Re: [PATCH] chcat: don't crash if access to binary policy is prohibited

From: Nicolas Iooss <nicolas.iooss@m4x.org>
To: bauen1 <j2468h@googlemail.com>, SElinux list <selinux@vger.kernel.org>
Subject: Re: [PATCH] chcat: don't crash if access to binary policy is prohibited
Date: Sun, 10 May 2020 19:25:43 +0200	[thread overview]
Message-ID: <CAJfZ7=kn951BnLbJKKLKkzXaeGEnME1P=rBsczFumf3S7=3MjA@mail.gmail.com> (raw)
In-Reply-To: <d204aaea-ca46-49c2-f7cd-6f20889cecbf@gmail.com>

On Sat, May 9, 2020 at 4:06 PM bauen1 <j2468h@googlemail.com> wrote:
>
> sobject will crash if access to the binary policy is prohibited by
> selinux, e.g. refpolicy
> this also breaks file operations that don't require seobject.
>
> Signed-off-by: bauen1 <j2468h@gmail.com>

Hello,
This patch looks very hackish. In fact, an underlying issue that
exists with seobject is that "import seobject" raises an exception
when it is used from an environment that is not allowed to read the
policy:

>>> import seobject
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.8/site-packages/seobject.py", line 33, in <module>
    import sepolicy
  File "/usr/lib/python3.8/site-packages/sepolicy/__init__.py", line
186, in <module>
    raise e
  File "/usr/lib/python3.8/site-packages/sepolicy/__init__.py", line
182, in <module>
    policy_file = get_installed_policy()
  File "/usr/lib/python3.8/site-packages/sepolicy/__init__.py", line
137, in get_installed_policy
    raise ValueError(_("No SELinux Policy installed"))
ValueError: No SELinux Policy installed

Is this the issue you encountered when you write "seobject will crash"?

In my humble opinion, trying to hide such an issue by moving "import
seobject" makes maintaining the project more difficult. I would prefer
seeing a way to allow using "import seobject" without raising
exceptions, but working on this is unfortunately quite time-consuming
(I have not seen a straightforward way to deal with this, and there
exist several ways to solve this in not-very-direct ways, for example
with lazy loading of the policy when needed or with replacing some API
with stub functions if the policy cannot be loaded).

Therefore I will not ack this patch, but I will not block ("Nack") it
if another maintainer wants to include it.

Thanks,
Nicolas

> ---
>  python/chcat/chcat | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/python/chcat/chcat b/python/chcat/chcat
> index fdd2e46e..55408577 100755
> --- a/python/chcat/chcat
> +++ b/python/chcat/chcat
> @@ -28,7 +28,6 @@ import os
>  import pwd
>  import getopt
>  import selinux
> -import seobject
>
>  PROGNAME = "policycoreutils"
>  try:
> @@ -65,6 +64,7 @@ def verify_users(users):
>
>
>  def chcat_user_add(newcat, users):
> +    import seobject
>      errors = 0
>      logins = seobject.loginRecords()
>      seusers = logins.get_all()
> @@ -144,6 +144,7 @@ def chcat_add(orig, newcat, objects, login_ind):
>
>
>  def chcat_user_remove(newcat, users):
> +    import seobject
>      errors = 0
>      logins = seobject.loginRecords()
>      seusers = logins.get_all()
> @@ -233,6 +234,7 @@ def chcat_remove(orig, newcat, objects, login_ind):
>
>
>  def chcat_user_replace(newcat, users):
> +    import seobject
>      errors = 0
>      logins = seobject.loginRecords()
>      seusers = logins.get_all()
> @@ -376,6 +378,7 @@ def listcats():
>
>
>  def listusercats(users):
> +    import seobject
>      if len(users) == 0:
>          try:
>              users.append(os.getlogin())
> --
> 2.26.2
>