action #174178
Updated by tjyrinki_suse about 1 month ago
## Motivation

Test the sealert tool on SELinux-enabled Tumbleweed.

## Acceptance Criteria

1. Run certain commands testing adding and triggering an alert, an example below. Listing of alerts can be done with either `-l "*"` or `-l specific_UUID`.

```
localhost:~ # sealert -l "*" || echo "FAILED"
localhost:~ # touch /tmp/pokusny_kralik && chcon -t httpd_sys_content_t /tmp/pokusny_kralik
localhost:~ # journalctl -u setroubleshootd.service | grep pokusny_kralik
localhost:~ # runcon -u guest_u -r guest_r -t user_tmp_t -- cat /tmp/pokusny_kralik;sleep 10
localhost:~ # sealert_command=$(journalctl -u setroubleshootd.service | grep -m 1 pokusny_kralik|grep -o "sealert.*")
localhost:~ # sealert -l 350d88fb-70f9-4e7a-a1b2-0a06615abfd2
localhost:~ # $sealert_command
```

One should get output something like the following:

```
SELinux is preventing pokusny_kralik from 'read, write' accesses on the chr_file /dev/pts/0.

***** Plugin catchall (100. confidence) suggests **************************

If you believe that pokusny_kralik should be allowed read write access on the 0 chr_file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Allow the access for now by executing:
# ausearch -c 'pokusny_kralik' --raw | audit2allow -M my-pokusnykralik
# semodule -X 300 -i my-pokusnykralik.pp
```

And there should be output:

```
Additional Information:
Source Context                guest_u:guest_r:user_tmp_t:s0
Target Context                unconfined_u:object_r:devpts_t:s0
Target Objects                /dev/pts/0 [ chr_file ]
Source                        pokusny_kralik
Source Path                   pokusny_kralik
Port                          <Unknown>
...
```

After that, one can run:

```
localhost:~ # analyze log -a
localhost:~ # ausearch (ausearch -m AVC > test_output test_output)
localhost:~ # jsealert -a
```

And fix the AVC using a plugin (e.g. boolean is predictable):

```
localhost:~ # getsebool -a | less (choose some boolean)
localhost:~ # sealert -f UUID
localhost:~ # getsebool -a | grep $choosen
```

## Further Information

See ticket #174175 for the related basic setroubleshootd testing.
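As an added helper for the acceptance-criteria step that stores the journal's `sealert -l <UUID>` command in `sealert_command` (this script is not part of the ticket or of setroubleshoot; the journal lines and the second UUID are constructed, and the message wording `For complete SELinux messages run: sealert -l ...` is assumed to match what setroubleshootd logs):

```shell
#!/bin/bash
# Added helper: pick the "sealert -l <UUID>" command out of the setroubleshootd
# journal. It anchors on the UUID pattern instead of `grep -o "sealert.*"`, so a
# journal line that mentions the test file but carries no alert id is skipped,
# and a missing alert is reported as a failure instead of an empty variable.

# Constructed sample of `journalctl -u setroubleshootd.service` output.
# The first UUID is the one quoted in the ticket; the second is made up.
SAMPLE_JOURNAL='Jan 10 12:00:01 localhost setroubleshoot[1234]: SELinux is preventing /usr/bin/cat from read access on the file /tmp/pokusny_kralik.
Jan 10 12:00:01 localhost setroubleshoot[1234]: SELinux is preventing /usr/bin/cat from read access on the file /tmp/pokusny_kralik. For complete SELinux messages run: sealert -l 350d88fb-70f9-4e7a-a1b2-0a06615abfd2
Jan 10 12:00:05 localhost setroubleshoot[1234]: SELinux is preventing pokusny_kralik from read write access on the chr_file /dev/pts/0. For complete SELinux messages run: sealert -l 11111111-2222-4333-8444-555555555555'

UUID_RE='[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'

# alert_uuid_for PATTERN [JOURNAL_TEXT]
# Prints the UUID of the first alert whose journal line contains PATTERN
# (fixed string). Exit status 1 when no matching line carries a sealert UUID.
alert_uuid_for() {
    local pattern="$1" journal="${2:-$SAMPLE_JOURNAL}"
    printf '%s\n' "$journal" \
        | grep -F -- "$pattern" \
        | grep -oE "sealert -l $UUID_RE" \
        | head -n 1 \
        | sed 's/^sealert -l //' \
        | grep -E "^$UUID_RE\$"
}

# sealert_command_for PATTERN [JOURNAL_TEXT]
# Prints the full lookup command, the way $sealert_command is used in the
# test, or "FAILED" on stderr with exit status 1 when no alert was logged.
sealert_command_for() {
    local uuid
    uuid=$(alert_uuid_for "$@") || { echo "FAILED: no alert for $1" >&2; return 1; }
    printf 'sealert -l %s\n' "$uuid"
}

# Stand-alone run against the constructed sample.
sealert_command_for pokusny_kralik
sealert_command_for /dev/pts/0
```

On a real system replace the second argument with `"$(journalctl -u setroubleshootd.service)"`, and run the printed command with `$sealert_command` as in the ticket.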