Bug 1271669

Summary: audit2allow cannot parse boot date in some locales
Product: Red Hat Enterprise Linux 7 Reporter: Dalibor Pospíšil <dapospis>
Component: auditAssignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA QA Contact: Ondrej Moriš <omoris>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: dapospis, dwalsh, lvrabec, mgrepl, mmalik, omoris, pkis, plautrba, pmoore, pvrabec, sgrubb, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: audit-2.5.2-1.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-11-04 06:12:25 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Dalibor Pospíšil 2015-10-14 13:24:42 UTC 
Description of problem:
audit2allow -b is trying to get boot time (I do not know from where) and it fail to decode it if LANG is set to some of the locales.

Following are the problematic ones, particularly on RHEL7.2:
ar_AE.iso88596, ar_AE.utf8, ar_BH, ar_BH.iso88596, ar_BH.utf8, ar_DZ, ar_DZ.iso88596, ar_DZ.utf8, ar_EG, ar_EG.iso88596, ar_EG.utf8, ar_IQ, ar_IQ.iso88596, ar_IQ.utf8, ar_JO, ar_JO.iso88596, ar_JO.utf8, ar_KW, ar_KW.iso88596, ar_KW.utf8, ar_LB, ar_LB.iso88596, ar_LB.utf8, ar_LY, ar_LY.iso88596, ar_LY.utf8, ar_MA, ar_MA.iso88596, ar_MA.utf8, ar_OM, ar_OM.iso88596, ar_OM.utf8, ar_QA, ar_QA.iso88596, ar_QA.utf8, ar_SD, ar_SD.iso88596, ar_SD.utf8, ar_SY, ar_SY.iso88596, ar_SY.utf8, ar_TN, ar_TN.iso88596, ar_TN.utf8, ar_YE, ar_YE.iso88596, ar_YE.utf8, as_IN, as_IN.utf8, bo_CN, bo_CN.utf8, bo_IN, bo_IN.utf8, bokmal, bokm, dz_BT, dz_BT.utf8, fa_IR, fa_IR.utf8, ja_JP, ja_JP.eucjp, ja_JP.ujis, ja_JP.utf8, japanese, japanese.euc, ko_KR, ko_KR.euckr, ko_KR.utf8, korean, korean.euc, nb_NO, nb_NO.iso88591, nb_NO.utf8, nn_NO, nn_NO.iso88591, nn_NO.utf8, no_NO, norwegian, nynorsk, or_IN, or_IN.utf8, sq_AL, sq_AL.iso88591, sq_AL.utf8, sq_MK, sq_MK.utf8, te_IN, te_IN.utf8, yue_HK, yue_HK.utf8, zh_CN, zh_CN.gb18030, zh_CN.gb2312, zh_CN.gbk, zh_CN.utf8, zh_HK, zh_HK.big5hkscs, zh_HK.utf8, zh_SG, zh_SG.gb2312, zh_SG.gbk, zh_SG.utf8, zh_TW, zh_TW.big5, zh_TW.euctw, zh_TW.utf8


Version-Release number of selected component (if applicable):
policycoreutils-2.2.5-15.el7

How reproducible:
100%

Steps to Reproduce:
1. # LANG=ar_AE audit2allow -b
Invalid start time (CEST 03:54:08 ). Hour, Minute, and Second are required.
Comment 1 Petr Lautrbach 2015-10-14 14:28:38 UTC 
see https://bugzilla.redhat.com/show_bug.cgi?id=1197235
Comment 2 Steve Grubb 2015-10-14 16:29:43 UTC 
I tested this on F22, and it doesn't seem to have this problem. But then again I have logs that are recorded in en_US.UTF-8. 

What version of audit is being used?
Can you include 2 or 3 lines out logs generated from this command:
# grep audit /var/log/messages | grep 1400

Thanks
Comment 3 Dalibor Pospíšil 2015-11-10 09:45:41 UTC 
After reboot I get:
# LANG=ar_AE audit2allow -b
Invalid start time (CET 10:36:03 ). Hour, Minute, and Second are required.

# grep audit /var/log/messages
Nov 10 07:45:01 sopos-rhel7-brq auditd[562]: Audit daemon rotating log files
Comment 4 Steve Grubb 2015-11-10 15:35:25 UTC 
What I was asking for is samples of the logs that are causing the problems. I specifically wanted the ones with 1400 because those are AVC's. You also didn't answer the question about which version of audit you are using.

When I use the one and only one log line you pasted, I cannot reproduce the problem.

# echo "Nov 10 07:45:01 sopos-rhel7-brq auditd[562]: Audit daemon rotating log files" | LANG=ar_AE audit2allow -b
<no matches>

If I can't reproduce the error, I can't fix it. Thanks.
Comment 5 Dalibor Pospíšil 2015-11-11 16:59:56 UTC 
I use audit-2.4.1-5.el7.

Actually I do not know where the boot timestamp comes form so I cannot check the format.
Comment 6 Steve Grubb 2016-01-13 20:43:37 UTC 
Going back to comment #2, I need some log samples to look at. Can you run the following for me:

# grep 'type=AVC' /var/log/audit/audit.log | head -n 3
Comment 7 Steve Grubb 2016-01-13 23:53:11 UTC 
Looking through the sepolgen code I find this:

    fd=open("/proc/uptime", "r")
    off=float(fd.read().split()[0])
    fd.close
    s = time.localtime(time.time() - off)
    bootdate = time.strftime("%x", s)
    boottime = time.strftime("%X", s)
    output = subprocess.Popen(["/sbin/ausearch", "-m", "AVC,USER_AVC,MAC_POLICY_LOAD,DAEMON_START,SELINUX_ERR", "-ts", bootdate, boottime],

Based on that, I'm inclined to believe this bz is a duplicate of Bug #1286633.
Comment 11 Steve Grubb 2016-04-29 17:30:56 UTC 
audit-2.5.2-1.el7 has been built to address this issue
Comment 15 errata-xmlrpc 2016-11-04 06:12:25 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2418.html