694322 – setroubleshoot detects alerts some times but sealert cannot display any error messages and command 'sealert -l' returns id not found.

Bug 694322 - setroubleshoot detects alerts some times but sealert cannot display any error messages and command 'sealert -l' returns id not found.

Summary: setroubleshoot detects alerts some times but sealert cannot display any error...

Keywords:
Status:	CLOSED NOTABUG
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	setroubleshoot
Sub Component:
Version:	6.1
Hardware:	i386
OS:	All
Priority:	medium
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Walsh
QA Contact:	Milos Malik
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2011-04-07 00:47 UTC by Kenichi Takemura
Modified:	2014-08-04 22:03 UTC (History)
CC List:	5 users (show)
Fixed In Version:	setroubleshoot-3.0.31-1.el6
Doc Type:	Bug Fix
Doc Text:	Under certain circumstances, when the setroubleshoot utility detected alerts, the sealert utility was not able to display appropriate error messages and the "sealert -l" command returned the "id not found" error message. This bug has been fixed in this update so that sealert now works as expected.
Clone Of:
Environment:
Last Closed:	2011-11-02 11:11:31 UTC
Target Upstream Version:

Attachments	(Terms of Use)
audit_listener_database.xml (336 bytes, text/xml) 2011-04-10 23:11 UTC, Kenichi Takemura	no flags	Details
View All Add an attachment (proposed patch, testcase, etc.)

Description Kenichi Takemura 2011-04-07 00:47:39 UTC

Description of problem:

I am working RHEL6.1 ja_JP Desktop.
Frequently SELinux alerts occur but when I see sealert GUI, there is not message to report. In /var/log/messages there are logs below but described command 'sealert -l <id>' returns id not found.

Apr 4 10:37:13 dhcp-1-167 setroubleshoot: SELinux は /bin/bash による "dac_override" アクセスを阻止しています . For complete SELinux messages. run sealert -l 04d6a653-f1df-4630-bc20-1408bd9c1ccc
Apr 4 10:37:13 dhcp-1-167 setroubleshoot: SELinux は /bin/bash による "dac_override" アクセスを阻止しています . For complete SELinux messages. run sealert -l 04d6a653-f1df-4630-bc20-1408bd9c1ccc
Apr 7 09:36:35 dhcp-1-167 setroubleshoot: SELinux は /usr/sbin/tzdata-update による "dac_override" アクセスを阻止しています . For complete SELinux messages. run sealert -l 42128f12-361a-4489-b386-12315457b535
Apr 7 09:36:35 dhcp-1-167 setroubleshoot: SELinux は /usr/sbin/tzdata-update による "dac_override" アクセスを阻止しています . For complete SELinux messages. run sealert -l 42128f12-361a-4489-b386-12315457b535

# sealert -l 04d6a653-f1df-4630-bc20-1408bd9c1ccc
query_alerts error (1003): id (04d6a653-f1df-4630-bc20-1408bd9c1ccc) not found
# sealert -l 42128f12-361a-4489-b386-12315457b535
query_alerts error (1003): id (42128f12-361a-4489-b386-12315457b535) not found

Apart from why SELinux detects above "dac_override" access errors, I think sealert GUI or CLI should provide some info about how to fix the issue.

Version-Release number of selected component (if applicable):
$ rpm -qa | grep setroubleshoot
setroubleshoot-server-2.2.94-1.el6.i686
setroubleshoot-plugins-2.1.60-1.el6.noarch
setroubleshoot-2.2.94-1.el6.i686

How reproducible:
SELinux alert sometimes occurs.

Steps to Reproduce:
1. Do some routine tasks on RHEL6.1 ja_JP Desktop such as browsing.
2. Sometimes SELinux alerts occur.
3. Click alert icon on the Panel.
4. Run command described in /var/log/messages

Actual results:
Neither sealert GUI or CLI show any usable information.

Expected results:
sealert GUI or CLI should provide some info about how to fix the issue.

Additional info:

Comment 2 RHEL Program Management 2011-04-07 01:04:42 UTC

Since RHEL 6.1 External Beta has begun, and this bug remains
unresolved, it has been rejected as it is not proposed as
exception or blocker.

Red Hat invites you to ask your support representative to
propose this request, if appropriate and relevant, in the
next release of Red Hat Enterprise Linux.

Comment 3 Daniel Walsh 2011-04-07 13:37:32 UTC

Is this a translation problem?  IE Can you try those commands with 

LANG=C and see if it works?

Sometimes those commands could fail if the alert has been removed from the database.  Alerts get removed if more then 50 different alerts get added.  Or if a policy update fixes the problem.

Comment 4 Kenichi Takemura 2011-04-08 01:45:59 UTC

Hi I do not think this is an i18n issue.
At least regarding 'sealert', as below it cannot find most recent incident id.

