+     def run_fix(self, local_id, analysis_id):
+         import subprocess
+        self.alarm(0)
+         command = ["sealert", "-f", local_id, "-P", analysis_id]
+         return subprocess.check_output(command, universal_newlines=True)
+        self.alarm(self.timeout)
+ 
+ if __name__ == "__main__":
+     mainloop = GLib.MainLoop()
+-- 
+2.31.1
+
--- a/SOURCES/0002-Do-not-use-Python-slip-package.patch
+++ b/SOURCES/0002-Do-not-use-Python-slip-package.patch
@ -0,0 +1,103 @@
+From 65145c512908badc45fbab8f3b329e9923b42fb1 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 14 Apr 2021 17:04:59 +0200
+Subject: [PATCH] Do not use Python slip package
+
+It's not maintained anymore and it allows us to drop dependency on
+Python slip package
+
+Use DBUS polkit interface instead -
+https://www.freedesktop.org/software/polkit/docs/latest/eggdbus-interface-org.freedesktop.PolicyKit1.Authority.html
+---
+ framework/src/SetroubleshootFixit.py    | 35 ++++++++++++++++++-------
+ framework/src/setroubleshoot/browser.py |  3 ---
+ 2 files changed, 25 insertions(+), 13 deletions(-)
+
+diff --git a/framework/src/SetroubleshootFixit.py b/framework/src/SetroubleshootFixit.py
+index f7cbf95f182f..ab0ad2bf632c 100644
+--- a/framework/src/SetroubleshootFixit.py
+++ b/framework/src/SetroubleshootFixit.py
+@@ -4,13 +4,11 @@ import dbus
+ import dbus.service
+ import dbus.mainloop.glib
+ from gi.repository import GLib
+-import slip.dbus.service
+-from slip.dbus import polkit
+ import os
+ import signal
+import subprocess
+ 
+-
+-class RunFix(slip.dbus.service.Object):
+class RunFix(dbus.service.Object):
+     default_polkit_auth_required = "org.fedoraproject.setroubleshootfixit.write"
+ 
+     def __init__(self, *p, **k):
+@@ -21,14 +19,32 @@ class RunFix(slip.dbus.service.Object):
+     def alarm(self, timeout=10):
+         signal.alarm(timeout)
+ 
+-
+-    @dbus.service.method("org.fedoraproject.SetroubleshootFixit", in_signature='ss', out_signature='s')
+-    def run_fix(self, local_id, analysis_id):
+-        import subprocess
+    def is_authorized(self, sender):
+        bus = dbus.SystemBus()
+
+        proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
+        authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
+        subject = ('system-bus-name', {'name' : sender})
+        action_id = 'org.fedoraproject.setroubleshootfixit.write'
+        details = {}
+        flags = 1            # AllowUserInteraction flag
+        cancellation_id = '' # No cancellation id
+        result = authority.CheckAuthorization(subject, action_id, details, flags, cancellation_id)
+        return result[0]
+
+    @dbus.service.method("org.fedoraproject.SetroubleshootFixit", sender_keyword="sender", in_signature='ss', out_signature='s')
+    def run_fix(self, local_id, analysis_id, sender):
+         self.alarm(0)
+         command = ["sealert", "-f", local_id, "-P", analysis_id]
+-        return subprocess.check_output(command, universal_newlines=True)
+
+        if self.is_authorized(sender):
+            result = subprocess.check_output(command, universal_newlines=True)
+        else:
+            result = "Authorization failed"
+
+         self.alarm(self.timeout)
+        return result
+
+ 
+ if __name__ == "__main__":
+     mainloop = GLib.MainLoop()
+@@ -36,5 +52,4 @@ if __name__ == "__main__":
+     system_bus = dbus.SystemBus()
+     name = dbus.service.BusName("org.fedoraproject.SetroubleshootFixit", system_bus)
