From: Nicolas Iooss <nicolas.iooss@m4x.org>
To: Vit Mojzis <vmojzis@redhat.com>
Cc: selinux@vger.kernel.org
Subject: Re: [PATCH 2/3] python/sepolicy: Stop rejecting aliases in sepolicy commands
Date: Tue, 23 Oct 2018 21:23:21 +0200
Message-ID: <CAJfZ7==UCR-a=mfLY1TRad++g+nbpZ6QMxFz5N6JV5_W6QomDQ@mail.gmail.com>
In-Reply-To: <CAJfZ7==tKhuWAmzgw+O5fhX9n8h0Jo_0zgmn3zbcqW=yf_JaJw@mail.gmail.com>
On Mon, Oct 22, 2018 at 7:53 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Mon, Oct 22, 2018 at 5:43 PM Vit Mojzis <vmojzis@redhat.com> wrote:
> >
> > Fix CheckDomain and CheckPortType classes to properly deal with aliases.
> >
> > Resolves:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1600009
> >
> > Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> > ---
> > python/sepolicy/sepolicy.py | 8 +++-----
> > python/sepolicy/sepolicy/__init__.py | 16 +++++++++++++++-
> > 2 files changed, 18 insertions(+), 6 deletions(-)
> >
> > diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
> > index a000c1ad..01380fbe 100755
> > --- a/python/sepolicy/sepolicy.py
> > +++ b/python/sepolicy/sepolicy.py
> > @@ -60,8 +60,6 @@ class CheckPath(argparse.Action):
> > class CheckType(argparse.Action):
> >
> > def __call__(self, parser, namespace, values, option_string=None):
> > - domains = sepolicy.get_all_domains()
> > -
> > if isinstance(values, str):
> > setattr(namespace, self.dest, values)
> > else:
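Review bot: The removal of `domains = sepolicy.get_all_domains()` in CheckType.__call__ looks like a cleanup that is unrelated to alias handling, and the commit message names only CheckDomain and CheckPortType. Mention it in the message or split it out, so that someone reading the log later does not take it for a behavioural change in CheckType.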
> > @@ -103,7 +101,7 @@ class CheckDomain(argparse.Action):
> > domains = sepolicy.get_all_domains()
> >
> > if isinstance(values, str):
> > - if values not in domains:
> > + if sepolicy.get_real_type_name(values) not in domains:
> > raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
> > setattr(namespace, self.dest, values)
> > else:
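Review bot: In the string branch of CheckDomain the resolved name is used only for the membership test, while `setattr(namespace, self.dest, values)` still stores what the user typed, so an alias reaches the rest of the command unresolved. Any later comparison against real type names has to resolve it again; consider calling get_real_type_name once, checking the result, and storing that result instead.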
> > @@ -112,7 +110,7 @@ class CheckDomain(argparse.Action):
> > newval = []
> >
> > for v in values:
> > - if v not in domains:
> > + if sepolicy.get_real_type_name(v) not in domains:
> > raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
> > newval.append(v)
> > setattr(namespace, self.dest, newval)
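Review bot: The check inside the `for v in values` loop duplicates the string branch above, down to the error text, so the two copies can drift apart on the next change. Moving the test and the ValueError into one small helper that both branches call would leave a single place to maintain.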
> > @@ -167,7 +165,7 @@ class CheckPortType(argparse.Action):
> > if not newval:
> > newval = []
> > for v in values:
> > - if v not in port_types:
> > + if sepolicy.get_real_type_name(v) not in port_types:
> > raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
> > newval.append(v)
> > setattr(namespace, self.dest, values)
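Review bot: The context line `setattr(namespace, self.dest, values)` at the end of this hunk stores `values`, not the `newval` list the loop has just filled, so anything already held in `newval` is dropped; CheckDomain stores `newval` at the same point. Since the patch touches this loop anyway, check whether that is intended and fix it here or in a follow-up.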
> > diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> > index 8484b28c..9ea10835 100644
> > --- a/python/sepolicy/sepolicy/__init__.py
> > +++ b/python/sepolicy/sepolicy/__init__.py
> > @@ -446,6 +446,20 @@ def get_file_types(setype):
> > mpaths[f] = []
> > return mpaths
> >
> > +def get_real_type_name(name):
> > + """Return the real name of a type
> > +
> > + * If 'name' refers to a type, return the same name.
> > + * If 'name' refers to a type alias, return the corresponding type name.
> > + * Otherwise return None.
> > + """
> > + if not name:
> > + return None
> > +
> > + try:
> > + return next(info(TYPE, name))["name"]
> > + except (RuntimeError, StopIteration):
> > + return None
> >
> > def get_writable_files(setype):
> > file_types = get_all_file_types()
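Review bot: Catching RuntimeError together with StopIteration in get_real_type_name makes a failed lookup indistinguishable from an unknown name, and the callers then raise a "must be an SELinux process domain" or "must be an SELinux port type" error that hides the real cause. Let RuntimeError propagate, or state in the docstring which failure it stands for and why returning None is the right answer for it.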
> > @@ -1061,7 +1075,7 @@ def gen_short_name(setype):
> > domainname = setype[:-2]
> > else:
> > domainname = setype
> > - if domainname + "_t" not in all_domains:
> > + if get_real_type_name(domainname + "_t") not in all_domains:
> > raise ValueError("domain %s_t does not exist" % domainname)
> > if domainname[-1] == 'd':
> > short_name = domainname[:-1] + "_"
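Review bot: When `setype` is an alias the new test in gen_short_name passes, but `domainname` and the `short_name` built from it are still derived from the alias spelling, not from the real type. If the short name is meant to follow the real type, resolve first and derive `domainname` from the returned name; the ValueError text would then also name the type that was actually looked up.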
> > --
> > 2.17.2
> >
> Looks good to me. I will leave others the possibility to comment and
> will merge these patches tomorrow.
>
> Thanks,
> Nicolas
Merged.
Nicolas