In the /etc/selinux.conf file (where you turn selinux on/off) add some pointers on how to get more info on failing policies:

I figured out where to find that file :)! We can add a comment right above, "before you disable... here are some things you can do to find what might be causing your problem". Again - you don't have to convince me about its usefulness, just help me debug issues. FWIW I never heard of any of these tools until now; just saying that google did /not/ point me there.

Pointer to
/var/log/audit/audit.log
setroubleshoot
audit2allow
audit2why
http://mother.gsslab.fab.redhat.com/stuff/setroubleshoot-gui.png

Cheers
--Kurt
$ rpm -qf /etc/selinux/config
selinux-policy-3.13.1-23.el7.noarch
Created attachment 1095262: config.diff

My suggestion is that the attached change is made to /etc/selinux/config.
Kurt, how about "man selinux"?
Sure, you can mention that as well in the config file! Remember, in their mind people have already decided to turn it off because they are working on a solution and selinux got in the way. This is your last chance to help them with how to debug their issue. So it's different than educating people about selinux in general.
I would say this is quite a good idea. We can add a short warning. What do you think, Mirek?
What kind of warning? It needs to be short and usable by people. We might want to change the structure of this config file altogether and talk about disabled as the last option. We added some changes to the RHEL SELinux guide. We could follow it.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded. Dangerous, security of your system
# will be decreased!
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted

Something like this for a beginning?
What about

# This file controls the state of SELinux on the system.
#
# SELINUX= can take one of two SELinux modes
#
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
#
# and
#
# disabled - No SELinux policy is loaded. It is strongly recommended to use
# permissive mode instead of permanently disabling SELinux.
# SELinux tools like setenforce, semodule, semanage, setsebool,
# restorecon can be used to solve SELinux troubles before
# permanent disabling. Read selinux(8) Linux man page for
# more details.
SELINUX=enforcing
#
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes
# are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
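Added example (my own script, not part of the bug report or of the selinux-policy package): a POSIX shell script that reads the SELINUX= value from /etc/selinux/config-style text and summarises AVC denials from audit.log-format lines, which is the check the proposed comment and the earlier pointers (audit.log, audit2why, setroubleshoot) ask an administrator to do before setting SELINUX=disabled. The config text and audit lines are constructed samples and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report. All input is constructed and
# embedded so this runs without root or a running SELinux; on a real host
# you would read /etc/selinux/config and /var/log/audit/audit.log instead.

# Constructed /etc/selinux/config content using the keys the thread discusses.
SAMPLE_CONFIG='# This file controls the state of SELinux on the system.
SELINUX=disabled
SELINUXTYPE=targeted'

# Constructed audit.log lines in AVC denial format (pids, inodes, contexts invented).
SAMPLE_AUDIT='type=AVC msg=audit(1441234567.890:123): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1441234567.890:123): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1441234568.100:124): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# Print the value of key $1 (SELINUX or SELINUXTYPE) from config text on
# stdin, skipping comment lines; the last assignment wins, as in the real file.
config_value() {
    sed -n "s/^[[:space:]]*$1=\([^[:space:]]*\).*/\1/p" | tail -n 1
}

# Count AVC denial records in audit-log text on stdin.
count_denials() {
    grep -c '^type=AVC .*avc:  denied'
}

# Reduce each denial to "comm source_type target_type class permission", the
# fields audit2why/setroubleshoot reason about, so the failing policy rule can
# be identified instead of disabling SELinux outright.
summarise_denials() {
    grep '^type=AVC .*avc:  denied' |
        sed -E 's/.*denied  \{ ([^}]*) \} for .*comm="([^"]*)".*scontext=[^:]*:[^:]*:([^:]*):.*tcontext=[^:]*:[^:]*:([^:]*):.*tclass=([^ ]*).*/\2 \3 \4 \5 \1/'
}

# Advice for a SELINUX= mode ($1) and denial count ($2), following the comment
# text proposed in the thread: permissive plus a policy fix, not disabled.
recommend() {
    if [ "$1" = disabled ] && [ "$2" -gt 0 ]; then
        echo "use SELINUX=permissive and resolve $2 denial(s) with audit2why/setroubleshoot before disabling"
    else
        echo "keep SELINUX=$1"
    fi
}

mode=$(printf '%s\n' "$SAMPLE_CONFIG" | config_value SELINUX)
n=$(printf '%s\n' "$SAMPLE_AUDIT" | count_denials)
printf '%s\n' "$SAMPLE_AUDIT" | summarise_denials
recommend "$mode" "$n"
```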
I don't think it improves on my change (see attachment comment 2).
Mirek:
Maybe this is quite long, but we can try it.
Just one more thing. What about moving the first sentence to the end of the section?

# disabled - It is strongly recommended to use
# permissive mode instead of permanently disabling SELinux.
# SELinux tools like setenforce, semodule, semanage, setsebool,
# restorecon can be used to solve SELinux troubles before
# permanent disabling. Read selinux(8) Linux man page for
# more details. No SELinux policy is loaded.

This will force the administrator to read the whole section.

Richard:
I agree with Mirek Grepl that we want to have this warning in the "disabled" description.
(In reply to Richard W.M. Jones from comment #9)
> I don't think it improves on my change (see attachment comment 2).

I believe a combination would be fine. Not sure if we want to mention audit2allow as a good tool for solutions. setroubleshoot-gui is going to be only on workstation installations.
(In reply to Lukas Vrabec from comment #10)
> Mirek:
> Maybe this is quite long, but we can try it.
> Just one more thing. What about move the first sentence to end of section?
>
> # disabled - It is strongly recommended to use
> # permissive mode instead of permanently disabling SELinux.
> # SELinux tools like setenforce, semodule, semanage, setsebool,
> # restorecon can be used to solve SELinux troubles before
> # permanent disabling. Read selinux(8) Linux man page for
> # more details. No SELinux policy is loaded.

Does not make sense to me.

> This will force administrator to read whole section.
>
> Richard:
> I agree with Mirek Grepl, that we want to have this warning in "disabled"
> description.
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle. Changing version to '24'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
This message is a reminder that Fedora 24 is nearing its end of life. Approximately 2 (two) weeks from now Fedora will stop maintaining and issuing updates for Fedora 24. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '24'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 24 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.