On Tue, Feb 23, 2021 at 4:06 PM Petr Lautrbach <plautrba@xxxxxxxxxx> wrote:
>
> When a policy is inaccessible, scripts fail right "import sepolicy". With
> this change we let the "sepolicy" module to import and move the policy
> initialization before it's used for the first time.
>
> Fixes:
> >>> import seobject
> Traceback (most recent call last):
> File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy
> _pol = setools.SELinuxPolicy(policy_file)
> File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__
> File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy
> PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33'
>
> During handling of the above exception, another exception occurred:
>
> Traceback (most recent call last):
> File "<stdin>", line 1, in <module>
> File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module>
> import sepolicy
> File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module>
> raise e
> File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module>
> policy(policy_file)
> File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy
> raise ValueError(_("Failed to read %s policy file") % policy_file)
> ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file
>
> Signed-off-by: Petr Lautrbach <plautrba@xxxxxxxxxx>
> ---
>
> It's based on review from https://lore.kernel.org/selinux/CAEjxPJ5gK_DdNxpjMq8tvvhkq1hxsoE5vTNZAa=hiP-6s=an8Q@xxxxxxxxxxxxxx/T/#m88ed2c2522a5b3907b607fdf08fde5dbf8d48571
Many thanks!! I have been thinking about this issue for quite some
time and your patch fixes it nicely :) Actually "global _pol"
statements are not required, because _pol is only read in the modified
functions, but they make the code more readable (in my humble opinion)
so I think it is better to introduce them anyway.
Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
And I directly merged it. Thanks!
Nicolas
> python/sepolicy/sepolicy/__init__.py | 17 ++++++++++++-----
> 1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> index e4540977d042..7309875c7e27 100644
> --- a/python/sepolicy/sepolicy/__init__.py
> +++ b/python/sepolicy/sepolicy/__init__.py
> @@ -178,15 +178,15 @@ def load_store_policy(store):
> return None
> policy(policy_file)
>
> -try:
> +def init_policy():
> policy_file = get_installed_policy()
> policy(policy_file)
> -except ValueError as e:
> - if selinux.is_selinux_enabled() == 1:
> - raise e
> -
>
> def info(setype, name=None):
> + global _pol
> + if not _pol:
> + init_policy()
> +
> if setype == TYPE:
> q = setools.TypeQuery(_pol)
> q.name = name
> @@ -337,6 +337,9 @@ def _setools_rule_to_dict(rule):
>
>
> def search(types, seinfo=None):
> + global _pol
> + if not _pol:
> + init_policy()
> if not seinfo:
> seinfo = {}
> valid_types = set([ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW])
> @@ -916,6 +919,10 @@ def get_all_roles():
> if roles:
> return roles
>
> + global _pol
> + if not _pol:
> + init_policy()
> +
> q = setools.RoleQuery(_pol)
> roles = [str(x) for x in q.results() if str(x) != "object_r"]
> return roles
> --
> 2.30.1
>
