diff mbox series

semanage: list all nodes even if not attributed with node_type

Message ID 20230604160334.10484-1-toiwoton@gmail.com (mailing list archive)
State New, archived
Delegated to: Petr Lautrbach
Headers show
Series semanage: list all nodes even if not attributed with node_type | expand

Commit Message

Topi Miettinen June 4, 2023, 4:03 p.m. UTC
For `semanage node -l`, show also nodes which are not attributed with
`node_type`. Such nodes may exist in custom policies and even the
attribute `node_type` may not be defined.

Fix also bash completion to work with such policies and actually start
using __get_all_node_types().

This fixes the following error with `semanage node -l`:

Traceback (most recent call last):
  File "/usr/sbin/semanage", line 975, in <module>
    do_parser()
  File "/usr/sbin/semanage", line 947, in do_parser
    args.func(args)
  File "/usr/sbin/semanage", line 652, in handleNode
    OBJECT = object_dict['node'](args)
             ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/seobject.py", line 1850, in __init__
    self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "node_type"))[0]["types"])
                            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^
IndexError: list index out of range

Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
---
 python/semanage/semanage-bash-completion.sh |  7 ++++++-
 python/semanage/seobject.py                 |  2 +-
 python/sepolicy/sepolicy/__init__.py        | 13 +++++++++++++
 3 files changed, 20 insertions(+), 2 deletions(-)
diff mbox series

Patch

diff --git a/python/semanage/semanage-bash-completion.sh b/python/semanage/semanage-bash-completion.sh
index d0dd139f..54a4d8ad 100644
--- a/python/semanage/semanage-bash-completion.sh
+++ b/python/semanage/semanage-bash-completion.sh
@@ -43,7 +43,7 @@  __get_all_domains () {
     seinfo -adomain -x 2>/dev/null | tail -n +2 
 }
 __get_all_node_types () { 
-    seinfo -anode_type -x 2>/dev/null | tail -n +2 
+    seinfo --nodecon -x 2>/dev/null | sed -n 's/^\s\+nodecon\s\+\S\+\s\+\S\+\s\+[^:]\+:[^:]\+:\([^:]\+\):\S\+$/\1/gp'
 }
 __get_all_file_types () { 
     seinfo -afile_type -x 2>/dev/null | tail -n +2 
@@ -98,6 +98,11 @@  _semanage () {
 	            COMPREPLY=( $(compgen -W "$( __get_all_modules ) " -- "$cur") )
 		    return 0
 		fi
+	elif [ "$command" = "node" ]; then
+		if [ "$prev" = "-t" ] || [ "$prev" = "--type" ]; then
+	            COMPREPLY=( $(compgen -W "$( __get_all_node_types ) " -- "$cur") )
+		    return 0
+		fi
 	fi
 	if   [ "$verb" = "" -a "$prev" = "semanage" ]; then
                 comps="${VERBS[*]}"
diff --git a/python/semanage/seobject.py b/python/semanage/seobject.py
index d82da494..cc208a81 100644
--- a/python/semanage/seobject.py
+++ b/python/semanage/seobject.py
@@ -1848,7 +1848,7 @@  class nodeRecords(semanageRecords):
         semanageRecords.__init__(self, args)
         self.protocol = ["ipv4", "ipv6"]
         try:
-            self.valid_types = list(list(sepolicy.info(sepolicy.ATTRIBUTE, "node_type"))[0]["types"])
+            self.valid_types = list(list(sepolicy.info(sepolicy.NODE)))
         except RuntimeError:
             pass
 
diff --git a/python/sepolicy/sepolicy/__init__.py b/python/sepolicy/sepolicy/__init__.py
index c177cdfc..829f5c61 100644
--- a/python/sepolicy/sepolicy/__init__.py
+++ b/python/sepolicy/sepolicy/__init__.py
@@ -13,6 +13,7 @@  import re
 import gzip
 
 from setools.boolquery import BoolQuery
+from setools.nodeconquery import NodeconQuery
 from setools.portconquery import PortconQuery
 from setools.policyrep import SELinuxPolicy
 from setools.objclassquery import ObjClassQuery
@@ -49,6 +50,7 @@  PORT = 4
 USER = 5
 BOOLEAN = 6
 TCLASS = 7
+NODE = 8
 
 ALLOW = 'allow'
 AUDITALLOW = 'auditallow'
@@ -299,6 +301,17 @@  def info(setype, name=None):
             'permlist': list(x.perms),
         } for x in q.results())
 
+    elif setype == NODE:
+        q = NodeconQuery(_pol)
+        if name:
+            q.name = name
+
+        return ({
+            'address': re.fullmatch('nodecon (\S+) \S+ \S+', str(x)).group(1),
+            'mask': re.fullmatch('nodecon \S+ (\S+) \S+', str(x)).group(1),
+            'type': re.fullmatch('nodecon \S+ \S+ (\S+)', str(x)).group(1)
+        } for x in list(q.results()))
+
     else:
         raise ValueError("Invalid type")