Bug 1281916 - Add info pointers right in the selinux.conf
Add info pointers right in the selinux.conf
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
24
Unspecified Unspecified
medium Severity low
: ---
: ---
Assigned To: Lukas Vrabec
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-11-13 14:37 EST by Kurt T Stam
Modified: 2017-08-08 08:24 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-08 08:24:01 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kurt T Stam 2015-11-13 14:37:56 EST
In the /etc/selinux.conf file (where you turn selinux on/off) add some pointers how to get more info on failing policies:

I figured out where to find that file :)! We can add a commend right above, "before you disable... here are some things you can do to find what might be causing your problem". Again - you don't have to convince about it usefulness, just help me debug issues. FWIW I never heard of any of these tools until now; just saying that google did /not/ point me there.

Pointer to /var/log/audit/audit.log
setroubleshoot
audit2allow
audit2why
  http://mother.gsslab.fab.redhat.com/stuff/setroubleshoot-gui.png

Cheers

--Kurt
Comment 1 Richard W.M. Jones 2015-11-17 04:12:18 EST
$ rpm -qf /etc/selinux/config 
selinux-policy-3.13.1-23.el7.noarch
Comment 2 Richard W.M. Jones 2015-11-17 04:13 EST
Created attachment 1095262 [details]
config.diff

My suggestion is that the attached change is made to /etc/selinux/config.
Comment 3 Miroslav Grepl 2015-11-20 08:52:50 EST
Kurt,
how about "man selinux"?
Comment 4 Kurt T Stam 2015-11-20 09:53:08 EST
Sure you can mention that as well in the config file!

Remember in their mind people have already decided to turn it of because they are working on a solution and selinux got in the way. This is your last chance to help them with how to debug their issue. So it's different then educating people about selinux in general.
Comment 5 Lukas Vrabec 2015-11-23 06:34:34 EST
I would say this is quite a good idea. We can add some short warning. 

What do you think Mirek?
Comment 6 Miroslav Grepl 2015-12-08 06:41:29 EST
What kind of warning? It needs to be short and usable by people. We might want to change the scructure of this config file at all and talk about disabled as the last option.

We added some changes to RHEL SELinux guide. We could follow it.
Comment 7 Lukas Vrabec 2015-12-08 07:31:17 EST
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded. Dangerous, security of your system #                will be decreased!
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 

Something like this for beginning?
Comment 8 Miroslav Grepl 2015-12-11 08:37:33 EST
What about

# This file controls the state of SELinux on the system.
#
# SELINUX= can take one of two SELinux modes
#
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#
#          and
#
#     disabled - No SELinux policy is loaded. It is strongly recommended to use #                permissive mode instead of permanently disabling SELinux. #                SELinux tools like setenforce, semodule, semanage, setsebool,
#                restorecon can be used to solve SELinux troubles before
#                permanent disabling. Read selinux(8) Linux man page for 
#                more details.
SELINUX=enforcing
#
# SELINUXTYPE= can take one of these three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes 
#               are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
Comment 9 Richard W.M. Jones 2015-12-11 08:43:59 EST
I don't think it improves on my change (see attachment comment 2).
Comment 10 Lukas Vrabec 2015-12-11 08:47:36 EST
Mirek:
Maybe this is quite long, but we can try it.
Just one more thing. What about move the first sentence to end of section? 

#     disabled - It is strongly recommended to use 
#                permissive mode instead of permanently disabling SELinux. #                SELinux tools like setenforce, semodule, semanage, setsebool,
#                restorecon can be used to solve SELinux troubles before
#                permanent disabling. Read selinux(8) Linux man page for 
#                more details. No SELinux policy is loaded.

This will force administrator to read whole section.

Richard: 
I agree with Mirek Grepl, that we want to have this warning in "disabled" description.
Comment 11 Miroslav Grepl 2015-12-11 08:52:15 EST
(In reply to Richard W.M. Jones from comment #9)
> I don't think it improves on my change (see attachment comment 2).

I believe a combination would be fine. Not sure if we want to mention audit2allow as a good tool for solutions. setroubleshoot-gui is going to be only on workstation installations.
Comment 12 Miroslav Grepl 2015-12-11 09:07:01 EST
(In reply to Lukas Vrabec from comment #10)
> Mirek:
> Maybe this is quite long, but we can try it.
> Just one more thing. What about move the first sentence to end of section? 
> 
> #     disabled - It is strongly recommended to use 
> #                permissive mode instead of permanently disabling SELinux. #
> SELinux tools like setenforce, semodule, semanage, setsebool,
> #                restorecon can be used to solve SELinux troubles before
> #                permanent disabling. Read selinux(8) Linux man page for 
> #                more details. No SELinux policy is loaded.

Does not make sense for me.

> 
> This will force administrator to read whole section.
> 
> Richard: 
> I agree with Mirek Grepl, that we want to have this warning in "disabled"
> description.
Comment 13 Jan Kurik 2016-02-24 10:52:58 EST
This bug appears to have been reported against 'rawhide' during the Fedora 24 development cycle.
Changing version to '24'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora24#Rawhide_Rebase
Comment 14 Fedora End Of Life 2017-07-25 15:29:21 EDT
This message is a reminder that Fedora 24 is nearing its end of life.
Approximately 2 (two) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 24. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as EOL if it remains open with a Fedora  'version'
of '24'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 24 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged  change the 'version' to a later Fedora
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
Comment 15 Fedora End Of Life 2017-08-08 08:24:01 EDT
Fedora 24 changed to end-of-life (EOL) status on 2017-08-08. Fedora 24 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.