Re: [PATCH] python: Harden tools against "rogue" modules

On Tue, Oct 18, 2022 at 4:40 PM Vit Mojzis <vmojzis@xxxxxxxxxx> wrote:
>
> Python scripts present in "/usr/sbin" override regular modules.
> Make sure /usr/sbin is not present in PYTHONPATH.
>
> Fixes:
>   #cat > /usr/sbin/audit.py <<EOF
>   import sys
>   print("BAD GUY!", file=sys.stderr)
>   sys.exit(1)
>   EOF
>   #semanage boolean -l
>   BAD GUY!
>
> Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx>

Acked-by: James Carter <jwcart2@xxxxxxxxx>

> ---
>  python/audit2allow/audit2allow    | 2 +-
>  python/audit2allow/sepolgen-ifgen | 2 +-
>  python/chcat/chcat                | 2 +-
>  python/semanage/semanage          | 2 +-
>  python/sepolicy/sepolicy.py       | 2 +-
>  5 files changed, 5 insertions(+), 5 deletions(-)
>
> diff --git a/python/audit2allow/audit2allow b/python/audit2allow/audit2allow
> index 09b06f66..eafeea88 100644
> --- a/python/audit2allow/audit2allow
> +++ b/python/audit2allow/audit2allow
> @@ -1,4 +1,4 @@
> -#!/usr/bin/python3 -Es
> +#!/usr/bin/python3 -EsI
>  # Authors: Karl MacMillan <kmacmillan@xxxxxxxxxxxxxxxxx>
>  # Authors: Dan Walsh <dwalsh@xxxxxxxxxx>
>  #
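
Review bot: `-I` already implies `-E` and `-s`, so on line 1 the combined `-EsI` is redundant and `#!/usr/bin/python3 -I` would have the same effect; keeping the three letters in one token is harmless and still fits the single-argument limit of a shebang line. Isolated mode exists from Python 3.4 onward, so it is worth stating that as the minimum interpreter version for these tools.
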
> diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
> index b7a04c71..f2cc0c32 100644
> --- a/python/audit2allow/sepolgen-ifgen
> +++ b/python/audit2allow/sepolgen-ifgen
> @@ -1,4 +1,4 @@
> -#!/usr/bin/python3 -Es
> +#!/usr/bin/python3 -EsI
>  #
>  # Authors: Karl MacMillan <kmacmillan@xxxxxxxxxxxxxxxxx>
>  #
> diff --git a/python/chcat/chcat b/python/chcat/chcat
> index 952cb818..68718ec5 100755
> --- a/python/chcat/chcat
> +++ b/python/chcat/chcat
> @@ -1,4 +1,4 @@
> -#!/usr/bin/python3 -Es
> +#!/usr/bin/python3 -EsI
>  # Copyright (C) 2005 Red Hat
>  # see file 'COPYING' for use and warranty information
>  #
> diff --git a/python/semanage/semanage b/python/semanage/semanage
> index 10ab3fa6..b21d1484 100644
> --- a/python/semanage/semanage
> +++ b/python/semanage/semanage
> @@ -1,4 +1,4 @@
> -#!/usr/bin/python3 -Es
> +#!/usr/bin/python3 -EsI
>  # Copyright (C) 2012-2013 Red Hat
>  # AUTHOR: Miroslav Grepl <mgrepl@xxxxxxxxxx>
>  # AUTHOR: David Quigley <selinux@xxxxxxxxxxxxxxx>
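
Review bot: the commit message describes this as keeping /usr/sbin out of PYTHONPATH, but the old `-E` on line 1 already ignored the PYTHONPATH environment variable; what `I` adds is that the script's own directory is no longer prepended to sys.path. Suggest rewording the message to say sys.path, since the `semanage boolean -l` reproducer depends on the script-directory entry and not on the environment.
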
> diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
> index c7a70e09..733d4048 100755
> --- a/python/sepolicy/sepolicy.py
> +++ b/python/sepolicy/sepolicy.py
> @@ -1,4 +1,4 @@
> -#!/usr/bin/python3 -Es
> +#!/usr/bin/python3 -EsI
>  # Copyright (C) 2012 Red Hat
>  # AUTHOR: Dan Walsh <dwalsh@xxxxxxxxxx>
>  # see file 'COPYING' for use and warranty information
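
Review bot: the flags on line 1 only apply when the file is executed through its shebang; running it as `python3 sepolicy.py` uses default import behaviour, with the script directory back on sys.path. A sentence in the commit message noting that the hardening covers direct execution only would avoid overstating the fix.
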
> --
> 2.37.3
>
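
Added example (not part of the original message or of the SELinux userspace tree): a Python check that runs a constructed script beside a constructed `colorsys.py` under the old and new shebang flags and reports whether the sibling file is imported in place of the standard-library module. The file names, `TOOL_SOURCE` and the `shadowed` helper are assumptions made for illustration.

```python
import os
import subprocess
import sys
import tempfile

# Constructed stand-in for an installed tool: it reports whether the
# colorsys module it imported lives in the tool's own directory.
TOOL_SOURCE = (
    "import colorsys, os\n"
    "here = os.path.dirname(os.path.realpath(__file__))\n"
    "mod = os.path.dirname(os.path.realpath(colorsys.__file__))\n"
    "print('shadowed' if mod == here else 'stdlib')\n"
)


def shadowed(flags):
    """Run the tool with the given interpreter flags (one token, as in a
    shebang line) and return True if the sibling colorsys.py was imported."""
    with tempfile.TemporaryDirectory() as workdir:
        tool = os.path.join(workdir, "tool.py")
        with open(tool, "w") as fh:
            fh.write(TOOL_SOURCE)
        # Constructed, harmless file with the same name as a stdlib module.
        with open(os.path.join(workdir, "colorsys.py"), "w") as fh:
            fh.write("# constructed sibling module\n")
        result = subprocess.run(
            [sys.executable, flags, tool],
            capture_output=True, text=True, check=True,
        )
        return result.stdout.strip() == "shadowed"


if __name__ == "__main__":
    for flags in ("-Es", "-EsI", "-I"):
        print(flags, "->", "shadowed" if shadowed(flags) else "stdlib")
```

The same helper can serve as a regression test for any script whose shebang is changed in this way.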


