diff mbox series

sepolicy: Do not try to load policy on import

Message ID 20210223150328.56028-1-plautrba@redhat.com (mailing list archive)
State Accepted
Headers show
Series sepolicy: Do not try to load policy on import | expand

Commit Message

Petr Lautrbach Feb. 23, 2021, 3:03 p.m. UTC
When a policy is inaccessible, scripts fail right "import sepolicy". With
this change we let the "sepolicy" module to import and move the policy
initialization before it's used for the first time.

Fixes:
    >>> import seobject
    Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy
        _pol = setools.SELinuxPolicy(policy_file)
      File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__
      File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy
    PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module>
        import sepolicy
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module>
        raise e
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module>
        policy(policy_file)
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy
        raise ValueError(_("Failed to read %s policy file") % policy_file)
    ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---

It's based on review from https://lore.kernel.org/selinux/CAEjxPJ5gK_DdNxpjMq8tvvhkq1hxsoE5vTNZAa=hiP-6s=an8Q@mail.gmail.com/T/#m88ed2c2522a5b3907b607fdf08fde5dbf8d48571


 python/sepolicy/sepolicy/__init__.py | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

Comments

Nicolas Iooss Feb. 28, 2021, 8:33 a.m. UTC | #1
On Tue, Feb 23, 2021 at 4:06 PM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> When a policy is inaccessible, scripts fail right "import sepolicy". With
> this change we let the "sepolicy" module to import and move the policy
> initialization before it's used for the first time.
>
> Fixes:
>     >>> import seobject
>     Traceback (most recent call last):
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy
>         _pol = setools.SELinuxPolicy(policy_file)
>       File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__
>       File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy
>     PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33'
>
>     During handling of the above exception, another exception occurred:
>
>     Traceback (most recent call last):
>       File "<stdin>", line 1, in <module>
>       File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module>
>         import sepolicy
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module>
>         raise e
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module>
>         policy(policy_file)
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy
>         raise ValueError(_("Failed to read %s policy file") % policy_file)
>     ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file
>
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
>
> It's based on review from https://lore.kernel.org/selinux/CAEjxPJ5gK_DdNxpjMq8tvvhkq1hxsoE5vTNZAa=hiP-6s=an8Q@mail.gmail.com/T/#m88ed2c2522a5b3907b607fdf08fde5dbf8d48571

Many thanks!! I have been thinking about this issue for quite some
time and your patch fixes it nicely :) Actually "global _pol"
statements are not required, because _pol is only read in the modified
functions, but they make the code more readable (in my humble opinion)
so I think it is better to introduce them anyway.

Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>

And I directly merged it. Thanks!
Nicolas

>  python/sepolicy/sepolicy/__init__.py | 17 ++++++++++++-----
>  1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> index e4540977d042..7309875c7e27 100644
> --- a/python/sepolicy/sepolicy/__init__.py
> +++ b/python/sepolicy/sepolicy/__init__.py
> @@ -178,15 +178,15 @@ def load_store_policy(store):
>          return None
>      policy(policy_file)
>
> -try:
> +def init_policy():
>      policy_file = get_installed_policy()
>      policy(policy_file)
> -except ValueError as e:
> -    if selinux.is_selinux_enabled() == 1:
> -        raise e
> -
>
>  def info(setype, name=None):
> +    global _pol
> +    if not _pol:
> +        init_policy()
> +
>      if setype == TYPE:
>          q = setools.TypeQuery(_pol)
>          q.name = name
> @@ -337,6 +337,9 @@ def _setools_rule_to_dict(rule):
>
>
>  def search(types, seinfo=None):
> +    global _pol
> +    if not _pol:
> +        init_policy()
>      if not seinfo:
>          seinfo = {}
>      valid_types = set([ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW])
> @@ -916,6 +919,10 @@ def get_all_roles():
>      if roles:
>          return roles
>
> +    global _pol
> +    if not _pol:
> +        init_policy()
> +
>      q = setools.RoleQuery(_pol)
>      roles = [str(x) for x in q.results() if str(x) != "object_r"]
>      return roles
> --
> 2.30.1
>
diff mbox series

Patch

diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index e4540977d042..7309875c7e27 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -178,15 +178,15 @@  def load_store_policy(store):
         return None
     policy(policy_file)
 
-try:
+def init_policy():
     policy_file = get_installed_policy()
     policy(policy_file)
-except ValueError as e:
-    if selinux.is_selinux_enabled() == 1:
-        raise e
-
 
 def info(setype, name=None):
+    global _pol
+    if not _pol:
+        init_policy()
+
     if setype == TYPE:
         q = setools.TypeQuery(_pol)
         q.name = name
@@ -337,6 +337,9 @@  def _setools_rule_to_dict(rule):
 
 
 def search(types, seinfo=None):
+    global _pol
+    if not _pol:
+        init_policy()
     if not seinfo:
         seinfo = {}
     valid_types = set([ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW])
@@ -916,6 +919,10 @@  def get_all_roles():
     if roles:
         return roles
 
+    global _pol
+    if not _pol:
+        init_policy()
+
     q = setools.RoleQuery(_pol)
     roles = [str(x) for x in q.results() if str(x) != "object_r"]
     return roles