On Mon, 20 Jun 2022 11:04:17 -0700 Petr Lautrbach <plautrba@xxxxxxxxxx> wrote > Could you please provide more details about the certain cases, > preferably with a reproducer? Yes, I can. In this patch, I change two files: python/semanage/semanage and sandbox/sandbox In sandbox/sandbox, IOError is unreachable as OSError always takes precedence, so it serves as useless code. The ambiguous nature of IOError and OSError, despite both serving the same purpose, is why I've submitted this patch. To reproduce, if the Sandbox() function were to be called, and an IOError occurred, OSError would handle the error_exit, not IOError (which is fine enough, since both exceptions lead to the same result, but IOError is redundant here). On the contrary, if an OSError exception occurred in the createCommandParser() function in python/semanage/semanage file while attempting to call do_parser(), since IOError is an alias of OSError in 3.3, the IOError exception would actually take precedence over the OSError exception. I'm not entirely sure what version SELinux is attempting to target, but the try except block in do_parser() is ambiguous and its implementation should be reconsidered. In that file, I've had OSError directly handle the exception. This, however, does change this function a little bit; the second argument will be displayed as an error, not the error itself. This might need to be changed. Thanks, Elijah
