From d7133c7185dd2244524ee6e1b58823398c19eae1 Mon Sep 17 00:00:00 2001 From: Petr Lautrbach Date: May 13 2021 06:48:18 +0000 Subject: policycoreutils-3.2-2 - Do not use Python slip - dbus: use GLib.MainLoop - fixfiles: do not exclude /dev and /run in -C mode --- diff --git a/0018-Do-not-use-Python-slip.patch b/0018-Do-not-use-Python-slip.patch new file mode 100644 index 0000000..fc4bd6d --- /dev/null +++ b/0018-Do-not-use-Python-slip.patch @@ -0,0 +1,217 @@ +From 02fd46cee210fc693ddf985d7d03674397f8342f Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Thu, 15 Apr 2021 17:39:39 +0200 +Subject: [PATCH] Do not use Python slip + +Python slip is not actively maintained anymore and it was use just as +polkit proxy. It looks like polkit dbus interface is quite simple to use +it directly via python dbus module. + +Signed-off-by: Petr Lautrbach +--- + dbus/selinux_server.py | 69 ++++++++++++++++++------------ + python/sepolicy/sepolicy/sedbus.py | 9 ---- + 2 files changed, 41 insertions(+), 37 deletions(-) + +diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py +index be4f4557a9fa..b7c9378bcb5d 100644 +--- a/dbus/selinux_server.py ++++ b/dbus/selinux_server.py +@@ -4,26 +4,33 @@ import dbus + import dbus.service + import dbus.mainloop.glib + from gi.repository import GObject +-import slip.dbus.service +-from slip.dbus import polkit + import os + import selinux + from subprocess import Popen, PIPE, STDOUT + + +-class selinux_server(slip.dbus.service.Object): ++class selinux_server(dbus.service.Object): + default_polkit_auth_required = "org.selinux.semanage" + + def __init__(self, *p, **k): + super(selinux_server, self).__init__(*p, **k) + ++ def is_authorized(self, sender, action_id): ++ bus = dbus.SystemBus() ++ proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority') ++ authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority') ++ subject = ('system-bus-name', {'name': sender}) ++ result = authority.CheckAuthorization(subject, action_id, {}, 1, '') ++ return result[0] ++ + # + # The semanage method runs a transaction on a series of semanage commands, + # these commands can take the output of customized + # +- @slip.dbus.polkit.require_auth("org.selinux.semanage") +- @dbus.service.method("org.selinux", in_signature='s') +- def semanage(self, buf): ++ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") ++ def semanage(self, buf, sender): ++ if not self.is_authorized(sender, "org.selinux.semanage"): ++ raise dbus.exceptions.DBusException("Not authorized") + p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True) + p.stdin.write(buf) + output = p.communicate() +@@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object): + # on the server. This output can be used with the semanage method on + # another server to make the two systems have duplicate policy. + # +- @slip.dbus.polkit.require_auth("org.selinux.customized") +- @dbus.service.method("org.selinux", in_signature='', out_signature='s') +- def customized(self): ++ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") ++ def customized(self, sender): ++ if not self.is_authorized(sender, "org.selinux.customized"): ++ raise dbus.exceptions.DBusException("Not authorized") + p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True) + buf = p.stdout.read() + output = p.communicate() +@@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object): + # The semodule_list method will return the output of semodule --list=full, using the customized polkit, + # since this is a readonly behaviour + # +- @slip.dbus.polkit.require_auth("org.selinux.semodule_list") +- @dbus.service.method("org.selinux", in_signature='', out_signature='s') +- def semodule_list(self): ++ @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") ++ def semodule_list(self, sender): ++ if not self.is_authorized(sender, "org.selinux.semodule_list"): ++ raise dbus.exceptions.DBusException("Not authorized") + p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True) + buf = p.stdout.read() + output = p.communicate() +@@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object): + # + # The restorecon method modifies any file path to the default system label + # +- @slip.dbus.polkit.require_auth("org.selinux.restorecon") +- @dbus.service.method("org.selinux", in_signature='s') +- def