Hi guys, It looks like the current stable sepolgen release has requirements towards an unofficial (well, fedora/rhel only) patch on setools. With the current stable setools, it gives the following error when trying to use audit2allow on a denial that contains write & open: Traceback (most recent call last): File "/usr/bin/audit2allow-2.7", line 354, in <module> app.main() File "/usr/bin/audit2allow-2.7", line 345, in main self.__output() File "/usr/bin/audit2allow-2.7", line 315, in __output g.add_access(self.__avs) File "/usr/lib64/python2.7/site-packages/sepolgen/policygen.py", line 211, in add_access self.__add_allow_rules(raw_allow) File "/usr/lib64/python2.7/site-packages/sepolgen/policygen.py", line 179, in __add_allow_rules self.domains = seinfo(ATTRIBUTE, name="domain")[0]["types"] NameError: global name 'seinfo' is not defined The patch that RedHat (and Fedora) provides fixes this in Python 2 systems, but doesn't work in Python 3 (because Python 3 has a different setup for Extension-based modules). I have a locally-tested patch on that, but I'm not sure this is a good way to go forward. Perhaps it would be wise to remove the dependency towards the setools binding and instead include the necessary code in the userspace libraries themselves? policygen.py doesn't require the entire set of querying that seinfo provides... The patch that is suggested by RedHat/Fedora doesn't follow the same structure as the other bindings do (like libqpol/libapol) in setools too. Wkr, Sven Vermeulen -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
