Bug 2231023 - setroubleshoot dies when an incompatible selinux python module exists in /usr/local/lib
Summary: setroubleshoot dies when an incompatible selinux python module exists in /usr...
Keywords:
Status: NEW
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: setroubleshoot
Version: 8.8
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Vit Mojzis
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2023-08-10 11:33 UTC by Renaud Métrich
Modified: 2023-08-11 07:28 UTC (History)
CC List: 4 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID: Red Hat Issue Tracker RHELPLAN-165487 | Private: 0 | Priority: None | Status: None | Summary: None | Last Updated: 2023-08-10 11:35:30 UTC

Description Renaud Métrich 2023-08-10 11:33:41 UTC
Description of problem:

All platform-python scripts should be protected from using custom paths such as /usr/local/lib/python3.6, or else failure may happen when 3rd party python modules are present in such directory.

We have a customer hitting this issue due to having his own /usr/local/lib/python3.6/site-packages/selinux module taking precedence over our module (/usr/lib64/python3.6/site-packages/selinux).

In order to avoid the issue, /usr/share/setroubleshoot/SetroubleshootPrivileged.py shebang has to be modified as shown below:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
#!/usr/libexec/platform-python -Es
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Version-Release number of selected component (if applicable):

setroubleshoot-server-3.3.26-5.el8.x86_64

How reproducible:

Always

Steps to Reproduce:
1. Create a rogue selinux module

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  # mkdir -p /usr/local/lib/python3.6/site-packages/selinux
  # echo "BUG" > /usr/local/lib/python3.6/site-packages/selinux/__init__.py
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

2. Trigger an AVC or use the following python inline script to illustrate what would happen

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  # /usr/libexec/platform-python
  [...]
  >>> import selinux
  Traceback (most recent call last):
    File "<stdin>", line 1, in <module>
    File "/usr/local/lib/python3.6/site-packages/selinux/__init__.py", line 1, in <module>
      BUG
  NameError: name 'BUG' is not defined
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Actual results:

  Faulty /usr/local/lib/python3.6/site-packages/selinux loaded instead of /usr/lib64/python3.6/site-packages/selinux

Expected results:

  /usr/lib64/python3.6/site-packages/selinux being loaded, as seen with "/usr/libexec/platform-python -Es":

  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
  # /usr/libexec/platform-python -Es
  [...]
  >>> import selinux
  >>> 
  -------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
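An added defender-side check, written for this page and not part of setroubleshoot or of the reporter's reproduction, that shows the module-shadowing mechanism behind the report: it resolves a module name along a search path exactly as the import system would (without executing the module, so a rogue `__init__.py` never runs), flags any result that lives outside the distribution-owned prefixes, and reports whether the current interpreter was started with the `-E` and `-s` flags the report proposes for the shebang. The trusted prefixes `/usr/lib` and `/usr/lib64`, the `demo()` scenario builder and the temporary "usr/local" layout are assumptions made for illustration; which entries a real `-Es` interpreter drops from `sys.path` depends on the platform's `site.py`.

```python
"""Audit which file a Python interpreter would import a module from.

Example written for this bug report (not setroubleshoot code). It mirrors
the reporter's scenario: a package under a /usr/local site-packages directory
that shadows the distribution's /usr/lib64/python3.6/site-packages/selinux.
"""
import importlib.machinery
import os
import sys
import tempfile

# Prefixes the distribution owns; anything else is reported as untrusted.
# Assumed values for illustration.
TRUSTED_PREFIXES = ("/usr/lib", "/usr/lib64")


def resolve_origin(name, search_path):
    """Return the file `name` would be loaded from when searched along
    `search_path` (first match wins, as in the import system), or None.
    Only locates the module; it is never executed."""
    spec = importlib.machinery.PathFinder.find_spec(name, search_path)
    if spec is None:
        return None
    return spec.origin  # a package reports its __init__.py


def is_trusted(path, trusted=TRUSTED_PREFIXES):
    """True if `path` lies under one of the trusted prefixes.
    '' (the current directory) and None are never trusted."""
    if not path:
        return False
    norm = os.path.normpath(path)
    return any(norm == p or norm.startswith(p.rstrip("/") + "/") for p in trusted)


def untrusted_path_entries(search_path, trusted=TRUSTED_PREFIXES):
    """Search-path entries an isolated interpreter should not be consulting."""
    return [p for p in search_path if not is_trusted(p, trusted)]


def shadowed_modules(names, search_path, trusted=TRUSTED_PREFIXES):
    """Map each module name to the untrusted location it would load from.
    Names resolving under a trusted prefix, or not found at all, are omitted."""
    findings = {}
    for name in names:
        origin = resolve_origin(name, search_path)
        if origin is not None and not is_trusted(origin, trusted):
            findings[name] = origin
    return findings


def interpreter_is_isolated():
    """True when running under -E (environment ignored) and -s (no user
    site directory), i.e. the flags the report adds to the shebang."""
    return bool(sys.flags.ignore_environment and sys.flags.no_user_site)


def build_rogue_package(site_dir, name="selinux"):
    """Constructed test data: a package whose __init__.py fails on import,
    like the report's `echo "BUG" > .../selinux/__init__.py` reproducer."""
    pkg = os.path.join(site_dir, name)
    os.makedirs(pkg, exist_ok=True)
    with open(os.path.join(pkg, "__init__.py"), "w") as fh:
        fh.write("BUG\n")
    return pkg


def demo():
    """Rebuild the reporter's layout in a temp dir (assumed scenario) and
    return (rogue_site_dir, findings) as the auditor sees them."""
    root = tempfile.mkdtemp(prefix="rogue-site-")
    rogue_site = os.path.join(root, "usr", "local", "lib", "python3.6", "site-packages")
    build_rogue_package(rogue_site)
    # The /usr/local entry precedes the system entries, as on the customer's host.
    findings = shadowed_modules(["selinux"], [rogue_site] + sys.path)
    return rogue_site, findings


if __name__ == "__main__":
    site, found = demo()
    print("interpreter isolated (-Es):", interpreter_is_isolated())
    print("untrusted entries:", untrusted_path_entries([site] + sys.path)[:3])
    print("shadowed modules:", found)
```

Running the block with `/usr/libexec/platform-python -Es` versus plain `platform-python` shows the isolation flags flip; the `shadowed_modules()` report is what a `sys.path`-level audit of a privileged helper like SetroubleshootPrivileged.py would surface before the rogue package ever executes.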

