Search code examples
memoryoperating-systemredhatpolicyselinux

SELinux Policy Creation Error regarding Memory and Context Structure

I am working on RHEL 7. I have log files of another machine stored here. I used the following command to create policy :

grep -inr "denied" audit.log* | audit2allow -M Policy_File_Name

Using this command, I was able to create policy for many of log files. But in some cases I encountered this error :

Traceback (most recent call last):
  File "/usr/bin/audit2allow", line 365, in <module>
    app.main()
  File "/usr/bin/audit2allow", line 352, in main
    self.__process_input()
  File "/usr/bin/audit2allow", line 180, in __process_input
    self.__avs = self.__parser.to_access()
  File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 591, in to_access
    avc.path = self.__restore_path(avc.name, avc.ino)
  File "/usr/lib64/python2.7/site-packages/sepolgen/audit.py", line 531, in __restore_path
    universal_newlines=True)
  File "/usr/lib64/python2.7/subprocess.py", line 568, in check_output
    process = Popen(stdout=PIPE, *popenargs, **kwargs)
  File "/usr/lib64/python2.7/subprocess.py", line 711, in __init__
    errread, errwrite)
  File "/usr/lib64/python2.7/subprocess.py", line 1224, in _execute_child
    self.pid = os.fork()
OSError: [Errno 12] Cannot allocate memory

And for few I encountered this error :

libsepol.context_from_record: type celery_t is not defined
libsepol.context_from_record: could not create context structure
libsepol.context_from_string: could not create context structure
libsepol.sepol_context_to_sid: could not convert system_u:system_r:celery_t:s0 to sid

Here 'celery_t' changes with respect to target context.

System Condition :

[root@selinux-policy-creation abhisheklog]# free -h
           total       used        free      shared  buff/cache   available
 Mem:      31G         261M        27G        8.4M        3.1G         30GB
 Swap:      0B          0B          0B

Please provide with Cause and Solution. Thanks.

Solution

  • Such error messages mean that there are invalid SE modules present in the file-system, which might be leftovers from previous bad uninstall scripts. Manually deleting these files usually gets one rid of these error messages; but in this case it seems to be the other way around. While there are such orphaned SE modules present, this can cause bogus error messages - therefore I wouldn't even be too sure about the "cannot allocate memory" message. Got the feeling, this might be related to python2-celery (where type celery_t appears to come from). The problem is that type celery_t made it into the audit log, but it is unknown to the machine which runs audit2allow.

    python2-celery-4.2.1-3.el7.noarch : Distributed Task Queue
Repo        : epel
Matched from:
Filename    : /usr/bin/celery

    The first thing to try might be:

    sudo yum install python2-celery

    which might possibly restore the missing type celery_t. I mean, if this log file originates from another machine, this machine might have python2-celery installed - while the machine which runs the audit2allow might simply lack it. Hope this makes sense.