Message ID | 20210728165835.186338-1-plautrba@redhat.com (mailing list archive) |
---|---|
State | Accepted |
Headers | show |
Series | Do not use Python slip | expand |
On Wed, Jul 28, 2021 at 12:59 PM Petr Lautrbach <plautrba@redhat.com> wrote: > > Python slip is not actively maintained anymore and it was used just as > a polkit proxy. It looks like polkit dbus interface is quite simple to > be used directly via python dbus module. > > Signed-off-by: Petr Lautrbach <plautrba@redhat.com> I am not very familiar with the python parts of the SELinux userspace, but this patch looks good to me. Acked-by: James Carter <jwcart2@gmail.com> > --- > dbus/selinux_server.py | 69 ++++++++++++++++++------------ > python/sepolicy/sepolicy/sedbus.py | 9 ---- > 2 files changed, 41 insertions(+), 37 deletions(-) > > diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py > index be4f4557a9fa..b7c9378bcb5d 100644 > --- a/dbus/selinux_server.py > +++ b/dbus/selinux_server.py > @@ -4,26 +4,33 @@ import dbus > import dbus.service > import dbus.mainloop.glib > from gi.repository import GObject > -import slip.dbus.service > -from slip.dbus import polkit > import os > import selinux > from subprocess import Popen, PIPE, STDOUT > > > -class selinux_server(slip.dbus.service.Object): > +class selinux_server(dbus.service.Object): > default_polkit_auth_required = "org.selinux.semanage" > > def __init__(self, *p, **k): > super(selinux_server, self).__init__(*p, **k) > > + def is_authorized(self, sender, action_id): > + bus = dbus.SystemBus() > + proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority') > + authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority') > + subject = ('system-bus-name', {'name': sender}) > + result = authority.CheckAuthorization(subject, action_id, {}, 1, '') > + return result[0] > + > # > # The semanage method runs a transaction on a series of semanage commands, > # these commands can take the output of customized > # > - @slip.dbus.polkit.require_auth("org.selinux.semanage") > - @dbus.service.method("org.selinux", in_signature='s') > - def semanage(self, buf): > + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") > + def semanage(self, buf, sender): > + if not self.is_authorized(sender, "org.selinux.semanage"): > + raise dbus.exceptions.DBusException("Not authorized") > p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True) > p.stdin.write(buf) > output = p.communicate() > @@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object): > # on the server. This output can be used with the semanage method on > # another server to make the two systems have duplicate policy. > # > - @slip.dbus.polkit.require_auth("org.selinux.customized") > - @dbus.service.method("org.selinux", in_signature='', out_signature='s') > - def customized(self): > + @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") > + def customized(self, sender): > + if not self.is_authorized(sender, "org.selinux.customized"): > + raise dbus.exceptions.DBusException("Not authorized") > p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True) > buf = p.stdout.read() > output = p.communicate() > @@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object): > # The semodule_list method will return the output of semodule --list=full, using the customized polkit, > # since this is a readonly behaviour > # > - @slip.dbus.polkit.require_auth("org.selinux.semodule_list") > - @dbus.service.method("org.selinux", in_signature='', out_signature='s') > - def semodule_list(self): > + @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") > + def semodule_list(self, sender): > + if not self.is_authorized(sender, "org.selinux.semodule_list"): > + raise dbus.exceptions.DBusException("Not authorized") > p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True) > buf = p.stdout.read() > output = p.communicate() > @@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object): > # > # The restorecon method modifies any file path to the default system label > # > - @slip.dbus.polkit.require_auth("org.selinux.restorecon") > - @dbus.service.method("org.selinux", in_signature='s') > - def restorecon(self, path): > + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") > + def restorecon(self, path, sender): > + if not self.is_authorized(sender, "org.selinux.restorecon"): > + raise