RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1408248 - audit2allow errors with "unrecognized class capability"
Summary: audit2allow errors with "unrecognized class capability"
Keywords:
Status: CLOSED DUPLICATE of bug 1406328
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: policycoreutils
Version: 7.3
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Petr Lautrbach
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-12-22 14:55 UTC by Konstantin Ryabitsev
Modified: 2017-03-29 13:51 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-03-29 13:51:23 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description Konstantin Ryabitsev 2016-12-22 14:55:58 UTC 
Latest EL7 selinux policy version generates a lot of AVCs related to self:capability net_admin, and when attempting to run "audit2allow" on the output, an error is thrown to stderr about "unrecognized class capability". E.g.:

type=AVC msg=audit(1482418180.175:84305): avc:  denied  { net_admin } for  pid=25662 comm="showq" capability=12  scontext=system_u:system_r:postfix_showq_t:s0 tcontext=system_u:system_r:postfix_showq_t:s0 tclass=capability
type=SYSCALL msg=audit(1482418180.175:84305): arch=c000003e syscall=47 success=yes exit=3420 a0=8 a1=7fffff749930 a2=0 a3=0 items=0 ppid=2597 pid=25662 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="showq" exe="/usr/libexec/postfix/showq" subj=system_u:system_r:postfix_showq_t:s0 key=(null)

Attempting to run audit2allow on the same system for this AVC returns:

libsepol.sepol_string_to_security_class: unrecognized class capability

#============= postfix_showq_t ==============
allow postfix_showq_t self:capability net_admin;

Moreover, this inserts a weird "1d" hex character after "capability":

00000070  3d 3d 3d 3d 3d 3d 3d 3d  3d 3d 3d 3d 3d 3d 0a 61  |==============.a|
00000080  6c 6c 6f 77 20 70 6f 73  74 66 69 78 5f 73 68 6f  |llow postfix_sho|
00000090  77 71 5f 74 20 73 65 6c  66 3a 63 61 70 61 62 69  |wq_t self:capabi|
000000a0  6c 69 74 79 1d 20 6e 65  74 5f 61 64 6d 69 6e 3b  |lity. net_admin;|
000000b0  0a                                                |.|

which, in our particular case, makes it difficult to mail the results, as that non-ascii character confuses mailx (but it's probably a side-effect of the error message above).
Comment 1 Konstantin Ryabitsev 2016-12-22 14:58:19 UTC 
If it helps, this happens after transitioning from nrpe_t to postfix_showq_t via a nrpe nagios check.
Comment 3 Milos Malik 2017-01-02 14:25:47 UTC 
This bug seems to be a duplicate of BZ#1406328.
Comment 4 Petr Lautrbach 2017-03-29 13:51:23 UTC 
It's indeed a duplicate. Thanks.

*** This bug has been marked as a duplicate of bug 1406328 ***
Note You need to log in before you can comment on or make changes to this bug.