danwalsh (danwalsh) wrote,

What's new in Fedora 11 from SELinux

The next few blogs, I am going to talk about the new SELinux features in Fedora 11.

What Happened to setroubleshoot?

Setroubleshoot is alive and well.  I have seen blogs claiming that we disabled it in an effort to speed up booting.  This is bogus.

If you read my blog regularly you might have read

http://danwalsh.livejournal.com/26053.html

We have had complaints about the supposedly huge amount of memory used by setroubleshoot and sealert because they are python apps.  James Antill debunks a lot of this in his blog http://illiterat.livejournal.com/4615.html.

As of Fedora 11, setroubleshoot no longer runs as a service.

But it was still thought that we could do better.  There is also an effort to get rid of as many init daemons as possible to improve the speed of boot.

So the question is: why run setroubleshoot when there are NO AVCs to analyze?  The answer is that we should not.

So I went in and wrote two little C programs, sedispatch and seapplet.

sedispatch runs from the audit subsystem, as a plugin of the audit event dispatcher (so it only sees AVCs while auditd is running).  When it sees an AVC, it packages it up into a D-Bus system message.  D-Bus delivers the message to setroubleshoot if it is running, and starts setroubleshoot if it is not (this is ordinary D-Bus service activation).
setroubleshoot processes the message and sends a D-Bus signal to any user-space app listening for setroubleshoot messages.  If setroubleshoot receives no AVC messages and is not connected to a user client app (sealert), it exits.

seapplet is a simple applet that runs in the user's panel, waiting for setroubleshoot to send a D-Bus message; when one arrives it puts up the yellow star and a notification bubble.  If the user clicks on the star, seapplet launches sealert, which talks to setroubleshoot to display the AVC analysis.

If the user starts sealert from the menu, it sends a D-Bus message to setroubleshoot to begin communicating, and D-Bus starts the server in this case as well.  When the user exits the sealert browser, sealert and setroubleshoot both stop running (setroubleshoot exits again after 10 seconds without an AVC).
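The first job in that pipeline is deciding which audit records are AVCs worth waking setroubleshoot for at all. The following is an added example, not sedispatch or setroubleshoot code: it recognises AVC and USER_AVC records in audit output, pulls out the source/target contexts, object class and permissions, keeps only denials, and collapses repeats into a summary. The sample audit lines are constructed to mimic the record layout and are not captured from a real host.

```python
"""Recognise SELinux AVC records in audit output and reduce them to the
fields a troubleshooter needs.  Added example, not sedispatch or
setroubleshoot code.  The sample lines below are constructed."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample audit records (not captured from a real machine).
SAMPLE_AUDIT_LINES = [
    'type=SYSCALL msg=audit(1244049375.123:456): arch=c000003e syscall=2 '
    'success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" '
    'subj=unconfined_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1244049375.123:456): avc:  denied  { read } for  '
    'pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1244049380.500:457): avc:  denied  { name_bind } for  '
    'pid=2222 comm="httpd" src=8081 '
    'scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    # A userspace object manager (dbus) reports its decisions as USER_AVC.
    "type=USER_AVC msg=audit(1244049390.001:458): pid=900 uid=81 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.DBus member=Hello spid=1500 tpid=900 "
    "scontext=unconfined_u:system_r:httpd_t:s0 "
    "tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus "
    ": exe=\"/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'",
    # An auditallow rule produces "granted" records; nothing to troubleshoot.
    'type=AVC msg=audit(1244049400.000:460): avc:  granted  { setenforce } '
    'for  pid=3100 comm="setenforce" '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:security_t:s0 tclass=security',
]

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[Dict]:
    """Return a structured record for an AVC/USER_AVC line, else None."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec_type = m.group("type")
    if rec_type not in ("AVC", "USER_AVC"):
        return None
    body = m.group("body")
    if rec_type == "USER_AVC":
        # Userspace object managers wrap the avc text in msg='...'.
        inner = re.search(r"msg='(.*)'\s*$", body)
        if not inner:
            return None
        body = inner.group(1)
    a = AVC_RE.search(body)
    if not a:
        return None  # e.g. "avc: received policyload notice": not a decision
    fields = {k: v.strip('"') for k, v in KV_RE.findall(a.group("rest"))}
    return {
        "type": rec_type,
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": a.group("verdict"),
        "perms": frozenset(a.group("perms").split()),
        "scontext": fields.get("scontext", ""),
        "tcontext": fields.get("tcontext", ""),
        "tclass": fields.get("tclass", ""),
        "comm": fields.get("comm", ""),
    }


def context_type(ctx: str) -> str:
    """Type component of user:role:type[:level].  Split with maxsplit=3
    because an MLS level such as s0-s0:c0.c1023 itself contains colons."""
    parts = ctx.split(":", 3)
    return parts[2] if len(parts) >= 3 else ""


def denials(lines) -> List[Dict]:
    """The only records worth waking an analyzer for: denied decisions."""
    recs = (parse_avc(line) for line in lines)
    return [r for r in recs if r and r["verdict"] == "denied"]


def summarize(records) -> Counter:
    """Collapse repeated denials into (source type, target type, class, perms)."""
    return Counter(
        (context_type(r["scontext"]), context_type(r["tcontext"]),
         r["tclass"], tuple(sorted(r["perms"])))
        for r in records
    )


if __name__ == "__main__":
    for key, count in summarize(denials(SAMPLE_AUDIT_LINES)).items():
        stype, ttype, tclass, perms = key
        print(f"{count}x {stype} -> {ttype} ({tclass}) denied {' '.join(perms)}")
```

Run against real data with `ausearch -m AVC,USER_AVC -i` output piped in, and the `SYSCALL` record that shares a serial with an AVC is where you get the full path and executable; this example ignores it, as the dispatcher only needs to know whether there is anything to analyze.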

Stay tuned: in Fedora 12 we will be releasing a major redesign of the sealert GUI, adding key features such as filing Bugzilla reports with a single button press, a Fix It button for certain troubleshoot plugins, a cleaned-up browser view (hiding a lot of the data that makes setroubleshoot hard to read), and diagnosing definite cracker break-ins from the browser.

A lot of this is available in Rawhide now.

https://fedoraproject.org/wiki/Design/SETroubleshootUsabilityImprovements