coreos / fedora-coreos-tracker

Issue tracker for Fedora CoreOS
https://fedoraproject.org/coreos/

Cockpit doesn't show selinux events #1720

Open sigulete opened 6 months ago

sigulete commented 6 months ago

Describe the bug

Cockpit is not showing selinux events even though they are available via: journalctl -t setroubleshoot

After debugging the problem, I noticed that the directory /var/lib/setroubleshoot is not created when layering the setroubleshoot-server package. As such, applications depending on /var/lib/setroubleshoot/setroubleshoot_database.xml like cockpit-selinux are blind.

Note: The same happens in Silverblue, and SELinux Troubleshoot (UI) doesn't show the events.

Reproduction steps

Prerequisites: cockpit and cockpit-selinux need to be installed. cockpit needs to be running.

  1. rpm-ostree install setroubleshoot-server
  2. Reboot
  3. Trigger a selinux event: podman run --detach --name mariadb --env MARIADB_ALLOW_EMPTY_ROOT_PASSWORD=1 mariadb:latest. This container requires container_manage_cgroup boolean.
  4. Confirm that selinux triggered an event: journalctl -t setroubleshoot OR ausearch -m AVC
  5. Log in to Cockpit and open the SELinux tab. It won't show any event.
  6. Review the messages from setroubleshootd: journalctl -u setroubleshootd. It will show errors related to not being able to create /var/lib/setroubleshoot/setroubleshoot_database.xml

Expected behavior

All selinux events should be accessible from cockpit and SELinux Troubleshoot (UI) in Silverblue.

Actual behavior

Events are not available to third-party apps.

System details

Fedora CoreOS - Vultr

Butane or Ignition config

No response

Additional information

The problem can be resolved by manually creating the missing directory:

mkdir /var/lib/setroubleshoot
chown setroubleshoot:setroubleshoot /var/lib/setroubleshoot
chmod 0700 /var/lib/setroubleshoot

jlebon commented 6 months ago

I think this is a setroubleshoot RHBZ instead. It needs to use systemd-tmpfiles to create /var/lib/setroubleshoot.

OK, and looking at https://src.fedoraproject.org/rpms/setroubleshoot/blob/1a11b3af0a698e3bcb1e84cbcf9f16253d5029d9/f/setroubleshoot.tmpfiles it does have a tmpfiles entry, and an entry for /var/lib/setroubleshoot but only to relabel (Z) and not to create the directory itself (d). The latter is currently done via rpm: https://src.fedoraproject.org/rpms/setroubleshoot/blob/1a11b3af0a698e3bcb1e84cbcf9f16253d5029d9/f/setroubleshoot.spec#_174.
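The following is an added example, not code from the issue, from setroubleshoot or from Fedora CoreOS. It turns the manual workaround above (mkdir/chown/chmod) into the tmpfiles.d form jlebon describes: a `d` line that creates /var/lib/setroubleshoot with the right owner and mode, plus a `Z` line that relabels it as the package's own fragment already does, applied with `systemd-tmpfiles --create` and then verified. The drop-in file name `setroubleshoot-dir.conf` and the helper names `write_dropin` and `check_dir_state` are this example's own choices; it assumes the setroubleshoot user and group exist (they are shipped with setroubleshoot-server), that `stat` is GNU coreutils (as on FCOS), and that it is run as root with the argument `apply`.

```shell
#!/bin/sh
# Added example (not from the issue or the setroubleshoot package): create
# /var/lib/setroubleshoot via a local tmpfiles.d drop-in instead of a one-off
# mkdir, so it survives a rebase and is recreated if /var is ever reset.
# Assumed: setroubleshoot user/group exist, GNU stat, run as root with "apply".
set -eu

SETROUBLESHOOT_DIR=/var/lib/setroubleshoot
# Hypothetical file name; anything under /etc/tmpfiles.d with a name that does
# not clash with the package's own fragment is fine (same-named files in /etc
# would override the one in /usr/lib/tmpfiles.d).
DROPIN=/etc/tmpfiles.d/setroubleshoot-dir.conf

# write_dropin FILE: write the fragment. "d" creates the directory with the
# given mode/owner/group if it is missing; "Z" relabels it recursively.
write_dropin() {
    dropin=$1
    cat > "$dropin" <<'EOF'
# Type Path                     Mode User            Group           Age Argument
d      /var/lib/setroubleshoot  0700 setroubleshoot  setroubleshoot  -   -
Z      /var/lib/setroubleshoot  -    -               -               -   -
EOF
}

# check_dir_state DIR MODE USER GROUP: return 0 if DIR is a directory whose
# octal mode (as printed by "stat -c %a", e.g. 700), owner and group match.
check_dir_state() {
    dir=$1 want_mode=$2 want_user=$3 want_group=$4
    [ -d "$dir" ] || return 1
    actual=$(stat -c '%a %U %G' "$dir")
    [ "$actual" = "$want_mode $want_user $want_group" ]
}

main() {
    write_dropin "$DROPIN"
    # Apply only this fragment now; on every boot systemd-tmpfiles-setup
    # will process it again along with the rest of tmpfiles.d.
    systemd-tmpfiles --create "$DROPIN"
    if check_dir_state "$SETROUBLESHOOT_DIR" 700 setroubleshoot setroubleshoot; then
        echo "ok: $SETROUBLESHOOT_DIR exists with mode 0700 and owner setroubleshoot"
        ls -dZ "$SETROUBLESHOOT_DIR"   # show the SELinux label the Z line applied
    else
        echo "error: $SETROUBLESHOOT_DIR missing or wrong mode/owner" >&2
        exit 1
    fi
}

case "${1:-}" in
    apply) main ;;
esac
```

After running it, `journalctl -u setroubleshootd` should no longer report failures creating setroubleshoot_database.xml, and the Cockpit SELinux tab should pick up new events. The same two lines belong in the package's own setroubleshoot.tmpfiles (next to the existing `Z` entry) if the fix is made upstream rather than locally.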