dbus.exceptions.DBusException("Not authorized") > selinux.restorecon(str(path), recursive=1) > > # > # The setenforce method turns off the current enforcement of SELinux > # > - @slip.dbus.polkit.require_auth("org.selinux.setenforce") > - @dbus.service.method("org.selinux", in_signature='i') > - def setenforce(self, value): > + @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") > + def setenforce(self, value, sender): > + if not self.is_authorized(sender, "org.selinux.setenforce"): > + raise dbus.exceptions.DBusException("Not authorized") > selinux.security_setenforce(value) > > # > # The setenforce method turns off the current enforcement of SELinux > # > - @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot") > - @dbus.service.method("org.selinux", in_signature='i') > - def relabel_on_boot(self, value): > + @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") > + def relabel_on_boot(self, value, sender): > + if not self.is_authorized(sender, "org.selinux.relabel_on_boot"): > + raise dbus.exceptions.DBusException("Not authorized") > if value == 1: > fd = open("/.autorelabel", "w") > fd.close() > @@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object): > # > # The change_default_enforcement modifies the current enforcement mode > # > - @slip.dbus.polkit.require_auth("org.selinux.change_default_mode") > - @dbus.service.method("org.selinux", in_signature='s') > - def change_default_mode(self, value): > + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") > + def change_default_mode(self, value, sender): > + if not self.is_authorized(sender, "org.selinux.change_default_mode"): > + raise dbus.exceptions.DBusException("Not authorized") > values = ["enforcing", "permissive", "disabled"] > if value not in values: > raise ValueError("Enforcement mode must be %s" % ", ".join(values)) > @@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object): > # > # The change_default_policy method modifies the policy type > # > - @slip.dbus.polkit.require_auth("org.selinux.change_default_policy") > - @dbus.service.method("org.selinux", in_signature='s') > - def change_default_policy(self, value): > + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") > + def change_default_policy(self, value, sender): > + if not self.is_authorized(sender, "org.selinux.change_default_policy"): > + raise dbus.exceptions.DBusException("Not authorized") > path = selinux.selinux_path() + value > if os.path.isdir(path): > return self.write_selinux_config(policy=value) > @@ -136,5 +150,4 @@ if __name__ == "__main__": > system_bus = dbus.SystemBus() > name = dbus.service.BusName("org.selinux", system_bus) > object = selinux_server(system_bus, "/org/selinux/object") > - slip.dbus.service.set_mainloop(mainloop) > mainloop.run() > diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py > index 76b259ae27e8..39b53d47753a 100644 > --- a/python/sepolicy/sepolicy/sedbus.py > +++ b/python/sepolicy/sepolicy/sedbus.py > @@ -2,7 +2,6 @@ import sys > import dbus > import dbus.service > import dbus.mainloop.glib > -from slip.dbus import polkit > > > class SELinuxDBus (object): > @@ -11,42 +10,34 @@ class SELinuxDBus (object): > self.bus = dbus.SystemBus() > self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object") > > - @polkit.enable_proxy > def semanage(self, buf): > ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux") > return ret > > - @polkit.enable_proxy > def restorecon(self, path): > ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux") > return ret > > - @polkit.enable_proxy > def setenforce(self, value): > ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux") > return ret > > - @polkit.enable_proxy > def customized(self): > ret = self.dbus_object.customized(dbus_interface="org.selinux") > return ret > > - @polkit.enable_proxy > def semodule_list(self): > ret = self.dbus_object.semodule_list(dbus_interface="org.selinux") > return ret > > - @polkit.enable_proxy > def relabel_on_boot(self, value): > ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux") > return ret > > - @polkit.enable_proxy > def change_default_mode(self, value): > ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux") > return ret > > - @polkit.enable_proxy > def change_default_policy(self, value): > ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux") > return ret > -- > 2.32.0 >
