On Thu, 2017-11-02 at 14:19 +0100, Petr Lautrbach wrote:
> When SELinux is disabled, semanage without -N fails with a quite
> complicated error message when it tries to reload a new policy.
> Since reload in this case doesn't make sense, we should probably
> try to avoid that.

I haven't looked closely at this yet, but I know libsemanage itself
internally sets ->do_reload to false if is_selinux_enabled() is 0 (or
-1), so why is it that seobject.py is manually deciding whether to
reload policy?

>
> Fixes:
> $ sudo umount /sys/fs/selinux
>
> $ sudo semanage fcontext -a --type=postfix_local_tmp_t
> /var/opt/01789667
> SELinux: Could not downgrade policy file
> /etc/selinux/targeted/policy/policy.31, searching for an older
> version.
> SELinux: Could not open policy file <=
> /etc/selinux/targeted/policy/policy.31: No such file or directory
> /sbin/load_policy: Can't load policy: No such file or directory
> libsemanage.semanage_reload_policy: load_policy returned error code
> 2. (No such file or directory).
> SELinux: Could not downgrade policy file
> /etc/selinux/targeted/policy/policy.31, searching for an older
> version.
> SELinux: Could not open policy file <=
> /etc/selinux/targeted/policy/policy.31: No such file or directory
> /sbin/load_policy: Can't load policy: No such file or directory
> libsemanage.semanage_reload_policy: load_policy returned error code
> 2. (No such file or directory).
> FileNotFoundError: [Errno 2] No such file or directory
>
> Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
> ---
> python/semanage/seobject.py | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/python/semanage/seobject.py > b/python/semanage/seobject.py > index 1385315f..37f2b8c6 100644 > --- a/python/semanage/seobject.py > +++ b/python/semanage/seobject.py
> @@ -241,7 +241,7 @@ class semanageRecords: > > def __init__(self, store): > global handle > - self.load = True > + self.load = selinux.is_selinux_enabled() > self.sh = self.get_handle(store) > > rc, localstore = selinux.selinux_getpolicytype() > @@ -251,7 +251,7 @@ class semanageRecords: > self.mylog = nulllogger() > > def set_reload(self, load): > - self.load = load > + self.load = selinux.is_selinux_enabled() and load > > def get_handle(self, store): > global is_mls_enabled
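
Review bot: In the `__init__` hunk (@@ -241,7), `self.load = selinux.is_selinux_enabled()` stores the raw integer return value where the old code stored a boolean, and the reply above mentions a return of -1 as well as 0; in Python -1 is truthy, so that case would still leave reload switched on. Suggest an explicit comparison such as `self.load = selinux.is_selinux_enabled() > 0`, which keeps `self.load` a bool and treats anything other than "enabled" as no reload.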
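
Review bot: In the `set_reload` hunk (@@ -251,7), `self.load = selinux.is_selinux_enabled() and load` silently discards a caller's explicit `set_reload(True)` when SELinux is disabled, and nothing in the method documents that. A short comment or docstring saying that reload is forced off on a disabled system would help, and since the same enabled check now appears in both `__init__` and `set_reload`, a small helper would keep the two in step. Because `and` returns one of its operands, `self.load` also ends up as the int 0 or as whatever type `load` has rather than a bool; `bool(load) and selinux.is_selinux_enabled() > 0` avoids that.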