From Fedora Project Wiki

SELinux Troubleshooter Redesign

Summary

Redesign setroubleshoot to bring back all possible solutions, and simplify descriptions.

Owner

Current status

  • Targeted release: Fedora 15
  • Last updated: Apr 5 2011
  • Percentage of completion: 100%

Detailed Description

We are redesigning setroubleshoot to attempt to make it easier to diagnose SELinux problems. In the current setroubleshooter the "best" match is returned for a solution to the customer. In the new redesign, all matches will be returned. For example if samba tried to read content that it is not allowed, we would like to tell the admin that he could label the content samba_share_t or he could set up SELinux to allow samba to share all content Read Only, or Read Write, or samba should not be trying to read this content, it could be a bug or an attack.

We also want to simplify the interface with easier to explain definitions, like

if you want samba to share the entire system read/only, then you need to tell SELinux system about this, by setting the samba_export_all_ro boolean. Execute the following command as root. setsebool -P samba_export_all_ro=1

Benefit to Fedora

Make SELinux easier to administrate.

Scope

Limited impact.

How To Test

Generate different SELinux scenarios to see what the application returns.

  • setup vsftpd to share the users homedir.
    • ftp into the users homedir.
    • Setroubleshoot should fire, check the diagnostics, do they make sense.
    • Is sharing the users homedir the highest priority.
  • setup samba to share content in /myshares
    • Try to access the share remotely
    • Setroubleshoot should fire, check the diagnostics, do they make sense.
    • Is setting the label to samba_share_t the highest priority.
  • setup samba to share /var/log
    • Try to access the share remotely
    • Setroubleshoot should fire, check the diagnostics, do they make sense.
    • Is setting the label to samba_share_t the highest priority.
  • setup httpd
    • to share users homedirs
    • to share content in /var/lib/html
    • chcon -t ssh_home_t /var/www/index.html, try to access this file from apache.
  • setup /root/.ssh directory, for password free login, chcon -t admin_home_t -R /root/.ssh; ssh into the box, what does setroubleshoot suggest as the solution.
  • the setroubleshoot package has a series of avcs in the setroubleshoot/framework/test/audit/data directory, if you cat them to setdispatch, the setroubleshoot tool should fire. What are the suggested fixes? Do they make sense.

User Experience

The gui will change quite a bit. Hopefully becoming a lot less technical.

Dependencies

None

Contingency Plan

We can stick with the current setroubleshoot. No other packages will be affected.

Documentation

Original Design

Released Product

Release Notes

  • Old AVC's alerts will be deleted, since the format of the alert database has changed.

Comments and Discussion