setroubleshoot-plugins-3.3.15-3

- catchall: Discourage creating custom policy modules

Resolves: RHEL-80549
Vit Mojzis 2026-06-18 17:12:34 +02:00
parent 53499765c2
commit b2821260d0
2 changed files with 41 additions and 1 deletions


@ -0,0 +1,36 @@
From 8ad7f4c5528fbbc52a3d391c702102c6fe262d83 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Tue, 9 Jun 2026 17:27:36 +0200
Subject: [PATCH] catchall: Discourage creating custom policy modules
Update the plugin text to discourage creating custom policy modules by
explaining the lack of support and potential security implications.
---
src/catchall.py | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/catchall.py b/src/catchall.py
index 052d6d8..7e4a8fa 100644
--- a/src/catchall.py
+++ b/src/catchall.py
@@ -54,9 +54,14 @@ class plugin(Plugin):
return _('If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on $TARGET_CLASS labeled $TARGET_TYPE by default.')
return _('If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on the $TARGET_BASE_PATH $TARGET_CLASS by default.')
- then_text = _('You should report this as a bug.\nYou can generate a local policy module to allow this access.')
- do_text = _("""Allow this access for now by executing:
-# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
+ then_text = _('''
+ You should report this as a bug.\n
+ If you are certain this access is legitimate and not an intrusion attempt, you
+ can generate a local policy module to allow it.
+ Custom policy modules are not supported as they may weaken the system policy and expose the system to security vulnerabilities.
+ ''')
+
+ do_text = _("""# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
# semodule -X 300 -i my-$MODULE_NAME.pp""")
def __init__(self):
--
2.53.0
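Review bot: The new triple-quoted `then_text` in the src/catchall.py hunk embeds whitespace that is not part of the message: the literal opens and closes with a line break, the first line combines an explicit `\n` with the real line break that follows it (a blank line in the output), and each continuation line presumably carries the class-body indentation that the rendered view has dropped, all of which ends up in the gettext msgid and in the text shown to the user. Implicit string concatenation keeps the message on one logical line: `then_text = _('You should report this as a bug.\n'` / `'If you are certain this access is legitimate and not an intrusion attempt, you can generate a local policy module to allow it.\n'` / `'Custom policy modules are not supported as they may weaken the system policy and expose the system to security vulnerabilities.')`. The same hunk also drops the "Allow this access for now by executing:" lead-in from `do_text`, so the fix text now starts with a bare command line; if that was not intended, keep the sentence. The method whose `return _(...)` lines open the hunk starts outside it.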


@ -6,13 +6,14 @@
Summary: Analysis plugins for use with setroubleshoot
Name: setroubleshoot-plugins
Version: 3.3.15
Release: 2%{?dist}
Release: 3%{?dist}
License: GPL-2.0-or-later
URL: https://gitlab.com/setroubleshoot/plugins
Source0: https://gitlab.com/-/project/24478430/uploads/1d856bff1c9fb16a8c6fc877d7fe91ca/setroubleshoot-plugins-3.3.15.tar.gz
# git format-patch -N setroubleshoot-plugins-<version>
# for j in 00*patch; do printf "Patch: %s\n" $j; done
Patch: 0001-Split-multi-command-fix_cmds-into-lists.patch
Patch: 0002-catchall-Discourage-creating-custom-policy-modules.patch
BuildArch: noarch
# gcc is needed only for ./configure
@ -50,6 +51,9 @@ rm -rf %{buildroot}
%{_datadir}/setroubleshoot/plugins
%changelog
* Thu Jun 18 2026 Vit Mojzis <vmojzis@redhat.com> - 3.3.15-3
- catchall: Discourage creating custom policy modules (RHEL-80549)
* Thu May 07 2026 Vit Mojzis <vmojzis@redhat.com> - 3.3.15-2
- Split multi-command fix_cmds into lists (RHEL-155206)