Description of problem:
If the source context contains a "." character and does not follow the "_t" naming convention, it is not possible to create a local custom module using audit2allow. Based on the error message it looks like the problem is in libsepol. For more info see: https://github.com/containers/udica/issues/8

Version-Release number of selected component (if applicable):
libsepol-2.8-3.fc30.x86_64

How reproducible:
Always

Actual results:
[root@localhost ~]# audit2allow -i avc -M test
compilation failed:
libsepol.hierarchy_add_type_callback: issuebug doesn't exist, mycontainer.process is an orphan
libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
/usr/bin/checkmodule: loading policy configuration from test.te

Expected results:
audit2allow will generate a custom local policy with source context "mycontainer.process"
Adding steps to reproduce this issue:

# cat base_container.cil
(block container
    (type process)
    (roletype system_r process)
    (typeattributeset svirt_sandbox_domain (process))
    (typeattributeset container_domain (process))
    (allow process proc_type (file (getattr open read)))
    (allow process cpu_online_t (file (getattr open read)))
)

# cat mycontainer.cil
(block mycontainer
    (blockinherit container)
)

# semodule -i base_container.cil mycontainer.cil

# cat avc
type=AVC msg=audit(1542355385.172:634661): avc: denied { read } for pid=5801 comm="passwd" capability=18 scontext=system_u:system_r:mycontainer.process:s0-s0:c0.c1023 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1

# audit2allow -i avc

#============= mycontainer.process ==============
#!!!! This avc has a dontaudit rule in the current policy

^^^ works

[root@localhost ~]# audit2allow -i avc -M mypolicy
compilation failed:
libsepol.hierarchy_add_type_callback: mycontainer doesn't exist, mycontainer.process is an orphan
libsepol.hierarchy_add_bounds: 1 errors found while adding hierarchies
/usr/bin/checkmodule: loading policy configuration from mypolicy.te

^^^ Broken
Fixing one command in previous comment:

[root@localhost ~]# audit2allow -i avc

#============= mycontainer.process ==============
#!!!! This avc has a dontaudit rule in the current policy
allow mycontainer.process passwd_file_t:file read;
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle. Changing version to '31'.
The policy created by udica is written in CIL where '.' is used for relationship between namespaces while audit2allow uses SELinux policy language where '.' is used for relationship between types. If audit2allow was able to generate CIL policy like '(allow bz1680601.process ssh_port_t (tcp_socket (name_bind)))' it would work just fine. Also udica could be able to modify/update the generated policy based on AVC denial messages.
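The following script is an added example written for this report; it is not code from udica, audit2allow or libsepol. It takes the AVC line from the steps-to-reproduce comment (embedded as constructed sample input, plus a second constructed denial for the same source type) and renders the denials both in the audit2allow .te form, where the dotted name triggers the checkmodule error shown above, and in the CIL form that the previous comment says would load correctly because CIL resolves "mycontainer.process" as block "mycontainer", type "process". The regex used to pick apart the AVC record and the decision rule "a '.' in a type name means the module must be CIL" are this example's own assumptions; the CIL output is what you would write to a .cil file and load with semodule -i.

```python
import re
from collections import OrderedDict

# Constructed sample input: the AVC line from the steps-to-reproduce comment
# above, plus a second constructed denial for the same source type so the
# permission-merging step has something to merge.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1542355385.172:634661): avc: denied { read } for pid=5801 '
    'comm="passwd" capability=18 scontext=system_u:system_r:mycontainer.process:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1542355386.001:634662): avc: denied { open } for pid=5801 '
    'comm="passwd" scontext=system_u:system_r:mycontainer.process:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1',
]

# Assumed shape of an AVC denial record: permissions in braces, then the
# scontext/tcontext/tclass fields, none of which contain whitespace.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+).*?\btclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:mls-range] security context."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: ' + ctx)
    return parts[2]


def parse_avc(line):
    """Return (source type, target type, class, set of permissions), or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return (context_type(m.group('scontext')),
            context_type(m.group('tcontext')),
            m.group('tclass'),
            set(m.group('perms').split()))


def collect_denials(lines):
    """Merge permissions per (source, target, class) key, keeping first-seen order."""
    merged = OrderedDict()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # not an AVC denial record; skip it
        stype, ttype, tclass, perms = parsed
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return merged


def te_rule(stype, ttype, tclass, perms):
    """audit2allow-style .te rule; '.' inside a type name breaks checkmodule here."""
    return 'allow %s %s:%s { %s };' % (stype, ttype, tclass, ' '.join(sorted(perms)))


def cil_rule(stype, ttype, tclass, perms):
    """CIL rule; 'block.type' is resolved as a namespace path, so dotted names work."""
    return '(allow %s %s (%s (%s)))' % (stype, ttype, tclass, ' '.join(sorted(perms)))


def needs_cil(merged):
    """True when any source or target type is namespaced (contains a '.')."""
    return any('.' in s or '.' in t for (s, t, _) in merged)


def avc_to_module(lines):
    """Render the denials in `lines` as CIL allow rules, one per (s, t, class) key."""
    merged = collect_denials(lines)
    return [cil_rule(s, t, c, p) for (s, t, c), p in merged.items()]


if __name__ == '__main__':
    denials = collect_denials(SAMPLE_AVC_LINES)
    print('module must be CIL:', needs_cil(denials))
    for (s, t, c), p in denials.items():
        print('.te  :', te_rule(s, t, c, p))
    for rule in avc_to_module(SAMPLE_AVC_LINES):
        print('.cil :', rule)
```

Written to a file such as mycontainer_local.cil, the single CIL rule the script emits for the sample input can be loaded with semodule -i alongside base_container.cil and mycontainer.cil; the .te form is printed only to show the rule audit2allow would have produced and that checkmodule rejects.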