Bug 196748

Summary: Review Request: setroubleshoot - automatic diagnosis of SELinux problems
Product: [Fedora] Fedora Reporter: John Dennis <jdennis>
Component: Package ReviewAssignee: David Cantrell <dcantrell>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dmalcolm, dwalsh, fedora-package-review, notting, sundaram
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2006-07-22 08:16:40 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On:    
Bug Blocks: 188268    
Attachments:
Description Flags
trival log file with ftpd AVC message to use for testing
none
Cosmetic fix for setroubleshoot usage statement none

Description John Dennis 2006-06-26 17:13:51 EDT
Spec URL: ftp://people.redhat.com/jdennis/setroubleshoot.spec
SRPM URL: ftp://people.redhat.com/jdennis/setroubleshoot-0.2-1.src.rpm

Description:
Provides tools to help diagnose SELinux problems. When AVC messages
are generated an alert can be generated that will give information
about the problem and help track its resolution. Alerts can be configured
to user preference. The same tools can be run on existing log files.
Comment 1 Dave Malcolm 2006-06-26 17:35:31 EDT
Should the package own these:
/var/log/setroubleshoot/
/var/log/setroubleshoot/setroubleshoot.log

c.f.:
sudo /sbin/service setroubleshoot start
Starting setroubleshootd: Traceback (most recent call last):
  File "/usr/sbin/setroubleshootd", line 20, in ?
    from setroubleshoot.config import cfg
  File "/usr/lib/python2.4/site-packages/setroubleshoot/__init__.py", line 23, in ?
    LogInit()
  File "/usr/lib/python2.4/site-packages/setroubleshoot/log.py", line 39, in LogInit
    filemode='a')
  File "/usr/lib/python2.4/logging/__init__.py", line 1218, in basicConfig
    hdlr = FileHandler(filename, mode)
  File "/usr/lib/python2.4/logging/__init__.py", line 757, in __init__
    stream = open(filename, mode)
IOError: [Errno 2] No such file or directory:
'/var/log/setroubleshoot/setroubleshoot.log'
                                                           [FAILED]
Comment 2 John Dennis 2006-06-27 00:03:51 EDT
opps, you're right David the log directory was missing from the %files section,
as was a logrotate script. I added both, new version is now setroubleshoot-0.3-1
in the same ftp area. Thank you.
Comment 3 Jesse Keating 2006-06-28 16:41:09 EDT
SHOULDFIX:
- There is no URL to upstream source, so it would be difficult to verify source
checksum.

Everything else is clean.  This passes package review.

Bill, care to ack/nack?

John, if we bring this into core, how would it get installed on people's system?
 Would it go into a Comps group?  Would it be a dep of something else?
Comment 4 John Dennis 2006-06-30 15:47:34 EDT
How does one provide a source URL when the source is in our internal "elvis" CVS
repository?

I imagine it would be part of a comps group. There is nothing else dependent on it.
Comment 5 Bill Nottingham 2006-06-30 16:22:19 EDT
Hm, I can't seem to get it to do anything useful. The daemon starts, but that's
about it.
Comment 6 John Dennis 2006-07-06 15:36:16 EDT
I realize the package needs documentation but let me explain what Bill probably
experienced. There are two basic modes the analyzer can run it, either running
in the background waiting to be triggered by an real time AVC, or run against a
log file which might contain AVC messages.

In the former case, AVC real time event mode, the trigger is fired by auditd, it
invokes the analyzer because /etc/auditd.conf has its dispatcher line set to
/usr/sbin/avc_snap (BTW, that name is going to change), avc_snap talks to the
troubleshooter daemon setroubleshootd. However, the rpm in its current form does
not edit auditd.conf or manage the auditd service, all for a variety of good
packaging practices. Thus you may not have seen anything if auditd was not
running or it's dispatcher was not set to avc_snap. Steve Grubb and I are
working on fixing this issue this week. The plan is to have auditd find plugin
configuration files in /etc/audisp.d. When that functionality is present
(expected next week) then setroubleshoot will install a configuration file
there. (BTW, I did just notice the spec file was missing a requires for "audit",
that has been fixed).

The second mode, log file scanning, can be done via

% /usr/sbin/setroubleshoot filename

Just be aware the version you have does not throttle multiple alerts and may
fire off a bunch of them in succession, throttling code will be checked in tommorow.
Comment 7 John Dennis 2006-07-06 15:39:14 EDT
I spoke with Pete Graner today because we're trying to get this into RHEL5, but
that has a dependency on this being in FC6t2 (as I understand it). FC6t2 freeze
is 7/12, can we get this approved so that its in the pipeline?
Comment 8 Bill Nottingham 2006-07-06 15:41:14 EDT
OK, I installed auditd and started it, and still didn't get any pop-ups or
similar; setroubleshoot /var/log/messages also gave no output. Does it only
handle certain AVCs?
Comment 9 John Dennis 2006-07-06 16:08:21 EDT
There are two pieces to the package, the framework, and a set of analysis
plugins.  It is the analysis plugin's job to recognise an AVC. So far most of
the work has gone into the framework, not the set of plugins, and the current
rpm only has two analysis plugins. The plugin's are meant to be simple to
author, and on the TODO list is simplyfying them even further.

I'm attaching a trival log file you can test with that has an AVC which would be
generated by ftpd, one of the existing plugins.

I suppose I should mention as well that we would like to distribute the plugin's
separately and I'll probably tweak the spec file to make the plugin's a sub package.
Comment 10 John Dennis 2006-07-06 16:10:02 EDT
Created attachment 132021 [details]
trival log file with ftpd AVC message to use for testing
Comment 11 John Dennis 2006-07-14 09:56:37 EDT
ping, is this in for FC6t2? I haven't heard anything explicit and the freeze
date is approaching, just checking.
Comment 12 Paul W. Frields 2006-07-15 16:10:11 EDT
Created attachment 132498 [details]
Cosmetic fix for setroubleshoot usage statement

Trivial and cosmetic, but I'm just starting to learn Python.
Comment 13 Jesse Keating 2006-07-17 15:24:26 EDT
Bill, do we have an Ack?

John, where should this go in comps?  or should it be made a dep of selinux
userland stuff?
Comment 14 Bill Nottingham 2006-07-17 15:43:08 EDT
Yeah. When I ran it it seemed somewhat overloaded with jargon, but that can be
fixed.
Comment 15 Jesse Keating 2006-07-17 15:50:29 EDT
added to dist-fc6, jdennis is owner.  Still not sure where to put it in Comps.
Comment 16 Jesse Keating 2006-07-18 13:08:26 EDT
Please close this when the package is built into rawhide.
Comment 17 Rahul Sundaram 2006-07-22 08:16:40 EDT
Package is in rawhide now. closing