On Tue, Feb 23, 2021 at 4:06 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote: > > When a policy is inaccessible, scripts fail right at "import sepolicy". With > this change we let the "sepolicy" module import and move the policy > initialization before it's used for the first time. > > Fixes: > >>> import seobject > Traceback (most recent call last): > File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy > _pol = setools.SELinuxPolicy(policy_file) > File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__ > File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy > PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33' > > During handling of the above exception, another exception occurred: > > Traceback (most recent call last): > File "<stdin>", line 1, in <module> > File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module> > import sepolicy > File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module> > raise e > File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module> > policy(policy_file) > File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy > raise ValueError(_("Failed to read %s policy file") % policy_file) > ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file
>
> Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
> ---
>
> It's based on review from https://lore.kernel.org/selinux/CAEjxPJ5gK_DdNxpjMq8tvvhkq1hxsoE5vTNZAa=hiP-6s=an8Q@xxxxxxxxxxxxxx/T/#m88ed2c2522a5b3907b607fdf08fde5dbf8d48571
Many thanks!! I have been thinking about this issue for quite some time and your patch fixes it nicely :) Actually "global _pol" statements are not required, because _pol is only read in the modified functions, but they make the code more readable (in my humble opinion) so I think it is better to introduce them anyway. Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> And I directly merged it. Thanks! Nicolas
> python/sepolicy/sepolicy/__init__.py | 17 ++++++++++++-----
> 1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> index e4540977d042..7309875c7e27 100644
> --- a/python/sepolicy/sepolicy/__init__.py
> +++ b/python/sepolicy/sepolicy/__init__.py
> @@ -178,15 +178,15 @@ def load_store_policy(store):
> return None
> policy(policy_file)
>
> -try:
> +def init_policy():
> policy_file = get_installed_policy()
> policy(policy_file)
> -except ValueError as e:
> - if selinux.is_selinux_enabled() == 1:
> - raise e
> -
>
> def info(setype, name=None):
> + global _pol
> + if not _pol:
> + init_policy()
> +
> if setype == TYPE:
> q = setools.TypeQuery(_pol)
> q.name = name
> @@ -337,6 +337,9 @@ def _setools_rule_to_dict(rule):
>
>
> def search(types, seinfo=None):
> + global _pol
> + if not _pol:
> + init_policy()
> if not seinfo:
> seinfo = {}
> valid_types = set([ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW])
> @@ -916,6 +919,10 @@ def get_all_roles():
> if roles:
> return roles
>
> + global _pol
> + if not _pol:
> + init_policy()
> +
> q = setools.RoleQuery(_pol)
> roles = [str(x) for x in q.results() if str(x) != "object_r"]
> return roles
> --
> 2.30.1
>
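Review bot: `init_policy()` has no idempotence guard of its own, so the three-line `global _pol` / `if not _pol:` / `init_policy()` preamble is repeated verbatim in `info`, `search` and `get_all_roles` (all three hunks), and any other function in the module that reads `_pol` but is not touched here, or a direct caller of `init_policy()`, gets either no lazy load or a repeated one. Moving the check into `init_policy` as `if _pol is not None: return` would let each call site shrink to a bare `init_policy()`. The check should also compare with `None` (`if _pol is None:`) rather than rely on the truthiness of a `setools.SELinuxPolicy` object; this assumes `_pol` is initialised to `None` at module level, which is outside the hunks. Because the load now fails at first use rather than at import, `init_policy` should carry a docstring such as `"""Load the installed policy into _pol; raises ValueError when the policy file cannot be read."""` so callers of `info()` and friends know the failure shown in the commit message now surfaces from them. The bodies of `info`, `search` and `get_all_roles` continue outside the hunks.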