Bug 1249388 - audit2allow and python3 do not get along
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: policycoreutils
Version: rawhide
Hardware: Unspecified Unspecified
Priority: high
Severity: unspecified
Assigned To: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Whiteboard: RejectedBlocker AcceptedFreezeException
Duplicates: 1250557
Blocks: 1076441 F23AlphaFreezeException

Reported: 2015-08-02 06:53 EDT by Daniel Walsh
Modified: 2015-08-14 22:20 EDT
Fixed In Version: policycoreutils-2.4-8.fc23
Doc Type: Bug Fix
Last Closed: 2015-08-14 22:20:48 EDT
Type: Bug


Attachments
audit log causing audit2allow to blow up (5.15 MB, text/plain)
2015-08-02 06:59 EDT, Daniel Walsh

Description Daniel Walsh 2015-08-02 06:53:08 EDT
audit2allow in rawhide is totally broken.

 audit2allow -i /tmp/t
Traceback (most recent call last):
  File "/bin/audit2allow", line 360, in <module>
    app.main()
  File "/bin/audit2allow", line 348, in main
    self.__output()
  File "/bin/audit2allow", line 336, in __output
    writer.write(g.get_module(), fd)
  File "/usr/lib64/python3.4/site-packages/sepolgen/output.py", line 48, in write
    sort_filter(self.module)
  File "/usr/lib64/python3.4/site-packages/sepolgen/output.py", line 175, in sort_filter
    sort_node(node)
  File "/usr/lib64/python3.4/site-packages/sepolgen/output.py", line 134, in sort_node
    rules.sort(rule_cmp)
TypeError: must use keyword argument for key function

 
 cat /tmp/t
type=AVC msg=audit(07/29/2015 11:07:09.561:528626) : avc:  denied  { open } for  pid=29981 comm=lojban_logger.p path=/dev/urandom dev="devtmpfs" ino=1033 scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(07/29/2015 11:07:09.561:528626) : avc:  denied  { read } for  pid=29981 comm=lojban_logger.p name=urandom dev="devtmpfs" ino=1033 scontext=system_u:system_r:svirt_lxc_net_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
Comment 1 Daniel Walsh 2015-08-02 06:54:42 EDT
If I edit audit2allow to run python2

audit2allow  -i /tmp/t


#============= svirt_lxc_net_t ==============

#!!!! This avc is allowed in the current policy
allow svirt_lxc_net_t urandom_device_t:chr_file { read open };
Comment 2 Daniel Walsh 2015-08-02 06:55:18 EDT
Another blowup using /var/log/audit/audit.log

 audit2allow -la
Traceback (most recent call last):
  File "/bin/audit2allow", line 360, in <module>
    app.main()
  File "/bin/audit2allow", line 346, in main
    self.__read_input()
  File "/bin/audit2allow", line 164, in __read_input
    parser.parse_string(messages)
  File "/usr/lib64/python3.4/site-packages/sepolgen/audit.py", line 478, in parse_string
    lines = input.split('\n')
TypeError: 'str' does not support the buffer interface
Comment 3 Daniel Walsh 2015-08-02 06:59:01 EDT
Created attachment 1058471
audit log causing audit2allow to blow up
Comment 5 Fedora Blocker Bugs Application 2015-08-04 04:10:46 EDT
Proposed as a Blocker for 23-alpha by Fedora user mgrepl using the blocker tracking app because:

 sepolgen is not completely re-written to Python3. It causes failures if a user tries to generate his own SELinux policy for AVCs. It means he either needs to go through audit.log and write it without this tool or he switches SELinux mode to permissive.
Comment 6 Robert Kuska 2015-08-04 05:05:59 EDT
I've missed Popen usage in audit.py when porting sepolgen to python3.

I have prepared a patch to fix 'TypeError: 'str' does not support the buffer interface'

Also output.py was missed because of missing tests, I will fix that too.
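
Both tracebacks in this report are Python 2 idioms running under Python 3: a comparison function passed positionally to list.sort(), and bytes read from a pipe being split with a str separator. The following is an added example, not sepolgen's code and not the patch shipped in policycoreutils-2.4-8.fc23; it shows both idioms corrected in a minimal AVC-to-allow-rule converter, and the regex, the function names and the third sample record are assumptions made for illustration.

```python
import functools
import re

# Constructed sample: the report's two AVC records (shortened) plus one invented
# record, encoded to bytes because that is what a subprocess pipe yields on Python 3.
_REC = ("type=AVC msg=audit(0.0:%d): avc:  denied  { %s } for  pid=29981 "
        "scontext=system_u:system_r:svirt_lxc_net_t:s0 "
        "tcontext=system_u:object_r:%s:s0 tclass=chr_file permissive=1\n")
RAW = "".join(_REC % r for r in [
    (1, "open", "urandom_device_t"), (1, "read", "urandom_device_t"),
    (2, "read", "random_device_t")]).encode("utf-8")

# Hypothetical pattern: permissions, source type, target type, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=[^:]+:[^:]+:(?P<src>[^:\s]+).*?"
    r"tcontext=[^:]+:[^:]+:(?P<tgt>[^:\s]+).*?"
    r"tclass=(?P<cls>\w+)")

def parse_avcs(data):
    """Decode pipe output before any str operation, then merge perms per rule."""
    text = data.decode("utf-8", errors="replace") if isinstance(data, bytes) else data
    merged = {}
    for line in text.split("\n"):
        m = AVC_RE.search(line)
        if m:
            key = (m.group("src"), m.group("tgt"), m.group("cls"))
            merged.setdefault(key, set()).update(m.group("perms").split())
    return [key + (tuple(sorted(perms)),) for key, perms in merged.items()]

def rule_cmp(a, b):
    """Python 2 style comparator: orders rules by (source, target, class)."""
    return (a[:3] > b[:3]) - (a[:3] < b[:3])

def render(rules):
    """Python 3 accepts only key=, so the old comparator is wrapped with cmp_to_key."""
    ordered = sorted(rules, key=functools.cmp_to_key(rule_cmp))
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(p)) for s, t, c, p in ordered]

def py2_idioms_raise():
    """Return (split_failed, sort_failed) for the two idioms seen in the tracebacks."""
    results = []
    for call in (lambda: RAW.split("\n"), lambda: [1, 2].sort(rule_cmp)):
        try:
            call()
            results.append(False)
        except TypeError:
            results.append(True)
    return tuple(results)

if __name__ == "__main__":
    print("\n".join(render(parse_avcs(RAW))))
```

The permission order inside the braces is alphabetical here and does not reproduce audit2allow's own ordering.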
Comment 7 Adam Williamson 2015-08-05 03:26:37 EDT
This doesn't seem to meet any of the Alpha criteria. It's not even a Beta or Final requirement that custom SELinux policy generation work. -1 blocker unless I'm missing something.
Comment 8 Stephen Gallagher 2015-08-05 09:15:03 EDT
*** Bug 1250557 has been marked as a duplicate of this bug. ***
Comment 9 Stephen Gallagher 2015-08-05 09:21:11 EDT
I'm similarly -1 blocker, but given how useful audit2allow and audit2why are in tracking down other issues, I'd vehemently vote for +1 Freeze Exception if a fix is prepared in time.
Comment 10 Kevin Fenzi 2015-08-05 12:58:58 EDT
-1 blocker, +1 FE
Comment 11 Adam Williamson 2015-08-05 13:53:24 EDT
Well, I can go with +1 FE on merit, but we're gonna spin RC2 in like a few minutes. Still, that's -3/+3, so marking.
Comment 12 Daniel Walsh 2015-08-05 14:55:50 EDT
Well it is simple to fix if you have python2 installed.  Change /usr/bin/python3 to /usr/bin/python in /usr/bin/audit2allow.
Comment 13 Fedora Update System 2015-08-06 12:22:55 EDT
policycoreutils-2.4-8.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/policycoreutils-2.4-8.fc23
Comment 14 Fedora Update System 2015-08-08 12:19:49 EDT
Package policycoreutils-2.4-8.fc23:
* should fix your issue,
* was pushed to the Fedora 23 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing policycoreutils-2.4-8.fc23'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2015-13026/policycoreutils-2.4-8.fc23
then log in and leave karma (feedback).
Comment 15 Fedora Update System 2015-08-14 22:20:48 EDT
policycoreutils-2.4-8.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.