On Fri, Jul 30, 2021 at 10:19 AM James Carter <jwcart2@gmail.com> wrote: > > On Wed, Jul 28, 2021 at 12:59 PM Petr Lautrbach <plautrba@redhat.com> wrote: > > > > Python slip is not actively maintained anymore and it was used just as > > a polkit proxy. It looks like polkit dbus interface is quite simple to > > be used directly via python dbus module. > > > > Signed-off-by: Petr Lautrbach <plautrba@redhat.com> > > I am not very familiar with the python parts of the SELinux userspace, > but this patch looks good to me. > > Acked-by: James Carter <jwcart2@gmail.com> > Merged. Thanks, Jim > > --- > > dbus/selinux_server.py | 69 ++++++++++++++++++------------ > > python/sepolicy/sepolicy/sedbus.py | 9 ---- > > 2 files changed, 41 insertions(+), 37 deletions(-) > > > > diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py > > index be4f4557a9fa..b7c9378bcb5d 100644 > > --- a/dbus/selinux_server.py > > +++ b/dbus/selinux_server.py > > @@ -4,26 +4,33 @@ import dbus > > import dbus.service > > import dbus.mainloop.glib > > from gi.repository import GObject > > -import slip.dbus.service > > -from slip.dbus import polkit > > import os > > import selinux > > from subprocess import Popen, PIPE, STDOUT > > > > > > -class selinux_server(slip.dbus.service.Object): > > +class selinux_server(dbus.service.Object): > > default_polkit_auth_required = "org.selinux.semanage" > > > > def __init__(self, *p, **k): > > super(selinux_server, self).__init__(*p, **k) > > > > + def is_authorized(self, sender, action_id): > > + bus = dbus.SystemBus() > > + proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority') > > + authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority') > > + subject = ('system-bus-name', {'name': sender}) > > + result = authority.CheckAuthorization(subject, action_id, {}, 1, '') > > + return result[0] > > + > > # > > # The semanage method runs a transaction on a series of semanage commands, > > # these commands can take the output of customized > > # > > - @slip.dbus.polkit.require_auth("org.selinux.semanage") > > - @dbus.service.method("org.selinux", in_signature='s') > > - def semanage(self, buf): > > + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") > > + def semanage(self, buf, sender): > > + if not self.is_authorized(sender, "org.selinux.semanage"): > > + raise dbus.exceptions.DBusException("Not authorized") > > p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True) > > p.stdin.write(buf) > > output = p.communicate() > > @@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object): > > # on the server. This output can be used with the semanage method on > > # another server to make the two systems have duplicate policy. > > # > > - @slip.dbus.polkit.require_auth("org.selinux.customized") > > - @dbus.service.method("org.selinux", in_signature='', out_signature='s') > > - def customized(self): > > + @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") > > + def customized(self, sender): > > + if not self.is_authorized(sender, "org.selinux.customized"): > > + raise dbus.exceptions.DBusException("Not authorized") > > p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True) > > buf = p.stdout.read() > > output = p.communicate() > > @@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object): > > # The semodule_list method will return the output of semodule --list=full, using the customized polkit, > > # since this is a readonly behaviour > > # > > - @slip.dbus.polkit.require_auth("org.selinux.semodule_list") > > - @dbus.service.method("org.selinux", in_signature='', out_signature='s') > > - def semodule_list(self): > > + @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") > > + def semodule_list(self, sender): > > + if not self.is_authorized(sender, "org.selinux.semodule_list"): > > + raise dbus.exceptions.DBusException("Not authorized") > > p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True) > > buf = p.stdout.read() > > output = p.communicate() > > @@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object): > > # > > # The restorecon method modifies any file path to the default system label > > # > > - @slip.dbus.polkit.require_auth("org.selinux.restorecon") > > - @dbus.service.method("org.selinux", in_signature='s') > > - def