From 9e2753d241bf0bccaf0b05984e7562a2ac2a70e6 Mon Sep 17 00:00:00 2001
From: Vit Mojzis
Date: Thu, 24 Aug 2023 19:02:24 +0200
Subject: [PATCH] Check that SELinux is enabled before running

Setroubleshootd will fail to run when selinux is disabled. Check that SELinux is enabled in setroubleshootd service file and in sealert (so that it does not wait for setroubleshootd to start).

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2178950
Signed-off-by: Vit Mojzis
---
 setroubleshootd.service | 1 +
 src/sealert | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/framework/setroubleshootd.service b/framework/setroubleshootd.service
index 81c75b1..7fc2ffb 100644
--- a/framework/setroubleshootd.service
+++ b/framework/setroubleshootd.service
@@ -1,5 +1,6 @@
 [Unit]
 Description=SETroubleshoot daemon for processing new SELinux denial logs
+ConditionSecurity=selinux

 [Service]
 Type=dbus
diff --git a/framework/src/sealert b/framework/src/sealert
index 2663a21..5ce6463 100755
--- a/framework/src/sealert
+++ b/framework/src/sealert
@@ -576,6 +576,12 @@ if __name__ == '__main__':
 setup_sighandlers()
 log_debug("main() args=%s" % sys.argv)

+ # Exit if selinux is disabled - setroubleshootd cannot start
+ if not selinux.is_selinux_enabled():
+ log_debug("SELinux not enabled, sealert will not run on non SELinux systems")
+ print("SELinux not enabled, sealert will not run on non SELinux systems", file=sys.stderr)
+ sys.exit(3)
+
 def validate_invocation_style(opt, opts_instance, conflict_opts):
 global invocation_style
 conflict_opts.remove(opt)
--
2.41.0
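Review bot: In framework/setroubleshootd.service the added `ConditionSecurity=selinux` has no comment saying why it is there or what a caller sees when it is not met; systemd treats an unmet condition as a skipped start rather than a failure, so the unit will not show up as failed. I would add `# Skip start when SELinux is disabled; setroubleshootd cannot run without it` above the line. Only sealert gets an explicit early exit in this patch, so any other D-Bus client that activates this `Type=dbus` service may still wait for it on such hosts; that is worth checking.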
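Review bot: In framework/src/sealert the new SELinux check sits at the top of the `if __name__ == '__main__':` block, ahead of `validate_invocation_style` and presumably of option parsing (that code lies outside the hunk), so on a host with SELinux disabled even `sealert -h` and offline analysis of a copied audit log with `sealert -a` would exit before doing anything. If those modes do not need setroubleshootd, the guard belongs only on the paths that actually contact the daemon. The exit status `3` is also unexplained; a comment such as `# exit status 3: SELinux disabled, setroubleshootd cannot be started` would let callers and packagers rely on it. The hunk does not show an `import selinux`, so confirm the module is already imported at the top of the file.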