Another selinux rant

[John Dennis]

Ed Swierk wrote:
> On 1/4/08, John Dennis <jdennis at redhat.com> wrote:
>> Re SELinux usability issues:
>>
>> We wrote the setroubleshoot package precisely to help SELinux novice
>> users so they wouldn't suffer with hidden obscure failures of the type
>> which have frustrated you. If it had been installed you would have
>> received notifications in real time on your desktop describing the
>> failure and suggestions on how to fix it.
> 
> The machine in question is a server with no graphical applications; is
> there a command-line version of setroubleshoot?

Yes, setroubleshoot-server.

You have two options for receiving the alerts from the headless server.
You can either run the gui on a machine with a head and point it at the 
headless server (requires modifying the config file to use TCP rather 
than the default Unix domain sockets).

On the headless server edit /etc/setroubleshoot/setroubleshoot.cfg and 
in the listen_for_client section set the address_list parameter to 
{inet}server.ip.addr. Then on the GUI system do the same thing except 
set the address_list in the client_connect_to section.

-OR-

You can choose to have the headless server send you emails with the 
alert by editing the file

/var/lib/setroubleshoot/email_alert_recipients

and adding a line like this:

user at example.com                       filter_type=after_first

The filter_type specifies whether to filter the email alert, the 3 
possible values are:

after_first	filter the email after the first notification
always		always filter, thus never send an email alert
never		never filter, thus always send an email alert
-- 
John Dennis <jdennis at redhat.com>