Redesign sepolicy to only read the policy file once, not for every call

policycoreutils-rhat.patch

@@ -335989,7 +335989,7 @@ index 0000000..378eac2
 +build
 diff --git a/policycoreutils/sepolicy/Makefile b/policycoreutils/sepolicy/Makefile
 new file mode 100644
-index 0000000..6767e53
+index 0000000..af8cb8a
 --- /dev/null
 +++ b/policycoreutils/sepolicy/Makefile
 @@ -0,0 +1,31 @@
@@ -336010,7 +336010,7 @@ index 0000000..6767e53
 +
 +all: python-build
 +
-+python-build: info.c search.c common.h
++python-build: info.c search.c common.h policy.h policy.c
 +	$(PYTHON) setup.py build
 +
 +clean:
@@ -336082,10 +336082,10 @@ index 0000000..dc3ce6a
 +
 diff --git a/policycoreutils/sepolicy/info.c b/policycoreutils/sepolicy/info.c
 new file mode 100644
-index 0000000..f4cc0b0
+index 0000000..18aa555
 --- /dev/null
 +++ b/policycoreutils/sepolicy/info.c
-@@ -0,0 +1,928 @@
+@@ -0,0 +1,895 @@
 +/**
 + *  @file
 + *  Command line tool to search TE rules.
@@ -336119,9 +336119,9 @@ index 0000000..f4cc0b0
 + */
 +
 +#include "common.h"
++#include "policy.h"
 +
 +/* libapol */
-+#include <apol/policy.h>
 +#include <apol/policy-query.h>
 +#include <apol/render.h>
 +#include <apol/util.h>
@@ -336937,76 +336937,43 @@ index 0000000..f4cc0b0
 +	return list;
 +}
 +
-+PyObject* info( const char *policy_file, int type, const char *name)
++PyObject* info( int type, const char *name)
 +{
 +	PyObject* output = NULL;
-+	apol_policy_t *policydb = NULL;
-+	apol_policy_path_t *pol_path = NULL;
-+	apol_vector_t *mod_paths = NULL;
-+	apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
-+
-+	pol_path = apol_policy_path_create(path_type, policy_file, mod_paths);
-+	if (!pol_path) {
-+		apol_vector_destroy(&mod_paths);
-+		PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
-+		return NULL;
-+	}
-+	apol_vector_destroy(&mod_paths);
-+
-+	int policy_load_options = 0;
-+	policy_load_options |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
-+	policydb = apol_policy_create_from_policy_path(pol_path, policy_load_options, NULL, NULL);
-+	if (!policydb) {
-+		apol_policy_path_destroy(&pol_path);
-+		PyErr_SetString(PyExc_RuntimeError,strerror(errno));
-+		return NULL;
-+	}
 +
 +	/* display requested info */
 +	if (type == TYPE)
-+		output = get_types(name, policydb);
++		output = get_types(name, policy);
 +
 +	if (type == ATTRIBUTE)
-+		output = get_attribs(name, policydb);
++		output = get_attribs(name, policy);
 +
 +	if (type == ROLE)
-+		output = get_roles(name, policydb);
++		output = get_roles(name, policy);
 +
 +	if (type == USER)
-+		output = get_users(name, policydb);
++		output = get_users(name, policy);
 +
 +	if (type == BOOLEAN)
-+		output = get_booleans(name, policydb);
++		output = get_booleans(name, policy);
 +
 +	if (type == PORT)
-+		output = get_ports(name, policydb);
++		output = get_ports(name, policy);
 +
-+	apol_policy_destroy(&policydb);
-+	apol_policy_path_destroy(&pol_path);
 +	return output;
 +}
 +
 +PyObject *wrap_info(PyObject *UNUSED(self), PyObject *args){
 +    unsigned int type;
 +    char *name;
-+    const char *policy_file;
 +    
-+    if (!PyArg_ParseTuple(args, "ziz", &policy_file, &type, &name))
++    if (!PyArg_ParseTuple(args, "iz", &type, &name))
 +        return NULL;
 +
-+    return Py_BuildValue("N",info(policy_file, type, name));
-+
++    return Py_BuildValue("N",info(type, name));
 +}
 +
-+static PyMethodDef methods[] = {
-+	{"info", (PyCFunction) wrap_info, METH_VARARGS,
-+	 "Return SELinux polcy info about types, attributes, roles, users"},
-+    {NULL, NULL, 0, NULL}
-+};
-+
-+void init_info(){
-+    PyObject *m;
-+    m = Py_InitModule("_info", methods);
++void init_info (PyObject *m) {
 +    PyModule_AddIntConstant(m, "ATTRIBUTE", ATTRIBUTE);
 +    PyModule_AddIntConstant(m, "PORT", PORT);
 +    PyModule_AddIntConstant(m, "ROLE", ROLE);
@@ -337016,10 +336983,10 @@ index 0000000..f4cc0b0
 +}
 diff --git a/policycoreutils/sepolicy/search.c b/policycoreutils/sepolicy/search.c
 new file mode 100644
-index 0000000..c98e4cf
+index 0000000..c1d9411
 --- /dev/null
 +++ b/policycoreutils/sepolicy/search.c
-@@ -0,0 +1,1007 @@
+@@ -0,0 +1,967 @@
 +// Author: Thomas Liu <tliu@redhat.com>
 +
 +/**
@@ -337057,9 +337024,9 @@ index 0000000..c98e4cf
 + */
 +
 +#include "common.h"
++#include "policy.h"
 +
 +/* libapol */
-+#include <apol/policy.h>
 +#include <apol/policy-query.h>
 +#include <apol/render.h>
 +#include <apol/util.h>
