diff --git a/SOURCES/0049-python-Harden-tools-against-rogue-modules.patch b/SOURCES/0049-python-Harden-tools-against-rogue-modules.patch
new file mode 100644
index 0000000..8796c90
--- /dev/null
+++ b/SOURCES/0049-python-Harden-tools-against-rogue-modules.patch
@@ -0,0 +1,79 @@
+From 72c7e9123980b003a21d51e2805529a3e90b2460 Mon Sep 17 00:00:00 2001
+From: Vit Mojzis
+Date: Thu, 13 Oct 2022 17:33:18 +0200
+Subject: [PATCH] python: Harden tools against "rogue" modules
+
+Python scripts present in "/usr/sbin" override regular modules.
+Make sure /usr/sbin is not present in PYTHONPATH.
+
+Fixes:
+ #cat > /usr/sbin/audit.py <
+---
+ python/audit2allow/audit2allow | 2 +-
+ python/audit2allow/sepolgen-ifgen | 2 +-
+ python/chcat/chcat | 2 +-
+ python/semanage/semanage | 2 +-
+ python/sepolicy/sepolicy.py | 2 +-
+ 5 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
+index 09b06f66..eafeea88 100644
+--- a/python/audit2allow/audit2allow
++++ b/python/audit2allow/audit2allow
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+ # Authors: Karl MacMillan
+ # Authors: Dan Walsh
+ #
+diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
+index be2d093b..f25f8af1 100644
+--- a/python/audit2allow/sepolgen-ifgen
++++ b/python/audit2allow/sepolgen-ifgen
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+ #
+ # Authors: Karl MacMillan
+ #
+diff --git a/python/chcat/chcat b/python/chcat/chcat
+index df2509f2..5671cec6 100755
+--- a/python/chcat/chcat
++++ b/python/chcat/chcat
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+ # Copyright (C) 2005 Red Hat
+ # see file 'COPYING' for use and warranty information
+ #
+diff --git a/python/semanage/semanage b/python/semanage/semanage
+index b8842d28..1f170f60 100644
+--- a/python/semanage/semanage
++++ b/python/semanage/semanage
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+ # Copyright (C) 2012-2013 Red Hat
+ # AUTHOR: Miroslav Grepl
+ # AUTHOR: David Quigley
+diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
+index 8bd6a579..0c1d9641 100755
+--- a/python/sepolicy/sepolicy.py
++++ 
b/python/sepolicy/sepolicy.py
+@@ -1,4 +1,4 @@
+-#!/usr/bin/python3 -Es
++#!/usr/bin/python3 -EsI
+ # Copyright (C) 2012 Red Hat
+ # AUTHOR: Dan Walsh
+ # see file 'COPYING' for use and warranty information
+--
+2.37.3
+
diff --git a/SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch b/SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch
new file mode 100644
index 0000000..eb08953
--- /dev/null
+++ b/SOURCES/0050-python-Do-not-query-the-local-database-if-the-fconte.patch
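Review bot: The `-EsI` shebangs in this hunk are redundant rather than wrong, since `-I` already implies `-E` and `-s`; `#!/usr/bin/python3 -I` says the same thing, and whichever form is kept has to match the `pathfix.py` invocation in the spec, which rewrites these shebangs at build time. The commit message blames PYTHONPATH, but `-E` was already ignoring PYTHONPATH before this change; what let `/usr/sbin/audit.py` shadow the real `audit` module is the script's own directory being prepended as `sys.path[0]`, which is precisely what `-I` drops, and the message should say so because that is the property a future edit must preserve. The protection only applies when the tools are executed through their shebang; running `python3 /usr/sbin/semanage` by hand bypasses it, which deserves a sentence in the message or a comment next to the shebang. The reproducer in the commit message appears to be cut off after `#cat > /usr/sbin/audit.py <` in this rendering (the hunk header promises 79 lines, fewer are visible), so the patch file should be checked against the upstream commit before it ships.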
@@ -0,0 +1,65 @@
+From f33e40265d192e5d725e7b82e5f14f603e1fba48 Mon Sep 17 00:00:00 2001
+From: James Carter
+Date: Wed, 19 Oct 2022 14:20:11 -0400
+Subject: [PATCH] python: Do not query the local database if the fcontext is
+ non-local
+
+Vit Mojzis reports that an error message is produced when modifying
+a non-local fcontext.
+
+He gives the following example:
+ # semanage fcontext -f f -m -t passwd_file_t /etc/security/opasswd
+ libsemanage.dbase_llist_query: could not query record value (No such file or directory).
+
+When modifying an fcontext, the non-local database is checked for the
+key and then, if it is not found there, the local database is checked.
+If the key doesn't exist, then an error is raised. If the key exists
+then the local database is queried first and, if that fails, the non-
+local database is queried.
+
+The error is from querying the local database when the fcontext is in
+the non-local database.
+
+Instead, if the fcontext is in the non-local database, just query
+the non-local database. Only query the local database if the
+fcontext was found in it.
+
+Reported-by: Vit Mojzis
+Signed-off-by: James Carter
+---
+ python/semanage/seobject.py | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
+index 70ebfd08..0e923a0d 100644
+--- a/python/semanage/seobject.py
++++ b/python/semanage/seobject.py
+@@ -2490,16 +2490,19 @@ class fcontextRecords(semanageRecords):
+ (rc, exists) = semanage_fcontext_exists(self.sh, k)
+ if rc < 0:
+ raise ValueError(_("Could not check if file context for %s is defined") % target)
+- if not exists:
++ if exists:
++ try:
++ (rc, fcontext) = semanage_fcontext_query(self.sh, k)
++ except OSError:
++ raise ValueError(_("Could not query file context for %s") % target)
++ else:
+ (rc, exists) = semanage_fcontext_exists_local(self.sh, k)
++ if rc < 0:
++ raise ValueError(_("Could not check if file context for %s is defined") % target)
+ if not exists:
+ raise ValueError(_("File context for %s is not defined") % target)
+-
+- try:
+- (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
+- except OSError:
+ try:
+- (rc, fcontext) = semanage_fcontext_query(self.sh, k)
++ (rc, fcontext) = semanage_fcontext_query_local(self.sh, k)
+ except OSError:
+ raise ValueError(_("Could not query file context for %s") % target)
+
+--
+2.37.3
+
diff --git a/SPECS/policycoreutils.spec b/SPECS/policycoreutils.spec
index b9739c5..54f2f69 100644
--- a/SPECS/policycoreutils.spec
+++ b/SPECS/policycoreutils.spec
@@ -12,7 +12,7 @@ Summary: SELinux policy core utilities
 Name: policycoreutils
 Version: 2.9
-Release: 20%{?dist}
+Release: 21.1%{?dist}
 License: GPLv2
 # https://github.com/SELinuxProject/selinux/wiki/Releases
 Source0: https://github.com/SELinuxProject/selinux/releases/download/20190315/policycoreutils-2.9.tar.gz
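Review bot: Both `except OSError:` branches the hunk introduces around `semanage_fcontext_query` and `semanage_fcontext_query_local` re-raise as a bare `ValueError`, so the libsemanage failure detail (the errno text quoted in the commit message) is dropped from the traceback; `except OSError as e:` followed by `raise ValueError(_("Could not query file context for %s") % target) from e` keeps it without changing what callers catch. The new `if rc < 0:` guard after `semanage_fcontext_exists_local` reuses the message of the non-local check verbatim, so an operator reading the error cannot tell which database lookup failed; a distinct message, or at least a `# local database` comment on that line, would help. The `rc` returned by both query calls is only ever checked through the OSError path, which appears to rely on the binding raising on failure; if that holds, the `rc` binding in those two tuples is dead and could be written as `_`. The enclosing method starts and ends outside the hunk.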
@@ -86,6 +86,8 @@ Patch0045: 0045-semodule-libsemanage-move-module-hashing-into-libsem.patch
 Patch0046: 0046-semodule-add-command-line-option-to-detect-module-ch.patch
 Patch0047: 0047-python-Split-semanage-import-into-two-transactions.patch
 Patch0048: 0048-semodule-rename-rebuild-if-modules-changed-to-refres.patch
+Patch0049: 0049-python-Harden-tools-against-rogue-modules.patch
+Patch0050: 0050-python-Do-not-query-the-local-database-if-the-fconte.patch
 Obsoletes: policycoreutils < 2.0.61-2
 Conflicts: filesystem < 3, selinux-policy-base < 3.13.1-138
@@ -214,7 +216,7 @@ install -m 755 -p %{SOURCE15} %{buildroot}/%{_libexecdir}/selinux/
 pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib}
 # change /usr/bin/python to %%{__python3} in policycoreutils-python-utils
-pathfix.py -i "%{__python3} -Es" -p \
+pathfix.py -i "%{__python3} -EsI" -p \
 %{buildroot}%{_sbindir}/semanage \
 %{buildroot}%{_bindir}/chcat \
 %{buildroot}%{_bindir}/sandbox \
@@ -525,6 +527,11 @@ The policycoreutils-restorecond package contains the restorecond service.
 %systemd_postun_with_restart restorecond.service
 %changelog
+* Mon Dec 19 2022 Vit Mojzis - 2.9-21.1
+- python: Harden tools against "rogue" modules (#2128976)
+- Update "pathfix" arguments to match ^^^ (#2128976)
+- python: Do not query the local database if the fcontext is non-local (#2124825)
+
 * Thu Jul 07 2022 Vit Mojzis - 2.9-20
 - python: Split "semanage import" into two transactions (#2063353)
 - semodule: rename --rebuild-if-modules-changed to --refresh (#2089802)
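Review bot: `pathfix.py -i` rewrites the shebang of each listed script, so the changed line in the `-214,7` hunk, not patch 0049, decides which flags the installed tools run with; the script list continues past the end of the hunk, so I cannot confirm from here that it covers every script 0049 touches, and any script that is instead matched by the preceding `pathfix.py -i "%{__python3} -Es" -p %{buildroot}%{python3_sitelib}` line would be rewritten back to `-Es` regardless of the patch. Leaving that sitelib line at `-Es` looks deliberate, since modules there are imported rather than executed, but a one-line comment saying so would keep it from being "fixed" later. Scripts in this list that 0049 does not patch (`sandbox` is visible) also pick up `-I` here, which is a behaviour change for them that the changelog entry does not mention and that should be exercised before release. A comment on the changed line such as `# -EsI: keep in sync with the shebangs in 0049 (-I drops the script dir from sys.path)` would make the coupling explicit.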