selinux.vger.kernel.org archive mirror
From: Nicolas Iooss <nicolas.iooss@m4x.org>
To: Vit Mojzis <vmojzis@redhat.com>
Cc: selinux <selinux@tycho.nsa.gov>
Subject: Re: [PATCH 1/1] python/sepolicy: fix compatibility with setools 4.2.0
Date: Fri, 21 Sep 2018 21:52:05 +0200
Message-ID: <CAJfZ7==sczRmbFRVnLhQyNsQ=nQXEJwWUELZgpJANqxr-3J+eA@mail.gmail.com>
In-Reply-To: <e3e0ae6a-4433-5b66-6410-f25f010a69f3@redhat.com>

On Thu, Sep 20, 2018 at 9:48 AM Vit Mojzis <vmojzis@redhat.com> wrote:
>
>
> On 19/09/2018 22:51, Nicolas Iooss wrote:
> > When testing sepolicy gui with setools 4.2.0-beta, the following error
> > happened:
> >
> >        File "python/sepolicy/sepolicy/__init__.py", line 277, in _setools_rule_to_dict
> >          if isinstance(rule, setools.policyrep.terule.AVRule):
> >      AttributeError: module 'setools.policyrep' has no attribute 'terule'
> >
> > This is due to a reorganization of files in setools 4.2. After reporting
> > the issue on https://github.com/SELinuxProject/setools/issues/8 , it
> > appears that sepolicy has not been using setools API properly. Fix this
> > by:
> > * replacing exception types internal to setools with AttributeError, as
> >    they all inherit from it ;
> > * using rule.conditional.evaluate(...) in order to find out whether a
> >    conditional rule is enabled, instead of relying on
> >    rule.qpol_symbol.is_enabled() (which disappeared).
> >
> > This last point required knowing the states of the booleans in the
> > policy. As sepolicy already retrieves all boolean states in
> > get_all_bools(), put them in a dict which can be used by
> > rule.conditional.evaluate().
> >
> > This code has been tested with setools 4.1.1 and setools 4.2.0-beta.
> >
> > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> > ---
> >   python/sepolicy/sepolicy/__init__.py | 30 +++++++++++++++++++---------
> >   1 file changed, 21 insertions(+), 9 deletions(-)
> >
> > diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> > index 89346aba0b15..ed6dfea9718a 100644
> > --- a/python/sepolicy/sepolicy/__init__.py
> > +++ b/python/sepolicy/sepolicy/__init__.py
> > @@ -112,6 +112,7 @@ login_mappings = None
> >   file_types = None
> >   port_types = None
> >   bools = None
> > +bools_dict = None
> >   all_attributes = None
> >   booleans = None
> >   booleans_dict = None
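
Review bot: the new module global `bools_dict` is declared two lines above the existing `booleans_dict`, and the two names differ only by abbreviation, so it is easy to reach for the wrong one later. Add a one-line comment at the declaration saying what it caches (per the commit message, the boolean states collected by get_all_bools()), or pick a name that says so, for example `bool_states`.
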
> > @@ -134,6 +135,7 @@ def policy(policy_file):
> >       global all_domains
> >       global all_attributes
> >       global bools
> > +    global bools_dict
> >       global all_types
> >       global role_allows
> >       global users
> > @@ -143,6 +145,7 @@ def policy(policy_file):
> >       all_domains = None
> >       all_attributes = None
> >       bools = None
> > +    bools_dict = None
> >       all_types = None
> >       role_allows = None
> >       users = None
> > @@ -272,34 +275,35 @@ def _setools_rule_to_dict(rule):
> >           'class': str(rule.tclass),
> >       }
> >
> > +    # Evaluate the boolean condition if it is a conditional rule.
> > +    # In order to do this, extract the booleans which are used in the condition first.
> >       try:
> > -        enabled = bool(rule.qpol_symbol.is_enabled(rule.policy))
> > +        all_bools = get_all_bools_as_dict()
> > +        used_bools = dict((str(name), all_bools[name]) for name in rule.conditional.booleans)
> > +        enabled = rule.conditional.evaluate(**used_bools) == rule.conditional_block
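
Review bot: in the new `try:` body, `all_bools[name]` indexes the dict with the object taken from `rule.conditional.booleans`, while the key built in the same expression is `str(name)`; if get_all_bools_as_dict() keys its result by name string, the lookup should be `all_bools[str(name)]`, otherwise it relies on the setools object hashing and comparing equal to a str. The call to get_all_bools_as_dict() also sits inside the `try:`, so an AttributeError raised while building that dict would be treated like a rule that has no conditional (the commit message says the handlers now catch AttributeError; the except clause is cut off in this quote). Hoist the call above the `try:` and keep only the `rule.conditional` accesses inside it.
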
>
>
> Thank you for the patch, I've just been testing my version (almost
> identical except for this block).
> Why don't you get the boolean state directly from the booleans inside
> the conditional?

Thanks for your review. I missed that "boolean.state" was available
when looking for a way to replace rule.qpol_symbol.is_enabled(), as it
does not appear in "repr(boolean)". If you send your patch, I will
accept it. Otherwise I will send a v2 that will most likely be exactly
like your version. How do you want to proceed?

By the way, I have tested that boolean.state is available in both
setools 4.1.1 and setools 4.2.0-beta.

Nicolas

Thread overview: 4+ messages
2018-09-19 20:51 [PATCH 1/1] python/sepolicy: fix compatibility with setools 4.2.0 Nicolas Iooss
2018-09-20  7:47 ` Vit Mojzis
2018-09-21 19:52   ` Nicolas Iooss [this message]
2018-09-24  9:05     ` [PATCH] python/sepolicy: Update to work with setools-4.2.0 Vit Mojzis
