Red Hat Bugzilla – Bug 836213
sesearch --all does not find all rules
Last modified: 2018-04-10 12:39:33 EDT
Description of problem:

Version-Release number of selected component (if applicable):
setools-libs-3.3.7-22.el7.x86_64
setools-gui-3.3.7-22.el7.x86_64
setools-console-3.3.7-22.el7.x86_64
setools-3.3.7-22.el7.x86_64
setools-libs-tcl-3.3.7-22.el7.x86_64
setools-libs-python-3.3.7-22.el7.x86_64

How reproducible:
always

Steps to Reproduce:
# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --allow
WARNING: Policy would be downgraded from version 27 to 26.
Found 1 semantic av rules:
allow ipsec_t ipsec_mgmt_t : process { transition sigchld } ;

# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --dontaudit
WARNING: Policy would be downgraded from version 27 to 26.
Found 1 semantic av rules:
dontaudit domain domain : process { noatsecure siginh rlimitinh } ;

# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --all
WARNING: Policy would be downgraded from version 27 to 26.
ERROR: Cannot get avrules: Neverallow rules requested but not available
Found 34 role allow rules:
allow auditadm_r system_r;
allow system_r auditadm_r;
allow auditadm_r secadm_r;
allow auditadm_r sysadm_r;
allow system_r dbadm_r;
allow dbadm_r system_r;
allow system_r git_shell_r;
allow system_r guest_r;
allow logadm_r system_r;
allow system_r logadm_r;
allow system_r nx_server_r;
allow system_r secadm_r;
allow secadm_r auditadm_r;
allow secadm_r sysadm_r;
allow system_r staff_r;
allow staff_r auditadm_r;
allow staff_r dbadm_r;
allow staff_r logadm_r;
allow staff_r secadm_r;
allow staff_r sysadm_r;
allow staff_r unconfined_r;
allow staff_r webadm_r;
allow system_r sysadm_r;
allow sysadm_r auditadm_r;
allow sysadm_r system_r;
allow sysadm_r secadm_r;
allow sysadm_r staff_r;
allow sysadm_r user_r;
allow unconfined_r system_r;
allow system_r unconfined_r;
allow system_r user_r;
allow webadm_r system_r;
allow system_r webadm_r;
allow system_r xguest_r;

#

Actual results:
* "sesearch --all" does not find the rules which were found by "sesearch --dontaudit" and "sesearch --allow"

Expected results:
* "sesearch --all" does find the rules which were found by "sesearch --dontaudit" and "sesearch --allow"
"sesearch --all" was able to find allow, dontaudit, auditallow, type_trans, range_trans rules on RHEL-5 and RHEL-6, but the same command executed on RHEL-7 is not able to find any allow or auditallow or dontaudit rule.
Fixed in setools-3.3.7-45.el7.src.rpm
Closing CURRENTRELEASE as RHEL 7.0 Erratum contains later version (https://errata.devel.redhat.com/advisory/17365/builds). Feel free to reopen if the issue is still not yet properly fixed in 7.0.
The problem is still not fixed.

# rpm -qa setools\*
setools-gui-3.3.8-1.1.el7.x86_64
setools-console-3.3.8-1.1.el7.x86_64
setools-libs-3.3.8-1.1.el7.x86_64
setools-3.3.8-1.1.el7.x86_64
setools-libs-tcl-3.3.8-1.1.el7.x86_64
setools-devel-3.3.8-1.1.el7.x86_64

# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --allow
Found 1 semantic av rules:
allow ipsec_t ipsec_mgmt_t : process { transition sigchld } ;

# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --dontaudit
Found 1 semantic av rules:
dontaudit domain domain : process { noatsecure siginh rlimitinh } ;

# sesearch -s ipsec_t -t ipsec_mgmt_t -c process --all
ERROR: Cannot get avrules: Neverallow rules requested but not available
Found 39 role allow rules:
allow system_r xguest_r;
allow webadm_r system_r;
allow system_r webadm_r;
allow system_r user_r;
allow system_r unconfined_r;
allow system_r unconfined_r;
allow system_r unconfined_r;
allow unconfined_r system_r;
allow sysadm_r user_r;
allow sysadm_r staff_r;
allow sysadm_r system_r;
allow sysadm_r secadm_r;
allow sysadm_r system_r;
allow sysadm_r system_r;
allow sysadm_r system_r;
allow sysadm_r system_r;
allow sysadm_r system_r;
allow sysadm_r auditadm_r;
allow system_r sysadm_r;
allow staff_r webadm_r;
allow staff_r unconfined_r;
allow staff_r sysadm_r;
allow staff_r secadm_r;
allow staff_r logadm_r;
allow staff_r dbadm_r;
allow staff_r auditadm_r;
allow system_r staff_r;
allow secadm_r sysadm_r;
allow secadm_r auditadm_r;
allow system_r nx_server_r;
allow logadm_r system_r;
allow logadm_r system_r;
allow system_r guest_r;
allow dbadm_r system_r;
allow dbadm_r system_r;
allow system_r system_r;
allow auditadm_r sysadm_r;
allow auditadm_r secadm_r;
allow auditadm_r system_r;

#
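A regression check for the behaviour reported above, as an added example that is not part of the bug report or of setools: it compares saved sesearch output and lists AV rules that a specific search returned but `--all` did not. The function names and the sample text (abridged from the transcripts above) are assumptions made for illustration.

```shell
LC_ALL=C; export LC_ALL   # same collation for sort and comm

# Read sesearch output on stdin and print its AV rules, normalised and sorted.
# Role allow rules ("allow system_r xguest_r;") contain no ':' and are skipped,
# as are the WARNING, ERROR and "Found N ..." lines.
extract_av_rules() {
    { grep -E '^[[:space:]]*(allow|dontaudit|auditallow)[[:space:]][^:]*:.*;[[:space:]]*$' || true; } |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/[[:space:]][[:space:]]*/ /g' |
        sort -u
}

# missing_from_all SPECIFIC_FILE ALL_FILE
# Print AV rules found by a specific search but absent from the --all output.
missing_from_all() {
    _s=$(mktemp) && _a=$(mktemp) || return 2
    extract_av_rules < "$1" > "$_s"
    extract_av_rules < "$2" > "$_a"
    comm -23 "$_s" "$_a"
    rm -f "$_s" "$_a"
}

# Constructed sample input, abridged from the transcripts in this report.
sample_specific() {
    cat <<'EOF'
Found 1 semantic av rules:
   allow ipsec_t ipsec_mgmt_t : process { transition sigchld } ;
Found 1 semantic av rules:
   dontaudit domain domain : process { noatsecure siginh rlimitinh } ;
EOF
}
sample_all() {
    cat <<'EOF'
ERROR: Cannot get avrules: Neverallow rules requested but not available
Found 39 role allow rules:
   allow system_r xguest_r;
   allow webadm_r system_r;
EOF
}

# Run the check on the sample; prints the rules that --all failed to return.
demo() {
    _d=$(mktemp -d) || return 2
    sample_specific > "$_d/specific.txt"
    sample_all > "$_d/all.txt"
    missing_from_all "$_d/specific.txt" "$_d/all.txt"
    rm -rf "$_d"
}
```

On a live system, save the `--allow` and `--dontaudit` output of the same `-s`/`-t`/`-c` query into one file and the `--all` output into another, then pass both to `missing_from_all`; empty output means `--all` returned every rule.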
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2018:0916