action #174178

Updated by tjyrinki_suse about 1 month ago

## Motivation

Test the sealert tool on an SELinux-enabled Tumbleweed.

## Acceptance Criteria

1. Run the commands below, which add and trigger an alert. Alerts can be listed with either `-l "*"` (all alerts) or `-l specific_UUID` (one alert).

    localhost:~ # sealert -l "*" || echo "FAILED"
    localhost:~ # touch /tmp/pokusny_kralik && chcon -t httpd_sys_content_t /tmp/pokusny_kralik
    localhost:~ # journalctl -u setroubleshootd.service | grep pokusny_kralik
    localhost:~ # runcon -u guest_u -r guest_r -t user_tmp_t -- cat /tmp/pokusny_kralik;sleep 10
    localhost:~ # sealert_command=$(journalctl -u setroubleshootd.service | grep -m 1 pokusny_kralik|grep -o "sealert.*")
    localhost:~ # sealert -l 350d88fb-70f9-4e7a-a1b2-0a06615abfd2
    localhost:~ # $sealert_command

One should get output like the following:

    SELinux is preventing pokusny_kralik from 'read, write' accesses on the chr_file /dev/pts/0.

    *****    Plugin catchall (100. confidence) suggests     **************************

    If you believe that pokusny_kralik should be allowed read write access on the 0 chr_file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.

    Allow the access for now by executing:
    # ausearch -c 'pokusny_kralik' --raw | audit2allow -M my-pokusnykralik
    # semodule -X 300 -i my-pokusnykralik.pp

And the output should continue with:

     Additional Information: 
     Source Context                  guest_u:guest_r:user_tmp_t:s0 
     Target Context                  unconfined_u:object_r:devpts_t:s0 
     Target Objects                  /dev/pts/0 [ chr_file ] 
     Source                          pokusny_kralik 
     Source Path                     pokusny_kralik 
     Port                            <Unknown> 
     ... 
     ... 
     ... 

After that, one can run:

    localhost:~ # analyze log -a
    localhost:~ # ausearch (ausearch -m AVC > test_output test_output)

     localhost:~ # jsealert -a 

And fix the AVC using a plugin (e.g. a boolean fix is predictable):

    localhost:~ # getsebool -a | less (choose some boolean)
    localhost:~ # sealert -f UUID
    localhost:~ # getsebool -a | grep $chosen
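The acceptance-criteria steps above, wrapped in a small POSIX shell script as an added example (not part of this ticket or of setroubleshoot): the journal-to-sealert extraction and the check of the alert text are separate functions that run offline on constructed excerpts, and the live steps are kept in `run_sealert_check` for the SELinux host. The test file name and the alert UUID are the ones shown in the ticket; the journal timestamp and PID are made up.

```shell
# Added helper script (not from the ticket or setroubleshoot). The test file name and
# the alert UUID come from the ticket; journal timestamp and PID are made-up samples.
TEST_FILE=/tmp/pokusny_kralik
# Constructed line in the shape of `journalctl -u setroubleshootd.service` output.
SAMPLE_JOURNAL=$(cat <<'EOF'
Jan 10 12:00:01 localhost setroubleshoot[1234]: SELinux is preventing pokusny_kralik from 'read, write' accesses on the chr_file /dev/pts/0. For complete SELinux messages run: sealert -l 350d88fb-70f9-4e7a-a1b2-0a06615abfd2
EOF
)
# Constructed excerpt in the shape of the `sealert -l UUID` output quoted above.
SAMPLE_ALERT=$(cat <<'EOF'
SELinux is preventing pokusny_kralik from 'read, write' accesses on the chr_file /dev/pts/0.
*****  Plugin catchall (100. confidence) suggests   **************************
Source Context                  guest_u:guest_r:user_tmp_t:s0
Target Objects                  /dev/pts/0 [ chr_file ]
EOF
)
# Same extraction the ticket does by hand: first journal line (stdin) naming the
# test file, reduced to its "sealert -l UUID" command.
extract_sealert_cmd() {
    grep -m 1 "$1" | grep -o 'sealert -l [0-9a-f-]*'
}
# Take the UUID out of that command; reject anything that is not a UUID so a
# garbled journal line is never passed straight to sealert.
alert_uuid() {
    uuid=${1#"sealert -l "}
    printf '%s\n' "$uuid" | grep -Eq '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$' || return 1
    printf '%s\n' "$uuid"
}
# Check that alert text (stdin) describes the denial the ticket expects: the
# guest_u source context, a chr_file target and the catchall plugin suggestion.
check_alert_output() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q 'Source Context *guest_u:guest_r:user_tmp_t' || return 1
    printf '%s\n' "$out" | grep -q 'Target Objects .*chr_file' || return 1
    printf '%s\n' "$out" | grep -q 'Plugin catchall'
}
# The live procedure from the acceptance criteria; run as root on the SELinux host.
run_sealert_check() {
    sealert -l '*' >/dev/null || { echo "FAILED"; return 1; }
    touch "$TEST_FILE" && chcon -t httpd_sys_content_t "$TEST_FILE"
    runcon -u guest_u -r guest_r -t user_tmp_t -- cat "$TEST_FILE" || true  # denial is expected
    sleep 10  # give setroubleshootd time to log the alert
    cmd=$(journalctl -u setroubleshootd.service | extract_sealert_cmd pokusny_kralik) || return 1
    uuid=$(alert_uuid "$cmd") || return 1
    sealert -l "$uuid" | check_alert_output && echo "alert $uuid matches the expected denial"
}
```

On the test host, source the file as root and call `run_sealert_check`; a non-zero return means either no alert was logged for the test file or the alert did not describe the guest_u denial.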

## Further Information

 See ticket #174175 for the related basic setroubleshootd testing.
