Bug 727264

Summary: setroubleshoot not finding AVC denials
Product: [Fedora] Fedora Reporter: Tom <thomasbelvin>
Component: setroubleshootAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CANTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: unspecified    
Version: rawhideCC: dwalsh, germano.massullo, mgrepl, notting, rdieter
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-11-23 16:52:43 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Tom 2011-08-01 17:19:15 UTC
Description of problem:
I'm not sure exactly what's going on, but here's my problem.
I only get AVC denial messages in /var/log/messages and setroubleshoot isn't working. When I run 'semodule DB' I get:
'libsemanage.semanage_fc_sort: WARNING: semanage_fc_sort: Incomplete context.' and new AVC denials don't show using 'ausearch -m avc -ts recent' or 'grep AVC /var/log/audit/audit.log | sedispatch'.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.10.0-11.fc17

How reproducible:
Everytime

Steps to Reproduce:
1.Get an AVC denial with SELinux set to enforcing, and program closes
2.setroubleshoot shows nothing wrong
3.Program runs fine with SELinux set to permissive
  
Actual results:
No AVC denial message with setroubleshoot

Expected results:
setroubleshoot shows what SELinux just blocked

Additional info:

Comment 1 Germano Massullo 2011-11-21 17:38:22 UTC
This is happening to me in Fedora 16.
Programs well known to have problems with SELinux auto close or have malfunctions, but SELinux troubleshooter does not notify in taskbar.
I have KDE 4.7.3.

Tom could you change version to Fedora 16? I think it could be better

Comment 2 Daniel Walsh 2011-11-21 23:10:05 UTC
The problem is on update auditd is not running.

systemctl enable auditd
systemctl start auditd

Then the auditd will start sending avc's to setroubleshoot.

Comment 3 Germano Massullo 2011-11-21 23:19:08 UTC
[root@computer ]# systemctl enable auditd
Failed to issue method call: Invalid argument

Comment 4 Miroslav Grepl 2011-11-23 08:16:30 UTC
systemctl enable auditd.service
systemctl start auditd.service

should work.

Comment 5 Daniel Walsh 2011-11-23 16:52:43 UTC
Oops always forget the .service part.

Comment 6 Germano Massullo 2011-11-23 17:21:25 UTC
Why did you close as not a bug? The system did not show SELinux errors until we do
systemctl enable auditd.service
systemctl start auditd.service
That's not normal

Comment 7 Daniel Walsh 2011-11-23 17:48:25 UTC
Well I guess I should have closed it as cantfix, since updates from F15 to F16 did not maintain the state of running services.  I am not sure why this decision was made, but that is what caused the problem. Nothing audit, setroubleshoot or selinux can do about it.

Comment 8 Germano Massullo 2011-11-23 20:46:40 UTC
I don't understand well these technical things, but we must let know developer leaders that SELinux troubleshooter is no longer working, and this is not admissable.

Comment 9 Daniel Walsh 2011-11-29 01:55:53 UTC
Yes I understand.  On fresh installs it will work, but on updates no system services that were working before work afterwards.

Comment 10 Germano Massullo 2011-11-29 10:55:27 UTC
Then someone should put
systemctl enable auditd.service
systemctl start auditd.service
under upgrade FAQs from Fedora 15 to Fedora 16

Comment 11 Daniel Walsh 2011-11-29 21:04:30 UTC
Bill who should I ping to do this?

Comment 12 Bill Nottingham 2011-11-29 21:36:37 UTC
It's on the wiki - https://fedoraproject.org/wiki/Common_F16_bugs

Comment 13 Daniel Walsh 2011-11-30 17:24:56 UTC
Maybe we should call this out on setroubleshoot directly.