Re: [PATCH] python/semanage: Do not try to reload policy when SELinux is disabled

On Thu, 2017-11-02 at 15:17 +0100, Petr Lautrbach wrote:
> On Thu, Nov 02, 2017 at 09:52:25AM -0400, Stephen Smalley wrote:
> > On Thu, 2017-11-02 at 14:19 +0100, Petr Lautrbach wrote:
> > > When SELinux is disabled, semanage without -N fails with a quite
> > > complicated error message when it tries to reload a new policy. Since
> > > reload in this case doesn't make sense, we should probably try to avoid
> > > that.
> > 
> > I haven't looked closely at this yet, but I know libsemanage itself
> > internally sets ->do_reload to false if is_selinux_enabled() is 0
> > (or
> > -1), so why is it that seobject.py is manually deciding whether to
> > reload policy?
> 
> semanageRecords.commit() method calls semanage_set_reload(self.sh,
> self.load)
> and this overrides the default value set in semanage_handle_create()
> 
> the flow is something like this:
> 
> seobject: __init__(self, store):
>     self.sh = self.get_handle(store)
> 
> semanage: semanageRecords.get_handle()
>     handle = semanage_handle_create()
> 
> libsemanage: semanage_handle_create()
>     sh->do_reload = (is_selinux_enabled() > 0);
> 
> seobject: commit()
>     semanage_set_reload(self.sh, self.load)
> 
> Looking into this, the check whether SELinux is enabled could be moved to
> libsemanage: semanage_set_reload(), maybe with a WARN message in case
> it doesn't set a new value.

Hmm...why does seobject.py call semanage_set_reload() at all except in
the case where it is explicitly called with -N and wants to forcibly
suppress policy reload?  If we can avoid making the call except in that
case, then we don't need to change libsemanage at all.

> 
> 
> > > 
> > > Fixes:
> > > $ sudo umount /sys/fs/selinux
> > > 
> > > $ sudo semanage fcontext -a --type=postfix_local_tmp_t
> > > /var/opt/01789667
> > > SELinux:  Could not downgrade policy file
> > > /etc/selinux/targeted/policy/policy.31, searching for an older
> > > version.
> > > SELinux:  Could not open policy file <=
> > > /etc/selinux/targeted/policy/policy.31:  No such file or
> > > directory
> > > /sbin/load_policy:  Can't load policy:  No such file or directory
> > > libsemanage.semanage_reload_policy: load_policy returned error
> > > code
> > > 2. (No such file or directory).
> > > SELinux:  Could not downgrade policy file
> > > /etc/selinux/targeted/policy/policy.31, searching for an older
> > > version.
> > > SELinux:  Could not open policy file <=
> > > /etc/selinux/targeted/policy/policy.31:  No such file or
> > > directory
> > > /sbin/load_policy:  Can't load policy:  No such file or directory
> > > libsemanage.semanage_reload_policy: load_policy returned error
> > > code
> > > 2. (No such file or directory).
> > > FileNotFoundError: [Errno 2] No such file or directory
> > > 
> > > Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
> > > ---
> > >  python/semanage/seobject.py | 4 ++--
> > >  1 file changed, 2 insertions(+), 2 deletions(-)
> > > 
> > > diff --git a/python/semanage/seobject.py
> > > b/python/semanage/seobject.py
> > > index 1385315f..37f2b8c6 100644
> > > --- a/python/semanage/seobject.py
> > > +++ b/python/semanage/seobject.py
> > > @@ -241,7 +241,7 @@ class semanageRecords:
> > >  
> > >      def __init__(self, store):
> > >          global handle
> > > -        self.load = True
> > > +        self.load = selinux.is_selinux_enabled()
> > >          self.sh = self.get_handle(store)
> > >  
> > >          rc, localstore = selinux.selinux_getpolicytype()
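Review bot: the `+` line in `__init__` stores the raw return value of `selinux.is_selinux_enabled()`, which is an int and is -1 when the check itself fails; -1 is truthy in Python, so on that error path `self.load` stays "on" and the reload is still attempted. libsemanage's own default, quoted upthread as `sh->do_reload = (is_selinux_enabled() > 0);`, compares with `> 0`; `self.load = selinux.is_selinux_enabled() > 0` would keep seobject consistent with it and keep `self.load` a bool as it was before the change.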
> > > @@ -251,7 +251,7 @@ class semanageRecords:
> > >              self.mylog = nulllogger()
> > >  
> > >      def set_reload(self, load):
> > > -        self.load = load
> > > +        self.load = selinux.is_selinux_enabled() and load
> > >  
> > >      def get_handle(self, store):
> > >          global is_mls_enabled
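Review bot: `selinux.is_selinux_enabled() and load` has the same -1 issue as the `__init__` hunk (a failed check is truthy, so the reload is not suppressed) and repeats the enablement check in a second place; `selinux.is_selinux_enabled() > 0 and load` fixes the first point. On the second, the thread above notes that commit() always pushes `self.load` through semanage_set_reload() and so overrides the default libsemanage already computed; if set_reload() only recorded the caller's explicit -N request (`self.load = load`) and commit() only called semanage_set_reload() when that request is to suppress reload, the check here would not be needed at all and libsemanage would stay the single place that decides whether a reload makes sense.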
> 
> 


