Package Base Details: setroubleshoot

Submitter: IooNag
Maintainer: IooNag
Last Packager: IooNag
Votes: 1
Popularity: 0.000000
First Submitted: 2019-04-28 16:48 (UTC)
Last Updated: 2021-07-03 14:44 (UTC)

Latest Comments

zhs commented on 2020-09-25 15:59 (UTC)

There are two issues with this package. I have found a way to solve one but am still scratching my head over the other.

  1. In the PKGBUILD you should add --localstatedir=/var/lib to the invocation of the configure script in build(). Without this change, setroubleshoot attempts to find its state files under /usr/var/lib, i.e. ${prefix}/var/lib, instead of the intended /var/lib, where the package_() functions create the directories for it.

  2. As the other user has already commented, setroubleshoot invokes get_installed_policy() from the selinux-python utility library. The daemon is run via dbus as the user 'setroubleshoot', who does not have read access to the directory /etc/selinux/${policy_name}/policy (this directory is owned by root and chmod 700). This results in the call to get_installed_policy() failing to enumerate installed policies and raising the exception. Changing the permissions on this directory fixes the error but is likely an incorrect solution.

2a. Up to setroubleshoot 3.1.x the dbus unit would run setroubleshoot as root but some time around 5 years ago it changed this in this commit

and now runs it as 'setroubleshoot.' I have no idea how the filesystem and user/group permissions on Fedora are that allow this user access to the compiled policy store under, for example, /etc/selinux/refpolicy-arch/policy (or /etc/selinux/targeted/policy as it would be on Fedora).

2b. I noticed multiple instances of this setroubleshoot error reported to CentOS and Fedora bug trackers. These have been repeatedly allowed to lapse to EOL, left unanswered, or marked as duplicates of similarly unanswered bug reports.

P.S. Overall, the userland tools around SELinux all seem dilapidated and barely given any attention.
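
A diagnostic for the access problem described in item 2 of the comment above, as an added example (not part of the comment or of the package): it walks a path and reports the first directory whose mode bits stop a given identity from reaching and listing the policy store. The function names, the temporary tree and the stand-in UID are constructed for illustration; on a real system, pass the UID and group IDs of the 'setroubleshoot' user and run it as root so every component can be stat'ed.

```python
import os
import shutil
import tempfile

def first_blocked_component(path, uid, gids, base=os.sep):
    """Return the first directory below `base` on the way to `path` that the
    identity (uid, gids) cannot use, or None if the final directory is listable.

    Intermediate directories need search (x); the final one needs r-x so its
    entries can be enumerated. Only classic mode bits are evaluated; ACLs,
    capabilities other than root's bypass, and SELinux rules are ignored.
    """
    if uid == 0:
        return None  # root bypasses mode bits
    base = os.path.abspath(base)
    parts = os.path.relpath(os.path.abspath(path), base).split(os.sep)
    current = base
    for i, part in enumerate(parts):
        current = os.path.join(current, part)
        st = os.stat(current)
        need = 0o5 if i == len(parts) - 1 else 0o1
        if st.st_uid == uid:
            granted = (st.st_mode >> 6) & 0o7
        elif st.st_gid in gids:
            granted = (st.st_mode >> 3) & 0o7
        else:
            granted = st.st_mode & 0o7
        if granted & need != need:
            return current
    return None

def demo():
    """Constructed tree imitating /etc/selinux/refpolicy-arch/policy."""
    root = tempfile.mkdtemp()
    old_umask = os.umask(0o022)
    try:
        store = os.path.join(root, "selinux", "refpolicy-arch", "policy")
        os.makedirs(store)
        daemon_uid = os.getuid() + 1  # constructed stand-in for 'setroubleshoot'
        os.chmod(store, 0o700)        # the mode described in the comment
        blocked = first_blocked_component(store, daemon_uid, set(), base=root)
        os.chmod(store, 0o755)        # contrast only, not a recommended fix
        opened = first_blocked_component(store, daemon_uid, set(), base=root)
        return store, blocked, opened
    finally:
        os.umask(old_umask)
        shutil.rmtree(root)

if __name__ == "__main__":
    print(demo())
```
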

huskiesrock1884 commented on 2019-05-05 19:23 (UTC)

SETroubleshootd seems to think that there is no SELinux policy installed on my system, while sepolicy shows up in both /usr/lib/python{2,3}.7/site-packages and my SELinux policy is in fact refpolicy-arch. I've set SELinux to permissive for the duration of this issue, from which it is normally enforcing.

Here are my journalctl entries indicating the problem: