Description of problem: # cat > avc type=AVC msg=audit(1438030313.956:3777): avc: denied { write } for pid=8975 comm="cp" name="semanage.conf" dev="dm-3" ino=4461693 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1 type=AVC msg=audit(1438030803.435:3784): avc: denied { write } for pid=13793 comm="debugedit" name="sestatus" dev="dm-3" ino=4461956 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1 # audit2allow -i avc Traceback (most recent call last): File "/usr/bin/audit2allow", line 360, in <module> app.main() File "/usr/bin/audit2allow", line 347, in main self.__process_input() File "/usr/bin/audit2allow", line 175, in __process_input self.__avs = self.__parser.to_access() File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 580, in to_access base_type = self.__get_base_type(avc.tcontext.type, avc.scontext.type) File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 552, in __get_base_type for writable in sepolicy.get_writable_files(scontext): File "/usr/lib64/python3.4/site-packages/sepolicy/__init__.py", line 212, in get_writable_files permlist = search([ALLOW],{'source':setype, 'permlist':['open', 'write'], 'class':'file'}) File "/usr/lib64/python3.4/site-packages/sepolicy/__init__.py", line 72, in search dict_list = [x for x in dict_list if _dict_has_perms(x, perms)] File "/usr/lib64/python3.4/site-packages/sepolicy/__init__.py", line 72, in <listcomp> dict_list = [x for x in dict_list if _dict_has_perms(x, perms)] File "/usr/lib64/python3.4/site-packages/sepolicy/__init__.py", line 831, in _dict_has_perms for perm in perms: TypeError: expected bytes, str found # rpm -qf /usr/lib64/python3.4/site-packages/sepolicy/__init__.py policycoreutils-python3-2.4-7.fc23.x86_64
policycoreutils-2.4-8.fc23 has been submitted as an update for Fedora 23. https://admin.fedoraproject.org/updates/policycoreutils-2.4-8.fc23
Package policycoreutils-2.4-8.fc23: * should fix your issue, * was pushed to the Fedora 23 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing policycoreutils-2.4-8.fc23' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-13026/policycoreutils-2.4-8.fc23 then log in and leave karma (feedback).
I am afraid that this is still broken (but the stacktrace is different), even with the latest policycoreutils from updates-testing: # rpm -q policycoreutils policycoreutils-2.4-8.fc23.x86_64 # audit2allow -i avc Traceback (most recent call last): File "/usr/bin/audit2allow", line 360, in <module> app.main() File "/usr/bin/audit2allow", line 347, in main self.__process_input() File "/usr/bin/audit2allow", line 175, in __process_input self.__avs = self.__parser.to_access() File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 596, in to_access avc.path = self.__restore_path(avc.name, avc.ino) File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 531, in __restore_path output = util.decode_input(output) File "/usr/lib64/python3.4/site-packages/sepolgen/util.py", line 112, in decode_input decoded_text = text.decode(encoding) AttributeError: 'str' object has no attribute 'decode'
This works for me (with policycoreutils-2.4-8.fc23.x86_64): # cat avc-simple type=AVC msg=audit(1438170817.500:690): avc: denied { entrypoint } for pid=20376 comm="runcon" path="/usr/bin/cat" dev="dm-0" ino=553 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0 # audit2allow -i avc-simple #============= httpd_t ============== allow httpd_t bin_t:file entrypoint; But this one fails: # cat avc type=AVC msg=audit(1438030313.956:3777): avc: denied { write } for pid=8975 comm="cp" name="semanage.conf" dev="dm-3" ino=4461693 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1 type=AVC msg=audit(1438030803.435:3784): avc: denied { write } for pid=13793 comm="debugedit" name="sestatus" dev="dm-3" ino=4461956 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1 # audit2allow -i avc Traceback (most recent call last): File "/usr/bin/audit2allow", line 360, in <module> app.main() File "/usr/bin/audit2allow", line 347, in main self.__process_input() File "/usr/bin/audit2allow", line 175, in __process_input self.__avs = self.__parser.to_access() File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 596, in to_access avc.path = self.__restore_path(avc.name, avc.ino) File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 531, in __restore_path output = util.decode_input(output) File "/usr/lib64/python3.4/site-packages/sepolgen/util.py", line 112, in decode_input decoded_text = text.decode(encoding) AttributeError: 'str' object has no attribute 'decode'
I think I know where the problem is. I will add the patch to my existing pull request at GitHub: https://github.com/fedora-selinux/selinux/pull/14
Thanks. Re-opening the bug.
policycoreutils-2.4-9.fc23 has been submitted as an update for Fedora 23. https://admin.fedoraproject.org/updates/policycoreutils-2.4-9.fc23
Package policycoreutils-2.4-9.fc23: * should fix your issue, * was pushed to the Fedora 23 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing policycoreutils-2.4-9.fc23' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2015-13499/policycoreutils-2.4-9.fc23 then log in and leave karma (feedback).
policycoreutils-2.4-10.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.\nIf you want to test the update, you can install it with \n su -c 'yum --enablerepo=updates-testing update policycoreutils'. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2015-13922
policycoreutils-2.4-10.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.