Improve label collection for mounts and devices

Catch exception triggered by selabel_lookup when it encounters file context definition containing "<<none>>" Real label of given path may differ from what selable_lookup (matchpathcon) returns. Udica should allow access to both. Fixes: https://github.com/containers/udica/issues/98 https://github.com/containers/udica/issues/109
2024-05-25 01:56:14 +02:00 · 2022-04-29 16:15:06 +02:00 · 2022-04-29 16:15:06 +02:00 · 2e1f70537b
parent dd05dbe742
commit 2e1f70537b
1 changed files with 16 additions and 5 deletions
--- a/udica/policy.py
+++ b/udica/policy.py
@ -67,12 +67,23 @@ def list_contexts(directory):
                contexts.append(semanage.semanage_context_get_type(context))

    selabel = selinux.selabel_open(selinux.SELABEL_CTX_FILE, None, 0)
-    (rc, context) = selinux.selabel_lookup(selabel, directory, 0)
-    if context == None:
-        if exists(directory) == False:
-            exit(1)
+    try:
+        (rc, context) = selinux.selabel_lookup(selabel, directory, 0)
+    except FileNotFoundError:
+        # File context definition containing "<<none>>" triggers exception
+        context = None
+    if context:
+        contexts.append(context.split(":")[2])
+
+    # Get the real label (ls -lZ) - may differ from what selabel_lookup returns
+    try:
        context = selinux.getfilecon(directory)[1]
-    contexts.append(context.split(":")[2])
+    except FileNotFoundError:
+        context = None
+
+    if context:
+        contexts.append(context.split(":")[2])
+
    return contexts