python: Harden more tools against "rogue" modules

Python scripts present in the same directory as the tool override regular modules. Fixes: #cat > /usr/bin/signal.py <<EOF import sys print("BAD GUY!", file=sys.stderr) sys.exit(1) EOF #sandbox date BAD GUY! Signed-off-by: Vit Mojzis <[email protected]> Acked-by: James Carter <[email protected]>
SELinuxProject · Dec 12, 2023 · 94389f2 · 94389f2
1 parent 2752043
commit 94389f2
Show file tree

Hide file tree

Showing 5 changed files with 7 additions and 7 deletions.
diff --git a/dbus/selinux_server.py b/dbus/selinux_server.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3
+#!/usr/bin/python3 -EsI
 
 import dbus
 import dbus.service

diff --git a/gui/polgengui.py b/gui/polgengui.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
 #
 # polgengui.py - GUI for SELinux Config tool in system-config-selinux
 #

diff --git a/gui/system-config-selinux.py b/gui/system-config-selinux.py
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
 #
 # system-config-selinux.py - GUI for SELinux Config tool in system-config-selinux
 #
@@ -32,6 +32,8 @@
  print("This is a graphical application and requires DISPLAY to be set.")
  sys.exit(1)
 
+sys.path.append('/usr/share/system-config-selinux')
+
 from gi.repository import GObject
 import statusPage
 import booleansPage
@@ -66,8 +68,6 @@
 
 version = "1.0"
 
-sys.path.append('/usr/share/system-config-selinux')
-
 
 ##
 ## Pull in the Glade file

diff --git a/sandbox/sandbox b/sandbox/sandbox
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
 # Authors: Dan Walsh <[email protected]>
 # Authors: Thomas Liu <[email protected]>
 # Authors: Josh Cogliati

diff --git a/sandbox/start b/sandbox/start
@@ -1,4 +1,4 @@
-#!/usr/bin/python3 -Es
+#!/usr/bin/python3 -EsI
 try:
  from subprocess import getstatusoutput
 except ImportError: