Description of problem:
I am trying to package a new package for Fedora and am facing SEAlerts. Unfortunately, the executables' names within the SEAlerts being generated are shortened too much and do not provide sufficient information to identify the executable which is triggering the SEAlert. E.g. from the sealert:

Raw Audit Messages
type=AVC msg=audit(1416845516.215:1002): avc: denied { open } for pid=10925 comm="/usr/sbin/rt-se" path="/tmp/.UUID_NODEID" dev="tmpfs" ino=41813 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0

Note the "/usr/sbin/rt-se". This is insufficient for me to guess which executable may have triggered this alert:

# ls /usr/sbin/rt-se*
/usr/sbin/rt-serializer
/usr/sbin/rt-server
/usr/sbin/rt-server.fcgi
/usr/sbin/rt-session-viewer
/usr/sbin/rt-setup-database
/usr/sbin/rt-setup-fulltext-index

Version-Release number of selected component (if applicable):
setroubleshoot-3.2.20-3.fc21.x86_64
setroubleshoot-plugins-3.0.60-2.fc21.noarch
setroubleshoot-server-3.2.20-3.fc21.x86_64

Additional info:
The package I am referring to is rt-4.2.9. The sealert being triggered originates from rt's testsuite, which is calling a script via httpd.
Yes, this comes for AVC msg.
This comes from the comm field in the task structure of the kernel and is limited to 16 bytes. There have been many arguments about it being too short and the kernel team does not want to change it. As a workaround, sometime around the 3.12 kernel, there was a new event record added to syscall events, PROCTITLE. It gives the full command line used to invoke the process. Maybe sealert might want to include that information too? Or perhaps the time and event number so the user can re-run the search and get the interpreted proctitle. There is nothing to fix in the audit system here.
Transferring back for final disposition or closing. The information is available, it just needs to be picked out.
Does this PROCTITLE get generated on all AVCs even with the audit subsystem disabled?
Off hand, not sure. It's emitted during syscall exit logging. But if it's available, you can use it to get a higher quality program name. I don't know if the program's parameters are useful in all situations, but they are there as well. The proctitle string is composed of several NUL terminated strings (assuming there are arguments) just like argv[].
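Correlating the PROCTITLE record with the AVC record by event id, as an added example that is not part of this report or of setroubleshoot. The AVC line is the one from the report; the PROCTITLE line and the command line it encodes are constructed for the example, and the 16-byte comm limit is the kernel's TASK_COMM_LEN.

```python
import re
from typing import Dict, List

# Kernel TASK_COMM_LEN: 15 bytes of program name plus the NUL terminator.
TASK_COMM_LEN = 16

# Constructed sample: the AVC record quoted in the report followed by a
# PROCTITLE record carrying the same event id (timestamp:serial). The command
# line in the PROCTITLE record is an assumption, not taken from the report.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1416845516.215:1002): avc: denied { open } for pid=10925 comm="/usr/sbin/rt-se" path="/tmp/.UUID_NODEID" dev="tmpfs" ino=41813 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1416845516.215:1002): proctitle=2F7573722F7362696E2F72742D736572766572002D2D706F72740038303830
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<event>[\d.]+:\d+)\): (?P<body>.*)$")


def truncate_comm(argv0: str) -> str:
    """Mimic what the kernel keeps in task->comm: at most 15 bytes of the name."""
    return argv0.encode()[: TASK_COMM_LEN - 1].decode(errors="replace")


def decode_proctitle(value: str) -> List[str]:
    """Turn a proctitle field into an argv list.

    With arguments the kernel hex-encodes the NUL-separated buffer; without
    them the value is emitted as a plain quoted string.
    """
    if value.startswith('"'):
        return [value.strip('"')]
    raw = bytes.fromhex(value)
    # Drop the empty piece left by the trailing NUL terminator.
    return [part.decode(errors="replace") for part in raw.split(b"\0") if part]


def proctitle_for_avcs(log_text: str) -> Dict[str, List[str]]:
    """Map each AVC event id to the argv recovered from its PROCTITLE record."""
    proctitles: Dict[str, List[str]] = {}
    avc_events: List[str] = []
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        if m["type"] == "AVC":
            avc_events.append(m["event"])
        elif m["type"] == "PROCTITLE":
            field = m["body"].split("proctitle=", 1)[1].strip()
            proctitles[m["event"]] = decode_proctitle(field)
    return {ev: proctitles[ev] for ev in avc_events if ev in proctitles}


if __name__ == "__main__":
    for event, argv in proctitle_for_avcs(SAMPLE_AUDIT_LOG).items():
        print(f"{event}: comm={truncate_comm(argv[0])!r} full argv={argv}")
```

On a live system the same pairing is what `ausearch -i --start <time>` performs when given the event's timestamp and serial, which is why the comment above suggests sealert report those two values.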
This message is a reminder that Fedora 21 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 21. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '21'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 21 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version before this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
Fedora 21 changed to end-of-life (EOL) status on 2015-12-01. Fedora 21 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.