PythonSELinux binding problem

PythonSELinux binding problem

[rarob]

Hi,
  I'm using the python selinux bindings to determine if SELinux is
disable/permissive/enforcing.  The following snippet of code works just
fine on RH5 and F10 regardless of the SELinux mode, but fails with an
error on F11/12/13 and RH6 if SELinux is disabled.

$ python -c 'import selinux ; print selinux.security_getenforce()'

Under RH5 and F10 I correctly get the -1/0/1 returns for
disabled/permissive/enforcing, as specified in the man pages for
'security_getenforce'.  Under F11/12/13 and RH6 for permissive and
enforcing I get the correct return values, but if the system is in
disabled mode instead an OSError is thrown for 'No such file or
directory'.  I haven't look at the source for the underlying
security_getenforce() system call, but I suspect is is assuming that the
/selinux pseudo filesystem is populated (as in permissive/enforcing mode),
and is not handling the case where that pseudo filesystem is empty.

For now I've got my python calls wrapped in try/except blocks treating any
exception as SELinux in disabled mode.

I wasn't sure where the best place to log this as a bug is, either for the
libselinux-python package or libselinux itself.

-Rob



--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: PythonSELinux binding problem

[Stephen Smalley]

On Thu, 2011-07-21 at 17:33 -0400, rarob@travelinglightfarm.net wrote:
> Hi,
>   I'm using the python selinux bindings to determine if SELinux is
> disable/permissive/enforcing.  The following snippet of code works just
> fine on RH5 and F10 regardless of the SELinux mode, but fails with an
> error on F11/12/13 and RH6 if SELinux is disabled.
> 
> $ python -c 'import selinux ; print selinux.security_getenforce()'
> 
> Under RH5 and F10 I correctly get the -1/0/1 returns for
> disabled/permissive/enforcing, as specified in the man pages for
> 'security_getenforce'.  Under F11/12/13 and RH6 for permissive and
> enforcing I get the correct return values, but if the system is in
> disabled mode instead an OSError is thrown for 'No such file or
> directory'.  I haven't look at the source for the underlying
> security_getenforce() system call, but I suspect is is assuming that the
> /selinux pseudo filesystem is populated (as in permissive/enforcing mode),
> and is not handling the case where that pseudo filesystem is empty.
> 
> For now I've got my python calls wrapped in try/except blocks treating any
> exception as SELinux in disabled mode.
> 
> I wasn't sure where the best place to log this as a bug is, either for the
> libselinux-python package or libselinux itself.

I don't know why this would have ever worked, as security_getenforce()
has always returned -1 with errno ENOENT if there is no selinuxfs mount.
Maybe the older python bindings handled this error condition?  The
correct test for enabled/disabled is selinux.is_selinux_enabled(), and
that should be checked prior to calling security_getenforce().

-- 
Stephen Smalley
National Security Agency


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: PythonSELinux binding problem

[Eric Paris]

On Fri, Jul 22, 2011 at 9:44 AM, Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On Thu, 2011-07-21 at 17:33 -0400, rarob@travelinglightfarm.net wrote:
>> Hi,
>>   I'm using the python selinux bindings to determine if SELinux is
>> disable/permissive/enforcing.  The following snippet of code works just
>> fine on RH5 and F10 regardless of the SELinux mode, but fails with an
>> error on F11/12/13 and RH6 if SELinux is disabled.
>>
>> $ python -c 'import selinux ; print selinux.security_getenforce()'
>>
>> Under RH5 and F10 I correctly get the -1/0/1 returns for
>> disabled/permissive/enforcing, as specified in the man pages for
>> 'security_getenforce'.  Under F11/12/13 and RH6 for permissive and
>> enforcing I get the correct return values, but if the system is in
>> disabled mode instead an OSError is thrown for 'No such file or
>> directory'.  I haven't look at the source for the underlying
>> security_getenforce() system call, but I suspect is is assuming that the
>> /selinux pseudo filesystem is populated (as in permissive/enforcing mode),
>> and is not handling the case where that pseudo filesystem is empty.
>>
>> For now I've got my python calls wrapped in try/except blocks treating any
>> exception as SELinux in disabled mode.
>>
>> I wasn't sure where the best place to log this as a bug is, either for the
>> libselinux-python package or libselinux itself.
>
> I don't know why this would have ever worked, as security_getenforce()
> has always returned -1 with errno ENOENT if there is no selinuxfs mount.
> Maybe the older python bindings handled this error condition?  The
> correct test for enabled/disabled is selinux.is_selinux_enabled(), and
> that should be checked prior to calling security_getenforce().

Looks like the change is in my tree (but not upstream)  [not the title
is slightly wrong]

http://git.infradead.org/users/eparis/selinux-userspace.git/commitdiff/958217e94829487815ea3b62b264aa18b466ce4a


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: PythonSELinux binding problem

[Daniel J Walsh]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/21/2011 05:33 PM, rarob@travelinglightfarm.net wrote:
> Hi, I'm using the python selinux bindings to determine if SELinux is 
> disable/permissive/enforcing.  The following snippet of code works
> just fine on RH5 and F10 regardless of the SELinux mode, but fails
> with an error on F11/12/13 and RH6 if SELinux is disabled.
> 
> $ python -c 'import selinux ; print selinux.security_getenforce()'
> 
> Under RH5 and F10 I correctly get the -1/0/1 returns for 
> disabled/permissive/enforcing, as specified in the man pages for 
> 'security_getenforce'.  Under F11/12/13 and RH6 for permissive and 
> enforcing I get the correct return values, but if the system is in 
> disabled mode instead an OSError is thrown for 'No such file or 
> directory'.  I haven't look at the source for the underlying 
> security_getenforce() system call, but I suspect is is assuming that
> the /selinux pseudo filesystem is populated (as in
> permissive/enforcing mode), and is not handling the case where that
> pseudo filesystem is empty.
> 
> For now I've got my python calls wrapped in try/except blocks
> treating any exception as SELinux in disabled mode.
> 
> I wasn't sure where the best place to log this as a bug is, either
> for the libselinux-python package or libselinux itself.
> 
> -Rob
> 
> 
> 
> -- This message was distributed to subscribers of the selinux mailing
> list. If you no longer wish to subscribe, send mail to
> majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without
> quotes as the message.

We have modified python to act correctly when it receives and error from
the underlying C Library and throw an exception with the STDERR reported.

I do not believe this is a bug.  And writing exception handling in
python is the correct behaviour, checking for -1 was the incorrect
behaviour from a python point of view.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEUEARECAAYFAk4pfyMACgkQrlYvE4MpobP4+ACbBvgfbP/yQt7lBk8HEQvNAO+O
LcoAl0RWJYGD3IJKEYsMK2NZe72fPEY=
=HGQR
-----END PGP SIGNATURE-----

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.