Bug 1249388

Summary: audit2allow and python3 do not get along
Product: [Fedora] Fedora
Reporter: Daniel Walsh <dwalsh>
Component: policycoreutils
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: high
Version: rawhide
CC: awilliam, dwalsh, kevin, mgrepl, pbrobinson, plautrba, rkuska, robatino, sgallagh, ssekidde
Hardware: Unspecified
OS: Unspecified
Whiteboard: RejectedBlocker AcceptedFreezeException
Fixed In Version: policycoreutils-2.4-8.fc23
Doc Type: Bug Fix
Last Closed: 2015-08-15 02:20:48 UTC
Type: Bug
Bug Blocks: 1076441, 1170818
Attachments: audit log causing audit2allow to blow up (flags: none)

Description Daniel Walsh 2015-08-02 10:53:08 UTC
audit2allow in rawhide is totally broken.

 audit2allow -i /tmp/t
Traceback (most recent call last):
  File "/bin/audit2allow", line 360, in <module>
    app.main()
  File "/bin/audit2allow", line 348, in main
    self.__output()
  File "/bin/audit2allow", line 336, in __output
    writer.write(g.get_module(), fd)
  File "/usr/lib64/python3.4/site-packages/sepolgen/output.py", line 48, in write
    sort_filter(self.module)
  File "/usr/lib64/python3.4/site-packages/sepolgen/output.py", line 175, in sort_filter
    sort_node(node)
  File "/usr/lib64/python3.4/site-packages/sepolgen/output.py", line 134, in sort_node
    rules.sort(rule_cmp)
TypeError: must use keyword argument for key function

 
 cat /tmp/t
type=AVC msg=audit(07/29/2015 11:07:09.561:528626) : avc:  denied  { open } for  pid=29981 comm=lojban_logger.p path=/dev/urandom dev="devtmpfs" ino=1033 scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(07/29/2015 11:07:09.561:528626) : avc:  denied  { read } for  pid=29981 comm=lojban_logger.p name=urandom dev="devtmpfs" ino=1033 scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1

Comment 1 Daniel Walsh 2015-08-02 10:54:42 UTC
If I edit audit2allow to run python2

audit2allow  -i /tmp/t


#============= svirt_lxc_net_t ==============

#!!!! This avc is allowed in the current policy
allow svirt_lxc_net_t urandom_device_t:chr_file { read open };

Comment 2 Daniel Walsh 2015-08-02 10:55:18 UTC
Another blowup using /var/log/audit/audit.log

 audit2allow -la
Traceback (most recent call last):
  File "/bin/audit2allow", line 360, in <module>
    app.main()
  File "/bin/audit2allow", line 346, in main
    self.__read_input()
  File "/bin/audit2allow", line 164, in __read_input
    parser.parse_string(messages)
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 478, in parse_string
    lines = input.split('\n')
TypeError: 'str' does not support the buffer interface

Comment 3 Daniel Walsh 2015-08-02 10:59:01 UTC
Created attachment 1058471
audit log causing audit2allow to blow up

Comment 5 Fedora Blocker Bugs Application 2015-08-04 08:10:46 UTC
Proposed as a Blocker for 23-alpha by Fedora user mgrepl using the blocker tracking app because:

 sepolgen is not completely re-written to Python3. It causes failures if a user tries to generate their own SELinux policy for AVCs. It means he either needs to go through audit.log and write it without this tool or he switches SELinux mode to permissive.

Comment 6 Robert Kuska 2015-08-04 09:05:59 UTC
I've missed Popen usage in audit.py when porting sepolgen to python3.

I have prepared a patch to fix 'TypeError: 'str' does not support the buffer interface'

Also output.py was missed because of missing tests, I will fix that too.
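
Added example, not part of the bug thread and not sepolgen's code: the two tracebacks above reduce to two Python 2 idioms that raise TypeError on Python 3 (splitting subprocess bytes with a str separator, and passing a comparator positionally to sort()), shown next to a working form. The parser, the function names and the example_t record are assumptions made for the illustration.

```python
import functools
import re

# Constructed sample, as bytes (what Popen(...).communicate() returns on Python 3
# without text mode). Two records shortened from the report; example_t is made up.
RAW = (
    b"type=AVC msg=audit(07/29/2015 11:07:09.561:528626) : avc:  denied  { open } for  pid=29981 "
    b"scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file\n"
    b"type=AVC msg=audit(07/29/2015 11:07:09.561:528626) : avc:  denied  { read } for  pid=29981 "
    b"scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file\n"
    b"type=AVC msg=audit(07/29/2015 11:07:10.000:528627) : avc:  denied  { getattr } for  pid=100 "
    b"scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file\n"
)
AVC_RE = re.compile(r"denied\s+\{([^}]+)\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

def rule_cmp(a, b):
    """Python-2-style comparator (negative/zero/positive), as once passed to sort()."""
    return (a > b) - (a < b)

def py2_idioms_failing(raw):
    """Try both idioms from the tracebacks; return the ones that raise TypeError."""
    failed = []
    for name, call in (("split", lambda: raw.split("\n")),
                       ("sort", lambda: [3, 1, 2].sort(rule_cmp))):
        try:
            call()
        except TypeError:
            failed.append(name)
    return failed

def parse_avcs(raw):
    """Accept bytes or str; map (source type, target type, class) -> permissions."""
    text = raw.decode("utf-8", errors="replace") if isinstance(raw, bytes) else raw
    rules = {}
    for line in text.split("\n"):
        m = AVC_RE.search(line)
        if m:
            perms, scon, tcon, tclass = m.groups()
            key = (scon.split(":")[2], tcon.split(":")[2], tclass)
            rules.setdefault(key, set()).update(perms.split())
    return rules

def render(raw):
    """Emit allow rules in a stable order using key=cmp_to_key(...)."""
    rules = sorted(parse_avcs(raw).items(),
                   key=functools.cmp_to_key(lambda a, b: rule_cmp(a[0], b[0])))
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in rules]
```

Permissions are sorted alphabetically here, so the order inside the braces can differ from what audit2allow prints.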

Comment 7 Adam Williamson 2015-08-05 07:26:37 UTC
This doesn't seem to meet any of the Alpha criteria. It's not even a Beta or Final requirement that custom SELinux policy generation work. -1 blocker unless I'm missing something.

Comment 8 Stephen Gallagher 2015-08-05 13:15:03 UTC
*** Bug 1250557 has been marked as a duplicate of this bug. ***

Comment 9 Stephen Gallagher 2015-08-05 13:21:11 UTC
I'm similarly -1 blocker, but given how useful audit2allow and audit2why are in tracking down other issues, I'd vehemently vote for +1 Freeze Exception if a fix is prepared in time.

Comment 10 Kevin Fenzi 2015-08-05 16:58:58 UTC
-1 blocker, +1 FE

Comment 11 Adam Williamson 2015-08-05 17:53:24 UTC
Well, I can go with +1 FE on merit, but we're gonna spin RC2 in like a few minutes. Still, that's -3/+3, so marking.

Comment 12 Daniel Walsh 2015-08-05 18:55:50 UTC
Well, it is simple to fix if you have python2 installed.  Change /usr/bin/python3 to /usr/bin/python in /usr/bin/audit2allow.

Comment 13 Fedora Update System 2015-08-06 16:22:55 UTC
policycoreutils-2.4-8.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/policycoreutils-2.4-8.fc23

Comment 14 Fedora Update System 2015-08-08 16:19:49 UTC
Package policycoreutils-2.4-8.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.4-8.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-13026/policycoreutils-2.4-8.fc23
then log in and leave karma (feedback).

Comment 15 Fedora Update System 2015-08-15 02:20:48 UTC
policycoreutils-2.4-8.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.