restorecon(self, path): ++ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") ++ def restorecon(self, path, sender): ++ if not self.is_authorized(sender, "org.selinux.restorecon"): ++ raise dbus.exceptions.DBusException("Not authorized") + selinux.restorecon(str(path), recursive=1) + + # + # The setenforce method turns off the current enforcement of SELinux + # +- @slip.dbus.polkit.require_auth("org.selinux.setenforce") +- @dbus.service.method("org.selinux", in_signature='i') +- def setenforce(self, value): ++ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") ++ def setenforce(self, value, sender): ++ if not self.is_authorized(sender, "org.selinux.setenforce"): ++ raise dbus.exceptions.DBusException("Not authorized") + selinux.security_setenforce(value) + + # + # The setenforce method turns off the current enforcement of SELinux + # +- @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot") +- @dbus.service.method("org.selinux", in_signature='i') +- def relabel_on_boot(self, value): ++ @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") ++ def relabel_on_boot(self, value, sender): ++ if not self.is_authorized(sender, "org.selinux.relabel_on_boot"): ++ raise dbus.exceptions.DBusException("Not authorized") + if value == 1: + fd = open("/.autorelabel", "w") + fd.close() +@@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object): + # + # The change_default_enforcement modifies the current enforcement mode + # +- @slip.dbus.polkit.require_auth("org.selinux.change_default_mode") +- @dbus.service.method("org.selinux", in_signature='s') +- def change_default_mode(self, value): ++ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") ++ def change_default_mode(self, value, sender): ++ if not self.is_authorized(sender, "org.selinux.change_default_mode"): ++ raise dbus.exceptions.DBusException("Not authorized") + values = ["enforcing", "permissive", "disabled"] + if value not in values: + raise ValueError("Enforcement mode must be %s" % ", ".join(values)) +@@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object): + # + # The change_default_policy method modifies the policy type + # +- @slip.dbus.polkit.require_auth("org.selinux.change_default_policy") +- @dbus.service.method("org.selinux", in_signature='s') +- def change_default_policy(self, value): ++ @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") ++ def change_default_policy(self, value, sender): ++ if not self.is_authorized(sender, "org.selinux.change_default_policy"): ++ raise dbus.exceptions.DBusException("Not authorized") + path = selinux.selinux_path() + value + if os.path.isdir(path): + return self.write_selinux_config(policy=value) +@@ -136,5 +150,4 @@ if __name__ == "__main__": + system_bus = dbus.SystemBus() + name = dbus.service.BusName("org.selinux", system_bus) + object = selinux_server(system_bus, "/org/selinux/object") +- slip.dbus.service.set_mainloop(mainloop) + mainloop.run() +diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py +index 76b259ae27e8..39b53d47753a 100644 +--- a/python/sepolicy/sepolicy/sedbus.py ++++ b/python/sepolicy/sepolicy/sedbus.py +@@ -2,7 +2,6 @@ import sys + import dbus + import dbus.service + import dbus.mainloop.glib +-from slip.dbus import polkit + + + class SELinuxDBus (object): +@@ -11,42 +10,34 @@ class SELinuxDBus (object): + self.bus = dbus.SystemBus() + self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object") + +- @polkit.enable_proxy + def semanage(self, buf): + ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def restorecon(self, path): + ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def setenforce(self, value): + ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def customized(self): + ret = self.dbus_object.customized(dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def semodule_list(self): + ret = self.dbus_object.semodule_list(dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def relabel_on_boot(self, value): + ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def change_default_mode(self, value): + ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux") + return ret + +- @polkit.enable_proxy + def change_default_policy(self, value): + ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux") + return ret +-- +2.31.1 + diff --git a/0019-dbus-Use-GLib.MainLoop.patch b/0019-dbus-Use-GLib.MainLoop.patch new file mode 100644 index 0000000..be546f3 --- /dev/null +++ b/0019-dbus-Use-GLib.MainLoop.patch @@ -0,0 +1,43 @@ +From 30b9e992819a2c94434a0a30d5ce96e642c84d20 Mon Sep 17 00:00:00 2001 +From: Petr Lautrbach +Date: Wed, 12 May 2021 19:19:29 +0200 +Subject: [PATCH] dbus: Use GLib.MainLoop() + +Fixes: + PyGIDeprecationWarning: GObject.MainLoop is deprecated; use GLib.MainLoop instead +--- + dbus/selinux_server.py | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py +index b7c9378bcb5d..a969f2268ceb 100644 +--- a/dbus/selinux_server.py ++++ b/dbus/selinux_server.py +@@ -2,8 +2,9 @@ + + import dbus + import dbus.service +-import dbus.mainloop.glib ++from dbus.mainloop.glib import DBusGMainLoop + from gi.repository import GObject ++from gi.repository import GLib + import os + import selinux + from subprocess import Popen, PIPE, STDOUT +@@ -145,9 +146,10 @@ class selinux_server(dbus.service.Object): + raise ValueError("%s does not exist" % path) + + if __name__ == "__main__": +- mainloop = GObject.MainLoop() +- dbus.mainloop.glib.DBusGMainLoop(set_as_default=True) ++ DBusGMainLoop(set_as_default=True) ++ mainloop = GLib.MainLoop() ++ + system_bus = dbus.SystemBus() + name = dbus.service.BusName("org.selinux", system_bus) +- object = selinux_server(system_bus, "/org/selinux/object") ++ server = selinux_server(system_bus, "/org/selinux/object") + mainloop.run() +-- +2.31.1 + diff --git a/0020-policycoreutils-setfiles-do-not-create-useless-setfi.patch b/0020-policycoreutils-setfiles-do-not-create-useless-setfi.patch new file mode 100644 index 0000000..bdc6287 --- /dev/null +++ b/0020-policycoreutils-setfiles-do-not-create-useless-setfi.patch @@ -0,0 +1,67 @@ +From d36c5c43d17896ebd655f8bdc6e0303dcbf2f47b Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Fri, 19 Mar 2021 22:30:59 +0100 +Subject: [PATCH] policycoreutils/setfiles: do not create useless + setfiles.8.man file + +Seems to have been there to allow for some sed substitution over the +text. Now that this is gone, the redundant intermediate file can be +removed, too. + +Signed-off-by: Ondrej Mosnacek +--- + policycoreutils/setfiles/.gitignore | 1 - + policycoreutils/setfiles/Makefile | 9 +++------ + 2 files changed, 3 insertions(+), 7 deletions(-) + delete mode 100644 policycoreutils/setfiles/.gitignore + +diff --git a/policycoreutils/setfiles/.gitignore b/policycoreutils/setfiles/.gitignore +deleted file mode 100644 +index 5e899c95af23..000000000000 +--- a/policycoreutils/setfiles/.gitignore ++++ /dev/null +@@ -1 +0,0 @@ +-setfiles.8.man +diff --git a/policycoreutils/setfiles/Makefile b/policycoreutils/setfiles/Makefile +index a3bbbe116b7f..63d818509791 100644 +--- a/policycoreutils/setfiles/Makefile ++++ b/policycoreutils/setfiles/Makefile +@@ -13,7 +13,7 @@ ifeq ($(AUDITH), y) + override LDLIBS += -laudit + endif + +-all: setfiles restorecon restorecon_xattr man ++all: setfiles restorecon restorecon_xattr + + setfiles: setfiles.o restore.o + +@@ -22,16 +22,13 @@ restorecon: setfiles + + restorecon_xattr: restorecon_xattr.o restore.o + +-man: +- @cp -af setfiles.8 setfiles.8.man +- + install: all + [ -d $(DESTDIR)$(MANDIR)/man8 ] || mkdir -p $(DESTDIR)$(MANDIR)/man8 + -mkdir -p $(DESTDIR)$(SBINDIR) + install -m 755 setfiles $(DESTDIR)$(SBINDIR) + (cd $(DESTDIR)$(SBINDIR) && ln -sf setfiles restorecon) + install -m 755 restorecon_xattr $(DESTDIR)$(SBINDIR) +- install -m 644 setfiles.8.man $(DESTDIR)$(MANDIR)/man8/setfiles.8 ++ install -m 644 setfiles.8 $(DESTDIR)$(MANDIR)/man8/setfiles.8 + install -m 644 restorecon.8 $(DESTDIR)$(MANDIR)/man8/restorecon.8 + install -m 644 restorecon_xattr.8 $(DESTDIR)$(MANDIR)/man8/restorecon_xattr.8 + for lang in $(LINGUAS) ; do \ +@@ -42,7 +39,7 @@ install: all + done + + clean: +- rm -f setfiles restorecon restorecon_xattr *.o setfiles.8.man ++ rm -f setfiles restorecon restorecon_xattr *.o + + indent: + ../../scripts/Lindent $(wildcard *.