Bug 621278 - False alerts of setroubleshoot
Summary: False alerts of setroubleshoot
Keywords:
Status: CLOSED EOL
Alias: None
Product: Fedora
Classification: Fedora
Component: setroubleshoot
Version: 22
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-08-04 16:26 UTC by jb.alabern
Modified: 2016-07-19 20:25 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-19 20:25:46 UTC
Type: ---


Attachments (Terms of Use)

Description jb.alabern 2010-08-04 16:26:54 UTC
Description of problem: since 1 or 2 weeks, just right after doing it, it appears a little black window of setroubleshoot with an alert message and an icon of it at tha tasks bar. When I click on it, it has no messages to shwo, most of times.


Version-Release number of selected component (if applicable): Fedora 13


How reproducible: every time I start the computer


Steps to Reproduce:
1.
2.
3.
  
Actual results: I have asked at Fedora forums and two "forumers" have answered to me some possible solutions and no one has worked.


Expected results:


Additional info:

Comment 1 Daniel Walsh 2010-08-04 18:30:17 UTC
Sometimes you see the icon and when you click on it, it shows nothing?  Or the window never shows up?

Did you tell the browser to ignore any alerts?

Comment 2 jb.alabern 2010-08-05 17:41:33 UTC
   Sometimes appears only the icon at the tasks bar, sometimes, a part from the icon, appears a little black window with two options: "Dismiss" or "Show".
   When appears the little black window, if I click at "Dismiss", this black window ant the icon close; when I click at "Show", it appears a bigger window with the alert, almost always without any message.
   When only appears the icon, you must click on it to open the bigger window; if not, the icon stays.

Comment 3 Daniel Walsh 2010-08-05 19:03:17 UTC
Could you remove ~/.setroubleshoot

And see if it works better.

Comment 4 jb.alabern 2010-08-20 08:34:11 UTC
This is one of the very few messages which appears in the SELinux troubleshoot. It has appeared today. Also, I have an alert (form the Smartdrive?) which explains that the other hard disk drive (with Windows) doesn't work.


Resum:

SELinux is preventing /bin/bash access to a leaked /root file descriptor.

Descripció detallada:

[prelink has a permissive type (prelink_cron_system_t). This access was not
denied.]

SELinux denied access requested by the prelink command. It looks like this is
either a leaked descriptor or prelink output was redirected to a file it is not
allowed to access. Leaks usually can be ignored since SELinux is just closing
the leak and reporting the error. The application does not use the descriptor,
so it will run properly. If this is a redirection, you will not get output in
the /root. You should generate a bugzilla on selinux-policy, and it will get
routed to the appropriate package. You can safely ignore this avc.

Permet l'accés:

You can generate a local policy module to allow this access - see FAQ
(http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385)

Informació addicional:

Context de la font            system_u:system_r:prelink_cron_system_t:s0-s0:c0.c
                              1023
Context de l'objectiu         system_u:object_r:admin_home_t:s0
Objectes objectius            /root [ dir ]
Font                          prelink
Camí de la font              /bin/bash
Port                          <Desconegut>
Ordinador                     (removed)
Paquests RPM font             bash-4.1.7-1.fc13
Paquets RPM destí            filesystem-2.4.31-1.fc13
RPM de política              selinux-policy-3.7.19-44.fc13
S'ha habilitat el Selinux     True
Tipus de la política         targeted
Mode forçat                  Enforcing
Nom del connector             leaks
Nom de la màquina            (removed)
Plataforma                    Linux (removed)
                              2.6.33.6-147.2.4.fc13.i686.PAE #1 SMP Fri Jul 23
                              17:21:06 UTC 2010 i686 i686
Contador d'alertes            1
Vist per primera vegada       dv 20 ago 2010 10:11:07 CEST
Vist per darrera vegada       dv 20 ago 2010 10:11:07 CEST
Identificador local           b3b7aa89-f247-4be6-a65f-2be7e2d36b78
Número de línies            

Missatges d'auditoria sense p 

node=(removed) type=AVC msg=audit(1282291867.772:26): avc:  denied  { read } for  pid=2806 comm="prelink" path="/root" dev=dm-0 ino=262149 scontext=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 tcontext=system_u:object_r:admin_home_t:s0 tclass=dir

node=(removed) type=SYSCALL msg=audit(1282291867.772:26): arch=40000003 syscall=11 success=yes exit=0 a0=8f96ca8 a1=8f96b30 a2=8f93b88 a3=8f96b30 items=0 ppid=2661 pid=2806 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="prelink" exe="/bin/bash" subj=system_u:system_r:prelink_cron_system_t:s0-s0:c0.c1023 key=(null)

Comment 5 GoinEasy9 2010-08-20 17:09:30 UTC
I am having a similar problem after login to F14:

An selinux troubleshoot icon appears after login.
I open up SELinux Troubleshooter and it says "No Alerts to view"
I click the arrow to "Show Full Error Output", and it's empty.
The only thing showing is Policy Version, which is 3.8.8-14.fc14.

