Bug 1530639

Summary: seapplet needs fixing to provide visible alert since GNOME removed notification icon support
Product: [Fedora] Fedora Reporter: Alan Jenkins <alan.christopher.jenkins>
Component: setroubleshootAssignee: Petr Lautrbach <plautrba>
Status: CLOSED DUPLICATE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high Docs Contact:
Priority: urgent    
Version: 27CC: dwalsh, mgrepl, plautrba, pmoore, vmojzis
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-01-08 07:30:44 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Alan Jenkins 2018-01-03 14:44:30 UTC 
Description of problem:

seapplet now fails to provide any visible indication when a SELinux error 
occurs, and the user is logged in to GNOME.

The problem must be that seapplet is an XDG "system tray" icon.  GNOME has now removed support for system tray icons.  So when a SELinux error occurs, a seapplet process appears in `ps` ... however that process does not manage to actually do anything.

So seapplet needs to be re-evaluated to decide what we want to happen here.  I didn't find any such discussion.

This was a deliberate feature of seapplet: to notify the user that SELinux is the cause of whatever failure has happened.  Which could otherwise have been very mysterious and frustrating.

For comparison, I _think_ ABRT is working correctly and showing notifications.  And I think selinux denials should be treated in the same way as ABRT: show a pop-up notification.   Ideally the seapplet process would also detect that it's systray icon is not visible, so it should be able to exit straight away.

That said, there are also messages visible in the main system log.  I don't know whether these would have been available pre-systemd... or if they would have been visible in the first system log file checked; the split of the log into multiple files was sometimes a cause of confusion.


Version-Release number of selected component (if applicable):
setroubleshoot-3.3.14-1.fc27.x86_64

How reproducible: always

Steps to Reproduce:
1. log in to GNOME
2. provoke a SELinux error (e.g. https://superuser.com/questions/908373/a-way-to-trigger-an-selinux-policy-violation)

Actual results:

no visible notification

Expected results:

Something changes onscreen to notify the user, like it used to.

Additional info:
Comment 1 Petr Lautrbach 2018-01-04 07:45:25 UTC 
For the reference:

https://pagure.io/setroubleshoot/issue/8
https://bugzilla.redhat.com/show_bug.cgi?id=1222797
Comment 2 Petr Lautrbach 2018-01-05 23:11:40 UTC 
The work on rewrite started in my private branch https://pagure.io/fork/plautrba/setroubleshoot/blob/WIP-gnome3-notifications/f/framework/src/seapplet.py
Comment 3 Petr Lautrbach 2018-01-08 07:25:45 UTC 
Builds are available at

https://copr.fedorainfracloud.org/coprs/plautrba/setroubleshoot/

Original seapplet was renamed to seappletlegacy and the new seapplet.py is seapplet now.
Comment 4 Petr Lautrbach 2018-01-08 07:30:44 UTC 

*** This bug has been marked as a duplicate of bug 1222797 ***