+     object = RunFix(system_bus, "/org/fedoraproject/SetroubleshootFixit/object")
+-    slip.dbus.service.set_mainloop(mainloop)
+     mainloop.run()
+diff --git a/framework/src/setroubleshoot/browser.py b/framework/src/setroubleshoot/browser.py
+index 2d37bb43df02..3203f75e0c17 100644
+--- a/framework/src/setroubleshoot/browser.py
+++ b/framework/src/setroubleshoot/browser.py
+@@ -65,8 +65,6 @@ from setroubleshoot.util import *
+ from setroubleshoot.html_util import html_to_text
+ import re
+ import dbus
+-import slip.dbus.service
+-from slip.dbus import polkit
+ import report
+ import report.io
+ import report.io.GTKIO
+@@ -933,7 +931,6 @@ class DBusProxy (object):
+         self.bus = dbus.SystemBus()
+         self.dbus_object = self.bus.get_object("org.fedoraproject.SetroubleshootFixit", "/org/fedoraproject/SetroubleshootFixit/object")
+ 
+-    @polkit.enable_proxy
+     def run_fix(self, local_id, plugin_name):
+         return self.dbus_object.run_fix(local_id, plugin_name, dbus_interface="org.fedoraproject.SetroubleshootFixit")
+ 
+-- 
+2.31.1
+
--- a/SOURCES/0003-sedispatch-improve-performance.patch
+++ b/SOURCES/0003-sedispatch-improve-performance.patch
@ -0,0 +1,163 @@
+From 46369d08223e06fb7884a4e65ff47a3b0b828f25 Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 15 Jul 2021 13:22:59 +0200
+Subject: [PATCH] sedispatch: improve performance
+
+sedispatch is pretty much the slowest audit relatedplugin. It was mixing
+descriptors (select) and FILE functions (fgets) which is not a good recipe.
+
+It's reworked to only use descriptors. Also the flow is updated to
+follow the latest plugin recommendations. This makes it run almost twice
+as fast. The call to auparse_set_eoe_timeout() requires audit 3.0.1.
+---
+ src/sedispatch.c | 72 +++++++++++++++++++++++++-----------------------
+ 1 file changed, 38 insertions(+), 34 deletions(-)
+
+diff --git a/framework/src/sedispatch.c b/framework/src/sedispatch.c
+index 2fa94fd85cc3..49c2fce2a333 100644
+--- a/framework/src/sedispatch.c
+++ b/framework/src/sedispatch.c
+@@ -1,5 +1,5 @@
+ /* sedispatch.c --
+- * Copyright 2009 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2009,2021 Red Hat Inc.
+  * All Rights Reserved.
+  *
+  * This program is free software; you can redistribute it and/or modify
+@@ -30,14 +30,14 @@
+  *
+  */
+ 
+-#define _GNU_SOURCE
+-#include <stdio.h>
+ #include <stdlib.h>
+ #include <signal.h>
+ #include <string.h>
+ #include <sys/time.h>
+ #include <sys/types.h>
+ #include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+ #include "libaudit.h"
+ #include "auparse.h"
+ #include "sedbus.h"
+@@ -101,8 +101,6 @@ int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
+ {
+ 	char tmp[MAX_AUDIT_MESSAGE_LENGTH+1];
+ 	struct sigaction sa;
+-	fd_set rfds;
+-	struct timeval tv;
+ 
+ 	/* Register sighandlers */
+ 	sa.sa_flags = 0;
+@@ -113,6 +111,9 @@ int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
+ 	sa.sa_handler = hup_handler;
+ 	sigaction(SIGHUP, &sa, NULL);
+ 
+	/* Set STDIN non-blocking */
+	fcntl(0, F_SETFL, O_NONBLOCK);
+
+ 	/* Initialize the auparse library */
+ 	au = auparse_init(AUSOURCE_FEED, 0);
+ 	if (au == NULL) {
+@@ -120,37 +121,49 @@ int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
+ 		return -1;
+ 	}
+ 
+	auparse_set_eoe_timeout(2);
+ 	auparse_add_callback(au, handle_event, NULL, NULL);
+
+ #ifdef HAVE_LIBCAP_NG
