From 678fd233e34261cbe2869999eda769104cb3754c Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Fri, 28 Feb 2020 13:37:14 +0100
Subject: [PATCH] setroubleshoot-3.3.22-5 - root user doesn't need to use SetroubleshootPrivileged API
---
 ...ern-Python-dbus-API-for-Setroublesho.patch | 116 ++++++++++++++++++
 ...t-need-to-use-SetroubleshootPrivileg.patch | 47 +++++++
 setroubleshoot.spec | 7 +-
 3 files changed, 169 insertions(+), 1 deletion(-)
 create mode 100644 0010-Use-pydbus-a-modern-Python-dbus-API-for-Setroublesho.patch
 create mode 100644 0011-root-user-doesn-t-need-to-use-SetroubleshootPrivileg.patch
diff --git a/0010-Use-pydbus-a-modern-Python-dbus-API-for-Setroublesho.patch b/0010-Use-pydbus-a-modern-Python-dbus-API-for-Setroublesho.patch
new file mode 100644
index 0000000..ac1e865
--- /dev/null
+++ b/0010-Use-pydbus-a-modern-Python-dbus-API-for-Setroublesho.patch
@@ -0,0 +1,116 @@
+From 25dd8cee2841d0be01756b6c600ea887fad0c67d Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Fri, 28 Feb 2020 13:22:32 +0100
+Subject: [PATCH] Use pydbus, a modern Python dbus API, for
+ SetroubleshootPrivileged
+
+According to https://wiki.python.org/moin/DbusExamples dbus-python is a legacy API.
+---
+ framework/src/SetroubleshootPrivileged.py | 36 +++++++++++----------
+ framework/src/setroubleshoot/util.py | 17 +++--------
+ 2 files changed, 25 insertions(+), 28 deletions(-)
+
+diff --git a/framework/src/SetroubleshootPrivileged.py b/framework/src/SetroubleshootPrivileged.py
+index 858115bbe5ae..899e68770880 100644
+--- a/framework/src/SetroubleshootPrivileged.py
++++ b/framework/src/SetroubleshootPrivileged.py
+@@ -18,31 +18,35 @@
+ # with this program; if not, write to the Free Software Foundation, Inc.,
+ # 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+
+-import dbus
+-import dbus.service
+-from dbus.mainloop.glib import DBusGMainLoop
+ from gi.repository import GLib
++from pydbus import SystemBus
+ import setroubleshoot.util
+ import signal
+
+-DBusGMainLoop(set_as_default=True)
+-
+-class Privileged(dbus.service.Object):
++loop = GLib.MainLoop()
++
++class Privileged(object):
++ """
++
++
++
++
++
++
++
++
++
++ """
+
+ def __init__(self, timeout=10):
+ self.timeout = timeout
+ self.alarm(self.timeout)
+
+- bus = dbus.SystemBus()
+- bus.request_name("org.fedoraproject.SetroubleshootPrivileged")
+- bus_name = dbus.service.BusName("org.fedoraproject.SetroubleshootPrivileged", bus=bus)
+- dbus.service.Object.__init__(self, bus_name, "/org/fedoraproject/SetroubleshootPrivileged/object")
+-
+ def alarm(self, timeout=10):
+ signal.alarm(timeout)
+
+- @dbus.service.method("org.fedoraproject.SetroubleshootPrivileged", in_signature='s', out_signature='s')
+ def get_rpm_nvr_by_scontext(self, scontext):
++ """Finds an SELinux module which defines given SELinux context"""
+ signal.alarm(self.timeout)
+ rpmnvr = 
setroubleshoot.util.get_rpm_nvr_by_scontext(scontext)
+ if rpmnvr is None:
+@@ -50,8 +54,10 @@ class Privileged(dbus.service.Object):
+
+ return rpmnvr
+
+-if __name__ == "__main__":
+- privileged = Privileged()
++ def finish(self):
++ loop.quit()
+
+- loop = GLib.MainLoop()
++if __name__ == "__main__":
++ bus = SystemBus()
++ bus.publish("org.fedoraproject.SetroubleshootPrivileged", Privileged())
+ loop.run()
+diff --git a/framework/src/setroubleshoot/util.py b/framework/src/setroubleshoot/util.py
+index 77b3668afa86..4d18555fb9e4 100755
+--- a/framework/src/setroubleshoot/util.py
++++ b/framework/src/setroubleshoot/util.py
+@@ -68,7 +68,7 @@ __all__ = [
+ import bz2
+ import six
+ import datetime
+-import dbus
++from pydbus import SystemBus
+ import glob
+ from gi.repository import GObject
+ import os
+@@ -484,18 +484,9 @@ Finds an SELinux module which defines given SELinux context
+
+ """
+ if use_dbus:
+- bus = dbus.SystemBus()
+-
+- try:
+- remote_object = bus.get_object("org.fedoraproject.SetroubleshootPrivileged",
+- "/org/fedoraproject/SetroubleshootPrivileged/object")
+-
+- return str(remote_object.get_rpm_nvr_by_scontext(str(scontext),
+- dbus_interface = "org.fedoraproject.SetroubleshootPrivileged"))
+- except dbus.DBusException:
+- from traceback import print_exc
+- print_exc()
+- return None
++ bus = SystemBus()
++ remote_object = bus.get("org.fedoraproject.SetroubleshootPrivileged")
++ return str(remote_object.get_rpm_nvr_by_scontext(str(scontext)))
+ else:
+ context = selinux.context_new(str(scontext))
+ return get_rpm_nvr_by_type(str(selinux.context_type_get(context)))
+--
+2.25.1
+
diff --git a/0011-root-user-doesn-t-need-to-use-SetroubleshootPrivileg.patch b/0011-root-user-doesn-t-need-to-use-SetroubleshootPrivileg.patch
new file mode 100644
index 0000000..08c1d61
--- /dev/null
+++ b/0011-root-user-doesn-t-need-to-use-SetroubleshootPrivileg.patch
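Review bot: In the `util.py` hunk at `@@ -484,18 +484,9 @@`, the `use_dbus` branch of `get_rpm_nvr_by_scontext` loses its error handling: the removed `except dbus.DBusException` path returned `None`, while the new `bus.get(...)` and proxy call let a missing service or an access-denied reply propagate to every caller. The function appears to be exported (Patch0006 in the spec is named "Export-setroubleshoot.utils.get_rpm_nvr_by_scontext"), so callers other than the one wrapped by patch 0011 would see a changed contract. I would keep the None-on-failure behaviour by putting the three new lines back inside a `try` and logging the failure rather than printing a traceback; the exception type pydbus raises should be confirmed before narrowing the `except`. The function starts above the hunk, so the default of `use_dbus` is not visible here.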
@@ -0,0 +1,47 @@
+From 945838998d84dcd8f0aab147f228e244dc08a54e Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach
+Date: Fri, 28 Feb 2020 13:25:59 +0100
+Subject: [PATCH] root user doesn't need to use SetroubleshootPrivileged API
+
+Fixes:
+$ sudo sealert -a ./short.log 2>&1 | tee /tmp/tmp.956wzqmMcR, with 15 seconds timeout
+ERROR:dbus.proxies:Introspect error on :1.38:/org/fedoraproject/SetroubleshootPrivileged/object: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
+Traceback (most recent call last):
+ File "/usr/lib/python3.7/site-packages/setroubleshoot/util.py", line 494, in get_rpm_nvr_by_scontext
+ dbus_interface = "org.fedoraproject.SetroubleshootPrivileged"))
+ File "/usr/lib64/python3.7/site-packages/dbus/proxies.py", line 70, in __call__
+ return self._proxy_method(*args, **keywords)
+ File "/usr/lib64/python3.7/site-packages/dbus/proxies.py", line 145, in __call__
+ **keywords)
+ File "/usr/lib64/python3.7/site-packages/dbus/connection.py", line 651, in call_blocking
+ message, timeout)
+dbus.exceptions.DBusException: org.freedesktop.DBus.Error.AccessDenied: Sender is not authorized to send message
+---
+ framework/src/setroubleshoot/signature.py | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/framework/src/setroubleshoot/signature.py b/framework/src/setroubleshoot/signature.py
+index 7287eec8af61..bcc37408c29c 100755
+--- a/framework/src/setroubleshoot/signature.py
++++ b/framework/src/setroubleshoot/signature.py
+@@ -314,7 +314,16 @@ class SEFaultSignatureInfo(XmlSerialize):
+ setattr(self, k, v)
+ self.report_count = 1
+ self.plugin_list = []
+- self.environment.local_policy_rpm = get_rpm_nvr_by_scontext(self.scontext, use_dbus=True)
++
++ use_dbus=True
++ if os.getuid() == 0:
++ # root doesn't need to use dbus
++ use_dbus=False
++ try:
++ self.environment.local_policy_rpm = get_rpm_nvr_by_scontext(self.scontext, use_dbus=use_dbus)
++ except:
++ # leave 
it as it is
++ pass
+
+ def update_merge(self, siginfo):
+ if siginfo.last_seen_date != self.last_seen_date:
+--
+2.25.1
+
diff --git a/setroubleshoot.spec b/setroubleshoot.spec
index f77122e..a104bf1 100644
--- a/setroubleshoot.spec
+++ b/setroubleshoot.spec
@@ -4,7 +4,7 @@ Summary: Helps troubleshoot SELinux problems Name: setroubleshoot Version: 3.3.22 -Release: 4%{?dist} +Release: 5%{?dist} License: GPLv2+ URL: https://pagure.io/setroubleshoot Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz @@ -20,6 +20,8 @@ Patch0006: 0006-Export-setroubleshoot.utils.get_rpm_nvr_by_scontext-.patch Patch0007: 0007-setroubleshoot.utils.get_rpm_nvr_by_scontext-add-opt.patch Patch0008: 0008-Add-Local-SELinux-policy-package-version-to-analyses.patch Patch0009: 0009-Report-bug-on-a-package-which-owns-the-related-SELin.patch +Patch0010: 0010-Use-pydbus-a-modern-Python-dbus-API-for-Setroublesho.patch +Patch0011: 0011-root-user-doesn-t-need-to-use-SetroubleshootPrivileg.patch BuildRequires: gcc BuildRequires: libcap-ng-devel BuildRequires: intltool gettext python3 python3-devel @@ -209,6 +211,9 @@ SELinux troubleshoot legacy applet %{_bindir}/seappletlegacy %changelog +* Fri Feb 28 2020 Petr Lautrbach - 3.3.22-5 +- root user doesn't need to use SetroubleshootPrivileged API + * Thu Feb 27 2020 Petr Lautrbach - 3.3.22-4 - sealert to report a bug on a package which owns the related SELinux domain https://pagure.io/setroubleshoot/issue/18
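Review bot: The bare `except:` with `pass` added around the `get_rpm_nvr_by_scontext` call in `signature.py` hides every failure, including `KeyboardInterrupt`, `SystemExit` and plain programming errors. For a non-root caller, a D-Bus denial like the one quoted in the commit message now leaves `local_policy_rpm` at its previous value with no trace. I would narrow it to `except Exception as e:` and log the error with whatever logger `signature.py` already uses, so a misconfigured bus policy stays diagnosable. The flag can be a single line, `use_dbus = os.getuid() != 0`; `os.geteuid()` may be the better test if this code can run with differing real and effective uids, and the hunk does not show whether `signature.py` already imports `os`. The enclosing method of `SEFaultSignatureInfo` starts above the hunk.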