Bug 288881
Summary: | setroubleshoot failure when httpd is trying to access rpm_log_t | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Jan-Frode Myklebust <mykleb> |
Component: | setroubleshoot | Assignee: | John Dennis <jdennis> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 5.0 | ||
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | RHSA-2008-0061 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-05-21 14:25:54 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Jan-Frode Myklebust
2007-09-13 07:25:57 UTC
I think you might have a corrupted alert database. To test this theory lets move the database to the side so a new one is freshly created, and then re-run your test. To do this you'll need to be root. % cd /var/lib/setroubleshoot % mv audit_listener_database.xml audit_listener_database.xml.bak % service setroubleshoot restart Now run you test again. Did it succeed? If yes, then we found the problem and I would like to look at the database to see if I can tell how it got corrupted. Do not attach the database to this bug report if there is security sensitive information in it, if that's the case we'll figure out another way to diagnose the corruption. Also, please /var/log/setroubleshootd/setroubleshootd.log to see if there were earlier error messages which might account for the corruption. If the test still fails then I'll need to see the exact audit log messages. To do that open the file /var/log/audit/audit.log. The audit messages your test generaged should be near the bottom. Please note there will likely be several lines comprising the audit event, they will all share the same audit event ID (e.g. audit(nnn.nnn.:nnn), I'll need each of those lines. HTH, John No, that didn't change anything. Here's the auditd lines generated: type=AVC msg=audit(1189881018.389:116302): avc: denied { getattr } for pid=2858 comm="httpd" name="z.html" dev=dm-4 ino=540680 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_log_t:s0 tclass=file type=SYSCALL msg=audit(1189881018.389:116302): arch=40000003 syscall=195 success=no exit=-13 a0=85f1c68 a1=bfb05b9c a2=385ff4 a3=8170 items=0 ppid=2851 pid=2858 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null) type=AVC_PATH msg=audit(1189881018.389:116302): path="/var/www/html/z.html" type=AVC msg=audit(1189881018.394:116303): avc: denied { getattr } for pid=2858 comm="httpd" name="z.html" dev=dm-4 ino=540680 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_log_t:s0 tclass=file type=SYSCALL msg=audit(1189881018.394:116303): arch=40000003 syscall=196 success=no exit=-13 a0=85f1cf0 a1=bfb05b9c a2=385ff4 a3=2008171 items=0 ppid=2851 pid=2858 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null) type=AVC_PATH msg=audit(1189881018.394:116303): path="/var/www/html/z.html" Hmm, just noticed that I didn't get this with the default /etc/setroubleshoot/setroubleshoot.cfg , but when I define a single "recepients" email address the failures start. re comment #3, thanks, that helps narrow it down. Were there any errors in setroubleshootd.log prior to the traceback complaining about the missing "analysis_id"? In the mean time I'll look at the code to see if there is an ordering problem when an email is generated. Thank you for your help in diagnosing this. No, this is the only entry I found in the log. And I just tested this on another system where I hadn't been messing with the setroubleshootd.cfg before.. This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. This should be resolved in the setroubleshoot 2.0 series. The way email recipients is specified is now different (done through the GUI or by editing /var/lib/setroubleshoot/email_alert_recipients if the GUI is not present). Email notifications have been tested in the 2.0 series and this issue does not present. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2008-0061.html |