python3: handle.c:336: semanage_connect: Assertion `sh != NULL' failed. #148

nev888 opened this issue Sep 30, 2024 · 6 comments
nev888 commented Sep 30, 2024

When trying to generate the SELinux profile the application crashes with the following error:

```
[user]# udica -j container.json my_container
error parsing semanage configuration file: syntax error
python3: handle.c:336: semanage_connect: Assertion `sh != NULL' failed.
Aborted (core dumped)
```

I figured out that this happens when I have this mount dir in my container, specifically the hostPath:

```
{
  "containerPath": "/sys/devices",
  "gidMappings": [],
  "hostPath": "/sys/devices",
  "propagation": "PROPAGATION_PRIVATE",
  "readonly": false,
  "selinuxRelabel": false,
  "uidMappings": []
},
```

If I change the hostPath to something else, or remove the whole mount point, the profile will be generated.

I run udica in a pod on the OpenShift platform.
Attached core dump:
coredump_udica.tar.gz

vmojzis commented Oct 7, 2024

Hi, thank you for reporting the issue.
Can you please check that the following command works as expected (as opposed to throwing errors such as `error parsing semanage configuration file: syntax error`):

```
# semanage fcontext list
```

Based on the error message it seems that there is a syntax error in `/etc/selinux/semanage.conf` on your machine (maybe a `#` symbol is missing before some comment).

nev888 commented Oct 7, 2024

```
[user@worker-1]# semanage fcontext list

usage: semanage fcontext [-h] [-n] [-N] [-S STORE] [ --add ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC | --delete ( -t TYPE -f FTYPE | -e EQUAL ) FILE_SPEC | --deleteall | --extract | --list [-C] | --modify ( -t TYPE -f FTYPE -r RANGE -s SEUSER | -e EQUAL ) FILE_SPEC ]
semanage fcontext: error: one of the arguments -a/--add -d/--delete -m/--modify -l/--list -E/--extract -D/--deleteall is required
```

`semanage fcontext --list` this command works as expected.

I have checked the content of `/etc/selinux/semanage.conf`; I don't see any missing `#` before comments. If that's

vmojzis commented Oct 7, 2024

OK, just tested that udica shows some variation of `Couldn't create policy: [Errno 13] Permission denied` in case of permission issues, but could you please try to run udica with root permissions (needed for accessing policy files, checking labels of mounted paths, etc.)? Also, please share the container.json file if possible (and the complete core dump -- the link in the description just points to this issue).

nev888 commented Oct 7, 2024

Coredump file is corrected.

container2.json

I did run udica with root user already.

vmojzis commented Oct 7, 2024

Can you please share details of the pod you use to run udica? By default SELinux appears disabled inside a container (unless /sys/fs/selinux is mounted as rw), which would block udica from accessing system policy.
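
The condition described in the comment above, as an added example that is not part of the original thread or of the udica project: a shell function that reports whether selinuxfs at `/sys/fs/selinux` is mounted read-write, read-only or not at all, given a file in `/proc/mounts` format. The function names and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not udica code). Sample mount lines are constructed.

# Print how selinuxfs appears at /sys/fs/selinux in a /proc/mounts-format
# file: "rw", "ro" or "absent". Defaults to the live /proc/mounts.
selinuxfs_state() {
    awk '
        $2 == "/sys/fs/selinux" && $3 == "selinuxfs" {
            # Field 4 is the comma-separated option list; the last match wins.
            n = split($4, opts, ",")
            state = "ro"
            for (i = 1; i <= n; i++)
                if (opts[i] == "rw") state = "rw"
        }
        END { print (state == "" ? "absent" : state) }
    ' "${1:-/proc/mounts}"
}

# Map a state to what it means for a policy tool running in the container.
explain_state() {
    case "$1" in
        rw)     echo "selinuxfs is read-write: SELinux is visible in this container" ;;
        ro)     echo "selinuxfs is read-only: SELinux appears disabled here" ;;
        absent) echo "selinuxfs is not mounted: SELinux appears disabled here" ;;
    esac
}

# Constructed /proc/mounts content for a hypothetical pod, one per case.
sample_mounts() {
    echo "overlay / overlay rw,relatime 0 0"
    echo "sysfs /sys sysfs ro,nosuid,nodev,noexec,relatime 0 0"
    case "$1" in
        rw) echo "selinuxfs /sys/fs/selinux selinuxfs rw,nosuid,noexec,relatime 0 0" ;;
        ro) echo "selinuxfs /sys/fs/selinux selinuxfs ro,nosuid,noexec,relatime 0 0" ;;
    esac
}

# Demo over the three constructed cases.
tmp=$(mktemp)
for mode in rw ro absent; do
    sample_mounts "$mode" > "$tmp"
    state=$(selinuxfs_state "$tmp")
    echo "$mode sample -> $state: $(explain_state "$state")"
done
rm -f "$tmp"
```

Calling `selinuxfs_state` with no argument inside the pod reads the live `/proc/mounts` instead of a sample file.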

nev888 commented Oct 8, 2024

udica_pod.txt
