Red Hat Bugzilla – Full Text Bug Listing
| Field | Value |
|---|---|
| Summary | Review Request: setroubleshoot - automatic diagnosis of SELinux problems |
| Product | Fedora |
| Reporter | John Dennis <jdennis> |
| Component | Package Review |
| Assignee | David Cantrell <dcantrell> |
| Status | CLOSED NEXTRELEASE |
| QA Contact | Fedora Extras Quality Assurance <extras-qa> |
| Version | rawhide |
| CC | dmalcolm, dwalsh, fedora-package-review, notting, sundaram |
| Fixed In Version | |
| Doc Type | Bug Fix |
| Doc Text | |
| Story Points | --- |
| Last Closed | 2006-07-22 08:16:40 EDT |
| Type | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Bug Depends On | |
Description John Dennis 2006-06-26 17:13:51 EDT
Spec URL: ftp://people.redhat.com/jdennis/setroubleshoot.spec
SRPM URL: ftp://people.redhat.com/jdennis/setroubleshoot-0.2-1.src.rpm

Description: Provides tools to help diagnose SELinux problems. When AVC messages are generated an alert can be generated that will give information about the problem and help track its resolution. Alerts can be configured to user preference. The same tools can be run on existing log files.
Comment 1 Dave Malcolm 2006-06-26 17:35:31 EDT
Should the package own these?

    /var/log/setroubleshoot/
    /var/log/setroubleshoot/setroubleshoot.log

c.f.:

```
sudo /sbin/service setroubleshoot start
Starting setroubleshootd: Traceback (most recent call last):
  File "/usr/sbin/setroubleshootd", line 20, in ?
    from setroubleshoot.config import cfg
  File "/usr/lib/python2.4/site-packages/setroubleshoot/__init__.py", line 23, in ?
    LogInit()
  File "/usr/lib/python2.4/site-packages/setroubleshoot/log.py", line 39, in LogInit
    filemode='a')
  File "/usr/lib/python2.4/logging/__init__.py", line 1218, in basicConfig
    hdlr = FileHandler(filename, mode)
  File "/usr/lib/python2.4/logging/__init__.py", line 757, in __init__
    stream = open(filename, mode)
IOError: [Errno 2] No such file or directory: '/var/log/setroubleshoot/setroubleshoot.log'
[FAILED]
```
Comment 2 John Dennis 2006-06-27 00:03:51 EDT
Oops, you're right David, the log directory was missing from the %files section, as was a logrotate script. I added both; the new version is now setroubleshoot-0.3-1 in the same ftp area. Thank you.
Comment 3 Jesse Keating 2006-06-28 16:41:09 EDT
SHOULDFIX:
- There is no URL to upstream source, so it would be difficult to verify the source checksum.

Everything else is clean. This passes package review. Bill, care to ack/nack? John, if we bring this into core, how would it get installed on people's systems? Would it go into a Comps group? Would it be a dep of something else?
Comment 4 John Dennis 2006-06-30 15:47:34 EDT
How does one provide a source URL when the source is in our internal "elvis" CVS repository? I imagine it would be part of a comps group. There is nothing else dependent on it.
Comment 5 Bill Nottingham 2006-06-30 16:22:19 EDT
Hm, I can't seem to get it to do anything useful. The daemon starts, but that's about it.
Comment 6 John Dennis 2006-07-06 15:36:16 EDT
I realize the package needs documentation, but let me explain what Bill probably experienced. There are two basic modes the analyzer can run in: either running in the background waiting to be triggered by a real-time AVC, or run against a log file which might contain AVC messages.

In the former case, AVC real-time event mode, the trigger is fired by auditd; it invokes the analyzer because /etc/auditd.conf has its dispatcher line set to /usr/sbin/avc_snap (BTW, that name is going to change), and avc_snap talks to the troubleshooter daemon setroubleshootd. However, the rpm in its current form does not edit auditd.conf or manage the auditd service, all for a variety of good packaging practices. Thus you may not have seen anything if auditd was not running or its dispatcher was not set to avc_snap. Steve Grubb and I are working on fixing this issue this week. The plan is to have auditd find plugin configuration files in /etc/audisp.d. When that functionality is present (expected next week), setroubleshoot will install a configuration file there. (BTW, I did just notice the spec file was missing a requires for "audit"; that has been fixed.)

The second mode, log file scanning, can be done via

    % /usr/sbin/setroubleshoot filename

Just be aware the version you have does not throttle multiple alerts and may fire off a bunch of them in succession; throttling code will be checked in tomorrow.
Comment 7 John Dennis 2006-07-06 15:39:14 EDT
I spoke with Pete Graner today because we're trying to get this into RHEL5, but that has a dependency on this being in FC6t2 (as I understand it). FC6t2 freeze is 7/12; can we get this approved so that it's in the pipeline?
Comment 8 Bill Nottingham 2006-07-06 15:41:14 EDT
OK, I installed auditd and started it, and still didn't get any pop-ups or similar; setroubleshoot /var/log/messages also gave no output. Does it only handle certain AVCs?
Comment 9 John Dennis 2006-07-06 16:08:21 EDT
There are two pieces to the package: the framework, and a set of analysis plugins. It is the analysis plugin's job to recognise an AVC. So far most of the work has gone into the framework, not the set of plugins, and the current rpm only has two analysis plugins. The plugins are meant to be simple to author, and on the TODO list is simplifying them even further. I'm attaching a trivial log file you can test with that has an AVC which would be generated by ftpd, one of the existing plugins. I suppose I should mention as well that we would like to distribute the plugins separately, and I'll probably tweak the spec file to make the plugins a sub-package.
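To illustrate the log-file scanning mode from comment 6 and the plugin model from comment 9, here is an added example (my own code, not setroubleshoot's framework or its plugin API): a parser for audit AVC records, one ftpd-style analysis plugin, and the alert throttling the thread says was still to come. The log lines are constructed, and naming the ftp_home_dir boolean in the diagnosis is my assumption about the relevant control, not something this bug states.

```python
import re

# Regexes for an audit AVC record; field order after "for" varies, so each key=value pair (quoted or bare) is captured on its own.
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_avc(line):
    """Return a dict of AVC fields for one log line, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, quoted, bare in FIELD_RE.findall(m.group("rest")):
        rec[key] = quoted if quoted else bare
    return rec

def se_type(ctx):
    """Type (third component) of a context such as system_u:system_r:ftpd_t:s0."""
    return (ctx.split(":") + ["", "", ""])[2]

# Analysis plugins: (name, matcher, diagnosis). Constructed for this example; ftp_home_dir is assumed to be the governing boolean.
PLUGINS = [
    ("ftpd_home",
     lambda r: se_type(r.get("scontext", "")) == "ftpd_t"
     and se_type(r.get("tcontext", "")) in ("user_home_t", "user_home_dir_t"),
     "ftpd was denied access to a user home directory (see the ftp_home_dir boolean)"),
]

def analyze_log(lines, plugins=PLUGINS):
    """Log-file mode: scan lines and return one alert per distinct denial signature."""
    alerts = {}
    for rec in filter(None, map(parse_avc, lines)):
        if rec["result"] != "denied":
            continue
        for name, matches, diagnosis in plugins:
            if matches(rec):
                # Throttle: identical (plugin, contexts, class) repeats raise one alert with a count.
                key = (name, rec.get("scontext"), rec.get("tcontext"), rec.get("tclass"))
                alerts.setdefault(key, {"plugin": name, "comm": rec.get("comm"),
                                        "diagnosis": diagnosis, "count": 0})["count"] += 1
                break
    return list(alerts.values())

# Constructed sample log: two identical ftpd denials, one non-AVC record, and a denial no plugin recognises (so no alert).
FTPD_AVC = ('type=AVC msg=audit(1152211500.123:%d): avc:  denied  { read } for  pid=2345 comm="vsftpd" name="public_html" '
            'scontext=system_u:system_r:ftpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=dir')
SAMPLE_LOG = [FTPD_AVC % 45, FTPD_AVC % 46,
    'type=SYSCALL msg=audit(1152211500.123:45): arch=40000003 syscall=5 success=no exit=-13',
    'type=AVC msg=audit(1152211502.789:47): avc:  denied  { getattr } for  pid=3456 comm="httpd" '
    'path="/tmp/x" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file']
```

Running analyze_log(SAMPLE_LOG) yields a single ftpd_home alert with count 2; the httpd denial produces nothing, which is the "does it only handle certain AVCs?" behaviour Bill saw when no plugin matched.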
Comment 10 John Dennis 2006-07-06 16:10:02 EDT
Created attachment 132021 [details] trivial log file with ftpd AVC message to use for testing
Comment 11 John Dennis 2006-07-14 09:56:37 EDT
ping, is this in for FC6t2? I haven't heard anything explicit and the freeze date is approaching, just checking.
Comment 12 Paul W. Frields 2006-07-15 16:10:11 EDT
Created attachment 132498 [details] Cosmetic fix for setroubleshoot usage statement

Trivial and cosmetic, but I'm just starting to learn Python.
Comment 13 Jesse Keating 2006-07-17 15:24:26 EDT
Bill, do we have an Ack? John, where should this go in comps? Or should it be made a dep of selinux userland stuff?
Comment 14 Bill Nottingham 2006-07-17 15:43:08 EDT
Yeah. When I ran it, it seemed somewhat overloaded with jargon, but that can be fixed.
Comment 15 Jesse Keating 2006-07-17 15:50:29 EDT
Added to dist-fc6, jdennis is owner. Still not sure where to put it in Comps.
Comment 16 Jesse Keating 2006-07-18 13:08:26 EDT
Please close this when the package is built into rawhide.
Comment 17 Rahul Sundaram 2006-07-22 08:16:40 EDT
Package is in rawhide now. Closing.