[ch]) +-- +2.31.1 + diff --git a/0021-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch b/0021-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch new file mode 100644 index 0000000..d798348 --- /dev/null +++ b/0021-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch @@ -0,0 +1,50 @@ +From 38d88fc70844b6f5b02883172af6df7bbd05de24 Mon Sep 17 00:00:00 2001 +From: Ondrej Mosnacek +Date: Mon, 1 Mar 2021 18:19:22 +0100 +Subject: [PATCH] fixfiles: do not exclude /dev and /run in -C mode + +I can't think of a good reason why they should be excluded. On the +contrary, excluding them can cause trouble very easily if some labeling +rules for these directories change. For example, we changed the label +for /dev/nvme* from nvme_device_t to fixed_disk_device_t in Fedora +(updating the allow rules accordingly) and after policy update they +ended up with an invalid context, causing denials. + +Thus, remove /dev and /run from the excludes. While there, also add +/root to the basic excludes to match the regex that excludes fc rules +(that should be effectively no functional change). + +I did a sanity check on my system by running `restorecon -nv /dev /run` +and it didn't report any label differences. + +Signed-off-by: Ondrej Mosnacek +Acked-by: Petr Lautrbach +--- + policycoreutils/scripts/fixfiles | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/policycoreutils/scripts/fixfiles b/policycoreutils/scripts/fixfiles +index e73bb81c3336..cb20002ab613 100755 +--- a/policycoreutils/scripts/fixfiles ++++ b/policycoreutils/scripts/fixfiles +@@ -163,7 +163,7 @@ newer() { + # + diff_filecontext() { + EXCLUDEDIRS="`exclude_dirs_from_relabelling`" +-for i in /sys /proc /dev /run /mnt /var/tmp /var/lib/BackupPC /home /tmp /dev; do ++for i in /sys /proc /mnt /var/tmp /var/lib/BackupPC /home /root /tmp; do + [ -e $i ] && EXCLUDEDIRS="${EXCLUDEDIRS} -e $i"; + done + LogExcluded +@@ -176,7 +176,7 @@ if [ -f ${PREFC} -a -x /usr/bin/diff ]; then + sed -r -e 's,:s0, ,g' $FC | sort -u | \ + /usr/bin/diff -b ${PREFCTEMPFILE} - | \ + grep '^[<>]'|cut -c3-| grep ^/ | \ +- egrep -v '(^/home|^/root|^/tmp|^/dev)' |\ ++ egrep -v '(^/home|^/root|^/tmp)' |\ + sed -r -e 's,[[:blank:]].*,,g' \ + -e 's|\(([/[:alnum:]]+)\)\?|{\1,}|g' \ + -e 's|([/[:alnum:]])\?|{\1,}|g' \ +-- +2.31.1 + diff --git a/policycoreutils.spec b/policycoreutils.spec index cf5b53b..25ab59d 100644 --- a/policycoreutils.spec +++ b/policycoreutils.spec @@ -11,7 +11,7 @@ Summary: SELinux policy core utilities Name: policycoreutils Version: 3.2 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2 # https://github.com/SELinuxProject/selinux/wiki/Releases Source0: https://github.com/SELinuxProject/selinux/releases/download/3.2/selinux-3.2.tar.gz @@ -28,7 +28,7 @@ Source21: python-po.tgz Source22: gui-po.tgz Source23: sandbox-po.tgz # https://github.com/fedora-selinux/selinux -# $ git format-patch -N 3.2-rc2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond +# $ git format-patch -N 3.2 -- policycoreutils python gui sandbox dbus semodule-utils restorecond # $ for j in [0-9]*.patch; do printf "Patch%s: %s\n" ${j/-*/} $j; done # Patch list start Patch0001: 0001-sandbox-add-reset-to-Xephyr-as-it-works-better-with-.patch @@ -48,6 +48,10 @@ Patch0014: 0014-sepolicy-generate-Handle-more-reserved-port-types.patch Patch0015: 0015-semodule-utils-Fix-RESOURCE_LEAK-coverity-scan-defec.patch Patch0016: 0016-sandbox-Use-matchbox-window-manager-instead-of-openb.patch Patch0017: 0017-sepolicy-Fix-flake8-warnings-in-Fedora-only-code.patch +Patch0018: 0018-Do-not-use-Python-slip.patch +Patch0019: 0019-dbus-Use-GLib.MainLoop.patch +Patch0020: 0020-policycoreutils-setfiles-do-not-create-useless-setfi.patch +Patch0021: 0021-fixfiles-do-not-exclude-dev-and-run-in-C-mode.patch # Patch list end Obsoletes: policycoreutils < 2.0.61-2 @@ -213,8 +217,8 @@ an SELinux environment. %package dbus Summary: SELinux policy core DBUS api Requires: python3-policycoreutils = %{version}-%{release} -Requires: python3-slip-dbus Requires: python3-gobject-base +Requires: polkit BuildArch: noarch %description dbus @@ -510,6 +514,11 @@ The policycoreutils-restorecond package contains the restorecond service. %systemd_postun_with_restart restorecond.service %changelog +* Mon May 10 2021 Petr Lautrbach - 3.2-2 +- Do not use Python slip +- fixfiles: do not exclude /dev and /run in -C mode +- dbus: use GLib.MainLoop + * Mon Mar 8 2021 Petr Lautrbach - 3.2-1 - SELinux userspace 3.2 release