Red Hat Bugzilla – Bug 809505
[RFE] Notify remote user of SELinux enforcing mode on AVC
Last modified: 2014-02-02 17:38:41 EST
Description of problem:
If you're using SELinux and you're connected from a remote host, you don't get the AVC denials and you're not notified about the denials either. It would be nice to notify the user that SELinux is enabled and in enforcing mode when AVC denials occur.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Install a machine and leave SELinux enabled
2. Install e.g. Apache and alter its configuration to use something in a non-standard location to trigger AVC denials (don't fix)
3. Set IPTables to allow remote connectivity to the machine's port 80 (HTTP)
4. Try to connect to the machine's HTTP port from a remote machine to see the error page, and that you're not notified on the remote host and don't know what the problem is
You're not notified and you don't know that SELinux is enforcing and blocking it.
You should be notified about SELinux being enabled and in enforcing mode in case you get an AVC denial. If you get an AVC denial, an e-mail should be sent to the root user of the system (one per file/type/context of denial, but not duplicated for the same file/type/context).
It would be really nice to implement this because sometimes administrators don't know that SELinux is enabled and enforcing, and they try to find out what's wrong and waste time. The notification would be a really great thing, and if you don't have SETroubleShoot installed/enabled and you're not accessing a local machine, you don't get the AVC denials at all except by looking manually at the audit_log.
I can think of two ways to notify the remote user of the fact that AVCs appeared:
* via bash (bash periodically checks for new e-mail; what about periodically checking for new AVCs?)
* via setroubleshoot (e.g. the setroubleshoot server could send an e-mail when new AVCs appear, but at most 1 e-mail per minute)
Maybe selinux-policy is not the right component, but it's a good place to start a discussion about the remote user notification mechanism.
setroubleshoot can currently be set up to send email on AVC arrival. It can be set up out of the box to send email to root. It also logs to /var/log/messages; it has been suggested that logwatch start watching for these messages.
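As an added illustration (not code from this bug, setroubleshoot or logwatch), the following Python script reads AVC records in audit.log format, collapses repeats per file/type/context as the description asks, and renders the notification text an admin could be mailed. The log lines are constructed, and the `permissive=` field is assumed to be present (it is treated as unknown when a kernel omits it).

```python
import re

# Constructed sample of AVC records in /var/log/audit/audit.log format
# (made-up values; the SYSCALL record shows a non-AVC line being skipped).
SAMPLE_LOG = [
    'type=AVC msg=audit(1333000000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1333000000.123:45): arch=c000003e syscall=2 success=no exit=-13',
    'type=AVC msg=audit(1333000000.456:46): avc:  denied  { getattr } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1333000001.789:47): avc:  denied  { read } for  pid=1234 comm="httpd" name="site.conf" dev="dm-0" ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):\d+\): avc:\s+'
                    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    return {'result': m.group('result'), 'perms': set(m.group('perms').split()),
            'comm': f.get('comm'), 'name': f.get('name') or f.get('path'),
            'scontext': f.get('scontext'), 'tcontext': f.get('tcontext'), 'tclass': f.get('tclass'),
            # permissive=0 means the denial was enforced; None if the field is absent
            'enforcing': {'0': True, '1': False}.get(f.get('permissive'))}

def dedupe_denials(lines):
    """Group denied AVCs by (target name, class, target context) so each is reported once."""
    seen = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        key = (rec['name'], rec['tclass'], rec['tcontext'])
        entry = seen.setdefault(key, {'first': rec, 'count': 0, 'perms': set()})
        entry['count'] += 1          # repeat count instead of a duplicate message
        entry['perms'] |= rec['perms']
    return seen

def format_notification(denials):
    """Render the text an admin would receive, e.g. in a mail to root."""
    mode = {True: 'enforcing', False: 'permissive', None: 'mode unknown'}
    out = []
    for (name, tclass, tcontext), e in denials.items():
        r = e['first']
        out.append(f"SELinux {mode[r['enforcing']]}: denied {{ {' '.join(sorted(e['perms']))} }} "
                   f"to {r['comm']} ({r['scontext']}) on {tclass} {name} labeled {tcontext} "
                   f"[{e['count']} event(s)]")
    return '\n'.join(out)
```

Running `format_notification(dedupe_denials(SAMPLE_LOG))` yields two lines for the three denials, the index.html pair merged into one entry.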