setroubleshoot-3.3.22-5

- root user doesn't need to use SetroubleshootPrivileged API

0010-Use-pydbus-a-modern-Python-dbus-API-for-Setroublesho.patch

@@ -0,0 +1,116 @@
+From 25dd8cee2841d0be01756b6c600ea887fad0c67d Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 28 Feb 2020 13:22:32 +0100
+Subject: [PATCH] Use pydbus, a modern Python dbus API, for
+ SetroubleshootPrivileged
+
+According to https://wiki.python.org/moin/DbusExamples dbus-python is a legacy API.
+---
+ framework/src/SetroubleshootPrivileged.py | 36 +++++++++++++----------
+ framework/src/setroubleshoot/util.py      | 17 +++--------
+ 2 files changed, 25 insertions(+), 28 deletions(-)
+
+diff --git a/framework/src/SetroubleshootPrivileged.py b/framework/src/SetroubleshootPrivileged.py
+index 858115bbe5ae..899e68770880 100644
+--- a/framework/src/SetroubleshootPrivileged.py
++++ b/framework/src/SetroubleshootPrivileged.py
+@@ -18,31 +18,35 @@
+ # with this program; if not, write to the Free Software Foundation, Inc.,
+ # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+ 
+-import dbus
+-import dbus.service
+-from dbus.mainloop.glib import DBusGMainLoop
+ from gi.repository import GLib
++from pydbus import SystemBus
+ import setroubleshoot.util
+ import signal
+ 
+-DBusGMainLoop(set_as_default=True)
+-
+-class Privileged(dbus.service.Object):
++loop = GLib.MainLoop()
++
++class Privileged(object):
++    """
++		<node>
++			<interface name='org.fedoraproject.SetroubleshootPrivileged'>
++				<method name='get_rpm_nvr_by_scontext'>
++					<arg type='s' name='scontext' direction='in'/>
++    				<arg type='s' name='rpmnvr' direction='out'/>
++				</method>
++				<method name='finish'/>
++			</interface>
++		</node>
++    """
+ 
+     def __init__(self, timeout=10):
+         self.timeout = timeout
+         self.alarm(self.timeout)
+ 
+-        bus = dbus.SystemBus()
+-        bus.request_name("org.fedoraproject.SetroubleshootPrivileged")
+-        bus_name = dbus.service.BusName("org.fedoraproject.SetroubleshootPrivileged", bus=bus)
+-        dbus.service.Object.__init__(self, bus_name, "/org/fedoraproject/SetroubleshootPrivileged/object")
+-
+     def alarm(self, timeout=10):
+         signal.alarm(timeout)
+ 
+-    @dbus.service.method("org.fedoraproject.SetroubleshootPrivileged", in_signature='s', out_signature='s')
+     def get_rpm_nvr_by_scontext(self, scontext):
++        """Finds an SELinux module which defines given SELinux context"""
+         signal.alarm(self.timeout)
+         rpmnvr = setroubleshoot.util.get_rpm_nvr_by_scontext(scontext)
+         if rpmnvr is None:
+@@ -50,8 +54,10 @@ class Privileged(dbus.service.Object):
+ 
+         return rpmnvr
+ 
+-if __name__ == "__main__":
+-    privileged = Privileged()
++    def finish(self):
++        loop.quit()
+ 
+-    loop = GLib.MainLoop()
++if __name__ == "__main__":
++    bus = SystemBus()
++    bus.publish("org.fedoraproject.SetroubleshootPrivileged", Privileged())
+     loop.run()
+diff --git a/framework/src/setroubleshoot/util.py b/framework/src/setroubleshoot/util.py
+index 77b3668afa86..4d18555fb9e4 100755
+--- a/framework/src/setroubleshoot/util.py
++++ b/framework/src/setroubleshoot/util.py
+@@ -68,7 +68,7 @@ __all__ = [
+ import bz2
+ import six
+ import datetime
+-import dbus
++from pydbus import SystemBus
+ import glob
+ from gi.repository import GObject
+ import os
+@@ -484,18 +484,9 @@ Finds an SELinux module which defines given SELinux context
+ 
+     """
+     if use_dbus:
+-        bus = dbus.SystemBus()
+-
+-        try:
+-            remote_object = bus.get_object("org.fedoraproject.SetroubleshootPrivileged",
+-                                       "/org/fedoraproject/SetroubleshootPrivileged/object")
+-
+-            return str(remote_object.get_rpm_nvr_by_scontext(str(scontext),
+-                    dbus_interface = "org.fedoraproject.SetroubleshootPrivileged"))
+-        except dbus.DBusException:
+-            from traceback import print_exc
+-            print_exc()
+-            return None
++        bus = SystemBus()
++        remote_object = bus.get("org.fedoraproject.SetroubleshootPrivileged")
++        return str(remote_object.get_rpm_nvr_by_scontext(str(scontext)))
+     else:
+         context = selinux.context_new(str(scontext))
+         return get_rpm_nvr_by_type(str(selinux.context_type_get(context)))
+-- 
+2.25.1
+