$ sudo tail -20 /var/log/messages | grep setroubleshoot
Apr  8 11:38:14 dhcp-1-167 setroubleshoot: SELinux は /bin/bash による "dac_override" アクセスを阻止しています . For complete SELinux messages. run sealert -l f9f042e3-4b82-4590-8738-e0df85a86995
Apr  8 11:38:14 dhcp-1-167 setroubleshoot: SELinux は /bin/bash による "dac_override" アクセスを阻止しています . For complete SELinux messages. run sealert -l f9f042e3-4b82-4590-8738-e0df85a86995
Apr  8 11:40:24 dhcp-1-167 setroubleshoot: [xml.ERROR] read_xml_file() libxml2.parserError: xmlParseFile() failed

$ sudo LANG=C sealert -l f9f042e3-4b82-4590-8738-e0df85a86995
query_alerts error (1003): id (f9f042e3-4b82-4590-8738-e0df85a86995) not found
$ sudo LANG=ja_JP.UTF8 sealert -l f9f042e3-4b82-4590-8738-e0df85a86995
query_alerts error (1003): id (f9f042e3-4b82-4590-8738-e0df85a86995) not found
$ su 
パスワード:
# LANG=C
# sealert -l f9f042e3-4b82-4590-8738-e0df85a86995
query_alerts error (1003): id (f9f042e3-4b82-4590-8738-e0df85a86995) not found
# LANG=en_US.UTF8
# sealert -l f9f042e3-4b82-4590-8738-e0df85a86995
query_alerts error (1003): id (f9f042e3-4b82-4590-8738-e0df85a86995) not found

Comment 5 Daniel Walsh 2011-04-08 18:23:39 UTC

Please attach 

/var/lib/setroubleshoot/audit_listener_database.xml

This xml database is what sealert is trying to read.

Comment 6 Kenichi Takemura 2011-04-10 23:11:28 UTC

Created attachment 491119 [details]
audit_listener_database.xml

Please find attached, thanks

Comment 7 Daniel Walsh 2011-05-23 18:51:27 UTC

Fixed in setroubleshoot-3.0.31-1.el6

Comment 10 Petr Kovar 2011-07-04 17:14:59 UTC

    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Under certain circumstances, when the setroubleshoot utility detected alerts, the sealert utility was not able to display appropriate error messages and the "sealert -l" command returned the "id not found" error message. This bug has been fixed in this update so that sealert now works as expected.

Comment 11 Milos Malik 2011-09-02 15:26:16 UTC

If a common user runs "sealert -b" and deletes all alerts which are shown in the browser window then these alerts stop being visible for root user too. Which means that "sealert -l ..." will always produce following message:

query_alerts error (1003): id (...) not found

I would say that this behavior is a bug. Alerts written by setroubleshootd to /var/log/messages should be always visible for root.

Comment 12 Milos Malik 2011-09-06 14:47:32 UTC

Is it possible that another user deleted some alerts via sealert browser window as described in comment#11 ?

Comment 13 Daniel Walsh 2011-09-06 15:09:35 UTC

You can prevent common users from deleteing the alerts if you want by modifying setroubleshoot config.

Comment 16 Karel Srot 2011-10-27 12:00:27 UTC

Hi Dan,
how to prevent users from deleting alerts? By restriction of "client_users = *" in /etc/setroubleshoot/setroubleshoot.conf?

Do you think that the default behavior (user can delete the alert) is fine?

Comment 17 Daniel Walsh 2011-10-27 14:47:42 UTC

Yes that will work.  Being able to delete alerts, is not changing the log files.  The AVC still exists in the audit.log and perhaps referred to in the /var/log/messages.

But if I had a multi-user machine, I would worry more about information leaks and might remove the setroubleshoot package and just leave the setroubleshoot-server package.

Comment 18 Karel Srot 2011-10-31 06:48:06 UTC

The thing is that ordinary user can delete the alert but not to remove the setroubleshoot package. Once the alert is deleted, it is difficult to match the warning in /var/log/messages to the audit.log record. Admin user cannot use id , the only option that comes to my mind right now is to "decrypt" the timestamp in audit.log.

Comment 19 Miroslav Grepl 2011-11-01 18:02:58 UTC

How Dan said, the AVC msgs are available from audit.log for root user. 

If a root user doesn't want to allow a common user to remove alerts then there is an option.

Comment 20 Karel Srot 2011-11-02 07:39:28 UTC

In that case this bug should be closed as NOT_A_BUG. Unless I am missing something.

Comment 21 Miroslav Grepl 2011-11-02 11:11:31 UTC

Per all comments I am closing this bug as NOTABUG.

Note You need to log in before you can comment on or make changes to this bug.