Bug 2231023

Summary: setroubleshoot dies when an incompatible selinux python module exists in /usr/local/lib
Product: Red Hat Enterprise Linux 8
Reporter: Renaud Métrich <rmetrich>
Component: setroubleshoot
Assignee: Vit Mojzis <vmojzis>
Status: CLOSED MIGRATED
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Priority: high
Version: 8.8
CC: jgalipea, lvrabec, mmalik, plautrba, vmojzis
Target Milestone: rc
Keywords: MigratedToJIRA, Triaged
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Last Closed: 2023-09-19 20:21:07 UTC
Type: Bug

Description Renaud Métrich 2023-08-10 11:33:41 UTC
Description of problem:

All platform-python scripts should be protected from using custom paths such as /usr/local/lib/python3.6, or else failure may happen when 3rd party python modules are present in such directory.

We have a customer hitting this issue due to having his own /usr/local/lib/python3.6/site-packages/selinux module taking precedence over our module (/usr/lib64/python3.6/site-packages/selinux).

In order to avoid the issue, /usr/share/setroubleshoot/SetroubleshootPrivileged.py shebang has to be modified as shown below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/usr/libexec/platform-python -Es
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):

setroubleshoot-server-3.3.26-5.el8.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Create a rogue selinux module

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  # mkdir -p /usr/local/lib/python3.6/site-packages/selinux
  # echo "BUG" > /usr/local/lib/python3.6/site-packages/selinux/__init__.py
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Trigger an AVC or use the following python inline script to illustrate what would happen

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  # /usr/libexec/platform-python
  [...]
  >>> import selinux
  Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
    File "/usr/local/lib/python3.6/site-packages/selinux/__init__.py", line 1, in <module>
      BUG
  NameError: name 'BUG' is not defined
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results:

  Faulty /usr/local/lib/python3.6/site-packages/selinux loaded instead of /usr/lib64/python3.6/site-packages/selinux

Expected results:

  /usr/lib64/python3.6/site-packages/selinux being loaded, as seen with "/usr/libexec/platform-python -Es":

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  # /usr/libexec/platform-python -Es
  [...]
  >>> import selinux
  >>> 
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
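As an added example (not part of this report or of setroubleshoot), a self-check that a platform-python script can run to verify it is in the state the `-Es` shebang is meant to provide: both isolation flags set, and no sys.path entry or module origin outside the RPM-managed tree. The system prefixes are assumed from the paths quoted in the report.

```python
"""Self-check for a platform-python script: are -E and -s in effect, and
does anything on sys.path sit outside the package-managed directories?
Example code written for this report, not part of setroubleshoot."""
import sys
from typing import Iterable, List, Optional

# RPM-managed Python directories on RHEL 8 platform-python (assumption,
# derived from the paths in the report; python36.zip is the stdlib zip
# entry the interpreter puts on sys.path by default).
SYSTEM_PREFIXES = ("/usr/lib64/python3.6", "/usr/lib/python3.6",
                   "/usr/lib64/python36.zip")


def _under(entry: str, prefixes: Iterable[str]) -> bool:
    """True when entry is one of the prefixes or a path below one of them."""
    return any(entry == p or entry.startswith(p.rstrip("/") + "/") for p in prefixes)


def foreign_path_entries(path: Iterable[str],
                         system_prefixes: Iterable[str] = SYSTEM_PREFIXES) -> List[str]:
    """Return sys.path entries that are not under an RPM-managed prefix.

    Each such entry ('' for the current directory, /usr/local/lib/python3.6/
    site-packages, anything injected via PYTHONPATH) is a location where a
    stray module can shadow a system one, as the rogue `selinux` package did.
    """
    return [e for e in path if not _under(e, system_prefixes)]


def interpreter_isolated(flags=sys.flags) -> bool:
    """True when both -E (ignore PYTHON* variables) and -s (no user site) are set.

    On RHEL 8 platform-python, -s also keeps /usr/local/lib/python3.6/site-packages
    off sys.path, which is why the report's fix is `-Es`.
    """
    return bool(flags.ignore_environment and flags.no_user_site)


def module_from_system(module_file: Optional[str],
                       system_prefixes: Iterable[str] = SYSTEM_PREFIXES) -> bool:
    """True when a module's __file__ lies under an RPM-managed prefix.

    A built-in module has no __file__ (None) and is accepted as-is.
    """
    return module_file is None or _under(module_file, system_prefixes)


if __name__ == "__main__":
    print("isolated (-E and -s):", interpreter_isolated())
    print("foreign sys.path entries:", foreign_path_entries(sys.path))
```

Run it once as `/usr/libexec/platform-python check.py` and once with `-Es` to see the /usr/local entry disappear from the foreign list.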

Comment 2 RHEL Program Management 2023-09-19 17:51:53 UTC
Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.