Description of problem:
With avc's and SELINUX_ERR's that cause 'role' output, audit2allow -M fails:

[root@localhost ~]# audit2allow -i log2 -M local2
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local2.pp

Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 275, in <module>
    app.main()
  File "/usr/bin/audit2allow", line 269, in main
    self.__output()
  File "/usr/bin/audit2allow", line 259, in __output
    fd.write("\n=========== ROLES ===============\n")
UnboundLocalError: local variable 'fd' referenced before assignment
[root@localhost ~]#

The offending lines of /usr/bin/audit2allow appear to be:

        # Module package
        if self.__options.module_package:
            self.__output_modulepackage(writer, g)
        else:
            # File or stdout
            if self.__options.module:
                g.set_module_name(self.__options.module)

            if self.__options.output:
                fd = open(self.__options.output, "w")
            else:
                fd = sys.stdout
            writer.write(g.get_module(), fd)

        if len(self.__selinux_errs) > 0:
            fd.write("\n=========== ROLES ===============\n")
            for role in self.__selinux_errs:
                fd.write(role.output())

fd appears to get set only in the 'else' clause.

Version-Release number of selected component (if applicable):
policycoreutils-2.0.34-3.fc9

How reproducible:
Every time

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
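Added example (not part of the original report and not the policycoreutils code): a reduction of the control flow quoted above, run over all four combinations of module-package mode and SELINUX_ERR input, showing that only -M together with role output hits the unbound fd. The function names, the sample role line and the repair shown are assumptions for illustration; the repair is not the change shipped in the fixed package.

```python
import io

ROLES_HEADER = "\n=========== ROLES ===============\n"
# Constructed stand-in for what role.output() would return.
SAMPLE_ROLES = ["role example_r types example_t;\n"]


def output_as_reported(module_package, selinux_errs, out):
    """Mirrors the excerpt's control flow: fd is bound only in the else branch."""
    if module_package:
        pass  # stands in for self.__output_modulepackage(writer, g)
    else:
        fd = out  # stands in for the open(...) / sys.stdout choice
        fd.write("<module text>\n")  # stands in for writer.write(g.get_module(), fd)
    if len(selinux_errs) > 0:
        fd.write(ROLES_HEADER)  # fd is unbound here when module_package is true
        for role in selinux_errs:
            fd.write(role)


def output_repaired(module_package, selinux_errs, out):
    """Assumed repair: bind fd before branching so both paths can reach it."""
    fd = out
    if module_package:
        pass  # stands in for self.__output_modulepackage(writer, g)
    else:
        fd.write("<module text>\n")
    if len(selinux_errs) > 0:
        fd.write(ROLES_HEADER)
        for role in selinux_errs:
            fd.write(role)


def run_matrix(func):
    """Run func over all four option/input combinations; record text or exception name."""
    results = {}
    for module_package in (False, True):
        for errs in ([], SAMPLE_ROLES):
            out = io.StringIO()
            try:
                func(module_package, errs, out)
                results[(module_package, bool(errs))] = out.getvalue()
            except UnboundLocalError as exc:
                results[(module_package, bool(errs))] = type(exc).__name__
    return results


if __name__ == "__main__":
    for name, func in (("reported", output_as_reported), ("repaired", output_repaired)):
        for key, value in run_matrix(func).items():
            print(name, key, repr(value))
```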
Created attachment 290295
AVCs and SELINUX_ERR input to 'audit2allow -M'
Minor nit: Should the '==== ROLES ====' line have a '#' to mark it as a comment?
Fixed in policycoreutils-2.0.34-5

Currently this is not used in modules so not yet.