Topi Miettinen <toiwoton@xxxxxxxxx> writes: > On 14.6.2023 13.03, Petr Lautrbach wrote: >> Topi Miettinen <toiwoton@xxxxxxxxx> writes: >> >>> For `semanage port -l` and `sepolicy network -t type`, show also ports >>> which are not attributed with `port_type`. Such ports may exist in >>> custom policies and even the attribute `port_type` may not be defined. >>> >>> This fixes the following error with `semanage port -l` (and similar >>> error with `sepolicy network -t type`): >>> >>> Traceback (most recent call last): >>> File "/usr/sbin/semanage", line 975, in <module> >>> do_parser() >>> File "/usr/sbin/semanage", line 947, in do_parser >>> args.func(args) >>> File "/usr/sbin/semanage", line 441, in handlePort >>> OBJECT = object_dict['port'](args) >>> ^^^^^^^^^^^^^^^^^^^^^^^^^ >>> File "/usr/lib/python3/dist-packages/seobject.py", line 1057, in __init__ >>> self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"]) >>> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^ >>> IndexError: list index out of range >>> >>> Signed-off-by: Topi Miettinen <toiwoton@xxxxxxxxx> >>> >>> --- >>> >>> v3: use even better version, thanks to Petr Lautrbach >>> v2: fix other cases and use better version courtesy of Petr Lautrbach >>> --- >>> python/semanage/semanage-bash-completion.sh | 2 +- >>> python/semanage/seobject.py | 2 +- >>> python/sepolicy/sepolicy-bash-completion.sh | 2 +- >>> python/sepolicy/sepolicy/__init__.py | 2 +- >>> 4 files changed, 4 insertions(+), 4 deletions(-) >>> >>> diff --git a/python/semanage/semanage-bash-completion.sh b/python/semanage/semanage-bash-completion.sh >>> index d0dd139f..1e3f6f9d 100644 >>> --- a/python/semanage/semanage-bash-completion.sh >>> +++ b/python/semanage/semanage-bash-completion.sh 
>>> @@ -37,7 +37,7 @@ __get_all_types () { >>> seinfo -t 2> /dev/null | tail -n +3 >>> } >>> __get_all_port_types () { >>> - seinfo -aport_type -x 2>/dev/null | tail -n +2 >>> + sepolicy network -l >>> } >>> __get_all_domains () { >>> seinfo -adomain -x 2>/dev/null | tail -n +2 >>> diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py >>> index d82da494..323aae3f 100644 >>> --- a/python/semanage/seobject.py >>> +++ b/python/semanage/seobject.py 
>>> @@ -1055,7 +1055,7 @@ class portRecords(semanageRecords): >>> def __init__(self, args = None): >>> semanageRecords.__init__(self, args) >>> try: >>> - self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"]) >>> + self.valid_types = [x["type"] for x in sepolicy.info(sepolicy.PORT)] >>> except RuntimeError: >>> pass >> >> It looked good to me but I was getting different number of types when I >> searched for `port_type` attribute method and for `portcon` (seinfo >> --portcon). >> >> So I compared lists and checked differences and it turned out that this >> would break using `semanage port -a ...` for all policies based on >> refpolicy. >> >> In refpolicy there are types with `port_type` attribute but without any >> `portcon` statement, see this commit >> https://github.com/SELinuxProject/refpolicy/commit/a108d9db60747a887f626b99cce37738462dd3cd >> >> SELinux notebook uses `port_type` attribute too - >> https://github.com/SELinuxProject/selinux-notebook/blob/main/src/network_support.md#socket-controls-access-control-for-network-ports >> >> I.e. using this change it would not be possible to add a new port mapping for >> types like `stunnel_port_t`: >> >> # seinfo -aport_type -x | grep stunnel >> stunnel_port_t >> >> # semanage port -a -t stunnel_port_t -p tcp 12345 >> ValueError: Type stunnel_port_t is invalid, must be a port type > > Perhaps both plain types attributed with `port_type` and actual portcon > types could be considered? Then the tools should work with refpolicy and > custom policies. > I guess it could work. > >> >> >> Thanks, >> >> Petr >> >> >>> diff --git a/python/sepolicy/sepolicy-bash-completion.sh b/python/sepolicy/sepolicy-bash-completion.sh >>> index 13638e4d..467333b8 100644 >>> --- a/python/sepolicy/sepolicy-bash-completion.sh >>> +++ b/python/sepolicy/sepolicy-bash-completion.sh 
>>> @@ -52,7 +52,7 @@ __get_all_classes () { >>> seinfo -c 2> /dev/null | tail -n +2 >>> } >>> __get_all_port_types () { >>> - seinfo -aport_type -x 2> /dev/null | tail -n +2 >>> + sepolicy network -l >>> } >>> __get_all_domain_types () { >>> seinfo -adomain -x 2> /dev/null | tail -n +2 >>> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py >>> index c177cdfc..9d3b640b 100644 >>> --- a/python/sepolicy/sepolicy/__init__.py >>> +++ b/python/sepolicy/sepolicy/__init__.py >>> @@ -989,7 +989,7 @@ def get_all_port_types(): >>> global port_types >>> if port_types: >>> return port_types >>> - port_types = list(sorted(info(ATTRIBUTE, "port_type"))[0]["types"]) >>> + port_types = [x["type"] for x in info(PORT)] >>> return port_types >>> >>> >>> -- >>> 2.39.2 >>
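Review bot: in the `python/semanage/semanage-bash-completion.sh` hunk, `__get_all_port_types` replaces `seinfo -aport_type -x 2>/dev/null | tail -n +2` with `sepolicy network -l` but drops the stderr redirection, so any warning or Python traceback that `sepolicy` emits (no policy loaded, bindings missing) is written straight into the user's terminal mid tab-completion; keep `2>/dev/null` on the new command. The source of the list also changes: the old pipeline enumerated the `port_type` attribute, while Petr's reply shows that a portcon-based enumeration omits attributed types that have no portcon (his `stunnel_port_t` example), so please confirm that `sepolicy network -l` still lists such types, otherwise `semanage port -a -t <TAB>` will stop offering names that `semanage port -a` accepts.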
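Review bot: the `python/semanage/seobject.py` hunk turns a crash fix into a behaviour change: `self.valid_types = [x["type"] for x in sepolicy.info(sepolicy.PORT)]` admits only types that already have a portcon record, which is exactly why `semanage port -a -t stunnel_port_t -p tcp 12345` now fails with "Type stunnel_port_t is invalid" on refpolicy, as Petr demonstrates. Since the traceback in the commit message shows the old failure was the `[0]` on an empty attribute result (an `IndexError`, not the `RuntimeError` the surrounding `except` catches), iterating the attribute lookup instead of indexing it avoids the crash and lets both sources be merged, along the lines of
`self.valid_types = set(x["type"] for x in sepolicy.info(sepolicy.PORT))`
`for attr in sepolicy.info(sepolicy.ATTRIBUTE, "port_type"):`
`    self.valid_types.update(attr["types"])`
(convert back to a list afterwards if callers rely on list semantics). A set also removes the duplicates the comprehension produces when several portcon statements map to the same type.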
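Review bot: the `python/sepolicy/sepolicy-bash-completion.sh` hunk has the same two issues as the semanage completion script: `sepolicy network -l` lost the `2> /dev/null` that the replaced `seinfo` pipeline had, and it switches completion to whatever `sepolicy network -l` prints, so the concern about attributed types without a portcon (Petr's `stunnel_port_t` case) applies here as well. Since both completion scripts now run the identical command, consider verifying them together once the listing source is settled.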
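Review bot: in the `python/sepolicy/sepolicy/__init__.py` hunk, `port_types = [x["type"] for x in info(PORT)]` will hold one entry per portcon statement, so the cached global `port_types` returned by `get_all_port_types()` will contain repeated names, and it is no longer sorted. The removed line applied `sorted()` to the attribute records rather than to the type names, so the previous result was not actually sorted either; `sorted(set(...))` fixes both in one go. As with the `seobject.py` hunk, types carrying `port_type` but lacking a portcon disappear from this list, so the attribute's types should be merged in here too, otherwise the two lookups will disagree.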
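The approach Topi floats at the end of the thread (accept both the types attributed with `port_type` and the types that appear in portcon statements), written out as an added illustration that is not code from the SELinux userspace tree. It assumes that `sepolicy.info(ATTRIBUTE, "port_type")` yields zero or one record with a "types" list and that `sepolicy.info(PORT)` yields one record per portcon with a "type" key, which is all the patch itself relies on; the sample records are constructed.

```python
# Added example, not from the selinux repository. The two *_records arguments
# stand in for the iterables returned by sepolicy.info(sepolicy.ATTRIBUTE,
# "port_type") and sepolicy.info(sepolicy.PORT); record shapes are assumed.


def port_types_attribute_only(attr_records):
    """Pre-patch lookup: indexing [0] raises IndexError when the policy
    defines no port_type attribute (the traceback in the commit message)."""
    return list(list(attr_records)[0]["types"])


def attribute_lookup_fails(attr_records):
    """True when the old lookup would crash for this policy."""
    try:
        port_types_attribute_only(attr_records)
    except IndexError:
        return True
    return False


def port_types_portcon_only(portcon_records):
    """v3 lookup: one entry per portcon, so attributed types with no
    mapping (refpolicy's stunnel_port_t) are silently lost."""
    return [x["type"] for x in portcon_records]


def port_types_merged(attr_records, portcon_records):
    """Union of both sources; iterating the attribute result instead of
    indexing it keeps this safe for policies without the attribute."""
    types = set()
    for rec in attr_records:  # zero records when port_type is undefined
        types.update(rec["types"])
    types.update(x["type"] for x in portcon_records)
    return sorted(types)  # deduplicated and stable for listing/completion


# Constructed sample data modelled on Petr's refpolicy example:
# stunnel_port_t carries the attribute but has no portcon statement.
REFPOLICY_ATTR = [{"name": "port_type", "types": ["http_port_t", "stunnel_port_t"]}]
REFPOLICY_PORTCON = [
    {"type": "http_port_t", "protocol": "tcp", "low": 80, "high": 80},
    {"type": "http_port_t", "protocol": "tcp", "low": 443, "high": 443},
]
# Constructed custom policy: no port_type attribute, one portcon for a custom type.
CUSTOM_ATTR = []
CUSTOM_PORTCON = [{"type": "myapp_port_t", "protocol": "tcp", "low": 9000, "high": 9000}]

if __name__ == "__main__":
    print(port_types_merged(REFPOLICY_ATTR, REFPOLICY_PORTCON))
    print(port_types_merged(CUSTOM_ATTR, CUSTOM_PORTCON))
```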