0011-root-user-doesn-t-need-to-use-SetroubleshootPrivileg.patch

@@ -0,0 +1,47 @@
+From 945838998d84dcd8f0aab147f228e244dc08a54e Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Fri, 28 Feb 2020 13:25:59 +0100
+Subject: [PATCH] root user doesn't need to use SetroubleshootPrivileged API
+
+Fixes:
+$ sudo sealert -a ./short.log 2>&1 | tee /tmp/tmp.956wzqmMcR, with 15 seconds timeout
+ERROR:dbus.proxies:Introspect error on :1.38:/org/fedoraproject/SetroubleshootPrivileged/object: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
+Traceback (most recent call last):
+  File "/usr/lib/python3.7/site-packages/setroubleshoot/util.py", line 494, in get_rpm_nvr_by_scontext
+    dbus_interface = "org.fedoraproject.SetroubleshootPrivileged"))
+  File "/usr/lib64/python3.7/site-packages/dbus/proxies.py", line 70, in __call__
+    return self._proxy_method(*args, **keywords)
+  File "/usr/lib64/python3.7/site-packages/dbus/proxies.py", line 145, in __call__
+    **keywords)
+  File "/usr/lib64/python3.7/site-packages/dbus/connection.py", line 651, in call_blocking
+    message, timeout)
+dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
+---
+ framework/src/setroubleshoot/signature.py | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/framework/src/setroubleshoot/signature.py b/framework/src/setroubleshoot/signature.py
+index 7287eec8af61..bcc37408c29c 100755
+--- a/framework/src/setroubleshoot/signature.py
++++ b/framework/src/setroubleshoot/signature.py
+@@ -314,7 +314,16 @@ class SEFaultSignatureInfo(XmlSerialize):
+             setattr(self, k, v)
+         self.report_count = 1
+         self.plugin_list = []
+-        self.environment.local_policy_rpm = get_rpm_nvr_by_scontext(self.scontext, use_dbus=True)
++
++        use_dbus=True
++        if os.getuid() == 0:
++            # root doesn't need to use dbus
++            use_dbus=False
++        try:
++            self.environment.local_policy_rpm = get_rpm_nvr_by_scontext(self.scontext, use_dbus=use_dbus)
++        except:
++            # leave it as it is
++            pass
+ 
+     def update_merge(self, siginfo):
+         if siginfo.last_seen_date != self.last_seen_date:
+-- 
+2.25.1
+

setroubleshoot.spec

@@ -4,7 +4,7 @@
 Summary: Helps troubleshoot SELinux problems
 Name: setroubleshoot
 Version: 3.3.22
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 URL: https://pagure.io/setroubleshoot
 Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz
@@ -20,6 +20,8 @@ Patch0006: 0006-Export-setroubleshoot.utils.get_rpm_nvr_by_scontext-.patch
 Patch0007: 0007-setroubleshoot.utils.get_rpm_nvr_by_scontext-add-opt.patch
 Patch0008: 0008-Add-Local-SELinux-policy-package-version-to-analyses.patch
 Patch0009: 0009-Report-bug-on-a-package-which-owns-the-related-SELin.patch
+Patch0010: 0010-Use-pydbus-a-modern-Python-dbus-API-for-Setroublesho.patch
+Patch0011: 0011-root-user-doesn-t-need-to-use-SetroubleshootPrivileg.patch
 BuildRequires: gcc
 BuildRequires: libcap-ng-devel
 BuildRequires: intltool gettext python3 python3-devel
@@ -209,6 +211,9 @@ SELinux troubleshoot legacy applet
 %{_bindir}/seappletlegacy
 
 %changelog
+* Fri Feb 28 2020 Petr Lautrbach <plautrba@redhat.com> - 3.3.22-5
+- root user doesn't need to use SetroubleshootPrivileged API
+
 * Thu Feb 27 2020 Petr Lautrbach <plautrba@redhat.com> - 3.3.22-4
 - sealert to report a bug on a package which owns the related SELinux domain
   https://pagure.io/setroubleshoot/issue/18