On Thu, May 28, 2020 at 8:52 AM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> On a SELinux disabled system `selinux.security_policyvers()` will fail;
> do not bailout but use a fallback policy version to check if a binary
> policy file with that extension exists.
Technically we should be using sepol_policy_kern_vers_max() as the upper bound since this is for the purpose of reading the policy by sepolgen-ifgen-attr-helper and it requires that the policy version be known to the version of libsepol against which it was compiled but I guess there isn't a python wrapper for it. Not sure why we aren't just having sepolgen-ifgen-attr-helper itself find the policy file in which case it could call sepol_policy_kern_vers_max(). Not keen on hardcoding an upper bound here.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
> ---
> python/audit2allow/sepolgen-ifgen | 22 ++++++++++++----------
> 1 file changed, 12 insertions(+), 10 deletions(-)
>
> diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
> index 4a71cda4..48e60f1d 100644
> --- a/python/audit2allow/sepolgen-ifgen
> +++ b/python/audit2allow/sepolgen-ifgen
> @@ -69,7 +69,11 @@ def get_policy():
> p = selinux.selinux_current_policy_path()
> if p and os.path.exists(p):
> return p
> - i = selinux.security_policyvers()
> + try:
> + i = selinux.security_policyvers()
> + except OSError:
> + # SELinux Disabled Machine
> + i = 50 # some high enough default value
> p = selinux.selinux_binary_policy_path() + "." + str(i)
> while i > 0 and not os.path.exists(p):
> i = i - 1
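Review bot: The new `except OSError:` in get_policy() treats every failure of `security_policyvers()` as "SELinux disabled" and silently substitutes a guessed version, but the same OSError is raised when selinuxfs is present and the read fails for another reason (for example a container or sandbox that hides /sys/fs/selinux/policyvers), and a silently guessed version can then select a policy file that is not the one the running kernel loaded. I would narrow the fallback to the case the comment claims and keep the original failure mode otherwise, e.g. `except OSError:` / `    if selinux.is_selinux_enabled():` / `        raise` ahead of `i = 50`, or at minimum write a one-line warning to stderr when the fallback is taken so a wrong guess is diagnosable rather than invisible. The enclosing get_policy() starts before and ends after this hunk, so the effect of the guessed value on the remaining lookup is only partly visible here.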
> @@ -80,18 +84,16 @@ def get_policy():
>
>
> def get_attrs(policy_path, attr_helper):
> + if not policy_path:
> + policy_path = get_policy()
> + if not policy_path:
> + sys.stderr.write("No installed policy to check\n")
> + return None
> +
> try:
> - if not policy_path:
> - policy_path = get_policy()
> - if not policy_path:
> - sys.stderr.write("No installed policy to check\n")
> - return None
> outfile = tempfile.NamedTemporaryFile()
> except IOError as e:
> - sys.stderr.write("could not open attribute output file\n")
> - return None
> - except OSError:
> - # SELinux Disabled Machine
> + sys.stderr.write("could not open attribute output file: %s\n" % e)
> return None
>
> fd = open("/dev/null", "w")
> --
> 2.27.0.rc2
>
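Review bot: Moving the guard out of the `try` also removes the outer `except OSError` that previously covered get_policy(), so if anything in get_policy() other than the `security_policyvers()` call it now handles itself can raise OSError, get_attrs() will propagate a traceback where it previously did a silent `return None`; if that stricter behaviour is intended it deserves a short comment above the `try`, e.g. `# get_policy() handles the SELinux-disabled case itself; any other OSError is a real error`. On Python 3 `IOError` is an alias of `OSError`, so `except IOError as e:` still catches what `NamedTemporaryFile()` raises, but spelling it `except OSError as e:` states what is actually caught. The `fd = open("/dev/null", "w")` and the NamedTemporaryFile handle are opened here, while the rest of get_attrs(), including their cleanup, lies outside this hunk.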