From 74926ff27b35329819d74ea53eef2aff376cc6e1 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Tue, 25 Feb 2020 10:36:06 +0100
Subject: [PATCH] Add Local SELinux policy package version to analyses reports
Sometimes a SELinux domain is shipped by other than selinux-policy packages. In this case it's useful to report other package policy version together with selinux-policy version, e.g. for the following AVC: type=AVC msg=audit(1582621541.469:6896): avc: denied { write } for pid=1627505 comm="python3" name="plautrba" dev="dm-4" ino=19529729 scontext=system_u:system_r:mysqld_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1 a report will contain the following lines: SELinux Policy RPM selinux-policy-3.14.5-24.fc32.1.contrib.50770ffc2a14.noarch Local Policy RPM mysql-selinux-1.0.0-9.fc32.noarch
---
 framework/src/setroubleshoot/signature.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/framework/src/setroubleshoot/signature.py b/framework/src/setroubleshoot/signature.py
index 711c2875f5a4..7287eec8af61 100755
--- a/framework/src/setroubleshoot/signature.py
+++ b/framework/src/setroubleshoot/signature.py
@@ -120,6 +120,7 @@ class SEEnvironment(XmlSerialize):
 'kernel': {'XMLForm': 'element'},
 'policy_type': {'XMLForm': 'element'},
 'policy_rpm': {'XMLForm': 'element'},
+ 'local_policy_rpm': {'XMLForm': 'element'},
 'enforce': {'XMLForm': 'element'},
 'selinux_enabled': {'XMLForm': 'element', 'import_typecast': boolean, },
 'selinux_mls_enabled': {'XMLForm': 'element', 'import_typecast': boolean, },
@@ -141,6 +142,7 @@ class SEEnvironment(XmlSerialize):
 self.platform, self.kernel = get_os_environment()
 self.policy_type = selinux.selinux_getpolicytype()[1]
 self.policy_rpm = get_rpm_nvr_by_name("selinux-policy")
+ self.local_policy_rpm = self.policy_rpm
 self.policyvers = str(selinux.security_policyvers())
 enforce = selinux.security_getenforce()
 if enforce == 0:
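Review bot: `self.local_policy_rpm = self.policy_rpm` in the second SEEnvironment hunk aliases the base policy NVR as the default, so any environment whose value is not overridden later reports the same package on both the "SELinux Policy RPM" and "Local Policy RPM" lines, which a reader can mistake for a separately shipped module. A comment on that line would make the intent explicit, for example `# fallback: same as selinux-policy until a signature sets it from its source context`. The enclosing method starts above the hunk and continues past its last line.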
@@ -312,6 +314,7 @@ class SEFaultSignatureInfo(XmlSerialize):
 setattr(self, k, v)
 self.report_count = 1
 self.plugin_list = []
+ self.environment.local_policy_rpm = get_rpm_nvr_by_scontext(self.scontext, use_dbus=True)

 def update_merge(self, siginfo):
 if siginfo.last_seen_date != self.last_seen_date:
@@ -524,7 +527,8 @@ class SEFaultSignatureInfo(XmlSerialize):
 text += format_2_column_name_value(_("Host"), default_text(self.sig.host))
 text += format_2_column_name_value(_("Source RPM Packages"), default_text(self.format_rpm_list(self.src_rpm_list)))
 text += format_2_column_name_value(_("Target RPM Packages"), default_text(self.format_rpm_list(self.tgt_rpm_list)))
- text += format_2_column_name_value(_("Policy RPM"), default_text(env.policy_rpm))
+ text += format_2_column_name_value(_("SELinux Policy RPM"), default_text(env.policy_rpm))
+ text += format_2_column_name_value(_("Local Policy RPM"), default_text(env.local_policy_rpm))
 text += format_2_column_name_value(_("Selinux Enabled"), default_text(env.selinux_enabled))
 text += format_2_column_name_value(_("Policy Type"), default_text(env.policy_type))
 text += format_2_column_name_value(_("Enforcing Mode"), default_text(env.enforce))
--
2.25.1
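Review bot: The added assignment after `self.plugin_list = []` dereferences `self.environment` and `self.scontext` unconditionally, yet both appear to be set only by the `setattr` loop over the keyword arguments, so an instance built without them (or with `environment=None`) would raise here and the denial would not be recorded. It also replaces the `policy_rpm` fallback from SEEnvironment even when the lookup finds nothing. And it writes to the environment object itself, so if that object is shared between signatures, one denial's package would show up in other reports; that needs confirming against the callers. `get_rpm_nvr_by_scontext` is not imported anywhere in this patch, so it presumably comes from an existing wildcard import, and the failure path of a D-Bus call made during initialisation should be checked in that helper. The initialisation code starts above the hunk; a guarded form is sketched below.

```python
        self.plugin_list = []
        # Keep the SEEnvironment default unless a package is actually found.
        env = getattr(self, 'environment', None)
        scontext = getattr(self, 'scontext', None)
        if env is not None and scontext is not None:
            local_nvr = get_rpm_nvr_by_scontext(scontext, use_dbus=True)
            if local_nvr:
                env.local_policy_rpm = local_nvr
```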
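Review bot: The relabelled line `_("SELinux Policy RPM")` changes a translatable msgid and a line of the plain-text report, so existing translations of "Policy RPM" stop matching, and anything that parses saved reports or bug templates by that label needs updating; this deserves a changelog entry. The new `env.local_policy_rpm` read also runs for environments loaded from databases written before this change, which carry no such element. Confirm that XmlSerialize initialises missing fields (presumably to None, which `default_text` would then render) rather than leaving the attribute undefined. The enclosing method starts and ends outside the hunk.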