Bug 475978 - Suggested setroubleshoot usability/workflow improvements
Suggested setroubleshoot usability/workflow improvements
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: setroubleshoot (Show other bugs)
12
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-12-11 07:13 EST by David Anderson
Modified: 2010-01-19 15:41 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-01-19 15:41:06 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
My /var/log/audit/audit.log (7.89 KB, application/x-bzip2)
2009-07-15 12:32 EDT, Denys Vlasenko
no flags Details

  None (edit)
Description David Anderson 2008-12-11 07:13:56 EST
setroubleshoot is unintelligble to the ordinary user, but it is activated by default. It does fulfil a role - the user tries something that is denied, and its nice to be told. But I think this can be done better.

I suggest that setroubleshoot ought to instead send e-mails to Bugzilla or some other system. Then the most common denials can be analysed. The user could be asked if they are happy to supply their e-mail address for further questions (what were you doing when this error came up?) or not.

Suggested workflow:

1. User does something. Triggers SELinux denial.

2. setroubleshoot pops up a message box:

"An action requested on this computer has been denied by the security policy, blah blah. This may be because of a genuine security threat to your system, or because of a misconfiguration in the policy. Would you like details of the denial to be sent back to Fedora so that potential misconfigurations in future policies can be fixed?" Yes/No.

3. If "Yes", then the user gets to supply their e-mail if they want. Whatever way, they can also choose a "do this every time without asking me" option.

4. Developers look at bugs, and e-mail the users if necessary to ask them stuff.

5. Even nicer, if the bug gets closed with a policy fix, setroubleshoot could learn about it somehow (polling?) and trigger PackageKit to update policy!

Apologies for not knowing enough about the tech to be able to send you any code!
Comment 1 David Anderson 2008-12-11 07:18:58 EST
Forgot to say the obvious - of course there should be an "advanced" button so that power-users can still actually analyse the denial themselves.
Comment 2 Daniel Walsh 2008-12-11 08:12:54 EST
We are working on a redesign of the GUI.  Which includes:

* simplification of the messages
* "Report Bug" button, 
* Perhaps a "Fix" button.
* Higher Alert status, on suspected intruder, IE Certain denials should never happen in the normal running of a system, and truly doe suggest an intruder, for example a confined application attempting to turn off selinux.
* A review of all report plugins by a doc writer to make sure they are humanly readable.

Other changes planned, are to reduce the memory foot print of setroubleshoot and make it more of a on demand, Only run the service when a alert comes in or the browser is running.
Comment 3 Bug Zapper 2009-06-09 06:14:07 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 11 development cycle.
Changing version to '11'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Denys Vlasenko 2009-07-15 07:52:54 EDT
I second that.

I just installed F11. Current setroubleshoot behavior is not useful. It shows tons of information. I read it all, and I still can't figure out what is the problem. I can't even understand what file or directory it complains about.

And I am not an ordinary user. I wonder what ordinary users think when they see it.

I will likely just disable selinux, just as I did when I installed F9. It seems to only cause frustration.
Comment 5 Daniel Walsh 2009-07-15 12:05:04 EDT
Denys Please send me your /var/log/audit/audit.log and I can help you out.

dwalsh@redhat.com, most likely a labeling problem.
Comment 6 Daniel Walsh 2009-07-15 12:06:31 EDT
Current rawhide version of setroubleshoot has most of the fixes that you have suggested,  one thing we are looking into now is hooking up setroubleshoot to package kit to check for the availability of newer selinux-policy package, so it could at least suggest an upgrade.
Comment 7 Denys Vlasenko 2009-07-15 12:32:07 EDT
Created attachment 353848 [details]
My /var/log/audit/audit.log
Comment 8 Daniel Walsh 2009-07-15 13:50:09 EDT
Well I would guess Denys you have a badly labeled system


# fixfiles restore

should fix the labeling.

You have /dev/log mislabeled for some reason.  

You also have busybox in non default directory under /?
Comment 9 Denys Vlasenko 2009-07-16 04:28:45 EDT
(In reply to comment #8)
> Well I would guess Denys you have a badly labeled system
> 
> # fixfiles restore
> 
> should fix the labeling.
> 
> You have /dev/log mislabeled for some reason.

and I wasn't able to decipher it from setroubleshoot's information. This is what this bugzilla entry is about.
Comment 10 Daniel Walsh 2009-07-20 21:03:21 EDT
But setroubleshoot can only attempt to figure out what is wrong with each avc.  I am pretty sure it told you to run restorecon on many of your AVC's.  When a machine is totally mislabeled, setroubleshoot does not stand much of a chance of figuring out what is wrong.  Did you try to relabel the machine?  Did this fix your problem?
Comment 11 Denys Vlasenko 2009-07-21 07:59:35 EDT
(In reply to comment #10)
> But setroubleshoot can only attempt to figure out what is wrong with each avc. 
> I am pretty sure it told you to run restorecon on many of your AVC's.

No, it did not. That's why I am commenting in this particular bug, which is titled "setroubleshoot usability improvements". Because when I looked at its warnings as a user, I was confused.

I was looking at one avc report, and it did not tell me which file is mislabeled. I understand that the program cannot say "gee, I see you have many files mislabeled, please do XYZ". But it did not even say "file /foo/bar is mislabeled".

> When a
> machine is totally mislabeled, setroubleshoot does not stand much of a chance
> of figuring out what is wrong.

Can it at least say what file is mislabeled _for this particular_ avc?

> Did you try to relabel the machine?  Did this fix your problem?

I just disabled SELinux.
Comment 12 Daniel Walsh 2009-07-21 08:36:37 EDT
The trouble we have had in the past with the kernel is the kernel does not give the troubleshooter the full path, so it gives us something like name=passwd along with the inode, so we can not always figure out the kernel meant /etc/passwd.  In Rawhide now, we actually have setroubleshoot taking passwd and running locate on it, to find all files on the system named locate, then checking the inode number on each one to compare to the inode in the AVC.  If we can reassemble the path, we will get a much better hit rate on whether or not the file is mislabeled. 

The kernel will also only hand us a "/" for a path on mount points.  Which confuses setroubleshoot.  For example if you put your home directories in a directory /h and mounted a mount point there.  SELinux would default that label to default_t, since it defaults all unknown root directories as default_t.  Now if a confined application like httpd tried to read content in a users homedir, it would generate an avc that says something like

httpd_t can not read the "/" directory labled default_t.

We are trying to make setroubleshoot figure out what the kernel meant by this by looking at the device and /proc/mounts to figure out the kernel meant "/h"  Which would allow us to give the user a much better description of the problem.

THese are two enhancments that are coming in F12, and I might put out as a testing update in F11.
Comment 14 Bug Zapper 2009-11-16 04:43:36 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 15 Daniel Walsh 2010-01-19 15:41:06 EST
Fixed in setroubleshoot-2.2.52-1.fc12

Note You need to log in before you can comment on or make changes to this bug.