RHEL-67926

setroubleshoot does not check store-root

    • Bug
    • Resolution: Unresolved
    • Normal
    • rhel-10.0
    • rhel-10.0
    • setroubleshoot
    • None
    • setroubleshoot-3.3.35-1.el10
    • No
    • Important
    • 1
    • rhel-sst-security-selinux
    • ssg_security
    • 16
    • 2
    • QE ack
    • False
    • None
    • None
    • SELINUX 241127 - 241218
    • The setroubleshootd service honors the store-root option defined in the /etc/selinux/semanage.conf file. When the store-root location does not exist, the service will complain (exception in systemd journal). When the store-root location exists, the service does not complain.
    • Pass
    • Not Needed
    • Automated
    • None

      https://gitlab.com/setroubleshoot/setroubleshoot/-/issues/11

      In ostree based systems, the target root is moved to /etc/selinux as /var/lib/selinux/targeted is empty.
      This is done by adding store-root=/etc/selinux to /etc/selinux/semanage.conf.
      Currently, https://gitlab.com/setroubleshoot/setroubleshoot/-/blame/main/src/setroubleshoot/util.py?ref_type=heads#L565 is hardcoded for /var/lib/selinux, causing stacktraces on ostree based systems.

      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: The call org.fedoraproject.SetroubleshootPrivileged.get_rpm_nvr_by_scontext has failed with an exception:
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: Traceback (most recent call last):
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: File "/usr/lib/python3.13/site-packages/dasbus/server/handler.py", line 455, in _method_callback
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: result = self._handle_call(
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: interface_name,
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: ...<2 lines>...
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: **additional_args
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: )
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: File "/usr/lib/python3.13/site-packages/dasbus/server/handler.py", line 265, in _handle_call
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: return handler(*parameters, **additional_args)
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: File "/usr/share/setroubleshoot/SetroubleshootPrivileged.py", line 57, in get_rpm_nvr_by_scontext
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: rpmnvr = setroubleshoot.util.get_rpm_nvr_by_scontext(scontext)
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: File "/usr/lib/python3.13/site-packages/setroubleshoot/util.py", line 629, in get_rpm_nvr_by_scontext
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: return get_rpm_nvr_by_type(str(selinux.context_type_get(context)))
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: File "/usr/lib/python3.13/site-packages/setroubleshoot/util.py", line 514, in get_rpm_nvr_by_type
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: build_module_type_cache()
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: ~~~~~~~~~~~~~~~~~~~~~~~^^
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: File "/usr/lib/python3.13/site-packages/setroubleshoot/util.py", line 565, in build_module_type_cache
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: with os.scandir("/var/lib/selinux/{}/active/modules".format(policytype)) as module_store:
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: ~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      Oct 26 12:21:01 antheas-ally-x SetroubleshootPrivileged.py[2316]: FileNotFoundError: [Errno 2] No such file or directory: '/var/lib/selinux/targeted/active/modules'

      Proposed fix https://gitlab.com/setroubleshoot/setroubleshoot/-/merge_requests/44
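
      One way to resolve the module store from store-root instead of a hardcoded /var/lib/selinux, as an added example that is not part of the report, the merge request or setroubleshoot's own code. The function names are hypothetical, and it assumes the plain key = value syntax of semanage.conf with bracketed blocks closed by [end].

```python
import os
import tempfile

DEFAULT_STORE_ROOT = "/var/lib/selinux"  # used when semanage.conf sets no store-root


def read_store_root(conf_path="/etc/selinux/semanage.conf"):
    """Return the store-root value from semanage.conf, or the default path."""
    store_root = DEFAULT_STORE_ROOT
    try:
        with open(conf_path, encoding="utf-8") as conf:
            in_block = False
            for raw in conf:
                line = raw.split("#", 1)[0].strip()  # drop comments
                if line.startswith("["):
                    # bracketed blocks such as [verify kernel] run until [end]
                    in_block = line.lower() != "[end]"
                elif not in_block and "=" in line:
                    key, value = (p.strip() for p in line.split("=", 1))
                    if key == "store-root" and value:
                        store_root = value  # assumption: last assignment wins
    except FileNotFoundError:
        pass  # no config file: keep the default
    return store_root


def module_store_dir(policytype, conf_path="/etc/selinux/semanage.conf"):
    """Path that replaces the hardcoded /var/lib/selinux/<type>/active/modules."""
    return os.path.join(read_store_root(conf_path), policytype, "active", "modules")


def scan_module_store(policytype, conf_path="/etc/selinux/semanage.conf"):
    """List directories in the module store; a missing store still raises."""
    with os.scandir(module_store_dir(policytype, conf_path)) as store:
        return sorted(e.name for e in store if e.is_dir())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed ostree-like layout
        store = os.path.join(tmp, "etc-selinux")
        os.makedirs(os.path.join(store, "targeted", "active", "modules", "100"))
        conf = os.path.join(tmp, "semanage.conf")
        with open(conf, "w", encoding="utf-8") as f:
            f.write("module-store = direct\nstore-root = %s  # constructed\n" % store)
        print(module_store_dir("targeted", conf))
        print(scan_module_store("targeted", conf))
```

      A store-root that points at a missing directory still raises FileNotFoundError, but the message then names the configured path rather than /var/lib/selinux.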

              rhn-engineering-plautrba Petr Lautrbach
              rhn-engineering-plautrba Petr Lautrbach
              Vit Mojzis
              Milos Malik