Distinguish policy syntax errors from other OS errors, eg ENOENT.

The policy parser does not set errno, so the libqpol code assumes the errors from parser code are always invalid syntax, rather than something else like out of memory. This may not always be the case, but any other kind of error is unlikely (and likely catastrophic)
2025-04-24 20:29:56 +00:00 · 2015-03-06 10:44:32 -05:00 · 2015-03-06 10:44:32 -05:00 · 0b295755de
commit 0b295755de
parent 320c5e60f2
5 changed files with 26 additions and 11 deletions
--- a/libqpol/policy.c
+++ b/libqpol/policy.c
@ -200,7 +200,7 @@ static int read_source_policy(qpol_policy_t * qpolicy, const char *progname, int
 		ERR(qpolicy, "%s:  error(s) encountered while parsing configuration\n", progname);
 		queue_destroy(id_queue);
 		id_queue = NULL;
-//		errno = EIO;
+		errno = EINVAL;
 		return -1;
 	}
 	/* rewind the pointer */
@ -211,13 +211,13 @@ static int read_source_policy(qpol_policy_t * qpolicy, const char *progname, int
 		ERR(qpolicy, "%s:  error(s) encountered while parsing configuration\n", progname);
 		queue_destroy(id_queue);
 		id_queue = NULL;
-//		errno = EIO;
+		errno = EINVAL;
 		return -1;
 	}
 	queue_destroy(id_queue);
 	id_queue = NULL;
 	if (policydb_errors) {
-//		errno = EIO;
+		errno = EINVAL;
 		return -1;
 	}
 	return 0;
--- a/setools/init.py
+++ b/setools/init.py
@ -25,7 +25,7 @@ except:  # pragma: no cover
 # Python classes for policy representation
 from . import policyrep
-from .policyrep import SELinuxPolicy
+from .policyrep import SELinuxPolicy, InvalidPolicy
 # Component Queries
 from . import commonquery
--- a/setools/policyrep/init.py
+++ b/setools/policyrep/init.py
@ -56,6 +56,12 @@ from . import fscontext
 from . import netcontext
 class InvalidPolicy(SyntaxError):
    """Exception for invalid policy."""
    pass
 class SELinuxPolicy(object):
    """The complete SELinux policy."""
@ -68,8 +74,8 @@ class SELinuxPolicy(object):
        try:
            self.policy = qpol.qpol_policy_t(policyfile, 0)
-        except OSError as err:
+        except SyntaxError as err:
-            raise OSError("Error opening policy file \"{0}\": {1}".format(policyfile, err))
+            raise InvalidPolicy("Error opening policy file \"{0}\": {1}".format(policyfile, err))
    #
    # Policy properties
--- a/setools/policyrep/qpol.i
+++ b/setools/policyrep/qpol.i
@ -258,7 +258,11 @@ typedef enum qpol_capability
 %exception qpol_policy {
  $action
  if (!result) {
    if (errno == EINVAL) {
        PyErr_SetString(PyExc_SyntaxError, "Invalid policy.");
    } else {
        PyErr_SetFromErrno(PyExc_OSError);
    }
    return NULL;
  }
 }
--- a/tests/policyrep/selinuxpolicy.py
+++ b/tests/policyrep/selinuxpolicy.py
@ -15,13 +15,13 @@
 # You should have received a copy of the GNU General Public License
 # along with SETools.  If not, see <http://www.gnu.org/licenses/>.
 #
-
+from __future__ import print_function
 import os
 import subprocess
 import tempfile
 import unittest
-from setools import SELinuxPolicy
+from setools import SELinuxPolicy, InvalidPolicy
 from setools.boolquery import BoolQuery
@ -54,8 +54,13 @@ class SELinuxPolicyTest(unittest.TestCase):
        self.p_binary = SELinuxPolicy(self.policy_path)
    def test_001_open_policy_error(self):
-        """SELinuxPolicy: error on open."""
+        """SELinuxPolicy: Invalid policy on open."""
-        self.assertRaises(OSError, SELinuxPolicy, "tests/policyrep/selinuxpolicy-bad.conf")
+        self.assertRaises(InvalidPolicy, SELinuxPolicy, "tests/policyrep/selinuxpolicy-bad.conf")
        print("The \"category can not be associated\" error above is expected.")
    def test_002_open_policy_non_existant(self):
        """SELinuxPolicy: Non existant policy on open."""
        self.assertRaises(OSError, SELinuxPolicy, "tests/policyrep/DOES_NOT_EXIST")
    def test_010_handle_unknown(self):
        """SELinuxPolicy: handle unknown setting."""