python3: handle.c:336: semanage_connect: Assertion `sh != NULL' failed.
When trying to generate the SELinux profile the application crashes with the following error:

```
[user]# udica -j container.json my_container
error parsing semanage configuration file: syntax error
python3: handle.c:336: semanage_connect: Assertion `sh != NULL' failed.
Aborted (core dumped)
```
I figured out that this happens when I have this mount dir in my container, specifically the hostPath:

```json
{
  "containerPath": "/sys/devices",
  "gidMappings": [],
  "hostPath": "/sys/devices",
  "propagation": "PROPAGATION_PRIVATE",
  "readonly": false,
  "selinuxRelabel": false,
  "uidMappings": []
},
```

If I change the hostPath to something else, or remove the whole mount point, the profile will be generated.
I run udica in a pod on the OpenShift platform. Attached core dump: coredump_udica.tar.gz
Hi, thank you for reporting the issue.
Can you please check that the following command works as expected (as opposed to throwing errors such as `error parsing semanage configuration file: syntax error`):

```
# semanage fcontext list
```
Based on the error message it seems that there is a syntax error in `/etc/selinux/semanage.conf` on your machine (maybe a `#` symbol is missing before some comment).
```
[user@worker-1]# semanage fcontext list
usage: semanage fcontext [-h] [-n] [-N] [-S STORE] [ --add ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC | --delete ( -t TYPE -f FTYPE | -e EQUAL ) FILE_SPEC | --deleteall | --extract | --list [-C] | --modify ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ]
semanage fcontext: error: one of the arguments -a/--add -d/--delete -m/--modify -l/--list -E/--extract -D/--deleteall is required
```

The command `semanage fcontext --list` works as expected.

I have checked the content of `/etc/selinux/semanage.conf`; I don't see any missing `#` before comments. If that's
OK, just tested that udica shows some variation of `Couldn't create policy: [Errno 13] Permission denied` in case of permission issues, but could you please try to run udica with root permissions (needed for accessing policy files, checking labels of mounted paths, etc.)? Also, please share the container.json file if possible (and the complete core dump -- the link in the description just points to this issue).
Can you please share details of the pod you use to run udica? By default SELinux appears disabled inside a container (unless /sys/fs/selinux is mounted as rw), which would block udica from accessing system policy.
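As an added example (not udica's own code and not from anyone in this thread), a small Python preflight that checks the three things raised above before udica is run: root privileges, whether selinuxfs is mounted read-write inside the pod, and whether `/etc/selinux/semanage.conf` contains a line that is neither a comment nor a `key = value` pair. The config check is my own coarse approximation of libsemanage's grammar (comments, `key = value`, and `[section]` / `[end]` markers), not the real parser.

```python
import os
import re
from typing import List, Optional, Tuple

# Accepted semanage.conf line shapes (assumed approximation of libsemanage's
# grammar): "key = value" such as module-store, and markers like "[setfiles]".
_KEY_VALUE = re.compile(r"^\s*[A-Za-z_-]+\s*=.*$")
_SECTION = re.compile(r"^\s*\[[^\]]+\]\s*$")

def find_semanage_conf_problems(text: str) -> List[Tuple[int, str]]:
    """Return (line number, line) for every line that is neither blank,
    a '#' comment, a key = value pair nor a section marker."""
    problems = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if _KEY_VALUE.match(line) or _SECTION.match(line):
            continue
        problems.append((lineno, line))
    return problems

def selinuxfs_mount_state(proc_mounts: str) -> Optional[str]:
    """Return 'rw' or 'ro' for the selinuxfs entry in /proc/mounts text,
    or None when selinuxfs is not mounted at all (SELinux looks disabled)."""
    for line in proc_mounts.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "selinuxfs":
            return "rw" if "rw" in fields[3].split(",") else "ro"
    return None

def preflight(conf_text: str, proc_mounts: str, euid: int) -> List[str]:
    """Collect the reasons udica is likely to fail in this environment."""
    reasons = []
    if euid != 0:
        reasons.append("not running as root: policy files and mount labels are not readable")
    state = selinuxfs_mount_state(proc_mounts)
    if state is None:
        reasons.append("selinuxfs is not mounted: SELinux appears disabled in this container")
    elif state == "ro":
        reasons.append("/sys/fs/selinux is mounted read-only")
    for lineno, line in find_semanage_conf_problems(conf_text):
        reasons.append(f"semanage.conf line {lineno} is not a comment or key = value: {line!r}")
    return reasons

if __name__ == "__main__":
    with open("/etc/selinux/semanage.conf") as conf, open("/proc/mounts") as mounts:
        for reason in preflight(conf.read(), mounts.read(), os.geteuid()):
            print("udica preflight:", reason)
```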