Re: [PATCH] sepolicy: Do not try to load policy on import

On Tue, Feb 23, 2021 at 4:06 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
>
> When a policy is inaccessible, scripts fail right at "import sepolicy". With
> this change we let the "sepolicy" module import and move the policy
> initialization to before it's used for the first time.
>
> Fixes:
>     >>> import seobject
>     Traceback (most recent call last):
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy
>         _pol = setools.SELinuxPolicy(policy_file)
>       File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__
>       File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy
>     PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33'
>
>     During handling of the above exception, another exception occurred:
>
>     Traceback (most recent call last):
>       File "<stdin>", line 1, in <module>
>       File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module>
>         import sepolicy
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module>
>         raise e
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module>
>         policy(policy_file)
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy
>         raise ValueError(_("Failed to read %s policy file") % policy_file)
>     ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file
>
> Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
> ---
>
> It's based on review from https://lore.kernel.org/selinux/CAEjxPJ5gK_DdNxpjMq8tvvhkq1hxsoE5vTNZAa=hiP-6s=an8Q@xxxxxxxxxxxxxx/T/#m88ed2c2522a5b3907b607fdf08fde5dbf8d48571

Many thanks!! I have been thinking about this issue for quite some
time and your patch fixes it nicely :) Actually "global _pol"
statements are not required, because _pol is only read in the modified
functions, but they make the code more readable (in my humble opinion)
so I think it is better to introduce them anyway.

Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>

And I directly merged it. Thanks!
Nicolas

>  python/sepolicy/sepolicy/__init__.py | 17 ++++++++++++-----
>  1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> index e4540977d042..7309875c7e27 100644
> --- a/python/sepolicy/sepolicy/__init__.py
> +++ b/python/sepolicy/sepolicy/__init__.py
> @@ -178,15 +178,15 @@ def load_store_policy(store):
>          return None
>      policy(policy_file)
>
> -try:
> +def init_policy():
>      policy_file = get_installed_policy()
>      policy(policy_file)
> -except ValueError as e:
> -    if selinux.is_selinux_enabled() == 1:
> -        raise e
> -
>
>  def info(setype, name=None):
> +    global _pol
> +    if not _pol:
> +        init_policy()
> +
>      if setype == TYPE:
>          q = setools.TypeQuery(_pol)
>          q.name = name
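Review bot: the removed `try`/`except ValueError` in this hunk also drops the fallback that swallowed a policy read failure when `selinux.is_selinux_enabled()` is not 1; with `init_policy()` the `ValueError` raised by `policy(policy_file)` now propagates on the first call to `info()` even on a host where SELinux is disabled, which is a behaviour change the commit message should state. Separately, `if not _pol:` relies on the truthiness of a `setools.SELinuxPolicy` object; `if _pol is None:` states the intent and does not depend on the object defining `__bool__` or `__len__`.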
> @@ -337,6 +337,9 @@ def _setools_rule_to_dict(rule):
>
>
>  def search(types, seinfo=None):
> +    global _pol
> +    if not _pol:
> +        init_policy()
>      if not seinfo:
>          seinfo = {}
>      valid_types = set([ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW])
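Review bot: style point: the guard inserted ahead of `if not seinfo:` has no blank line after `init_policy()`, unlike the identical guard in `info()` and `get_all_roles()`; add the blank line so the three call sites read the same.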
> @@ -916,6 +919,10 @@ def get_all_roles():
>      if roles:
>          return roles
>
> +    global _pol
> +    if not _pol:
> +        init_policy()
> +
>      q = setools.RoleQuery(_pol)
>      roles = [str(x) for x in q.results() if str(x) != "object_r"]
>      return roles
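Review bot: the three-line lazy-initialisation guard (`global _pol` / `if not _pol:` / `init_policy()`) is now repeated verbatim in `info()`, `search()` and `get_all_roles()`; a small helper such as `_ensure_policy()` (name hypothetical) called at the top of each function would keep the check in one place, so a future reader of `_pol` cannot forget it. Placing the guard after the `if roles: return roles` cache check in this hunk is the right order, since a cached result needs no policy load.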
> --
> 2.30.1
>