+ 	capng_clear(CAPNG_SELECT_BOTH);
+ 	capng_apply(CAPNG_SELECT_BOTH);
+ #endif
+
+ 	do {
+		fd_set rfds;
+		int retval;
+		int read_size = 1; /* Set to 1 so it's not EOF */
+
+ 		/* Load configuration */
+ 		if (hup) {
+ 			reload_config();
+ 		}
+ 
+-		/* Now the event loop */
+-		while (fgets_unlocked(tmp, MAX_AUDIT_MESSAGE_LENGTH, stdin) &&
+-							hup==0 && stop==0) {
+-			auparse_feed(au, tmp, strnlen(tmp,
+-						MAX_AUDIT_MESSAGE_LENGTH));
+-
+-			/* Wait for 3 seconds and if nothing has happen expect that the event
+-			 * is complete and flush parser's feed
+-			 * FIXME: in future, libaudit will provide a better mechanism for aging
+-			 * events
+-			 */
+		do {
+ 			FD_ZERO(&rfds);
+ 			FD_SET(0, &rfds);
+-			tv.tv_sec = 3;
+-			tv.tv_usec = 0;
+-			if (select(1, &rfds, NULL, NULL, &tv) == 0)
+-				/* The timeout occurred, the event is probably complete */
+-				auparse_flush_feed(au);
+
+			if (auparse_feed_has_data(au)) {
+				// We'll do a 1 second timeout to try to
+				// age events as quick as possible
+				struct timeval tv;
+				tv.tv_sec = 1;
+				tv.tv_usec = 0;
+				retval = select(1, &rfds, NULL, NULL, &tv);
+			} else
+				retval = select(1, &rfds, NULL, NULL, NULL);
+
+			/* If we timed out & have events, shake them loose */
+			if (retval == 0 && auparse_feed_has_data(au))
+				auparse_feed_age_events(au);
+		} while (retval == -1 && errno == EINTR && !hup && !stop);
+
+		/* Handle the event */
+		if (!hup && !stop && retval > 0) {
+			read_size = read(0, tmp, MAX_AUDIT_MESSAGE_LENGTH);
+			auparse_feed(au, tmp, read_size);
+ 		}
+-		if (feof(stdin))
+		if (read_size == 0) /* EOF */
+ 			break;
+ 	} while (stop == 0);
+ 
+@@ -178,7 +191,6 @@ static void dump_whole_record(auparse_state_t *au, void *conn)
+ {
+ 	size_t size = 1;
+         char *tmp = NULL, *end=NULL;
+-	int i = 0;
+ 	const char * rec = NULL;
+ 	const char *scon = auparse_find_field(au, "scontext");
+ 	const char *tcon = auparse_find_field(au, "tcontext");
+@@ -234,19 +246,11 @@ static void handle_event(auparse_state_t *au,
+ 	   move the cursor accidentally skipping a record. */
+ 	while (auparse_goto_record_num(au, num) > 0) {
+ 		type = auparse_get_type(au);
+-		/* Now we can branch based on what record type we find.
+-		   This is just a few suggestions, but it could be anything. */
+		/* Only handle AVCs. */
+ 		switch (type) {
+ 			case AUDIT_AVC:
+-				dump_whole_record(au, conn); 
+-				break;
+-			case AUDIT_SYSCALL:
+-				break;
+-			case AUDIT_USER_LOGIN:
+-				break;
+-			case AUDIT_ANOM_ABEND:
+-				break;
+-			case AUDIT_MAC_STATUS:
+				dump_whole_record(au, conn);
+				return;
+ 				break;
+ 			default:
+ 				break;
+-- 
+2.32.0
+
--- a/SOURCES/0004-sedispatch-improve-performance-using-cache-friendly-.patch
+++ b/SOURCES/0004-sedispatch-improve-performance-using-cache-friendly-.patch
@ -0,0 +1,83 @@
+From ed6c940c8b05baaf8a4318beccde896893cc32dd Mon Sep 17 00:00:00 2001
+From: Steve Grubb <sgrubb@redhat.com>
+Date: Thu, 15 Jul 2021 13:29:32 +0200
+Subject: [PATCH] sedispatch: improve performance using cache friendly api
+
+It turns out that using auparse_goto_record_num() is not cache friendly.
+Since it is only processing AVC events, there is no chance of seeking
+around and missing the AVC record. So, that part of the program is
+switched out to use auparse_next_record() which only moves through the
+event once.
+
+Also unused variables were remove and the loop simplified.
