3ecfb8abcc
- Check that SELinux is enabled before running (#2178950) - Fix shebang of SetroubleshootPrivileged.py (#2231023) This effectively adds "-Es" to the shebang, making the script resilient to loading malicious 3rd party modules masquerading as genuine modules (e.g. "selinux"). Resolves: RHEL-5201 Resolves: RHEL-5203
From 9e2753d241bf0bccaf0b05984e7562a2ac2a70e6 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Thu, 24 Aug 2023 19:02:24 +0200
Subject: [PATCH] Check that SELinux is enabled before running
Setroubleshootd will fail to run when selinux is disabled. Check that
SELinux is enabled in setroubleshootd service file and in sealert (so
that it does not wait for setroubleshootd to start).
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2178950
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
setroubleshootd.service | 1 +
src/sealert | 6 ++++++
2 files changed, 7 insertions(+)
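--- a/framework/setroubleshootd.service
+++ b/framework/setroubleshootd.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=SETroubleshoot daemon for processing new SELinux denial logs
+ConditionSecurity=selinux
 
 [Service]
 Type=dbus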
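Review bot: `ConditionSecurity=selinux` makes systemd skip the unit (condition failed, not a unit failure) on a kernel without SELinux, and nothing in the file records why; a one-line comment above it would help the next packager, e.g. `# setroubleshootd needs an SELinux-enabled kernel; skip the unit (condition, not failure) elsewhere`. Because the unit is `Type=dbus` it is presumably also bus-activated, so a client requesting the bus name on a non-SELinux host will see an activation failure or time out instead of a clean error — the sealert hunk in this commit adds the client-side check that covers that case. The condition does not distinguish permissive from enforcing, which looks intended since the daemon is useful in both modes.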
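--- a/framework/src/sealert
+++ b/framework/src/sealert
@@ -576,6 +576,12 @@ if __name__ == '__main__':
 setup_sighandlers()
 log_debug("main() args=%s" % sys.argv)
 
+ # Exit if selinux is disabled - setroubleshootd cannot start
+ if not selinux.is_selinux_enabled():
+ log_debug("SELinux not enabled, sealert will not run on non SELinux systems")
+ print("SELinux not enabled, sealert will not run on non SELinux systems", file=sys.stderr)
+ sys.exit(3)
+
 def validate_invocation_style(opt, opts_instance, conflict_opts):
 global invocation_style
 conflict_opts.remove(opt)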
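Review bot: The new early exit uses status 3 without saying what that code means, and the same message is spelled out twice (once for `log_debug`, once for `print`); bind it once, `msg = "SELinux not enabled, sealert will not run on non SELinux systems"`, pass `msg` to both calls, and document the code, e.g. `# exit status 3: SELinux is disabled on this host (setroubleshootd cannot start)`. The check also runs before whatever option handling follows in main, so on a non-SELinux host every invocation exits 3 regardless of arguments (inferred — the option parsing is outside the hunk); if that is intended, say so in the comment. The `selinux` import the check relies on is not visible here, and the enclosing `if __name__ == '__main__':` block starts before the hunk.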
--
2.41.0