Commit Graph

8 Commits

Author SHA1 Message Date
Vit Mojzis
48602370ac python: Harden tools against "rogue" modules
Python scripts present in "/usr/sbin" override regular modules.
Make sure /usr/sbin is not present in PYTHONPATH.

Fixes:
  #cat > /usr/sbin/audit.py <<EOF
  import sys
  print("BAD GUY!", file=sys.stderr)
  sys.exit(1)
  EOF
  #semanage boolean -l
  BAD GUY!

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
2022-11-09 07:53:27 -05:00
Christian Göttsche
4613038d8e sepolgen-ifgen: refactor default policy path retrieval
On a SELinux disabled system the python call
`selinux.security_policyvers()` will fail.

Move the logic to find a binary policy from the python script
`sepolgen-ifgen` to the C-helper `sepolgen-ifgen-attr-helper`.
Change the helper command line interface to accept an optional policy
path as second argument.  If not given try the current loaded policy
(`selinux_current_policy_path`) and if running on a SELinux disabled
system iterate over the default store path appending policy versions
starting at the maximum supported policy version
(`sepol_policy_kern_vers_max`).

This changes the helper command line interface from:
    sepolgen-ifgen-attr-helper policy_file out_file
to
    sepolgen-ifgen-attr-helper out_file [policy_file]
and adds a linkage to libselinux.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
2020-06-18 19:32:07 +02:00
Nicolas Iooss
b550c0e202
Fix many misspellings
Use codespell (https://github.com/codespell-project/codespell) in order
to find many common misspellings that are present in English texts.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-18 22:47:35 +02:00
Nicolas Iooss
72dc5c6241
python: always use python3 in the shebang of programs using setools
setools 4.2.0 dropped support for Python 2. On systems where
/usr/bin/python is Python 2, several tools are now broken because of
this. Update the shebang of these tools to /usr/bin/python3.

For future reference, as semanage/seobject.py, sepolicy and sepolgen
import setools, every program that uses one of these modules need to be
run with Python 3. The following programs do not use any of these
modules so their shebangs have not been modified:

    dbus/selinux_server.py
    libsemanage/utils/semanage_migrate_store
    mcstrans/share/util/mlscolor-test
    mcstrans/share/util/mlstrans-test
    sandbox/start

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-02-17 22:34:50 +01:00
Nicolas Iooss
e1f2db5887 python/audit2allow: use local sepolgen-ifgen-attr-helper for tests
Introduce option --attr-helper to sepolgen-ifgen to make it possible to
override /usr/bin/sepolgen-ifgen-attr-helper and use it in the testuite
in order to test the helper which has been compiled from the project
instead of the one installed on the system.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-08 10:15:46 +01:00
Nicolas Iooss
621c406585 python/audit2allow/sepolgen-ifgen: show errors on stderr
This allows test_audit2allow.py to display the errors correctly.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-07 12:50:45 +01:00
Nicolas Iooss
c759912227 python/audit2allow/sepolgen-ifgen: add missing \n to error message
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-01-07 12:50:45 +01:00
Stephen Smalley
48dc232627 Move policycoreutils/{sepolicy,audit2allow,semanage,scripts/chcat*} and sepolgen to python.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2016-11-16 11:19:50 -05:00