Bug 843727

Summary: audit2allow produces .te files that cannot be parsed by checkmodule
Product: Red Hat Enterprise Linux 6
Reporter: Paolo Bonzini <pbonzini>
Component: policycoreutils
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Michal Trunecka <mtruneck>
Severity: low
Priority: medium
Version: 6.4
CC: dwalsh, ebenes, mgrepl, mmalik, mtruneck, pbonzini
Target Milestone: rc
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: policycoreutils-2.0.83-19.25.el6
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2013-02-21 10:15:26 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Paolo Bonzini 2012-07-27 08:00:32 UTC
Description of problem:
When the audit logs show multiple transitions from the same role, audit2allow produces files that cannot be parsed by checkmodule

Version-Release number of selected component (if applicable):
setroubleshoot-3.0.47-3.el6_3.x86_64
checkpolicy-2.0.22-1.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Create the following "bug.log" file
type=SELINUX_ERR msg=audit(1343312370.260:393): security_compute_sid:  invalid context unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1343312370.403:398): security_compute_sid:  invalid context unconfined_u:unconfined_r:dmidecode_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1343312811.732:520): security_compute_sid:  invalid context unconfined_u:unconfined_r:dnsmasq_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnsmasq_exec_t:s0 tclass=process

2. Run "audit2allow -M bug < bug.log".  Output:
compilation failed:
bug.te:12:ERROR 'syntax error' at token ',' on line 12:
role unconfined_r types dmidecode_t, iptables_t, dnsmasq_t;
#============= ROLES ==============
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from bug.te

3. Run "audit2allow -m bug < bug.log".  Output:
module bug 1.0;

require {
	type dmidecode_t;
	type iptables_t;
	type dnsmasq_t;
	role unconfined_r;
}

#============= ROLES ==============
role unconfined_r types dmidecode_t, iptables_t, dnsmasq_t;

Actual results:
audit2allow fails to compile its own policies.

Expected results:
audit2allow can successfully compile its own policies.

Additional info:
Changing the role line to this:

role unconfined_r types dmidecode_t;
role unconfined_r types iptables_t;
role unconfined_r types dnsmasq_t;

creates a policy that works as intended.
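
The workaround above (one `role ... types ...;` statement per type) can be applied mechanically to the module audit2allow emits, so that the generated .te file compiles with checkmodule until the fixed policycoreutils package is installed. The following script is an added example and is not part of this bug report or of the audit2allow/sepolgen code; the `SAMPLE_TE` text is constructed from the output shown in step 3, and the function name `split_role_statements` is this example's own.

```python
import re
import sys

# Constructed sample: the module audit2allow -m produced in step 3 of the
# report. The comma-separated role line is the one checkmodule rejects.
SAMPLE_TE = """module bug 1.0;

require {
\ttype dmidecode_t;
\ttype iptables_t;
\ttype dnsmasq_t;
\trole unconfined_r;
}

#============= ROLES ==============
role unconfined_r types dmidecode_t, iptables_t, dnsmasq_t;
"""

# Matches a top-level 'role <role> types <list>;' statement and captures the
# indentation, the role name and the raw type list. The 'role unconfined_r;'
# declaration inside the require block has no 'types' keyword and is left alone.
ROLE_TYPES_LINE = re.compile(r"^(\s*)role\s+(\S+)\s+types\s+([^;]+);\s*$")


def split_role_statements(te_text):
    """Rewrite 'role R types A, B, C;' into one 'role R types X;' per type.

    Every other line (module header, require block, allow rules, comments) is
    passed through unchanged, so the type names stay covered by the existing
    require block.
    """
    out = []
    for line in te_text.splitlines():
        match = ROLE_TYPES_LINE.match(line)
        if match is None:
            out.append(line)
            continue
        indent, role, type_list = match.groups()
        types = [t.strip() for t in type_list.split(",") if t.strip()]
        for type_name in types:
            out.append(f"{indent}role {role} types {type_name};")
    return "\n".join(out) + "\n"


def main():
    # Usage: python split_role_lines.py < bug.te > bug_fixed.te
    # then: checkmodule -M -m -o bug.mod bug_fixed.te
    sys.stdout.write(split_role_statements(sys.stdin.read()))


if __name__ == "__main__":
    main()
```

The script deliberately does not touch the `require { ... }` block: the split statements reference exactly the same role and types, so the declarations audit2allow already emitted remain sufficient. The policy language also accepts the brace form `role unconfined_r types { dmidecode_t iptables_t dnsmasq_t };`; the example emits the one-statement-per-type form because that is the variant the reporter verified compiles.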

Comment 2 Daniel Walsh 2012-07-27 12:40:14 UTC
How are you creating the bug log?  The problem is the extra \n in the file.  If each type= line is on one line audit2allow should parse it fine.

Comment 3 Paolo Bonzini 2012-07-27 13:25:38 UTC
Each type= line _is_ on one line.  The bug log is a reduced testcase from my /var/log/audit/audit.log.

Note the problem is not in parsing the bug log.  It is in compiling the .te file, see steps 2 and 3.

Comment 4 Daniel Walsh 2012-07-27 13:43:44 UTC
Ok, I just fixed this in Rawhide; if we have policycoreutils in 6.4, I will backport the fix.

Comment 5 RHEL Program Management 2012-08-14 21:59:03 UTC
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.

Comment 10 errata-xmlrpc 2013-02-21 10:15:26 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0396.html