restorecon(self, path): > > + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") > > + def restorecon(self, path, sender): > > + if not self.is_authorized(sender, "org.selinux.restorecon"): > > + raise dbus.exceptions.DBusException("Not authorized") > > selinux.restorecon(str(path), recursive=1) > > > > # > > # The setenforce method turns off the current enforcement of SELinux > > # > > - @slip.dbus.polkit.require_auth("org.selinux.setenforce") > > - @dbus.service.method("org.selinux", in_signature='i') > > - def setenforce(self, value): > > + @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") > > + def setenforce(self, value, sender): > > + if not self.is_authorized(sender, "org.selinux.setenforce"): > > + raise dbus.exceptions.DBusException("Not authorized") > > selinux.security_setenforce(value) > > > > # > > # The setenforce method turns off the current enforcement of SELinux > > # > > - @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot") > > - @dbus.service.method("org.selinux", in_signature='i') > > - def relabel_on_boot(self, value): > > + @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") > > + def relabel_on_boot(self, value, sender): > > + if not self.is_authorized(sender, "org.selinux.relabel_on_boot"): > > + raise dbus.exceptions.DBusException("Not authorized") > > if value == 1: > > fd = open("/.autorelabel", "w") > > fd.close() > > @@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object): > > # > > # The change_default_enforcement modifies the current enforcement mode > > # > > - @slip.dbus.polkit.require_auth("org.selinux.change_default_mode") > > - @dbus.service.method("org.selinux", in_signature='s') > > - def change_default_mode(self, value): > > + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") > > + def change_default_mode(self, value, sender): > > + if not self.is_authorized(sender, "org.selinux.change_default_mode"): > > + raise dbus.exceptions.DBusException("Not authorized") > > values = ["enforcing", "permissive", "disabled"] > > if value not in values: > > raise ValueError("Enforcement mode must be %s" % ", ".join(values)) > > @@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object): > > # > > # The change_default_policy method modifies the policy type > > # > > - @slip.dbus.polkit.require_auth("org.selinux.change_default_policy") > > - @dbus.service.method("org.selinux", in_signature='s') > > - def change_default_policy(self, value): > > + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") > > + def change_default_policy(self, value, sender): > > + if not self.is_authorized(sender, "org.selinux.change_default_policy"): > > + raise dbus.exceptions.DBusException("Not authorized") > > path = selinux.selinux_path() + value > > if os.path.isdir(path): > > return self.write_selinux_config(policy=value) > > @@ -136,5 +150,4 @@ if __name__ == "__main__": > > system_bus = dbus.SystemBus() > > name = dbus.service.BusName("org.selinux", system_bus) > > object = selinux_server(system_bus, "/org/selinux/object") > > - slip.dbus.service.set_mainloop(mainloop) > > mainloop.run() > > diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py > > index 76b259ae27e8..39b53d47753a 100644 > > --- a/python/sepolicy/sepolicy/sedbus.py > > +++ b/python/sepolicy/sepolicy/sedbus.py > > @@ -2,7 +2,6 @@ import sys > > import dbus > > import dbus.service > > import dbus.mainloop.glib > > -from slip.dbus import polkit > > > > > > class SELinuxDBus (object): > > @@ -11,42 +10,34 @@ class SELinuxDBus (object): > > self.bus = dbus.SystemBus() > > self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object") > > > > - @polkit.enable_proxy > > def semanage(self, buf): > > ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux") > > return ret > > > > - @polkit.enable_proxy > > def restorecon(self, path): > > ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux") > > return ret > > > > - @polkit.enable_proxy > > def setenforce(self, value): > > ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux") > > return ret > > > > - @polkit.enable_proxy > > def customized(self): > > ret = self.dbus_object.customized(dbus_interface="org.selinux") > > return ret > > > > - @polkit.enable_proxy > > def semodule_list(self): > > ret = self.dbus_object.semodule_list(dbus_interface="org.selinux") > > return ret > > > > - @polkit.enable_proxy > > def relabel_on_boot(self, value): > > ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux") > > return ret > > > > - @polkit.enable_proxy > > def change_default_mode(self, value): > > ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux") > > return ret > > > > - @polkit.enable_proxy > > def change_default_policy(self, value): > > ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux") > > return ret > > -- > > 2.32.0 > >
