Bug 2019962

Summary: "seinfo --constrain" doesn't produce identical output when constraints haven't changed
Product: Red Hat Enterprise Linux 9
Reporter: Jan Stodola <jstodola>
Component: setools
Assignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: medium
Version: 9.0
CC: lvrabec, mmalik, plautrba, qe-baseos-security, vmojzis
Target Milestone: rc
Keywords: Triaged
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: setools-4.4.0-4.el9
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 2019961
Environment:
Last Closed: 2022-05-17 15:58:06 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Jan Stodola 2021-11-03 17:37:22 UTC
The same problem on RHEL-9 with setools-console-4.4.0-3.el9:

+++ This bug was initially created as a clone of Bug #2019961 +++

Description of problem:
"seinfo --constrain" doesn't produce the same output when the command is executed multiple times:

# seinfo --constrain > 1
# seinfo --constrain > 2
# diff -q 1 2
Files 1 and 2 differ
# rpm -qf $(which seinfo)
setools-console-4.3.0-2.el8.x86_64
#

Since the output is different every time, it's not easily usable for searching for differences in SELinux policies.

Version-Release number of selected component (if applicable):
setools-console-4.3.0-2.el8

How reproducible:
Always

Steps to Reproduce:
1. run "seinfo --constrain" several times and compare the outputs

Actual results:
Outputs differ.

Expected results:
Outputs are the same every time (unless the constraints really change).

Comment 1 Milos Malik 2021-11-03 18:21:49 UTC
It looks like permissions are not sorted in the seinfo output:

# seinfo --constrain | sort > 1.txt
# seinfo --constrain | sort > 2.txt
# diff 1.txt 2.txt | grep alg_socket
<    constrain alg_socket { relabelto create relabelfrom } (u1 == u2 or ( t1 == can_change_object_identity )); 
>    constrain alg_socket { relabelfrom create relabelto } (u1 == u2 or ( t1 == can_change_object_identity )); 
#
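
The diagnosis in comment 1 is that the permission set inside the braces is printed in an unstable order, so plain `sort` is not enough to make two captures comparable. Until a fixed setools is installed, a practitioner who wants to diff constraints between two policies (the use case from the description) can normalize the output first. The script below is an added example, not part of the bug report or of setools: it sorts the tokens inside each `{ ... }` permission list and then sorts the lines, so two captures of the same policy compare equal. The two sample captures are constructed for the example and are not real `seinfo` output.

```shell
#!/bin/sh
# Added example (not setools code): normalize "seinfo --constrain" output so
# that captures taken on builds affected by this bug can be diffed.

# Sort the tokens inside the first "{ ... }" of every line, pass lines without
# a permission set through unchanged, then sort the whole stream. POSIX awk
# has no asort(), so the permission list is sorted with an insertion sort.
normalize_constraints() {
    LC_ALL=C awk '
    {
        o = index($0, "{"); c = index($0, "}")
        if (o == 0 || c == 0 || c < o) { print; next }
        pre = substr($0, 1, o)                # up to and including "{"
        inner = substr($0, o + 1, c - o - 1)  # the permission names
        post = substr($0, c)                  # from "}" to end of line
        n = split(inner, p, " ")
        for (i = 2; i <= n; i++) {
            v = p[i]; j = i - 1
            while (j > 0 && p[j] > v) { p[j + 1] = p[j]; j-- }
            p[j + 1] = v
        }
        out = ""
        for (i = 1; i <= n; i++) out = out " " p[i]
        print pre out " " post
    }' | LC_ALL=C sort
}

# Returns 0 when two captures describe the same set of constraints.
same_constraints() {
    [ "$(printf '%s\n' "$1" | normalize_constraints)" = \
      "$(printf '%s\n' "$2" | normalize_constraints)" ]
}

# Constructed sample captures: the same two constraints, with the permission
# sets and the lines themselves in different orders, as the bug produces.
CAPTURE_1='   constrain alg_socket { relabelto create relabelfrom } (u1 == u2 or ( t1 == can_change_object_identity ));
   constrain file { create relabelfrom relabelto } (u1 == u2 or ( t1 == can_change_object_identity ));'
CAPTURE_2='   constrain file { relabelto relabelfrom create } (u1 == u2 or ( t1 == can_change_object_identity ));
   constrain alg_socket { relabelfrom create relabelto } (u1 == u2 or ( t1 == can_change_object_identity ));'

if same_constraints "$CAPTURE_1" "$CAPTURE_2"; then
    echo "no constraint differences after normalization"
else
    echo "constraints differ"
fi

# Real use, comparing two policies (run on each host, then diff the files):
#   seinfo --constrain | normalize_constraints > constraints-before.txt
#   seinfo --constrain | normalize_constraints > constraints-after.txt
#   diff constraints-before.txt constraints-after.txt
```

Only the order of permission names is normalized; the constraint expression after the braces is left as printed, so a genuine change to an expression still shows up in the diff.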

Comment 2 Petr Lautrbach 2021-11-18 16:46:40 UTC
https://github.com/SELinuxProject/setools/pull/66 is accepted and merged upstream.

Comment 11 errata-xmlrpc 2022-05-17 15:58:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: setools), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:3982