From 10a970733c5b31c237abd7357421384597fe0510 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Thu, 15 Apr 2021 17:39:39 +0200
Subject: [PATCH] Do not use Python slip

Python slip is not actively maintained anymore and it was use just as
polkit proxy. It looks like polkit dbus interface is quite simple to use
it directly via python dbus module.

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 dbus/selinux_server.py             | 69 ++++++++++++++++++------------
 python/sepolicy/sepolicy/sedbus.py |  9 ----
 2 files changed, 41 insertions(+), 37 deletions(-)

diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
index be4f4557a9fa..b7c9378bcb5d 100644
--- a/dbus/selinux_server.py
+++ b/dbus/selinux_server.py
@@ -4,26 +4,33 @@ import dbus
 import dbus.service
 import dbus.mainloop.glib
 from gi.repository import GObject
-import slip.dbus.service
-from slip.dbus import polkit
 import os
 import selinux
 from subprocess import Popen, PIPE, STDOUT
 
 
-class selinux_server(slip.dbus.service.Object):
+class selinux_server(dbus.service.Object):
     default_polkit_auth_required = "org.selinux.semanage"
 
     def __init__(self, *p, **k):
         super(selinux_server, self).__init__(*p, **k)
 
+    def is_authorized(self, sender, action_id):
+        bus = dbus.SystemBus()
+        proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
+        authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
+        subject = ('system-bus-name', {'name': sender})
+        result = authority.CheckAuthorization(subject, action_id, {}, 1, '')
+        return result[0]
+
     #
     # The semanage method runs a transaction on a series of semanage commands,
     # these commands can take the output of customized
     #
-    @slip.dbus.polkit.require_auth("org.selinux.semanage")
-    @dbus.service.method("org.selinux", in_signature='s')
-    def semanage(self, buf):
+    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+    def semanage(self, buf, sender):
+        if not self.is_authorized(sender, "org.selinux.semanage"):
+            raise dbus.exceptions.DBusException("Not authorized")
         p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
         p.stdin.write(buf)
         output = p.communicate()
@@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object):
     # on the server.  This output can be used with the semanage method on
     # another server to make the two systems have duplicate policy.
     #
-    @slip.dbus.polkit.require_auth("org.selinux.customized")
-    @dbus.service.method("org.selinux", in_signature='', out_signature='s')
-    def customized(self):
+    @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
+    def customized(self, sender):
+        if not self.is_authorized(sender, "org.selinux.customized"):
+            raise dbus.exceptions.DBusException("Not authorized")
         p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
         buf = p.stdout.read()
         output = p.communicate()
@@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object):
     # The semodule_list method will return the output of semodule --list=full, using the customized polkit,
     # since this is a readonly behaviour
     #
-    @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
-    @dbus.service.method("org.selinux", in_signature='', out_signature='s')
-    def semodule_list(self):
+    @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
+    def semodule_list(self, sender):
+        if not self.is_authorized(sender, "org.selinux.semodule_list"):
+            raise dbus.exceptions.DBusException("Not authorized")
         p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
         buf = p.stdout.read()
         output = p.communicate()
@@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object):
     #
     # The restorecon method modifies any file path to the default system label
     #
-    @slip.dbus.polkit.require_auth("org.selinux.restorecon")
-    @dbus.service.method("org.selinux", in_signature='s')
-    def restorecon(self, path):
+    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+    def restorecon(self, path, sender):
+        if not self.is_authorized(sender, "org.selinux.restorecon"):
+            raise dbus.exceptions.DBusException("Not authorized")
         selinux.restorecon(str(path), recursive=1)
 
     #
     # The setenforce method turns off the current enforcement of SELinux
     #
-    @slip.dbus.polkit.require_auth("org.selinux.setenforce")
-    @dbus.service.method("org.selinux", in_signature='i')
-    def setenforce(self, value):
+    @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
+    def setenforce(self, value, sender):
+        if not self.is_authorized(sender, "org.selinux.setenforce"):
+            raise dbus.exceptions.DBusException("Not authorized")
         selinux.security_setenforce(value)
 
     #
     # The setenforce method turns off the current enforcement of SELinux
     #
-    @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
-    @dbus.service.method("org.selinux", in_signature='i')
-    def relabel_on_boot(self, value):
+    @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
+    def relabel_on_boot(self, value, sender):
+        if not self.is_authorized(sender, "org.selinux.relabel_on_boot"):
+            raise dbus.exceptions.DBusException("Not authorized")
         if value == 1:
             fd = open("/.autorelabel", "w")
             fd.close()
@@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object):
     #
     # The change_default_enforcement modifies the current enforcement mode
     #
-    @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
-    @dbus.service.method("org.selinux", in_signature='s')
-    def change_default_mode(self, value):
+    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+    def change_default_mode(self, value, sender):
+        if not self.is_authorized(sender, "org.selinux.change_default_mode"):
+            raise dbus.exceptions.DBusException("Not authorized")
         values = ["enforcing", "permissive", "disabled"]
         if value not in values:
             raise ValueError("Enforcement mode must be %s" % ", ".join(values))
@@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object):
     #
     # The change_default_policy method modifies the policy type
     #
-    @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
-    @dbus.service.method("org.selinux", in_signature='s')
-    def change_default_policy(self, value):
+    @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
+    def change_default_policy(self, value, sender):
+        if not self.is_authorized(sender, "org.selinux.change_default_policy"):
+            raise dbus.exceptions.DBusException("Not authorized")
         path = selinux.selinux_path() + value
         if os.path.isdir(path):
             return self.write_selinux_config(policy=value)
@@ -136,5 +150,4 @@ if __name__ == "__main__":
     system_bus = dbus.SystemBus()
     name = dbus.service.BusName("org.selinux", system_bus)
     object = selinux_server(system_bus, "/org/selinux/object")
-    slip.dbus.service.set_mainloop(mainloop)
     mainloop.run()
diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py
index 76b259ae27e8..39b53d47753a 100644
--- a/python/sepolicy/sepolicy/sedbus.py
+++ b/python/sepolicy/sepolicy/sedbus.py
@@ -2,7 +2,6 @@ import sys
 import dbus
 import dbus.service
 import dbus.mainloop.glib
-from slip.dbus import polkit
 
 
 class SELinuxDBus (object):
@@ -11,42 +10,34 @@ class SELinuxDBus (object):
         self.bus = dbus.SystemBus()
         self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object")
 
-    @polkit.enable_proxy
     def semanage(self, buf):
         ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux")
         return ret
 
-    @polkit.enable_proxy
     def restorecon(self, path):
         ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux")
         return ret
 
-    @polkit.enable_proxy
     def setenforce(self, value):
         ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux")
         return ret
 
-    @polkit.enable_proxy
     def customized(self):
         ret = self.dbus_object.customized(dbus_interface="org.selinux")
         return ret
 
-    @polkit.enable_proxy
     def semodule_list(self):
         ret = self.dbus_object.semodule_list(dbus_interface="org.selinux")
         return ret
 
-    @polkit.enable_proxy
     def relabel_on_boot(self, value):
         ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux")
         return ret
 
-    @polkit.enable_proxy
     def change_default_mode(self, value):
         ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux")
         return ret
 
-    @polkit.enable_proxy
     def change_default_policy(self, value):
         ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux")
         return ret
-- 
2.32.0