Bug 1408248

Summary: audit2allow errors with "unrecognized class capability"
Product: Red Hat Enterprise Linux 7 Reporter: Konstantin Ryabitsev <icon>
Component: policycoreutilsAssignee: Petr Lautrbach <plautrba>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.3CC: dwalsh, lvrabec, mgrepl, mmalik, plautrba, ssekidde
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-03-29 13:51:23 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Konstantin Ryabitsev 2016-12-22 14:55:58 UTC 
Latest EL7 selinux policy version generates a lot of AVCs related to self:capability net_admin, and when attempting to run "audit2allow" on the output, an error is thrown to stderr about "unrecognized class capability". E.g.:

type=AVC msg=audit(1482418180.175:84305): avc:  denied  { net_admin } for  pid=25662 comm="showq" capability=12  scontext=system_u:system_r:postfix_showq_t:s0 tcontext=system_u:system_r:postfix_showq_t:s0 tclass=capability
type=SYSCALL msg=audit(1482418180.175:84305): arch=c000003e syscall=47 success=yes exit=3420 a0=8 a1=7fffff749930 a2=0 a3=0 items=0 ppid=2597 pid=25662 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="showq" exe="/usr/libexec/postfix/showq" subj=system_u:system_r:postfix_showq_t:s0 key=(null)

Attempting to run audit2allow on the same system for this AVC returns:

libsepol.sepol_string_to_security_class: unrecognized class capability

#============= postfix_showq_t ==============
allow postfix_showq_t self:capability net_admin;

Moreover, this inserts a weird "1d" hex character after "capability":

00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 61  |==============.a|
00000080  6c 6c 6f 77 20 70 6f 73  74 66 69 78 5f 73 68 6f  |llow postfix_sho|
00000090  77 71 5f 74 20 73 65 6c  66 3a 63 61 70 61 62 69  |wq_t self:capabi|
000000a0  6c 69 74 79 1d 20 6e 65  74 5f 61 64 6d 69 6e 3b  |lity. net_admin;|
000000b0  0a                                                |.|

which, in our particular case, makes it difficult to mail the results, as that non-ascii character confuses mailx (but it's probably a side-effect of the error message above).
Comment 1 Konstantin Ryabitsev 2016-12-22 14:58:19 UTC 
If it helps, this happens after transitioning from nrpe_t to postfix_showq_t via a nrpe nagios check.
Comment 3 Milos Malik 2017-01-02 14:25:47 UTC 
This bug seems to be a duplicate of BZ#1406328.
Comment 4 Petr Lautrbach 2017-03-29 13:51:23 UTC 
It's indeed a duplicate. Thanks.

*** This bug has been marked as a duplicate of bug 1406328 ***