@@ -337805,8 +337772,7 @@ index 0000000..c98e4cf
 +	return output;
 +}
 +
-+PyObject* search(const char *policy_file,
-+		 bool allow,
++PyObject* search(bool allow,
 +		 bool neverallow,
 +		 bool auditallow,
 +		 bool dontaudit,
@@ -337820,11 +337786,7 @@ index 0000000..c98e4cf
 +{
 +	options_t cmd_opts;
 +	PyObject *output = NULL;
-+	apol_policy_t *policy = NULL;
 +	apol_vector_t *v = NULL;
-+	apol_policy_path_t *pol_path = NULL;
-+	apol_vector_t *mod_paths = NULL;
-+	apol_policy_path_type_e path_type = APOL_POLICY_PATH_TYPE_MONOLITHIC;
 +
 +	memset(&cmd_opts, 0, sizeof(cmd_opts));
 +	cmd_opts.indirect = true;
@@ -337850,28 +337812,6 @@ index 0000000..c98e4cf
 +
 +	pol_opt |= QPOL_POLICY_OPTION_MATCH_SYSTEM;
 +
-+	if (apol_file_is_policy_path_list(policy_file) > 0) {
-+		pol_path = apol_policy_path_create_from_file(policy_file);
-+		if (!pol_path) {
-+			PyErr_SetString(PyExc_RuntimeError,"invalid policy list");
-+			return NULL;
-+		}
-+	}
-+
-+	if (!pol_path)
-+		pol_path = apol_policy_path_create(path_type, policy_file, mod_paths);
-+	if (!pol_path) {
-+		PyErr_SetString(PyExc_RuntimeError,strerror(ENOMEM));
-+		return NULL;
-+	}
-+	apol_vector_destroy(&mod_paths);
-+
-+	policy = apol_policy_create_from_policy_path(pol_path, pol_opt, NULL, NULL);
-+	if (!policy) {
-+		apol_policy_path_destroy(&pol_path);
-+		PyErr_SetString(PyExc_RuntimeError,strerror(errno));
-+		return NULL;
-+	}
 +	/* handle regex for class name */
 +	if (cmd_opts.useregex && cmd_opts.class_name != NULL) {
 +		cmd_opts.class_vector = apol_vector_create(NULL);
@@ -337965,8 +337905,6 @@ index 0000000..c98e4cf
 +	apol_vector_destroy(&v);
 +
 +      cleanup:
-+	apol_policy_destroy(&policy);
-+	apol_policy_path_destroy(&pol_path);
 +	free(cmd_opts.src_name);
 +	free(cmd_opts.tgt_name);
 +	free(cmd_opts.class_name);
@@ -338013,19 +337951,8 @@ index 0000000..c98e4cf
 +    const char *tgt_name = Dict_ContainsString(dict, "target");
 +    const char *class_name = Dict_ContainsString(dict, "class");
 +    const char *permlist = Dict_ContainsString(dict, "permlist");
-+    const char *policy_path = Dict_ContainsString(dict, "policy");
 +
-+    return Py_BuildValue("N",search(policy_path, allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
-+}
-+
-+static PyMethodDef methods[] = {
-+	{"search", (PyCFunction) wrap_search, METH_VARARGS,
-+	"Search SELinux Policy for allow, neverallow, auditallow, dontaudit and transition records"},
-+	{NULL, NULL, 0, NULL}	/* sentinel */
-+};
-+
-+void init_search(void){
-+	(void) Py_InitModule("_search", methods);
++    return Py_BuildValue("N",search(allow, neverallow, auditallow, dontaudit, transition, role_allow, src_name, tgt_name, class_name, permlist));
 +}
 diff --git a/policycoreutils/sepolicy/sepolicy-bash-completion.sh b/policycoreutils/sepolicy/sepolicy-bash-completion.sh
 new file mode 100644
@@ -338818,25 +338745,24 @@ index 0000000..9f96fd5
 +        sys.exit(1)
 diff --git a/policycoreutils/sepolicy/sepolicy/__init__.py b/policycoreutils/sepolicy/sepolicy/__init__.py
 new file mode 100644
-index 0000000..fbd011c
+index 0000000..22c0724
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy/__init__.py
-@@ -0,0 +1,91 @@
+@@ -0,0 +1,87 @@
 +#!/usr/bin/env python
 +
 +# Author: Thomas Liu <tliu@redhat.com>
 +# Author: Dan Walsh <dwalsh@redhat.com>
 +
-+import _search
-+import _info
++import _policy
 +import selinux
 +
-+TYPE = _info.TYPE
-+ROLE = _info.ROLE
-+ATTRIBUTE = _info.ATTRIBUTE
-+PORT = _info.PORT
-+USER = _info.USER
-+BOOLEAN = _info.BOOLEAN
++TYPE = _policy.TYPE
++ROLE = _policy.ROLE
++ATTRIBUTE = _policy.ATTRIBUTE
++PORT = _policy.PORT
++USER = _policy.USER
++BOOLEAN = _policy.BOOLEAN
 +
 +ALLOW = 'allow'
 +AUDITALLOW = 'auditallow'
@@ -338849,7 +338775,11 @@ index 0000000..fbd011c
 +TRANSITION = 'transition'
 +ROLE_ALLOW = 'role_allow'
 +
++def policy(policy_file):
++    _policy.policy(policy_file)
++
 +policy_file = selinux.selinux_current_policy_path()
++policy(policy_file)
 +
 +def search(types, info = {} ):
 +    valid_types = [ALLOW, AUDITALLOW, NEVERALLOW, DONTAUDIT, TRANSITION, ROLE_ALLOW]
@@ -338863,8 +338793,7 @@ index 0000000..fbd011c
 +        perms = info[PERMS]
 +        info[PERMS] = ",".join(info[PERMS])
 +
-+    info["policy"] = policy_file
-+    dict_list = _search.search(info)
++    dict_list = _policy.search(info)
 +    if dict_list and len(perms) != 0:
 +        dict_list = filter(lambda x: _dict_has_perms(x, perms), dict_list)
