1247575 – sepolicy/__init__.py", line 831, in _dict_has_perms - TypeError: expected bytes, str found

Bug 1247575 - sepolicy/__init__.py", line 831, in _dict_has_perms - TypeError: expected bytes, str found

Summary: sepolicy/__init__.py", line 831, in _dict_has_perms - TypeError: expected byt...

Keywords:
Status:	CLOSED NEXTRELEASE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	policycoreutils
Sub Component:
Version:	23
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Petr Lautrbach
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1076441
TreeView+	depends on / blocked

Reported:	2015-07-28 11:20 UTC by Petr Lautrbach
Modified:	2015-08-26 04:32 UTC (History)
CC List:	4 users (show)
Fixed In Version:	2.4-10.fc23
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2015-08-26 04:32:49 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Petr Lautrbach 2015-07-28 11:20:02 UTC

Description of problem:

# cat > avc
type=AVC msg=audit(1438030313.956:3777): avc:  denied  { write } for  pid=8975 comm="cp" name="semanage.conf" dev="dm-3" ino=4461693 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1438030803.435:3784): avc:  denied  { write } for  pid=13793 comm="debugedit" name="sestatus" dev="dm-3" ino=4461956 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1

# audit2allow -i avc                 
Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 360, in <module>
    app.main()
  File "/usr/bin/audit2allow", line 347, in main
    self.__process_input()
  File "/usr/bin/audit2allow", line 175, in __process_input
    self.__avs = self.__parser.to_access()
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 580, in to_access
    base_type = self.__get_base_type(avc.tcontext.type, avc.scontext.type)
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 552, in __get_base_type
    for writable in sepolicy.get_writable_files(scontext):
  File "/usr/lib64/python3.4/site-packages/sepolicy/__init__.py", line 212, in get_writable_files
    permlist = search([ALLOW],{'source':setype,  'permlist':['open', 'write'], 'class':'file'})
  File "/usr/lib64/python3.4/site-packages/sepolicy/__init__.py", line 72, in search
    dict_list = [x for x in dict_list if _dict_has_perms(x, perms)]
  File "/usr/lib64/python3.4/site-packages/sepolicy/__init__.py", line 72, in <listcomp>
    dict_list = [x for x in dict_list if _dict_has_perms(x, perms)]
  File "/usr/lib64/python3.4/site-packages/sepolicy/__init__.py", line 831, in _dict_has_perms
    for perm in perms:
TypeError: expected bytes, str found


# rpm -qf /usr/lib64/python3.4/site-packages/sepolicy/__init__.py                                                                    policycoreutils-python3-2.4-7.fc23.x86_64

Comment 1 Fedora Update System 2015-08-06 16:22:57 UTC

policycoreutils-2.4-8.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/policycoreutils-2.4-8.fc23

Comment 2 Fedora Update System 2015-08-08 16:19:51 UTC

Package policycoreutils-2.4-8.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.4-8.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-13026/policycoreutils-2.4-8.fc23
then log in and leave karma (feedback).

Comment 3 Michal Srb 2015-08-13 09:22:42 UTC

I am afraid that this is still broken (but the stacktrace is different), even with the latest policycoreutils from updates-testing:

# rpm -q policycoreutils
policycoreutils-2.4-8.fc23.x86_64

# audit2allow -i avc     
Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 360, in <module>
    app.main()
  File "/usr/bin/audit2allow", line 347, in main
    self.__process_input()
  File "/usr/bin/audit2allow", line 175, in __process_input
    self.__avs = self.__parser.to_access()
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 596, in to_access
    avc.path = self.__restore_path(avc.name, avc.ino)
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 531, in __restore_path
    output = util.decode_input(output)
  File "/usr/lib64/python3.4/site-packages/sepolgen/util.py", line 112, in decode_input
    decoded_text = text.decode(encoding)
AttributeError: 'str' object has no attribute 'decode'

Comment 4 Michal Srb 2015-08-13 09:46:59 UTC

This works for me (with policycoreutils-2.4-8.fc23.x86_64):

# cat avc-simple
type=AVC msg=audit(1438170817.500:690): avc:  denied  { entrypoint } for  pid=20376 comm="runcon" path="/usr/bin/cat" dev="dm-0" ino=553 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

# audit2allow -i avc-simple 


#============= httpd_t ==============
allow httpd_t bin_t:file entrypoint;

But this one fails:

# cat avc
type=AVC msg=audit(1438030313.956:3777): avc:  denied  { write } for  pid=8975 comm="cp" name="semanage.conf" dev="dm-3" ino=4461693 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
type=AVC msg=audit(1438030803.435:3784): avc:  denied  { write } for  pid=13793 comm="debugedit" name="sestatus" dev="dm-3" ino=4461956 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1

# audit2allow -i avc
Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 360, in <module>
    app.main()
  File "/usr/bin/audit2allow", line 347, in main
    self.__process_input()
  File "/usr/bin/audit2allow", line 175, in __process_input
    self.__avs = self.__parser.to_access()
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 596, in to_access
    avc.path = self.__restore_path(avc.name, avc.ino)
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 531, in __restore_path
    output = util.decode_input(output)
  File "/usr/lib64/python3.4/site-packages/sepolgen/util.py", line 112, in decode_input
    decoded_text = text.decode(encoding)
AttributeError: 'str' object has no attribute 'decode'

Comment 5 Michal Srb 2015-08-13 09:51:33 UTC

I think I know where the problem is. I will add the patch to my existing pull request at GitHub:

https://github.com/fedora-selinux/selinux/pull/14

Comment 6 Petr Lautrbach 2015-08-13 10:07:00 UTC

Thanks. Re-opening the bug.

Comment 7 Fedora Update System 2015-08-13 16:03:18 UTC

policycoreutils-2.4-9.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/policycoreutils-2.4-9.fc23

Comment 8 Fedora Update System 2015-08-15 02:19:51 UTC

Package policycoreutils-2.4-9.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.4-9.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-13499/policycoreutils-2.4-9.fc23
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2015-08-22 16:24:29 UTC

policycoreutils-2.4-10.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update policycoreutils'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13922

Comment 10 Fedora Update System 2015-08-26 04:32:44 UTC

policycoreutils-2.4-10.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.