Bug 208369 - catchall plugin includes instance specific information in signature leading to inflation
Summary: catchall plugin includes instance specific information in signature leading t...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: setroubleshoot
Version: 6
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-09-28 05:31 UTC by John Dennis
Modified: 2008-01-09 19:29 UTC (History)
1 user (show)

Fixed In Version: 2.0.1-1
Clone Of:
Environment:
Last Closed: 2008-01-09 19:29:09 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description John Dennis 2006-09-28 05:31:16 UTC
The catchall plugin adds instance specific information to the signature, e.g.:

<object_path>pipe:[13491]</object_path>

The description contains:

Sometimes labeling problems can cause SELinux denials.  You could try to restore
the default system file context for pipe:[13491], restorecon -v pipe:[13491]

We need to decide if we want every catchall to be an independent alert or
collapse them based on signature. Putting the pipe identifier in the object path
will cause each event to be unique, do we want this? If so we should define a
better way to assure uniqueness asides from relying on object_path uniqueness.

Comment 1 John Dennis 2006-09-29 21:10:36 UTC
Dan, we need need to brainstorm a little on this one. The fundamental issue is:

Should the catchall plugin always generate a unique alert?

If the answer is yes then we don't have a mechanism yet which guarantees this,
we may be getting unique alerts only as an unintended side effect

If they are always unique we might end up generating quite a few of these alerts
all basically identical.

Perhaps the best thing is for the catchall plugin to generate a signature which
represents the AVC that triggered it, but omit any instance specific information
which would lead to a vast collection of virtually identical alerts, instead we
would end up with just a handful of catchall's representative of a collection of
 problems we failed to analyze. Individual plugin's can now override through
class inheritace the signature generation if that is necessary.

Comment 2 Daniel Walsh 2006-10-23 13:29:35 UTC
I am changin catchall to catchall.py and catchall_file, such that the reference
above would not happen on a non file_context issue.  We will report a one bug if
restorecon could fix it and another if it would not be able to .  So a fifo_file
would not generate the above avc message.

setroubleshoot-1.1

Comment 3 Matthew Miller 2007-04-06 18:35:06 UTC
Fedora Core 5 and Fedora Core 6 are, as we're sure you've noticed, no longer
test releases. We're cleaning up the bug database and making sure important bug
reports filed against these test releases don't get lost. It would be helpful if
you could test this issue with a released version of Fedora or with the latest
development / test release. Thanks for your help and for your patience.

[This is a bulk message for all open FC5/FC6 test release bugs. I'm adding
myself to the CC list for each bug, so I'll see any comments you make after this
and do my best to make sure every issue gets proper attention.]


Comment 4 John Dennis 2008-01-09 19:29:09 UTC
closing, current releases strip instance information out of socket and pipe path
information, this was the primary culprit.


Note You need to log in before you can comment on or make changes to this bug.