Bug 809505 - [RFE] Notify remote user of SELinux enforcing mode on AVC
[RFE] Notify remote user of SELinux enforcing mode on AVC
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
Unspecified Linux
unspecified Severity high
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-04-03 10:39 EDT by Michal Novotny
Modified: 2014-02-02 17:38 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-12-15 14:12:53 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michal Novotny 2012-04-03 10:39:08 EDT
Description of problem:

If you're using SELinux and you're connected from the remote host you don't get the AVC denials and you're not notified about the denials either. This would be nice to notify the user of having SELinux enabled and in enforcing mode if AVC denials occur.

Version-Release number of selected component (if applicable):
selinux-policy

How reproducible:
Easily

Steps to Reproduce:
1. Install a machine and leave SELinux enabled
2. Install e.g. Apache and alter configuration to use something in non-standard location to trigger AVC denials (don't fix)
3. Set IPTables to allow remote connectivity to the machine's port 80 (HTTP)
4. Try to connect to the machine's HTTP port from remote machine to see the error page and that you're not notified on the remote host and that you don't know what the problem is
  
Actual results:
You're not notified and you don't know there's SELinux enforcing and blocking it.

Expected results:
You should be notified about SELinux being enabled and in enforcing mode in case you get the AVC denial. If you get a AVC denial, an e-mail should be send to root user of the system (per each file/type/context of denial, but not duplicated for the same file/type/context).

Additional info:
It would be really nice to implement this because sometimes administrator don't know about SELinux is enabled and enforcing and he/she tries to find out what's wrong and is wasting time sometimes. The notification would be a really great thing and if you don't have SETroubleShoot installed/enabled and you're not accessing a local machine you don't get the AVC denials at all except for looking manually to the audit_log.
Comment 1 Milos Malik 2012-04-03 10:56:10 EDT
I can think of two ways how to notify the remote user of the fact that AVCs appeared:
 * via bash (bash is periodically checking for new emails. What about periodic checking of new AVCs ?)
 * via setroubleshoot (f.e. setroubleshoot server could send an email when new AVCs appear, but max. 1 email per minute)

Maybe selinux-policy is not the right component, but it's a good place to start a discussion about the remote user notification mechanism.
Comment 2 Daniel Walsh 2012-04-05 16:53:11 EDT
setroubleshoot can be currently setup to send email on avc arrival, It can be setup out of the box to send email to root.  Also it logs to /var/log/messages, it has been suggested that logwatch start watching for these messages.

Note You need to log in before you can comment on or make changes to this bug.