Bug 809505

Summary: [RFE] Notify remote user of SELinux enforcing mode on AVC
Product: [Fedora] Fedora
Reporter: Michal Novotny <minovotn>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: rawhide
CC: areis, dominick.grift, dwalsh, mgrepl, mmalik
Hardware: Unspecified
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-12-15 19:12:53 UTC

Description Michal Novotny 2012-04-03 14:39:08 UTC
Description of problem:

If you're using SELinux and you're connected from a remote host, you don't get the AVC denials and you're not notified about the denials either. It would be nice to notify the user that SELinux is enabled and in enforcing mode if AVC denials occur.

Version-Release number of selected component (if applicable):
selinux-policy

How reproducible:
Easily

Steps to Reproduce:
1. Install a machine and leave SELinux enabled
2. Install e.g. Apache and alter configuration to use something in non-standard location to trigger AVC denials (don't fix)
3. Set IPTables to allow remote connectivity to the machine's port 80 (HTTP)
4. Try to connect to the machine's HTTP port from a remote machine: you see the error page, you're not notified on the remote host, and you don't know what the problem is

Actual results:
You're not notified and you don't know there's SELinux enforcing and blocking it.

Expected results:
You should be notified that SELinux is enabled and in enforcing mode in case you get an AVC denial. If you get an AVC denial, an e-mail should be sent to the root user of the system (one per file/type/context of denial, but not duplicated for the same file/type/context).

Additional info:
It would be really nice to implement this because sometimes administrators don't know that SELinux is enabled and enforcing, and they try to find out what's wrong and waste time. The notification would be a really great thing, and if you don't have SETroubleShoot installed/enabled and you're not accessing a local machine, you don't get the AVC denials at all except by looking manually at the audit_log.

Comment 1 Milos Malik 2012-04-03 14:56:10 UTC
I can think of two ways to notify the remote user of the fact that AVCs appeared:
 * via bash (bash is periodically checking for new emails. What about periodic checking for new AVCs?)
 * via setroubleshoot (e.g. the setroubleshoot server could send an email when new AVCs appear, but max. 1 email per minute)

Maybe selinux-policy is not the right component, but it's a good place to start a discussion about the remote user notification mechanism.
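A sketch of the periodic check Comment 1 proposes, with the per-file/type/context deduplication the reporter asks for in the expected results. This is an added example, not code from the bug report or from setroubleshoot; the audit records are constructed samples, and delivering the notice (mail to root, syslog) is left to the caller.

```python
import re

# Constructed sample audit records (not from the bug report): two denials with the same file/class/context, one on a port.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1333463948.123:101): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1333463950.456:102): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev=dm-0 ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1333463951.789:103): avc:  denied  { name_bind } for  pid=1234 comm="httpd" src=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value pairs after "for"

def parse_avc(line):
    """Return a dict for an AVC denial record, or None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    return {'perms': tuple(m.group('perms').split()), 'comm': f.get('comm', '?'),
            # file denials carry name=/path=; socket denials carry src=/dest=
            'target': f.get('path') or f.get('name') or f.get('src') or f.get('dest', '?'),
            'scontext': f.get('scontext'), 'tcontext': f.get('tcontext'), 'tclass': f.get('tclass')}

def dedup_key(avc):
    """Same target, class, contexts and permissions means the same denial: notify only once."""
    return (avc['target'], avc['tclass'], avc['scontext'], avc['tcontext'], avc['perms'])

def new_denials(log_text, seen):
    """Return denials whose key is not yet in `seen` (state the periodic check persists
    between runs); repeats of a known key only bump its counter."""
    fresh = []
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is None:
            continue
        key = dedup_key(avc)
        if key in seen:
            seen[key] += 1
        else:
            seen[key] = 1
            fresh.append(avc)
    return fresh

def format_notice(denials, enforcing=True):
    """Message body for root: states the SELinux mode first, then one line per unique denial."""
    mode = 'enforcing' if enforcing else 'permissive'
    out = [f'SELinux is enabled and in {mode} mode; {len(denials)} new AVC denial(s):']
    for d in denials:
        out.append(f"  {d['comm']} denied {{ {' '.join(d['perms'])} }} on {d['target']} "
                   f"({d['tclass']}) {d['scontext']} -> {d['tcontext']}")
    return '\n'.join(out)
```

Running `new_denials` from cron with `seen` loaded from a state file gives the "at most once per file/type/context" behaviour; a rate limit such as Comment 1's one mail per minute would be applied on top, at send time.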

Comment 2 Daniel Walsh 2012-04-05 20:53:11 UTC
setroubleshoot can currently be set up to send email on AVC arrival. It can be set up out of the box to send email to root. Also it logs to /var/log/messages; it has been suggested that logwatch start watching for these messages.