Package setroubleshoot on Arch Linux

[fishilico]

Fedora has a tool which shows SELinux AVC messages in a pretty GUI, setroubleshoot (there is a screenshot on https://pagure.io/docs/setroubleshoot/). It seems to be a useful tool to use alongside sesearch, audit2allow, etc.

I have started writing some PKGBUILDs for it and for now and here are some questions I hit:

• Fedora has 3 packages: setroubleshoot, setroubleshoot-server and setroubleshoot-plugins. The first two are split from the same source (cf. https://danwalsh.livejournal.com/20931.html for details, and http://pkgs.fedoraproject.org/cgit/rpms/setroubleshoot.git/tree/setroubleshoot.spec for the "implementation"). Would Arch Linux also have three packages (with two source packages, one building both setroubleshoot and setroubleshoot-server)?
• What is the reference website between Pagure and Github? https://pagure.io/setroubleshoot/commits/ and https://github.com/fedora-selinux/setroubleshoot/commits/master seems to contain the same commits and the releases seems to be the same. What would be the reference from which the source tarball is downloaded?
• What is the license name ? The COPYING file for setroubleshoot (https://pagure.io/setroubleshoot/blob/764d0c3426cc93f0d57a21a361226b9abfb75459/f/framework/COPYING) is GPLv2 but http://pkgs.fedoraproject.org/cgit/rpms/setroubleshoot.git/tree/setroubleshoot.spec tells "License: GPLv2+". Moreover setroubleshoot-plugins is GPLv3.

If someone who reads this issue would like to write these PKGBUILDs, I will happily integrate them with the other SELinux packages 😃

[mrvik]

Hi!

• For the first point, I don't know whats the best option, but I think (in order to Keep It Simple) that should be 3 packages as on fedora tree.
• The reference should be pagure.io as it's official from Fedora
• I've found that: on launchpad. I've understood that GPLv2+ stands for GPLv2 or greater (at your own). So you can choose GPLv2 or v3.

[mrvik]

I've written a PKGBUILD for setroubleshoot (server, client and applet) and installed it. But when I ran setroubleshootd it it says "No SELinux Policy installed" (I've installed all the SELinux utilities with the script on here, installed linux-hardened and boot with security=selinux selinux=1 and SELINUX=permissive and SELINUXTYPE=refpolicy-arch on /etc/selinux/config and did restorecon -R /).
Next comment is the PKGBUILD I wrote, I hope it helps.
Please, note there are some moves from /usr/local to /usr as /usr/local/ is discouraged by Archlinux Package Etiquette and some utilities like namcap emit warnings for binaries and man pages located there.

[mrvik]

pkgname=setroubleshoot
pkgver=3.3.19
pkgrel=1
pkgdesc="Helps troubleshoot SELinux problems"
arch=("x86_64")
url="https://pagure.io/setroubleshoot"
license=("GPL2")
# Fedora spec on https://src.fedoraproject.org/cgit/rpms/setroubleshoot.git/tree/setroubleshoot.spec
depends=("gtk3" "libnotify" "libreport" "desktop-file-utils" "dbus" "xdg-utils" "audit" "policycoreutils" "python-gobject" "python-slip" "python-systemd" "python-pydbus" "polkit")
makedepends=("libcap-ng" "intltool" "python" "dbus-glib" "gtk2" "libselinux")
source=(
    "${pkgname}-${pkgver}.tar.gz::https://releases.pagure.org/${pkgname}/${pkgname}-${pkgver}.tar.gz"
    "setroubleshoot.tmpfiles"
    "setroubleshoot-sysusers.conf"
)
sha512sums=('e012f9c0011fd682394232c9297e01710a389cc4bbae11193f75780c96a99451d7d8a77080a7d4686525ca8b8bbc6332991b7b06a282345d2baba64bab9beb24'
            'd1cc35a5041817c6ab475456156af9544b8974da1c829d8caef915a6393b90489a3963e1284a98e3387f1d64fbd9d2717abd5b6fa5fa80c55316bcadbc995eba'
            '938ad73dc7397ebb2b44519bd47ca0f56fb052e4a00b748b425775f92c38c86e34732602eface0cbb4c4eb8d4b92a9f16a2236b8fd6f4256b41f1802670886a6')

