selinux.vger.kernel.org archive mirror
From: Vit Mojzis <vmojzis@redhat.com>
To: selinux@tycho.nsa.gov
Subject: Re: [PATCH 1/1] python/sepolicy: fix compatibility with setools 4.2.0
Date: Thu, 20 Sep 2018 09:47:24 +0200
Message-ID: <e3e0ae6a-4433-5b66-6410-f25f010a69f3@redhat.com>
In-Reply-To: <20180919205114.2683-1-nicolas.iooss@m4x.org>


On 19/09/2018 22:51, Nicolas Iooss wrote:
> When testing sepolicy gui with setools 4.2.0-beta, the following error
> happened:
>
>        File "python/sepolicy/sepolicy/__init__.py", line 277, in _setools_rule_to_dict
>          if isinstance(rule, setools.policyrep.terule.AVRule):
>      AttributeError: module 'setools.policyrep' has no attribute 'terule'
>
> This is due to a reorganization of files in setools 4.2. After reporting
> the issue on https://github.com/SELinuxProject/setools/issues/8 , it
> appears that sepolicy has not been using setools API properly. Fix this
> by:
> * replacing exception types internal to setools with AttributeError, as
>    they all inherit from it;
> * using rule.conditional.evaluate(...) in order to find out whether a
>    conditional rule is enabled, instead of relying on
>    rule.qpol_symbol.is_enabled() (which disappeared).
>
> This last point required knowing the states of the booleans in the
> policy. As sepolicy already retrieves all boolean states in
> get_all_bools(), put them in a dict which can be used by
> rule.conditional.evaluate().
>
> This code has been tested with setools 4.1.1 and setools 4.2.0-beta.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> ---
>   python/sepolicy/sepolicy/__init__.py | 30 +++++++++++++++++++---------
>   1 file changed, 21 insertions(+), 9 deletions(-)
>
> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> index 89346aba0b15..ed6dfea9718a 100644
> --- a/python/sepolicy/sepolicy/__init__.py
> +++ b/python/sepolicy/sepolicy/__init__.py
> @@ -112,6 +112,7 @@ login_mappings = None
>   file_types = None
>   port_types = None
>   bools = None
> +bools_dict = None
>   all_attributes = None
>   booleans = None
>   booleans_dict = None
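Review bot: the new `bools_dict` global is declared three lines above the existing `booleans_dict`, and nothing at the declaration or in `policy()` tells a reader which of the two is the name->state mapping that get_all_bools_as_dict() caches. A name that says what it holds (e.g. `bool_states`) plus a one-line comment at the declaration would avoid the mix-up; the rename is mechanical across the three places the patch touches it.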
> @@ -134,6 +135,7 @@ def policy(policy_file):
>       global all_domains
>       global all_attributes
>       global bools
> +    global bools_dict
>       global all_types
>       global role_allows
>       global users
> @@ -143,6 +145,7 @@ def policy(policy_file):
>       all_domains = None
>       all_attributes = None
>       bools = None
> +    bools_dict = None
>       all_types = None
>       role_allows = None
>       users = None
> @@ -272,34 +275,35 @@ def _setools_rule_to_dict(rule):
>           'class': str(rule.tclass),
>       }
>   
> +    # Evaluate the boolean condition if it is a conditional rule.
> +    # In order to do this, extract the booleans which are used in the condition first.
>       try:
> -        enabled = bool(rule.qpol_symbol.is_enabled(rule.policy))
> +        all_bools = get_all_bools_as_dict()
> +        used_bools = dict((str(name), all_bools[name]) for name in rule.conditional.booleans)
> +        enabled = rule.conditional.evaluate(**used_bools) == rule.conditional_block


Thank you for the patch, I've just been testing my version (almost identical except for this block).
Why don't you get the boolean state directly from the booleans inside the conditional?

try:
    # get state of all booleans in the conditional expression
    used_bools = {}
    for boolean in rule.conditional.booleans:
        used_bools[str(boolean)] = boolean.state
    # evaluate if the rule is enabled
    enabled = rule.conditional.evaluate(**used_bools) == rule.conditional_block

>       except AttributeError:
>           enabled = True
>   
> -    if isinstance(rule, setools.policyrep.terule.AVRule):
> -        d['enabled'] = enabled
> +    d['enabled'] = enabled
>   
>       try:
>           d['permlist'] = list(map(str, rule.perms))
> -    except setools.policyrep.exception.RuleUseError:
> +    except AttributeError:
>           pass
>   
>       try:
>           d['transtype'] = str(rule.default)
> -    except setools.policyrep.exception.RuleUseError:
> +    except AttributeError:
>           pass
>   
>       try:
>           d['boolean'] = [(str(rule.conditional), enabled)]
> -    except (AttributeError, setools.policyrep.exception.RuleNotConditional):
> +    except AttributeError:
>           pass
>   
>       try:
>           d['filename'] = rule.filename
> -    except (AttributeError,
> -            setools.policyrep.exception.RuleNotConditional,
> -            setools.policyrep.exception.TERuleNoFilename):
> +    except AttributeError:
>           pass
>   
>       return d
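Review bot: the widened `try` in `_setools_rule_to_dict` now encloses the call to `get_all_bools_as_dict()`, so an AttributeError raised anywhere inside it (or inside `get_all_bools()`) is swallowed by `except AttributeError` and the rule is reported with `enabled = True`; that fails open for every conditional rule, and a bug introduced later in those helpers would go unnoticed. Restrict the `try` to the `rule.conditional` / `rule.conditional_block` accesses and do the lookup and evaluation outside it. In the same block, `all_bools[name]` indexes a dict keyed by the `b['name']` strings with a Boolean object from `rule.conditional.booleans`, while `used_bools` is keyed by `str(name)`; unless those objects hash and compare as their name string this raises KeyError, which `except AttributeError` does not catch. Either index with `str(name)` or, as the reply above suggests, read `boolean.state` straight from the objects in the condition and drop the dict. Finally, removing the `isinstance(rule, setools.policyrep.terule.AVRule)` guard means `d['enabled']` is now set for type rules as well as AV rules; the commit message should state that this change is intended.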
> @@ -930,6 +934,14 @@ def get_all_bools():
>       return bools
>   
>   
> +def get_all_bools_as_dict():
> +    """Return a name->state dict of the booleans defined in the policy"""
> +    global bools_dict
> +    if not bools_dict:
> +        bools_dict = dict((b['name'], b['state']) for b in get_all_bools())
> +    return bools_dict
> +
> +
>   def prettyprint(f, trim):
>       return " ".join(f[:-len(trim)].split("_"))
>   
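Review bot: `if not bools_dict:` in get_all_bools_as_dict() treats an empty dict the same as the unset `None`, so on a policy that defines no booleans the mapping is rebuilt from get_all_bools() on every call; `if bools_dict is None:` caches the empty result as well and matches the `bools_dict = None` reset in policy().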

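The evaluation step the patch and the reply discuss, written out as an added example that is neither the patch's code nor setools' API: the `Boolean`, `Conditional` and `Rule` classes are simplified stand-ins for the setools objects (assumed shapes, not the library's), `bool_states_from_list` mirrors the name->state mapping of the patch's `get_all_bools_as_dict()`, `rule_enabled` keeps only the attribute accesses inside the `try` so a missing boolean state surfaces as a KeyError instead of being reported as enabled, and `SAMPLE_BOOLS` / `SAMPLE_CONDITIONAL` are constructed inputs rather than data from a real policy. The expression evaluator goes slightly beyond the thread by handling `!`, `&&`, `||` and parentheses generally.

```python
"""Added example, not from the patch or from setools: decide whether a conditional
SELinux rule is enabled from the policy boolean states, as the patched
_setools_rule_to_dict() does. Boolean/Conditional/Rule are simplified stand-ins."""
import re


class Boolean:
    """Stand-in for a policy boolean: a name and its current state."""
    def __init__(self, name, state):
        self.name, self.state = name, state

    def __str__(self):
        return self.name


class Conditional:
    """Stand-in for a conditional expression over booleans; evaluate() takes the
    referenced states as keyword arguments. Supports !, &&, || and parentheses."""
    _TOKEN = re.compile(r"\s*(&&|\|\||[!()]|[A-Za-z_]\w*)")

    def __init__(self, expression, booleans):
        self.expression, self.booleans = expression, booleans

    def __str__(self):
        return self.expression

    def evaluate(self, **states):
        tokens = self._TOKEN.findall(self.expression)
        if "".join(tokens) != "".join(self.expression.split()):
            raise ValueError("unexpected character in " + self.expression)
        pos = 0

        def take(expected=None):
            nonlocal pos
            if pos >= len(tokens) or (expected and tokens[pos] != expected):
                raise ValueError("malformed expression: " + self.expression)
            pos += 1
            return tokens[pos - 1]

        def peek():
            return tokens[pos] if pos < len(tokens) else None

        def or_expr():  # or := and ('||' and)*
            value = and_expr()
            while peek() == "||":
                take()
                value = and_expr() or value
            return value

        def and_expr():  # and := not ('&&' not)*
            value = not_expr()
            while peek() == "&&":
                take()
                value = not_expr() and value
            return value

        def not_expr():  # not := '!' not | '(' or ')' | name
            tok = take()
            if tok == "!":
                return not not_expr()
            if tok == "(":
                value = or_expr()
                take(")")
                return value
            return states[tok]  # KeyError if a referenced boolean has no state

        result = or_expr()
        if pos != len(tokens):
            raise ValueError("trailing tokens in " + self.expression)
        return result


class Rule:
    """Stand-in for a TE rule; an unconditional rule has no `conditional`."""
    def __init__(self, conditional=None, conditional_block=None):
        if conditional is not None:
            self.conditional = conditional
            self.conditional_block = conditional_block  # True: in the if-branch


def bool_states_from_list(all_bools):
    """Same shape as the patch's get_all_bools_as_dict(): name -> state."""
    return {b["name"]: b["state"] for b in all_bools}


def rule_enabled(rule, bool_states):
    """Only the attribute accesses sit inside the try block, so a boolean with
    no recorded state raises KeyError instead of being reported as enabled."""
    try:
        conditional, block = rule.conditional, rule.conditional_block
    except AttributeError:
        return True  # unconditional rules are always active
    used = {str(b): bool_states[str(b)] for b in conditional.booleans}
    return conditional.evaluate(**used) == block


# Constructed sample data, not taken from a real policy.
SAMPLE_BOOLS = [{"name": "httpd_can_network_connect", "state": True},
                {"name": "httpd_use_nfs", "state": False}]
SAMPLE_CONDITIONAL = Conditional(
    "httpd_can_network_connect && !httpd_use_nfs",
    [Boolean("httpd_can_network_connect", True), Boolean("httpd_use_nfs", False)])
```

A rule is active when the expression's value equals the branch the rule was written in, which is why `rule_enabled` compares against `conditional_block` rather than returning the expression value directly; the same rule placed in the else-branch of the sample condition comes out disabled.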

Thread overview:
2018-09-19 20:51 [PATCH 1/1] python/sepolicy: fix compatibility with setools 4.2.0 Nicolas Iooss
2018-09-20  7:47 ` Vit Mojzis [this message]
2018-09-21 19:52   ` Nicolas Iooss
2018-09-24  9:05     ` [PATCH] python/sepolicy: Update to work with setools-4.2.0 Vit Mojzis