When a policy is inaccessible, scripts fail right "import sepolicy". With
this change we let the "sepolicy" module to import and move the policy
initialization before it's used for the first time.
Fixes:
>>> import seobject
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 171, in policy
_pol = setools.SELinuxPolicy(policy_file)
File "setools/policyrep/selinuxpolicy.pxi", line 73, in setools.policyrep.SELinuxPolicy.__cinit__
File "setools/policyrep/selinuxpolicy.pxi", line 695, in setools.policyrep.SELinuxPolicy._load_policy
PermissionError: [Errno 13] Permission denied: '//etc/selinux/targeted/policy/policy.33'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "/usr/lib/python3.9/site-packages/seobject.py", line 33, in <module>
import sepolicy
File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 186, in <module>
raise e
File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 183, in <module>
policy(policy_file)
File "/usr/lib/python3.9/site-packages/sepolicy/__init__.py", line 173, in policy
raise ValueError(_("Failed to read %s policy file") % policy_file)
ValueError: Failed to read //etc/selinux/targeted/policy/policy.33 policy file
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
xml.etree.ElementTree.Element.getiterator() was deprecated since Python 3.2 and
dropped in Python 3.9
Fixes:
Verify sepolicy interface -c -i works ... Traceback (most recent call last):
File "/usr/bin/sepolicy", line 691, in <module>
args = parser.parse_args(args=parser_args)
File "/usr/lib64/python3.9/argparse.py", line 1819, in parse_args
args, argv = self.parse_known_args(args, namespace)
File "/usr/lib64/python3.9/argparse.py", line 1852, in parse_known_args
namespace, args = self._parse_known_args(args, namespace)
File "/usr/lib64/python3.9/argparse.py", line 2043, in _parse_known_args
positionals_end_index = consume_positionals(start_index)
File "/usr/lib64/python3.9/argparse.py", line 2020, in consume_positionals
take_action(action, args)
File "/usr/lib64/python3.9/argparse.py", line 1929, in take_action
action(self, namespace, argument_values, option_string)
File "/usr/lib64/python3.9/argparse.py", line 1208, in __call__
subnamespace, arg_strings = parser.parse_known_args(arg_strings, None)
File "/usr/lib64/python3.9/argparse.py", line 1852, in parse_known_args
namespace, args = self._parse_known_args(args, namespace)
File "/usr/lib64/python3.9/argparse.py", line 2061, in _parse_known_args
start_index = consume_optional(start_index)
File "/usr/lib64/python3.9/argparse.py", line 2001, in consume_optional
take_action(action, args, option_string)
File "/usr/lib64/python3.9/argparse.py", line 1929, in take_action
action(self, namespace, argument_values, option_string)
File "/usr/bin/sepolicy", line 216, in __call__
interface_dict = get_interface_dict()
File "/usr/lib/python3.9/site-packages/sepolicy/interface.py", line 149, in get_interface_dict
for i in m.getiterator('interface'):
AttributeError: 'xml.etree.ElementTree.Element' object has no attribute 'getiterator'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
pyflakes 2.2.0 improved the way format strings are analyzed, which
triggers new warnings in flake8:
python/sepolicy/sepolicy/manpage.py:1046:23: F999 '...' % ... has
unused named argument(s): type
python/sepolicy/sepolicy/manpage.py:1225:23: F999 '...' % ... has
unused named argument(s): user
Remove the unused arguments in order to silence these warnings.
This fixes failures in Travis-CI such as
https://travis-ci.org/github/SELinuxProject/selinux/jobs/686230518#L5153
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Acked-by: William Roberts <william.c.roberts@intel.com>
On Debian the `distutils` module is patched, so `get_python_lib()`
returns by default `/usr/lib/python3/dist-packages` (no minor version)
But `setuptools` affecting setup.py is not patched to create the library
directory at `/usr/lib/python3/dist-packages` by default, rather than a
command line argument `--install-layout deb` is added
Add PYTHON_SETUP_ARGS as argument to affected setup.py calls and add a
note in the global README.md
See https://www.debian.org/doc/packaging-manuals/python-policy/packaging_tools.html
Section B.1
Fixes: https://github.com/SELinuxProject/selinux/issues/187
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
The range of unreserved ports starts from 1024 and ends to
65535 (inclusive). (Secure) RPC ports can be between 512 and
1023 (inclusive).
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Delete an unused column from view "Application Transitions From". The
second column displays names of the executable files instead of
booleans.