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py index be4f4557a9fa..b7c9378bcb5d 100644 --- a/dbus/selinux_server.py +++ b/dbus/selinux_server.py @@ -4,26 +4,33 @@ import dbus import dbus.service import dbus.mainloop.glib from gi.repository import GObject -import slip.dbus.service -from slip.dbus import polkit import os import selinux from subprocess import Popen, PIPE, STDOUT -class selinux_server(slip.dbus.service.Object): +class selinux_server(dbus.service.Object): default_polkit_auth_required = "org.selinux.semanage" def __init__(self, *p, **k): super(selinux_server, self).__init__(*p, **k) + def is_authorized(self, sender, action_id): + bus = dbus.SystemBus() + proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority') + authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority') + subject = ('system-bus-name', {'name': sender}) + result = authority.CheckAuthorization(subject, action_id, {}, 1, '') + return result[0] + # # The semanage method runs a transaction on a series of semanage commands, # these commands can take the output of customized # - @slip.dbus.polkit.require_auth("org.selinux.semanage") - @dbus.service.method("org.selinux", in_signature='s') - def semanage(self, buf): + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") + def semanage(self, buf, sender): + if not self.is_authorized(sender, "org.selinux.semanage"): + raise dbus.exceptions.DBusException("Not authorized") p = Popen(["/usr/sbin/semanage", "import"], stdout=PIPE, stderr=PIPE, stdin=PIPE, universal_newlines=True) p.stdin.write(buf) output = p.communicate() @@ -35,9 +42,10 @@ class selinux_server(slip.dbus.service.Object): # on the server. This output can be used with the semanage method on # another server to make the two systems have duplicate policy. # - @slip.dbus.polkit.require_auth("org.selinux.customized") - @dbus.service.method("org.selinux", in_signature='', out_signature='s') - def customized(self): + @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") + def customized(self, sender): + if not self.is_authorized(sender, "org.selinux.customized"): + raise dbus.exceptions.DBusException("Not authorized") p = Popen(["/usr/sbin/semanage", "export"], stdout=PIPE, stderr=PIPE, universal_newlines=True) buf = p.stdout.read() output = p.communicate() @@ -49,9 +57,10 @@ class selinux_server(slip.dbus.service.Object): # The semodule_list method will return the output of semodule --list=full, using the customized polkit, # since this is a readonly behaviour # - @slip.dbus.polkit.require_auth("org.selinux.semodule_list") - @dbus.service.method("org.selinux", in_signature='', out_signature='s') - def semodule_list(self): + @dbus.service.method("org.selinux", in_signature='', out_signature='s', sender_keyword="sender") + def semodule_list(self, sender): + if not self.is_authorized(sender, "org.selinux.semodule_list"): + raise dbus.exceptions.DBusException("Not authorized") p = Popen(["/usr/sbin/semodule", "--list=full"], stdout=PIPE, stderr=PIPE, universal_newlines=True) buf = p.stdout.read() output = p.communicate() @@ -62,25 +71,28 @@ class selinux_server(slip.dbus.service.Object): # # The restorecon method modifies any file path to the default system label # - @slip.dbus.polkit.require_auth("org.selinux.restorecon") - @dbus.service.method("org.selinux", in_signature='s') - def restorecon(self, path): + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") + def restorecon(self, path, sender): + if not self.is_authorized(sender, "org.selinux.restorecon"): + raise dbus.exceptions.DBusException("Not authorized") selinux.restorecon(str(path), recursive=1) # # The setenforce method turns off the current enforcement of SELinux # - @slip.dbus.polkit.require_auth("org.selinux.setenforce") - @dbus.service.method("org.selinux", in_signature='i') - def setenforce(self, value): + @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") + def