Distinguish policy syntax errors from other OS errors, eg ENOENT.

The policy parser does not set errno, so the libqpol code assumes the
errors from parser code are always invalid syntax, rather than something
else like out of memory.  This may not always be the case, but any other
kind of error is unlikely (and likely catastrophic)

libqpol/policy.c

@@ -200,7 +200,7 @@ static int read_source_policy(qpol_policy_t * qpolicy, const char *progname, int
 		ERR(qpolicy, "%s:  error(s) encountered while parsing configuration\n", progname);
 		queue_destroy(id_queue);
 		id_queue = NULL;
-//		errno = EIO;
+		errno = EINVAL;
 		return -1;
 	}
 	/* rewind the pointer */
@@ -211,13 +211,13 @@ static int read_source_policy(qpol_policy_t * qpolicy, const char *progname, int
 		ERR(qpolicy, "%s:  error(s) encountered while parsing configuration\n", progname);
 		queue_destroy(id_queue);
 		id_queue = NULL;
-//		errno = EIO;
+		errno = EINVAL;
 		return -1;
 	}
 	queue_destroy(id_queue);
 	id_queue = NULL;
 	if (policydb_errors) {
-//		errno = EIO;
+		errno = EINVAL;
 		return -1;
 	}
 	return 0;

setools/__init__.py

@@ -25,7 +25,7 @@ except:  # pragma: no cover
 
 # Python classes for policy representation
 from . import policyrep
-from .policyrep import SELinuxPolicy
+from .policyrep import SELinuxPolicy, InvalidPolicy
 
 # Component Queries
 from . import commonquery

setools/policyrep/__init__.py

@@ -56,6 +56,12 @@ from . import fscontext
 from . import netcontext
 
 
+class InvalidPolicy(SyntaxError):
+
+    """Exception for invalid policy."""
+    pass
+
+
 class SELinuxPolicy(object):
 
     """The complete SELinux policy."""
@@ -68,8 +74,8 @@ class SELinuxPolicy(object):
 
         try:
             self.policy = qpol.qpol_policy_t(policyfile, 0)
-        except OSError as err:
-            raise OSError("Error opening policy file \"{0}\": {1}".format(policyfile, err))
+        except SyntaxError as err:
+            raise InvalidPolicy("Error opening policy file \"{0}\": {1}".format(policyfile, err))
 
     #
     # Policy properties

setools/policyrep/qpol.i

@@ -258,7 +258,11 @@ typedef enum qpol_capability
 %exception qpol_policy {
   $action
   if (!result) {
+    if (errno == EINVAL) {
+        PyErr_SetString(PyExc_SyntaxError, "Invalid policy.");
+    } else {
         PyErr_SetFromErrno(PyExc_OSError);
+    }
     return NULL;
   }
 }

tests/policyrep/selinuxpolicy.py

@@ -15,13 +15,13 @@
 # You should have received a copy of the GNU General Public License
 # along with SETools.  If not, see <http://www.gnu.org/licenses/>.
 #
-
+from __future__ import print_function
 import os
 import subprocess
 import tempfile
 import unittest
 
-from setools import SELinuxPolicy
+from setools import SELinuxPolicy, InvalidPolicy
 from setools.boolquery import BoolQuery
 
 
@@ -54,8 +54,13 @@ class SELinuxPolicyTest(unittest.TestCase):
         self.p_binary = SELinuxPolicy(self.policy_path)
 
     def test_001_open_policy_error(self):
-        """SELinuxPolicy: error on open."""
-        self.assertRaises(OSError, SELinuxPolicy, "tests/policyrep/selinuxpolicy-bad.conf")
+        """SELinuxPolicy: Invalid policy on open."""
+        self.assertRaises(InvalidPolicy, SELinuxPolicy, "tests/policyrep/selinuxpolicy-bad.conf")
+        print("The \"category can not be associated\" error above is expected.")
+
+    def test_002_open_policy_non_existant(self):
+        """SELinuxPolicy: Non existant policy on open."""
+        self.assertRaises(OSError, SELinuxPolicy, "tests/policyrep/DOES_NOT_EXIST")
 
     def test_010_handle_unknown(self):
         """SELinuxPolicy: handle unknown setting."""