* [PATCH] sepolicy: Do not try to load policy on import
@ 2021-02-23 15:03 Petr Lautrbach
  2021-02-28  8:33 ` Nicolas Iooss
  0 siblings, 1 reply; 2+ messages in thread
From: Petr Lautrbach @ 2021-02-23 15:03 UTC (permalink / raw)
  To: selinux; +Cc: Petr Lautrbach

When a policy is inaccessible, scripts fail right at "import sepolicy". With
this change we let the "sepolicy" module import and move the policy
initialization to just before it's used for the first time.

Fixes:
    >>> import seobject
    Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy
        _pol = setools.SELinuxPolicy(policy_file)
      File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__
      File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy
    PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module>
        import sepolicy
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module>
        raise e
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module>
        policy(policy_file)
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy
        raise ValueError(_("Failed to read %s policy file") % policy_file)
    ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---

It's based on review from https://lore.kernel.org/selinux/CAEjxPJ5gK_DdNxpjMq8tvvhkq1hxsoE5vTNZAa=hiP-6s=an8Q@mail.gmail.com/T/#m88ed2c2522a5b3907b607fdf08fde5dbf8d48571


 python/sepolicy/sepolicy/__init__.py | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index e4540977d042..7309875c7e27 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -178,15 +178,15 @@ def load_store_policy(store):
         return None
     policy(policy_file)
 
-try:
+def init_policy():
     policy_file = get_installed_policy()
     policy(policy_file)
-except ValueError as e:
-    if selinux.is_selinux_enabled() == 1:
-        raise e
-
 
 def info(setype, name=None):
+    global _pol
+    if not _pol:
+        init_policy()
+
     if setype == TYPE:
         q = setools.TypeQuery(_pol)
         q.name = name
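Review bot: the new lazy-init guards use `if not _pol:`, which tests the truthiness of a `setools.SELinuxPolicy` object rather than whether one has been loaded; `if _pol is None:` states the intent and does not depend on the policy class defining `__bool__` or `__len__`. Two smaller points in this hunk: removing the `-` blank line leaves only one blank line between `init_policy()` and `def info(...)` where PEP 8 wants two, and dropping the `except ValueError` / `selinux.is_selinux_enabled() == 1` branch means a read failure is no longer swallowed on a system with SELinux disabled but surfaces as a `ValueError` from the first query, which is worth stating in the commit message.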
@@ -337,6 +337,9 @@ def _setools_rule_to_dict(rule):
 
 
 def search(types, seinfo=None):
+    global _pol
+    if not _pol:
+        init_policy()
     if not seinfo:
         seinfo = {}
     valid_types = set([ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW])
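Review bot: this is the second copy of the same three-line `global _pol` / `if not _pol:` / `init_policy()` block, and a third follows in `get_all_roles()`; making `init_policy()` return early when `_pol` is already set, or adding a small `_ensure_policy()` helper, reduces each call site to one line so a future reader of `_pol` cannot forget the guard. The `global _pol` statement is a no-op here because `search()` only reads `_pol` (the assignment happens inside `policy()`, line 171 in the traceback), and unlike the other two sites the block is not followed by a blank line before `if not seinfo:`.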
@@ -916,6 +919,10 @@ def get_all_roles():
     if roles:
         return roles
 
+    global _pol
+    if not _pol:
+        init_policy()
+
     q = setools.RoleQuery(_pol)
     roles = [str(x) for x in q.results() if str(x) != "object_r"]
     return roles
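Review bot: placing the guard after the `if roles: return roles` early return is right, since a cached result should not need the policy file at all, but consider what happens when `init_policy()` fails: `policy()` raises `ValueError` before assigning `_pol` (line 171 in the traceback), so `_pol` stays `None` and every later call to `get_all_roles()`, `info()` or `search()` reopens and retries the policy file. If that retry is intended (permissions may be fixed later) a one-line comment should say so; otherwise remember the failure so callers get a consistent error without re-reading the file each time.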
-- 
2.30.1



* Re: [PATCH] sepolicy: Do not try to load policy on import
  2021-02-23 15:03 [PATCH] sepolicy: Do not try to load policy on import Petr Lautrbach
@ 2021-02-28  8:33 ` Nicolas Iooss
  0 siblings, 0 replies; 2+ messages in thread
From: Nicolas Iooss @ 2021-02-28  8:33 UTC (permalink / raw)
  To: Petr Lautrbach; +Cc: SElinux list

On Tue, Feb 23, 2021 at 4:06 PM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> When a policy is inaccessible, scripts fail right at "import sepolicy". With
> this change we let the "sepolicy" module import and move the policy
> initialization to just before it's used for the first time.
>
> Fixes:
>     >>> import seobject
>     Traceback (most recent call last):
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy
>         _pol = setools.SELinuxPolicy(policy_file)
>       File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__
>       File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy
>     PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33'
>
>     During handling of the above exception, another exception occurred:
>
>     Traceback (most recent call last):
>       File "<stdin>", line 1, in <module>
>       File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module>
>         import sepolicy
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module>
>         raise e
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module>
>         policy(policy_file)
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy
>         raise ValueError(_("Failed to read %s policy file") % policy_file)
>     ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file
>
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
>
> It's based on review from https://lore.kernel.org/selinux/CAEjxPJ5gK_DdNxpjMq8tvvhkq1hxsoE5vTNZAa=hiP-6s=an8Q@mail.gmail.com/T/#m88ed2c2522a5b3907b607fdf08fde5dbf8d48571

Many thanks!! I have been thinking about this issue for quite some
time and your patch fixes it nicely :) Actually "global _pol"
statements are not required, because _pol is only read in the modified
functions, but they make the code more readable (in my humble opinion)
so I think it is better to introduce them anyway.

Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>

And I directly merged it. Thanks!
Nicolas

>  python/sepolicy/sepolicy/__init__.py | 17 ++++++++++++-----
>  1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> index e4540977d042..7309875c7e27 100644
> --- a/python/sepolicy/sepolicy/__init__.py
> +++ b/python/sepolicy/sepolicy/__init__.py
> @@ -178,15 +178,15 @@ def load_store_policy(store):
>          return None
>      policy(policy_file)
>
> -try:
> +def init_policy():
>      policy_file = get_installed_policy()
>      policy(policy_file)
> -except ValueError as e:
> -    if selinux.is_selinux_enabled() == 1:
> -        raise e
> -
>
>  def info(setype, name=None):
> +    global _pol
> +    if not _pol:
> +        init_policy()
> +
>      if setype == TYPE:
>          q = setools.TypeQuery(_pol)
>          q.name = name
> @@ -337,6 +337,9 @@ def _setools_rule_to_dict(rule):
>
>
>  def search(types, seinfo=None):
> +    global _pol
> +    if not _pol:
> +        init_policy()
>      if not seinfo:
>          seinfo = {}
>      valid_types = set([ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW])
> @@ -916,6 +919,10 @@ def get_all_roles():
>      if roles:
>          return roles
>
> +    global _pol
> +    if not _pol:
> +        init_policy()
> +
>      q = setools.RoleQuery(_pol)
>      roles = [str(x) for x in q.results() if str(x) != "object_r"]
>      return roles
> --
> 2.30.1
>


