Bug 1329120

Summary: sesearch loops endlessly when it should print neverallow rules from the base policy module
Product: Red Hat Enterprise Linux 6
Component: setools
Version: 6.8
Hardware: x86_64
OS: Linux
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Target Milestone: rc
Reporter: Milos Malik <mmalik>
Assignee: Petr Lautrbach <plautrba>
QA Contact: Jan Zarsky <jzarsky>
CC: lvrabec, mgrepl, mmalik, plautrba
Doc Type: Bug Fix
Type: Bug
Clone Of: 1329102
Last Closed: 2016-11-08 11:38:33 UTC

Description Milos Malik 2016-04-21 09:10:22 UTC
Description of problem:
* sesearch loops endlessly, consumes memory and gets killed by OOM in the end

Version-Release number of selected component (if applicable):
libselinux-2.0.94-7.el6.x86_64
libselinux-devel-2.0.94-7.el6.x86_64
libselinux-python-2.0.94-7.el6.x86_64
libselinux-ruby-2.0.94-7.el6.x86_64
libselinux-static-2.0.94-7.el6.x86_64
libselinux-utils-2.0.94-7.el6.x86_64
libsemanage-2.0.43-5.1.el6.x86_64
libsemanage-devel-2.0.43-5.1.el6.x86_64
libsemanage-python-2.0.43-5.1.el6.x86_64
libsemanage-static-2.0.43-5.1.el6.x86_64
libsepol-2.0.41-4.el6.x86_64
libsepol-devel-2.0.41-4.el6.x86_64
libsepol-static-2.0.41-4.el6.x86_64
selinux-policy-3.7.19-292.el6.noarch
selinux-policy-doc-3.7.19-292.el6.noarch
selinux-policy-minimum-3.7.19-292.el6.noarch
selinux-policy-mls-3.7.19-292.el6.noarch
selinux-policy-targeted-3.7.19-292.el6.noarch
setools-3.3.7-4.el6.x86_64
setools-console-3.3.7-4.el6.x86_64
setools-gui-3.3.7-4.el6.x86_64
setools-libs-3.3.7-4.el6.x86_64
setools-libs-java-3.3.7-4.el6.x86_64
setools-libs-python-3.3.7-4.el6.x86_64
setools-libs-tcl-3.3.7-4.el6.x86_64

How reproducible:
always

Steps to Reproduce:
# cp /etc/selinux/targeted/modules/active/base.pp ./base.pp.bz2
# bzip2 -d base.pp.bz2 
# sesearch --allow ./base.pp | wc -l
35163
# sesearch --auditallow ./base.pp | wc -l
1
# sesearch --dontaudit ./base.pp | wc -l
4539
# sesearch --type ./base.pp | wc -l
791
# sesearch --role_allow ./base.pp | wc -l
6
# sesearch --role_trans ./base.pp | wc -l
18
# sesearch --range_trans ./base.pp | wc -l
238
# sesearch --neverallow ./base.pp 
Killed

Actual results:
* segfault
* neverallow rules are not shown at all

Expected results:
* no segfaults
* all neverallow rules are shown

Comment 1 Milos Malik 2016-04-21 09:25:00 UTC
BTW, the following command also loops endlessly when analyzing the same policy module:

# seinfo --stats ./base.pp

Comment 2 Petr Lautrbach 2016-11-08 11:38:33 UTC
Red Hat Enterprise Linux version 6 is in the Production 2 phase of its lifetime and this bug doesn't meet the criteria for it, i.e. only high severity issues will be fixed. Please see https://access.redhat.com/support/policy/updates/errata/ for further information.