Bug 477780 - RFE: AVC denial notifications configuration.
Product: Fedora
Classification: Fedora
Component: setroubleshoot
Hardware: All, OS: Linux
Priority: low, Severity: medium
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-12-23 12:32 EST by Gilboa Davara
Modified: 2008-12-23 13:43 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-12-23 12:43:50 EST
Description Gilboa Davara 2008-12-23 12:32:37 EST
Description of problem:
As the title suggests - I have a certain script that, unless it's being executed from the right context, generates a huge amount of AVC denials. (I'm in the process of fixing this.)
Problem is, when the first denial hits, the user gets a notification and opens the setroubleshoot browser - which doesn't stop the flood of libnotify pop-ups...

I'd propose the following user-defined configuration:

1. Disable SELinux notification.
2. Disable SELinux notification when setroubleshoot browser is active and in focus.
3. Full SELinux notification. (Even when the setroubleshoot browser is active.)

- Gilboa
Comment 1 John Dennis 2008-12-23 12:43:50 EST
This functionality is already present.

If this is the same AVC which keeps triggering it then all you need to do is check the "Quiet" checkbox in the browser, as long as that is checked you won't get any notifications for that alert.

You can also edit /etc/setroubleshoot/setroubleshoot.cfg and modify the use_notification parameter. Its values are documented in the config file. You'll have to restart sealert for it to take effect. Here is the doc for use_notification:

Control balloon notification. Possible values: always, never, browser_hidden. "always" will always display the notification. "never" disables notification completely. "browser_hidden" displays the notification but only if the alert browser is not visible. Note: individual alerts can be flagged as silent disabling notification for a specific alert, this parameter does not override that.
Comment 2 Gilboa Davara 2008-12-23 13:43:20 EST
OK. Thanks.
Nevertheless, would it be possible to add some information about this cfg to the sealert man page? (A normal 'man -k setroubleshoot' and/or Google search about configuring SELinux notification returns more-or-less nothing; same goes for 'man sealert'; in essence, you must be aware of setroubleshoot.cfg beforehand.)

Beyond that, I've set setroubleshoot.cfg's use_notification to browser_hidden and restarted the setroubleshoot service.
Ran the script, first notification, started the browser... and the notifications kept coming. Should I open a separate bug report?

- Gilboa
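
Comment 1's "Quiet" advice applies when the flood is the same AVC repeating. The following is an added example, not part of the bug report and not setroubleshoot's own code: it groups denials from audit.log text by source context, target context, class and permissions to show whether a flood is one recurring denial or several. The grouping key, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Constructed audit.log excerpt (not taken from the bug report): one script
# repeating the same denial, one unrelated denial, and a non-AVC record.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1230053557.101:201): avc:  denied  { read } for  pid=4101 comm="myscript.sh" name="data.db" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1230053557.101:201): arch=c000003e syscall=2 success=no exit=-13 pid=4101 comm="myscript.sh"
type=AVC msg=audit(1230053557.350:202): avc:  denied  { read } for  pid=4102 comm="myscript.sh" name="data.db" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1230053557.612:203): avc:  denied  { read } for  pid=4103 comm="myscript.sh" name="data.db" dev=dm-0 ino=1311 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=AVC msg=audit(1230053558.004:204): avc:  denied  { getattr } for  pid=4150 comm="logrotate" path="/var/log/app.log" dev=dm-0 ino=2207 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value, value may be quoted
PERMS_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')   # permissions inside { ... }

def parse_avc(line):
    """Return (signature, comm) for an AVC denial line, or None for anything else."""
    perms = PERMS_RE.search(line)
    if not line.startswith("type=AVC") or perms is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    try:
        # Assumed grouping key: pid, inode and timestamp are deliberately ignored.
        signature = (fields["scontext"], fields["tcontext"], fields["tclass"],
                     tuple(sorted(perms.group(1).split())))
    except KeyError:  # truncated or malformed record
        return None
    return signature, fields.get("comm", "?")

def group_denials(log_text):
    """Count denials per signature; many hits on one signature is one recurring denial."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            counts[parsed[0]] += 1
    return counts

def recurring(counts, threshold=3):
    """Signatures seen at least `threshold` times, most frequent first."""
    return [(sig, n) for sig, n in counts.most_common() if n >= threshold]

if __name__ == "__main__":
    for (scon, tcon, tclass, perms), n in group_denials(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:4d}x {scon} -> {tcon} {tclass} {{ {' '.join(perms)} }}")
```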