Signed-off-by: Topi Miettinen <toiwoton@gmail.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
Commit 73b7ff410c ("Only invoke RPM on RPM-enabled Linux distributions") used
platform.linux_distribution() function to detect whether the system is rpm
based. This function is deprecated since Python 3.5 and it's removed from Python
3.8 - https://bugs.python.org/issue28167
The original problem is already fixed by another commit
671f83b42b ("policycoreutils/sepolicy: Check get_rpm_nvr_list() return
value"):
$ sepolicy generate --customize -p mypolicy -n testpolicy -d httpd_sys_script_t -w /home
Failed to retrieve rpm info for selinux-policy
Created the following files:
mypolicy/testpolicy.te # Type Enforcement file
mypolicy/testpolicy.if # Interface file
mypolicy/testpolicy.fc # File Contexts file
mypolicy/testpolicy_selinux.spec # Spec file
mypolicy/testpolicy.sh # Setup Script
Fixes:
File "/usr/lib/python3.8/site-packages/sepolicy/generate.py", line 1384, in generate
if (platform.linux_distribution(full_distribution_name=0)[0] in ("redhat", "centos", "SuSE", "fedora", "mandrake", "mandriva")):
AttributeError: module 'platform' has no attribute 'linux_distribution'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Other python scripts already use python3 by default. Both files don't have exec
bits so they have to be run using python interpret on command line anyway:
$ python3 ./setup.py ...
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Use codespell (https://github.com/codespell-project/codespell) in order
to find many common misspellings that are present in English texts.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
- Python 2.7 is planned to be the last of the 2.x releases
- It's generally advised to use Python 3
- Majority of python/ scripts are already switched python3
- Users with python 2 only can still use:
$ make PYTHON=/usr/bin/python ....
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
setools 4.2.0 dropped support for Python 2. On systems where
/usr/bin/python is Python 2, several tools are now broken because of
this. Update the shebang of these tools to /usr/bin/python3.
For future reference, as semanage/seobject.py, sepolicy and sepolgen
import setools, every program that uses one of these modules need to be
run with Python 3. The following programs do not use any of these
modules so their shebangs have not been modified:
dbus/selinux_server.py
libsemanage/utils/semanage_migrate_store
mcstrans/share/util/mlscolor-test
mcstrans/share/util/mlstrans-test
sandbox/start
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The files in sepolicy's module directory are not supposed to used as
executable files. The shebang line is therefore not needed.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
modify_button_clicked() used variable "type" in a comparison instead of
"ftype". This is a bug, which has been found with flake8 3.7.0. This
linter reported:
python/sepolicy/sepolicy/gui.py:1548:20: F823 local variable 'type'
{0} referenced before assignment
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Flake8 3.7.0 added a new fatal error message when parsing Python files:
python/semanage/semanage:112:16: F632 use ==/!= to compare str, bytes, and int literals
python/semanage/semanage:124:23: F632 use ==/!= to compare str, bytes, and int literals
...
python/sepolgen/src/sepolgen/output.py:77:8: F632 use ==/!= to compare str, bytes, and int literals
python/sepolgen/src/sepolgen/output.py:80:8: F632 use ==/!= to compare str, bytes, and int literals
python/sepolgen/src/sepolgen/output.py:83:8: F632 use ==/!= to compare str, bytes, and int literals
python/sepolicy/sepolicy/generate.py:646:16: F632 use ==/!= to compare str, bytes, and int literals
python/sepolicy/sepolicy/generate.py:1349:16: F632 use ==/!= to compare str, bytes, and int literals
Fix all these warnings.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Flake8 3.7.0 warns about lines that are over-indented, i.e. lines that
are indented with more than 4 spaces:
python/sepolgen/src/sepolgen/refparser.py:1047:26: E117 over-indented
python/sepolgen/src/sepolgen/yacc.py:2569:21: E117 over-indented
python/sepolicy/sepolicy/interface.py:196:13: E117 over-indented
python/sepolicy/sepolicy/interface.py:198:13: E117 over-indented
python/sepolicy/sepolicy/interface.py:215:13: E117 over-indented
python/sepolicy/sepolicy/interface.py:217:13: E117 over-indented
python/sepolicy/sepolicy/manpage.py:172:13: E117 over-indented
python/sepolicy/sepolicy/manpage.py:174:13: E117 over-indented
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Using "sepolicy gui" sometimes leads to an exception when entering the
Files tab:
Traceback (most recent call last):
File "python/sepolicy/sepolicy/gui.py", line 1345, in tab_change
self.show_mislabeled_files_only.set_visible(self.mislabeled_files)
AttributeError: 'SELinuxGui' object has no attribute 'mislabeled_files'
Indeed, when application_selected() calls show_applications_page(), this
function calls tab_change(), which can use mislabeled_files in this
line:
self.show_mislabeled_files_only.set_visible(self.mislabeled_files)
Make sure that mislabeled_files is initialized by defining it in
__init__(), in order to fix this error. Its value will be properly set
later, by calling several initializers, which is why the original
assignment to False is kept in:
self.mislabeled_files = False
self.executable_files_initialize(app)
self.network_initialize(app)
self.writable_files_initialize(app)
self.transitions_into_initialize(app)
self.transitions_from_initialize(app)
self.application_files_initialize(app)
self.transitions_files_initialize(app)
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
The sorting order seems to be fragile because '100' < '99', so the policy
filename needs to be parsed in order to extract the version as an integer and
sort according to it.
