Bug 477780 - RFE: AVC denial notifications configuration.
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: setroubleshoot
Version: 10
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-12-23 17:32 UTC by Gilboa Davara
Modified: 2008-12-23 18:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-12-23 17:43:50 UTC
Type: ---
Embargoed:



Description Gilboa Davara 2008-12-23 17:32:37 UTC
Description of problem:
As the title suggests - I have a certain script that, unless it's being executed from the right context, generates a huge amount of AVC denials. (I'm in the process of fixing this.)
Problem is, when the first denial hits, the user gets a notification and opens the setroubleshoot browser - which doesn't stop the flood of libnotify pop-ups...

I'd propose the following user-defined configuration:

1. Disable SELinux notification.
2. Disable SELinux notification when setroubleshoot browser is active and in focus.
3. Full SELinux notification. (Even when the setroubleshoot browser is active.)

- Gilboa

Comment 1 John Dennis 2008-12-23 17:43:50 UTC
This functionality is already present.

If this is the same AVC which keeps triggering it, then all you need to do is check the "Quiet" checkbox in the browser; as long as that is checked you won't get any notifications for that alert.

You can also edit /etc/setroubleshoot/setroubleshoot.cfg and modify the use_notification parameter. Its values are documented in the config file. You'll have to restart sealert for it to take effect. Here is the doc for use_notification:

Control balloon notification. Possible values: always, never, browser_hidden. "always" will always display the notification. "never" disables notification completely. "browser_hidden" displays the notification but only if the alert browser is not visible. Note: individual alerts can be flagged as silent, disabling notification for a specific alert; this parameter does not override that.

Comment 2 Gilboa Davara 2008-12-23 18:43:20 UTC
OK. Thanks.
Nevertheless, would it be possible to add some information about this cfg to the sealert man page? (A normal 'man -k setroubleshoot' and/or Google search about configuring SELinux notification returns more-or-less nothing; same goes for 'man sealert'; in essence, you must be aware of setroubleshoot.cfg beforehand.)

Beyond that, I've set setroubleshoot.cfg's use_notification to browser_hidden and restarted the setroubleshoot service.
Ran the script, first notification, started the browser... and the notifications kept coming. Should I open a separate bug report?

- Gilboa

