python: Harden tools against "rogue" modules

Python scripts present in "/usr/sbin" override regular modules. Make sure /usr/sbin is not present in PYTHONPATH. Fixes: #cat > /usr/sbin/audit.py <<EOF import sys print("BAD GUY!", file=sys.stderr) sys.exit(1) EOF #semanage boolean -l BAD GUY! Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Acked-by: James Carter <jwcart2@gmail.com>
2025-04-01 23:08:09 +00:00 · 2022-10-18 22:36:59 +02:00 · 2022-10-18 22:36:59 +02:00 · 48602370ac
commit 48602370ac
parent 950cc5b54a
5 changed files with 5 additions and 5 deletions
--- a/python/audit2allow/audit2allow
+++ b/python/audit2allow/audit2allow
@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
 # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
 # Authors: Dan Walsh <dwalsh@redhat.com>
 #
--- a/python/audit2allow/sepolgen-ifgen
+++ b/python/audit2allow/sepolgen-ifgen
@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
 #
 # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
 #
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
 # Copyright (C) 2005 Red Hat
 # see file 'COPYING' for use and warranty information
 #
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
 # Copyright (C) 2012-2013 Red Hat
 # AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
 # AUTHOR: David Quigley <selinux@davequigley.com>
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
 # Copyright (C) 2012 Red Hat
 # AUTHOR: Dan Walsh <dwalsh@redhat.com>
 # see file 'COPYING' for use and warranty information