I've looked at the logs and can't find anything pointing to the error.  Let me know if further info would help.

Comment 6 GoinEasy9 2010-08-21 02:56:06 UTC
I resolved the problem by clearing ~/.setroubleshoot.

Comment 7 jb.alabern 2010-08-21 21:37:14 UTC
   I have tried this command line (?): clearing ~/.setroubleshoot in Terminal and it hasn't been recognized as an order. What must I do with it?

Comment 8 GoinEasy9 2010-08-22 22:23:58 UTC
@jb.alabern
Your looking for a file /home/<Username>/.setroubleshoot.  Open it up in gedit and delete the contents, or some would say just delete the file.  I felt safer just emptying its contents.  Once empty, the empty AVC error went away.

Comment 9 jb.alabern 2010-08-23 09:42:14 UTC
How can I open it with Gedit?

Comment 10 Daniel Walsh 2010-08-23 13:46:00 UTC
Just do an open And change the location to .setroubleshoot

Comment 11 jb.alabern 2010-08-23 21:47:30 UTC
   Whaaaaaat? Note that I am a simple user of computer, not a programmer. I just remembre the command lines of MS-DOS like "copy c:/program_X/*.* c:/program_Y". You have to explain the instructions step by step, please.
   Anyway, thank you very much for answering and for your patience.

Comment 12 Daniel Walsh 2010-08-24 14:41:22 UTC
Click on Applications Menu. Click on Accessories, Click on Gedit Text Editor. 

When gedit comes up, click on open.

In location bar on popup enter .setroubleshoot
Hit ok.

Delete Content,
Hit save.

Comment 13 jb.alabern 2010-08-24 16:12:01 UTC
   You want to say Gedit text editor, don't you?
   When I open it, if I click the icon Open (or press the keys "Ctrl." + "O"), it appears a window to open a file, without spaces to write in (".setroubleshoot").
   Oh no, this is like Matrix...!

Comment 14 jb.alabern 2010-09-08 20:34:40 UTC
   Moreover, it has helped to me a membre of a local Linux community, but I have not achieved to solve it. Where is the location bar of Gedit, the hidden files with ".setroubleshoot" I cannot delete because I don't have permission to do it...
   And if I uninstall SELinux?

Comment 15 jb.alabern 2010-09-21 20:20:39 UTC
   Toady I have uninstalled Setroubleshoot (not SELinux) and the next time when I have started the computer, finally it has not appeared the message about an alert without any message.
   Perhaps Setroubleshoot is important and necessary for reporting errors, but at the moment it has given to me only this annoyance.

Comment 16 jb.alabern 2010-10-04 20:26:47 UTC
   Both GoinEasy9 and you have asnwered to me since I uninstalled SEtroubleshoot, but it seems that there are no answers in your messages. The last comment which appears here is the 15th, written by me. What have you written to me after?

Comment 17 Daniel Walsh 2010-10-04 20:29:22 UTC
You reported that you were not able to delete the file that we told you to delete.  Now you say that you have uninstalled setroubleshoot, meaning you have no futher information to give.

Comment 18 jb.alabern 2010-10-06 21:10:44 UTC
   Because I didn't know how to delete that damned file, I uninstalled Setroubleshoot, and the problem of false alerts is already solved.
   Thank you for all.

Comment 19 Alick Zhao 2015-06-22 08:26:08 UTC
Hi guys,

I am having this bug on my laptop with Fedora 22, recently fedup-ed from Fedora 21. In my user session, after a while, I get a popup alert of seapplet. When I click it, the se browser window pop up, but listing no issue at all.

Comment 20 Alick Zhao 2015-06-22 08:43:18 UTC
Ah I can see there are quite a few avc messages in audit.log . The issue is they do not show up in sealert window.

I find the following logs from journalctl:

(forgive me for '月' which means month...)


