0

I'm trying to execute audit2allow using Symfony\Component\Process\Process.

When I run exec("audit2allow -a -M a2a"); in PHP, it works just fine, a2a.pp and a2a.te is produced. 

    $process = new Process(['audit2allow', '-a', '-M', 'a2a']);
    $process->run();
    if (!$process->isSuccessful()) {
        throw new ProcessFailedException($process);
    }
    echo $process->getOutput();

However, the above code produces the output below

Symfony\Component\Process\Exception\ProcessFailedException  : The command "'audit2allow' '-a' '-M' 'a2a'" failed.

Exit Code: 1(General error)

Working directory: /var/www/html/example

Output:
================
compilation failed:
a2a.te:6:ERROR 'syntax error' at token '' on line 6:


/usr/bin/checkmodule:  error(s) encountered while parsing configuration
/usr/bin/checkmodule:  loading policy configuration from a2a.te

which is the typical output when there is a empty /var/log/audit/audit.log. What do I need to change to make it work properly? Symfony claims it is not a bug. https://github.com/symfony/symfony/issues/35862

Update

Using Symfony\Component\Process\Process (code above) actually produces the file a2a.te, but it has only 1 line.

module a2a 1.0;

Whereas using exec() produces the file a2a.te with many lines:

module a2a 1.0;

require {
        type kernel_t;     
        type vmblock_t;    
        type container_t;  
...

Why does running the same command on Symfony\Component\Process\Process and exec() gives different outcomes?

bilogic
  • 449
  • 3
  • 18
  • The output hints at a problem in your `a2a.te` file being processed by `audi2allow`. That means the problem is likely either the arguments or the process itself. As far as Symfony is concerned, it does what it's supposed to do: run the command with the arguments and then pass the output back to you. Are all files for the command in the same working directory or do you have multiple copies and it picked the wrong one? Do you have multiple versions of audit2allow installed, .e.g. in your project and also in `/usr/bin` or `/usr/local/bin`? What happens when you run the same command in the CLI? – dbrumann Mar 02 '20 at 08:16
  • Maybe the working directory is affecting your call? (auto-detection may be affected by ZTS builds of PHP or Windows builds) – Nek Mar 02 '20 at 09:07
  • @dbrumann I have only 1 ```audit2allow``` in ```/usr/bin``` – bilogic Mar 03 '20 at 09:18
  • @dbrumann using PHP to run the same command with ```exec()``` and ```Symfony\Component\Process\Process``` yields different outputs so, my claim is that Symfony did not run the command properly. To me, Symfony's difference should only be in its added ability to capture the output and start/wait/stop the process etc. Since both are from PHP, I assume permissions are the same. – bilogic Mar 03 '20 at 09:25
  • The working folders are the same, in fact, the command is folder agnostic. ```-a``` says to read from ```/var/log/audit.log```, while ```-M``` is to produce the module package by the name of ```a2a``` – bilogic Mar 03 '20 at 09:26
  • `Symfony\Component\Process\Process` does not aim to exactly mimic `exec()`, so comparing them directly is not helpful. It's true that they are similar, but certain changes might be intentional. Please compare `Process` with the actual shell command being executed instead. That is more helpful, as this is what Process tries to build an abstraction on. Afterwards you can still examine how it differs from `exec()` and why. – dbrumann Mar 03 '20 at 13:35
  • thanks but my main purpose of posting here is to find someone who has encountered and found a way to overcome this issue. – bilogic Mar 06 '20 at 03:16

0 Answers0