|
 |
5b70e6 |
From 10a970733c5b31c237abd7357421384597fe0510 Mon Sep 17 00:00:00 2001
|
|
|
5b70e6 |
From: Petr Lautrbach <plautrba@redhat.com>
|
|
|
5b70e6 |
Date: Thu, 15 Apr 2021 17:39:39 +0200
|
|
|
5b70e6 |
Subject: [PATCH] Do not use Python slip
|
|
|
5b70e6 |
|
|
|
5b70e6 |
Python slip is not actively maintained anymore and it was use just as
|
|
|
5b70e6 |
polkit proxy. It looks like polkit dbus interface is quite simple to use
|
|
|
5b70e6 |
it directly via python dbus module.
|
|
|
5b70e6 |
|
|
|
5b70e6 |
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
|
|
|
5b70e6 |
---
|
|
|
5b70e6 |
dbus/selinux_server.py | 69 ++++++++++++++++++------------
|
|
|
5b70e6 |
python/sepolicy/sepolicy/sedbus.py | 9 ----
|
|
|
5b70e6 |
2 files changed, 41 insertions(+), 37 deletions(-)
|
|
|
5b70e6 |
|
|
|
5b70e6 |
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
|
|
|
5b70e6 |
index be4f4557a9fa..b7c9378bcb5d 100644
|
|
|
5b70e6 |
--- a/dbus/selinux_server.py
|
|
|
5b70e6 |
+++ b/dbus/selinux_server.py
|
|
|
5b70e6 |
@@ -4,26 +4,33 @@ import dbus
|
|
|
5b70e6 |
import dbus.service
|
|
|
5b70e6 |
import dbus.mainloop.glib
|
|
|
5b70e6 |
from gi.repository import GObject
|
|
|
5b70e6 |
-import slip.dbus.service
|
|
|
5b70e6 |
-from slip.dbus import polkit
|
|
|
5b70e6 |
import os
|
|
|
5b70e6 |
import selinux
|
|
|
5b70e6 |
from subprocess import Popen, PIPE, STDOUT
|
|
|
5b70e6 |
|
|
|
5b70e6 |
|
|
|
5b70e6 |
-class selinux_server(slip.dbus.service.Object):
|
|
|
5b70e6 |
+class selinux_server(dbus.service.Object):
|
|
|
5b70e6 |
default_polkit_auth_required = "org.selinux.semanage"
|
|
|
5b70e6 |
|
|
|
5b70e6 |
def __init__(self, *p, **k):
|
|
|
5b70e6 |
super(selinux_server, self).__init__(*p, **k)
|
|
|
5b70e6 |
|
|
|
5b70e6 |
+ def is_authorized(self, sender, action_id):
|
|
|
5b70e6 |
+ bus = dbus.SystemBus()
|
|
|
5b70e6 |
+ proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
|
|
|
5b70e6 |
+ authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
|
|
|
5b70e6 |
+ subject = ('system-bus-name', {'name': sender})
|
|
|
5b70e6 |
+ result = authority.CheckAuthorization(subject, action_id, {}, 1, '')
|
|
|
5b70e6 |
+ return result[0]
|
|
|
5b70e6 |
+
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
# The semanage method runs a transaction on a series of semanage commands,
|
|
|
5b70e6 |
# these commands can take the output of customized
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
- @slip.dbus.polkit.require_auth("org.selinux.semanage")
|
|
|
5b70e6 |
- @dbus.service.method("org.selinux", in_signature='s')
|
|
|
5b70e6 |
- def semanage(self, buf):
|
|
|
5b70e6 |
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
|
|
|
5b70e6 |
+ def semanage(self, buf, sender):
|
|
|
5b70e6 |
+ if not self.is_authorized(sender, "org.selinux.semanage"):
|
|
|
5b70e6 |
+ raise dbus.exceptions.DBusException("Not authorized")
|
|
|
5b70e6 |
p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
|
|
|
5b70e6 |
p.stdin.write(buf)
|
|
|
5b70e6 |
output = p.communicate()
|
|
|
5b70e6 |
@@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object):
