Bugzilla – Bug 1217042
SELinux Tool sealert-gui Nonfunctional Due to Missing Dependency
Last modified: 2024-06-04 11:52:36 UTC
Coming from CentOS Stream I have utterly depended on sealert-gui to help me fix selinux blocks, however it can not run in MicroOS or any other Suse as dependencies are missing from repos. It is possible to run sealert on CLI but you must add the -a switch and provide the path to the logfile, which few people know, and so there is a plague of TURNING OFF selinux which I think is a travesty.
selinux-gui is an applet which pops up in the system tray (dbus) if an selinux block occurs, and makes it possible to easily fix such blocks, at least in KDE, probably in Gnome. But in order to get it working I must install Fedora packages to satisfy its dependencies, as so:
# transactional-update pkg in libvirt virt-manager libreport-2.17.4-1.fc37.x86_64.rpm libreport-gtk-2.17.4-1.fc37.x86_64.rpm python3-libreport-2.17.11-1.fc37.x86_64.rpm satyr-0.39-6.fc37.x86_64.rpm
I am a real estate developer not a coder, so am in no position to add these to the Suse repos, but here is my suggestion that they are sorely needed.
Isn't setroubleshoot (available in official OSS repo) working for you?
setroubleshoot GUI. Application that allows you to view setroubleshoot-server messages. Provides tools to help diagnose SELinux problems. When AVC messages are generated an alert can be generated that will give information about the problem and help track its resolution. Alerts can be configured to user preference. The same tools can be run on existing log files.
Well in MicroOS I now find that setroubleshoot is installed and does have
- /etc/xdg/autostart/sealertauto.desktop
- /usr/bin/seapplet
... and ps shows /usr/bin/python3 -Es /usr/bin/seapplet
setroubleshoot-server is installed and has
- /etc/setroubleshoot/setroubleshoot.conf
- /usr/bin/sealert
- /usr/lib/systemd/system/setroubleshootd.service
... and does seem to be dbus-driven.
The problem which drove me nuts for two weeks was I could not get a remote x2go desktop on this headless machine, and the reason for that finally turned out to be an selinux block. When I turned off selinux I could get the remote desktop but didn't have an indicator in the system tray. I managed to learn the selinux CLI to find out the causes of the blocks and fixed them. I haven't gotten far enough yet to know whether setroubleshoot is behaving the same as selinux-gui did, now that I know setroubleshoot is installed and is intended to replace it.
Yup, no applet nor popup on selinux blocks with setroubleshoot, and this is because it's not installed by default in MicroOS for some reason, even though selinux is Enforcing.
Installing setroubleshoot & setroubleshoot-server and rebooting, the systemd daemon fails a dependency:
Nov 12 11:09:56 microos-clean-carl.darkmatter.org systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
░░ Subject: A start job for unit setroubleshootd.service has begun execution
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ A start job for unit setroubleshootd.service has begun execution.
░░
░░ The job identifier is 1377.
Nov 12 11:09:56 microos-clean-carl.darkmatter.org setroubleshootd[1811]: Traceback (most recent call last):
Nov 12 11:09:56 microos-clean-carl.darkmatter.org setroubleshootd[1811]: File "/usr/sbin/setroubleshootd", line 31, in <module>
Nov 12 11:09:56 microos-clean-carl.darkmatter.org setroubleshootd[1811]: from setroubleshoot.util import log_debug
Nov 12 11:09:56 microos-clean-carl.darkmatter.org setroubleshootd[1811]: File "/usr/lib/python3.11/site-packages/setroubleshoot/util.py", line 2, in <module>
Nov 12 11:09:56 microos-clean-carl.darkmatter.org setroubleshootd[1811]: from six.moves import range
Nov 12 11:09:56 microos-clean-carl.darkmatter.org setroubleshootd[1811]: ModuleNotFoundError: No module named 'six'
Nov 12 11:09:56 microos-clean-carl.darkmatter.org systemd[1]: setroubleshootd.service: Main process exited, code=exited, status=1/FAILURE
░░ Subject: Unit process exited
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░
░░ An ExecStart= process belonging to unit setroubleshootd.service has exited.
░░
░░ The process' exit code is 'exited' and its exit status is 1.
Nov 12 11:09:56 microos-clean-carl.darkmatter.org systemd[1]: setroubleshootd.service: Failed with result 'exit-code'.
It needs python311-six. setroubleshoot comes with MicroOS in the can, and the dependency should be added.
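An added example, not part of the bug thread and not setroubleshoot's own code: a small parser that scans syslog-style journal text for the failure pattern shown in the comment above, namely a Python service dying on a missing module, and reports which file tried the import and which unit failed. The function name and the sample text (abbreviated from the log above, hostname replaced with "host") are constructed for illustration.

```python
import re

# Constructed sample, abbreviated from the journal output quoted above.
SAMPLE_JOURNAL = """\
Nov 12 11:09:56 host systemd[1]: Starting SETroubleshoot daemon for processing new SELinux denial logs...
Nov 12 11:09:56 host setroubleshootd[1811]: Traceback (most recent call last):
Nov 12 11:09:56 host setroubleshootd[1811]:   File "/usr/sbin/setroubleshootd", line 31, in <module>
Nov 12 11:09:56 host setroubleshootd[1811]:     from setroubleshoot.util import log_debug
Nov 12 11:09:56 host setroubleshootd[1811]:   File "/usr/lib/python3.11/site-packages/setroubleshoot/util.py", line 2, in <module>
Nov 12 11:09:56 host setroubleshootd[1811]:     from six.moves import range
Nov 12 11:09:56 host setroubleshootd[1811]: ModuleNotFoundError: No module named 'six'
Nov 12 11:09:56 host systemd[1]: setroubleshootd.service: Main process exited, code=exited, status=1/FAILURE
Nov 12 11:09:56 host systemd[1]: setroubleshootd.service: Failed with result 'exit-code'.
"""

# "Mon DD HH:MM:SS host proc[pid]: message"
LINE = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ (?P<proc>[^\[\s:]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FRAME = re.compile(r'^\s*File "(?P<path>[^"]+)", line (?P<line>\d+)')
MISSING = re.compile(r"^(?:ModuleNotFoundError|ImportError): No module named '?(?P<mod>[\w.]+)'?")
FAILED = re.compile(r"^(?P<unit>\S+\.service): Failed with result '(?P<result>[^']+)'")


def find_missing_modules(journal_text):
    """Return (findings, failed_units) for import failures found in journal text."""
    last_frame = {}  # (proc, pid) -> innermost traceback frame seen so far
    findings, failed_units = [], []
    for raw in journal_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # e.g. the explanatory lines that journalctl -x interleaves
        key, msg = (m["proc"], int(m["pid"])), m["msg"]
        if (f := FRAME.match(msg)):
            last_frame[key] = (f["path"], int(f["line"]))
        elif (e := MISSING.match(msg)):
            path, line = last_frame.get(key, (None, None))
            findings.append({
                "process": key[0], "pid": key[1],
                "module": e["mod"].split(".")[0],  # top-level module to package
                "importer": path, "line": line,
            })
        elif key[0] == "systemd" and (u := FAILED.match(msg)):
            failed_units.append(u["unit"])
    return findings, failed_units


if __name__ == "__main__":
    print(find_missing_modules(SAMPLE_JOURNAL))
```
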
Adding six and rebooting, now the daemon starts and sealert appears in the tray on blocks. But we are back to my old friend, "No module named report", which means it needs packages that aren't in the repo as noted above. Maybe I'm the only one using this.
So once to this point, wget these from pkgs.org and:
# transactional-update pkg in libreport-2.17.4-1.fc37.x86_64.rpm libreport-gtk-2.17.4-1.fc37.x86_64.rpm python3-libreport-2.17.4-1.fc37.x86_64.rpm satyr-0.39-6.fc37.x86_64.rpm
Hit 'i' to ignore additional dependencies and missing keys, and install. Then sealert-gui works. Fed 39 files do -not- work.
However with the most recent snapshot of MicroOS I am unable to log in as root through SSH, as selinux prevents access to authorized_keys. This block is -not- caught by setroubleshootd for some reason. I have to turn off selinux in order to log in remotely.
Is this on openSUSE MicroOS or on openSUSE Aeon (formerly MicroOS Desktop)? MicroOS does not provide a desktop environment, so GUI packages are not installed.
This is on MicroOS. Of course it can have a desktop, on install a choice of Gnome or KDE in fact. I run KDE and have done so since 1997. (on Debian) Ok, "Kalpa". Are you picking on me for semantics? Or do the problems matter? When I communicate on IRC and other channels I refer to it as MicroOS because n00bs don't care about the minutiae. What matters is getting the word out that it works (for the most part) and is great.
You've set this to Kalpa. Nah this also applies to Aeon.
... and it's a deficiency of the base system setroubleshoot package. This is not a Plasma problem.
Hi Bill,
Just FTR there are two things:
1) missing package dependency python3-six (setroubleshoot-server)
2) missing package-wide dependency for python3-libreport
The first should be fixed in Tumbleweed soon after it is accepted by factory (https://build.opensuse.org/request/show/1126803). But I'm not sure when exactly it can get into the MicroOS repo.
The second one is a little bit more complex issue because python3-libreport is a RedHat specific library for reporting issues and we do not have an equivalent currently (AFAIK).
If you want to use the GUI, there is a quick dirty "workaround" to get the GUI browser and notification working, but it is a temporary hotfix. I cannot guarantee it will not break anything else in the setroubleshoot browser/notifications (although I think it should not affect overall functionality) and every package update will override it until we find a solution.
If you want to test it at your own risk, comment out these lines (starting number is a line number for package version 3.3.32) in /usr/lib/python3.11/site-packages/setroubleshoot/browser.py
>67 import report
>68 import report.io
>69 import report.io.GTKIO
>70 import report.accountmanager
>281 self.accounts = report.accountmanager.AccountManager()
Hi, thanks but this is not possible as MicroOS is an immutable OS. I guess that Tumbleweed/MicroOS will not have selinux troubleshooting indefinitely.
(In reply to Bill Southwell from comment #12)
> Hi, thanks but this is not possible as MicroOS is an immutable OS.
>
> I guess that Tumbleweed/MicroOS will not have selinux troubleshooting
> indefinitely.
Hi Bill, I have packaged libreport and satyr (missing dependencies for gui of sealert). Can you please try to add this repository + install `python3-libreport` from my home obs repo and let me know if it works?
`zypper ar https://download.opensuse.org/repositories/home:/djz88/openSUSE_Tumbleweed/home:djz88.repo`
Thanks.
(In reply to Zdenek Kubala from comment #13)
> (In reply to Bill Southwell from comment #12)
> > Hi, thanks but this is not possible as MicroOS is an immutable OS.
> >
> > I guess that Tumbleweed/MicroOS will not have selinux troubleshooting
> > indefinitely.
>
> Hi Bill, I have packaged libreport and satyr (missing dependencies for gui
> of sealert) Can you please try to add this repository + install
> `python3-libreport` from my home obs repo and let me know if it works?
>
> `zypper ar
> https://download.opensuse.org/repositories/home:/djz88/openSUSE_Tumbleweed/
> home:djz88.repo`
>
> Thanks.
Hi, I went ahead and installed the primary dependencies and ignored their dependencies, and sealert-gui works in KDE. I'd rather not mess with it now.
Small update. I'm working on submitting libreport and satyr into the devel project of devel:libraries:c_c++.