Forwarded from the "users" list
-------- Forwarded Message -------- Subject: setools-console-analyses package Date: Mon, 5 Aug 2019 13:34:11 +0300 From: Aristeidis Dimitriadis ar.s.dimitriadis@gmail.com To: users@lists.fedoraproject.org
Hello,
I believe there is an error in the packaging of setools-console-analyses which results in one of the tools being unusable. I am close to submitting a bug report but I would like someone to have a look first in case I am doing something wrong. Using up-to-date Fedora 30.
The tool of interest in sedta which performs "Domain transition analysis for SELinux policies" (from the manpage). Running this tool results in this:
$ sedta -s <some domain> -p <some policy file>
'DiGraph' object has no attribute 'edges_iter'
This is a Python error and seems related to the networkx Python library which is listed as a requirement. No version requirements for this library are displayed by rpm. Installed version (by dnf) is 2.3. However, there is this guide :
https://networkx.github.io/documentation/stable/release/migration_guide_from...
where it is clearly stated that the "edges_iter" API is removed in version 2.0. The upstream SELinux tools project which I believe is here :
https://github.com/SELinuxProject/setools
does not use the "edges_iter" API (I grep-ed for it). My guess is that networkx was updated but setools-console-analyses was not and now is trying to use an incompatible library version.
No similar issues appear on bugzilla. Should I create one?
Also, is there a way to report a bug without creating a bugzilla/fedora account? answered in "users" lists
Aristeidis Dimitriadis
Aristeidis Dimitriadis ar.s.dimitriadis@gmail.com writes:
Hello,
I believe there is an error in the packaging of setools-console-analyses which results in one of the tools being unusable. I am close to submitting a bug report but I would like someone to have a look first in case I am doing something wrong. Using up-to-date Fedora 30.
The tool of interest in sedta which performs "Domain transition analysis for SELinux policies" (from the manpage). Running this tool results in this:
$ sedta -s <some domain> -p <some policy file>
'DiGraph' object has no attribute 'edges_iter'
This is a Python error and seems related to the networkx Python library which is listed as a requirement. No version requirements for this library are displayed by rpm. Installed version (by dnf) is 2.3. However, there is this guide :
https://networkx.github.io/documentation/stable/release/migration_guide_from...
where it is clearly stated that the "edges_iter" API is removed in version 2.0. The upstream SELinux tools project which I believe is here :
https://github.com/SELinuxProject/setools
does not use the "edges_iter" API (I grep-ed for it). My guess is that networkx was updated but setools-console-analyses was not and now is trying to use an incompatible library version.
No similar issues appear on bugzilla. Should I create one?
There are 2 versions of setools available in Fedora 30:
- setools-4.1.1-14.fc30 from standard Fedora repo - the affected version
- setools-4.2.0-1.module_f30+3425+bbab1a14 from Fedora modular
We need to ship the 4.1 version as it's the last version which supports Python 2, python2-setools is required by python2-policycoreutils which is required by other packages outside of SELinux space.
Therefore setools-4.2 is packaged in a module:
# dnf module enable setools
# dnf update setools-console-analyses ... Upgraded: python3-setools-4.2.0-1.module_f30+3425+bbab1a14.x86_64 setools-console-analyses-4.2.0-1.module_f30+3425+bbab1a14.x86_64 Complete!
# sedta -s sshd_t -p /etc/selinux/targeted/policy/policy.31 Transition 1: sshd_t -> nx_server_t
Domain transition rule(s): allow sshd_t nx_server_t:process transition; ...
4.2.2 version should be also available, but I haven't found it. It was built by Vit who's currently on holidays. Given that I'm hardly a modularity expert, we would need to wait for him.
Also, is there a way to report a bug without creating a bugzilla/fedora account? answered in "users" lists
You need an account. Or you can send an email like you did - you can use this mailing list of setools-owner@fedoraproject.org aliases as a recipient.
Thanks!
Petr
Petr Lautrbach plautrba@redhat.com writes:
Aristeidis Dimitriadis ar.s.dimitriadis@gmail.com writes:
Hello,
I believe there is an error in the packaging of setools-console-analyses which results in one of the tools being unusable. I am close to submitting a bug report but I would like someone to have a look first in case I am doing something wrong. Using up-to-date Fedora 30.
The tool of interest in sedta which performs "Domain transition analysis for SELinux policies" (from the manpage). Running this tool results in this:
$ sedta -s <some domain> -p <some policy file>
'DiGraph' object has no attribute 'edges_iter'
This is a Python error and seems related to the networkx Python library which is listed as a requirement. No version requirements for this library are displayed by rpm. Installed version (by dnf) is 2.3. However, there is this guide :
https://networkx.github.io/documentation/stable/release/migration_guide_from...
where it is clearly stated that the "edges_iter" API is removed in version 2.0. The upstream SELinux tools project which I believe is here :
https://github.com/SELinuxProject/setools
does not use the "edges_iter" API (I grep-ed for it). My guess is that networkx was updated but setools-console-analyses was not and now is trying to use an incompatible library version.
No similar issues appear on bugzilla. Should I create one?
