Bug 1247575

Summary: sepolicy/__init__.py", line 831, in _dict_has_perms - TypeError: expected bytes, str found
Product: [Fedora] Fedora Reporter: Petr Lautrbach <plautrba>
Component: policycoreutilsAssignee: Petr Lautrbach <plautrba>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 23CC: dwalsh, mgrepl, msrb, plautrba
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: 2.4-10.fc23 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-26 04:32:49 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1076441    

Description Petr Lautrbach 2015-07-28 11:20:02 UTC 
Description of problem:

# cat > avc
type=AVC msg=audit(1438030313.956:3777): avc:  denied  { write } for  pid=8975 comm="cp" name="semanage.conf" dev="dm-3" ino=4461693 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1438030803.435:3784): avc:  denied  { write } for  pid=13793 comm="debugedit" name="sestatus" dev="dm-3" ino=4461956 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1

# audit2allow -i avc                 
Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 360, in <module>
    app.main()
  File "/usr/bin/audit2allow", line 347, in main
    self.__process_input()
  File "/usr/bin/audit2allow", line 175, in __process_input
    self.__avs = self.__parser.to_access()
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 580, in to_access
    base_type = self.__get_base_type(avc.tcontext.type, avc.scontext.type)
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 552, in __get_base_type
    for writable in sepolicy.get_writable_files(scontext):
  File "/usr/lib64/python3.4/site-packages/sepolicy/__init__.py", line 212, in get_writable_files
    permlist = search([ALLOW],{'source':setype,  'permlist':['open', 'write'], 'class':'file'})
  File "/usr/lib64/python3.4/site-packages/sepolicy/__init__.py", line 72, in search
    dict_list = [x for x in dict_list if _dict_has_perms(x, perms)]
  File "/usr/lib64/python3.4/site-packages/sepolicy/__init__.py", line 72, in <listcomp>
    dict_list = [x for x in dict_list if _dict_has_perms(x, perms)]
  File "/usr/lib64/python3.4/site-packages/sepolicy/__init__.py", line 831, in _dict_has_perms
    for perm in perms:
TypeError: expected bytes, str found


# rpm -qf /usr/lib64/python3.4/site-packages/sepolicy/__init__.py                                                                    policycoreutils-python3-2.4-7.fc23.x86_64
Comment 1 Fedora Update System 2015-08-06 16:22:57 UTC 
policycoreutils-2.4-8.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/policycoreutils-2.4-8.fc23
Comment 2 Fedora Update System 2015-08-08 16:19:51 UTC 
Package policycoreutils-2.4-8.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.4-8.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-13026/policycoreutils-2.4-8.fc23
then log in and leave karma (feedback).
Comment 3 Michal Srb 2015-08-13 09:22:42 UTC 
I am afraid that this is still broken (but the stacktrace is different), even with the latest policycoreutils from updates-testing:

# rpm -q policycoreutils
policycoreutils-2.4-8.fc23.x86_64

# audit2allow -i avc     
Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 360, in <module>
    app.main()
  File "/usr/bin/audit2allow", line 347, in main
    self.__process_input()
  File "/usr/bin/audit2allow", line 175, in __process_input
    self.__avs = self.__parser.to_access()
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 596, in to_access
    avc.path = self.__restore_path(avc.name, avc.ino)
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 531, in __restore_path
    output = util.decode_input(output)
  File "/usr/lib64/python3.4/site-packages/sepolgen/util.py", line 112, in decode_input
    decoded_text = text.decode(encoding)
AttributeError: 'str' object has no attribute 'decode'
Comment 4 Michal Srb 2015-08-13 09:46:59 UTC 
This works for me (with policycoreutils-2.4-8.fc23.x86_64):

# cat avc-simple
type=AVC msg=audit(1438170817.500:690): avc:  denied  { entrypoint } for  pid=20376 comm="runcon" path="/usr/bin/cat" dev="dm-0" ino=553 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

# audit2allow -i avc-simple 


#============= httpd_t ==============
allow httpd_t bin_t:file entrypoint;

But this one fails:

# cat avc
type=AVC msg=audit(1438030313.956:3777): avc:  denied  { write } for  pid=8975 comm="cp" name="semanage.conf" dev="dm-3" ino=4461693 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1438030803.435:3784): avc:  denied  { write } for  pid=13793 comm="debugedit" name="sestatus" dev="dm-3" ino=4461956 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1

# audit2allow -i avc
Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 360, in <module>
    app.main()
  File "/usr/bin/audit2allow", line 347, in main
    self.__process_input()
  File "/usr/bin/audit2allow", line 175, in __process_input
    self.__avs = self.__parser.to_access()
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 596, in to_access
    avc.path = self.__restore_path(avc.name, avc.ino)
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 531, in __restore_path
    output = util.decode_input(output)
  File "/usr/lib64/python3.4/site-packages/sepolgen/util.py", line 112, in decode_input
    decoded_text = text.decode(encoding)
AttributeError: 'str' object has no attribute 'decode'
Comment 5 Michal Srb 2015-08-13 09:51:33 UTC 
I think I know where the problem is. I will add the patch to my existing pull request at GitHub:

https://github.com/fedora-selinux/selinux/pull/14
Comment 6 Petr Lautrbach 2015-08-13 10:07:00 UTC 
Thanks. Re-opening the bug.
Comment 7 Fedora Update System 2015-08-13 16:03:18 UTC 
policycoreutils-2.4-9.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/policycoreutils-2.4-9.fc23
Comment 8 Fedora Update System 2015-08-15 02:19:51 UTC 
Package policycoreutils-2.4-9.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.4-9.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-13499/policycoreutils-2.4-9.fc23
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2015-08-22 16:24:29 UTC 
policycoreutils-2.4-10.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update policycoreutils'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13922
Comment 10 Fedora Update System 2015-08-26 04:32:44 UTC 
policycoreutils-2.4-10.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.