fedora-selinux / setroubleshoot

Abandoned, use https://gitlab.com/setroubleshoot

Sealert can't find paths to suggest restorecon fixes #65

Closed petervo closed 7 years ago

petervo commented 7 years ago

Say I have the following selinux error.

type=AVC msg=audit(1504984141.804:412): avc: denied { read } for pid=11439 comm="sshd" name="authorized_keys" dev="dm-0" ino=750370 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0 

sealert is not able to suggest an automatic restorecon fix. If I manually edit the message to add a path field path="/root/.ssh/authorized_keys", it is able to find it. I would have thought that between the dev and ino fields sealert would be able to find the path. But either way, is there a way to either get selinux to put paths in the log or get sealert to find paths from dev + ino?

Tested with the latest packages on f27.

setroubleshoot-server-3.3.12-3.fc27.x86_64
setroubleshoot-plugins-3.3.7-2.fc27.noarch
bachradsusi commented 7 years ago

The easiest way is to turn on full auditing by adding an audit rule like this:

# auditctl -D
# auditctl -w /etc/shadow -p w

or change /etc/audit/rules.d/audit.rules and restart auditd

Looking for pathname using inode could take a long time. Some information related to this problem can be found at http://danwalsh.livejournal.com/34903.html
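The two approaches discussed in this thread, using a path= field when full auditing supplies one and otherwise falling back to a dev + ino scan, are shown below as an added example. This is not setroubleshoot's own code or the project's plugin API; the function names (parse_avc, find_path_by_inode, suggest_restorecon, resolve_dev), the /sys/class/block lookup used to turn an audit dev name such as "dm-0" into a numeric device, and the temporary directory standing in for /root/.ssh are all assumptions made for the demonstration. The scan is restricted to a single device because inode numbers are only unique per filesystem, which is also why it is slow on a real root filesystem.

```python
import os
import re
import shutil
import tempfile

# key=value pairs of an AVC record; quoted values may contain spaces.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')
_DENIED = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')


def parse_avc(record):
    """Parse one audit AVC record into a dict of its key=value fields plus 'permission'."""
    fields = {}
    for m in _KV.finditer(record):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    d = _DENIED.search(record)
    if d:
        fields["permission"] = d.group(1)
    return fields


def resolve_dev(dev_name):
    """Map an audit dev= name like 'dm-0' to a numeric st_dev via sysfs (Linux only, assumed)."""
    with open(f"/sys/class/block/{dev_name}/dev") as fh:
        major, minor = (int(x) for x in fh.read().strip().split(":"))
    return os.makedev(major, minor)


def find_path_by_inode(dev, ino, root):
    """Walk `root` for an object whose st_dev/st_ino match; prune other devices."""
    for dirpath, dirnames, filenames in os.walk(root):
        same_dev = []
        for d in dirnames:
            try:
                if os.lstat(os.path.join(dirpath, d)).st_dev == dev:
                    same_dev.append(d)
            except OSError:
                continue
        dirnames[:] = same_dev  # do not descend into other mount points
        for name in filenames + dirnames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if st.st_dev == dev and st.st_ino == ino:
                return full
    return None


def suggest_restorecon(record, dev_num, search_root="/"):
    """Return a restorecon command for the denied object, or None if no path is known.

    Prefers the path= field (present when full auditing is on, or in permissive
    mode as the thread notes); otherwise falls back to the dev+ino scan.
    """
    f = parse_avc(record)
    path = f.get("path")
    if path is None and f.get("tclass") == "file" and "ino" in f:
        path = find_path_by_inode(dev_num, int(f["ino"]), search_root)
    if path is None:
        return None
    return ["restorecon", "-v", path]


def demo():
    """Constructed scenario: a temp tree stands in for /root/.ssh and the AVC record
    is built from its real dev/inode numbers, so this runs without auditd or SELinux."""
    root = tempfile.mkdtemp()
    try:
        keys = os.path.join(root, ".ssh", "authorized_keys")
        os.mkdir(os.path.dirname(keys))
        with open(keys, "w") as fh:
            fh.write("ssh-ed25519 AAAA... constructed-sample-key\n")
        st = os.stat(keys)
        record = (
            'type=AVC msg=audit(1504984141.804:412): avc: denied { read } for pid=11439 '
            f'comm="sshd" name="authorized_keys" dev="dm-0" ino={st.st_ino} '
            'scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 '
            'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file permissive=0'
        )
        # No path= field: only the (slow) dev+ino scan can locate the object.
        suggested = suggest_restorecon(record, st.st_dev, search_root=root)
        # With path= present (full auditing), no scan happens at all.
        with_path = suggest_restorecon(record + ' path="/root/.ssh/authorized_keys"',
                                       st.st_dev, search_root="/nonexistent")
        return {"expected_path": keys, "suggested": suggested,
                "with_path": with_path, "fields": parse_avc(record)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

On a real host, `resolve_dev` turns the record's dev="dm-0" into the number to pass as `dev_num`; the scan then walks only that filesystem and still needs root to stat every entry, which is the cost bachradsusi points to above.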

petervo commented 7 years ago

@bachradsusi thanks, that makes sense. We need to generate some sort of automatically fixable errors for tests. Are there any automatically fixable rules that don't require us to do this? Or is using auditctl to turn on full auditing the best way to go?

bachradsusi commented 7 years ago

I'm afraid that the only reliable solution for now is to turn full auditing on using -w /etc/shadow -p w. Or you can run a system in permissive mode to get AVC denial messages for the open syscall, which already contain the path= element.

petervo commented 7 years ago

Ok, thanks for your help.