Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 836213

Summary: sesearch --all does not find all rules
Product: Red Hat Enterprise Linux 7 Reporter: Milos Malik <mmalik>
Component: setoolsAssignee: Petr Lautrbach <plautrba>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: urgent    
Version: 7.0CC: dwalsh, ksrot, mgrepl, ovasik, vmojzis
Target Milestone: rcKeywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: setools-3.3.8-2.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 16:39:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Milos Malik 2012-06-28 11:35:40 UTC 
Description of problem:


Version-Release number of selected component (if applicable):
setools-libs-3.3.7-22.el7.x86_64
setools-gui-3.3.7-22.el7.x86_64
setools-console-3.3.7-22.el7.x86_64
setools-3.3.7-22.el7.x86_64
setools-libs-tcl-3.3.7-22.el7.x86_64
setools-libs-python-3.3.7-22.el7.x86_64

How reproducible:
always

Steps to Reproduce:
# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --allow
WARNING: Policy would be downgraded from version 27 to 26.
Found 1 semantic av rules:
   allow ipsec_t ipsec_mgmt_t : process { transition sigchld } ; 

# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --dontaudit
WARNING: Policy would be downgraded from version 27 to 26.
Found 1 semantic av rules:
   dontaudit domain domain : process { noatsecure siginh rlimitinh } ; 

# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --all
WARNING: Policy would be downgraded from version 27 to 26.
ERROR: Cannot get avrules: Neverallow rules requested but not available

Found 34 role allow rules:
   allow auditadm_r system_r;
   allow system_r auditadm_r;
   allow auditadm_r secadm_r;
   allow auditadm_r sysadm_r;
   allow system_r dbadm_r;
   allow dbadm_r system_r;
   allow system_r git_shell_r;
   allow system_r guest_r;
   allow logadm_r system_r;
   allow system_r logadm_r;
   allow system_r nx_server_r;
   allow system_r secadm_r;
   allow secadm_r auditadm_r;
   allow secadm_r sysadm_r;
   allow system_r staff_r;
   allow staff_r auditadm_r;
   allow staff_r dbadm_r;
   allow staff_r logadm_r;
   allow staff_r secadm_r;
   allow staff_r sysadm_r;
   allow staff_r unconfined_r;
   allow staff_r webadm_r;
   allow system_r sysadm_r;
   allow sysadm_r auditadm_r;
   allow sysadm_r system_r;
   allow sysadm_r secadm_r;
   allow sysadm_r staff_r;
   allow sysadm_r user_r;
   allow unconfined_r system_r;
   allow system_r unconfined_r;
   allow system_r user_r;
   allow webadm_r system_r;
   allow system_r webadm_r;
   allow system_r xguest_r;

#

Actual results:
* "sesearch --all" does not find the rules which were found by "sesearch --dontaudit" and "sesearch --allow"

Expected results:
* "sesearch --all" does find the rules which were found by "sesearch --dontaudit" and "sesearch --allow"
Comment 1 Milos Malik 2014-01-23 13:34:06 UTC 
"sesearch --all" was able to find allow, dontaudit, auditallow, type_trans, range_trans rules on RHEL-5 and RHEL-6, but the same command executed on RHEL-7 is not able to find any allow or auditallow or dontaudit rule.
Comment 2 Daniel Walsh 2014-02-13 19:46:54 UTC 
Fixed in setools-3.3.7-45.el7.src.rpm
Comment 6 Ondrej Vasik 2014-07-02 10:16:00 UTC 
Closing CURRENTRELEASE as RHEL 7.0 Erratum contains later version ( https://errata.devel.redhat.com/advisory/17365/builds ). Feel free to reopen if the issue is still not yet properly fixed in 7.0 .
Comment 7 Milos Malik 2016-09-15 09:27:25 UTC 
The problem is still not fixed.

# rpm -qa setools\*
setools-gui-3.3.8-1.1.el7.x86_64
setools-console-3.3.8-1.1.el7.x86_64
setools-libs-3.3.8-1.1.el7.x86_64
setools-3.3.8-1.1.el7.x86_64
setools-libs-tcl-3.3.8-1.1.el7.x86_64
setools-devel-3.3.8-1.1.el7.x86_64
# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --allow
Found 1 semantic av rules:
   allow ipsec_t ipsec_mgmt_t : process { transition sigchld } ; 

# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --dontaudit
Found 1 semantic av rules:
   dontaudit domain domain : process { noatsecure siginh rlimitinh } ; 

# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --all
ERROR: Cannot get avrules: Neverallow rules requested but not available

Found 39 role allow rules:
   allow system_r xguest_r;
   allow webadm_r system_r;
   allow system_r webadm_r;
   allow system_r user_r;
   allow system_r unconfined_r;
   allow system_r unconfined_r;
   allow system_r unconfined_r;
   allow unconfined_r system_r;
   allow sysadm_r user_r;
   allow sysadm_r staff_r;
   allow sysadm_r system_r;
   allow sysadm_r secadm_r;
   allow sysadm_r system_r;
   allow sysadm_r system_r;
   allow sysadm_r system_r;
   allow sysadm_r system_r;
   allow sysadm_r system_r;
   allow sysadm_r auditadm_r;
   allow system_r sysadm_r;
   allow staff_r webadm_r;
   allow staff_r unconfined_r;
   allow staff_r sysadm_r;
   allow staff_r secadm_r;
   allow staff_r logadm_r;
   allow staff_r dbadm_r;
   allow staff_r auditadm_r;
   allow system_r staff_r;
   allow secadm_r sysadm_r;
   allow secadm_r auditadm_r;
   allow system_r nx_server_r;
   allow logadm_r system_r;
   allow logadm_r system_r;
   allow system_r guest_r;
   allow dbadm_r system_r;
   allow dbadm_r system_r;
   allow system_r system_r;
   allow auditadm_r sysadm_r;
   allow auditadm_r secadm_r;
   allow auditadm_r system_r;

#
Comment 12 errata-xmlrpc 2018-04-10 16:39:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:0916