[1/2] Sandbox: Use next() over the sepolicy.info() result

Message ID 20161107080117.24030-1-bigon@debian.org (mailing list archive)
State Not Applicable

Commit Message

Laurent Bigonville Nov. 7, 2016, 8:01 a.m. UTC
From: Laurent Bigonville <bigon@bigon.be>

sepolicy.info() now returns a generator, use next() to get the results.

Signed-off-by: Laurent Bigonville <bigon@bigon.be>
---
 policycoreutils/sandbox/sandbox | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

Comments

Stephen Smalley Nov. 7, 2016, 9:13 p.m. UTC | #1
On 11/07/2016 03:01 AM, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> sepolicy.info() now returns a generator, use next() to get the results.

This breaks sandbox for me,
$ /usr/bin/sandbox -X firefox
Traceback (most recent call last):
  File "/usr/bin/sandbox", line 529, in <module>
    rc = sandbox.main()
  File "/usr/bin/sandbox", line 513, in main
    self.__parse_options()
  File "/usr/bin/sandbox", line 308, in __parse_options
    """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
"sandbox_type"))['types'])
TypeError: list object is not an iterator

> 
> Signed-off-by: Laurent Bigonville <bigon@bigon.be>
> ---
>  policycoreutils/sandbox/sandbox | 8 ++++----
>  1 file changed, 4 insertions(+), 4 deletions(-)
> 
> diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
> index 4010e83..c07a1d8 100644
> --- a/policycoreutils/sandbox/sandbox
> +++ b/policycoreutils/sandbox/sandbox
> @@ -305,8 +305,8 @@ kill -TERM $WM_PID  2> /dev/null
>              types = _("""
>  Policy defines the following types for use with the -t:
>  \t%s
> -""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))[0]['types'])
> -        except RuntimeError:
> +""") % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))['types'])
> +        except StopIteration:
>              pass
>  
>          usage = _("""
> @@ -380,8 +380,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
>              self.setype = DEFAULT_X_TYPE
>          else:
>              try:
> -                sepolicy.info(sepolicy.TYPE, "sandbox_t")
> -            except RuntimeError:
> +                next(sepolicy.info(sepolicy.TYPE, "sandbox_t"))
> +            except StopIteration:
>                  raise ValueError(_("Sandbox Policy is not currently installed.\nYou need to install the selinux-policy-sandbox package in order to run this command"))
>  
>          if self.__options.setype:
>
Laurent Bigonville Nov. 7, 2016, 11:09 p.m. UTC | #2
On 07/11/16 at 22:13, Stephen Smalley wrote:
> On 11/07/2016 03:01 AM, Laurent Bigonville wrote:
>> From: Laurent Bigonville <bigon@bigon.be>
>>
>> sepolicy.info() now returns a generator, use next() to get the results.
> This breaks sandbox for me,
> $ /usr/bin/sandbox -X firefox
> Traceback (most recent call last):
>    File "/usr/bin/sandbox", line 529, in <module>
>      rc = sandbox.main()
>    File "/usr/bin/sandbox", line 513, in main
>      self.__parse_options()
>    File "/usr/bin/sandbox", line 308, in __parse_options
>      """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
> "sandbox_type"))['types'])
> TypeError: list object is not an iterator

Which version of python and setools are you using?

>
>> Signed-off-by: Laurent Bigonville <bigon@bigon.be>
>> ---
>>   policycoreutils/sandbox/sandbox | 8 ++++----
>>   1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
>> index 4010e83..c07a1d8 100644
>> --- a/policycoreutils/sandbox/sandbox
>> +++ b/policycoreutils/sandbox/sandbox
>> @@ -305,8 +305,8 @@ kill -TERM $WM_PID  2> /dev/null
>>               types = _("""
>>   Policy defines the following types for use with the -t:
>>   \t%s
>> -""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))[0]['types'])
>> -        except RuntimeError:
>> +""") % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))['types'])
>> +        except StopIteration:
>>               pass
>>   
>>           usage = _("""
>> @@ -380,8 +380,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
>>               self.setype = DEFAULT_X_TYPE
>>           else:
>>               try:
>> -                sepolicy.info(sepolicy.TYPE, "sandbox_t")
>> -            except RuntimeError:
>> +                next(sepolicy.info(sepolicy.TYPE, "sandbox_t"))
>> +            except StopIteration:
>>                   raise ValueError(_("Sandbox Policy is not currently installed.\nYou need to install the selinux-policy-sandbox package in order to run this command"))
>>   
>>           if self.__options.setype:
>>
Stephen Smalley Nov. 8, 2016, 1:34 p.m. UTC | #3
On 11/07/2016 06:09 PM, Laurent Bigonville wrote:
> On 07/11/16 at 22:13, Stephen Smalley wrote:
>> On 11/07/2016 03:01 AM, Laurent Bigonville wrote:
>>> From: Laurent Bigonville <bigon@bigon.be>
>>>
>>> sepolicy.info() now returns a generator, use next() to get the results.
>> This breaks sandbox for me,
>> $ /usr/bin/sandbox -X firefox
>> Traceback (most recent call last):
>>    File "/usr/bin/sandbox", line 529, in <module>
>>      rc = sandbox.main()
>>    File "/usr/bin/sandbox", line 513, in main
>>      self.__parse_options()
>>    File "/usr/bin/sandbox", line 308, in __parse_options
>>      """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
>> "sandbox_type"))['types'])
>> TypeError: list object is not an iterator
> 
> Which version of python and setools are you using?

I have installed setools4 from source, both running setup.py via python
and via python3 to install it for python 2.7 and python 3.5 (both are
installed on Fedora, with python referencing 2.7 by default).  I have
likewise built and installed the selinux userspace with PYTHON=python
and with PYTHON=python3. I have tried running sandbox via python and via
python3, and it yields the same exception in both cases with your patch,
and works fine without your patch.

>>
>>> Signed-off-by: Laurent Bigonville <bigon@bigon.be>
>>> ---
>>>   policycoreutils/sandbox/sandbox | 8 ++++----
>>>   1 file changed, 4 insertions(+), 4 deletions(-)
>>>
>>> diff --git a/policycoreutils/sandbox/sandbox
>>> b/policycoreutils/sandbox/sandbox
>>> index 4010e83..c07a1d8 100644
>>> --- a/policycoreutils/sandbox/sandbox
>>> +++ b/policycoreutils/sandbox/sandbox
>>> @@ -305,8 +305,8 @@ kill -TERM $WM_PID  2> /dev/null
>>>               types = _("""
>>>   Policy defines the following types for use with the -t:
>>>   \t%s
>>> -""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE,
>>> "sandbox_type"))[0]['types'])
>>> -        except RuntimeError:
>>> +""") % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
>>> "sandbox_type"))['types'])
>>> +        except StopIteration:
>>>               pass
>>>             usage = _("""
>>> @@ -380,8 +380,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T
>>> tempdir]] [-I includefile ] [-
>>>               self.setype = DEFAULT_X_TYPE
>>>           else:
>>>               try:
>>> -                sepolicy.info(sepolicy.TYPE, "sandbox_t")
>>> -            except RuntimeError:
>>> +                next(sepolicy.info(sepolicy.TYPE, "sandbox_t"))
>>> +            except StopIteration:
>>>                   raise ValueError(_("Sandbox Policy is not currently
>>> installed.\nYou need to install the selinux-policy-sandbox package in
>>> order to run this command"))
>>>             if self.__options.setype:
>>>
Stephen Smalley Nov. 8, 2016, 2:57 p.m. UTC | #4
On 11/08/2016 08:34 AM, Stephen Smalley wrote:
> On 11/07/2016 06:09 PM, Laurent Bigonville wrote:
>> On 07/11/16 at 22:13, Stephen Smalley wrote:
>>> On 11/07/2016 03:01 AM, Laurent Bigonville wrote:
>>>> From: Laurent Bigonville <bigon@bigon.be>
>>>>
>>>> sepolicy.info() now returns a generator, use next() to get the results.
>>> This breaks sandbox for me,
>>> $ /usr/bin/sandbox -X firefox
>>> Traceback (most recent call last):
>>>    File "/usr/bin/sandbox", line 529, in <module>
>>>      rc = sandbox.main()
>>>    File "/usr/bin/sandbox", line 513, in main
>>>      self.__parse_options()
>>>    File "/usr/bin/sandbox", line 308, in __parse_options
>>>      """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
>>> "sandbox_type"))['types'])
>>> TypeError: list object is not an iterator
>>
>> Which version of python and setools are you using?
> 
> I have installed setools4 from source, both running setup.py via python
> and via python3 to install it for python 2.7 and python 3.5 (both are
> installed on Fedora, with python referencing 2.7 by default).  I have
> likewise built and installed the selinux userspace with PYTHON=python
> and with PYTHON=python3. I have tried running sandbox via python and via
> python3, and it yields the same exception in both cases with your patch,
> and works fine without your patch.

Ok, I forcibly removed the Fedora setools* packages (which also
uninstalled policycoreutils) and built and installed setools4 and
policycoreutils from upstream source again.  Now I do not get that
exception with your patch, but it also works fine without your patch - I
see no difference in behavior.  Not sure what I am missing.

> 
>>>
>>>> Signed-off-by: Laurent Bigonville <bigon@bigon.be>
>>>> ---
>>>>   policycoreutils/sandbox/sandbox | 8 ++++----
>>>>   1 file changed, 4 insertions(+), 4 deletions(-)
>>>>
>>>> diff --git a/policycoreutils/sandbox/sandbox
>>>> b/policycoreutils/sandbox/sandbox
>>>> index 4010e83..c07a1d8 100644
>>>> --- a/policycoreutils/sandbox/sandbox
>>>> +++ b/policycoreutils/sandbox/sandbox
>>>> @@ -305,8 +305,8 @@ kill -TERM $WM_PID  2> /dev/null
>>>>               types = _("""
>>>>   Policy defines the following types for use with the -t:
>>>>   \t%s
>>>> -""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE,
>>>> "sandbox_type"))[0]['types'])
>>>> -        except RuntimeError:
>>>> +""") % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
>>>> "sandbox_type"))['types'])
>>>> +        except StopIteration:
>>>>               pass
>>>>             usage = _("""
>>>> @@ -380,8 +380,8 @@ sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T
>>>> tempdir]] [-I includefile ] [-
>>>>               self.setype = DEFAULT_X_TYPE
>>>>           else:
>>>>               try:
>>>> -                sepolicy.info(sepolicy.TYPE, "sandbox_t")
>>>> -            except RuntimeError:
>>>> +                next(sepolicy.info(sepolicy.TYPE, "sandbox_t"))
>>>> +            except StopIteration:
>>>>                   raise ValueError(_("Sandbox Policy is not currently
>>>> installed.\nYou need to install the selinux-policy-sandbox package in
>>>> order to run this command"))
>>>>             if self.__options.setype:
>>>>
Laurent Bigonville Nov. 8, 2016, 2:58 p.m. UTC | #5
On 08/11/16 at 15:57, Stephen Smalley wrote:
> On 11/08/2016 08:34 AM, Stephen Smalley wrote:
>> On 11/07/2016 06:09 PM, Laurent Bigonville wrote:
>>> On 07/11/16 at 22:13, Stephen Smalley wrote:
>>>> On 11/07/2016 03:01 AM, Laurent Bigonville wrote:
>>>>> From: Laurent Bigonville <bigon@bigon.be>
>>>>>
>>>>> sepolicy.info() now returns a generator, use next() to get the results.
>>>> This breaks sandbox for me,
>>>> $ /usr/bin/sandbox -X firefox
>>>> Traceback (most recent call last):
>>>>     File "/usr/bin/sandbox", line 529, in <module>
>>>>       rc = sandbox.main()
>>>>     File "/usr/bin/sandbox", line 513, in main
>>>>       self.__parse_options()
>>>>     File "/usr/bin/sandbox", line 308, in __parse_options
>>>>       """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
>>>> "sandbox_type"))['types'])
>>>> TypeError: list object is not an iterator
>>> Which version of python and setools are you using?
>> I have installed setools4 from source, both running setup.py via python
>> and via python3 to install it for python 2.7 and python 3.5 (both are
>> installed on Fedora, with python referencing 2.7 by default).  I have
>> likewise built and installed the selinux userspace with PYTHON=python
>> and with PYTHON=python3. I have tried running sandbox via python and via
>> python3, and it yields the same exception in both cases with your patch,
>> and works fine without your patch.
> Ok, I forcibly removed the Fedora setools* packages (which also
> uninstalled policycoreutils) and built and installed setools4 and
> policycoreutils from upstream source again.  Now I do not get that
> exception with your patch, but it also works fine without your patch - I
> see no difference in behavior.  Not sure what I am missing.

If I don't have the sandbox policy installed I get a backtrace instead 
of a nice error:

Traceback (most recent call last):
   File "sandbox", line 529, in <module>
     rc = sandbox.main()
   File "sandbox", line 513, in main
     self.__parse_options()
   File "sandbox", line 308, in __parse_options
     """) % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))[0]['types'])
IndexError: list index out of range
Stephen Smalley Nov. 8, 2016, 3:08 p.m. UTC | #6
On 11/08/2016 09:58 AM, Laurent Bigonville wrote:
> On 08/11/16 at 15:57, Stephen Smalley wrote:
>> On 11/08/2016 08:34 AM, Stephen Smalley wrote:
>>> On 11/07/2016 06:09 PM, Laurent Bigonville wrote:
>>>> On 07/11/16 at 22:13, Stephen Smalley wrote:
>>>>> On 11/07/2016 03:01 AM, Laurent Bigonville wrote:
>>>>>> From: Laurent Bigonville <bigon@bigon.be>
>>>>>>
>>>>>> sepolicy.info() now returns a generator, use next() to get the
>>>>>> results.
>>>>> This breaks sandbox for me,
>>>>> $ /usr/bin/sandbox -X firefox
>>>>> Traceback (most recent call last):
>>>>>     File "/usr/bin/sandbox", line 529, in <module>
>>>>>       rc = sandbox.main()
>>>>>     File "/usr/bin/sandbox", line 513, in main
>>>>>       self.__parse_options()
>>>>>     File "/usr/bin/sandbox", line 308, in __parse_options
>>>>>       """) % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE,
>>>>> "sandbox_type"))['types'])
>>>>> TypeError: list object is not an iterator
>>>> Which version of python and setools are you using?
>>> I have installed setools4 from source, both running setup.py via python
>>> and via python3 to install it for python 2.7 and python 3.5 (both are
>>> installed on Fedora, with python referencing 2.7 by default).  I have
>>> likewise built and installed the selinux userspace with PYTHON=python
>>> and with PYTHON=python3. I have tried running sandbox via python and via
>>> python3, and it yields the same exception in both cases with your patch,
>>> and works fine without your patch.
>> Ok, I forcibly removed the Fedora setools* packages (which also
>> uninstalled policycoreutils) and built and installed setools4 and
>> policycoreutils from upstream source again.  Now I do not get that
>> exception with your patch, but it also works fine without your patch - I
>> see no difference in behavior.  Not sure what I am missing.
> 
> If I don't have the sandbox policy installed I get a backtrace instead
> of a nice error:
> 
> Traceback (most recent call last):
>   File "sandbox", line 529, in <module>
>     rc = sandbox.main()
>   File "sandbox", line 513, in main
>     self.__parse_options()
>   File "sandbox", line 308, in __parse_options
>     """) % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE,
> "sandbox_type"))[0]['types'])
> IndexError: list index out of range

Ok, got it.  If you could include reproducer information in your patch
descriptions, that would help.  Applied this one.
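
The three tracebacks in this thread come from two different return shapes of sepolicy.info() meeting two different expressions. The following is an added example, not code from the patch or from policycoreutils: `info_as_list`, `info_as_generator` and the "portable" expression are hypothetical stand-ins, and the sample record is constructed.

```python
# Constructed stand-ins for sepolicy.info(); the real call needs a loaded policy.
SAMPLE = [{"name": "sandbox_type", "types": ["sandbox_t", "sandbox_x_t"]}]


def info_as_list(installed):
    """Shape seen in comment #1: the result is a plain list."""
    return list(SAMPLE) if installed else []


def info_as_generator(installed):
    """Shape the patch description assumes: the result is a generator."""
    for record in info_as_list(installed):
        yield record


EXPRESSIONS = {
    "pre-patch": lambda r: list(r)[0]["types"],     # removed lines of the patch
    "patched": lambda r: next(r)["types"],          # added lines of the patch
    "portable": lambda r: next(iter(r))["types"],   # hypothetical alternative
}


def outcome(expr, result):
    """Return 'ok' or the name of the exception the expression raises."""
    try:
        expr(result)
        return "ok"
    except (TypeError, IndexError, StopIteration) as exc:
        return type(exc).__name__


def matrix():
    """Evaluate every expression against every return shape and policy state."""
    table = {}
    for name, expr in EXPRESSIONS.items():
        for shape, source in (("list", info_as_list),
                              ("generator", info_as_generator)):
            for installed in (True, False):
                state = "installed" if installed else "missing"
                table[(name, shape, state)] = outcome(expr, source(installed))
    return table


if __name__ == "__main__":
    for key, value in sorted(matrix().items()):
        print("%-10s %-10s %-10s -> %s" % (key + (value,)))
```
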
Patch

diff --git a/policycoreutils/sandbox/sandbox b/policycoreutils/sandbox/sandbox
index 4010e83..c07a1d8 100644
--- a/policycoreutils/sandbox/sandbox
+++ b/policycoreutils/sandbox/sandbox
@@ -305,8 +305,8 @@  kill -TERM $WM_PID  2> /dev/null
             types = _("""
 Policy defines the following types for use with the -t:
 \t%s
-""") % "\n\t".join(list(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))[0]['types'])
-        except RuntimeError:
+""") % "\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))['types'])
+        except StopIteration:
             pass
 
         usage = _("""
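
Review bot: `next()` in the added `"\n\t".join(next(sepolicy.info(sepolicy.ATTRIBUTE, "sandbox_type"))['types'])` line only works when sepolicy.info() returns an iterator. With a sepolicy build that returns a list it raises TypeError ("list object is not an iterator"), as reported in comment #1, and the new `except StopIteration:` does not catch that. Writing the call as `next(iter(sepolicy.info(...)))` accepts both return types and still raises StopIteration on an empty result. Since the handler body is `pass`, a one-line comment saying that a missing sandbox_type attribute is deliberately ignored here would also help the next reader.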
@@ -380,8 +380,8 @@  sandbox [-h] [-l level ] [-[X|M] [-H homedir] [-T tempdir]] [-I includefile ] [-
             self.setype = DEFAULT_X_TYPE
         else:
             try:
-                sepolicy.info(sepolicy.TYPE, "sandbox_t")
-            except RuntimeError:
+                next(sepolicy.info(sepolicy.TYPE, "sandbox_t"))
+            except StopIteration:
                 raise ValueError(_("Sandbox Policy is not currently installed.\nYou need to install the selinux-policy-sandbox package in order to run this command"))
 
         if self.__options.setype:
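
Review bot: Replacing `except RuntimeError:` with `except StopIteration:` around `next(sepolicy.info(sepolicy.TYPE, "sandbox_t"))` removes the old handler outright, so if sepolicy.info() can still raise RuntimeError the user gets a traceback instead of the "Sandbox Policy is not currently installed" message. Consider `except (StopIteration, RuntimeError):` unless RuntimeError is known to be impossible now, and say so in the commit message. The commit message should also carry the reproducer (running sandbox without the sandbox policy installed), as asked for in comment #6.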