Bug 477780

Summary: RFE: AVC denial notifications configuration.
Product: [Fedora] Fedora
Reporter: Gilboa Davara <gilboad>
Component: setroubleshoot
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 10
CC: dwalsh, jdennis, mgrepl
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-12-23 17:43:50 UTC

Description Gilboa Davara 2008-12-23 17:32:37 UTC
Description of problem:
As the title suggests - I have a certain script that, unless it's being executed from the right context, generates a huge amount of AVC denials. (I'm in the process of fixing this.)
Problem is, when the first denial hits, the user gets a notification and opens the setroubleshoot browser - which doesn't stop the flood of libnotify pop-ups...

I'd propose the following user-defined configuration:

1. Disable SELinux notification.
2. Disable SELinux notification when setroubleshoot browser is active and in focus.
3. Full SELinux notification. (Even when the setroubleshoot browser is active.)

- Gilboa

Comment 1 John Dennis 2008-12-23 17:43:50 UTC
This functionality is already present.

If this is the same AVC which keeps triggering it then all you need to do is check the "Quiet" checkbox in the browser, as long as that is checked you won't get any notifications for that alert.

You can also edit /etc/setroubleshoot/setroubleshoot.cfg and modify the use_notification parameter. Its values are documented in the config file. You'll have to restart sealert for it to take effect. Here is the doc for use_notification:

Control balloon notification. Possible values: always,never,browser_hidden "always" will
always display the notification. "never" disables notification completely. "browser_hidden" displays the notification
but only if the alert browser is not visible. Note: individual alerts can be flagged as silent disabling notification
for a specific alert, this parameter does not override that.

Comment 2 Gilboa Davara 2008-12-23 18:43:20 UTC
OK. Thanks.
Nevertheless, would it be possible to add some information about this cfg to the sealert man page? (A normal 'man -k setroubleshoot' and/or Google search about configuring SELinux notification returns more-or-less nothing; same goes for 'man sealert'; in essence, you must be aware of setroubleshoot.cfg beforehand)

Beyond that, I've set setroubleshoot.cfg's use_notification to browser_hidden and restarted the setroubleshoot service.
Ran the script, first notification, started the browser... and the notification kept coming. Should I open a separate bug report?

- Gilboa
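
An added example, not part of the bug thread or of setroubleshoot itself: a small check that reads setroubleshoot.cfg and reports which of the three values documented in Comment 1 is set for use_notification, flagging anything else (for instance a typo, or "never" silencing AVC alerts unnoticed). The `[alert]` section name in the sample and the function name are assumptions; the check scans every section, so it does not depend on where the key lives.

```python
import configparser

CFG_PATH = "/etc/setroubleshoot/setroubleshoot.cfg"  # path given in Comment 1

# The three values documented in Comment 1 for use_notification.
DOCUMENTED = {
    "always": "notification always displayed",
    "never": "notification disabled completely",
    "browser_hidden": "notification displayed only if the alert browser is not visible",
}

# Constructed sample; the [alert] section name is an assumption.
SAMPLE = """\
[alert]
# Control balloon notification.
use_notification = browser_hidden
"""


def audit_use_notification(cfg_text):
    """Return [(section, value, verdict)] for each use_notification key found."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(cfg_text)
    findings = []
    for section in parser.sections():
        if not parser.has_option(section, "use_notification"):
            continue
        value = parser.get(section, "use_notification").strip().lower()
        verdict = DOCUMENTED.get(value, "UNDOCUMENTED value, check for a typo")
        findings.append((section, value, verdict))
    return findings


if __name__ == "__main__":
    try:
        with open(CFG_PATH) as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE  # fall back to the constructed sample when run off-box
    results = audit_use_notification(text)
    if not results:
        print("use_notification is not set in any section")
    for section, value, verdict in results:
        print(f"[{section}] use_notification = {value}: {verdict}")
```

Per-alert "Quiet" flags are stored separately and, as Comment 1 notes, are not overridden by this parameter, so this check covers only the global setting.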