6月 22 16:27:01 helium dbus[685]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
6月 22 16:27:02 helium dbus[685]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
6月 22 16:27:02 helium setroubleshoot[22660]: cannot chmod /var/lib/setroubleshoot/setroubleshoot_database.xml to 600 [Operation not permitted]
6月 22 16:27:02 helium setroubleshoot[22660]: cannot chown /var/lib/setroubleshoot/setroubleshoot_database.xml to setroubleshoot:setroubleshoot [Operation not permitted]
6月 22 16:27:02 helium setroubleshoot[22660]: read_xml_file() libxml2.parserError: xmlParseFile() failed
6月 22 16:27:02 helium org.fedoraproject.Setroubleshootd[685]: Permission deniedPermission deniedI/O warning : failed to load external entity "/var/lib/setroubleshoot/setroubleshoot_database.xml"
6月 22 16:27:02 helium setroubleshoot[22660]: cannot chmod /var/lib/setroubleshoot/email_alert_recipients to 600 [Operation not permitted]
6月 22 16:27:02 helium setroubleshoot[22660]: cannot chown /var/lib/setroubleshoot/email_alert_recipients to setroubleshoot:setroubleshoot [Operation not permitted]
6月 22 16:27:02 helium setroubleshoot[22660]: could not write /var/lib/setroubleshoot/setroubleshoot_database.xml: [Errno 13] Permission denied: '/var/lib/setroubleshoot/setroubleshoot_database.xml'

Comment 21 dr-ru 2015-06-25 05:22:14 UTC
Hello,
 The same problem after upgrading from FC20 with fedup:

could not write /var/lib/setroubleshoot/setroubleshoot_database.xml: [Errno 13] Permission denied: '/var/lib/setroubleshoot/setroubleshoot_database.xml'
Permission deniedPermission deniedI/O warning : failed to load external entity "/var/lib/setroubleshoot/setroubleshoot_database.xml"
cannot chown /var/lib/setroubleshoot/email_alert_recipients to setroubleshoot:setroubleshoot [Operation not permitted]
cannot chmod /var/lib/setroubleshoot/email_alert_recipients to 600 [Operation not permitted]
read_xml_file() libxml2.parserError: xmlParseFile() failed
cannot chown /var/lib/setroubleshoot/setroubleshoot_database.xml to setroubleshoot:setroubleshoot [Operation not permitted]
cannot chmod /var/lib/setroubleshoot/setroubleshoot_database.xml to 600 [Operation not permitted]
[system] Successfully activated service 'org.fedoraproject.Setroubleshootd'

Comment 22 Paul Finnigan 2015-06-30 17:53:21 UTC
Same problem on a fresh installation of Fedora 22.

Note that the first error message:

cannot chmod /var/lib/setroubleshoot/setroubleshoot_database.xml to 600 [Operation not permitted]

file currently in place:

[root@####]# ls -l /var/lib/setroubleshoot/setroubleshoot_database.xml
-rw-------. 1 root root 2481 Jun 20 10:16 /var/lib/setroubleshoot/setroubleshoot_database.xml

Should the file be owned by setroubleshoot:setroubleshoot?

Comment 23 ILMostro 2015-07-17 04:59:47 UTC
Yeah, same problem after upgrading from Fedora20 to 22.  I noticed some systemd-related users were added to `/etc/passwd` as well as the "setroubleshoot" user; apparently those were not there before on my computer, according to my mail logs from rkhunter, I believe.  Not sure if that'll be helpful with resolving this issue for future users' upgrades.  As before, moving the files in `/var/lib/setroubleshoot/` to a backup or deleting them resolves the issue.  However, that's not at all obvious at first without an internet search.

Comment 24 Miroslav Grepl 2015-07-20 08:11:37 UTC
Yes, it should be owned by setroubleshoot.

drwx------. 2 setroubleshoot setroubleshoot 4096 Jun 19 02:57 /var/lib/setroubleshoot/


What does

$ rpm -q setroubleshoot

Comment 25 Göran Uddeborg 2015-07-21 19:16:07 UTC
In my case, I have setroubleshoot-3.2.24-1.fc22.x86_64.  All of the files

/var/lib/setroubleshoot
/var/lib/setroubleshoot/email_alert_recipients
/var/lib/setroubleshoot/setroubleshoot_database.xml

were owned by root.root.  When I did "rpm -qlv setroubleshoot-server", they are supposed to be owned by setroubleshoot.setroubleshoot.  Still, "rpm -V setroubleshoot-server" didn't complain.

I get the impression that these files previously belonged to root.  After some upgrade, they should belong to the setroubleshoot user instead.  But nothing in the upgrade made sure this ownership actually happened.  Could this be the case?

Comment 26 Petr Lautrbach 2015-08-12 15:37:39 UTC
You are right, Göran. The owner of files in /var/lib/setroubleshoot was not  correctly changed from root:root to seetroubleshoot:setroubleshoot. I'll add a trigger which will enforce this change on update to the next release.

Even though it's not related to the original report, I'll close this bug as resolved. Feel free to reopen it or file a new bug if the original problem persist.

Comment 27 Fedora End Of Life 2016-07-19 20:25:46 UTC
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.


Note You need to log in before you can comment on or make changes to this bug.