Bug 1132470

Summary: setroubleshoot not as informative in RHEL7 as it was in RHEL6
Product: Red Hat Enterprise Linux 7 Reporter: L.L.Robinson <junk>
Component: setroubleshootAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: David Spurek <dspurek>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.0CC: dspurek, ebenes
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: setroubleshoot-3.2.17-3.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-25 10:05:11 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
output from sealert -a /var/log/audit/audit.log
none
output from sealert -a /var/log/audit/audit.log on Fedora 20 none

Description L.L.Robinson 2014-08-21 12:11:14 UTC
Description of problem:
In RHEL6 I did a trivial example of an SELinux issue, I created a html file in the root home dir, moved it to the web root and tried to view it. 

The setroubleshoot-server would suggest restorecon to fix the context

In RHEL7 the setroubleshoot-server only suggests plugin catchall. Also it doesn't tell you which file the httpd process tried to access and reccomends reading a man page called "none". Output attached

Version-Release number of selected component (if applicable):
Name        : setroubleshoot-plugins
Arch        : noarch
Version     : 3.0.59
Release     : 1.el7
Size        : 5.1 M
Repo        : installed
From repo   : cd
Summary     : Analysis plugins for use with setroubleshoot
URL         : https://fedorahosted.org/setroubleshoot
License     : GPLv2+
Description : This package provides a set of analysis plugins for use with
            : setroubleshoot. Each plugin has the capacity to analyze SELinux AVC
            : data and system data to provide user friendly reports describing how
            : to interpret SELinux AVC denials.



How reproducible:
Always

Steps to Reproduce:
1.Install minimal RHEL7 with setroubleshoot-server and httpd
2. start and enable httpd
3. create a file with an incorrect context to server and place it in webroot
4. observer sealert -a /var/log/audit/audit.log only recommending "Plugin Catchall" 

Actual results:
observer sealert -a /var/log/audit/audit.log only recommending "Plugin Catchall" 


Expected results:
output from "Plugin restorecon"

Additional info:

Comment 1 L.L.Robinson 2014-08-21 12:11:51 UTC
Created attachment 929180 [details]
output from sealert -a /var/log/audit/audit.log

Comment 3 Daniel Walsh 2014-08-21 12:32:53 UTC
This works fine in Fedora.  Miroslav can we get setroubleshoot updated to match the fedora release?

Comment 4 L.L.Robinson 2014-08-21 14:03:27 UTC
err. it doesn't work on my Fedora 20.

Comment 5 L.L.Robinson 2014-08-21 14:04:13 UTC
Created attachment 929213 [details]
output from sealert -a /var/log/audit/audit.log on Fedora 20

Comment 6 Miroslav Grepl 2014-08-21 15:01:11 UTC
Ok I see 

SELinux is preventing httpd from getattr access on the file /var/www/html/parp.html.

*****  Plugin restorecon (99.5 confidence) suggests   ************************

If you want to fix the label. 
/var/www/html/parp.html default label should be httpd_sys_content_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /var/www/html/parp.html


on my F21 system.

Comment 7 L.L.Robinson 2014-08-21 17:09:09 UTC
what is your systemd version? If it's in updates-testing I can check it as well.

Comment 8 L.L.Robinson 2014-08-21 17:10:15 UTC
(In reply to junk from comment #7)
> what is your systemd version? If it's in updates-testing I can check it as
> well.

I mean selinux setroubleshoot-server, setroubleshoot-plugins etc..., not systemd

Comment 10 Miroslav Grepl 2014-09-08 14:53:51 UTC
This is a bug in setroubleshoot-server package.

Comment 15 errata-xmlrpc 2014-11-25 10:05:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2014-1896.html