From: "Christian Göttsche" <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [PATCH v3 3/3] sepolgen-ifgen: refactor default policy path retrieval
Date: Fri, 5 Jun 2020 16:49:12 +0200
Message-ID: <20200605144912.22522-3-cgzones@googlemail.com>
In-Reply-To: <20200605144912.22522-1-cgzones@googlemail.com>
On a SELinux disabled system the python call
`selinux.security_policyvers()` will fail.
Move the logic to find a binary policy by iterating over appended
version suffixes from the python script `sepolgen-ifgen` to the C
helper `sepolgen-ifgen-attr-helper` to make use of the libsepol
interface `sepol_policy_kern_vers_max()`.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3: Move the iteration logic from sepolgen-ifgen to
sepolgen-ifgen-attr-helper and use sepol_policy_kern_vers_max()
instead of selinux.security_policyvers(), to work on SELinux
disabled systems
python/audit2allow/sepolgen-ifgen | 26 ++-----------
.../audit2allow/sepolgen-ifgen-attr-helper.c | 39 ++++++++++++++++---
2 files changed, 37 insertions(+), 28 deletions(-)
diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
index 4a71cda4..19c3ee30 100644
--- a/python/audit2allow/sepolgen-ifgen
+++ b/python/audit2allow/sepolgen-ifgen
@@ -27,7 +27,6 @@
import sys
-import os
import tempfile
import subprocess
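Review bot: dropping `import os` is correct only if `get_policy()` was the script's sole user of the `os` module; the hunk shows no other reference, but `grep -n 'os\.' python/audit2allow/sepolgen-ifgen` on the patched file is the one-line check worth running before merge, since a stray `os.path` call elsewhere would now surface as a `NameError` at runtime rather than at import time.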
@@ -65,34 +64,15 @@ def parse_options():
return options
-def get_policy():
- p = selinux.selinux_current_policy_path()
- if p and os.path.exists(p):
- return p
- i = selinux.security_policyvers()
- p = selinux.selinux_binary_policy_path() + "." + str(i)
- while i > 0 and not os.path.exists(p):
- i = i - 1
- p = selinux.selinux_binary_policy_path() + "." + str(i)
- if i > 0:
- return p
- return None
-
-
def get_attrs(policy_path, attr_helper):
+ if not policy_path:
+ policy_path = selinux.selinux_binary_policy_path()
+
try:
- if not policy_path:
- policy_path = get_policy()
- if not policy_path:
- sys.stderr.write("No installed policy to check\n")
- return None
outfile = tempfile.NamedTemporaryFile()
except IOError as e:
sys.stderr.write("could not open attribute output file\n")
return None
- except OSError:
- # SELinux Disabled Machine
- return None
fd = open("/dev/null", "w")
ret = subprocess.Popen([attr_helper, policy_path, outfile.name], stdout=fd).wait()
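Review bot: the behaviour change in `get_attrs()` deserves a sentence in the commit message: the removed `get_policy()` preferred `selinux.selinux_current_policy_path()` (the policy actually loaded in the kernel) and only then fell back to the on-disk binary policy, whereas the new code always passes `selinux.selinux_binary_policy_path()` to the helper, so on a system whose loaded policy differs from the installed file the generated attribute list may no longer match the running policy. Two related points: the removed `"No installed policy to check"` message is now only emitted by the helper on its stderr, which `Popen(..., stdout=fd)` leaves connected, so the user still gets a diagnostic; and the `except OSError` branch deleted here was the only handling of a SELinux-disabled machine, which now rests on the helper exiting non-zero, so the caller must act on `ret` rather than assume `outfile` was written.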
diff --git a/python/audit2allow/sepolgen-ifgen-attr-helper.c b/python/audit2allow/sepolgen-ifgen-attr-helper.c
index 1ce37b0d..dab6fb15 100644
--- a/python/audit2allow/sepolgen-ifgen-attr-helper.c
+++ b/python/audit2allow/sepolgen-ifgen-attr-helper.c
@@ -147,13 +147,42 @@ static policydb_t *load_policy(const char *filename)
policydb_t *policydb;
struct policy_file pf;
FILE *fp;
+ char pathname[PATH_MAX];
+ int suffix_ver;
int ret;
- fp = fopen(filename, "r");
- if (fp == NULL) {
- fprintf(stderr, "Can't open '%s': %s\n",
- filename, strerror(errno));
- return NULL;
+ /*
+ * First use the pure given path.
+ * If it does not exist use paths with version suffixes,
+ * starting from the maximum supported policy version.
+ */
+ if (access(filename, F_OK) == 0) {
+ fp = fopen(filename, "r");
+ if (fp == NULL) {
+ fprintf(stderr, "Can't open '%s': %s\n",
+ filename, strerror(errno));
+ return NULL;
+ }
+ } else {
+ for (suffix_ver = sepol_policy_kern_vers_max(); suffix_ver > 0; suffix_ver--) {
+ snprintf(pathname, sizeof(pathname), "%s.%d", filename, suffix_ver);
+
+ if (access(pathname, F_OK) == 0)
+ break;
+ }
+
+ if (suffix_ver <= 0) {
+ fprintf(stderr, "Can't find any policy at '%s'\n",
+ filename);
+ return NULL;
+ }
+
+ fp = fopen(pathname, "r");
+ if (fp == NULL) {
+ fprintf(stderr, "Can't open '%s': %s\n",
+ pathname, strerror(errno));
+ return NULL;
+ }
}
policy_file_init(&pf);
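Review bot: the `snprintf()` at the top of the suffix loop ignores its return value, so a `filename` within a few bytes of `PATH_MAX` yields a silently truncated `pathname` that `access()` may then match against an unrelated file; check the result against `sizeof(pathname)` and fail with a clear message instead. Two smaller points in the same hunk: `PATH_MAX` and `access()` require `<limits.h>` and `<unistd.h>`, which this hunk does not add, so confirm the file already includes them; and the `access()`-then-`fopen()` probe could be replaced by calling `fopen()` directly and falling through to the suffix search only when `errno == ENOENT`, which removes the check-then-open window and the duplicated open/error handling in the two branches.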
--
2.27.0