Description of problem:
When the audit logs show multiple transitions from the same role, audit2allow produces files that cannot be parsed by checkmodule.

Version-Release number of selected component (if applicable):
setroubleshoot-3.0.47-3.el6_3.x86_64
checkpolicy-2.0.22-1.el6.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Create the following "bug.log" file:
type=SELINUX_ERR msg=audit(1343312370.260:393): security_compute_sid: invalid context unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1343312370.403:398): security_compute_sid: invalid context unconfined_u:unconfined_r:dmidecode_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1343312811.732:520): security_compute_sid: invalid context unconfined_u:unconfined_r:dnsmasq_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnsmasq_exec_t:s0 tclass=process

2. Run "audit2allow -M bug < bug.log". Output:
compilation failed:
bug.te:12:ERROR 'syntax error' at token ',' on line 12:
role unconfined_r types dmidecode_t, iptables_t, dnsmasq_t;
#============= ROLES ==============
/usr/bin/checkmodule: error(s) encountered while parsing configuration
/usr/bin/checkmodule: loading policy configuration from bug.te

3. Run "audit2allow -m bug < bug.log". Output:
module bug 1.0;

require {
	type dmidecode_t;
	type iptables_t;
	type dnsmasq_t;
	role unconfined_r;
}

#============= ROLES ==============
role unconfined_r types dmidecode_t, iptables_t, dnsmasq_t;

Actual results:
audit2allow fails to compile its own policies.

Expected results:
audit2allow can successfully compile its own policies.
Additional info:
Changing the role line to this:
role unconfined_r types dmidecode_t;
role unconfined_r types iptables_t;
role unconfined_r types dnsmasq_t;
creates a policy that works as intended.
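As an added example (not part of the bug report and not audit2allow's own code), the script below reproduces the workaround from "Additional info": it extracts the (role, type) pairs from SELINUX_ERR lines like those in bug.log and emits one "role R types T;" statement per type, and it also rewrites an already generated .te file that carries the comma-separated form checkmodule rejects. The sample log is constructed from the three lines in the report; the function names are this example's own.

```python
import re

# Constructed sample: the three SELINUX_ERR lines from the report's bug.log.
SAMPLE_LOG = """\
type=SELINUX_ERR msg=audit(1343312370.260:393): security_compute_sid: invalid context unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:iptables_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1343312370.403:398): security_compute_sid: invalid context unconfined_u:unconfined_r:dmidecode_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dmidecode_exec_t:s0 tclass=process
type=SELINUX_ERR msg=audit(1343312811.732:520): security_compute_sid: invalid context unconfined_u:unconfined_r:dnsmasq_t:s0-s0:c0.c1023 for scontext=unconfined_u:unconfined_r:virtd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:dnsmasq_exec_t:s0 tclass=process
"""

# The "invalid context X for scontext=Y" form reported by security_compute_sid
# when a process transition lands on a role/type pair the policy does not allow.
INVALID_CTX = re.compile(
    r"type=SELINUX_ERR .*?invalid context (\S+) for scontext=(\S+) "
    r"tcontext=\S+ tclass=process"
)


def role_type_pairs(log_text):
    """Return the ordered, de-duplicated (role, type) pairs the log asks for."""
    pairs = []
    for line in log_text.splitlines():
        m = INVALID_CTX.search(line)
        if not m:
            continue
        # The invalid context is user:role:type:range; keep role and type.
        _user, role, typ = m.group(1).split(":")[:3]
        if (role, typ) not in pairs:
            pairs.append((role, typ))
    return pairs


def role_statements(pairs):
    """One 'role R types T;' statement per pair, the form checkmodule accepts."""
    return [f"role {role} types {typ};" for role, typ in pairs]


ROLE_LINE = re.compile(r"^\s*role\s+(\w+)\s+types\s+([^;]+);\s*$")


def split_role_lines(te_text):
    """Rewrite 'role R types A, B, C;' lines into one statement per type.

    Every other line of the .te file (module header, require block,
    allow rules, comments) is passed through unchanged.
    """
    out = []
    for line in te_text.splitlines():
        m = ROLE_LINE.match(line)
        if m and "," in m.group(2):
            types = [t.strip() for t in m.group(2).split(",") if t.strip()]
            out.extend(f"role {m.group(1)} types {t};" for t in types)
        else:
            out.append(line)
    return "\n".join(out)
```

Feed the generated bug.te through split_role_lines before handing it to checkmodule, or build the ROLES section from role_statements(role_type_pairs(log)) directly.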
How are you creating the bug log? The problem is the extra \n in the file. If each type= line is on one line audit2allow should parse it fine.
Each type= line _is_ on one line. The bug log is a reduced testcase from my /var/log/audit/audit.log. Note the problem is not in parsing the bug log. It is in compiling the .te file, see steps 2 and 3.
Ok, I just fixed this in Rawhide. If we have policycoreutils in 6.4, I will backport the fix.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-0396.html