Bug 227313 - sealert -l doesn't show time (and other UI issues)
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: setroubleshoot
Version: 6
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: John Dennis
Ben Levenson
Reported: 2007-02-05 00:47 EST by James Antill
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2007-02-09 15:06:03 EST
Description James Antill 2007-02-05 00:47:54 EST
Description of problem:

 Given a message like:
 
Feb  5 00:42:50 code setroubleshoot:      SELinux is preventing /usr/bin/python
(setroubleshootd_t) "write" to audit_events (var_run_t).      For complete
SELinux messages. run sealert -l 8d1d68d1-fb39-465c-b5a4-f50e7769bbe7

..the sealert -l doesn't show the time at which the SELinux AVC message
happened, this is esp. annoying because there seems to be some limiting in
setroubleshootd which means it sends out messages about itself for 10 minutes or
more after you've fixed it (and before which it said nothing, even though it was
obviously broken and it knew it -- the fix was setsebool
setroubleshootd_disable_trans=1, although I'm not 100% that's good advice but
certainly if auditd_disable_trans is on and that's off it's good advice).

Version-Release number of selected component (if applicable):

% rpm -q setroubleshoot
setroubleshoot(0:1.7.1-1.fc6).noarch

How reproducible:
 Always.
Comment 1 James Antill 2007-02-05 09:44:35 EST
As I implied in bug#227315, it wasn't old data but an old version of
setroubleshootd was hanging around generating those messages. This would have
been obvious if it had given the time :).
Comment 2 John Dennis 2007-02-09 15:06:03 EST
setroubleshoot tracks the first time the AVC is seen and the last time it was
seen. The detailed information section now includes the first and last seen
timestamps. The updated version will appear in rawhide in the next day or two. I
expect it will be in version 1.8.17.

BTW, sealert does not store every AVC it sees, rather it translates them into
"alerts" via the plugin analysis, then it asks if the alert has been seen
previously, if so it just updates the report count and the last seen timestamp.
This is why there is only a first and last timestamp.
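
The deduplication described in comment 2, as an added Python sketch that is not setroubleshoot's own code: repeated AVC denials collapse into one alert that keeps only a report count and first/last seen timestamps. The audit records are constructed, and the `signature()` key (source type, target type, class, permissions) is an assumption standing in for the real plugin analysis; `still_firing()` is a hypothetical helper for the case in the description, where denials keep arriving after a fix.

```python
import re
from dataclasses import dataclass

# Constructed audit.log records (not from the bug report); audit(...) holds epoch seconds.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1170654170.101:201): avc:  denied  { write } for  pid=2310 comm="python" name="audit_events" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1170654170.101:201): arch=40000003 syscall=102 success=no exit=-13
type=AVC msg=audit(1170654200.440:207): avc:  denied  { read } for  pid=2999 comm="httpd" name="index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1170654230.250:212): avc:  denied  { write } for  pid=2310 comm="python" name="audit_events" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1170654770.900:260): avc:  denied  { write } for  pid=2310 comm="python" name="audit_events" scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

AVC_RE = re.compile(
    r"type=AVC msg=audit\((\d+)\.\d+:\d+\): avc:\s+denied\s+\{ ([^}]+) \}"
    r".*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)")

@dataclass
class Alert:
    first_seen: int
    last_seen: int
    count: int = 1

def signature(perms, scontext, tcontext, tclass):
    # Hypothetical signature: SELinux types (third context field), class, permissions.
    return (scontext.split(":")[2], tcontext.split(":")[2], tclass,
            tuple(sorted(perms.split())))

def aggregate(log_text):
    alerts = {}
    for m in AVC_RE.finditer(log_text):
        ts, sig = int(m.group(1)), signature(*m.group(2, 3, 4, 5))
        seen = alerts.get(sig)
        if seen is None:
            alerts[sig] = Alert(first_seen=ts, last_seen=ts)
        else:  # known alert: no new record, only the counters move
            seen.count += 1
            seen.first_seen = min(seen.first_seen, ts)
            seen.last_seen = max(seen.last_seen, ts)
    return alerts

def still_firing(alerts, fixed_at):
    """Signatures whose denials continued after a fix applied at epoch fixed_at."""
    return [sig for sig, a in alerts.items() if a.last_seen > fixed_at]

if __name__ == "__main__":
    for sig, a in aggregate(SAMPLE_AUDIT).items():
        print(sig, a)
```

Because individual records are discarded, the per-event times between the first and last sighting cannot be recovered from the alert; that detail has to come from the audit log itself.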