setenforce(self, value, sender): + if not self.is_authorized(sender, "org.selinux.setenforce"): + raise dbus.exceptions.DBusException("Not authorized") selinux.security_setenforce(value) # # The setenforce method turns off the current enforcement of SELinux # - @slip.dbus.polkit.require_auth("org.selinux.relabel_on_boot") - @dbus.service.method("org.selinux", in_signature='i') - def relabel_on_boot(self, value): + @dbus.service.method("org.selinux", in_signature='i', sender_keyword="sender") + def relabel_on_boot(self, value, sender): + if not self.is_authorized(sender, "org.selinux.relabel_on_boot"): + raise dbus.exceptions.DBusException("Not authorized") if value == 1: fd = open("/.autorelabel", "w") fd.close() @@ -111,9 +123,10 @@ class selinux_server(slip.dbus.service.Object): # # The change_default_enforcement modifies the current enforcement mode # - @slip.dbus.polkit.require_auth("org.selinux.change_default_mode") - @dbus.service.method("org.selinux", in_signature='s') - def change_default_mode(self, value): + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") + def change_default_mode(self, value, sender): + if not self.is_authorized(sender, "org.selinux.change_default_mode"): + raise dbus.exceptions.DBusException("Not authorized") values = ["enforcing", "permissive", "disabled"] if value not in values: raise ValueError("Enforcement mode must be %s" % ", ".join(values)) @@ -122,9 +135,10 @@ class selinux_server(slip.dbus.service.Object): # # The change_default_policy method modifies the policy type # - @slip.dbus.polkit.require_auth("org.selinux.change_default_policy") - @dbus.service.method("org.selinux", in_signature='s') - def change_default_policy(self, value): + @dbus.service.method("org.selinux", in_signature='s', sender_keyword="sender") + def change_default_policy(self, value, sender): + if not self.is_authorized(sender, "org.selinux.change_default_policy"): + raise dbus.exceptions.DBusException("Not authorized") path = selinux.selinux_path() + value if os.path.isdir(path): return self.write_selinux_config(policy=value) @@ -136,5 +150,4 @@ if __name__ == "__main__": system_bus = dbus.SystemBus() name = dbus.service.BusName("org.selinux", system_bus) object = selinux_server(system_bus, "/org/selinux/object") - slip.dbus.service.set_mainloop(mainloop) mainloop.run() diff --git a/python/sepolicy/sepolicy/sedbus.py b/python/sepolicy/sepolicy/sedbus.py index 76b259ae27e8..39b53d47753a 100644 --- a/python/sepolicy/sepolicy/sedbus.py +++ b/python/sepolicy/sepolicy/sedbus.py @@ -2,7 +2,6 @@ import sys import dbus import dbus.service import dbus.mainloop.glib -from slip.dbus import polkit class SELinuxDBus (object): @@ -11,42 +10,34 @@ class SELinuxDBus (object): self.bus = dbus.SystemBus() self.dbus_object = self.bus.get_object("org.selinux", "/org/selinux/object") - @polkit.enable_proxy def semanage(self, buf): ret = self.dbus_object.semanage(buf, dbus_interface="org.selinux") return ret - @polkit.enable_proxy def restorecon(self, path): ret = self.dbus_object.restorecon(path, dbus_interface="org.selinux") return ret - @polkit.enable_proxy def setenforce(self, value): ret = self.dbus_object.setenforce(value, dbus_interface="org.selinux") return ret - @polkit.enable_proxy def customized(self): ret = self.dbus_object.customized(dbus_interface="org.selinux") return ret - @polkit.enable_proxy def semodule_list(self): ret = self.dbus_object.semodule_list(dbus_interface="org.selinux") return ret - @polkit.enable_proxy def relabel_on_boot(self, value): ret = self.dbus_object.relabel_on_boot(value, dbus_interface="org.selinux") return ret - @polkit.enable_proxy def change_default_mode(self, value): ret = self.dbus_object.change_default_mode(value, dbus_interface="org.selinux") return ret - @polkit.enable_proxy def change_default_policy(self, value): ret = self.dbus_object.change_default_policy(value, dbus_interface="org.selinux") return ret
Python slip is not actively maintained anymore and it was used just as a polkit proxy. It looks like polkit dbus interface is quite simple to be used directly via python dbus module. Signed-off-by: Petr Lautrbach <plautrba@redhat.com> --- dbus/selinux_server.py | 69 ++++++++++++++++++------------ python/sepolicy/sepolicy/sedbus.py | 9 ---- 2 files changed, 41 insertions(+), 37 deletions(-)