|
|
|
5b70e6 |
# on the server. This output can be used with the semanage method on
|
|
|
5b70e6 |
# another server to make the two systems have duplicate policy.
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
- @slip.dbus.polkit.require_auth("org.selinux.customized")
|
|
|
5b70e6 |
- @dbus.service.method("org.selinux", in_signature='', out_signature='s')
|
|
|
5b70e6 |
- def customized(self):
|
|
|
5b70e6 |
+ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
|
|
|
5b70e6 |
+ def customized(self, sender):
|
|
|
5b70e6 |
+ if not self.is_authorized(sender, "org.selinux.customized"):
|
|
|
5b70e6 |
+ raise dbus.exceptions.DBusException("Not authorized")
|
|
|
5b70e6 |
p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
|
|
|
5b70e6 |
buf = p.stdout.read()
|
|
|
5b70e6 |
output = p.communicate()
|
|
|
5b70e6 |
@@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object):
|
|
|
5b70e6 |
# The semodule_list method will return the output of semodule --list=full, using the customized polkit,
|
|
|
5b70e6 |
# since this is a readonly behaviour
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
- @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
|
|
|
5b70e6 |
- @dbus.service.method("org.selinux", in_signature='', out_signature='s')
|
|
|
5b70e6 |
- def semodule_list(self):
|
|
|
5b70e6 |
+ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
|
|
|
5b70e6 |
+ def semodule_list(self, sender):
|
|
|
5b70e6 |
+ if not self.is_authorized(sender, "org.selinux.semodule_list"):
|
|
|
5b70e6 |
+ raise dbus.exceptions.DBusException("Not authorized")
|
|
|
5b70e6 |
p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
|
|
|
5b70e6 |
buf = p.stdout.read()
|
|
|
5b70e6 |
output = p.communicate()
|
|
|
5b70e6 |
@@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object):
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
# The restorecon method modifies any file path to the default system label
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
- @slip.dbus.polkit.require_auth("org.selinux.restorecon")
|
|
|
5b70e6 |
- @dbus.service.method("org.selinux", in_signature='s')
|
|
|
5b70e6 |
- def restorecon(self, path):
|
|
|
5b70e6 |
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
|
|
|
5b70e6 |
+ def restorecon(self, path, sender):
|
|
|
5b70e6 |
+ if not self.is_authorized(sender, "org.selinux.restorecon"):
|
|
|
5b70e6 |
+ raise dbus.exceptions.DBusException("Not authorized")
|
|
|
5b70e6 |
selinux.restorecon(str(path), recursive=1)
|
|
|
5b70e6 |
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
# The setenforce method turns off the current enforcement of SELinux
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
- @slip.dbus.polkit.require_auth("org.selinux.setenforce")
|
|
|
5b70e6 |
- @dbus.service.method("org.selinux", in_signature='i')
|
|
|
5b70e6 |
- def setenforce(self, value):
|
|
|
5b70e6 |
+ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
|
|
|
5b70e6 |
+ def setenforce(self, value, sender):
|
|
|
5b70e6 |
+ if not self.is_authorized(sender, "org.selinux.setenforce"):
|
|
|
5b70e6 |
+ raise dbus.exceptions.DBusException("Not authorized")
|
|
|
5b70e6 |
selinux.security_setenforce(value)
|
|
|
5b70e6 |
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
# The setenforce method turns off the current enforcement of SELinux
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
- @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
|
|
|
5b70e6 |
- @dbus.service.method("org.selinux", in_signature='i')
|
|
|
5b70e6 |
- def relabel_on_boot(self, value):
|
|
|
5b70e6 |
+ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
|
|
|
5b70e6 |
+ def relabel_on_boot(self, value, sender):
|
|
|
5b70e6 |
+ if not self.is_authorized(sender, "org.selinux.relabel_on_boot"):
|
|
|
5b70e6 |
+ raise dbus.exceptions.DBusException("Not authorized")
|
|
|
5b70e6 |
if value == 1:
|
|
|
5b70e6 |
fd = open("/.autorelabel", "w")
|
|
|
5b70e6 |
fd.close()
|
|
|
5b70e6 |
@@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object):
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
# The change_default_enforcement modifies the current enforcement mode
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
