Bug 690238

Summary: Exception when calling lgetfilecon when selinux is disabled
Product: Red Hat Enterprise Linux 6
Reporter: Miroslav Suchý <msuchy>
Component: libselinux
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 6.0
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-03-23 18:16:51 UTC
Bug Blocks: 688461, 703384

Description Miroslav Suchý 2011-03-23 16:53:14 UTC
Description of problem:
Set your system SELinux to disabled (not permissive) and run:
# mkdir /tmp/foo
Now it is:
# ls -ldZ /tmp/foo
drwxr-xr-x root root ?                                /tmp/foo

# python
Python 2.6.5 (r265:79063, Jan 21 2011, 12:09:10) 
[GCC 4.4.4 20100726 (Red Hat 4.4.4-13)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from selinux import lgetfilecon, is_selinux_enabled
>>> lgetfilecon('/tmp/foo')
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 61] No data available


While on RHEL5.7 I get as result:
[-1, None]
and on Fedora 14:
[10, 'unlabeled']

I would expect to have on RHEL6 either None or 'unlabeled', but I do not expect an exception.

It blocks BZ 688461, but we will probably work around it using try/except, as we could not wait for a correct fix ... unless it will make it to RHEL6.1

Comment 2 Dave Malcolm 2011-03-23 18:02:02 UTC
The "selinux" python module is part of the libselinux-python rpm, a subpackage of libselinux.  Reassigning to the correct component.

Comment 3 Daniel Walsh 2011-03-23 18:16:51 UTC
This is not a bug.  This is by design.  You should catch the error.

Comment 4 Miroslav Suchý 2011-03-23 23:58:41 UTC
Daniel, can you please enlighten me why it is a feature (or design), when it behaves completely differently from RHEL5 and from Fedora14?

Comment 5 Daniel Walsh 2011-03-24 18:25:52 UTC
Because in Python an application that fails on a read-type access should throw an exception. In RHEL5 we did not have this code.

Comment 6 Daniel Walsh 2011-03-24 18:26:51 UTC
I guess you could report this as a bug in RHEL5 that libselinux should be throwing exceptions on failures.

We just added a patch for libsemanage to throw exceptions on failures also.  This is only fixed in F15, currently.
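
The try/except workaround mentioned in the description, written so that a caller gets one result shape across the three behaviours quoted in this report while other failures still propagate. This is an added example, not code from the bug report or from libselinux; `file_context`, its `getter` parameter and the `fake_*` functions are hypothetical names, and the fakes are constructed stand-ins for the outputs quoted above.

```python
import errno

# Errno values treated as "no SELinux label stored on the file".
# ENODATA is the [Errno 61] shown in the report above.
NO_LABEL_ERRNOS = frozenset([errno.ENODATA])


def file_context(path, getter=None):
    """Return the SELinux context of path as a string, or None if it has none.

    getter is any callable with the Python lgetfilecon signature; it defaults
    to selinux.lgetfilecon (libselinux-python), imported only when needed.
    """
    if getter is None:
        from selinux import lgetfilecon as getter
    try:
        result = getter(path)
    except OSError as e:
        if e.errno in NO_LABEL_ERRNOS:
            return None      # RHEL 6 behaviour: exception when no label exists
        raise                # ENOENT, EACCES, ...: a real failure, do not hide it
    rc, context = result[0], result[1]
    if rc < 0 or context is None:
        return None          # RHEL 5.7 behaviour: [-1, None]
    return context           # Fedora 14 behaviour: [10, 'unlabeled']


# Constructed stand-ins for the behaviours quoted in the report.
def fake_rhel6(path):
    raise OSError(errno.ENODATA, "No data available")


def fake_rhel57(path):
    return [-1, None]


def fake_fedora14(path):
    return [10, 'unlabeled']


def fake_missing(path):
    # Constructed: a failure that must not be mistaken for "unlabeled".
    raise OSError(errno.ENOENT, "No such file or directory")
```

Catching only ENODATA rather than every OSError keeps a missing or unreadable path from being reported as an unlabeled file.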