Bug 227315
Summary: | sealert doesn't seem to work if auditd/audispd is restarted | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | James Antill <james.antill> |
Component: | setroubleshoot | Assignee: | John Dennis <jdennis> |
Status: | CLOSED WORKSFORME | QA Contact: | Ben Levenson <benl> |
Severity: | medium | Docs Contact: | |
Priority: | low | ||
Version: | 6 | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-01-09 19:25:43 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
James Antill
2007-02-05 05:59:38 UTC
Removing some of the options I'd left on. Sorry steve. Well, waiting a while longer I've got a bunch of lines like: poll([{fd=9, events=POLLIN, revents=POLLIN}, {fd=13, events=POLLIN}, {fd=17, events=POLLIN|POLLPRI}, {fd=11, events=POLLIN|POLLPRI}, {fd=10, events=POLLIN|POLLPRI}, {fd=8, events=POLLIN}, {fd=3, events=POLLIN}], 7, -1) = 1 ioctl(9, FIONREAD, [32]) = 0 read(9, "p\0\30\313\1\0\300\1\236$\340\2\1\0\0\0\0\33~\220\364\32"..., 32) = 32 ioctl(9, FIONREAD, [0]) = 0 poll( ...so something is certainly happening. But I'm still getting sealert messages in /var/log/messages and nothing in my panel notify area. So after still getting the sealert messages this morning I looked again at the running procs. and discovered: % ps axuwZ | egrep trouble system_u:system_r:setroubleshootd_t root 2064 0.0 0.8 43112 12780 ? Ssl Feb01 0:08 /usr/bin/python -E /usr/sbin/setroubleshootd root:system_r:unconfined_t root 31236 0.4 0.8 44192 13856 ? Ssl 00:37 1:52 /usr/bin/python -E /usr/sbin/setroubleshootd restart ...so this bug might only occur when you restart and go from having setroubleshoot transition to not-transition. Doing a sertvice stop/service start and then manually kill'ing the old version has got rid of the messages, anyway. I'm confused, I don't see how setroubleshootd could ever have been started with the 'restart' option which is showing up in the ps output, that's not what the init.d script does on a service restart. It looks like somehow you got two copies of setroubleshootd running which would be a problem. I just tested service start, service restart, and service stop with current versions and I don't see any problems. Do you still believe this is a current bug? closing as the requested information has not been provided. Also the whole mechanism of how setroubleshoot and sealert interact has been rewritten since this bug was originally filed (for example sealert now listens on the dbus system bus for changes in the running status of setroublehsootd). |