On Wed, Jul 28, 2021 at 12:59 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
>
> Python slip is not actively maintained anymore and it was used just as
> a polkit proxy. It looks like polkit dbus interface is quite simple to
> be used directly via python dbus module.
>
> Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
I am not very familiar with the python parts of the SELinux userspace,
but this patch looks good to me.
Acked-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> dbus/selinux_server.py | 69 ++++++++++++++++++------------
> python/sepolicy/sepolicy/sedbus.py | 9 ----
> 2 files changed, 41 insertions(+), 37 deletions(-)
>
> diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
> index be4f4557a9fa..b7c9378bcb5d 100644
> --- a/dbus/selinux_server.py
> +++ b/dbus/selinux_server.py
> @@ -4,26 +4,33 @@ import dbus
> import dbus.service
> import dbus.mainloop.glib
> from gi.repository import GObject
> -import slip.dbus.service
> -from slip.dbus import polkit
> import os
> import selinux
> from subprocess import Popen, PIPE, STDOUT
>
>
> -class selinux_server(slip.dbus.service.Object):
> +class selinux_server(dbus.service.Object):
> default_polkit_auth_required = "org.selinux.semanage"
>
> def __init__(self, *p, **k):
> super(selinux_server, self).__init__(*p, **k)
>
> + def is_authorized(self, sender, action_id):
> + bus = dbus.SystemBus()
> + proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
> + authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
> + subject = ('system-bus-name', {'name': sender})
> + result = authority.CheckAuthorization(subject, action_id, {}, 1, '')
> + return result[0]
> +
> #
> # The semanage method runs a transaction on a series of semanage commands,
> # these commands can take the output of customized
> #
> - @slip.dbus.polkit.require_auth("org.selinux.semanage")
> - @dbus.service.method("org.selinux", in_signature='s')
> - def semanage(self, buf):
> + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
> + def semanage(self, buf, sender):
> + if not self.is_authorized(sender, "org.selinux.semanage"):
> + raise dbus.exceptions.DBusException("Not authorized")
> p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True)
> p.stdin.write(buf)
> output = p.communicate()
> @@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object):
> # on the server. This output can be used with the semanage method on
> # another server to make the two systems have duplicate policy.
> #
> - @slip.dbus.polkit.require_auth("org.selinux.customized")
> - @dbus.service.method("org.selinux", in_signature='', out_signature='s')
> - def customized(self):
> + @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
> + def customized(self, sender):
> + if not self.is_authorized(sender, "org.selinux.customized"):
> + raise dbus.exceptions.DBusException("Not authorized")
> p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
> buf = p.stdout.read()
> output = p.communicate()
> @@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object):
> # The semodule_list method will return the output of semodule --list=full, using the customized polkit,
> # since this is a readonly behaviour
> #
> - @slip.dbus.polkit.require_auth("org.selinux.semodule_list")
> - @dbus.service.method("org.selinux", in_signature='', out_signature='s')
> - def semodule_list(self):
> + @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender")
> + def semodule_list(self, sender):
> + if not self.is_authorized(sender, "org.selinux.semodule_list"):
> + raise dbus.exceptions.DBusException("Not authorized")
> p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True)
> buf = p.stdout.read()
> output = p.communicate()
> @@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object):
> #
> # The restorecon method modifies any file path to the default system label
> #
> - @slip.dbus.polkit.require_auth("org.selinux.restorecon")
> - @dbus.service.method("org.selinux", in_signature='s')
> - def restorecon(self, path):
> + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
> + def restorecon(self, path, sender):
> + if not self.is_authorized(sender, "org.selinux.restorecon"):
> + raise dbus.exceptions.DBusException("Not authorized")
> selinux.restorecon(str(path), recursive=1)
>
> #
> # The setenforce method turns off the current enforcement of SELinux
> #
> - @slip.dbus.polkit.require_auth("org.selinux.setenforce")
> - @dbus.service.method("org.selinux", in_signature='i')
> - def setenforce(self, value):
> + @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
> + def setenforce(self, value, sender):
> + if not self.is_authorized(sender, "org.selinux.setenforce"):
> + raise dbus.exceptions.DBusException("Not authorized")
> selinux.security_setenforce(value)
>
> #
> # The setenforce method turns off the current enforcement of SELinux
> #
> - @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot")
> - @dbus.service.method("org.selinux", in_signature='i')
> - def relabel_on_boot(self, value):
> + @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender")
> + def relabel_on_boot(self, value, sender):
> + if not self.is_authorized(sender, "org.selinux.relabel_on_boot"):
> + raise dbus.exceptions.DBusException("Not authorized")
> if value == 1:
> fd = open("/.autorelabel", "w")
> fd.close()
> @@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object):
> #
> # The change_default_enforcement modifies the current enforcement mode
> #
> - @slip.dbus.polkit.require_auth("org.selinux.change_default_mode")
> - @dbus.service.method("org.selinux", in_signature='s')
> - def change_default_mode(self, value):
> + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
> + def change_default_mode(self, value, sender):
> + if not self.is_authorized(sender, "org.selinux.change_default_mode"):
> + raise dbus.exceptions.DBusException("Not authorized")
> values = ["enforcing", "permissive", "disabled"]
> if value not in values:
> raise ValueError("Enforcement mode must be %s" % ", ".join(values))
> @@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object):
> #
> # The change_default_policy method modifies the policy type
> #
> - @slip.dbus.polkit.require_auth("org.selinux.change_default_policy")
> - @dbus.service.method("org.selinux", in_signature='s')
> - def change_default_policy(self, value):
> + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender")
> + def change_default_policy(self, value, sender):
> + if not self.is_authorized(sender, "org.selinux.change_default_policy"):
> + raise dbus.exceptions.DBusException("Not authorized")
> path = selinux.selinux_path() + value
> if os.path.isdir(path):
> return self.write_selinux_config(policy=value)
> @@ -136,5 +150,4 @@ if __name__ == "__main__":
> system_bus = dbus.SystemBus()
> name = dbus.service.BusName("org.selinux", system_bus)
> object = selinux_server(system_bus, "/org/selinux/object")
> - slip.dbus.service.set_mainloop(mainloop)
> mainloop.run()
> diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py
> index 76b259ae27e8..39b53d47753a 100644
> --- a/python/sepolicy/sepolicy/sedbus.py
> +++ b/python/sepolicy/sepolicy/sedbus.py
> @@ -2,7 +2,6 @@ import sys
> import dbus
> import dbus.service
> import dbus.mainloop.glib
> -from slip.dbus import polkit
>
>
> class SELinuxDBus (object):
> @@ -11,42 +10,34 @@ class SELinuxDBus (object):
> self.bus = dbus.SystemBus()
> self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object")
>
> - @polkit.enable_proxy
> def semanage(self, buf):
> ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux")
> return ret
>
> - @polkit.enable_proxy
> def restorecon(self, path):
> ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux")
> return ret
>
> - @polkit.enable_proxy
> def setenforce(self, value):
> ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux")
> return ret
>
> - @polkit.enable_proxy
> def customized(self):
> ret = self.dbus_object.customized(dbus_interface="org.selinux")
> return ret
>
> - @polkit.enable_proxy
> def semodule_list(self):
> ret = self.dbus_object.semodule_list(dbus_interface="org.selinux")
> return ret
>
> - @polkit.enable_proxy
> def relabel_on_boot(self, value):
> ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux")
> return ret
>
> - @polkit.enable_proxy
> def change_default_mode(self, value):
> ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux")
> return ret
>
> - @polkit.enable_proxy
> def change_default_policy(self, value):
> ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux")
> return ret
> --
> 2.32.0
>
