Bug 809505 - [RFE] Notify remote user of SELinux enforcing mode on AVC
Summary: [RFE] Notify remote user of SELinux enforcing mode on AVC
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-04-03 14:39 UTC by Michal Novotny
Modified: 2014-02-02 22:38 UTC
CC: 5 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2012-12-15 19:12:53 UTC
Type: Bug
Embargoed:



Description Michal Novotny 2012-04-03 14:39:08 UTC
Description of problem:

If you're using SELinux and you're connected from a remote host, you don't get the AVC denials and you're not notified about the denials either. It would be nice to notify the user that SELinux is enabled and in enforcing mode when AVC denials occur.

Version-Release number of selected component (if applicable):
selinux-policy

How reproducible:
Easily

Steps to Reproduce:
1. Install a machine and leave SELinux enabled
2. Install e.g. Apache and alter its configuration to use something in a non-standard location to trigger AVC denials (don't fix them)
3. Set iptables to allow remote connectivity to the machine's port 80 (HTTP)
4. Try to connect to the machine's HTTP port from a remote machine: you see the error page, you're not notified on the remote host, and you don't know what the problem is

Actual results:
You're not notified and you don't know that SELinux is enforcing and blocking it.

Expected results:
You should be notified that SELinux is enabled and in enforcing mode when you get an AVC denial. If you get an AVC denial, an e-mail should be sent to the root user of the system (one per file/type/context of denial, but not duplicated for the same file/type/context).

Additional info:
It would be really nice to implement this because sometimes administrators don't know that SELinux is enabled and enforcing, and they try to find out what's wrong and sometimes waste time. The notification would be a really great thing, and if you don't have SETroubleShoot installed/enabled and you're not accessing the machine locally, you don't get the AVC denials at all except by looking manually in the audit log.

Comment 1 Milos Malik 2012-04-03 14:56:10 UTC
I can think of two ways to notify the remote user of the fact that AVCs appeared:
 * via bash (bash periodically checks for new emails. What about periodic checking for new AVCs?)
 * via setroubleshoot (e.g. the setroubleshoot server could send an email when new AVCs appear, but at most 1 email per minute)

Maybe selinux-policy is not the right component, but it's a good place to start a discussion about a remote user notification mechanism.
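The mechanism asked for in the report's "Expected results" and in Comment 1 above, as an added example that is not part of the bug report, of selinux-policy or of setroubleshoot: a small cron-driven POSIX shell script that collects AVC records, reduces them to one entry per (source context, target context, class, object), drops entries already reported in a state file, and mails root the new ones together with the current enforcing mode. The state-file path, the function names (avc_keys, new_avcs, avc_report, notify_avcs), the use of `mail`, and the sample AVC records are all assumptions made here, not anything the page states.

```shell
#!/bin/sh
# Added example, not code from the bug report, selinux-policy or setroubleshoot.
# Periodic AVC notifier in the spirit of Comment 1 and the "Expected results":
# collect AVC denials, reduce them to one entry per (source context, target
# context, class, object), drop entries already reported, and mail root the
# rest together with the current enforcing mode. Note that AVCs are logged in
# permissive mode too, so the mode is always stated in the report.
#
# Assumptions (not from the page): auditd/ausearch, getenforce and a `mail`
# command exist on the real host; STATE_FILE and the function names are ours.
STATE_FILE=${STATE_FILE:-/var/lib/avc-notify/reported}

# Constructed sample records in raw audit.log format, so the helpers can be
# exercised offline. PIDs, file names, inode numbers and ports are made up.
# Records 1 and 3 are the same denial (same contexts, class and object).
SAMPLE_AVCS='type=AVC msg=audit(1333464000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1333464001.456:457): avc:  denied  { name_connect } for  pid=1236 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1333464002.789:458): avc:  denied  { read } for  pid=1235 comm="httpd" name="index.html" dev=dm-0 ino=98765 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# avc_keys: stdin = raw AVC records; stdout = unique "scontext tcontext tclass
# object" lines. The object is name=, path= or dest= (port), whichever is present.
avc_keys() {
    awk '
    /avc: +denied/ {
        s = t = c = o = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") s = kv[2]
            else if (kv[1] == "tcontext") t = kv[2]
            else if (kv[1] == "tclass") c = kv[2]
            else if (kv[1] == "name" || kv[1] == "path" || kv[1] == "dest") o = kv[2]
        }
        gsub(/"/, "", o)
        key = s " " t " " c " " o
        if (!(key in seen)) { seen[key] = 1; print key }
    }'
}

# new_avcs STATE: stdin = keys; prints only keys not yet in STATE and records
# them there, so the same file/type/context is reported once, not per run.
new_avcs() {
    nv_state=$1
    mkdir -p "$(dirname "$nv_state")"
    touch "$nv_state"
    while IFS= read -r nv_key; do
        if ! grep -Fxq -- "$nv_key" "$nv_state"; then
            printf '%s\n' "$nv_key" >> "$nv_state"
            printf '%s\n' "$nv_key"
        fi
    done
}

# avc_report MODE: stdin = new keys; stdout = the mail body.
avc_report() {
    printf 'SELinux is enabled and in %s mode on %s.\n' "$1" "$(uname -n)"
    printf 'New AVC denials (source context, target context, class, object):\n'
    sed 's/^/  /'
    printf '\nDetails: ausearch -m avc -ts recent | audit2why\n'
}

# notify_avcs: real-host entry point. Run it from cron once a minute; the
# cron period is also the one-mail-per-minute cap Comment 1 proposes.
# `ausearch -ts recent` covers the last 10 minutes; the state file keeps
# overlapping windows from re-reporting the same denial.
notify_avcs() {
    mode=$(getenforce 2>/dev/null || echo Unknown)
    keys=$(ausearch -m avc -ts recent 2>/dev/null | avc_keys | new_avcs "$STATE_FILE")
    [ -n "$keys" ] || return 0
    printf '%s\n' "$keys" | avc_report "$mode" \
        | mail -s "SELinux AVC denials on $(uname -n) ($mode)" root
}

case "${1-}" in
    --run)  notify_avcs ;;
    --demo) printf '%s\n' "$SAMPLE_AVCS" | avc_keys \
                | avc_report "$(getenforce 2>/dev/null || echo Unknown)" ;;
esac
```

Run with `--demo` to see the report built from the constructed records (two entries, since the duplicate read of index.html collapses into one), or install it as a cron job with `--run` on a host with auditd. Keying on contexts, class and object rather than on PID or timestamp is what makes the "not duplicated for the same file/type/context" requirement hold across runs.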

Comment 2 Daniel Walsh 2012-04-05 20:53:11 UTC
setroubleshoot can currently be set up to send email on AVC arrival; it can be set up out of the box to send email to root. It also logs to /var/log/messages, and it has been suggested that logwatch start watching for these messages.