- @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
|
|
|
5b70e6 |
- @dbus.service.method("org.selinux", in_signature='s')
|
|
|
5b70e6 |
- def change_default_mode(self, value):
|
|
|
5b70e6 |
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
|
|
|
5b70e6 |
+ def change_default_mode(self, value, sender):
|
|
|
5b70e6 |
+ if not self.is_authorized(sender, "org.selinux.change_default_mode"):
|
|
|
5b70e6 |
+ raise dbus.exceptions.DBusException("Not authorized")
|
|
|
5b70e6 |
values = ["enforcing", "permissive", "disabled"]
|
|
|
5b70e6 |
if value not in values:
|
|
|
5b70e6 |
raise ValueError("Enforcement mode must be %s" % ", ".join(values))
|
|
|
5b70e6 |
@@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object):
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
# The change_default_policy method modifies the policy type
|
|
|
5b70e6 |
#
|
|
|
5b70e6 |
- @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
|
|
|
5b70e6 |
- @dbus.service.method("org.selinux", in_signature='s')
|
|
|
5b70e6 |
- def change_default_policy(self, value):
|
|
|
5b70e6 |
+ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
|
|
|
5b70e6 |
+ def change_default_policy(self, value, sender):
|
|
|
5b70e6 |
+ if not self.is_authorized(sender, "org.selinux.change_default_policy"):
|
|
|
5b70e6 |
+ raise dbus.exceptions.DBusException("Not authorized")
|
|
|
5b70e6 |
path = selinux.selinux_path() + value
|
|
|
5b70e6 |
if os.path.isdir(path):
|
|
|
5b70e6 |
return self.write_selinux_config(policy=value)
|
|
|
5b70e6 |
@@ -136,5 +150,4 @@ if __name__ == "__main__":
|
|
|
5b70e6 |
system_bus = dbus.SystemBus()
|
|
|
5b70e6 |
name = dbus.service.BusName("org.selinux", system_bus)
|
|
|
5b70e6 |
object = selinux_server(system_bus, "/org/selinux/object")
|
|
|
5b70e6 |
- slip.dbus.service.set_mainloop(mainloop)
|
|
|
5b70e6 |
mainloop.run()
|
|
|
5b70e6 |
diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py
|
|
|
5b70e6 |
index 76b259ae27e8..39b53d47753a 100644
|
|
|
5b70e6 |
--- a/python/sepolicy/sepolicy/sedbus.py
|
|
|
5b70e6 |
+++ b/python/sepolicy/sepolicy/sedbus.py
|
|
|
5b70e6 |
@@ -2,7 +2,6 @@ import sys
|
|
|
5b70e6 |
import dbus
|
|
|
5b70e6 |
import dbus.service
|
|
|
5b70e6 |
import dbus.mainloop.glib
|
|
|
5b70e6 |
-from slip.dbus import polkit
|
|
|
5b70e6 |
|
|
|
5b70e6 |
|
|
|
5b70e6 |
class SELinuxDBus (object):
|
|
|
5b70e6 |
@@ -11,42 +10,34 @@ class SELinuxDBus (object):
|
|
|
5b70e6 |
self.bus = dbus.SystemBus()
|
|
|
5b70e6 |
self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object")
|
|
|
5b70e6 |
|
|
|
5b70e6 |
- @polkit.enable_proxy
|
|
|
5b70e6 |
def semanage(self, buf):
|
|
|
5b70e6 |
ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux")
|
|
|
5b70e6 |
return ret
|
|
|
5b70e6 |
|
|
|
5b70e6 |
- @polkit.enable_proxy
|
|
|
5b70e6 |
def restorecon(self, path):
|
|
|
5b70e6 |
ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux")
|
|
|
5b70e6 |
return ret
|
|
|
5b70e6 |
|
|
|
5b70e6 |
- @polkit.enable_proxy
|
|
|
5b70e6 |
def setenforce(self, value):
|
|
|
5b70e6 |
ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux")
|
|
|
5b70e6 |
return ret
|
|
|
5b70e6 |
|
|
|
5b70e6 |
- @polkit.enable_proxy
|
|
|
5b70e6 |
def customized(self):
|
|
|
5b70e6 |
ret = self.dbus_object.customized(dbus_interface="org.selinux")
|
|
|
5b70e6 |
return ret
|
|
|
5b70e6 |
|
|
|
5b70e6 |
- @polkit.enable_proxy
|
|
|
5b70e6 |
def semodule_list(self):
|
|
|
5b70e6 |
ret = self.dbus_object.semodule_list(dbus_interface="org.selinux")
|
|
|
5b70e6 |
return ret
|
|
|
5b70e6 |
|
|
|
5b70e6 |
- @polkit.enable_proxy
|
|
|
5b70e6 |
def relabel_on_boot(self, value):
|
|
|
5b70e6 |
ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux")
|
|
|
5b70e6 |
return ret
|
|
|
5b70e6 |
|
|
|
5b70e6 |
- @polkit.enable_proxy
|
|
|
5b70e6 |
def change_default_mode(self, value):
|
|
|
5b70e6 |
ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux")
|
|
|
5b70e6 |
return ret
|
|
|
5b70e6 |
|
|
|
5b70e6 |
- @polkit.enable_proxy
|
|
|
5b70e6 |
def change_default_policy(self, value):
|
|
|
5b70e6 |
ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux")
|
|
|
5b70e6 |
return ret
|
|
|
5b70e6 |
--
|
|
|
5b70e6 |
2.32.0
|
|
|
5b70e6 |
|