build(){
    cd "${pkgname}-${pkgver}"
    ./configure PYTHON=/usr/bin/python --with-auditpluginsdir=/etc/audisp/plugins.d
    make
}

package(){
    cd "${srcdir}/${pkgname}-${pkgver}"
    make DESTDIR="${pkgdir}/" PREFIX="/usr" install
    desktop-file-install --vendor="" --dir="${pkgdir}/usr/share/applications" "${pkgdir}/usr/local/share/applications/${pkgname}.desktop"
    rm -rf "${pkgdir}/usr/local/share/applications"
    mkdir -p "${pkgdir}/usr/bin"
    for f in $(ls "${pkgdir}/usr/local/bin"); do
        mv "${pkgdir}/usr/local/bin/$f" "${pkgdir}/usr/bin/"
    done
    for f in $(ls "${pkgdir}/usr/local/sbin"); do
        mv "${pkgdir}/usr/local/sbin/$f" "${pkgdir}/usr/bin/" # /usr/sbin is a symlink to /usr/bin
    done
    rm -rf "${pkgdir}/usr/local/bin" "${pkgdir}/usr/local/sbin"
    mv "${pkgdir}/usr/local/share/man" "${pkgdir}/usr/share/"
    mkdir -p "${pkgdir}/var/lib/${pkgname}"
    touch "${pkgdir}/var/lib/${pkgname}/setroubleshoot_database.xml"
    touch "${pkgdir}/var/lib/${pkgname}/email_alert_recipients"
    rm -rf "${pkgdir}/usr/share/doc" "${pkgdir}/usr/share/usr" # Seems like a missconfiguration
    install -m644 -D "${srcdir}/setroubleshoot.tmpfiles" "${pkgdir}/usr/lib/tmpfiles.d/${pkgname}.conf"
    install -m644 -D "${srcdir}/setroubleshoot-sysusers.conf" "${pkgdir}/usr/lib/sysusers.d/${pkgname}.conf"
}

[mrvik]

And this is setroubleshoot-sysusers.conf (let systemd create a sysuser instead of doing it on install)

u setroubleshoot - "SELinux troubleshoot utility" /var/lib/setroubleshoot /bin/nologin

[fishilico]

Thanks for your contribution. I merged it with the split package I wrote and published it on the AUR (https://aur.archlinux.org/pkgbase/setroubleshoot/) and in this repo (https://github.com/archlinuxhardened/selinux/tree/master/setroubleshoot). I have not tested it much so please consider it as a "work in progress".

Instead of moving files from /usr/local/..., I added some options to ./configure to set up where each file gets installed.

[obelix1502]

When I try to install it, terminal asks me an ID for github and a password.
I've putted the same ID and password for logging here, but it doesn't work!

[freedom1b2830]

@mrvik @fishilico how to run it?

[freedom1b2830]

need dependency

sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
  File "/usr/bin/sealert", line 682, in <module>
    run_as_dbus_service(username)
  File "/usr/bin/sealert", line 127, in run_as_dbus_service
    app = SEAlert(user, dbus_service.presentation_manager, watch_setroubleshootd=True)
  File "/usr/bin/sealert", line 344, in __init__
    from setroubleshoot.serverconnection import ServerConnectionHandler
  File "/usr/lib/python3.10/site-packages/setroubleshoot/serverconnection.py", line 22, in <module>
    from setroubleshoot.rpc_interfaces import SETroubleshootServerInterface
  File "/usr/lib/python3.10/site-packages/setroubleshoot/rpc_interfaces.py", line 21, in <module>
    from setroubleshoot.signature import *
  File "/usr/lib/python3.10/site-packages/setroubleshoot/signature.py", line 72, in <module>
    from setroubleshoot.html_util import *
  File "/usr/lib/python3.10/site-packages/setroubleshoot/html_util.py", line 39, in <module>
    import formatter as Formatter
ModuleNotFoundError: No module named 'formatter'

[umbernhard]

I resolved this issue by downloading the formatter.py from here and sticking it in /usr/lib/python3.10. It's a hacky solution that won't survive updates, but it works for now.

[umbernhard]

Though now I seem to get a different error. It appears that setroubleshoot has rpm compatibility hard coded into it...

error: cannot open Packages database in /var/lib/rpm
failed to connect to server: No such file or directory