Message ID | 20221018203659.2329808-1-vmojzis@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Commit | 48602370acab |
Series | python: Harden tools against "rogue" modules |
On Tue, Oct 18, 2022 at 4:40 PM Vit Mojzis <vmojzis@redhat.com> wrote: > > Python scripts present in "/usr/sbin" override regular modules. > Make sure /usr/sbin is not present in PYTHONPATH. > > Fixes: > #cat > /usr/sbin/audit.py <<EOF > import sys > print("BAD GUY!", file=sys.stderr) > sys.exit(1) > EOF > #semanage boolean -l > BAD GUY! > > Signed-off-by: Vit Mojzis <vmojzis@redhat.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > python/audit2allow/audit2allow | 2 +- > python/audit2allow/sepolgen-ifgen | 2 +- > python/chcat/chcat | 2 +- > python/semanage/semanage | 2 +- > python/sepolicy/sepolicy.py | 2 +- > 5 files changed, 5 insertions(+), 5 deletions(-) > > diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow > index 09b06f66..eafeea88 100644 > --- a/python/audit2allow/audit2allow > +++ b/python/audit2allow/audit2allow > @@ -1,4 +1,4 @@ > -#!/usr/bin/python3 -Es > +#!/usr/bin/python3 -EsI > # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> > # Authors: Dan Walsh <dwalsh@redhat.com> > # > diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen > index b7a04c71..f2cc0c32 100644 > --- a/python/audit2allow/sepolgen-ifgen > +++ b/python/audit2allow/sepolgen-ifgen > @@ -1,4 +1,4 @@ > -#!/usr/bin/python3 -Es > +#!/usr/bin/python3 -EsI > # > # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> > # > diff --git a/python/chcat/chcat b/python/chcat/chcat > index 952cb818..68718ec5 100755 > --- a/python/chcat/chcat > +++ b/python/chcat/chcat > @@ -1,4 +1,4 @@ > -#!/usr/bin/python3 -Es > +#!/usr/bin/python3 -EsI > # Copyright (C) 2005 Red Hat > # see file 'COPYING' for use and warranty information > # > diff --git a/python/semanage/semanage b/python/semanage/semanage > index 10ab3fa6..b21d1484 100644 > --- a/python/semanage/semanage > +++ b/python/semanage/semanage 
> @@ -1,4 +1,4 @@ > -#!/usr/bin/python3 -Es > +#!/usr/bin/python3 -EsI > # Copyright (C) 2012-2013 Red Hat > # AUTHOR: Miroslav Grepl <mgrepl@redhat.com> > # AUTHOR: David Quigley <selinux@davequigley.com> > diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py > index c7a70e09..733d4048 100755 > --- a/python/sepolicy/sepolicy.py > +++ b/python/sepolicy/sepolicy.py > @@ -1,4 +1,4 @@ > -#!/usr/bin/python3 -Es > +#!/usr/bin/python3 -EsI > # Copyright (C) 2012 Red Hat > # AUTHOR: Dan Walsh <dwalsh@redhat.com> > # see file 'COPYING' for use and warranty information > -- > 2.37.3 >
On Fri, Nov 4, 2022 at 4:03 PM James Carter <jwcart2@gmail.com> wrote: > > On Tue, Oct 18, 2022 at 4:40 PM Vit Mojzis <vmojzis@redhat.com> wrote: > > > > Python scripts present in "/usr/sbin" override regular modules. > > Make sure /usr/sbin is not present in PYTHONPATH. > > > > Fixes: > > #cat > /usr/sbin/audit.py <<EOF > > import sys > > print("BAD GUY!", file=sys.stderr) > > sys.exit(1) > > EOF > > #semanage boolean -l > > BAD GUY! > > > > Signed-off-by: Vit Mojzis <vmojzis@redhat.com> > > Acked-by: James Carter <jwcart2@gmail.com> > Merged. Thanks, Jim > > --- > > python/audit2allow/audit2allow | 2 +- > > python/audit2allow/sepolgen-ifgen | 2 +- > > python/chcat/chcat | 2 +- > > python/semanage/semanage | 2 +- > > python/sepolicy/sepolicy.py | 2 +- > > 5 files changed, 5 insertions(+), 5 deletions(-) > > > > diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow > > index 09b06f66..eafeea88 100644 > > --- a/python/audit2allow/audit2allow > > +++ b/python/audit2allow/audit2allow > > @@ -1,4 +1,4 @@ > > -#!/usr/bin/python3 -Es > > +#!/usr/bin/python3 -EsI > > # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> > > # Authors: Dan Walsh <dwalsh@redhat.com> > > # > > diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen > > index b7a04c71..f2cc0c32 100644 > > --- a/python/audit2allow/sepolgen-ifgen > > +++ b/python/audit2allow/sepolgen-ifgen > > @@ -1,4 +1,4 @@ > > -#!/usr/bin/python3 -Es > > +#!/usr/bin/python3 -EsI > > # > > # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> > > # > > diff --git a/python/chcat/chcat b/python/chcat/chcat > > index 952cb818..68718ec5 100755 > > --- a/python/chcat/chcat > > +++ b/python/chcat/chcat > > @@ -1,4 +1,4 @@ > > -#!/usr/bin/python3 -Es > > +#!/usr/bin/python3 -EsI > > # Copyright (C) 2005 Red Hat > > # see file 'COPYING' for use and warranty information > > # > > diff --git a/python/semanage/semanage b/python/semanage/semanage > > index 10ab3fa6..b21d1484 100644 
> > --- a/python/semanage/semanage > > +++ b/python/semanage/semanage > > @@ -1,4 +1,4 @@ > > -#!/usr/bin/python3 -Es > > +#!/usr/bin/python3 -EsI > > # Copyright (C) 2012-2013 Red Hat > > # AUTHOR: Miroslav Grepl <mgrepl@redhat.com> > > # AUTHOR: David Quigley <selinux@davequigley.com> > > diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py > > index c7a70e09..733d4048 100755 > > --- a/python/sepolicy/sepolicy.py > > +++ b/python/sepolicy/sepolicy.py > > @@ -1,4 +1,4 @@ > > -#!/usr/bin/python3 -Es > > +#!/usr/bin/python3 -EsI > > # Copyright (C) 2012 Red Hat > > # AUTHOR: Dan Walsh <dwalsh@redhat.com> > > # see file 'COPYING' for use and warranty information > > -- > > 2.37.3 > >
diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow index 09b06f66..eafeea88 100644 --- a/python/audit2allow/audit2allow +++ b/python/audit2allow/audit2allow @@ -1,4 +1,4 @@ -#!/usr/bin/python3 -Es +#!/usr/bin/python3 -EsI # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> # Authors: Dan Walsh <dwalsh@redhat.com> # diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen index b7a04c71..f2cc0c32 100644 --- a/python/audit2allow/sepolgen-ifgen +++ b/python/audit2allow/sepolgen-ifgen @@ -1,4 +1,4 @@ -#!/usr/bin/python3 -Es +#!/usr/bin/python3 -EsI # # Authors: Karl MacMillan <kmacmillan@mentalrootkit.com> # diff --git a/python/chcat/chcat b/python/chcat/chcat index 952cb818..68718ec5 100755 --- a/python/chcat/chcat +++ b/python/chcat/chcat @@ -1,4 +1,4 @@ -#!/usr/bin/python3 -Es +#!/usr/bin/python3 -EsI # Copyright (C) 2005 Red Hat # see file 'COPYING' for use and warranty information # diff --git a/python/semanage/semanage b/python/semanage/semanage index 10ab3fa6..b21d1484 100644 --- a/python/semanage/semanage +++ b/python/semanage/semanage @@ -1,4 +1,4 @@ -#!/usr/bin/python3 -Es +#!/usr/bin/python3 -EsI # Copyright (C) 2012-2013 Red Hat # AUTHOR: Miroslav Grepl <mgrepl@redhat.com> # AUTHOR: David Quigley <selinux@davequigley.com> diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py index c7a70e09..733d4048 100755 --- a/python/sepolicy/sepolicy.py +++ b/python/sepolicy/sepolicy.py @@ -1,4 +1,4 @@ -#!/usr/bin/python3 -Es +#!/usr/bin/python3 -EsI # Copyright (C) 2012 Red Hat # AUTHOR: Dan Walsh <dwalsh@redhat.com> # see file 'COPYING' for use and warranty information
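Review bot: `-E` and `-s` in each `+#!/usr/bin/python3 -EsI` line are redundant, because `-I` (isolated mode) already implies both; `#!/usr/bin/python3 -I` says the same thing with one flag. If the longer form is kept so the earlier flags stay visible, that is fine, but the commit message should then name what `-I` adds: `-E` already made the interpreter ignore PYTHONPATH, and the new behaviour is that the script's own directory (/usr/sbin in the reproducer) is no longer put at the front of `sys.path`.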
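Review bot: The hardening in all five hunks lives only in the shebang line, so it applies when a tool is executed directly and is lost when the file is handed to an interpreter explicitly (`python3 <script>`), where the script directory is searched first again. Consider documenting that limit, or having the scripts check `sys.flags.isolated` at startup and warn or exit when it is not set.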
Python scripts present in "/usr/sbin" override regular modules.
Make sure /usr/sbin is not present in PYTHONPATH.

Fixes:
  #cat > /usr/sbin/audit.py <<EOF
  import sys
  print("BAD GUY!", file=sys.stderr)
  sys.exit(1)
  EOF
  #semanage boolean -l
  BAD GUY!

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 python/audit2allow/audit2allow    | 2 +-
 python/audit2allow/sepolgen-ifgen | 2 +-
 python/chcat/chcat                | 2 +-
 python/semanage/semanage          | 2 +-
 python/sepolicy/sepolicy.py       | 2 +-
 5 files changed, 5 insertions(+), 5 deletions(-)
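How the shebang change affects module resolution, as an added example (not code from the patch or from the SELinux project): it runs a constructed script from a temporary directory under `-Es` and under `-EsI` and reports which `colorsys` module gets imported, and it includes a small check for whether a shebang line requests isolated mode. The file names, the `ORIGIN` marker and the helper names are assumptions made for the demonstration.

```python
import subprocess
import sys
import tempfile
from pathlib import Path


def shebang_isolated(first_line: str) -> bool:
    """True if a '#!' line passes -I, alone or bundled (e.g. -EsI)."""
    parts = first_line.strip().split()
    if not parts or not parts[0].startswith("#!"):
        return False
    return any(p.startswith("-") and not p.startswith("--") and "I" in p
               for p in parts[1:])


def run_tool(flags: str, workdir: Path) -> str:
    """Run the constructed tool.py under the given flags; return its stdout."""
    proc = subprocess.run([sys.executable, flags, str(workdir / "tool.py")],
                          capture_output=True, text=True, check=True)
    return proc.stdout.strip()


def import_origin_by_flags() -> dict:
    """Map each flag set to where 'import colorsys' was resolved from."""
    with tempfile.TemporaryDirectory() as tmp:
        work = Path(tmp)
        # Constructed stand-in for a same-named module placed beside the tool.
        (work / "colorsys.py").write_text("ORIGIN = 'script-dir'\n")
        # Constructed tool: the real stdlib colorsys has no ORIGIN attribute.
        (work / "tool.py").write_text(
            "import colorsys\n"
            "print(getattr(colorsys, 'ORIGIN', 'stdlib'))\n")
        # -Es: script directory is sys.path[0], so the sibling file wins.
        # -EsI: isolated mode leaves the script directory out of sys.path.
        return {flags: run_tool(flags, work) for flags in ("-Es", "-EsI")}


if __name__ == "__main__":
    for flags, origin in import_origin_by_flags().items():
        print(f"{flags:5} -> colorsys imported from {origin}")
    for line in ("#!/usr/bin/python3 -Es", "#!/usr/bin/python3 -EsI"):
        print(f"{line!r}: isolated={shebang_isolated(line)}")
```

`shebang_isolated` can be applied to the first line of every installed Python script to list the ones that still search their own directory first.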