You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
80 lines
2.4 KiB
80 lines
2.4 KiB
From 72c7e9123980b003a21d51e2805529a3e90b2460 Mon Sep 17 00:00:00 2001
|
|
From: Vit Mojzis <vmojzis@redhat.com>
|
|
Date: Thu, 13 Oct 2022 17:33:18 +0200
|
|
Subject: [PATCH] python: Harden tools against "rogue" modules
|
|
|
|
Python scripts present in "/usr/sbin" override regular modules.
|
|
Make sure /usr/sbin is not present in PYTHONPATH.
|
|
|
|
Fixes:
|
|
#cat > /usr/sbin/audit.py <<EOF
|
|
import sys
|
|
print("BAD GUY!", file=sys.stderr)
|
|
sys.exit(1)
|
|
EOF
|
|
#semanage boolean -l
|
|
BAD GUY!
|
|
|
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
|
---
|
|
python/audit2allow/audit2allow | 2 +-
|
|
python/audit2allow/sepolgen-ifgen | 2 +-
|
|
python/chcat/chcat | 2 +-
|
|
python/semanage/semanage | 2 +-
|
|
python/sepolicy/sepolicy.py | 2 +-
|
|
5 files changed, 5 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
|
|
index 09b06f66..eafeea88 100644
|
|
--- a/python/audit2allow/audit2allow
|
|
+++ b/python/audit2allow/audit2allow
|
|
@@ -1,4 +1,4 @@
|
|
-#!/usr/bin/python3 -Es
|
|
+#!/usr/bin/python3 -EsI
|
|
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
# Authors: Dan Walsh <dwalsh@redhat.com>
|
|
#
|
|
diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
|
|
index be2d093b..f25f8af1 100644
|
|
--- a/python/audit2allow/sepolgen-ifgen
|
|
+++ b/python/audit2allow/sepolgen-ifgen
|
|
@@ -1,4 +1,4 @@
|
|
-#!/usr/bin/python3 -Es
|
|
+#!/usr/bin/python3 -EsI
|
|
#
|
|
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
|
|
#
|
|
diff --git a/python/chcat/chcat b/python/chcat/chcat
|
|
index df2509f2..5671cec6 100755
|
|
--- a/python/chcat/chcat
|
|
+++ b/python/chcat/chcat
|
|
@@ -1,4 +1,4 @@
|
|
-#!/usr/bin/python3 -Es
|
|
+#!/usr/bin/python3 -EsI
|
|
# Copyright (C) 2005 Red Hat
|
|
# see file 'COPYING' for use and warranty information
|
|
#
|
|
diff --git a/python/semanage/semanage b/python/semanage/semanage
|
|
index b8842d28..1f170f60 100644
|
|
--- a/python/semanage/semanage
|
|
+++ b/python/semanage/semanage
|
|
@@ -1,4 +1,4 @@
|
|
-#!/usr/bin/python3 -Es
|
|
+#!/usr/bin/python3 -EsI
|
|
# Copyright (C) 2012-2013 Red Hat
|
|
# AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
|
|
# AUTHOR: David Quigley <selinux@davequigley.com>
|
|
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
|
|
index 8bd6a579..0c1d9641 100755
|
|
--- a/python/sepolicy/sepolicy.py
|
|
+++ b/python/sepolicy/sepolicy.py
|
|
@@ -1,4 +1,4 @@
|
|
-#!/usr/bin/python3 -Es
|
|
+#!/usr/bin/python3 -EsI
|
|
# Copyright (C) 2012 Red Hat
|
|
# AUTHOR: Dan Walsh <dwalsh@redhat.com>
|
|
# see file 'COPYING' for use and warranty information
|
|
--
|
|
2.37.3
|
|
|