For `semanage node -l`, show also nodes which are not attributed with
`node_type`. Such nodes may exist in custom policies and even the
attribute `node_type` may not be defined.
Fix also bash completion to work with such policies and actually start
using __get_all_node_types().
This fixes the following error with `semanage node -l`:
Traceback (most recent call last):
File "/usr/sbin/semanage", line 975, in <module>
do_parser()
File "/usr/sbin/semanage", line 947, in do_parser
args.func(args)
File "/usr/sbin/semanage", line 652, in handleNode
OBJECT = object_dict['node'](args)
^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/seobject.py", line 1850, in __init__
self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "node_type"))[0]["types"])
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
IndexError: list index out of range
Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx>
---
python/semanage/semanage-bash-completion.sh | 7 ++++++-
python/semanage/seobject.py | 2 +-
python/sepolicy/sepolicy/__init__.py | 13 +++++++++++++
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/python/semanage/semanage-bash-completion.sh b/python/semanage/semanage-bash-completion.sh
index d0dd139f..54a4d8ad 100644
--- a/python/semanage/semanage-bash-completion.sh
+++ b/python/semanage/semanage-bash-completion.sh
@@ -43,7 +43,7 @@ __get_all_domains () {
seinfo -adomain -x 2>/dev/null | tail -n +2
}
__get_all_node_types () {
- seinfo -anode_type -x 2>/dev/null | tail -n +2
+ seinfo --nodecon -x 2>/dev/null | sed -n 's/^\s\+nodecon\s\+\S\+\s\+\S\+\s\+[^:]\+:[^:]\+:\([^:]\+\):\S\+$/\1/gp'
}
__get_all_file_types () {
seinfo -afile_type -x 2>/dev/null | tail -n +2
@@ -98,6 +98,11 @@ _semanage () {
COMPREPLY=( $(compgen -W "$( __get_all_modules ) " -- "$cur") )
return 0
fi
+ elif [ "$command" = "node" ]; then
+ if [ "$prev" = "-t" ] || [ "$prev" = "--type" ]; then
+ COMPREPLY=( $(compgen -W "$( __get_all_node_types ) " -- "$cur") )
+ return 0
+ fi
fi
if [ "$verb" = "" -a "$prev" = "semanage" ]; then
comps="${VERBS[*]}"
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index d82da494..cc208a81 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -1848,7 +1848,7 @@ class nodeRecords(semanageRecords):
semanageRecords.__init__(self, args)
self.protocol = ["ipv4", "ipv6"]
try:
- self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "node_type"))[0]["types"])
+ self.valid_types = list(list(sepolicy.info(sepolicy.NODE)))
except RuntimeError:
pass
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index c177cdfc..829f5c61 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -13,6 +13,7 @@ import re
import gzip
from setools.boolquery import BoolQuery
+from setools.nodeconquery import NodeconQuery
from setools.portconquery import PortconQuery
from setools.policyrep import SELinuxPolicy
from setools.objclassquery import ObjClassQuery
@@ -49,6 +50,7 @@ PORT = 4
USER = 5
BOOLEAN = 6
TCLASS = 7
+NODE = 8
ALLOW = 'allow'
AUDITALLOW = 'auditallow'
@@ -299,6 +301,17 @@ def info(setype, name=None):
'permlist': list(x.perms),
} for x in q.results())
+ elif setype == NODE:
+ q = NodeconQuery(_pol)
+ if name:
+ q.name = name
+
+ return ({
+ 'address': re.fullmatch('nodecon (\S+) \S+ \S+', str(x)).group(1),
+ 'mask': re.fullmatch('nodecon \S+ (\S+) \S+', str(x)).group(1),
+ 'type': re.fullmatch('nodecon \S+ \S+ (\S+)', str(x)).group(1)
+ } for x in list(q.results()))
+
else:
raise ValueError("Invalid type")
--
2.39.2