+
+This change gets about 9% more speed. For reference, this
+is how I checked the speed:
+
+time ./sedispatch < /var/log/audit/audit.log >/dev/null
+---
+ src/sedispatch.c | 36 +++++++++++-------------------------
+ 1 file changed, 11 insertions(+), 25 deletions(-)
+
+diff --git a/framework/src/sedispatch.c b/framework/src/sedispatch.c
+index 49c2fce2a333..f2e9fbaf0743 100644
+--- a/framework/src/sedispatch.c
+++ b/framework/src/sedispatch.c
+@@ -187,7 +187,7 @@ static int is_setroubleshoot(const char *context) {
+ }
+ 
+ /* This function shows how to dump a whole record's text */
+-static void dump_whole_record(auparse_state_t *au, void *conn)
+static void dump_whole_record(auparse_state_t *au)
+ {
+ 	size_t size = 1;
+         char *tmp = NULL, *end=NULL;
+@@ -228,35 +228,21 @@ static void dump_whole_record(auparse_state_t *au, void *conn)
+ }
+ 
+ 
+-/* This function receives a single complete event at a time from the auparse
+- * library. This is where the main analysis code would be added. */
+/* This function receives a single complete event from auparse. Internal
+ * cursors are on the first record. This is where the analysis occurs. */
+ static void handle_event(auparse_state_t *au,
+ 		auparse_cb_event_t cb_event_type, void *user_data)
+ {
+-	int type, num=0;
+-
+-	DBusConnection* conn = 
+-		(DBusConnection*) user_data; 
+-
+-	if (cb_event_type != AUPARSE_CB_EVENT_READY)
+-		return;
+-
+-	/* Loop through the records in the event looking for one to process.
+-	   We use physical record number because we may search around and
+-	   move the cursor accidentally skipping a record. */
+-	while (auparse_goto_record_num(au, num) > 0) {
+-		type = auparse_get_type(au);
+	/* Loop through the records looking for an AVC. If we ever process
+	 * other record types without directly returning, we may need to use
+	 * auparse_goto_record_num() to ensure seeing each record. */
+	do {
+ 		/* Only handle AVCs. */
+-		switch (type) {
+-			case AUDIT_AVC:
+-				dump_whole_record(au, conn);
+-				return;
+-				break;
+-			default:
+-				break;
+		if (auparse_get_type(au) == AUDIT_AVC) {
+			dump_whole_record(au);
+			return;
+ 		}
+-		num++;
+-	}
+	} while (auparse_next_record(au) > 0);
+ }
+ 
+ #ifdef NOTUSED
+-- 
+2.32.0
+
--- a/SOURCES/0005-auparse_set_eoe_timeout-requires-audit-libauparse-3..patch
+++ b/SOURCES/0005-auparse_set_eoe_timeout-requires-audit-libauparse-3..patch
@ -0,0 +1,25 @@
+From 4041744bc94ee94a5d6ba59dd398e2eaae790b97 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 16 Jul 2021 11:03:47 +0200
+Subject: [PATCH] auparse_set_eoe_timeout() requires audit / libauparse 3.0.1
+
+---
+ configure.ac | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/framework/configure.ac b/framework/configure.ac
+index d1d01766e4a0..0fba58dca9d2 100644
+--- a/framework/configure.ac
+++ b/framework/configure.ac
+@@ -13,6 +13,8 @@ PKG_CHECK_MODULES([NOTIFY], [libnotify])
+ PKG_CHECK_MODULES([SEAPPLETLEGACY], [gtk+-2.0 gio-unix-2.0 libnotify dbus-glib-1],
+ 				    [seappletlegacy=yes], [seappletlegacy=no])
+ PKG_CHECK_MODULES([SEAPPLET], [gtk+-3.0])
+# auparse_set_eoe_timeout() requires libauparse 3.0.1
+PKG_CHECK_MODULES([SEDISPATCH], [auparse >= 3.0.1])
+ 
+ # make sure we keep ACLOCAL_FLAGS around for maintainer builds to work
+ AC_SUBST(ACLOCAL_AMFLAGS, "\${ACLOCAL_FLAGS}")
+-- 
+2.32.0
+
--- a/SOURCES/setroubleshoot.tmpfiles
+++ b/SOURCES/setroubleshoot.tmpfiles
@ -0,0 +1 @@
+d /run/setroubleshoot 711 setroubleshoot setroubleshoot -
--- a/SPECS/setroubleshoot.spec
+++ b/SPECS/setroubleshoot.spec
				`@ -0,0 +1 @@`
				`dab49dd85f3d8489fef60d2b94c4931cc9c473ea SOURCES/setroubleshoot-3.3.26.tar.gz`
				`@ -0,0 +1 @@`
				`d /run/setroubleshoot 711 setroubleshoot setroubleshoot -`