* [PATCH] python: Harden tools against "rogue" modules
@ 2022-10-18 20:36 Vit Mojzis
2022-11-04 20:03 ` James Carter
0 siblings, 1 reply; 3+ messages in thread
From: Vit Mojzis @ 2022-10-18 20:36 UTC (permalink / raw)
To: selinux
Python scripts present in "/usr/sbin" override regular modules.
Make sure /usr/sbin is not present in PYTHONPATH.
Fixes:
#cat > /usr/sbin/audit.py <<EOF
import sys
print("BAD GUY!", file=sys.stderr)
sys.exit(1)
EOF
#semanage boolean -l
BAD GUY!
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
python/audit2allow/audit2allow | 2 +-
python/audit2allow/sepolgen-ifgen | 2 +-
python/chcat/chcat | 2 +-
python/semanage/semanage | 2 +-
python/sepolicy/sepolicy.py | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
index 09b06f66..eafeea88 100644
--- a/python/audit2allow/audit2allow
+++ b/python/audit2allow/audit2allow
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
# Authors: Dan Walsh <dwalsh@redhat.com>
#
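Review bot: the commit message blames PYTHONPATH, but `-E` on the old line was already making the interpreter ignore PYTHONPATH; what `-I` adds here is that the directory containing the script (/usr/sbin) is no longer prepended as sys.path[0], which is the actual reason /usr/sbin/audit.py could shadow the real audit module. Worth saying so in the commit log. Note also that `-I` implies both `-E` and `-s`, so `-I` alone is equivalent to `-EsI` (harmless, but the extra letters suggest they still do something independent). `-I` needs Python 3.4 or newer; the narrower `-P` only exists from 3.11, so `-I` is the right portable choice.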
diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
index b7a04c71..f2cc0c32 100644
--- a/python/audit2allow/sepolgen-ifgen
+++ b/python/audit2allow/sepolgen-ifgen
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
#
# Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
#
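Review bot: besides ignoring PYTHON* variables, `-I` removes the script directory from sys.path, so sepolgen-ifgen run straight from a checkout will no longer pick up an uninstalled package sitting beside it and will import only what is in the installed site-packages. That is the desired behaviour for /usr/sbin, but please confirm the Makefile and test targets only exercise the installed layout so nothing starts failing in CI because of this hunk.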
diff --git a/python/chcat/chcat b/python/chcat/chcat
index 952cb818..68718ec5 100755
--- a/python/chcat/chcat
+++ b/python/chcat/chcat
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2005 Red Hat
# see file 'COPYING' for use and warranty information
#
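Review bot: the index line shows chcat at mode 100755, whereas audit2allow, sepolgen-ifgen and semanage above are 100644. Shebang options are only honoured when the kernel executes the file, so for the three non-executable sources the hardening depends entirely on the install step setting the executable bit and on packaging keeping this exact first line; distributions that rewrite shebangs at build time should be checked to confirm they preserve the `-I` cluster rather than normalising it away.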
diff --git a/python/semanage/semanage b/python/semanage/semanage
index 10ab3fa6..b21d1484 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012-2013 Red Hat
# AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
# AUTHOR: David Quigley <selinux@davequigley.com>
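Review bot: this protects only invocations that go through the shebang. `python3 /usr/sbin/semanage ...`, or any wrapper that passes the path to the interpreter as an argument, still runs with /usr/sbin as sys.path[0] and stays shadowable. If that path matters, the script could check `sys.flags.isolated` at startup and re-exec itself with `-I` (or refuse to run) when it is not set; at minimum the limitation deserves a sentence in the commit message.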
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index c7a70e09..733d4048 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
# Copyright (C) 2012 Red Hat
# AUTHOR: Dan Walsh <dwalsh@redhat.com>
# see file 'COPYING' for use and warranty information
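Review bot: sepolicy.py is a script named after the package it drives; if the sepolicy package lives next to it in the source tree, `./sepolicy.py` from a checkout will, after this hunk, import the installed package instead of the in-tree one, because `-I` drops the script directory from sys.path. That is exactly what is wanted for the installed /usr/sbin copy, but it changes the developer workflow and is easy to misdiagnose, so a note in the commit log (or in the python/sepolicy README) would save someone a debugging session.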
--
2.37.3
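The reproduction in the patch needs root and touches /usr/sbin. The following Python script, an added example that is not part of this thread or of the selinux project, reproduces the same module shadowing unprivileged in a temporary directory (shadowing the stdlib `json` module instead of `audit`), runs the stand-in tool with the old `-Es` and the patched `-EsI` option cluster, and adds a small audit that lists scripts in a directory whose Python shebang still lacks `-I`. The file names, the `json`/`tool.py` stand-ins and the helper names are this example's own assumptions.

```python
"""Added example (not from the thread or the selinux project): reproduce the
module shadowing that the patch fixes and show why -I is the flag that matters.

A script's own directory is sys.path[0] unless the interpreter runs in
isolated mode, so any .py file dropped beside /usr/sbin/semanage wins over a
same-named stdlib or site-packages module.  -E and -s do not change that.
"""
import os
import subprocess
import sys
import tempfile

# Constructed rogue module, modelled on the report's /usr/sbin/audit.py.
# It shadows the stdlib "json" module so the demo runs unprivileged in a
# temporary directory instead of /usr/sbin.
ROGUE_MODULE = 'import sys\nprint("BAD GUY!", file=sys.stderr)\nsys.exit(1)\n'

# Constructed stand-in for a tool like semanage: it imports a module an
# attacker could shadow and prints something only on success.
TOOL_SCRIPT = 'import json\nprint(json.dumps({"ok": True}))\n'


def run_tool(interp_flags):
    """Run TOOL_SCRIPT with ROGUE_MODULE sitting beside it as json.py.

    interp_flags is the shebang option cluster under test, e.g. ["-Es"]
    (old shebang) or ["-EsI"] (patched).  Returns (exit_code, stdout,
    stderr) with surrounding whitespace stripped.
    """
    with tempfile.TemporaryDirectory() as tooldir:
        with open(os.path.join(tooldir, "json.py"), "w") as fh:
            fh.write(ROGUE_MODULE)
        tool = os.path.join(tooldir, "tool.py")
        with open(tool, "w") as fh:
            fh.write(TOOL_SCRIPT)
        # Run the script by path, as the kernel would after reading the
        # shebang: sys.path[0] becomes tooldir unless -I is present.
        proc = subprocess.run(
            [sys.executable, *interp_flags, tool],
            capture_output=True, text=True, check=False,
        )
        return proc.returncode, proc.stdout.strip(), proc.stderr.strip()


def is_python_shebang(line):
    """True if line is a '#!' line whose interpreter is some python."""
    if not line.startswith("#!"):
        return False
    parts = line[2:].split()
    if not parts:
        return False
    interp = os.path.basename(parts[0])
    if interp == "env" and len(parts) > 1:
        interp = parts[1]
    return "python" in interp


def shebang_is_isolated(line):
    """True if a Python shebang turns on isolated mode.

    Short options may be clustered ("-EsI"), so every '-' word after the
    interpreter is scanned for the letter I; long options are ignored.
    """
    if not is_python_shebang(line):
        return False
    for word in line[2:].split()[1:]:
        if word.startswith("-") and not word.startswith("--") and "I" in word[1:]:
            return True
    return False


def unisolated_python_scripts(directory):
    """Names of files in directory with a Python shebang that lacks -I.

    Use it to audit /usr/sbin or /usr/bin after deploying the patch.
    """
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        try:
            with open(path, "rb") as fh:
                first = fh.readline(512)
        except OSError:
            continue
        line = first.decode("utf-8", "replace").rstrip()
        if is_python_shebang(line) and not shebang_is_isolated(line):
            hits.append(name)
    return hits


if __name__ == "__main__":
    for flags in (["-Es"], ["-EsI"]):
        rc, out, err = run_tool(flags)
        print(f"python3 {flags[0]:<5} exit={rc} {out or err}")
    for d in ("/usr/sbin", "/usr/bin"):
        if os.path.isdir(d):
            print(d, "python scripts without -I:", unisolated_python_scripts(d))
```

Run as-is: the `-Es` invocation exits 1 with "BAD GUY!" on stderr, the `-EsI` one exits 0 and prints the JSON, and the audit lists any remaining tools on the host whose shebang would still be shadowable when executed directly.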
* Re: [PATCH] python: Harden tools against "rogue" modules
2022-10-18 20:36 [PATCH] python: Harden tools against "rogue" modules Vit Mojzis
@ 2022-11-04 20:03 ` James Carter
2022-11-09 13:47 ` James Carter
0 siblings, 1 reply; 3+ messages in thread
From: James Carter @ 2022-11-04 20:03 UTC (permalink / raw)
To: Vit Mojzis; +Cc: selinux
On Tue, Oct 18, 2022 at 4:40 PM Vit Mojzis <vmojzis@redhat.com> wrote:
>
> Python scripts present in "/usr/sbin" override regular modules.
> Make sure /usr/sbin is not present in PYTHONPATH.
>
> Fixes:
> #cat > /usr/sbin/audit.py <<EOF
> import sys
> print("BAD GUY!", file=sys.stderr)
> sys.exit(1)
> EOF
> #semanage boolean -l
> BAD GUY!
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: James Carter <jwcart2@gmail.com>
> ---
> python/audit2allow/audit2allow | 2 +-
> python/audit2allow/sepolgen-ifgen | 2 +-
> python/chcat/chcat | 2 +-
> python/semanage/semanage | 2 +-
> python/sepolicy/sepolicy.py | 2 +-
> 5 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
> index 09b06f66..eafeea88 100644
> --- a/python/audit2allow/audit2allow
> +++ b/python/audit2allow/audit2allow
> @@ -1,4 +1,4 @@
> -#!/usr/bin/python3 -Es
> +#!/usr/bin/python3 -EsI
> # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
> # Authors: Dan Walsh <dwalsh@redhat.com>
> #
> diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
> index b7a04c71..f2cc0c32 100644
> --- a/python/audit2allow/sepolgen-ifgen
> +++ b/python/audit2allow/sepolgen-ifgen
> @@ -1,4 +1,4 @@
> -#!/usr/bin/python3 -Es
> +#!/usr/bin/python3 -EsI
> #
> # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
> #
> diff --git a/python/chcat/chcat b/python/chcat/chcat
> index 952cb818..68718ec5 100755
> --- a/python/chcat/chcat
> +++ b/python/chcat/chcat
> @@ -1,4 +1,4 @@
> -#!/usr/bin/python3 -Es
> +#!/usr/bin/python3 -EsI
> # Copyright (C) 2005 Red Hat
> # see file 'COPYING' for use and warranty information
> #
> diff --git a/python/semanage/semanage b/python/semanage/semanage
> index 10ab3fa6..b21d1484 100644
> --- a/python/semanage/semanage
> +++ b/python/semanage/semanage
> @@ -1,4 +1,4 @@
> -#!/usr/bin/python3 -Es
> +#!/usr/bin/python3 -EsI
> # Copyright (C) 2012-2013 Red Hat
> # AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
> # AUTHOR: David Quigley <selinux@davequigley.com>
> diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
> index c7a70e09..733d4048 100755
> --- a/python/sepolicy/sepolicy.py
> +++ b/python/sepolicy/sepolicy.py
> @@ -1,4 +1,4 @@
> -#!/usr/bin/python3 -Es
> +#!/usr/bin/python3 -EsI
> # Copyright (C) 2012 Red Hat
> # AUTHOR: Dan Walsh <dwalsh@redhat.com>
> # see file 'COPYING' for use and warranty information
> --
> 2.37.3
>
* Re: [PATCH] python: Harden tools against "rogue" modules
2022-11-04 20:03 ` James Carter
@ 2022-11-09 13:47 ` James Carter
0 siblings, 0 replies; 3+ messages in thread
From: James Carter @ 2022-11-09 13:47 UTC (permalink / raw)
To: Vit Mojzis; +Cc: selinux
On Fri, Nov 4, 2022 at 4:03 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Tue, Oct 18, 2022 at 4:40 PM Vit Mojzis <vmojzis@redhat.com> wrote:
> >
> > Python scripts present in "/usr/sbin" override regular modules.
> > Make sure /usr/sbin is not present in PYTHONPATH.
> >
> > Fixes:
> > #cat > /usr/sbin/audit.py <<EOF
> > import sys
> > print("BAD GUY!", file=sys.stderr)
> > sys.exit(1)
> > EOF
> > #semanage boolean -l
> > BAD GUY!
> >
> > Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>
Merged.
Thanks,
Jim
> > ---
> > python/audit2allow/audit2allow | 2 +-
> > python/audit2allow/sepolgen-ifgen | 2 +-
> > python/chcat/chcat | 2 +-
> > python/semanage/semanage | 2 +-
> > python/sepolicy/sepolicy.py | 2 +-
> > 5 files changed, 5 insertions(+), 5 deletions(-)
> >
> > diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
> > index 09b06f66..eafeea88 100644
> > --- a/python/audit2allow/audit2allow
> > +++ b/python/audit2allow/audit2allow
> > @@ -1,4 +1,4 @@
> > -#!/usr/bin/python3 -Es
> > +#!/usr/bin/python3 -EsI
> > # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
> > # Authors: Dan Walsh <dwalsh@redhat.com>
> > #
> > diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
> > index b7a04c71..f2cc0c32 100644
> > --- a/python/audit2allow/sepolgen-ifgen
> > +++ b/python/audit2allow/sepolgen-ifgen
> > @@ -1,4 +1,4 @@
> > -#!/usr/bin/python3 -Es
> > +#!/usr/bin/python3 -EsI
> > #
> > # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com>
> > #
> > diff --git a/python/chcat/chcat b/python/chcat/chcat
> > index 952cb818..68718ec5 100755
> > --- a/python/chcat/chcat
> > +++ b/python/chcat/chcat
> > @@ -1,4 +1,4 @@
> > -#!/usr/bin/python3 -Es
> > +#!/usr/bin/python3 -EsI
> > # Copyright (C) 2005 Red Hat
> > # see file 'COPYING' for use and warranty information
> > #
> > diff --git a/python/semanage/semanage b/python/semanage/semanage
> > index 10ab3fa6..b21d1484 100644
> > --- a/python/semanage/semanage
> > +++ b/python/semanage/semanage
> > @@ -1,4 +1,4 @@
> > -#!/usr/bin/python3 -Es
> > +#!/usr/bin/python3 -EsI
> > # Copyright (C) 2012-2013 Red Hat
> > # AUTHOR: Miroslav Grepl <mgrepl@redhat.com>
> > # AUTHOR: David Quigley <selinux@davequigley.com>
> > diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
> > index c7a70e09..733d4048 100755
> > --- a/python/sepolicy/sepolicy.py
> > +++ b/python/sepolicy/sepolicy.py
> > @@ -1,4 +1,4 @@
> > -#!/usr/bin/python3 -Es
> > +#!/usr/bin/python3 -EsI
> > # Copyright (C) 2012 Red Hat
> > # AUTHOR: Dan Walsh <dwalsh@redhat.com>
> > # see file 'COPYING' for use and warranty information
> > --
> > 2.37.3
> >
Thread overview: 3+ messages
2022-10-18 20:36 [PATCH] python: Harden tools against "rogue" modules Vit Mojzis
2022-11-04 20:03 ` James Carter
2022-11-09 13:47 ` James Carter