Re: [PATCH v2] chcat: allow usage if binary policy is inaccessible

Petr Lautrbach <plautrba@xxxxxxxxxx> · Mon, 22 Feb 2021 19:27:57 +0100

bauen1 <j2468h@xxxxxxxxxxxxxx> writes:

> Currently, chcat will crash when run as regular user, because import
> sepolicy throws an Exception when failing to access the binary policy
> under /etc/selinux/${POLICYNAME}/policy/ which is inaccessible to
> regular users.
>

I'd rather follow Nicolas suggestion so I've prepared a patch, see
below, which moves the policy initialization in sepolicy module before
it's used for the first time. It seems to solve the same problem in more
generic way. I need to run some tests on that and then they pass I'll
propose it here on the mailing list.


https://github.com/bachradsusi/SELinuxProject-selinux/commit/6a12939b613b273a6e96e1cc4cc096cdf7db5ac6

--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -178,15 +178,14 @@ def load_store_policy(store):
         return None
     policy(policy_file)
 
-try:
+def init_policy():
     policy_file = get_installed_policy()
     policy(policy_file)
-except ValueError as e:
-    if selinux.is_selinux_enabled() == 1:
-        raise e
-
 
 def info(setype, name=None):
+    if not _pol:
+        init_policy()
+
     if setype == TYPE:
         q = setools.TypeQuery(_pol)
         q.name = name
@@ -337,6 +336,8 @@ def _setools_rule_to_dict(rule):
 
 
 def search(types, seinfo=None):
+    if not _pol:
+        init_policy()
     if not seinfo:
         seinfo = {}
     valid_types = set([ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW])



> Signed-off-by: Jonathan Hettwer <j2468h@xxxxxxxxx>
> ---
>
> v2:
>  Fix signed-off-by, improve commit message, but otherwise unchanged
>
>  python/chcat/chcat | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/python/chcat/chcat b/python/chcat/chcat
> index fdd2e46e..55408577 100755
> --- a/python/chcat/chcat
> +++ b/python/chcat/chcat
> @@ -28,7 +28,6 @@ import os
>  import pwd
>  import getopt
>  import selinux
> -import seobject
>
>  PROGNAME = "policycoreutils"
>  try:
> @@ -65,6 +64,7 @@ def verify_users(users):
>
>
>  def chcat_user_add(newcat, users):
> +    import seobject
>      errors = 0
>      logins = seobject.loginRecords()
>      seusers = logins.get_all()
> @@ -144,6 +144,7 @@ def chcat_add(orig, newcat, objects, login_ind):
>
>
>  def chcat_user_remove(newcat, users):
> +    import seobject
>      errors = 0
>      logins = seobject.loginRecords()
>      seusers = logins.get_all()
> @@ -233,6 +234,7 @@ def chcat_remove(orig, newcat, objects, login_ind):
>
>
>  def chcat_user_replace(newcat, users):
> +    import seobject
>      errors = 0
>      logins = seobject.loginRecords()
>      seusers = logins.get_all()
> @@ -376,6 +378,7 @@ def listcats():
>
>
>  def listusercats(users):
> +    import seobject
>      if len(users) == 0:
>          try:
>              users.append(os.getlogin())
> --
> 2.30.1







