Request to add a popup or notification when SELinux blocks a process or its action

Hello. I’m part of a community for a mod for a game that requires DLL injection to function. I am not a developer of the mod or moderator for the community, but I’ve noticed a problem experienced by basically every user installing the mod in Fedora: SELinux blocks the injection, preventing the mod from working correctly. To fix it, they have to add an exception for the mod in SELinux. This, in itself, is not a problem; DLL injection is commonly used by viruses, so it makes sense that SELinux would block this. Instead, the issue I have with this is that there was no indication that SELinux was causing the issue. No popup, no notification, though I can’t say nothing, since it does get logged. This invariably makes it much harder for them to realize that SELinux is the cause of the problem, and they often need to ask for help.

This specific instance of the problem could be solved by adding a mention of this to the Linux installation instructions. However, I think this behavior, or lack of behavior, is bad UX for a home OS, and I don’t see a good security benefit to it in this environment. In a server or office environment, I think it’s fine, since someone is expected to monitor the logs. But, for a home OS, I don’t think you should need to monitor the logs for SELinux violations.

Why don’t I think it provides a good security benefit? I assume that the specific security benefit this is supposed to have is when a malicious actor has remote control of a PC. They may run a script to attempt to escalate privileges, but get blocked by SELinux. The lack of a popup or notification could, in theory, confuse the assailant and give more time for them to be discovered before they can do more harm. However, wouldn’t any hacker worth their salt trying to hack a Fedora system know about SELinux, and the possibility that this could happen? From my view, this would only ever be effective on script kiddies.

In fact, I think the lack of proper indication could harm security. Let’s say you made a mistake, and you ran malware on your PC under the impression it was a normal application. SELinux blocks the malware, but from your view, the application just isn’t working. You try for a while to get it to work, but eventually you give up. The problem here is, you made a mistake, but never realized that you did, and are unable to learn from it. What if you make the same mistake in the future, and run malware that is actually able to bypass SELinux? If you were able to learn from the original mistake, you might have been more careful and not let it happen again.

So, for all the reasons above, I heavily suggest adding a popup, notification, error message, or other UI element to notify when SELinux blocks a process to Fedora Workstation, and make this the default behavior. This has to be possible, since at worst, the logs could be monitored to determine when to notify the user, though hopefully there can be a better solution to this.
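As an added example (not code from this thread, Fedora, or setroubleshoot) of the "monitor the logs" fallback mentioned above: the script below parses SELinux AVC records in the format auditd writes, keeps only denials from domains in enforcing mode, and turns each into a short non-technical message handed to `notify-send` when libnotify is installed. The audit lines embedded in it are constructed samples, not captured from a real system, and the wording of the message is an assumption about what a user-facing notifier might say.

```python
"""Turn SELinux AVC denials from the audit log into desktop notifications.

Added example, not Fedora or setroubleshoot code.  Sample input is constructed.
"""
import re
import shutil
import subprocess
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of auditd output (not from a real machine).  The layout
# mirrors the AVC records auditd writes to /var/log/audit/audit.log; the
# SYSCALL record is there to show that non-AVC lines are ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.123:456): avc:  denied  { execmem } for  pid=4242 comm="wine64-preloader" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=10 success=no exit=-13 comm="wine64-preloader"
type=AVC msg=audit(1700000001.500:457): avc:  denied  { read open } for  pid=4300 comm="modloader" name="config.ini" dev="sda1" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
"""

# Header of an AVC record, then the free-form key=value tail.
AVC_RE = re.compile(
    r"^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; values are either quoted strings or bare tokens.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcEvent:
    timestamp: float
    serial: int                 # audit record id, useful in a bug report
    decision: str               # "denied" or "granted"
    permissions: List[str]      # e.g. ["execmem"] or ["read", "open"]
    permissive: bool            # True: domain only logged, nothing was blocked
    fields: Dict[str, str] = field(default_factory=dict)

    @property
    def comm(self) -> Optional[str]:
        return self.fields.get("comm")

    @property
    def source_domain(self) -> Optional[str]:
        # scontext is user:role:type[:level]; the type is the domain.
        parts = self.fields.get("scontext", "").split(":")
        return parts[2] if len(parts) > 2 else None


def parse_avc_line(line: str) -> Optional[AvcEvent]:
    """Return an AvcEvent for an AVC record, or None for any other line."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return AvcEvent(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        decision=m.group("decision"),
        permissions=m.group("perms").split(),
        permissive=fields.get("permissive") == "1",
        fields=fields,
    )


def parse_audit_log(text: str) -> List[AvcEvent]:
    return [ev for ev in map(parse_avc_line, text.splitlines()) if ev is not None]


def enforced_denials(events: List[AvcEvent]) -> List[AvcEvent]:
    """Only denials that actually blocked something deserve a popup."""
    return [ev for ev in events if ev.decision == "denied" and not ev.permissive]


def notification_text(ev: AvcEvent) -> str:
    """Short message without the raw AVC; wording is an assumption of this example."""
    who = ev.comm or f"pid {ev.fields.get('pid', '?')}"
    what = " ".join(ev.permissions) + " on " + ev.fields.get("tclass", "unknown class")
    target = ev.fields.get("name") or ev.fields.get("path")
    if target:
        what += f' "{target}"'
    return (f'SELinux prevented "{who}" (domain {ev.source_domain}) from: {what}. '
            f"The program may simply appear not to work. Audit record id {ev.serial}.")


def send_desktop_notification(ev: AvcEvent) -> bool:
    """Hand the message to notify-send (libnotify) if present; False if it is not."""
    exe = shutil.which("notify-send")
    if exe is None:
        return False
    subprocess.run([exe, "--urgency=critical", "SELinux blocked an action",
                    notification_text(ev)], check=False)
    return True


if __name__ == "__main__":
    # Usage: python avc_notify.py [/var/log/audit/audit.log]; reading the real
    # log needs root.  Without an argument the constructed sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_AUDIT_LOG
    for ev in enforced_denials(parse_audit_log(text)):
        if not send_desktop_notification(ev):
            print(notification_text(ev), file=sys.stderr)
```

On the sample, only the `execmem` denial produces a message: the second record is from a permissive domain, so nothing was blocked and a popup would only confuse. A real notifier would receive events from the audit dispatcher rather than re-reading the log file, and would rate-limit repeated denials from the same program, since one failing launch can generate dozens of identical records.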

If I am understanding this correctly, the GNOME DE does, indeed, pop up a message for SELinux denials as long as setroubleshoot is available (I believe that is also true for KDE DE, but I don’t have access to such a system at the moment).

You do need to install setroubleshoot if it is not already installed, and as far as I know, Workstation does not include setroubleshoot.

Yes, just checked, and my KDE install has had the relevant package (setroubleshoot) from birth.

I wonder if the notifications are being suppressed while a game is running? (I guess users often want this “Do Not Disturb” behaviour while gaming.)

Ah yes, looks like it was removed from Workstation some time back:

Looking at the F43 comps file, I think these are the desktops that include it, either directly or via the “Admin Tools” group.

  • KDE Plasma
  • Cinnamon
  • MATE
  • Cosmic
  • i3
  • MiracleWM
  • Sway
  • Xfce
  • Phosh
  • LXDE
  • LXQt

I think this is the intended solution. The developers of the mod can have some small understanding of selinux and what the mod needs to work. Perhaps there is a need for an installer script that can do these steps for the users.

The issue with exposing SELinux to non-technical users is that they don’t have enough background to know if the app is failing but it’s ok or if the app is failing because it’s a virus.

If you download an app and get an error that execmem() is forbidden, is it because it’s trying to decompress some hidden payload and exec to it, or is it because it’s a game based on the Source engine and somehow that needs it?

SELinux is just way too granular to be consumed by non-experts.

It sounds like the right fix is for the mod author to detect if their attempt fails (which could fail for any number of reasons, and not just selinux) and perform their own popup (better yet would be to avoid the need for injecting executable code).


Hi, if somebody wants to work on this, what we want to do is:

  • Use modern GNOME design guidelines (GTK 4, libadwaita)
  • Tell the user that a security policy error has happened
  • Focus on bug reporting, not on allowing local changes to selinux policy
  • Avoid presenting technical details to the user such as the actual AVC; if the app is highly technical, then it’s not a good candidate for Fedora Workstation

Certainly do not try to emulate the design of setroubleshoot.

Ideally this feature would be integrated into ABRT to encourage bug reporting. Except, ABRT is also currently at risk. :confused:


Do consider that the selinux bugzilla is drowning in bug reports.