Based on idea from Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
load_store_policy() allows to (re)load SELinux policy based on a store name. It
is useful when SELinux is disabled and default policy is not installed; or when
a user wants to query or manipulate another policy.
Related: https://bugzilla.redhat.com/show_bug.cgi?id=1558861
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
dontaudit rules were accidentally dropped during rewrite to SETools 4 API in
97d5f6a2
Fixes:
>>> import sepolicy
>>> sepolicy.search(['dontaudit'])
[]
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
Aliases are not used in the selinux database. When user enters a type
alias as a parameter it should be converted to the corresponding type
in order to be processed correctly further in the userspace logic.
Fixes e.g.:
\#sepolicy transition -s phpfpm_t
/* where phpfpm_t is a type alias of httpd_t */
Traceback (most recent call last):
File "/usr/bin/sepolicy", line 691, in <module>
args.func(args)
File "/usr/bin/sepolicy", line 458, in transition
mytrans = setrans(args.source, args.target)
File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 48, in __init__
self._process(self.source)
File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 54, in _process
trans = _get_trans(source)
File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 36, in _get_trans
src_list = [src] + list(filter(lambda x: x['name'] == src, sepolicy.get_all_types_info()))[0]['attributes']
IndexError: list index out of range
Change in internal setools API causes sepolicy to crash when processing
AVRules.
File "python/sepolicy/sepolicy/__init__.py", line 277, in _setools_rule_to_dict
if isinstance(rule, setools.policyrep.terule.AVRule):
AttributeError: module 'setools.policyrep' has no attribute 'terule'
See https://github.com/SELinuxProject/setools/issues/8 for more details.
Stop using internal setools API:
- use AttributeError instead of setools specific exceptions
- evaluate conditional expressions using conditional.evaluate() instead
of qpol_symbol.is_enabled()
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Python does not need to end a statement with a semicolon. Doing this
gets reported by linters such as flake8 ("E703 statement ends with a
semicolon").
Remove such semicolons in the code and enable this warning in
scripts/run-flake8.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This module is not used and its name conflicts with variable "types".
This issue has been found using flake8. This Python linter reported:
python/sepolicy/sepolicy/generate.py:657:5: F811 redefinition of
unused 'types' from line 31
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This issue has been found using flake8. This Python linter reported:
python/sepolicy/sepolicy.py:582:5: F811 redefinition of unused
'DAEMON' from line 582
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Some function used variables which were not defined when populating
self.cur_dict with an operation. Fix this, even though the old values do
not seem to be used.
This issue has been found using flake8. This Python linter reported:
python/sepolicy/sepolicy/gui.py:2020:101: F821 undefined name 'oldsetype'
python/sepolicy/sepolicy/gui.py:2020:122: F821 undefined name 'oldmls'
python/sepolicy/sepolicy/gui.py:2020:142: F821 undefined name 'oldclass'
python/sepolicy/sepolicy/gui.py:2050:133: F821 undefined name 'oldmls'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
procotol -> protocol
This issue has been found using flake8. This Python linter reported:
python/sepolicy/sepolicy/gui.py:2525:132: F821 undefined name 'procotol'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
SELinuxGui.files_initial_data_insert() uses both "seLinux_label" and
"selinux_label", which leads to using an undefined variable, as reported
by flake8:
python/sepolicy/sepolicy/gui.py:1191:42: F821 undefined name 'selinux_label'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
CheckPolicyType class is not used in sepolicy and has been written from
an buggy copy-paste: "newval.append(v)" does not make any sense in
CheckPolicyType.__call__, as reported by flake8:
python/sepolicy/sepolicy.py:190:13: F821 undefined name 'newval'
python/sepolicy/sepolicy.py:190:27: F821 undefined name 'v'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
in class policy, ports is usually initialized with the result of
get_all_ports(), which is a dict. If this function failed, the error was
not fatal but ports was left initialized as a list, which would trigger
other errors when accessing it.
Initialize ports as an empty dict in order to fix this issue.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When using sepolgen GUI on a system with a non-MLS policy,
sepolicy.info(sepolicy.PORT) does not define "range" attributes (since
commit 908340e8e7 ("sepolicy: support non-MLS policy in manpage")).
Replace them with None in get_all_ports() result.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When a translated string takes parameters with %, the % and the
parameters need to be after the call to the underline function in order
to work properly.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
It was removed from Python 3
Fixes:
File "polgengui.py", line 390, in forward
self.generate_policy()
File "polgengui.py", line 491, in generate_policy
my_policy.set_use_syslog(self.syslog_checkbutton.get_active() == 1)
File "/home/plautrba/devel/github/bachradsusi/SELinuxProject-selinux/python/sepolicy/sepolicy/generate.py", line 468, in set_use_syslog
if not isinstance(val, types.BooleanType):
AttributeError: module 'types' has no attribute 'BooleanType'
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>