Bug 843727 - audit2allow produces .te files that cannot be parsed by checkmodule
audit2allow produces .te files that cannot be parsed by checkmodule
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: policycoreutils (Show other bugs)
All Linux
medium Severity low
: rc
: ---
Assigned To: Daniel Walsh
Michal Trunecka
Depends On:
  Show dependency treegraph
Reported: 2012-07-27 04:00 EDT by Paolo Bonzini
Modified: 2014-09-30 19:33 EDT (History)
6 users (show)

See Also:
Fixed In Version: policycoreutils-2.0.83-19.25.el6
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-02-21 05:15:26 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Paolo Bonzini 2012-07-27 04:00:32 EDT
Description of problem:
When the audit logs show multiple transitions from the same role, audit2allow produces files that cannot be parsed by checkmodule

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Create the following "bug.log" file
type=SELINUX_ERR msg=audit(1343312370.260:393): security_compute_sid:  invalid context unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1343312370.403:398): security_compute_sid:  invalid context unconfined_u:unconfined_r:dmidecode_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1343312811.732:520): security_compute_sid:  invalid context unconfined_u:unconfined_r:dnsmasq_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnsmasq_exec_t:s0 tclass=process

2. Run "audit2allow -M bug < bug.log".  Output:
compilation failed:
bug.te:12:ERROR 'syntax error' at token ',' on line 12:
role unconfined_r types dmidecode_t, iptables_t, dnsmasq_t;
#============= ROLES ==============
/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from bug.te

3.Run "audit2allow -m bug < bug.log".  Output:
module bug 1.0;

require {
	type dmidecode_t;
	type iptables_t;
	type dnsmasq_t;
	role unconfined_r;

#============= ROLES ==============
role unconfined_r types dmidecode_t, iptables_t, dnsmasq_t;

Actual results:
audit2allow fails to compile its own policies.

Expected results:
audit2allow can successfully compile its own policies.

Additional info:
Changing the role line to this:

role unconfined_r types dmidecode_t;
role unconfined_r types iptables_t;
role unconfined_r types dnsmasq_t;

creates a policy that works as intended.
Comment 2 Daniel Walsh 2012-07-27 08:40:14 EDT
How are you creating the bug log?  The problem is the extra \n in the file.  If each type= line is on one line audit2allow should parse it fine.
Comment 3 Paolo Bonzini 2012-07-27 09:25:38 EDT
Each type= line _is_ on one line.  The bug log is a reduced testcase from my /var/log/audit/audit.log.

Note the problem is not in parsing the bug log.  It is in compiling the .te file, see steps 2 and 3.
Comment 4 Daniel Walsh 2012-07-27 09:43:44 EDT
Ok I just fixed this in Rawhide, if we have policycoreutils in 6.4, I will back port the fix.
Comment 5 RHEL Product and Program Management 2012-08-14 17:59:03 EDT
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Product
Management has requested further review of this request by
Red Hat Engineering, for potential inclusion in a Red Hat
Enterprise Linux release for currently deployed products.
This request is not yet committed for inclusion in a release.
Comment 10 errata-xmlrpc 2013-02-21 05:15:26 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.