Bug 771181

Summary: sealert only appears after first avc denied error
Product: [Fedora] Fedora
Reporter: Robin Green <greenrd>
Component: setroubleshoot
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: 16
CC: dwalsh, mgrepl
Hardware: x86_64   
OS: Linux   
Fixed In Version: setroubleshoot-3.1.2-1.fc16
Doc Type: Bug Fix
Last Closed: 2012-01-28 03:26:38 UTC

Description Robin Green 2012-01-02 11:13:28 UTC
Description of problem:
sealert only appeared for the first avc denied error I experienced since I enabled auditd.service (which was not enabled when I upgraded to F16). Subsequent denials did not result in sealert appearing.

Version-Release number of selected component (if applicable):
setroubleshoot-3.0.41-1.fc16.x86_64

How reproducible:
Haven't tried

Steps to Reproduce:
1. Trigger SELinux denied message
  
Actual results:
Message appears in /var/log/audit/audit.log, but (except for the very first time) sealert does not appear on the desktop.

Expected results:
sealert should always appear

Additional info:
The only messages mentioning Setroubleshoot in /var/log/* appear in the following excerpt, which corresponds to the very first denied message, that was reported:

Jan  1 10:11:51 localhost dbus[1063]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jan  1 10:11:51 localhost dbus-daemon[1063]: dbus[1063]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jan  1 10:11:52 localhost logger: /etc/xen/scripts/block: Path closed or removed during hotplug add: backend/vbd/1/51712 state: 5
Jan  1 10:11:52 localhost avahi-daemon[1039]: Withdrawing workstation service for vif1.0.
Jan  1 10:11:52 localhost logger: /etc/xen/scripts/block: xenstore-read backend/vbd/1/51712/node failed.
Jan  1 10:11:52 localhost logger: /etc/xen/scripts/block: /etc/xen/scripts/block failed; error detected.
Jan  1 10:11:55 localhost dbus[1063]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jan  1 10:11:55 localhost dbus-daemon[1063]: dbus[1063]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jan  1 10:11:55 localhost setroubleshoot: Deleting alert 456aef8f-40f0-4acf-99ad-d3b5b48f0e29, it is allowed in current policy
Jan  1 10:12:00 localhost setroubleshoot: SELinux is preventing /usr/lib/xen/bin/qemu-dm from 'read, write' accesses on the chr_file ptmx. For complete SELinux messages. run sealert -l b7abad9a-121c-431f-bca3-521c9e67f9a0

After this there are no more messages.

The other denied messages in audit.log all have the same comm field.

Comment 1 Robin Green 2012-01-02 11:51:31 UTC
I can't reproduce this now, after having rebooted.

Grasping at straws here, but could the crash I reported in bug 771100 - even though it wasn't in setroubleshootd itself - have somehow wedged setroubleshootd?

Comment 2 Miroslav Grepl 2012-01-02 13:30:54 UTC
Not sure if I understand correctly. 

Are you saying you were trying to repeat the same AVC msg and you were getting only the first AVC msg in sealert?

Comment 3 Robin Green 2012-01-02 14:06:43 UTC
No, when I experienced this bug, I was trying to fix the AVC problems using audit2allow and semodule. But fixing them that way only produced different AVC messages when I retried. But sealert did not pop up and inform me about the other messages - I only found out about them when I looked in audit.log myself.

Comment 4 Daniel Walsh 2012-01-03 15:30:28 UTC
Are you seeing any errors about setroubleshoot in /var/log/messages?

If you run sealert -b

Does the browser show the errors?

Comment 5 Robin Green 2012-01-03 21:10:08 UTC
(In reply to comment #4)
> Are you seeing any errors about setroubleshoot in /var/log/messages?

No, as I said, the ones above were the only ones.

> If you run sealert -b
> 
> Does the browser show the errors?

Not the missing ones, no.

Comment 6 Robin Green 2012-01-07 18:17:22 UTC
It's repeatedly still losing avc messages (but not always from the second avc as I previously stated). I don't know what's triggering it. For example, the avc reports in https://bugzilla.redhat.com/attachment.cgi?id=551338&action=edit do not appear in sebrowser.

There are no setroubleshoot messages in /var/log/messages since the last time setroubleshoot worked (Jan 4).

setroubleshootd is running and has been running since Jan 4.
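
Added example, not part of the original thread and not setroubleshoot code: one way to find AVC denials that reached audit.log but never produced a setroubleshoot alert in /var/log/messages, by correlating the two logs on time, comm and tclass. The audit records are constructed, the syslog lines are shortened from the excerpt in the description, and the year and UTC timezone for syslog timestamps are assumptions.

```python
import re
from calendar import timegm
from time import strptime

AVC_RE = re.compile(r'type=AVC msg=audit\((\d+)\.\d+:(\d+)\): avc:\s+denied\s+'
                    r'\{[^}]*\}.*?comm="([^"]+)".*?tclass=(\S+)')
ALERT_RE = re.compile(r'^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ setroubleshoot: '
                      r'SELinux is preventing (\S+) from .*? on the (\S+)')

# Constructed audit.log records (pids, inodes and contexts are placeholders).
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1325412718.101:201): avc:  denied  { read write } for  '
    'pid=2100 comm="qemu-dm" name="ptmx" dev=devtmpfs ino=5000 '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1325413000.500:202): avc:  denied  { getattr } for  '
    'pid=2100 comm="qemu-dm" name="example" dev=dm-0 ino=5001 '
    'scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:example_file_t:s0 tclass=file',
]
# Syslog lines shortened from the excerpt in the bug description.
SAMPLE_SYSLOG = [
    "Jan  1 10:11:55 localhost setroubleshoot: Deleting alert "
    "456aef8f-40f0-4acf-99ad-d3b5b48f0e29, it is allowed in current policy",
    "Jan  1 10:12:00 localhost setroubleshoot: SELinux is preventing "
    "/usr/lib/xen/bin/qemu-dm from 'read, write' accesses on the chr_file ptmx.",
]

def parse_avcs(lines):
    """Return (epoch, serial, comm, tclass) for every AVC denial record."""
    hits = (AVC_RE.search(line) for line in lines)
    return [(int(m[1]), int(m[2]), m[3], m[4]) for m in hits if m]

def parse_alerts(lines, year):
    """Return (epoch, exe_basename, tclass) for every setroubleshoot alert.
    Assumption: syslog timestamps are UTC and fall in `year` (syslog omits both)."""
    out = []
    for line in lines:
        m = ALERT_RE.match(line)
        if m:
            ts = timegm(strptime(f"{year} {m[1]}", "%Y %b %d %H:%M:%S"))
            out.append((ts, m[2].rsplit("/", 1)[-1], m[3]))
    return out

def unreported(avcs, alerts, window=60):
    """AVC denials with no alert for the same comm/tclass within `window` seconds.
    The kernel truncates comm to 15 characters, so compare against exe[:15]."""
    return [avc for avc in avcs
            if not any(0 <= ts - avc[0] <= window and exe[:15] == avc[2]
                       and cls == avc[3] for ts, exe, cls in alerts)]
```

Matching on comm alone would not separate the denials here, since the reporter notes that all of them share the same comm field; the time window and tclass do that work.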

Comment 7 Miroslav Grepl 2012-01-09 14:22:11 UTC
Ok, could you try to switch to enforcing mode and see if you get a sealert warning about that?

Comment 8 Robin Green 2012-01-11 20:42:00 UTC
I am already in enforcing mode.

Comment 9 Fedora Update System 2012-01-23 18:50:02 UTC
setroubleshoot-3.1.2-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/setroubleshoot-3.1.2-1.fc16

Comment 10 Fedora Update System 2012-01-24 01:45:14 UTC
Package setroubleshoot-3.1.2-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing setroubleshoot-3.1.2-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0879/setroubleshoot-3.1.2-1.fc16
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2012-01-28 03:26:38 UTC
setroubleshoot-3.1.2-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.