Description of problem:
setroubleshootd doesn't seem to find any alerts anymore.
Version-Release number of selected component (if applicable):
setroubleshoot-server-3.3.9.1-1.fc24.x86_64
How reproducible:
Always
Steps to Reproduce:
# mkdir -p ~/selinux_temp
# cd ~/selinux_temp
# cp /bin/ls ls
# chcon -t httpd_exec_t ls
# runcon -u system_u -r system_r -t httpd_t -- ./ls /home/*
# gdbus call -y -d org.fedoraproject.Setroubleshootd -o /org/fedoraproject/Setroubleshootd -m org.fedoraproject.SetroubleshootdIface.get_all_alerts
Actual results:
(@a(ssi) [],)
Expected results:
([('e55504a0-9476-4d99-845b-484de4eec20c', 'SELinux is preventing ls from read access on the directory builder.', 2)],)
This is what I get with setroubleshoot-server-3.3.7-1.fc24.x86_64

Sorry, it's not just the version of setroubleshoot-server, something else is causing this bug. It might well be something in our test setup.
Created attachment 1176064 [details] Transcript
Hmm, maybe it is setroubleshoot, after all. I have attached a transcript that I think shows the following:
- Each time I run "runcon -u system_u -r system_r -t httpd_t -- ./ls /home/*" I get two more alerts.
- Upgrading setroubleshoot-server breaks that and the number of alerts is stuck at 8.
- Rebooting doesn't help.
- Downgrading setroubleshoot-server doesn't help.

According to https://bugzilla.redhat.com/show_bug.cgi?id=1350425#c1 (bug for RHEL 7), there is a bug in the audit dispatcher.
audit-2.6.3 should solve all the problems that it caused. https://bodhi.fedoraproject.org/updates/FEDORA-2016-f6b4eb55d4
> audit-2.6.3 should solve all the problems that it caused.
The version of audit during the whole transcript was audit-2.5.2-1.fc24.x86_64, both when setroubleshootd was picking up the alerts and when it wasn't anymore. Indeed, updating to audit-2.6.3 didn't make our tests pass (unless I messed that up somehow). Now that I understand better where the alerts are coming from, I'll dig a little deeper.

Ok, I think I got it. The "locate" binary is missing in our images, which makes setroubleshootd throw an uncaught exception from within the "avc" method.
# gdbus call -y \
    -d org.fedoraproject.Setroubleshootd \
    -o /org/fedoraproject/Setroubleshootd \
    -m org.fedoraproject.SetroubleshootdIface.avc \
    "node=localhost.localdomain type=AVC msg=audit(1467813201.877:351): avc: denied { read } for pid=1735 comm=\"ls\" name=\"admin\" dev=\"dm-0\" ino=8848947 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0\n"
Error: GDBus.Error:org.freedesktop.DBus.Python.FileNotFoundError: Traceback (most recent call last):
  File "/usr/lib64/python3.5/site-packages/dbus/service.py", line 707, in _message_cb
    retval = candidate_method(self, *args, **keywords)
  File "/usr/lib/python3.5/site-packages/setroubleshoot/server.py", line 661, in avc
    self.add(AVC(audit_event))
  File "/usr/lib/python3.5/site-packages/setroubleshoot/audit_data.py", line 636, in __init__
    self.derive_avc_info_from_audit_event()
  File "/usr/lib/python3.5/site-packages/setroubleshoot/audit_data.py", line 934, in derive_avc_info_from_audit_event
    self._set_tpath()
  File "/usr/lib/python3.5/site-packages/setroubleshoot/audit_data.py", line 872, in _set_tpath
    universal_newlines=True)
  File "/usr/lib64/python3.5/subprocess.py", line 629, in check_output
    **kwargs).stdout
  File "/usr/lib64/python3.5/subprocess.py", line 696, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/lib64/python3.5/subprocess.py", line 950, in __init__
    restore_signals, start_new_session)
  File "/usr/lib64/python3.5/subprocess.py", line 1544, in _execute_child
    raise child_exception_type(errno_num, err_msg)
FileNotFoundError: [Errno 2] No such file or directory: 'locate'
Setroubleshoot catches and silently ignores subprocess.CalledProcessError for that invocation, so it should probably do the same for FileNotFoundError. Maybe it also should have a dependency on "mlocate".

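Added example (not part of the comment above and not setroubleshoot's own code): a best-effort path lookup that treats a missing helper binary the same way as a helper that finds nothing, so the alert is still recorded. The names resolve_tpath, describe_target and locate_cmd are hypothetical; the name and inode in the demo come from the AVC record quoted above.

```python
import os
import subprocess


def resolve_tpath(name, inode, locate_cmd=("locate", "-b"), timeout=10):
    """Return the path with basename `name` and inode `inode`, or None.

    None means the alert could not be enriched; it never means "drop it".
    resolve_tpath and locate_cmd are hypothetical names for this example.
    """
    cmd = list(locate_cmd) + ["\\" + name]  # \NAME asks for an exact basename
    try:
        out = subprocess.check_output(cmd, stderr=subprocess.DEVNULL,
                                      universal_newlines=True, timeout=timeout)
    except subprocess.CalledProcessError:
        return None  # helper ran and exited non-zero (no match)
    except (OSError, subprocess.TimeoutExpired):
        # OSError covers FileNotFoundError (helper not installed) and
        # PermissionError (helper present but not executable).
        return None
    for path in out.splitlines():
        try:
            if os.lstat(path).st_ino == inode:
                return path
        except OSError:
            continue  # stale database entry, file no longer exists
    return None


def describe_target(name, inode, **kwargs):
    """Best-effort enrichment: fall back to the bare name from the AVC record."""
    return resolve_tpath(name, inode, **kwargs) or name


if __name__ == "__main__":
    # Values from the AVC record quoted above: name="admin" ino=8848947
    print(describe_target("admin", 8848947))
```
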
I think audispd 2.6.2 and later produce output that auparse rejects:
# strace -e write -s1000 -p $(pgrep audisp)
strace: Process 938 attached
write(6, "node=demon.mvo.lan type=AVC msg=type=AVC msg=audit(1467976086.574:336): avc: denied { read } for pid=2010 comm=\"ls\" name=\"mvo\" dev=\"0:43\" ino=5242881 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0\n", 263) = 263
Note the "msg=type=AVC" bit, that looks wrong and causes auparse to skip over that line completely. sedispatch never gets that event passed back to its callback. I file a separate bug.

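Added example (not part of the comment above, and not auparse's parser): a check that can sit in a test harness to flag dispatcher lines a consumer would silently skip. The expected header layout is an assumption inferred from the well-formed record quoted earlier in this thread; both sample lines are the ones quoted in the thread.

```python
import re
from collections import Counter

# Assumed layout: [node=<host> ]type=<TYPE> msg=audit(<sec>.<msec>:<serial>): <body>
HEADER = re.compile(
    r"^(?:node=\S+ )?type=(?P<type>[A-Z0-9_]+) "
    r"msg=audit\((?P<sec>\d+)\.(?P<msec>\d+):(?P<serial>\d+)\): ")
# The defect reported above: a second "type=" header nested inside msg=
DOUBLED = re.compile(r"\bmsg=type=[A-Z0-9_]+ msg=audit\(")

GOOD = ('node=localhost.localdomain type=AVC msg=audit(1467813201.877:351): '
        'avc: denied { read } for pid=1735 comm="ls" name="admin" dev="dm-0" '
        'ino=8848947 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 '
        'tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir '
        'permissive=0\n')
BAD = ('node=demon.mvo.lan type=AVC msg=type=AVC msg=audit(1467976086.574:336): '
       'avc: denied { read } for pid=2010 comm="ls" name="mvo" dev="0:43" '
       'ino=5242881 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 '
       'tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0\n')


def check_record(line):
    """Classify one dispatcher line as (status, serial)."""
    line = line.rstrip("\n")
    m = HEADER.match(line)
    if m:
        return ("ok", int(m.group("serial")))
    if DOUBLED.search(line):
        return ("doubled-header", None)
    return ("malformed", None)


def summarize(lines):
    """Count statuses so a test can fail when any record would be skipped."""
    return Counter(check_record(l)[0] for l in lines)


if __name__ == "__main__":
    for status, count in sorted(summarize([GOOD, BAD]).items()):
        print(status, count)
```
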
(In reply to Dominik Perpeet from comment #4)
> According to https://bugzilla.redhat.com/show_bug.cgi?id=1350425#c1 (bug for
> RHEL 7), there is a bug in the audit dispatcher.
Let's use 1353911 to track that. Bug 1350425 is quite nebulous, imo.

This issue was caught by Cockpit integration tests. One can see it occurs here: https://github.com/cockpit-project/cockpit/issues/4678
To summarize:
* audisp writes bogus lines that auparse in sedispatch then ignores.
* setroubleshootd crashes when the "locate" binary is not present on the system, and doesn't record any alerts because of that.
Both bugs need to be fixed.

(In reply to Marius Vollmer from comment #11)
> To summarize:
>
> * audisp writes bogus lines that auparse in sedispatch then ignores.
https://bugzilla.redhat.com/show_bug.cgi?id=1353911#c15
As I understand, there will be another audit release with a fix soon.
> * setroubleshootd crashes when the "locate" binary is not present on the
> system, and doesn't record any alerts because of that.
>
It's already fixed upstream. I'll prepare updates.
https://github.com/fedora-selinux/setroubleshoot/commit/fa2365f94ec1d33e3be14416b801b5f6e0ac840b

Comment on attachment 1176064 [details] Transcript
I forgot to start auditd after reboot in the transcript, which makes it meaningless. Please disregard.

setroubleshoot-3.3.10-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-19370efde6
setroubleshoot-3.3.10-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-dc324f21e6
setroubleshoot-3.3.10-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-19370efde6
setroubleshoot-3.3.10-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-dc324f21e6
setroubleshoot-3.3.10-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
setroubleshoot-3.3.10-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.