 +    return dict_list
@@ -338876,14 +338805,9 @@ index 0000000..fbd011c
 +    return True
 +
 +def info(setype, name=None):
-+    global policy_file
-+    dict_list = _info.info(policy_file, setype, name)
++    dict_list = _policy.info(setype, name)
 +    return dict_list
 +
-+def policy(alt_policy_file):
-+    global policy_file
-+    policy_file = alt_policy_file
-+
 +def _gen_boolens_dict():
 +	import xml.etree.ElementTree
 +	import re
@@ -338912,7 +338836,6 @@ index 0000000..fbd011c
 +		pass
 +	return booleans_dict
 +booleans_dict = _gen_boolens_dict()
-+
 diff --git a/policycoreutils/sepolicy/sepolicy/booleans.py b/policycoreutils/sepolicy/sepolicy/booleans.py
 new file mode 100644
 index 0000000..c23cb11
@@ -340308,10 +340231,10 @@ index 0000000..93b0762
 +            return out
 diff --git a/policycoreutils/sepolicy/sepolicy/manpage.py b/policycoreutils/sepolicy/sepolicy/manpage.py
 new file mode 100755
-index 0000000..2446be1
+index 0000000..7a07b5a
 --- /dev/null
 +++ b/policycoreutils/sepolicy/sepolicy/manpage.py
-@@ -0,0 +1,1273 @@
+@@ -0,0 +1,1279 @@
 +#! /usr/bin/python -Es
 +# Copyright (C) 2012 Red Hat
 +# AUTHOR: Dan Walsh <dwalsh@redhat.com>
@@ -340347,7 +340270,6 @@ index 0000000..2446be1
 +import sys, os, re, time
 +
 +equiv_dict={ "smbd" : "samba", "httpd" : "apache" }
-+
 +def _gen_modules_dict():
 +        import xml.etree.ElementTree
 +        modules_dict = {}
@@ -340367,7 +340289,7 @@ index 0000000..2446be1
 +        except IOError, e:
 +                pass
 +        return modules_dict
-+modules_dict = _gen_modules_dict()
++modules_dict = None
 +
 +all_attributes = map(lambda x: x['name'], sepolicy.info(sepolicy.ATTRIBUTE))
 +entrypoints =  sepolicy.info(sepolicy.ATTRIBUTE,"entry_type")[0]["types"]
@@ -340767,10 +340689,16 @@ index 0000000..2446be1
 +    """
 +    def __init__(self, domainname, path = "/tmp", html = False):
 +        self.html = html
-+        self.domainname = domainname
-+        self.short_name = domainname
++	if domainname.endswith("_t"):
++		self.domainname = domainname[:-2]
++	else:
++		self.domainname = domainname
++		
++	if self.domainname + "_t" not in alldomains:
++                raise  ValueError("domain %s_t does not exist" % self.domainname)
++        self.short_name = self.domainname
 +        self.type = self.domainname + "_t"
-+        self.man_page_path = "%s/%s_selinux.8" % (path, domainname)
++        self.man_page_path = "%s/%s_selinux.8" % (path, self.domainname)
 +        self.fd = open(self.man_page_path, 'w')
 +        if domainname in roles:
 +            self.__gen_user_man_page()
@@ -340787,7 +340715,8 @@ index 0000000..2446be1
 +
 +    def __gen_user_man_page(self):
 +        self.role = self.domainname + "_r"
-+
++	if not modules_dict:
++		modules_dict = _gen_modules_dict()
 +        try:
 +            self.desc = modules_dict[self.domainname]
 +        except:
@@ -344111,26 +344040,22 @@ index 0000000..72f5f65
 +    return slist
 diff --git a/policycoreutils/sepolicy/setup.py b/policycoreutils/sepolicy/setup.py
 new file mode 100644
-index 0000000..46a8415
+index 0000000..ec9c071
 --- /dev/null
 +++ b/policycoreutils/sepolicy/setup.py
-@@ -0,0 +1,16 @@
+@@ -0,0 +1,12 @@
 +#!/usr/bin/env python
 +
 +# Author: Thomas Liu <tliu@redhat.com>
 +# Author: Dan Walsh <dwalsh@redhat.com>
 +import os
 +from distutils.core import setup, Extension
-+info = Extension("sepolicy._info", 
-+                    libraries=["apol", "qpol"],
-+                    sources=[ "info.c"]
-+)
-+search = Extension("sepolicy._search", 
-+                    libraries=["apol", "qpol"],
-+                    sources=[ "search.c"]
++policy = Extension("sepolicy._policy", 
++                   libraries=["apol", "qpol"],
++                   sources=[ "policy.c", "info.c", "search.c"]
 +)
 +
-+setup(name = "sepolicy", version="1.1", description="Python SELinux Policy Analysys bindings", author="Daniel Walsh", author_email="dwalsh@redhat.com", ext_modules=[info, search], packages=["sepolicy", "sepolicy.templates"])
++setup(name = "sepolicy", version="1.1", description="Python SELinux Policy Analysys bindings", author="Daniel Walsh", author_email="dwalsh@redhat.com", ext_modules=[policy], packages=["sepolicy", "sepolicy.templates"])
 diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
 index 4c62b41..01fc818 100644
 --- a/policycoreutils/setfiles/restore.c

