
[PR#394] semanage: list all ports even if not attributed with port_type

Message ID 20230530174929.10325-1-toiwoton@gmail.com (mailing list archive)
State Changes Requested
Delegated to: Petr Lautrbach

Commit Message

Topi Miettinen May 30, 2023, 5:49 p.m. UTC
Show also ports which are not attributed with `port_type`. Such ports
may exist in custom policies and even the attribute `port_type` may
not be defined.

This fixes the following error:

Traceback (most recent call last):
  File "/usr/sbin/semanage", line 975, in <module>
    do_parser()
  File "/usr/sbin/semanage", line 947, in do_parser
    args.func(args)
  File "/usr/sbin/semanage", line 441, in handlePort
    OBJECT = object_dict['port'](args)
             ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/seobject.py", line 1057, in __init__
    self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
IndexError: list index out of range

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 python/semanage/seobject.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Petr Lautrbach June 2, 2023, 12:13 p.m. UTC | #1
Topi Miettinen <toiwoton@gmail.com> writes:

> Show also ports which are not attributed with `port_type`. Such ports
> may exist in custom policies and even the attribute `port_type` may
> not be defined.
>
> This fixes the following error:
>
> Traceback (most recent call last):
>   File "/usr/sbin/semanage", line 975, in <module>
>     do_parser()
>   File "/usr/sbin/semanage", line 947, in do_parser
>     args.func(args)
>   File "/usr/sbin/semanage", line 441, in handlePort
>     OBJECT = object_dict['port'](args)
>              ^^^^^^^^^^^^^^^^^^^^^^^^^
>   File "/usr/lib/python3/dist-packages/seobject.py", line 1057, in __init__
>     self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
>                             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
> IndexError: list index out of range
>
> Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
> ---
>  python/semanage/seobject.py | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
> index d82da494..72a2ec55 100644
> --- a/python/semanage/seobject.py
> +++ b/python/semanage/seobject.py
> @@ -1055,7 +1055,7 @@ class portRecords(semanageRecords):
>      def __init__(self, args = None):
>          semanageRecords.__init__(self, args)
>          try:
> -            self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
> +            self.valid_types = list(list(sepolicy.info(sepolicy.PORT))[0]["type"])

I think it's a good approach. But the change seems to produce wrong results:

$ python
>>> import sepolicy
>>> list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
['afs3_callback_port_t', 'afs_bos_port_t', 'afs_fs_port_t', 'afs_ka_port_t', 'afs_pt_port_t', 'afs_vl_port_t', 'agentx_port_t', 'amanda_port_t', 'amavisd_recv_port_t', 'amavisd_send_port_t', 'amqp_port_t', 'aol_port_t', 'apc_port_t', 'apcupsd_port_t', 'apertus_ldp_port_t', 'appswitch_emp_port_t', 'asterisk_port_t', 'audit_port_t', 'auth_port_t', 'babel_port_t', 'bacula_port_t', 'bctp_port_t', 'bfd_control_port_t', 'bfd_echo_port_t', 'bfd_multi_port_t', 'bgp_port_t', 'biff_port_t', 'boinc_client_port_t', 'boinc_port_t', 'brlp_port_t', 'certmaster_port_t', 'chronyd_port_t', 'clamd_port_t', 'clockspeed_port_t', 'cluster_port_t', 'cma_port_t', 'cmadmin_port_t', 'cobbler_port_t', 'collectd_port_t', 'commplex_link_port_t', 'commplex_main_port_t', 'comsat_port_t', 'condor_port_t', 'conman_port_t', 'connlcli_port_t', 'conntrackd_port_t', 'couchdb_port_t', 'ctdb_port_t', 'cvs_port_t', 'cyphesis_port_t', 'cyrus_imapd_port_t', 'daap_port_t', 'dbskkd_port_t', 'dcc_port_t', 'dccm_port_t', 'dey_keyneg_port_t', 'dey_sapi_port_t', 'dhcpc_port_t', 'dhcpd_port_t', 'dict_port_t', 'distccd_port_t', 'dns_port_t', 'dnssec_port_t', 'dogtag_port_t', 'echo_port_t', 'efs_port_t', 'embrace_dp_c_port_t', 'ephemeral_port_t', 'epmap_port_t', 'epmd_port_t', 'fac_restore_port_t', 'fingerd_port_t', 'firepower_port_t', 'flash_port_t', 'fmpro_internal_port_t', 'freeipmi_port_t', 'ftp_data_port_t', 'ftp_port_t', 'gatekeeper_port_t', 'gdomap_port_t', 'gds_db_port_t', 'gear_port_t', 'geneve_port_t', 'giftd_port_t', 'git_port_t', 'glance_port_t', 'glance_registry_port_t', 'gluster_port_t', 'gopher_port_t', 'gpsd_port_t', 'hadoop_datanode_port_t', 'hadoop_namenode_port_t', 'hddtemp_port_t', 'hi_reserved_port_t', 'howl_port_t', 'hplip_port_t', 'http_cache_port_t', 'http_port_t', 'i18n_input_port_t', 'ibm_dt_2_port_t', 'imaze_port_t', 'inetd_child_port_t', 'innd_port_t', 'intermapper_port_t', 'interwise_port_t', 'ionixnetmon_port_t', 'ipmi_port_t', 'ipp_port_t', 'ipsecnat_port_t', 'ircd_port_t', 
'isakmp_port_t', 'iscsi_port_t', 'isns_port_t', 'jabber_client_port_t', 'jabber_interserver_port_t', 'jabber_router_port_t', 'jacorb_port_t', 'jboss_debug_port_t', 'jboss_management_port_t', 'jboss_messaging_port_t', 'journal_remote_port_t', 'kerberos_admin_port_t', 'kerberos_password_port_t', 'kerberos_port_t', 'keystone_port_t', 'kprop_port_t', 'ktalkd_port_t', 'kubernetes_port_t', 'l2tp_port_t', 'ldap_port_t', 'lirc_port_t', 'llmnr_port_t', 'lltng_port_t', 'lmtp_port_t', 'lrrd_port_t', 'lsm_plugin_port_t', 'luci_port_t', 'mail_port_t', 'mailbox_port_t', 'matahari_port_t', 'memcache_port_t', 'milter_port_t', 'mmcc_port_t', 'mongod_port_t', 'monopd_port_t', 'mountd_port_t', 'movaz_ssc_port_t', 'mpd_port_t', 'ms_streaming_port_t', 'msnp_port_t', 'mssql_port_t', 'munin_port_t', 'mxi_port_t', 'mysqld_port_t', 'mysqlmanagerd_port_t', 'mythtv_port_t', 'nessus_port_t', 'netport_port_t', 'netsupport_port_t', 'neutron_port_t', 'nfs_port_t', 'nmbd_port_t', 'nmea_port_t', 'nodejs_debug_port_t', 'nsca_port_t', 'nsd_control_port_t', 'ntop_port_t', 'ntp_port_t', 'ntske_port_t', 'oa_system_port_t', 'ocsp_port_t', 'opendnssec_port_t', 'openflow_port_t', 'openhpid_port_t', 'openqa_liveview_port_t', 'openqa_port_t', 'openqa_websockets_port_t', 'openvpn_port_t', 'openvswitch_port_t', 'oracle_port_t', 'osapi_compute_port_t', 'ovsdb_port_t', 'pdps_port_t', 'pegasus_http_port_t', 'pegasus_https_port_t', 'pgpkeyserver_port_t', 'pingd_port_t', 'pki_ca_port_t', 'pki_kra_port_t', 'pki_ocsp_port_t', 'pki_ra_port_t', 'pki_tks_port_t', 'pki_tps_port_t', 'pktcable_cops_port_t', 'pop_port_t', 'port_t', 'portmap_port_t', 'postfix_policyd_port_t', 'postgresql_port_t', 'postgrey_port_t', 'pptp_port_t', 'prelude_port_t', 'presence_port_t', 'preupgrade_port_t', 'printer_port_t', 'priority_e_com_port_t', 'prosody_port_t', 'ptal_port_t', 'ptp_event_port_t', 'pulp_port_t', 'pulseaudio_port_t', 'puppet_port_t', 'pxe_port_t', 'pyzor_port_t', 'qpasa_agent_port_t', 'rabbitmq_port_t', 'radacct_port_t', 
'radius_port_t', 'radsec_port_t', 'razor_port_t', 'redis_port_t', 'repository_port_t', 'reserved_port_t', 'ricci_modcluster_port_t', 'ricci_port_t', 'rkt_port_t', 'rlogin_port_t', 'rlogind_port_t', 'rndc_port_t', 'router_port_t', 'rsh_port_t', 'rsync_port_t', 'rtp_media_port_t', 'rtsclient_port_t', 'rtsp_port_t', 'rwho_port_t', 'salt_port_t', 'sap_port_t', 'saphostctrl_port_t', 'servistaitsm_port_t', 'sge_port_t', 'shellinaboxd_port_t', 'sieve_port_t', 'sip_port_t', 'sixxsconfig_port_t', 'smbd_port_t', 'smntubootstrap_port_t', 'smtp_port_t', 'snmp_port_t', 'socks_port_t', 'soundd_port_t', 'spamd_port_t', 'speech_port_t', 'squid_port_t', 'ssdp_port_t', 'ssh_port_t', 'statsd_port_t', 'stunnel_port_t', 'svn_port_t', 'svrloc_port_t', 'swat_port_t', 'swift_port_t', 'sype_transport_port_t', 'syslog_tls_port_t', 'syslogd_port_t', 'tangd_port_t', 'tcs_port_t', 'telnetd_port_t', 'tftp_port_t', 'time_port_t', 'tor_port_t', 'traceroute_port_t', 'tram_port_t', 'transproxy_port_t', 'trisoap_port_t', 'trivnet1_port_t', 'unreserved_port_t', 'ups_port_t', 'us_cli_port_t', 'utcpserver_port_t', 'uucpd_port_t', 'varnishd_port_t', 'versa_tek_port_t', 'virt_migration_port_t', 'virt_port_t', 'virtual_places_port_t', 'vnc_port_t', 'vqp_port_t', 'wap_wsp_port_t', 'wccp_port_t', 'websm_port_t', 'whois_port_t', 'winshadow_port_t', 'wsdapi_port_t', 'wsicopy_port_t', 'xdmcp_port_t', 'xen_port_t', 'xfs_port_t', 'xinuexpansion3_port_t', 'xinuexpansion4_port_t', 'xmsg_port_t', 'xodbc_connect_port_t', 'xserver_port_t', 'zabbix_agent_port_t', 'zabbix_port_t', 'zarafa_port_t', 'zebra_port_t', 'zented_port_t', 'zookeeper_client_port_t', 'zookeeper_election_port_t', 'zookeeper_leader_port_t', 'zope_port_t', 'container_port_t', 'openshift_port_t', 'pasta_port_t', 'systemd_socket_proxyd_port_t', 'test_port_t']

>>> list(list(sepolicy.info(sepolicy.PORT))[0]["type"])
['i', 'n', 'e', 't', 'd', '_', 'c', 'h', 'i', 'l', 'd', '_', 'p', 'o', 'r', 't', '_', 't']


Something like the following code could work:

>>> [x["type"] for x in list(list(sepolicy.info(sepolicy.PORT)))]


>          except RuntimeError:
>              pass
>  
> -- 
> 2.39.2

Patch

diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index d82da494..72a2ec55 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -1055,7 +1055,7 @@  class portRecords(semanageRecords):
     def __init__(self, args = None):
         semanageRecords.__init__(self, args)
         try:
-            self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "port_type"))[0]["types"])
+            self.valid_types = list(list(sepolicy.info(sepolicy.PORT))[0]["type"])
         except RuntimeError:
             pass
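Review bot: The `except RuntimeError: pass` handler around the new assignment does not cover the failure this patch sets out to fix. The traceback in the commit message is an `IndexError` raised by the `[0]` subscript, and the new line keeps that subscript, so an empty result from `sepolicy.info(sepolicy.PORT)` would still propagate out of `__init__`. When a `RuntimeError` is swallowed, the visible lines never assign `self.valid_types`, so a later read would presumably fail with `AttributeError` instead of a clear message. Consider `self.valid_types = []` before the `try:` and, if any subscript remains, `except (RuntimeError, IndexError):`. The rest of `portRecords` lies outside the hunk, so how `valid_types` is consumed when a port type is validated cannot be confirmed from here.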