Description of problem:
Given a message like:
Feb 5 00:42:50 code setroubleshoot: SELinux is preventing /usr/bin/python
(setroubleshootd_t) "write" to audit_events (var_run_t). For complete
SELinux messages. run sealert -l 8d1d68d1-fb39-465c-b5a4-f50e7769bbe7
...the sealert -l doesn't show the time at which the SELinux AVC message
happened. This is esp. annoying because there seems to be some limiting in
setroubleshootd which means it sends out messages about itself for 10 minutes or
more after you've fixed it (and before which it said nothing, even though it was
obviously broken and it knew it -- the fix was setsebool
setroubleshootd_disable_trans=1, although I'm not 100% sure that's good advice, but
certainly if auditd_disable_trans is on and that's off it's good advice).
Version-Release number of selected component (if applicable):
% rpm -q setroubleshoot
As I implied in bug#227315, it wasn't old data but an old version of
setroubleshootd was hanging around generating those messages. This would have
been obvious if it had given the time :).
setroubleshoot tracks the first time the AVC is seen and the last time it was
seen. The detailed information section now includes the first and last seen
timestamps. The updated version will appear in rawhide in the next day or two. I
expect it will be in version 1.8.17.
BTW, sealert does not store every AVC it sees; rather it translates them into
"alerts" via the plugin analysis, then it asks if the alert has been seen
previously, and if so it just updates the report count and the last seen timestamp.
This is why there is only a first and last timestamp.
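The dedup-and-timestamp behaviour described in that reply, as an added example and not setroubleshoot's own code: it folds constructed syslog lines in the shape of the message quoted in the report into one record per alert with first-seen, last-seen and a report count. It assumes that identical source type, permission, target and target type mean the same alert, and supplies the year that syslog timestamps omit.

```python
import re
from datetime import datetime

# Constructed sample syslog lines in the shape of the setroubleshoot message
# quoted in the report; the httpd line and its all-zero UUID are made up.
SAMPLE_LOG = """\
Feb 5 00:42:50 code setroubleshoot: SELinux is preventing /usr/bin/python (setroubleshootd_t) "write" to audit_events (var_run_t). For complete SELinux messages. run sealert -l 8d1d68d1-fb39-465c-b5a4-f50e7769bbe7
Feb 5 00:47:13 code setroubleshoot: SELinux is preventing /usr/bin/python (setroubleshootd_t) "write" to audit_events (var_run_t). For complete SELinux messages. run sealert -l 8d1d68d1-fb39-465c-b5a4-f50e7769bbe7
Feb 5 00:52:50 code setroubleshoot: SELinux is preventing /usr/bin/python (setroubleshootd_t) "write" to audit_events (var_run_t). For complete SELinux messages. run sealert -l 8d1d68d1-fb39-465c-b5a4-f50e7769bbe7
Feb 5 00:55:02 code setroubleshoot: SELinux is preventing /usr/sbin/httpd (httpd_t) "read" to index.html (user_home_t). For complete SELinux messages. run sealert -l 00000000-0000-0000-0000-000000000000
"""

# Fields of the summary line that identify the denial (the UUID is only the
# handle that sealert -l takes, so it is not part of the key).
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ setroubleshoot: '
    r'SELinux is preventing (?P<src>\S+) \((?P<scon>\w+)\) '
    r'"(?P<perm>\w+)" to (?P<tgt>\S+) \((?P<tcon>\w+)\)'
)

def parse_syslog_ts(text, year):
    """Syslog timestamps carry no year, so the caller supplies one (assumed)."""
    return datetime.strptime(f"{year} {' '.join(text.split())}", "%Y %b %d %H:%M:%S")

def aggregate_alerts(log_text, year=2007):
    """Fold repeated AVC lines into one alert per (source type, permission,
    target, target type), keeping first_seen, last_seen and a report count.
    Assumption: lines sharing those four fields are the same alert."""
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an AVC summary line, ignore it
        seen = parse_syslog_ts(m.group("ts"), year)
        key = (m.group("scon"), m.group("perm"), m.group("tgt"), m.group("tcon"))
        rec = alerts.setdefault(key, {"first_seen": seen, "last_seen": seen, "count": 0})
        rec["count"] += 1
        rec["first_seen"] = min(rec["first_seen"], seen)
        rec["last_seen"] = max(rec["last_seen"], seen)
    return alerts

def span_minutes(rec):
    """Minutes between first and last sighting; a span that keeps growing after
    a fix points at a stale process still emitting the denial."""
    return (rec["last_seen"] - rec["first_seen"]).total_seconds() / 60

if __name__ == "__main__":
    for key, rec in aggregate_alerts(SAMPLE_LOG).items():
        print(key, rec["count"], rec["first_seen"], rec["last_seen"], f"{span_minutes(rec):.1f} min")
```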