policycoreutils.spec

@@ -7,7 +7,7 @@
 Summary: SELinux policy core utilities
 Name:	 policycoreutils
 Version: 2.1.13
-Release: 20%{?dist}
+Release: 21%{?dist}
 License: GPLv2
 Group:	 System Environment/Base
 # Based on git repository with tag 20101221
@@ -329,6 +329,9 @@ The policycoreutils-restorecond package contains the restorecond service.
 %{_bindir}/systemctl try-restart restorecond.service >/dev/null 2>&1 || :
 
 %changelog
+* Mon Oct 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-21
+- Redesign sepolicy to only read the policy file once, not for every call
+
 * Mon Oct 29 2012 Dan Walsh <dwalsh@redhat.com> - 2.1.12-20
 - Fixes to sepolicy transition, allow it to list all transitions from a domain
 

selinux-polgengui.desktop

@@ -64,3 +64,4 @@ Type=Application
 Terminal=false
 Categories=System;Security;
 X-Desktop-File-Install-Version=0.2
+_Keywords=policy,security,selinux,avc,permission,mac

system-config-selinux.desktop

@@ -64,3 +64,4 @@ Type=Application
 Terminal=false
 Categories=System;Security;
 X-Desktop-File-Install-Version=0.2
+_Keywords=policy,security,selinux,avc,permission,mac