setroubleshoot seems to keep restarting. A strace shows it just allocating more and more memory with brk(). The log keeps truncating itself but once I saw this, repeating over and over and over again....

  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 417, in delete_signature
    self.mark_modified()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 333, in mark_modified
    self.save()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 319, in save
    self.prune()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 283, in prune
    self.delete_signature(sig)
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 417, in delete_signature
    self.mark_modified()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 333, in mark_modified
    self.save()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 319, in save
    self.prune()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 283, in prune
    self.delete_signature(sig)
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 417, in delete_signature
    self.mark_modified()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 333, in mark_modified
    self.save()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 319, in save
    self.prune()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 283, in prune
    self.delete_signature(sig)
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 417, in delete_signature
    self.mark_modified()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 333, in mark_modified
    self.save()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 319, in save
    self.prune()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 283, in prune
    self.delete_signature(sig)
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 417, in delete_signature
    self.mark_modified()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 333, in mark_modified
    self.save()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 319, in save
    self.prune()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 283, in prune
    self.delete_signature(sig)
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 417, in delete_signature
    self.mark_modified()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 333, in mark_modified
    self.save()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 319, in save
    self.prune()
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 250, in prune
    self.sigs.signature_list.sort(lambda a,b: cmp(a.last_seen_date, b.last_seen_date))
  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 250, in <lambda>
    self.sigs.signature_list.sort(lambda a,b: cmp(a.last_seen_date, b.last_seen_date))
AttributeError: TimeStamp instance has no attribute '__coerce__'
tail: setroubleshootd.log: file truncated

setroubleshoot-2.1.14-1.fc11.i586

This is a Fedora 9 machine which I've just updated to Fedora 11 with yum.
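The traceback in the report above is dominated by one group of frames that calls back into itself. As an added example (not part of the bug report and not setroubleshoot code), the following Python script extracts the frames from flattened log text and reports the shortest back-to-back repeating call chain; the function names and the sample text are constructed here from the path, line numbers and function names visible in the report.

```python
import re

# Matches the 'File "<path>", line <n>, in <function>' part of a traceback frame,
# whether the log kept its line breaks or was flattened onto one line.
FRAME_RE = re.compile(r'File "([^"]+)", line (\d+), in (\S+)')

def parse_frames(text):
    """Return (function, line) pairs for every traceback frame found in text."""
    return [(m.group(3), int(m.group(2))) for m in FRAME_RE.finditer(text)]

def find_call_cycle(frames, min_repeats=2):
    """Find the shortest run of frames that repeats back-to-back.

    Returns (start_index, cycle, repeats), or None when nothing repeats.
    """
    n = len(frames)
    for period in range(1, n // min_repeats + 1):
        for start in range(0, n - period * min_repeats + 1):
            cycle = frames[start:start + period]
            repeats, pos = 1, start + period
            while frames[pos:pos + period] == cycle:
                repeats += 1
                pos += period
            if repeats >= min_repeats:
                return start, cycle, repeats
    return None

def describe(text):
    """One-line summary of the recursion cycle in a traceback, if any."""
    found = find_call_cycle(parse_frames(text))
    if found is None:
        return "no repeating call cycle"
    _, cycle, repeats = found
    chain = " -> ".join("%s:%d" % frame for frame in cycle)
    return "%d x [%s]" % (repeats, chain)

# Constructed sample: three turns of the loop seen in the report, then the
# frames where the sort in prune() raises.
PATH = "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py"
LOOP = [(417, "delete_signature"), (333, "mark_modified"), (319, "save"), (283, "prune")]
TAIL = LOOP[:3] + [(250, "prune"), (250, "<lambda>")]
SAMPLE = " ".join('File "%s", line %d, in %s' % (PATH, ln, fn)
                  for ln, fn in LOOP * 3 + TAIL)

if __name__ == "__main__":
    print(describe(SAMPLE))
```
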
Created attachment 353803 [details] output from 'setroubleshootd -f -V'
Created attachment 353804 [details] /var/lib/setroubleshoot/audit_listener_database.xml

Removing the audit_listener_database made it happy again.
hm, I'm still getting this...

Message from syslogd@casper at Jul 15 11:54:01 ...
 sedispatch: AVC Message for setroubleshoot, dropping message
It's dying when it gets a SIGALRM...

[root@casper setroubleshoot]# setroubleshootd -f -V
2009-07-15 11:59:59,839 [database.DEBUG] created new database: name=audit_listener, friendly_name=Audit Listener, filepath=/var/lib/setroubleshoot/audit_listener_database.xml
2009-07-15 11:59:59,857 [database.DEBUG] database version 3.0 compatible with current 3.0 version
2009-07-15 12:00:00,164 [plugin.DEBUG] load_plugins() names=['user_tcp_server', 'allow_java_execstack', 'httpd_can_network_relay', 'httpd_bad_labels', 'public_content', 'allow_execheap', 'allow_httpd_sys_script_anon_write', 'httpd_enable_ftp_server', 'home_tmp_bad_labels', 'pppd_can_insmod', 'cvs_data', 'samba_export_all_ro', 'filesystem_associate', 'allow_ypbind', 'httpd_use_cifs', 'bind_ports', 'spamd_enable_home_dirs', 'use_nfs_home_dirs', 'qemu_blk_image', 'httpd_enable_homedirs', 'fcron_crond', 'ftpd_is_daemon', 'connect_ports', 'allow_mplayer_execstack', 'samba_share_nfs', 'allow_mount_anyfile', 'allow_smbd_anon_write', 'allow_ftpd_full_access', 'execute', 'rsync_data', 'samba_share', 'squid_connect_any', 'qemu_file_image', 'secure_mode_policyload', 'stunnel_is_daemon', 'allow_ftpd_use_cifs', 'httpd_enable_cgi', 'httpd_unified', 'httpd_tty_comm', 'swapfile', 'httpd_can_network_connect', 'allow_execstack', 'allow_daemons_use_tty', 'allow_zebra_write_config', 'device', 'prelink_mislabled', 'allow_execmem', 'read_default_t', 'httpd_use_nfs', 'allow_ftpd_anon_write', 'allow_saslauthd_read_shadow', 'allow_rsync_anon_write', 'automount_exec_config', 'nfs_export_all_rw', 'catchall', 'default', 'mounton', 'nfs_export_all_ro', 'catchall_boolean', 'allow_cvs_read_shadow', 'xen_image', 'allow_httpd_anon_write', 'httpd_builtin_scripting', 'httpd_can_network_connect_db', 'secure_mode_insmod', 'use_samba_home_dirs', 'samba_export_all_rw', 'file', 'allow_daemons_dump_core', 'allow_kerberos', 'samba_enable_home_dirs', 'named_write_master_zones', 'httpd_ssi_exec', 'restorecon', 'allow_postfix_local_write_mail_spool', 'inetd_bind_ports', 'allow_execmod', 'allow_gssd_read_tmp', 'allow_ftpd_use_nfs', 'mislabeled_file', 'ftp_home_dir', 'allow_nfsd_anon_write', 'global_ssp']
2009-07-15 12:00:00,169 [plugin.INFO] importing /usr/share/setroubleshoot/plugins/__init__ as plugins
2009-07-15 12:00:03,983 [avc.DEBUG] Number of Plugins = 83
2009-07-15 12:00:03,994 [communication.DEBUG] parse_socket_address_list: input='{unix}/var/run/setroubleshoot/setroubleshoot_server'
2009-07-15 12:00:03,995 [communication.DEBUG] parse_socket_address_list: {unix}/var/run/setroubleshoot/setroubleshoot_server --> {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
2009-07-15 12:00:03,999 [communication.DEBUG] new_listening_socket: {unix}/var/run/setroubleshoot/setroubleshoot_server socket=None
2009-07-15 12:00:04,002 [server.INFO] creating system dbus: bus_name=org.fedoraproject.Setroubleshootd object_path=/org/fedoraproject/Setroubleshootd interface=org.fedoraproject.SetroubleshootdIface
2009-07-15 12:00:04,004 [server.DEBUG] dbus __init__ /org/fedoraproject/Setroubleshootd called
2009-07-15 12:00:14,004 [server.DEBUG] received signal=14
2009-07-15 12:00:14,005 [server.DEBUG] KeyboardInterrupt in RunFaultServer
2009-07-15 12:00:14,006 [database.DEBUG] writing database (/var/lib/setroubleshoot/audit_listener_database.xml) modified_count=0
This means that setroubleshoot is seeing messages about itself.

What does audit2allow -la say?
#============= setroubleshootd_t ==============
allow setroubleshootd_t home_root_t:lnk_file read;
allow setroubleshootd_t httpd_user_content_t:lnk_file read;
Add those rules using audit2allow -M mysetroubleshoot and semodule -i mysetroubleshoot.pp, and the problem will (should) go away.
You set up a link in your /home directory, is this confusing other confined apps?
Miroslav,

rawhide policy has

files_read_all_symlinks(setroubleshootd_t)

Can you add this to F10 and F11?
I've had a symlink from /home/dwmw2/public_html to /var/www/dwmw2 for a _long_ time now; I've never noticed any other fallout from it.
(In reply to comment #10)
> I've had a symlink from /home/dwmw2/public_html to /var/www/dwmw2 for a _long_
> time now; I've never noticed any other fallout from it.

... although it's running in permissive mode and I never look at the logs.
Run audit2allow -la, and I bet you will see a lot of programs trying to read the link.

The AVC is complaining about a link in /home, or your whole homedir is labeled incorrectly.

restorecon -R -v /home
(In reply to comment #9)
> Miroslav,
>
> rawhide policy has
>
> files_read_all_symlinks(setroubleshootd_t)
>
> Can you add this to F10 and F11.

Fixed in selinux-policy-3.6.12-69.fc11 and selinux-policy-3.5.13-67.fc10