sepolicy: Do not try to load policy on import

Message ID	20210223150328.56028-1-plautrba@redhat.com (mailing list archive)
State	Accepted
Headers	show Return-Path: <selinux-owner@kernel.org> From: Petr Lautrbach <plautrba@redhat.com> To: selinux@vger.kernel.org Cc: Petr Lautrbach <plautrba@redhat.com> Subject: [PATCH] sepolicy: Do not try to load policy on import Date: Tue, 23 Feb 2021 16:03:28 +0100 Message-Id: <20210223150328.56028-1-plautrba@redhat.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	sepolicy: Do not try to load policy on import \| expand sepolicy: Do not try to load policy on import

Message ID

20210223150328.56028-1-plautrba@redhat.com (mailing list archive)

State

Accepted

Headers

From: Petr Lautrbach <plautrba@redhat.com>
To: selinux@vger.kernel.org
Cc: Petr Lautrbach <plautrba@redhat.com>
Subject: [PATCH] sepolicy: Do not try to load policy on import
Date: Tue, 23 Feb 2021 16:03:28 +0100
Message-Id: <20210223150328.56028-1-plautrba@redhat.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

sepolicy: Do not try to load policy on import | expand

Commit Message

Petr Lautrbach Feb. 23, 2021, 3:03 p.m. UTC

When a policy is inaccessible, scripts fail right "import sepolicy". With
this change we let the "sepolicy" module to import and move the policy
initialization before it's used for the first time.

Fixes:
    >>> import seobject
    Traceback (most recent call last):
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy
        _pol = setools.SELinuxPolicy(policy_file)
      File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__
      File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy
    PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33'

    During handling of the above exception, another exception occurred:

    Traceback (most recent call last):
      File "<stdin>", line 1, in <module>
      File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module>
        import sepolicy
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module>
        raise e
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module>
        policy(policy_file)
      File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy
        raise ValueError(_("Failed to read %s policy file") % policy_file)
    ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---

It's based on review from https://lore.kernel.org/selinux/CAEjxPJ5gK_DdNxpjMq8tvvhkq1hxsoE5vTNZAa=hiP-6s=an8Q@mail.gmail.com/T/#m88ed2c2522a5b3907b607fdf08fde5dbf8d48571


 python/sepolicy/sepolicy/__init__.py | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

Comments

Nicolas Iooss Feb. 28, 2021, 8:33 a.m. UTC | #1

On Tue, Feb 23, 2021 at 4:06 PM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> When a policy is inaccessible, scripts fail right "import sepolicy". With
> this change we let the "sepolicy" module to import and move the policy
> initialization before it's used for the first time.
>
> Fixes:
>     >>> import seobject
>     Traceback (most recent call last):
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy
>         _pol = setools.SELinuxPolicy(policy_file)
>       File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__
>       File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy
>     PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33'
>
>     During handling of the above exception, another exception occurred:
>
>     Traceback (most recent call last):
>       File "<stdin>", line 1, in <module>
>       File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module>
>         import sepolicy
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module>
>         raise e
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module>
>         policy(policy_file)
>       File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy
>         raise ValueError(_("Failed to read %s policy file") % policy_file)
>     ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file
>
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
>
> It's based on review from https://lore.kernel.org/selinux/CAEjxPJ5gK_DdNxpjMq8tvvhkq1hxsoE5vTNZAa=hiP-6s=an8Q@mail.gmail.com/T/#m88ed2c2522a5b3907b607fdf08fde5dbf8d48571

Many thanks!! I have been thinking about this issue for quite some
time and your patch fixes it nicely :) Actually "global _pol"
statements are not required, because _pol is only read in the modified
functions, but they make the code more readable (in my humble opinion)
so I think it is better to introduce them anyway.

Acked-by: Nicolas Iooss <nicolas.iooss@m4x.org>

And I directly merged it. Thanks!
Nicolas

>  python/sepolicy/sepolicy/__init__.py | 17 ++++++++++++-----
>  1 file changed, 12 insertions(+), 5 deletions(-)
>
> diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
> index e4540977d042..7309875c7e27 100644
> --- a/python/sepolicy/sepolicy/__init__.py
> +++ b/python/sepolicy/sepolicy/__init__.py
> @@ -178,15 +178,15 @@ def load_store_policy(store):
>          return None
>      policy(policy_file)
>
> -try:
> +def init_policy():
>      policy_file = get_installed_policy()
>      policy(policy_file)
> -except ValueError as e:
> -    if selinux.is_selinux_enabled() == 1:
> -        raise e
> -
>
>  def info(setype, name=None):
> +    global _pol
> +    if not _pol:
> +        init_policy()
> +
>      if setype == TYPE:
>          q = setools.TypeQuery(_pol)
>          q.name = name
> @@ -337,6 +337,9 @@ def _setools_rule_to_dict(rule):
>
>
>  def search(types, seinfo=None):
> +    global _pol
> +    if not _pol:
> +        init_policy()
>      if not seinfo:
>          seinfo = {}
>      valid_types = set([ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW])
> @@ -916,6 +919,10 @@ def get_all_roles():
>      if roles:
>          return roles
>
> +    global _pol
> +    if not _pol:
> +        init_policy()
> +
>      q = setools.RoleQuery(_pol)
>      roles = [str(x) for x in q.results() if str(x) != "object_r"]
>      return roles
> --
> 2.30.1
>

diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index e4540977d042..7309875c7e27 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -178,15 +178,15 @@  def load_store_policy(store):
         return None
     policy(policy_file)
 
-try:
+def init_policy():
     policy_file = get_installed_policy()
     policy(policy_file)
-except ValueError as e:
-    if selinux.is_selinux_enabled() == 1:
-        raise e
-
 
 def info(setype, name=None):
+    global _pol
+    if not _pol:
+        init_policy()
+
     if setype == TYPE:
         q = setools.TypeQuery(_pol)
         q.name = name
@@ -337,6 +337,9 @@  def _setools_rule_to_dict(rule):
 
 
 def search(types, seinfo=None):
+    global _pol
+    if not _pol:
+        init_policy()
     if not seinfo:
         seinfo = {}
     valid_types = set([ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW])
@@ -916,6 +919,10 @@  def get_all_roles():
     if roles:
         return roles
 
+    global _pol
+    if not _pol:
+        init_policy()
+
     q = setools.RoleQuery(_pol)
     roles = [str(x) for x in q.results() if str(x) != "object_r"]
     return roles

sepolicy: Do not try to load policy on import

Commit Message

Comments

Patch