audit2allow in rawhide is totally broken.
audit2allow -i /tmp/t
Traceback (most recent call last):
  File "/bin/audit2allow", line 360, in <module>
    app.main()
  File "/bin/audit2allow", line 348, in main
    self.__output()
  File "/bin/audit2allow", line 336, in __output
    writer.write(g.get_module(), fd)
  File "/usr/lib64/python3.4/site-packages/sepolgen/output.py", line 48, in write
    sort_filter(self.module)
  File "/usr/lib64/python3.4/site-packages/sepolgen/output.py", line 175, in sort_filter
    sort_node(node)
  File "/usr/lib64/python3.4/site-packages/sepolgen/output.py", line 134, in sort_node
    rules.sort(rule_cmp)
TypeError: must use keyword argument for key function
cat /tmp/t
type=AVC msg=audit(07/29/2015 11:07:09.561:528626) : avc: denied { open } for pid=29981 comm=lojban_logger.p path=/dev/urandom dev="devtmpfs" ino=1033 scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(07/29/2015 11:07:09.561:528626) : avc: denied { read } for pid=29981 comm=lojban_logger.p name=urandom dev="devtmpfs" ino=1033 scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
If I edit audit2allow to run python2
audit2allow -i /tmp/t
#============= svirt_lxc_net_t ==============
#!!!! This avc is allowed in the current policy
allow svirt_lxc_net_t urandom_device_t:chr_file { read open };
Another blowup using /var/log/audit/audit.log
audit2allow -la
Traceback (most recent call last):
  File "/bin/audit2allow", line 360, in <module>
    app.main()
  File "/bin/audit2allow", line 346, in main
    self.__read_input()
  File "/bin/audit2allow", line 164, in __read_input
    parser.parse_string(messages)
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 478, in parse_string
    lines = input.split('\n')
TypeError: 'str' does not support the buffer interface
Created attachment 1058471: audit log causing audit2allow to blow up
Proposed as a Blocker for 23-alpha by Fedora user mgrepl using the blocker tracking app because: sepolgen is not completely re-written to Python3. It causes failures if a user tries to generate his own SELinux policy for AVCs. It means he either needs to go through audit.log and write it without this tool or he switches SELinux mode to permissive.
I've missed Popen usage in audit.py when porting sepolgen to python3. I have prepared a patch to fix 'TypeError: 'str' does not support the buffer interface'. Also, output.py was missed because of missing tests; I will fix that too.
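The two Python 3 failures reported in this bug, reproduced next to a working form as an added example (this is not the patch mentioned in the comment above and not sepolgen's own code). The body of rule_cmp, the helper names, the child command and the AVC text are constructed stand-ins.

```python
import functools
import subprocess
import sys

# Constructed sample input, shortened from the AVC records in the report.
SAMPLE = ("type=AVC avc: denied { open } for pid=29981 comm=lojban_logger.p\n"
          "type=AVC avc: denied { read } for pid=29981 comm=lojban_logger.p\n")
# Stand-in for the external command whose output audit.py reads via Popen.
EMIT_CMD = [sys.executable, "-c", "import sys; sys.stdout.write(%r)" % SAMPLE]

def rule_cmp(a, b):
    """Hypothetical stand-in for sepolgen's rule_cmp: order by (source, target)."""
    ka, kb = (a[0], a[1]), (b[0], b[1])
    return (ka > kb) - (ka < kb)

def sort_py2_style(rules):
    """The call from the first traceback: Python 3 rejects a positional cmp."""
    try:
        rules.sort(rule_cmp)
    except TypeError as exc:
        return exc
    return None

def sort_py3(rules):
    """Same ordering on Python 3: wrap the cmp function as a key."""
    rules.sort(key=functools.cmp_to_key(rule_cmp))
    return rules

def run(cmd):
    """Return a command's raw stdout; on Python 3 this is bytes, not str."""
    return subprocess.Popen(cmd, stdout=subprocess.PIPE).communicate()[0]

def split_py2_style(raw):
    """The call from the second traceback: bytes split with a str separator."""
    try:
        return raw.split("\n")
    except TypeError as exc:
        return exc

def split_py3(raw):
    """Decode Popen output before treating it as text."""
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8", errors="replace")
    return raw.split("\n")

if __name__ == "__main__":
    print(repr(split_py2_style(run(EMIT_CMD))))
    print(split_py3(run(EMIT_CMD)))
```

The exact TypeError wording differs between Python 3 releases, so the messages printed here may not match the python3.4 text in the tracebacks.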
This doesn't seem to meet any of the Alpha criteria. It's not even a Beta or Final requirement that custom SELinux policy generation work. -1 blocker unless I'm missing something.
*** Bug 1250557 has been marked as a duplicate of this bug. ***
I'm similarly -1 blocker, but given how useful audit2allow and audit2why are in tracking down other issues, I'd vehemently vote for +1 Freeze Exception if a fix is prepared in time.
-1 blocker, +1 FE
Well, I can go with +1 FE on merit, but we're gonna spin RC2 in like a few minutes. Still, that's -3/+3, so marking.
Well, it is simple to fix if you have python2 installed. Change /usr/bin/python3 to /usr/bin/python in /usr/bin/audit2allow.
policycoreutils-2.4-8.fc23 has been submitted as an update for Fedora 23. https://admin.fedoraproject.org/updates/policycoreutils-2.4-8.fc23
Package policycoreutils-2.4-8.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.4-8.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-13026/policycoreutils-2.4-8.fc23
then log in and leave karma (feedback).
policycoreutils-2.4-8.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.