Open fishilico opened 6 years ago
Hi!
I've written a PKGBUILD for setroubleshoot (server, client and applet) and installed it. But when I ran setroubleshootd
it it says "No SELinux Policy installed" (I've installed all the SELinux utilities with the script on here, installed linux-hardened and boot with security=selinux selinux=1
and SELINUX=permissive and SELINUXTYPE=refpolicy-arch
on /etc/selinux/config
and did restorecon -R /
).
Next comment is the PKGBUILD I wrote, I hope it helps.
Please, note there are some moves from /usr/local
to /usr
as /usr/local/
is discouraged by Archlinux Package Etiquette and some utilities like namcap
emit warnings for binaries and man pages located there.
pkgname=setroubleshoot
pkgver=3.3.19
pkgrel=1
pkgdesc="Helps troubleshoot SELinux problems"
arch=("x86_64")
url="https://pagure.io/setroubleshoot"
license=("GPL2")
# Fedora spec on https://src.fedoraproject.org/cgit/rpms/setroubleshoot.git/tree/setroubleshoot.spec
depends=("gtk3" "libnotify" "libreport" "desktop-file-utils" "dbus" "xdg-utils" "audit" "policycoreutils" "python-gobject" "python-slip" "python-systemd" "python-pydbus" "polkit")
makedepends=("libcap-ng" "intltool" "python" "dbus-glib" "gtk2" "libselinux")
source=(
"${pkgname}-${pkgver}.tar.gz::https://releases.pagure.org/${pkgname}/${pkgname}-${pkgver}.tar.gz"
"setroubleshoot.tmpfiles"
"setroubleshoot-sysusers.conf"
)
sha512sums=('e012f9c0011fd682394232c9297e01710a389cc4bbae11193f75780c96a99451d7d8a77080a7d4686525ca8b8bbc6332991b7b06a282345d2baba64bab9beb24'
'd1cc35a5041817c6ab475456156af9544b8974da1c829d8caef915a6393b90489a3963e1284a98e3387f1d64fbd9d2717abd5b6fa5fa80c55316bcadbc995eba'
'938ad73dc7397ebb2b44519bd47ca0f56fb052e4a00b748b425775f92c38c86e34732602eface0cbb4c4eb8d4b92a9f16a2236b8fd6f4256b41f1802670886a6')
build(){
cd "${pkgname}-${pkgver}"
./configure PYTHON=/usr/bin/python --with-auditpluginsdir=/etc/audisp/plugins.d
make
}
package(){
cd "${srcdir}/${pkgname}-${pkgver}"
make DESTDIR="${pkgdir}/" PREFIX="/usr" install
desktop-file-install --vendor="" --dir="${pkgdir}/usr/share/applications" "${pkgdir}/usr/local/share/applications/${pkgname}.desktop"
rm -rf "${pkgdir}/usr/local/share/applications"
mkdir -p "${pkgdir}/usr/bin"
for f in $(ls "${pkgdir}/usr/local/bin"); do
mv "${pkgdir}/usr/local/bin/$f" "${pkgdir}/usr/bin/"
done
for f in $(ls "${pkgdir}/usr/local/sbin"); do
mv "${pkgdir}/usr/local/sbin/$f" "${pkgdir}/usr/bin/" # /usr/sbin is a symlink to /usr/bin
done
rm -rf "${pkgdir}/usr/local/bin" "${pkgdir}/usr/local/sbin"
mv "${pkgdir}/usr/local/share/man" "${pkgdir}/usr/share/"
mkdir -p "${pkgdir}/var/lib/${pkgname}"
touch "${pkgdir}/var/lib/${pkgname}/setroubleshoot_database.xml"
touch "${pkgdir}/var/lib/${pkgname}/email_alert_recipients"
rm -rf "${pkgdir}/usr/share/doc" "${pkgdir}/usr/share/usr" # Seems like a missconfiguration
install -m644 -D "${srcdir}/setroubleshoot.tmpfiles" "${pkgdir}/usr/lib/tmpfiles.d/${pkgname}.conf"
install -m644 -D "${srcdir}/setroubleshoot-sysusers.conf" "${pkgdir}/usr/lib/sysusers.d/${pkgname}.conf"
}
And this is setroubleshoot-sysusers.conf
(let systemd create a sysuser instead of doing it on install)
u setroubleshoot - "SELinux troubleshoot utility" /var/lib/setroubleshoot /bin/nologin
Thanks for your contribution. I merged it with the split package I wrote and published it on the AUR (https://aur.archlinux.org/pkgbase/setroubleshoot/) and in this repo (https://github.com/archlinuxhardened/selinux/tree/master/setroubleshoot). I have not tested it much so please consider it as a "work in progress".
Instead of moving files from /usr/local/...
, I added some options to ./configure
to set up where each file gets installed.
When I try to install it, terminal asks me an ID for github and a password. I've putted the same ID and password for logging here, but it doesn't work!
@mrvik @fishilico how to run it?
need dependency
sealert -s
Opps, sealert hit an error!
Traceback (most recent call last):
File "/usr/bin/sealert", line 682, in <module>
run_as_dbus_service(username)
File "/usr/bin/sealert", line 127, in run_as_dbus_service
app = SEAlert(user, dbus_service.presentation_manager, watch_setroubleshootd=True)
File "/usr/bin/sealert", line 344, in __init__
from setroubleshoot.serverconnection import ServerConnectionHandler
File "/usr/lib/python3.10/site-packages/setroubleshoot/serverconnection.py", line 22, in <module>
from setroubleshoot.rpc_interfaces import SETroubleshootServerInterface
File "/usr/lib/python3.10/site-packages/setroubleshoot/rpc_interfaces.py", line 21, in <module>
from setroubleshoot.signature import *
File "/usr/lib/python3.10/site-packages/setroubleshoot/signature.py", line 72, in <module>
from setroubleshoot.html_util import *
File "/usr/lib/python3.10/site-packages/setroubleshoot/html_util.py", line 39, in <module>
import formatter as Formatter
ModuleNotFoundError: No module named 'formatter'
I resolved this issue by downloading the formatter.py
from here and sticking it in /usr/lib/python3.10
. It's a hacky solution that won't survive updates, but it works for now.
Though now I seem to get a different error. It appears that setroubleshoot has rpm
compatibility hard coded into it...
error: cannot open Packages database in /var/lib/rpm
failed to connect to server: No such file or directory
Fedora has a tool which shows SELinux AVC messages in a pretty GUI, setroubleshoot (there is a screenshot on https://pagure.io/docs/setroubleshoot/). It seems to be a useful tool to use alongside
sesearch
,audit2allow
, etc.I have started writing some PKGBUILDs for it and for now and here are some questions I hit:
If someone who reads this issue would like to write these PKGBUILDs, I will happily integrate them with the other SELinux packages :smiley: