Bug 836213

Summary:	sesearch --all does not find all rules
Product:	Red Hat Enterprise Linux 7	Reporter:	Milos Malik <mmalik>
Component:	setools	Assignee:	Petr Lautrbach <plautrba>
Status:	CLOSED ERRATA	QA Contact:	Milos Malik <mmalik>
Severity:	medium	Docs Contact:
Priority:	urgent
Version:	7.0	CC:	dwalsh, ksrot, mgrepl, ovasik, vmojzis
Target Milestone:	rc	Keywords:	Reopened
Target Release:	---
Hardware:	All
OS:	Linux
Whiteboard:
Fixed In Version:	setools-3.3.8-2.el7	Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2018-04-10 16:39:29 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Milos Malik 2012-06-28 11:35:40 UTC

Description of problem:


Version-Release number of selected component (if applicable):
setools-libs-3.3.7-22.el7.x86_64
setools-gui-3.3.7-22.el7.x86_64
setools-console-3.3.7-22.el7.x86_64
setools-3.3.7-22.el7.x86_64
setools-libs-tcl-3.3.7-22.el7.x86_64
setools-libs-python-3.3.7-22.el7.x86_64

How reproducible:
always

Steps to Reproduce:
# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --allow
WARNING: Policy would be downgraded from version 27 to 26.
Found 1 semantic av rules:
   allow ipsec_t ipsec_mgmt_t : process { transition sigchld } ; 

# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --dontaudit
WARNING: Policy would be downgraded from version 27 to 26.
Found 1 semantic av rules:
   dontaudit domain domain : process { noatsecure siginh rlimitinh } ; 

# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --all
WARNING: Policy would be downgraded from version 27 to 26.
ERROR: Cannot get avrules: Neverallow rules requested but not available

Found 34 role allow rules:
   allow auditadm_r system_r;
   allow system_r auditadm_r;
   allow auditadm_r secadm_r;
   allow auditadm_r sysadm_r;
   allow system_r dbadm_r;
   allow dbadm_r system_r;
   allow system_r git_shell_r;
   allow system_r guest_r;
   allow logadm_r system_r;
   allow system_r logadm_r;
   allow system_r nx_server_r;
   allow system_r secadm_r;
   allow secadm_r auditadm_r;
   allow secadm_r sysadm_r;
   allow system_r staff_r;
   allow staff_r auditadm_r;
   allow staff_r dbadm_r;
   allow staff_r logadm_r;
   allow staff_r secadm_r;
   allow staff_r sysadm_r;
   allow staff_r unconfined_r;
   allow staff_r webadm_r;
   allow system_r sysadm_r;
   allow sysadm_r auditadm_r;
   allow sysadm_r system_r;
   allow sysadm_r secadm_r;
   allow sysadm_r staff_r;
   allow sysadm_r user_r;
   allow unconfined_r system_r;
   allow system_r unconfined_r;
   allow system_r user_r;
   allow webadm_r system_r;
   allow system_r webadm_r;
   allow system_r xguest_r;

#

Actual results:
* "sesearch --all" does not find the rules which were found by "sesearch --dontaudit" and "sesearch --allow"

Expected results:
* "sesearch --all" does find the rules which were found by "sesearch --dontaudit" and "sesearch --allow"

Comment 1 Milos Malik 2014-01-23 13:34:06 UTC

"sesearch --all" was able to find allow, dontaudit, auditallow, type_trans, range_trans rules on RHEL-5 and RHEL-6, but the same command executed on RHEL-7 is not able to find any allow or auditallow or dontaudit rule.

Comment 2 Daniel Walsh 2014-02-13 19:46:54 UTC

Fixed in setools-3.3.7-45.el7.src.rpm

Comment 6 Ondrej Vasik 2014-07-02 10:16:00 UTC

Closing CURRENTRELEASE as RHEL 7.0 Erratum contains later version ( https://errata.devel.redhat.com/advisory/17365/builds ). Feel free to reopen if the issue is still not yet properly fixed in 7.0 .

Comment 7 Milos Malik 2016-09-15 09:27:25 UTC

The problem is still not fixed.

# rpm -qa setools\*
setools-gui-3.3.8-1.1.el7.x86_64
setools-console-3.3.8-1.1.el7.x86_64
setools-libs-3.3.8-1.1.el7.x86_64
setools-3.3.8-1.1.el7.x86_64
setools-libs-tcl-3.3.8-1.1.el7.x86_64
setools-devel-3.3.8-1.1.el7.x86_64
# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --allow
Found 1 semantic av rules:
   allow ipsec_t ipsec_mgmt_t : process { transition sigchld } ; 

# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --dontaudit
Found 1 semantic av rules:
   dontaudit domain domain : process { noatsecure siginh rlimitinh } ; 

# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --all
ERROR: Cannot get avrules: Neverallow rules requested but not available

Found 39 role allow rules:
   allow system_r xguest_r;
   allow webadm_r system_r;
   allow system_r webadm_r;
   allow system_r user_r;
   allow system_r unconfined_r;
   allow system_r unconfined_r;
   allow system_r unconfined_r;
   allow unconfined_r system_r;
   allow sysadm_r user_r;
   allow sysadm_r staff_r;
   allow sysadm_r system_r;
   allow sysadm_r secadm_r;
   allow sysadm_r system_r;
   allow sysadm_r system_r;
   allow sysadm_r system_r;
   allow sysadm_r system_r;
   allow sysadm_r system_r;
   allow sysadm_r auditadm_r;
   allow system_r sysadm_r;
   allow staff_r webadm_r;
   allow staff_r unconfined_r;
   allow staff_r sysadm_r;
   allow staff_r secadm_r;
   allow staff_r logadm_r;
   allow staff_r dbadm_r;
   allow staff_r auditadm_r;
   allow system_r staff_r;
   allow secadm_r sysadm_r;
   allow secadm_r auditadm_r;
   allow system_r nx_server_r;
   allow logadm_r system_r;
   allow logadm_r system_r;
   allow system_r guest_r;
   allow dbadm_r system_r;
   allow dbadm_r system_r;
   allow system_r system_r;
   allow auditadm_r sysadm_r;
   allow auditadm_r secadm_r;
   allow auditadm_r system_r;

#

Comment 12 errata-xmlrpc 2018-04-10 16:39:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0916