Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-5202

setroubleshoot dies when an incompatible selinux python module exists in /usr/local/lib

XMLWordPrintable

    • None
    • Important
    • rhel-sst-security-selinux
    • ssg_security
    • 26
    • None
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • If docs needed, set a value
    • All
    • None

      Description of problem:

      All platform-python scripts should be protected from using custom paths such as /usr/local/lib/python3.6, or else failure may happen when 3rd party python modules are present in such directory.

      We have a customer hitting this issue due to having his own /usr/local/lib/python3.6/site-packages/selinux module taking precedence other our module (/usr/lib64/python3.6/site-packages/selinux).

      In order to avoid the issue, /usr/share/setroubleshoot/SetroubleshootPrivileged.py shebang has to be modified as shown below:
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
      #!/usr/libexec/platform-python -Es
      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      Version-Release number of selected component (if applicable):

      setroubleshoot-server-3.3.26-5.el8.x86_64

      How reproducible:

      Always

      Steps to Reproduce:
      1. Create a rogue selinux module

      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      1. mkdir -p /usr/local/lib/python3.6/site-packages/selinux
      2. echo "BUG" > /usr/local/lib/python3.6/site-packages/selinux/_init_.py
                    • 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      2. Trigger an AVC or use the following python inline script to illustrate what would happen

      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      1. /usr/libexec/platform-python
        [...]
        >>> import selinux
        Traceback (most recent call last):
        File "<stdin>", line 1, in <module>
        File "/usr/local/lib/python3.6/site-packages/selinux/_init_.py", line 1, in <module>
        BUG
        NameError: name 'BUG' is not defined
                    • 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      Actual results:

      Faulty /usr/local/lib/python3.6/site-packages/selinux loaded instead of /usr/lib64/python3.6/site-packages/selinux

      Expected results:

      /usr/lib64/python3.6/site-packages/selinux being loaded, as seen with "/usr/libexec/platform-python -Es":

      -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

      1. /usr/libexec/platform-python -Es
        [...]
        >>> import selinux
        >>>
                    • 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

              vmojzis@redhat.com Vit Mojzis
              rhn-support-rmetrich Renaud Métrich
              SSG Security QE SSG Security QE
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: