selinux.vger.kernel.org archive mirror
* Fix alias handling in sepolicy and semanage
@ 2018-10-16 10:05 Vit Mojzis
  2018-10-16 10:05 ` [PATCH 1/3] python/sepolicy: Fix "info" to search aliases as well Vit Mojzis
                   ` (2 more replies)
  0 siblings, 3 replies; 15+ messages in thread
From: Vit Mojzis @ 2018-10-16 10:05 UTC
  To: selinux

Sepolicy and semanage do not work with aliases properly (aliases are 
mostly treated as invalid types). Fix this by determining corresponding
type when an alias is used and working with the type instead.

python/semanage/seobject.py          | 21 ++++++++++-----------
python/sepolicy/sepolicy.py          |  8 +++-----
python/sepolicy/sepolicy/__init__.py | 22 ++++++++++++++++++----
3 files changed, 31 insertions(+), 20 deletions(-)




* [PATCH 1/3] python/sepolicy: Fix "info" to search aliases as well
  2018-10-16 10:05 Fix alias handling in sepolicy and semanage Vit Mojzis
@ 2018-10-16 10:05 ` Vit Mojzis
  2018-10-16 10:05 ` [PATCH 2/3] python/sepolicy: Stop rejecting aliases in sepolicy commands Vit Mojzis
  2018-10-16 10:05 ` [PATCH 3/3] python/semanage: Stop rejecting aliases in semanage commands Vit Mojzis
  2 siblings, 0 replies; 15+ messages in thread
From: Vit Mojzis @ 2018-10-16 10:05 UTC
  To: selinux

Restore previous behaviour of "sepolicy.info()".

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 python/sepolicy/sepolicy/__init__.py | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 5d0535b9..8484b28c 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -168,15 +168,21 @@ except ValueError as e:
 def info(setype, name=None):
     if setype == TYPE:
         q = setools.TypeQuery(_pol)
-        if name:
-            q.name = name
+        q.name = name
+        results = list(q.results())
+
+        if name and len(results) < 1:
+            #type not found, try alias
+            q.name = None
+            q.alias = name
+            results = list(q.results())
 
         return ({
             'aliases': list(map(str, x.aliases())),
             'name': str(x),
             'permissive': bool(x.ispermissive),
             'attributes': list(map(str, x.attributes()))
-        } for x in q.results())
+        } for x in results)
 
     elif setype == ROLE:
         q = setools.RoleQuery(_pol)
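Review bot: `q.name = name` is now assigned unconditionally, so the default `name=None` (and an empty string) is handed to the query where the old code skipped the assignment. Either keep the `if name:` guard around it or add a comment saying that a false-y name is meant as "no filter". The comment `#type not found, try alias` wants a space after `#`, and the commit message should name the change whose behaviour is being restored.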
-- 
2.17.1



* [PATCH 2/3] python/sepolicy: Stop rejecting aliases in sepolicy commands
  2018-10-16 10:05 Fix alias handling in sepolicy and semanage Vit Mojzis
  2018-10-16 10:05 ` [PATCH 1/3] python/sepolicy: Fix "info" to search aliases as well Vit Mojzis
@ 2018-10-16 10:05 ` Vit Mojzis
  2018-10-21  9:10   ` Nicolas Iooss
  2018-10-16 10:05 ` [PATCH 3/3] python/semanage: Stop rejecting aliases in semanage commands Vit Mojzis
  2 siblings, 1 reply; 15+ messages in thread
From: Vit Mojzis @ 2018-10-16 10:05 UTC
  To: selinux

Fix CheckDomain and CheckPortType classes to properly deal with aliases.

Resolves:
   https://bugzilla.redhat.com/show_bug.cgi?id=1600009

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 python/sepolicy/sepolicy.py          |  8 +++-----
 python/sepolicy/sepolicy/__init__.py | 10 +++++++++-
 2 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index a000c1ad..01380fbe 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -60,8 +60,6 @@ class CheckPath(argparse.Action):
 class CheckType(argparse.Action):
 
     def __call__(self, parser, namespace, values, option_string=None):
-        domains = sepolicy.get_all_domains()
-
         if isinstance(values, str):
             setattr(namespace, self.dest, values)
         else:
@@ -103,7 +101,7 @@ class CheckDomain(argparse.Action):
         domains = sepolicy.get_all_domains()
 
         if isinstance(values, str):
-            if values not in domains:
+            if sepolicy.get_real_type_name(values) not in domains:
                 raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
             setattr(namespace, self.dest, values)
         else:
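Review bot: in the `isinstance(values, str)` branch the alias is resolved only for the membership test, and `setattr(namespace, self.dest, values)` then stores the name exactly as typed, so everything downstream still receives the alias. Resolve once into a local, test that, and store the resolved name (the same applies to `newval.append(v)` in the list branch), or state in the commit message that passing the alias through is intended.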
@@ -112,7 +110,7 @@ class CheckDomain(argparse.Action):
                 newval = []
 
             for v in values:
-                if v not in domains:
+                if sepolicy.get_real_type_name(v) not in domains:
                     raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
                 newval.append(v)
             setattr(namespace, self.dest, newval)
@@ -167,7 +165,7 @@ class CheckPortType(argparse.Action):
         if not newval:
             newval = []
         for v in values:
-            if v not in port_types:
+            if sepolicy.get_real_type_name(v) not in port_types:
                 raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
             newval.append(v)
         setattr(namespace, self.dest, values)
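Review bot: the context line after this loop, `setattr(namespace, self.dest, values)`, stores `values` rather than the `newval` list the loop builds, so whatever was already accumulated in `newval` is dropped. Since the loop is being touched anyway, store `newval` here as CheckDomain does in the hunk above.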
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 8484b28c..0da3917b 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -447,6 +447,14 @@ def get_file_types(setype):
     return mpaths
 
 
+# determine if entered type is an alias
+# and return corresponding type name
+def get_real_type_name(name):
+    try:
+        return next(info(TYPE, name))["name"]
+    except (RuntimeError, StopIteration):
+        return None
+
 def get_writable_files(setype):
     file_types = get_all_file_types()
     all_writes = []
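Review bot: `get_real_type_name` hands an empty or `None` `name` straight to `info(TYPE, name)`; if `info()` treats a false-y name as "no filter" (patch 1/3 assigns `q.name = name` unguarded), `next()` returns whichever type comes first instead of `None`. Add an early `if not name: return None`. The two `#` lines would read better as a docstring listing the three outcomes (type, alias, neither), and only one blank line is left before `def get_writable_files` where top-level definitions take two.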
@@ -1061,7 +1069,7 @@ def gen_short_name(setype):
         domainname = setype[:-2]
     else:
         domainname = setype
-    if domainname + "_t" not in all_domains:
+    if get_real_type_name(domainname + "_t") not in all_domains:
         raise ValueError("domain %s_t does not exist" % domainname)
     if domainname[-1] == 'd':
         short_name = domainname[:-1] + "_"
-- 
2.17.1



* [PATCH 3/3] python/semanage: Stop rejecting aliases in semanage commands
  2018-10-16 10:05 Fix alias handling in sepolicy and semanage Vit Mojzis
  2018-10-16 10:05 ` [PATCH 1/3] python/sepolicy: Fix "info" to search aliases as well Vit Mojzis
  2018-10-16 10:05 ` [PATCH 2/3] python/sepolicy: Stop rejecting aliases in sepolicy commands Vit Mojzis
@ 2018-10-16 10:05 ` Vit Mojzis
  2 siblings, 0 replies; 15+ messages in thread
From: Vit Mojzis @ 2018-10-16 10:05 UTC
  To: selinux

Resolves:

# semanage fcontext -a -t svirt_sandbox_file_t /pokus
ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type
# semanage fcontext -d -t svirt_sandbox_file_t /pokus
ValueError: File context for /pokus is not defined

# seinfo -tsvirt_sandbox_file_t -x
   TypeName container_file_t
   Aliases
      svirt_sandbox_file_t
      svirt_lxc_file_t

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 python/semanage/seobject.py | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)

diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index c1467185..5d34cdbe 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -1081,7 +1081,7 @@ class portRecords(semanageRecords):
         if type == "":
             raise ValueError(_("Type is required"))
 
-        if type not in self.valid_types:
+        if sepolicy.get_real_type_name(type) not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a port type") % type)
 
         (k, proto_d, low, high) = self.__genkey(port, proto)
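Review bot: `sepolicy.get_real_type_name(type)` is called only inside the membership test and its result is thrown away, so the rest of the method keeps working with the alias string in `type`. Assign the resolved name to a local and use that from here on, so the check and whatever is written afterwards agree on the real type name; the same pattern repeats in every `__add`/`__modify` hunk of this patch.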
@@ -1145,7 +1145,7 @@ class portRecords(semanageRecords):
             else:
                 raise ValueError(_("Requires setype"))
 
-        if setype and setype not in self.valid_types:
+        if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a port type") % setype)
 
         (k, proto_d, low, high) = self.__genkey(port, proto)
@@ -1349,7 +1349,7 @@ class ibpkeyRecords(semanageRecords):
         if type == "":
             raise ValueError(_("Type is required"))
 
-        if type not in self.valid_types:
+        if sepolicy.get_real_type_name(type) not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
 
         (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
@@ -1411,7 +1411,7 @@ class ibpkeyRecords(semanageRecords):
             else:
                 raise ValueError(_("Requires setype"))
 
-        if setype and setype not in self.valid_types:
+        if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
 
         (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
@@ -1597,7 +1597,7 @@ class ibendportRecords(semanageRecords):
         if type == "":
             raise ValueError(_("Type is required"))
 
-        if type not in self.valid_types:
+        if sepolicy.get_real_type_name(type) not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
         (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
 
@@ -1658,7 +1658,7 @@ class ibendportRecords(semanageRecords):
             else:
                 raise ValueError(_("Requires setype"))
 
-        if setype and setype not in self.valid_types:
+        if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
 
         (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
@@ -1847,7 +1847,7 @@ class nodeRecords(semanageRecords):
         if ctype == "":
             raise ValueError(_("SELinux node type is required"))
 
-        if ctype not in self.valid_types:
+        if sepolicy.get_real_type_name(ctype) not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
 
         (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
@@ -1916,7 +1916,7 @@ class nodeRecords(semanageRecords):
         if serange == "" and setype == "":
             raise ValueError(_("Requires setype or serange"))
 
-        if setype and setype not in self.valid_types:
+        if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a node type") % setype)
 
         (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
@@ -2235,7 +2235,6 @@ class fcontextRecords(semanageRecords):
     try:
         valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "file_type"))[0]["types"])
         valid_types += list(list(sepolicy.info(sepolicy.ATTRIBUTE, "device_node"))[0]["types"])
-        valid_types.append("<<none>>")
     except RuntimeError:
         valid_types = []
 
@@ -2363,7 +2362,7 @@ class fcontextRecords(semanageRecords):
         if type == "":
             raise ValueError(_("SELinux Type is required"))
 
-        if type not in self.valid_types:
+        if type != "<<none>>" and sepolicy.get_real_type_name(type) not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
 
         (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
@@ -2426,7 +2425,7 @@ class fcontextRecords(semanageRecords):
     def __modify(self, target, setype, ftype, serange, seuser):
         if serange == "" and setype == "" and seuser == "":
             raise ValueError(_("Requires setype, serange or seuser"))
-        if setype and setype not in self.valid_types:
+        if setype not in ["",  "<<none>>"] and sepolicy.get_real_type_name(setype) not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
 
         self.validate(target)
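Review bot: the new condition `setype not in ["",  "<<none>>"]` no longer short-circuits for `setype=None`, which the old `if setype and ...` did, so `None` now reaches `get_real_type_name()` and the outcome depends on what that returns for it. Keep the truthiness test, for example `if setype and setype != "<<none>>" and ...`, which also matches the form used in the `__add` hunk above and removes the double space in the list literal.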
-- 
2.17.1



* Re: [PATCH 2/3] python/sepolicy: Stop rejecting aliases in sepolicy commands
  2018-10-16 10:05 ` [PATCH 2/3] python/sepolicy: Stop rejecting aliases in sepolicy commands Vit Mojzis
@ 2018-10-21  9:10   ` Nicolas Iooss
  2018-10-21  9:20     ` Nicolas Iooss
  0 siblings, 1 reply; 15+ messages in thread
From: Nicolas Iooss @ 2018-10-21  9:10 UTC
  To: Vit Mojzis; +Cc: selinux

On Tue, Oct 16, 2018 at 12:05 PM Vit Mojzis <vmojzis@redhat.com> wrote:
>
> Fix CheckDomain and CheckPortType classes to properly deal with aliases.
>
> Resolves:
>    https://bugzilla.redhat.com/show_bug.cgi?id=1600009
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> ---
>  python/sepolicy/sepolicy.py          |  8 +++-----
>  python/sepolicy/sepolicy/__init__.py | 10 +++++++++-
>  2 files changed, 12 insertions(+), 6 deletions(-)
>
[...]
> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> index 8484b28c..0da3917b 100644
> --- a/python/sepolicy/sepolicy/__init__.py
> +++ b/python/sepolicy/sepolicy/__init__.py
> @@ -447,6 +447,14 @@ def get_file_types(setype):
>      return mpaths
>
>
> +# determine if entered type is an alias
> +# and return corresponding type name
> +def get_real_type_name(name):
> +    try:
> +        return next(info(TYPE, name))["name"]
> +    except (RuntimeError, StopIteration):
> +        return None
> +

When I first read the function comment, I did not understand whether
the returned value was a kind of SELinux type (like something which
would say "a file type", "a port type") or the SELinux type which is
aliased. It is the second interpretation which is implemented.
Moreover, this comment seems to be better in a function docstring. I
suggest changing this into the following:

def get_real_type_name(name):
    """Return the real name of a type:

    * If 'name' refers to a type, return the same name.
    * If 'name' refers to a type alias, return the corresponding name.
    * Otherwise return None.
    """

What do you think of this suggestion?

Moreover, when is RuntimeError triggered, in the exceptions that are caught?

Thanks for your patches,
Nicolas
PS: sorry for the delay, I have been quite busy the last days.



* Re: [PATCH 2/3] python/sepolicy: Stop rejecting aliases in sepolicy commands
  2018-10-21  9:10   ` Nicolas Iooss
@ 2018-10-21  9:20     ` Nicolas Iooss
  2018-10-22 15:40       ` Vit Mojzis
  2018-10-22 15:43       ` Vit Mojzis
  0 siblings, 2 replies; 15+ messages in thread
From: Nicolas Iooss @ 2018-10-21  9:20 UTC
  To: Vit Mojzis; +Cc: selinux

On Sun, Oct 21, 2018 at 11:10 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Tue, Oct 16, 2018 at 12:05 PM Vit Mojzis <vmojzis@redhat.com> wrote:
> >
> > Fix CheckDomain and CheckPortType classes to properly deal with aliases.
> >
> > Resolves:
> >    https://bugzilla.redhat.com/show_bug.cgi?id=1600009
> >
> > Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> > ---
> >  python/sepolicy/sepolicy.py          |  8 +++-----
> >  python/sepolicy/sepolicy/__init__.py | 10 +++++++++-
> >  2 files changed, 12 insertions(+), 6 deletions(-)
> >
> [...]
> > diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> > index 8484b28c..0da3917b 100644
> > --- a/python/sepolicy/sepolicy/__init__.py
> > +++ b/python/sepolicy/sepolicy/__init__.py
> > @@ -447,6 +447,14 @@ def get_file_types(setype):
> >      return mpaths
> >
> >
> > +# determine if entered type is an alias
> > +# and return corresponding type name
> > +def get_real_type_name(name):
> > +    try:
> > +        return next(info(TYPE, name))["name"]
> > +    except (RuntimeError, StopIteration):
> > +        return None
> > +
>
> When I first read the function comment, I did not understand whether
> the returned value was a kind of SELinux type (like something which
> would say "a file type", "a port type") or the SELinux type which is
> aliased. It is the second interpretation which is implemented.
> Moreover, this comment seems to be better in a function docstring. I
> suggest changing this into the following:
>
> def get_real_type_name(name):
>     """Return the real name of a type:
>
>     * If 'name' refers to a type, return the same name.
>     * If 'name' refers to a type alias, return the corresponding name.
>     * Otherwise return None.
>     """
>
> What do you think of this suggestion?
>
> Moreover, when is RuntimeError triggered, in the exception that are caught?

Also, if name is empty, sepolicy.info(TYPE, name) returns all
available types, so get_real_type_name("") returns the first type in
the list of types defined in the policy. I saw that your patches use
"if setype and sepolicy.get_real_type_name(setype) not in
self.valid_types" in many places (which looks good). To increase the
robustness of the Python code, I would also add a test in
get_real_type_name as well, like:

    if not name:
        return None

Nicolas
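
The empty-name case raised in the reply above, as an added example that is not part of the thread or of the selinux code base. `POLICY`, `info_types`, `real_type_name_v1`, `real_type_name_v2` and `is_valid` are hypothetical stand-ins for the loaded policy, `info(TYPE, name)` and the callers' membership test; it assumes, as the reply states, that an empty name applies no filter.

```python
# Constructed stand-in for a loaded policy: real type name -> aliases.
# The container_file_t aliases come from the seinfo output quoted in
# patch 3/3; the other entries are made up for the example.
POLICY = {
    "bin_t": [],
    "container_file_t": ["svirt_sandbox_file_t", "svirt_lxc_file_t"],
    "http_port_t": [],
}


def info_types(name=None):
    """Mimic info(TYPE, name) after patch 1/3: match by name, then by alias.

    Assumption: a false-y name applies no filter, so every type is yielded.
    """
    results = [t for t in POLICY if not name or t == name]
    if name and not results:
        # type not found, try alias
        results = [t for t, aliases in POLICY.items() if name in aliases]
    return ({"name": t, "aliases": list(POLICY[t])} for t in results)


def real_type_name_v1(name):
    """Resolver without a guard: an empty name reaches the lookup."""
    try:
        return next(info_types(name))["name"]
    except StopIteration:
        return None


def real_type_name_v2(name):
    """Resolver with the guard: empty input resolves to nothing."""
    if not name:
        return None
    return real_type_name_v1(name)


def is_valid(resolver, name, valid_types):
    """The membership test the callers perform on the resolved name."""
    return resolver(name) in valid_types


if __name__ == "__main__":
    file_types = {"bin_t", "container_file_t"}  # constructed valid set
    for candidate in ["container_file_t", "svirt_sandbox_file_t",
                      "http_port_t", "no_such_t", ""]:
        print("%-22r v1: %-5s v2: %s" % (
            candidate,
            is_valid(real_type_name_v1, candidate, file_types),
            is_valid(real_type_name_v2, candidate, file_types),
        ))
```

Without the guard, the empty string is accepted as a valid file type because it resolves to the first type in the policy; with the guard it is rejected even when a caller forgets its own `if setype` test.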



* Re: [PATCH 2/3] python/sepolicy: Stop rejecting aliases in sepolicy commands
  2018-10-21  9:20     ` Nicolas Iooss
@ 2018-10-22 15:40       ` Vit Mojzis
  2018-10-22 15:43       ` Vit Mojzis
  1 sibling, 0 replies; 15+ messages in thread
From: Vit Mojzis @ 2018-10-22 15:40 UTC
  To: selinux

On 21. 10. 18 11:20, Nicolas Iooss wrote:
> On Sun, Oct 21, 2018 at 11:10 AM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>>
>> On Tue, Oct 16, 2018 at 12:05 PM Vit Mojzis <vmojzis@redhat.com> wrote:
>>>
>>> Fix CheckDomain and CheckPortType classes to properly deal with aliases.
>>>
>>> Resolves:
>>>     https://bugzilla.redhat.com/show_bug.cgi?id=1600009
>>>
>>> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>>> ---
>>>   python/sepolicy/sepolicy.py          |  8 +++-----
>>>   python/sepolicy/sepolicy/__init__.py | 10 +++++++++-
>>>   2 files changed, 12 insertions(+), 6 deletions(-)
>>>
>> [...]
>>> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
>>> index 8484b28c..0da3917b 100644
>>> --- a/python/sepolicy/sepolicy/__init__.py
>>> +++ b/python/sepolicy/sepolicy/__init__.py
>>> @@ -447,6 +447,14 @@ def get_file_types(setype):
>>>       return mpaths
>>>
>>>
>>> +# determine if entered type is an alias
>>> +# and return corresponding type name
>>> +def get_real_type_name(name):
>>> +    try:
>>> +        return next(info(TYPE, name))["name"]
>>> +    except (RuntimeError, StopIteration):
>>> +        return None
>>> +
>>
>> When I first read the function comment, I did not understand whether
>> the returned value was a kind of SELinux type (like something which
>> would say "a file type", "a port type") or the SELinux type which is
>> aliased. It is the second interpretation which is implemented.
>> Moreover, this comment seems to be better in a function docstring. I
>> suggest changing this into the following:
>>
>> def get_real_type_name(name):
>>      """Return the real name of a type:
>>
>>      * If 'name' refers to a type, return the same name.
>>      * If 'name' refers to a type alias, return the corresponding name.
>>      * Otherwise return None.
>>      """
>>
>> What do you think of this suggestion?
>>
>> Moreover, when is RuntimeError triggered, in the exception that are caught?

Catching RuntimeError ensures compatibility with setools3, which
triggers this exception instead of returning empty list.

> 
> Also, if name is empty, sepolicy.info(TYPE, name) returns all
> available types, so get_real_type_name("") returns the first type in
> the list of types defined in the policy. I saw that your patches use
> "if setype and sepolicy.get_real_type_name(setype) not in
> self.valid_types" in many places (which looks good). To increase the
> robustness of the Python code, I would also add a test in
> get_real_type_name as well, like:
> 
>      if not name:
>          return None

Good point, thank you.

> 
> Nicolas
> 




* [PATCH 2/3] python/sepolicy: Stop rejecting aliases in sepolicy commands
  2018-10-21  9:20     ` Nicolas Iooss
  2018-10-22 15:40       ` Vit Mojzis
@ 2018-10-22 15:43       ` Vit Mojzis
  2018-10-22 17:53         ` Nicolas Iooss
  1 sibling, 1 reply; 15+ messages in thread
From: Vit Mojzis @ 2018-10-22 15:43 UTC
  To: selinux

Fix CheckDomain and CheckPortType classes to properly deal with aliases.

Resolves:
   https://bugzilla.redhat.com/show_bug.cgi?id=1600009

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
 python/sepolicy/sepolicy.py          |  8 +++-----
 python/sepolicy/sepolicy/__init__.py | 16 +++++++++++++++-
 2 files changed, 18 insertions(+), 6 deletions(-)

diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index a000c1ad..01380fbe 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -60,8 +60,6 @@ class CheckPath(argparse.Action):
 class CheckType(argparse.Action):
 
     def __call__(self, parser, namespace, values, option_string=None):
-        domains = sepolicy.get_all_domains()
-
         if isinstance(values, str):
             setattr(namespace, self.dest, values)
         else:
@@ -103,7 +101,7 @@ class CheckDomain(argparse.Action):
         domains = sepolicy.get_all_domains()
 
         if isinstance(values, str):
-            if values not in domains:
+            if sepolicy.get_real_type_name(values) not in domains:
                 raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
             setattr(namespace, self.dest, values)
         else:
@@ -112,7 +110,7 @@ class CheckDomain(argparse.Action):
                 newval = []
 
             for v in values:
-                if v not in domains:
+                if sepolicy.get_real_type_name(v) not in domains:
                     raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
                 newval.append(v)
             setattr(namespace, self.dest, newval)
@@ -167,7 +165,7 @@ class CheckPortType(argparse.Action):
         if not newval:
             newval = []
         for v in values:
-            if v not in port_types:
+            if sepolicy.get_real_type_name(v) not in port_types:
                 raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
             newval.append(v)
         setattr(namespace, self.dest, values)
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index 8484b28c..9ea10835 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -446,6 +446,20 @@ def get_file_types(setype):
             mpaths[f] = []
     return mpaths
 
+def get_real_type_name(name):
+    """Return the real name of a type
+
+    * If 'name' refers to a type, return the same name.
+    * If 'name' refers to a type alias, return the corresponding type name.
+    * Otherwise return None.
+    """
+    if not name:
+        return None
+
+    try:
+        return next(info(TYPE, name))["name"]
+    except (RuntimeError, StopIteration):
+        return None
 
 def get_writable_files(setype):
     file_types = get_all_file_types()
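Review bot: `except (RuntimeError, StopIteration)` needs a comment saying why `RuntimeError` is caught (per the thread, setools3 raises it instead of returning an empty list); without it the clause reads as swallowing arbitrary runtime failures. The function is also inserted with a single blank line above and below it, where top-level definitions take two.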
@@ -1061,7 +1075,7 @@ def gen_short_name(setype):
         domainname = setype[:-2]
     else:
         domainname = setype
-    if domainname + "_t" not in all_domains:
+    if get_real_type_name(domainname + "_t") not in all_domains:
         raise ValueError("domain %s_t does not exist" % domainname)
     if domainname[-1] == 'd':
         short_name = domainname[:-1] + "_"
-- 
2.17.2



* Re: [PATCH 2/3] python/sepolicy: Stop rejecting aliases in sepolicy commands
  2018-10-22 15:43       ` Vit Mojzis
@ 2018-10-22 17:53         ` Nicolas Iooss
  2018-10-23 19:23           ` Nicolas Iooss
  0 siblings, 1 reply; 15+ messages in thread
From: Nicolas Iooss @ 2018-10-22 17:53 UTC
  To: Vit Mojzis; +Cc: selinux

On Mon, Oct 22, 2018 at 5:43 PM Vit Mojzis <vmojzis@redhat.com> wrote:
>
> Fix CheckDomain and CheckPortType classes to properly deal with aliases.
>
> Resolves:
>    https://bugzilla.redhat.com/show_bug.cgi?id=1600009
>
> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> ---
>  python/sepolicy/sepolicy.py          |  8 +++-----
>  python/sepolicy/sepolicy/__init__.py | 16 +++++++++++++++-
>  2 files changed, 18 insertions(+), 6 deletions(-)
>
> diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
> index a000c1ad..01380fbe 100755
> --- a/python/sepolicy/sepolicy.py
> +++ b/python/sepolicy/sepolicy.py
> @@ -60,8 +60,6 @@ class CheckPath(argparse.Action):
>  class CheckType(argparse.Action):
>
>      def __call__(self, parser, namespace, values, option_string=None):
> -        domains = sepolicy.get_all_domains()
> -
>          if isinstance(values, str):
>              setattr(namespace, self.dest, values)
>          else:
> @@ -103,7 +101,7 @@ class CheckDomain(argparse.Action):
>          domains = sepolicy.get_all_domains()
>
>          if isinstance(values, str):
> -            if values not in domains:
> +            if sepolicy.get_real_type_name(values) not in domains:
>                  raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
>              setattr(namespace, self.dest, values)
>          else:
> @@ -112,7 +110,7 @@ class CheckDomain(argparse.Action):
>                  newval = []
>
>              for v in values:
> -                if v not in domains:
> +                if sepolicy.get_real_type_name(v) not in domains:
>                      raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
>                  newval.append(v)
>              setattr(namespace, self.dest, newval)
> @@ -167,7 +165,7 @@ class CheckPortType(argparse.Action):
>          if not newval:
>              newval = []
>          for v in values:
> -            if v not in port_types:
> +            if sepolicy.get_real_type_name(v) not in port_types:
>                  raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
>              newval.append(v)
>          setattr(namespace, self.dest, values)
> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> index 8484b28c..9ea10835 100644
> --- a/python/sepolicy/sepolicy/__init__.py
> +++ b/python/sepolicy/sepolicy/__init__.py
> @@ -446,6 +446,20 @@ def get_file_types(setype):
>              mpaths[f] = []
>      return mpaths
>
> +def get_real_type_name(name):
> +    """Return the real name of a type
> +
> +    * If 'name' refers to a type, return the same name.
> +    * If 'name' refers to a type alias, return the corresponding type name.
> +    * Otherwise return None.
> +    """
> +    if not name:
> +        return None
> +
> +    try:
> +        return next(info(TYPE, name))["name"]
> +    except (RuntimeError, StopIteration):
> +        return None
>
>  def get_writable_files(setype):
>      file_types = get_all_file_types()
> @@ -1061,7 +1075,7 @@ def gen_short_name(setype):
>          domainname = setype[:-2]
>      else:
>          domainname = setype
> -    if domainname + "_t" not in all_domains:
> +    if get_real_type_name(domainname + "_t") not in all_domains:
>          raise ValueError("domain %s_t does not exist" % domainname)
>      if domainname[-1] == 'd':
>          short_name = domainname[:-1] + "_"
> --
> 2.17.2
>
Looks good to me. I will leave others the possibility to comment and
will merge these patches tomorrow.

Thanks,
Nicolas



* Re: [PATCH 2/3] python/sepolicy: Stop rejecting aliases in sepolicy commands
  2018-10-22 17:53         ` Nicolas Iooss
@ 2018-10-23 19:23           ` Nicolas Iooss
  2018-10-30 15:26             ` Vit Mojzis
  0 siblings, 1 reply; 15+ messages in thread
From: Nicolas Iooss @ 2018-10-23 19:23 UTC
  To: Vit Mojzis; +Cc: selinux

On Mon, Oct 22, 2018 at 7:53 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
>
> On Mon, Oct 22, 2018 at 5:43 PM Vit Mojzis <vmojzis@redhat.com> wrote:
> >
> > Fix CheckDomain and CheckPortType classes to properly deal with aliases.
> >
> > Resolves:
> >    https://bugzilla.redhat.com/show_bug.cgi?id=1600009
> >
> > Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
> > ---
> >  python/sepolicy/sepolicy.py          |  8 +++-----
> >  python/sepolicy/sepolicy/__init__.py | 16 +++++++++++++++-
> >  2 files changed, 18 insertions(+), 6 deletions(-)
> >
> > diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
> > index a000c1ad..01380fbe 100755
> > --- a/python/sepolicy/sepolicy.py
> > +++ b/python/sepolicy/sepolicy.py
> > @@ -60,8 +60,6 @@ class CheckPath(argparse.Action):
> >  class CheckType(argparse.Action):
> >
> >      def __call__(self, parser, namespace, values, option_string=None):
> > -        domains = sepolicy.get_all_domains()
> > -
> >          if isinstance(values, str):
> >              setattr(namespace, self.dest, values)
> >          else:
> > @@ -103,7 +101,7 @@ class CheckDomain(argparse.Action):
> >          domains = sepolicy.get_all_domains()
> >
> >          if isinstance(values, str):
> > -            if values not in domains:
> > +            if sepolicy.get_real_type_name(values) not in domains:
> >                  raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
> >              setattr(namespace, self.dest, values)
> >          else:
> > @@ -112,7 +110,7 @@ class CheckDomain(argparse.Action):
> >                  newval = []
> >
> >              for v in values:
> > -                if v not in domains:
> > +                if sepolicy.get_real_type_name(v) not in domains:
> >                      raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
> >                  newval.append(v)
> >              setattr(namespace, self.dest, newval)
> > @@ -167,7 +165,7 @@ class CheckPortType(argparse.Action):
> >          if not newval:
> >              newval = []
> >          for v in values:
> > -            if v not in port_types:
> > +            if sepolicy.get_real_type_name(v) not in port_types:
> >                  raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
> >              newval.append(v)
> >          setattr(namespace, self.dest, values)
> > diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> > index 8484b28c..9ea10835 100644
> > --- a/python/sepolicy/sepolicy/__init__.py
> > +++ b/python/sepolicy/sepolicy/__init__.py
> > @@ -446,6 +446,20 @@ def get_file_types(setype):
> >              mpaths[f] = []
> >      return mpaths
> >
> > +def get_real_type_name(name):
> > +    """Return the real name of a type
> > +
> > +    * If 'name' refers to a type, return the same name.
> > +    * If 'name' refers to a type alias, return the corresponding type name.
> > +    * Otherwise return None.
> > +    """
> > +    if not name:
> > +        return None
> > +
> > +    try:
> > +        return next(info(TYPE, name))["name"]
> > +    except (RuntimeError, StopIteration):
> > +        return None
> >
> >  def get_writable_files(setype):
> >      file_types = get_all_file_types()
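
Review bot: The `except (RuntimeError, StopIteration)` clause in `get_real_type_name` does not say which call is expected to raise `RuntimeError`, and as written any such error is turned into None, the same result as an unknown name. Add a short comment naming the case that `RuntimeError` covers, or catch only the exception that means "not found". The new function is also separated from its neighbours by one blank line where the file previously had two between top-level functions.
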
> > @@ -1061,7 +1075,7 @@ def gen_short_name(setype):
> >          domainname = setype[:-2]
> >      else:
> >          domainname = setype
> > -    if domainname + "_t" not in all_domains:
> > +    if get_real_type_name(domainname + "_t") not in all_domains:
> >          raise ValueError("domain %s_t does not exist" % domainname)
> >      if domainname[-1] == 'd':
> >          short_name = domainname[:-1] + "_"
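
Review bot: The alias is resolved only for the existence check; `domainname` keeps the alias, so `short_name` below is derived from the alias rather than from the real domain. If the generated names are meant to follow the real type, assign the resolved name first and derive `domainname` from it before the `not in all_domains` test.
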
> > --
> > 2.17.2
> >
> Looks good to me. I will let the possibility for others to comment and
> will merge these patches tomorrow.
>
> Thanks,
> Nicolas

Merged.
Nicolas



* Re: [PATCH 2/3] python/sepolicy: Stop rejecting aliases in sepolicy commands
  2018-10-23 19:23           ` Nicolas Iooss
@ 2018-10-30 15:26             ` Vit Mojzis
  2018-10-30 15:26               ` [PATCH] python: replace aliases with corresponding type names Vit Mojzis
  0 siblings, 1 reply; 15+ messages in thread
From: Vit Mojzis @ 2018-10-30 15:26 UTC (permalink / raw)
  To: selinux

The previous patches were written for an older version of policycoreutils
and setools 3 and were not properly tested on upstream code. The
following patch is necessary for it to work properly here.
Sorry about this.

One thing that I'm not sure about is if there should be a warning when
the user enters an alias instead of a type (the output will only contain the
corresponding type and not the alias, which may be confusing).




* [PATCH] python: replace aliases with corresponding type names
  2018-10-30 15:26             ` Vit Mojzis
@ 2018-10-30 15:26               ` Vit Mojzis
  2018-11-05 20:51                 ` Nicolas Iooss
  0 siblings, 1 reply; 15+ messages in thread
From: Vit Mojzis @ 2018-10-30 15:26 UTC (permalink / raw)
  To: selinux

Aliases are not used in the selinux database. When user enters a type
alias as a parameter it should be converted to the corresponding type
in order to be processed correctly further in the userspace logic.

Fixes e.g.:

#sepolicy transition -s phpfpm_t
/* where phpfpm_t is a type alias of httpd_t */

Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 691, in <module>
    args.func(args)
  File "/usr/bin/sepolicy", line 458, in transition
    mytrans = setrans(args.source, args.target)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 48, in __init__
    self._process(self.source)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 54, in _process
    trans = _get_trans(source)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 36, in _get_trans
    src_list = [src] + list(filter(lambda x: x['name'] == src, sepolicy.get_all_types_info()))[0]['attributes']
IndexError: list index out of range
---
 python/semanage/seobject.py          | 43 ++++++++++++++++++++--------
 python/sepolicy/sepolicy.py          | 11 ++++---
 python/sepolicy/sepolicy/__init__.py | 14 ++++-----
 3 files changed, 45 insertions(+), 23 deletions(-)

diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index 5d34cdbe..c4c65621 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -1081,7 +1081,9 @@ class portRecords(semanageRecords):
         if type == "":
             raise ValueError(_("Type is required"))
 
-        if sepolicy.get_real_type_name(type) not in self.valid_types:
+        type = sepolicy.get_real_type_name(type)
+
+        if type not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a port type") % type)
 
         (k, proto_d, low, high) = self.__genkey(port, proto)
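
Review bot: After `type = sepolicy.get_real_type_name(type)` the ValueError below formats the reassigned value, so a user who passes an alias of a non-port type is told that a type they never typed is invalid. Keep the original argument for the message, or name both the alias and the resolved type.
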
@@ -1145,7 +1147,8 @@ class portRecords(semanageRecords):
             else:
                 raise ValueError(_("Requires setype"))
 
-        if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+        setype = sepolicy.get_real_type_name(setype)
+        if setype and setype not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a port type") % setype)
 
         (k, proto_d, low, high) = self.__genkey(port, proto)
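
Review bot: Here the lookup runs before the `if setype and ...` guard, so it is also called when `setype` is empty and relies on the `if not name: return name` early return in `get_real_type_name`. Moving the call inside an `if setype:` block would make this independent of the helper, and a blank line after the assignment would match the other hunks in this file.
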
@@ -1349,7 +1352,9 @@ class ibpkeyRecords(semanageRecords):
         if type == "":
             raise ValueError(_("Type is required"))
 
-        if sepolicy.get_real_type_name(type) not in self.valid_types:
+        type = sepolicy.get_real_type_name(type)
+
+        if type not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a ibpkey type") % type)
 
         (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
@@ -1411,7 +1416,9 @@ class ibpkeyRecords(semanageRecords):
             else:
                 raise ValueError(_("Requires setype"))
 
-        if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+        setype = sepolicy.get_real_type_name(setype)
+
+        if setype and setype not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a ibpkey type") % setype)
 
         (k, subnet_prefix, low, high) = self.__genkey(pkey, subnet_prefix)
@@ -1597,7 +1604,9 @@ class ibendportRecords(semanageRecords):
         if type == "":
             raise ValueError(_("Type is required"))
 
-        if sepolicy.get_real_type_name(type) not in self.valid_types:
+        type = sepolicy.get_real_type_name(type)
+
+        if type not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be an ibendport type") % type)
         (k, ibendport, port) = self.__genkey(ibendport, ibdev_name)
 
@@ -1658,7 +1667,9 @@ class ibendportRecords(semanageRecords):
             else:
                 raise ValueError(_("Requires setype"))
 
-        if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+        setype = sepolicy.get_real_type_name(setype)
+
+        if setype and setype not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be an ibendport type") % setype)
 
         (k, ibdev_name, port) = self.__genkey(ibendport, ibdev_name)
@@ -1847,7 +1858,9 @@ class nodeRecords(semanageRecords):
         if ctype == "":
             raise ValueError(_("SELinux node type is required"))
 
-        if sepolicy.get_real_type_name(ctype) not in self.valid_types:
+        ctype = sepolicy.get_real_type_name(ctype)
+
+        if ctype not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a node type") % ctype)
 
         (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
@@ -1916,7 +1929,9 @@ class nodeRecords(semanageRecords):
         if serange == "" and setype == "":
             raise ValueError(_("Requires setype or serange"))
 
-        if setype and sepolicy.get_real_type_name(setype) not in self.valid_types:
+        setype = sepolicy.get_real_type_name(setype)
+
+        if setype and setype not in self.valid_types:
             raise ValueError(_("Type %s is invalid, must be a node type") % setype)
 
         (rc, k) = semanage_node_key_create(self.sh, addr, mask, proto)
@@ -2362,8 +2377,10 @@ class fcontextRecords(semanageRecords):
         if type == "":
             raise ValueError(_("SELinux Type is required"))
 
-        if type != "<<none>>" and sepolicy.get_real_type_name(type) not in self.valid_types:
-            raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
+        if type != "<<none>>":
+            type = sepolicy.get_real_type_name(type)
+            if type not in self.valid_types:
+                raise ValueError(_("Type %s is invalid, must be a file or device type") % type)
 
         (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
         if rc < 0:
@@ -2425,8 +2442,10 @@ class fcontextRecords(semanageRecords):
     def __modify(self, target, setype, ftype, serange, seuser):
         if serange == "" and setype == "" and seuser == "":
             raise ValueError(_("Requires setype, serange or seuser"))
-        if setype not in ["",  "<<none>>"] and sepolicy.get_real_type_name(setype) not in self.valid_types:
-            raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
+        if setype not in ["",  "<<none>>"]:
+            setype = sepolicy.get_real_type_name(setype)
+            if setype not in self.valid_types:
+                raise ValueError(_("Type %s is invalid, must be a file or device type") % setype)
 
         self.validate(target)
 
diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 01380fbe..8cc7e8cc 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -101,7 +101,8 @@ class CheckDomain(argparse.Action):
         domains = sepolicy.get_all_domains()
 
         if isinstance(values, str):
-            if sepolicy.get_real_type_name(values) not in domains:
+            values = sepolicy.get_real_type_name(values)
+            if values not in domains:
                 raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (values, ", ".join(domains)))
             setattr(namespace, self.dest, values)
         else:
@@ -110,7 +111,8 @@ class CheckDomain(argparse.Action):
                 newval = []
 
             for v in values:
-                if sepolicy.get_real_type_name(v) not in domains:
+                v = sepolicy.get_real_type_name(v)
+                if v not in domains:
                     raise ValueError("%s must be an SELinux process domain:\nValid domains: %s" % (v, ", ".join(domains)))
                 newval.append(v)
             setattr(namespace, self.dest, newval)
@@ -165,10 +167,11 @@ class CheckPortType(argparse.Action):
         if not newval:
             newval = []
         for v in values:
-            if sepolicy.get_real_type_name(v) not in port_types:
+            v = sepolicy.get_real_type_name(v)
+            if v not in port_types:
                 raise ValueError("%s must be an SELinux port type:\nValid port types: %s" % (v, ", ".join(port_types)))
             newval.append(v)
-        setattr(namespace, self.dest, values)
+        setattr(namespace, self.dest, newval)
 
 
 class LoadPolicy(argparse.Action):
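
Review bot: The last change, `values` to `newval` in `setattr(namespace, self.dest, newval)`, fixes a separate bug (the list built in the loop was never stored) that the commit message does not mention. Say so in the message or split it into its own patch, so the behaviour change in CheckPortType is not hidden inside the alias conversion.
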
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index b18683e4..7db43957 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -172,7 +172,7 @@ def info(setype, name=None):
         results = list(q.results())
 
         if name and len(results) < 1:
-            # type not found, try alias
+            #type not found, try alias
             q.name = None
             q.alias = name
             results = list(q.results())
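
Review bot: The only change in this hunk removes the space after `#`, which is unrelated to alias conversion and makes the comment fail PEP 8 block-comment style (flake8 E265). Drop the hunk and keep `# type not found, try alias`.
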
@@ -450,18 +450,16 @@ def get_file_types(setype):
 def get_real_type_name(name):
     """Return the real name of a type
 
-    * If 'name' refers to a type, return the same name.
     * If 'name' refers to a type alias, return the corresponding type name.
-    * Otherwise return None.
+    * Otherwise return the original name (even if the type does not exist).
     """
     if not name:
-        return None
+        return name
 
     try:
         return next(info(TYPE, name))["name"]
     except (RuntimeError, StopIteration):
-        return None
-
+        return name
 
 def get_writable_files(setype):
     file_types = get_all_file_types()
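
Review bot: Returning `name` from the `except (RuntimeError, StopIteration)` branch means a failed lookup is indistinguishable from a real type name, so callers must keep their own membership check after every call; the ones changed in this patch do. The hunk also deletes one of the two blank lines before `def get_writable_files`, leaving a single blank line between top-level functions (flake8 E302); keep both.
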
@@ -1074,10 +1072,12 @@ def _dict_has_perms(dict, perms):
 def gen_short_name(setype):
     all_domains = get_all_domains()
     if setype.endswith("_t"):
+        #replace aliases with corresponding types
+        setype = get_real_type_name(setype)
         domainname = setype[:-2]
     else:
         domainname = setype
-    if get_real_type_name(domainname + "_t") not in all_domains:
+    if domainname + "_t" not in all_domains:
         raise ValueError("domain %s_t does not exist" % domainname)
     if domainname[-1] == 'd':
         short_name = domainname[:-1] + "_"
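
Review bot: Alias resolution now happens only in the `setype.endswith("_t")` branch; in the `else` branch `domainname` is taken as is and `domainname + "_t"` is checked without a lookup, whereas the removed line resolved it in both cases. Resolve `domainname + "_t"` in the `else` branch as well, and write the new comment as `# replace aliases with corresponding types` to satisfy flake8 E265.
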
-- 
2.17.2



* Re: [PATCH] python: replace aliases with corresponding type names
  2018-10-30 15:26               ` [PATCH] python: replace aliases with corresponding type names Vit Mojzis
@ 2018-11-05 20:51                 ` Nicolas Iooss
  2018-11-09  8:53                   ` Vit Mojzis
  0 siblings, 1 reply; 15+ messages in thread
From: Nicolas Iooss @ 2018-11-05 20:51 UTC (permalink / raw)
  To: Vit Mojzis; +Cc: selinux

On Tue, Oct 30, 2018 at 4:27 PM Vit Mojzis <vmojzis@redhat.com> wrote:
>
> Aliases are not used in the selinux database. When user enters a type
> alias as a parameter it should be converted to the corresponding type
> in order to be processed correctly further in the userspace logic.
>
> Fixes e.g.:
>
> #sepolicy transition -s phpfpm_t
> /* where phpfpm_t is a type alias of httpd_t */
>
> Traceback (most recent call last):
>   File "/usr/bin/sepolicy", line 691, in <module>
>     args.func(args)
>   File "/usr/bin/sepolicy", line 458, in transition
>     mytrans = setrans(args.source, args.target)
>   File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 48, in __init__
>     self._process(self.source)
>   File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 54, in _process
>     trans = _get_trans(source)
>   File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 36, in _get_trans
>     src_list = [src] + list(filter(lambda x: x['name'] == src, sepolicy.get_all_types_info()))[0]['attributes']
> IndexError: list index out of range
> ---
>  python/semanage/seobject.py          | 43 ++++++++++++++++++++--------
>  python/sepolicy/sepolicy.py          | 11 ++++---
>  python/sepolicy/sepolicy/__init__.py | 14 ++++-----
>  3 files changed, 45 insertions(+), 23 deletions(-)
>
[...]
> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> index b18683e4..7db43957 100644
> --- a/python/sepolicy/sepolicy/__init__.py
> +++ b/python/sepolicy/sepolicy/__init__.py
> @@ -172,7 +172,7 @@ def info(setype, name=None):
>          results = list(q.results())
>
>          if name and len(results) < 1:
> -            # type not found, try alias
> +            #type not found, try alias
>              q.name = None
>              q.alias = name
>              results = list(q.results())

Hi, your patch looks good to me, but the comments you are using do not
follow PEP-8 (https://www.python.org/dev/peps/pep-0008/#block-comments)
and raise warnings in some linters that I am using. For example,
flake8 reports:

python/sepolicy/sepolicy/__init__.py:172:13: E265 block comment should
start with '# '
python/sepolicy/sepolicy/__init__.py:1072:9: E265 block comment should
start with '# '

I would like to apply the patch with the spaces added between "#" and
the comment line. Does it suit you? Otherwise, I will submit a patch
to fix the comments after applying this patch.

Thanks,
Nicolas



* Re: [PATCH] python: replace aliases with corresponding type names
  2018-11-05 20:51                 ` Nicolas Iooss
@ 2018-11-09  8:53                   ` Vit Mojzis
  2018-11-11 20:48                     ` Nicolas Iooss
  0 siblings, 1 reply; 15+ messages in thread
From: Vit Mojzis @ 2018-11-09  8:53 UTC (permalink / raw)
  To: nicolas.iooss; +Cc: selinux


On 05. 11. 18 21:51, Nicolas Iooss wrote:
> On Tue, Oct 30, 2018 at 4:27 PM Vit Mojzis <vmojzis@redhat.com> wrote:
>> Aliases are not used in the selinux database. When user enters a type
>> alias as a parameter it should be converted to the corresponding type
>> in order to be processed correctly further in the userspace logic.
>>
>> Fixes e.g.:
>>
>> #sepolicy transition -s phpfpm_t
>> /* where phpfpm_t is a type alias of httpd_t */
>>
>> Traceback (most recent call last):
>>    File "/usr/bin/sepolicy", line 691, in <module>
>>      args.func(args)
>>    File "/usr/bin/sepolicy", line 458, in transition
>>      mytrans = setrans(args.source, args.target)
>>    File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 48, in __init__
>>      self._process(self.source)
>>    File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 54, in _process
>>      trans = _get_trans(source)
>>    File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 36, in _get_trans
>>      src_list = [src] + list(filter(lambda x: x['name'] == src, sepolicy.get_all_types_info()))[0]['attributes']
>> IndexError: list index out of range
>> ---
>>   python/semanage/seobject.py          | 43 ++++++++++++++++++++--------
>>   python/sepolicy/sepolicy.py          | 11 ++++---
>>   python/sepolicy/sepolicy/__init__.py | 14 ++++-----
>>   3 files changed, 45 insertions(+), 23 deletions(-)
>>
> [...]
>> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
>> index b18683e4..7db43957 100644
>> --- a/python/sepolicy/sepolicy/__init__.py
>> +++ b/python/sepolicy/sepolicy/__init__.py
>> @@ -172,7 +172,7 @@ def info(setype, name=None):
>>           results = list(q.results())
>>
>>           if name and len(results) < 1:
>> -            # type not found, try alias
>> +            #type not found, try alias
>>               q.name = None
>>               q.alias = name
>>               results = list(q.results())
> Hi, your patch looks good to me, but the comments you are using do not
> follow PEP-8 (https://www.python.org/dev/peps/pep-0008/#block-comments)
> and raise warnings in some linters that I am using. For example,
> flake8 reports:
>
> python/sepolicy/sepolicy/__init__.py:172:13: E265 block comment should
> start with '# '
> python/sepolicy/sepolicy/__init__.py:1072:9: E265 block comment should
> start with '# '
>
> I would like to apply the patch with the spaces added between "#" and
> the comment line. Does it suit you?


Sure, whatever needs fixing.

Thank you :)


> Otherwise, I will submit a patch
> to fix the comments after applying this patch.
>
> Thanks,
> Nicolas
>


* Re: [PATCH] python: replace aliases with corresponding type names
  2018-11-09  8:53                   ` Vit Mojzis
@ 2018-11-11 20:48                     ` Nicolas Iooss
  0 siblings, 0 replies; 15+ messages in thread
From: Nicolas Iooss @ 2018-11-11 20:48 UTC (permalink / raw)
  To: Vit Mojzis; +Cc: selinux

On Fri, Nov 9, 2018 at 9:53 AM Vit Mojzis <vmojzis@redhat.com> wrote:
>
> On 05. 11. 18 21:51, Nicolas Iooss wrote:
> > On Tue, Oct 30, 2018 at 4:27 PM Vit Mojzis <vmojzis@redhat.com> wrote:
> >> Aliases are not used in the selinux database. When user enters a type
> >> alias as a parameter it should be converted to the corresponding type
> >> in order to be processed correctly further in the userspace logic.
> >>
> >> Fixes e.g.:
> >>
> >> #sepolicy transition -s phpfpm_t
> >> /* where phpfpm_t is a type alias of httpd_t */
> >>
> >> Traceback (most recent call last):
> >>    File "/usr/bin/sepolicy", line 691, in <module>
> >>      args.func(args)
> >>    File "/usr/bin/sepolicy", line 458, in transition
> >>      mytrans = setrans(args.source, args.target)
> >>    File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 48, in __init__
> >>      self._process(self.source)
> >>    File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 54, in _process
> >>      trans = _get_trans(source)
> >>    File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 36, in _get_trans
> >>      src_list = [src] + list(filter(lambda x: x['name'] == src, sepolicy.get_all_types_info()))[0]['attributes']
> >> IndexError: list index out of range
> >> ---
> >>   python/semanage/seobject.py          | 43 ++++++++++++++++++++--------
> >>   python/sepolicy/sepolicy.py          | 11 ++++---
> >>   python/sepolicy/sepolicy/__init__.py | 14 ++++-----
> >>   3 files changed, 45 insertions(+), 23 deletions(-)
> >>
> > [...]
> >> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> >> index b18683e4..7db43957 100644
> >> --- a/python/sepolicy/sepolicy/__init__.py
> >> +++ b/python/sepolicy/sepolicy/__init__.py
> >> @@ -172,7 +172,7 @@ def info(setype, name=None):
> >>           results = list(q.results())
> >>
> >>           if name and len(results) < 1:
> >> -            # type not found, try alias
> >> +            #type not found, try alias
> >>               q.name = None
> >>               q.alias = name
> >>               results = list(q.results())
> > Hi, your patch looks good to me, but the comments you are using do not
> > follow PEP-8 (https://www.python.org/dev/peps/pep-0008/#block-comments)
> > and raise warnings in some linters that I am using. For example,
> > flake8 reports:
> >
> > python/sepolicy/sepolicy/__init__.py:172:13: E265 block comment should
> > start with '# '
> > python/sepolicy/sepolicy/__init__.py:1072:9: E265 block comment should
> > start with '# '
> >
> > I would like to apply the patch with the spaces added between "#" and
> > the comment line. Does it suit you?
>
>
> Sure, whatever needs fixing.
>
> Thank you :)

All right, I merged this patch. Thanks!
Nicolas



Thread overview: 15+ messages
2018-10-16 10:05 Fix alias handling in sepolicy and semanage Vit Mojzis
2018-10-16 10:05 ` [PATCH 1/3] python/sepolicy: Fix "info" to search aliases as well Vit Mojzis
2018-10-16 10:05 ` [PATCH 2/3] python/sepolicy: Stop rejecting aliases in sepolicy commands Vit Mojzis
2018-10-21  9:10   ` Nicolas Iooss
2018-10-21  9:20     ` Nicolas Iooss
2018-10-22 15:40       ` Vit Mojzis
2018-10-22 15:43       ` Vit Mojzis
2018-10-22 17:53         ` Nicolas Iooss
2018-10-23 19:23           ` Nicolas Iooss
2018-10-30 15:26             ` Vit Mojzis
2018-10-30 15:26               ` [PATCH] python: replace aliases with corresponding type names Vit Mojzis
2018-11-05 20:51                 ` Nicolas Iooss
2018-11-09  8:53                   ` Vit Mojzis
2018-11-11 20:48                     ` Nicolas Iooss
2018-10-16 10:05 ` [PATCH 3/3] python/semanage: Stop rejecting aliases in semanage commands Vit Mojzis
