On 5/16/2017 2:36 PM, Stephen Smalley wrote:
> On Tue, 2017-05-16 at 19:34 +0000, Daniel Jurgens wrote:
>> On 5/16/2017 2:30 PM, Stephen Smalley wrote:
>>> On Mon, 2017-05-15 at 23:42 +0300, Dan Jurgens wrote:
>>>> From: Daniel Jurgens <dani...@mellanox.com>
>>>>
>>>> Update libsepol and libsemanage to work with pkey records. Add local
>>>> storage for new and modified pkey records in pkeys.local. Update semanage
>>>> to parse the pkey command options to add, modify, and delete pkeys.
>>>>
>>>> Signed-off-by: Daniel Jurgens <dani...@mellanox.com>
>>>>
>>>> ---
>>>> v1:
>>>> Fixed semanage_pkey_exists -> semanage_ibpkey_exists in delete flow in
>>>> seobject.py
>>>>
>>>> Stephen Smalley:
>>>> - Subnet prefix can't vary in size, always 16 bytes, remove size field.
>>>> - Removed extraneous change in libsepol/VERSION
>>>> - Removed ifdef DARWIN s6_addr/32 blocks in favor of s6_addr.
>>>> - Got rid of magic constant for subnet prefix size.
>>>>
>>>> Jason Zaman:
>>>> - Use SETools directly to query types in seobject.py.
>>>>
>>>> Signed-off-by: Daniel Jurgens <dani...@mellanox.com>
>>>> ---
>>>> libsemanage/include/semanage/ibpkey_record.h | 76 +++++
>>>> libsemanage/include/semanage/ibpkeys_local.h | 36 +++
>>>> libsemanage/include/semanage/ibpkeys_policy.h | 28 ++
>>>> libsemanage/include/semanage/semanage.h | 3 +
>>>> libsemanage/src/direct_api.c | 29 +-
>>>> libsemanage/src/handle.h | 36 ++-
>>>> libsemanage/src/ibpkey_internal.h | 52 +++
>>>> libsemanage/src/ibpkey_record.c | 185 +++++++++++
>>>> libsemanage/src/ibpkeys_file.c | 181 +++++++++++
>>>> libsemanage/src/ibpkeys_local.c | 178 ++++++++++
>>>> libsemanage/src/ibpkeys_policy.c | 52 +++
>>>> libsemanage/src/ibpkeys_policydb.c | 62 ++++
>>>> libsemanage/src/libsemanage.map | 1 +
>>>> libsemanage/src/policy_components.c | 5 +-
>>>> libsemanage/src/semanage_store.c | 1 +
>>>> libsemanage/src/semanage_store.h | 1 +
>>>> libsemanage/src/semanageswig.i | 3 +
>>>> libsemanage/src/semanageswig_python.i | 43 +++
>>>> libsemanage/utils/semanage_migrate_store | 3 +-
>>>> libsepol/include/sepol/ibpkey_record.h | 77 +++++
>>>> libsepol/include/sepol/ibpkeys.h | 44 +++
>>>> libsepol/include/sepol/sepol.h | 2 +
>>>> libsepol/src/ibpkey_internal.h | 21 ++
>>>> libsepol/src/ibpkey_record.c | 448 ++++++++++++++++++++++++++
>>>> libsepol/src/ibpkeys.c | 263 +++++++++++++++
>>>> python/semanage/semanage | 60 +++-
>>>> python/semanage/seobject.py | 255 +++++++++++++++
>>>> 27 files changed, 2129 insertions(+), 16 deletions(-)
>>>> create mode 100644 libsemanage/include/semanage/ibpkey_record.h
>>>> create mode 100644 libsemanage/include/semanage/ibpkeys_local.h
>>>> create mode 100644 libsemanage/include/semanage/ibpkeys_policy.h
>>>> create mode 100644 libsemanage/src/ibpkey_internal.h
>>>> create mode 100644 libsemanage/src/ibpkey_record.c
>>>> create mode 100644 libsemanage/src/ibpkeys_file.c
>>>> create mode 100644 libsemanage/src/ibpkeys_local.c
>>>> create mode 100644 libsemanage/src/ibpkeys_policy.c
>>>> create mode 100644 libsemanage/src/ibpkeys_policydb.c
>>>> create mode 100644 libsepol/include/sepol/ibpkey_record.h
>>>> create mode 100644 libsepol/include/sepol/ibpkeys.h
>>>> create mode 100644 libsepol/src/ibpkey_internal.h
>>>> create mode 100644 libsepol/src/ibpkey_record.c
>>>> create mode 100644 libsepol/src/ibpkeys.c
>>>>
>>>> diff --git a/python/semanage/seobject.py
>>>> b/python/semanage/seobject.py
>>>> index 7a54373..41b0aca 100644
>>>> --- a/python/semanage/seobject.py
>>>> +++ b/python/semanage/seobject.py
>>>> @@ -32,6 +32,7 @@ import socket
>>>> from semanage import *
>>>> PROGNAME = "policycoreutils"
>>>> import sepolicy
>>>> +import setools
>>>> from IPy import IP
>>>>
>>>> try:
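Review bot: the `+import setools` at module scope makes setools a hard import-time dependency of seobject.py for every semanage subcommand, not only the new ibpkey ones; if that is intended, say so in the commit message so packagers add the dependency, otherwise import setools lazily inside the ibpkey code path that needs it.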
>>>> @@ -1309,6 +1310,260 @@ class portRecords(semanageRecords):
>>>> rec += ", %s" % p
>>>> print(rec)
>>>>
>>>> +class ibpkeyRecords(semanageRecords):
>>>> + try:
>>>> + q =
>>>> setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_po
>>>> licy
>>>> ()), attrs=["ibpkey_type"])
>>>> + valid_types = sorted(str(t) for t in q.results())
>>>> + except RuntimeError:
>>>> + valid_types = []
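Review bot: the `except RuntimeError` around the setools query in the `ibpkeyRecords` class body is both too narrow and too early. The query runs at class-definition time, i.e. whenever seobject is imported, and on a policy that does not define an ibpkey_type attribute setools raises its own InvalidType (see the traceback below), which is not a RuntimeError, so the exception escapes, the module import fails and every semanage command breaks. Move the query into `__init__` (or a lazily evaluated property), catch the setools exception as well, and fall back to `valid_types = []` so a newer semanage keeps working on an older policy.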
>>> This causes all semanage commands to fail (without a patched refpolicy
>>> to define ibpkey_type).
>>>
>>> Traceback (most recent call last):
>>>   File "/usr/sbin/semanage", line 28, in <module>
>>>     import seobject
>>>   File "/usr/lib64/python2.7/site-packages/seobject.py", line 1313, in <module>
>>>     class ibpkeyRecords(semanageRecords):
>>>   File "/usr/lib64/python2.7/site-packages/seobject.py", line 1315, in ibpkeyRecords
>>>     q = setools.TypeQuery(setools.SELinuxPolicy(sepolicy.get_installed_policy()), attrs=["ibpkey_type"])
>>>   File "/usr/lib64/python2.7/site-packages/setools-4.0.1-py2.7-linux-x86_64.egg/setools/typequery.py", line 72, in __init__
>>>     super(TypeQuery, self).__init__(policy, **kwargs)
>>>   File "/usr/lib64/python2.7/site-packages/setools-4.0.1-py2.7-linux-x86_64.egg/setools/query.py", line 39, in __init__
>>>     setattr(self, name, kwargs[name])
>>>   File "/usr/lib64/python2.7/site-packages/setools-4.0.1-py2.7-linux-x86_64.egg/setools/descriptors.py", line 104, in __set__
>>>     self.instances[obj] = set(lookup(v) for v in value)
>>>   File "/usr/lib64/python2.7/site-packages/setools-4.0.1-py2.7-linux-x86_64.egg/setools/descriptors.py", line 104, in <genexpr>
>>>     self.instances[obj] = set(lookup(v) for v in value)
>>>   File "/usr/lib64/python2.7/site-packages/setools-4.0.1-py2.7-linux-x86_64.egg/setools/policyrep/__init__.py", line 449, in lookup_typeattr
>>>     return typeattr.attribute_factory(self.policy, name)
>>>   File "/usr/lib64/python2.7/site-packages/setools-4.0.1-py2.7-linux-x86_64.egg/setools/policyrep/typeattr.py", line 42, in attribute_factory
>>>     qpol_symbol = _symbol_lookup(qpol_policy, name)
>>>   File "/usr/lib64/python2.7/site-packages/setools-4.0.1-py2.7-linux-x86_64.egg/setools/policyrep/typeattr.py", line 32, in _symbol_lookup
>>>     raise exception.InvalidType("{0} is not a valid type/attribute".format(name))
>>> setools.policyrep.exception.InvalidType: ibpkey_type is not a valid type/attribute
>> Yes, it's the same with all the others too. They require attribute
>> synchronization between the tool and the policy. I'm preparing
>> refpolicy patches right now.
> I think we just need to handle that exception cleanly. I agree that it
> is wrong that we don't do this for the other attributes, but those are
> long-established in refpolicy and therefore haven't shown up before
> (also, the particular exception has changed with the migration to
> setools4, so we likely just never adapted the handlers). We can't have
> a newer version of semanage break users with older policies.
Sure, that makes sense. I'll address this and your other comments today this
week and post a v2.
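Worked example (added here; not code from the thread or from the SELinux userspace tree) of the shape the fix Stephen asks for: resolve the attribute's types on first use rather than when seobject.py is imported, and treat an attribute the installed policy does not define as an empty type list rather than a fatal error, so a newer semanage does not break on an older policy. The setools call in setools_query() is the one from the patch; that setools' InvalidType subclasses ValueError is an assumption about setools 4, and the injectable query callable, the FAKE_POLICY table and the names AttributeTypes/fake_query are constructed for the example so it runs without an installed policy.

```python
"""Lazy, fault-tolerant "which types carry this attribute?" lookup.

Added example, not code from the thread or from the SELinux userspace
tree.  In the real tool the query would be
    setools.TypeQuery(setools.SELinuxPolicy(path), attrs=[attr]).results()
which raises setools' InvalidType when `attr` is not a type attribute
of the policy, as the traceback in the thread shows.  The query is
passed in as a callable and a small constructed policy table stands in
for the real one so this file runs without an installed policy.
"""
import logging

log = logging.getLogger(__name__)

# Exceptions a policy lookup may legitimately raise: setools' InvalidType
# derives from ValueError (assumption about setools 4.x); RuntimeError and
# OSError cover a policy file that cannot be opened or parsed at all.
QUERY_ERRORS = (ValueError, RuntimeError, OSError)


class AttributeTypes(object):
    """Names of the types carrying `attr`, resolved on first access.

    `query_fn(attr)` returns an iterable of type names (or objects whose
    str() is the name) or raises one of QUERY_ERRORS.  Nothing touches
    the policy when the object is created, so a module that builds one
    of these at import time cannot fail because of the policy contents.
    """

    def __init__(self, attr, query_fn):
        self.attr = attr
        self._query_fn = query_fn
        self._types = None          # None means "not queried yet"
        self.query_count = 0        # how often the policy was actually hit

    @property
    def valid_types(self):
        if self._types is None:
            self._types = self._resolve()
        return self._types

    def _resolve(self):
        self.query_count += 1
        try:
            return sorted(str(t) for t in self._query_fn(self.attr))
        except QUERY_ERRORS as err:
            # Older policy without the attribute: degrade to "no types",
            # which makes is_valid() reject everything for this record
            # kind but leaves every other semanage subcommand usable.
            log.warning("cannot resolve attribute %s: %s", self.attr, err)
            return []

    def is_valid(self, type_name):
        return type_name in self.valid_types


# --- constructed stand-in for the installed policy ------------------------

class InvalidType(ValueError):
    """Stand-in for setools.policyrep.exception.InvalidType."""


FAKE_POLICY = {                     # attribute -> types carrying it (constructed)
    "port_type": ["ssh_port_t", "http_port_t"],
    "node_type": ["node_t"],
}


def fake_query(attr):
    """Mimics TypeQuery(...).results() against FAKE_POLICY."""
    if attr not in FAKE_POLICY:
        raise InvalidType("{0} is not a valid type/attribute".format(attr))
    return FAKE_POLICY[attr]


def setools_query(attr, policy_path):
    """How the real lookup would be wired (not executed in this example)."""
    import setools                  # hard dependency only on this path
    policy = setools.SELinuxPolicy(policy_path)
    return setools.TypeQuery(policy, attrs=[attr]).results()


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for attr in ("port_type", "ibpkey_type"):
        rec = AttributeTypes(attr, fake_query)
        print(attr, "->", rec.valid_types, "ssh_port_t valid:", rec.is_valid("ssh_port_t"))
```

Wiring the real lookup is a matter of passing `lambda a: setools_query(a, sepolicy.get_installed_policy())` as `query_fn`; the point is that the policy is only touched when a record class actually needs the type list, and a missing attribute degrades to an empty list instead of taking down the import.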