There are 2 versions of setools available in Fedora 30:
setools-4.1.1-14.fc30 from standard Fedora repo - the affected version
setools-4.2.0-1.module_f30+3425+bbab1a14 from Fedora modular
We need to ship the 4.1 version as it's the last version which supports Python 2, python2-setools is required by python2-policycoreutils which is required by other packages outside of SELinux space.
Therefore setools-4.2 is packaged in a module:
# dnf module enable setools
# dnf update setools-console-analyses ... Upgraded: python3-setools-4.2.0-1.module_f30+3425+bbab1a14.x86_64 setools-console-analyses-4.2.0-1.module_f30+3425+bbab1a14.x86_64 Complete!
# sedta -s sshd_t -p /etc/selinux/targeted/policy/policy.31 Transition 1: sshd_t -> nx_server_t
Domain transition rule(s): allow sshd_t nx_server_t:process transition; ...
4.2.2 version should be also available, but I haven't found it. It was built by Vit who's currently on holidays. Given that I'm hardly a modularity expert, we would need to wait for him.
I've found it:
https://bodhi.fedoraproject.org/updates/FEDORA-MODULAR-2019-3003745bbe
# dnf module reset setools
# dnf module enable --enablerepo=updates-testing-modular setools:4.2
# dnf update --enablerepo=updates-testing-modular setools-console-analyses ... Upgraded: python3-setools-4.2.2-1.module_f30+4995+aaa0ceb3.x86_64 setools-console-analyses-4.2.2-1.module_f30+4995+aaa0ceb3.x86_64
# sedta -s sshd_t -p /etc/selinux/targeted/policy/policy.31 Transition 1: sshd_t -> nx_server_t
Domain transition rule(s): allow sshd_t nx_server_t:process transition; ...
Also, is there a way to report a bug without creating a bugzilla/fedora account? answered in "users" lists
You need an account. Or you can send an email like you did - you can use this mailing list of setools-owner@fedoraproject.org aliases as a recipient.
Thanks!
Petr _______________________________________________ selinux mailing list -- selinux@lists.fedoraproject.org To unsubscribe send an email to selinux-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@lists.fedoraproject.or...
On 8/6/19 12:00 PM, Petr Lautrbach wrote:
There are 2 versions of setools available in Fedora 30:
setools-4.1.1-14.fc30 from standard Fedora repo - the affected version
setools-4.2.0-1.module_f30+3425+bbab1a14 from Fedora modular
We need to ship the 4.1 version as it's the last version which supports Python 2, python2-setools is required by python2-policycoreutils which is required by other packages outside of SELinux space.
Therefore setools-4.2 is packaged in a module:
# dnf module enable setools
# dnf update setools-console-analyses ... Upgraded: python3-setools-4.2.0-1.module_f30+3425+bbab1a14.x86_64 setools-console-analyses-4.2.0-1.module_f30+3425+bbab1a14.x86_64 Complete!
# sedta -s sshd_t -p /etc/selinux/targeted/policy/policy.31 Transition 1: sshd_t -> nx_server_t
Domain transition rule(s): allow sshd_t nx_server_t:process transition; ...
Using the modules version fixed my problem. Thank you!
However, it is still not clear to me why this happened. Why does python2-setools prevents setools-console-analyses from being updated? It requires python_3_-setools. Why can't we have an updated version of the command line tools using updated versions of the python3-setools AND the old versions of python2-setools for those packages that require them?
Isn't there a way to fix this rather ugly situation (other than getting rid of Python 2 completely)? A package is practically shipped broken at the moment.
Aristeidis Dimitriadis
On 8/6/19 12:00 PM, Petr Lautrbach wrote: Using the modules version fixed my problem. Thank you!
However, it is still not clear to me why this happened. Why does python2-setools prevents setools-console-analyses from being updated? It requires python_3_-setools. Why can't we have an updated version of the command line tools using updated versions of the python3-setools AND the old versions of python2-setools for those packages that require them?
All packages (python2-, python3-, -console-analyses) are built from one setools source rpm which contains one source tar ball. The only difference between python2-setools and python3-setools is that it's built using different python interpret, see https://src.fedoraproject.org/rpms/setools/blob/f30/f/setools.spec#_127 It means that all of them have the same version and release number.
Isn't there a way to fix this rather ugly situation (other than getting rid of Python 2 completely)? A package is practically shipped broken at the moment.
I guess that setools-4.1.1 could be fixed so that it would work with python-networkx-2. But given that there's a workaround (setools:4.2 module stream) and it looks like that only setools-console-analyses is affected, I'd personally assign a low priority to this task. On the other hand, if there's a patch fixing this issue, I'd use it and update setools-4.1.1 in Fedora 30.
Btw in Rawhide/Fedora31, python2 subpackage is already dropped and setools is updated to 4.2.2 version.
Petr
On 8/6/19 10:54 PM, Petr Lautrbach wrote:
All packages (python2-, python3-, -console-analyses) are built from one setools source rpm which contains one source tar ball. The only difference between python2-setools and python3-setools is that it's built using different python interpret, see https://src.fedoraproject.org/rpms/setools/blob/f30/f/setools.spec#_127 It means that all of them have the same version and release number.
Ok, I understand what the problem is now and why it doesn't make much sense to put effort into fixing it. Thank you very much for the detailed explanation.
I hope Python 2 gets dropped soon :P
selinux@lists.fedoraproject.org