
[v2,3/3] sepolgen-ifgen: refactor default policy path retrieval

Message ID 20200528125128.26915-3-cgzones@googlemail.com (mailing list archive)
State Superseded
Series [v2,1/3] sepolgen: parse gen_tunable as bool

Commit Message

Christian Göttsche May 28, 2020, 12:51 p.m. UTC
On an SELinux-disabled system `selinux.security_policyvers()` will fail;
do not bail out but use a fallback policy version to check if a binary
policy file with that extension exists.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 python/audit2allow/sepolgen-ifgen | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

Comments

Stephen Smalley May 29, 2020, 2:45 p.m. UTC | #1
On Thu, May 28, 2020 at 8:52 AM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> On an SELinux-disabled system `selinux.security_policyvers()` will fail;
> do not bail out but use a fallback policy version to check if a binary
> policy file with that extension exists.

Technically we should be using sepol_policy_kern_vers_max() as the
upper bound since this is for the purpose of reading the policy by
sepolgen-ifgen-attr-helper and it requires that the policy version be
known to the version of libsepol against which it was compiled but I
guess there isn't a python wrapper for it.  Not sure why we aren't
just having sepolgen-ifgen-attr-helper itself find the policy file in
which case it could call sepol_policy_kern_vers_max().  Not keen on
hardcoding an upper bound here.

>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
> ---
>  python/audit2allow/sepolgen-ifgen | 22 ++++++++++++----------
>  1 file changed, 12 insertions(+), 10 deletions(-)
>
> diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
> index 4a71cda4..48e60f1d 100644
> --- a/python/audit2allow/sepolgen-ifgen
> +++ b/python/audit2allow/sepolgen-ifgen
> @@ -69,7 +69,11 @@ def get_policy():
>      p = selinux.selinux_current_policy_path()
>      if p and os.path.exists(p):
>          return p
> -    i = selinux.security_policyvers()
> +    try:
> +        i = selinux.security_policyvers()
> +    except OSError:
> +        # SELinux Disabled Machine
> +        i = 50 # some high enough default value
>      p = selinux.selinux_binary_policy_path() + "." + str(i)
>      while i > 0 and not os.path.exists(p):
>          i = i - 1
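Review bot: the literal `50` on the `i = 50 # some high enough default value` line is a magic number that quietly sets the highest `policy.<N>` file the fallback will ever probe; hoist it into a named module-level constant with a comment stating that it only bounds the downward search and must be raised when libsepol gains a newer policy version, and PEP 8 wants two spaces before an inline comment (`i = 50  # ...`).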
> @@ -80,18 +84,16 @@ def get_policy():
>
>
>  def get_attrs(policy_path, attr_helper):
> +    if not policy_path:
> +        policy_path = get_policy()
> +    if not policy_path:
> +        sys.stderr.write("No installed policy to check\n")
> +        return None
> +
>      try:
> -        if not policy_path:
> -            policy_path = get_policy()
> -        if not policy_path:
> -            sys.stderr.write("No installed policy to check\n")
> -            return None
>          outfile = tempfile.NamedTemporaryFile()
>      except IOError as e:
> -        sys.stderr.write("could not open attribute output file\n")
> -        return None
> -    except OSError:
> -        # SELinux Disabled Machine
> +        sys.stderr.write("could not open attribute output file: %s\n" % e)
>          return None
>
>      fd = open("/dev/null", "w")
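Review bot: dropping the `except OSError:` branch around `tempfile.NamedTemporaryFile()` is only safe on Python 3, where `IOError` is an alias of `OSError` and the remaining `except IOError as e:` therefore still catches a failing temporary-file creation; on Python 2 the two are distinct classes and that `OSError` would now propagate as an uncaught traceback. If the script is Python 3 only, say so in the commit message, or write `except OSError as e:` directly, which is the idiomatic spelling there.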
> --
> 2.27.0.rc2
>

Patch

diff --git a/python/audit2allow/sepolgen-ifgen b/python/audit2allow/sepolgen-ifgen
index 4a71cda4..48e60f1d 100644
--- a/python/audit2allow/sepolgen-ifgen
+++ b/python/audit2allow/sepolgen-ifgen
@@ -69,7 +69,11 @@  def get_policy():
     p = selinux.selinux_current_policy_path()
     if p and os.path.exists(p):
         return p
-    i = selinux.security_policyvers()
+    try:
+        i = selinux.security_policyvers()
+    except OSError:
+        # SELinux Disabled Machine
+        i = 50 # some high enough default value
     p = selinux.selinux_binary_policy_path() + "." + str(i)
     while i > 0 and not os.path.exists(p):
         i = i - 1
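Review bot: the new `except OSError:` around `selinux.security_policyvers()` treats every failure as an SELinux-disabled machine, but the binding raises the same exception when selinuxfs is mounted and merely unreadable by the caller (an EACCES in a confined or unprivileged context), so in that case the script would silently start probing `policy.50` downwards instead of surfacing the real error. Consider gating the fallback on `selinux.is_selinux_enabled()` returning 0 and re-raising otherwise, or at least inspecting the exception's `errno` before taking the "SELinux Disabled Machine" path.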
@@ -80,18 +84,16 @@  def get_policy():
 
 
 def get_attrs(policy_path, attr_helper):
+    if not policy_path:
+        policy_path = get_policy()
+    if not policy_path:
+        sys.stderr.write("No installed policy to check\n")
+        return None
+
     try:
-        if not policy_path:
-            policy_path = get_policy()
-        if not policy_path:
-            sys.stderr.write("No installed policy to check\n")
-            return None
         outfile = tempfile.NamedTemporaryFile()
     except IOError as e:
-        sys.stderr.write("could not open attribute output file\n")
-        return None
-    except OSError:
-        # SELinux Disabled Machine
+        sys.stderr.write("could not open attribute output file: %s\n" % e)
         return None
 
     fd = open("/dev/null", "w")
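Review bot: this hunk is not covered by the commit message, which only describes the `security_policyvers()` fallback; moving the `policy_path` lookup and the "No installed policy to check" early return ahead of the `try:` block, and appending the exception text via `%s` to the "could not open attribute output file" message, are separate behaviour changes that deserve a sentence each in the log or a patch of their own.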