Bug 852784

Summary: Messages not being logged into /var/log/messages (setroubleshootd isn't processing the messages) - SELinux is blocking setroubleshoot
Product: Red Hat Enterprise Linux 6
Component: setroubleshoot
Version: 6.3
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: unspecified
Target Milestone: rc
Reporter: John W <unixdeaf>
Assignee: Daniel Walsh <dwalsh>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: mgrepl, unixdeaf
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-09-27 11:02:21 UTC

Description John W 2012-08-29 15:18:39 UTC
Description of problem:

I have auditd, rsyslogd enabled and SELinux enforcing.
sealert messages are not logged to /var/log/messages (as is normal).


Version-Release number of selected component (if applicable):

RHEL 6.3

How reproducible:
Have not been able to reproduce

Actual results:

Aug 29 11:06:30 server setroubleshoot: [program.ERROR] failed to get filesystem list from rpm#012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/util.py", line 238, in get_standard_directories#012    h = ts.dbMatch("name", "filesystem").next()#012error: rpmdb open failed
Aug 29 11:06:30 server setroubleshoot: [program.ERROR] failed to get filesystem list from rpm#012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/util.py", line 238, in get_standard_directories#012    h = ts.dbMatch("name", "filesystem").next()#012error: rpmdb open failed
Aug 29 11:06:32 server sedispatch: AVC Message for setroubleshoot, dropping message
Aug 29 11:06:32 server sedispatch: AVC Message for setroubleshoot, dropping message
[root@server sysconfig]# cat /var/log/messages|grep setrouble


Expected results:



May 6 23:00:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr"
to /var/www/html/testfile (samba_share_t). For complete SELinux messages.
run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654





Additional info:

I wouldn't think that I would have to create an SELinux policy for setroubleshoot to work. Either way, I created the rule per audit2allow's output and it still gives this same error.

Comment 2 John W 2012-08-29 15:53:29 UTC
I have fixed the python error in /var/log/messages. However, I am following the documentation and I still don't get any sealerts to the messages file. Since this is a fresh RHEL 6.3 machine, I would think that would be a bug. So please help me find what's causing no sealerts in the messages file still.

Comment 3 Daniel Walsh 2012-09-07 04:21:08 UTC
Miroslav, didn't we fix this problem?

Comment 4 John W 2012-09-07 12:20:41 UTC
Just an FYI, I have case 852784 open with support on this as well; so far no fix though.

Comment 5 Miroslav Grepl 2012-09-11 07:25:46 UTC
(In reply to comment #3)
> Miroslav, didn't we fix this problem?

Yes, I believe.

I am testing it and I see

Sep 11 09:24:07 rhel6 setroubleshoot: SELinux is preventing /usr/bin/runcon from using the transition access on a process. For complete SELinux messages. run sealert -l a7b45d79-31e2-4a7c-9d47-843d6cb26099


# rpm -qa setroubleshoot*
setroubleshoot-plugins-3.0.40-1.el6.noarch
setroubleshoot-3.0.47-3.el6_3.x86_64
setroubleshoot-server-3.0.47-3.el6_3.x86_64

Comment 6 John W 2012-09-11 10:58:20 UTC
Please advise how you generated the sealerts, because I have attempted to create alerts using vsftpd and the sealert -l message never shows up in messages, and I have the same RPMs installed. Please reference my case also.

Comment 7 Daniel Walsh 2012-09-11 11:45:52 UTC
Are you still seeing the errors in the log files with the same packages?

Looking at this more closely, is there something wrong with your rpm database?

Comment 8 Miroslav Grepl 2012-09-11 11:47:20 UTC
Maybe you will need to rebuild your rpm database.

Comment 9 John W 2012-09-11 11:55:44 UTC
Support already had me rebuild my rpm database and still same results.

Comment 10 John W 2012-09-11 11:56:36 UTC
I will post the current error messages when I get back home Thursday.

Comment 11 John W 2012-09-11 12:17:11 UTC
Here are the most recent messages after generating an SELinux denial using vsftpd.

OK, so the tail -f /var/log/messages still returned nothing to me; nothing was logged to /var/log/messages.

The grep AVC audit.log|sedispatch returned a bunch of these:

Got Reply: AVC

Then I tested with ftp to my home dir and here are the results I got:

In messages file:

Sep  7 08:27:52 server vsftpd[2620]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=root rhost=client  user=root
Sep  7 08:28:11 server setroubleshoot: [program.ERROR] failed to get filesystem list from rpm#012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/util.py", line 238, in get_standard_directories#012    h = ts.dbMatch("name", "filesystem").next()#012error: rpmdb open failed
Sep  7 08:28:11 server setroubleshoot: [program.ERROR] failed to get filesystem list from rpm#012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/util.py", line 238, in get_standard_directories#012    h = ts.dbMatch("name", "filesystem").next()#012error: rpmdb open failed
Sep  7 08:28:16 server sedispatch: AVC Message for setroubleshoot, dropping message
Sep  7 08:28:16 server sedispatch: AVC Message for setroubleshoot, dropping message



In audit file:

type=AVC msg=audit(1347020890.603:101): avc:  denied  { search } for  pid=2632 comm="vsftpd" name="home" dev=dm-0 ino=913925 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1347020890.603:101): arch=c000003e syscall=80 success=no exit=-13 a0=7f9739983490 a1=1f4 a2=0 a3=7fffcffd8e60 items=0 ppid=2627 pid=2632 auid=4294967295 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347020892.294:102): avc:  denied  { write } for  pid=2634 comm="setroubleshootd" name="plugins" dev=dm-0 ino=420591 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1347020892.294:102): arch=c000003e syscall=87 success=no exit=-13 a0=7fff8477bf20 a1=7f7309a39fe7 a2=5049e6fa a3=3dcf5b9600 items=0 ppid=1 pid=2634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)

Comment 12 Daniel Walsh 2012-09-18 16:00:17 UTC
setroubleshoot is complaining about python compiles in /usr/share/setroubleshoot/plugins.

You just run
python /usr/share/setroubleshoot/plugins/*py

That should fix that problem.
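
A triage sketch for the audit records quoted in comment 11, added here as an example and not part of the bug thread or of setroubleshoot: it separates denials raised against the analysis daemon itself (source type setroubleshootd_t) from ordinary denials. Linking that source type to sedispatch's "dropping message" lines is an assumption drawn from the logs above, and the function names are hypothetical.

```python
import re

# Constructed sample: the two AVC records from comment 11 (SYSCALL records omitted).
SAMPLE = """\
type=AVC msg=audit(1347020890.603:101): avc:  denied  { search } for  pid=2632 comm="vsftpd" name="home" dev=dm-0 ino=913925 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=AVC msg=audit(1347020892.294:102): avc:  denied  { write } for  pid=2634 comm="setroubleshootd" name="plugins" dev=dm-0 ino=420591 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{(?P<perms>[^}]*)\} for\s+(?P<fields>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type:level context, or ''."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else ''


def parse_avc(line):
    """Parse one 'avc: denied' audit record into a dict; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    rec['serial'] = int(m.group('serial'))
    rec['source_type'] = selinux_type(rec.get('scontext', ''))
    rec['target_type'] = selinux_type(rec.get('tcontext', ''))
    return rec


def triage(text, analyzer_type='setroubleshootd_t'):
    """Split AVC denials into (ordinary, raised-by-the-analyzer-itself)."""
    ordinary, self_denials = [], []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            (self_denials if rec['source_type'] == analyzer_type else ordinary).append(rec)
    return ordinary, self_denials


if __name__ == '__main__':
    ordinary, self_denials = triage(SAMPLE)
    for label, recs in (('ordinary', ordinary), ('analyzer self-denial', self_denials)):
        for r in recs:
            print(label, r['serial'], r['comm'], r['perms'], r.get('name'), r['target_type'])
```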