Bug 782907

Summary: sealert is dead
Product: [Fedora] Fedora Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: setroubleshootAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-01-20 21:41:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Attachments:
Description Flags
system avcs none

Description Nicolas Mailhot 2012-01-18 20:20:38 UTC 
Description of problem:

sealert does not log selinux alerts anymore even though multiples services (amavisd, bip, denyhosts, ddclient) are failing on boot if the system is not switched to permissive mode

I doubt anyone will run rawhide in enforcing mode anymore if there is no easy way to report policy problems

Version-Release number of selected component (if applicable):
setroubleshoot-server-3.0.47-1.fc17.x86_64
Comment 1 Miroslav Grepl 2012-01-19 09:52:41 UTC 
We see this also on F16. The problem is downgraded setroubleshoot does not work too.

Btw. What AVC msgs are you getting?
Comment 2 Miroslav Grepl 2012-01-19 12:57:05 UTC 
Could you try to downgrade python-slip-dbus?
Comment 3 Nicolas Mailhot 2012-01-19 19:20:56 UTC 
(In reply to comment #2)
> Could you try to downgrade python-slip-dbus?

I've tried all python-slip* versions from the latest rawhide one till
python-slip-0.2.17-1.fc16.noarch
python-slip-gtk-0.2.17-1.fc16.noarch
python-slip-dbus-0.2.17-1.fc16.noarch

(rebooting after each downgrade)

but sealert stays empty
Comment 4 Nicolas Mailhot 2012-01-19 19:47:30 UTC 
Created attachment 556380 [details]
system avcs

(In reply to comment #1)

> Btw. What AVC msgs are you getting?
Comment 5 Nicolas Mailhot 2012-01-20 17:30:43 UTC 
(In reply to comment #4)
> Created attachment 556380 [details]
> system avcs

BTW, I made the mistake of forcing an autorelabel after installing 
selinux-policy-targeted-3.10.0-76.fc17.noarch since its changelog semmed to indicate some of those were fixed

selinux blocked itself at the relabel stage (blocked changing of booleans and another file I don't remember)

so now I need to boot with selinux=0

Otherwise it will try to relabel, block itself, and make no progress
Comment 6 Daniel Walsh 2012-01-20 21:41:30 UTC 
Fixed in setroubleshoot-3.1.1-1.fc17
Comment 7 Nicolas Mailhot 2012-01-22 11:19:24 UTC 
(In reply to comment #5)
> (In reply to comment #4)
> > Created attachment 556380 [details]
> > system avcs
> 
> BTW, I made the mistake of forcing an autorelabel after installing 
> selinux-policy-targeted-3.10.0-76.fc17.noarch since its changelog semmed to
> indicate some of those were fixed
> 
> selinux blocked itself at the relabel stage (blocked changing of booleans and
> another file I don't remember)
> 
> so now I need to boot with selinux=0
> 
> Otherwise it will try to relabel, block itself, and make no progress

Got the relabel to work by booting with enforcing=0 and single mode. Though it was quite un-obvious