Bug 771181 - sealert only appears after first avc denied error
Summary: sealert only appears after first avc denied error
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: setroubleshoot
Version: 16
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2012-01-02 11:13 UTC by Robin Green
Modified: 2012-01-28 03:26 UTC

Fixed In Version: setroubleshoot-3.1.2-1.fc16
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-01-28 03:26:38 UTC
Type: ---
Embargoed:



Description Robin Green 2012-01-02 11:13:28 UTC
Description of problem:
sealert only appeared for the first avc denied error I experienced since I enabled auditd.service (which was not enabled when I upgraded to F16). Subsequent denials did not result in sealert appearing.

Version-Release number of selected component (if applicable):
setroubleshoot-3.0.41-1.fc16.x86_64

How reproducible:
Haven't tried

Steps to Reproduce:
1. Trigger SELinux denied message
  
Actual results:
Message appears in /var/log/audit/audit.log, but (except for the very first time) sealert does not appear on the desktop.

Expected results:
sealert should always appear

Additional info:
The only messages mentioning Setroubleshoot in /var/log/* appear in the following excerpt, which corresponds to the very first denied message, that was reported:

Jan  1 10:11:51 localhost dbus[1063]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jan  1 10:11:51 localhost dbus-daemon[1063]: dbus[1063]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper)
Jan  1 10:11:52 localhost logger: /etc/xen/scripts/block: Path closed or removed during hotplug add: backend/vbd/1/51712 state: 5
Jan  1 10:11:52 localhost avahi-daemon[1039]: Withdrawing workstation service for vif1.0.
Jan  1 10:11:52 localhost logger: /etc/xen/scripts/block: xenstore-read backend/vbd/1/51712/node failed.
Jan  1 10:11:52 localhost logger: /etc/xen/scripts/block: /etc/xen/scripts/block failed; error detected.
Jan  1 10:11:55 localhost dbus[1063]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jan  1 10:11:55 localhost dbus-daemon[1063]: dbus[1063]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jan  1 10:11:55 localhost setroubleshoot: Deleting alert 456aef8f-40f0-4acf-99ad-d3b5b48f0e29, it is allowed in current policy
Jan  1 10:12:00 localhost setroubleshoot: SELinux is preventing /usr/lib/xen/bin/qemu-dm from 'read, write' accesses on the chr_file ptmx. For complete SELinux messages. run sealert -l b7abad9a-121c-431f-bca3-521c9e67f9a0

After this there are no more messages.

The other denied messages in audit.log all have the same comm field.
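
Added example, not part of the original report or of setroubleshoot: a Python check for the symptom described above, listing AVC denials in audit.log that have no matching setroubleshoot alert line in syslog. The audit records are constructed samples in the usual auditd AVC layout, the syslog line is the one quoted in the report, and matching `comm` against the basename of the alert's path is a heuristic assumption.

```python
import os
import re

# auditd AVC record: epoch timestamp, permission set, then key=value fields.
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): avc:\s+denied\s+'
                    r'\{ (?P<perms>[^}]*?) \} for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# setroubleshoot syslog line, in the form quoted in this report.
ALERT_RE = re.compile(r"setroubleshoot: SELinux is preventing (?P<path>\S+) from "
                      r"'?(?P<perms>[^']+?)'? access(?:es)? on the "
                      r"(?P<tclass>\S+) (?P<name>.+?)\. For complete")

def avc_signatures(audit_lines):
    """Map (comm, perms, tclass, name) to the timestamps of matching denials."""
    sigs = {}
    for line in audit_lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        f = {k: v.strip('"') for k, v in KV_RE.findall(m["fields"])}
        # Some records carry path= instead of name=; use its last component.
        name = f.get("name") or os.path.basename(f.get("path", ""))
        sig = (f.get("comm", ""), frozenset(m["perms"].split()), f.get("tclass", ""), name)
        sigs.setdefault(sig, []).append(float(m["ts"]))
    return sigs

def alert_signatures(syslog_lines):
    """Collect the same signature from each setroubleshoot alert line."""
    sigs = set()
    for line in syslog_lines:
        m = ALERT_RE.search(line)
        if m:
            perms = frozenset(p.strip() for p in m["perms"].split(","))
            # The kernel truncates comm to 15 characters (heuristic match).
            sigs.add((os.path.basename(m["path"])[:15], perms, m["tclass"], m["name"]))
    return sigs

def unreported(audit_lines, syslog_lines):
    """Denial signatures present in audit.log but never alerted on."""
    alerted = alert_signatures(syslog_lines)
    return {s: ts for s, ts in avc_signatures(audit_lines).items() if s not in alerted}

# Constructed audit records; the syslog line is the one quoted in the report.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1325412711.101:52): avc:  denied  { read write } for  pid=2301 comm="qemu-dm" name="ptmx" dev=devtmpfs ino=1138 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:ptmx_t:s0 tclass=chr_file',
    'type=AVC msg=audit(1325700000.202:91): avc:  denied  { getattr } for  pid=2301 comm="qemu-dm" path="/dev/net/tun" dev=devtmpfs ino=77 scontext=system_u:system_r:xend_t:s0 tcontext=system_u:object_r:tun_tap_device_t:s0 tclass=chr_file',
]
SAMPLE_SYSLOG = ["Jan  1 10:12:00 localhost setroubleshoot: SELinux is preventing /usr/lib/xen/bin/qemu-dm from 'read, write' accesses on the chr_file ptmx. For complete SELinux messages. run sealert -l b7abad9a-121c-431f-bca3-521c9e67f9a0"]
```

On a live system, pass the lines of /var/log/audit/audit.log and /var/log/messages in place of the samples.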

Comment 1 Robin Green 2012-01-02 11:51:31 UTC
I can't reproduce this now, after having rebooted.

Grasping at straws here, but could the crash I reported in bug 771100 - even though it wasn't in setroubleshootd itself - have somehow wedged setroubleshootd?

Comment 2 Miroslav Grepl 2012-01-02 13:30:54 UTC
Not sure if I understand correctly. 

Are you saying you were trying to repeat the same AVC msg and you were getting only the first AVC msg in sealert?

Comment 3 Robin Green 2012-01-02 14:06:43 UTC
No, when I experienced this bug, I was trying to fix the AVC problems using audit2allow and semodule. But fixing them that way only produced different AVC messages when I retried. But sealert did not pop up and inform me about the other messages - I only found out about them when I looked in audit.log myself.

Comment 4 Daniel Walsh 2012-01-03 15:30:28 UTC
Are you seeing any errors about setroubleshoot in /var/log/messages?

If you run sealert -b

Does the browser show the errors?

Comment 5 Robin Green 2012-01-03 21:10:08 UTC
(In reply to comment #4)
> Are you seeing any errors about setroubleshoot in /var/log/messages?

No, as I said, the ones above were the only ones.

> If you run sealert -b
> 
> Does the browser show the errors?

Not the missing ones, no.

Comment 6 Robin Green 2012-01-07 18:17:22 UTC
It's repeatedly still losing avc messages (but not always from the second avc as I previously stated). I don't know what's triggering it. For example, the avc reports in https://bugzilla.redhat.com/attachment.cgi?id=551338&action=edit do not appear in sebrowser.

There are no setroubleshoot messages in /var/log/messages since the last time setroubleshoot worked (Jan 4).

setroubleshootd is running and has been running since Jan 4.

Comment 7 Miroslav Grepl 2012-01-09 14:22:11 UTC
Ok, could you try to switch to enforcing mode and see if you get a sealert warning about that?

Comment 8 Robin Green 2012-01-11 20:42:00 UTC
I am already in enforcing mode.

Comment 9 Fedora Update System 2012-01-23 18:50:02 UTC
setroubleshoot-3.1.2-1.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/setroubleshoot-3.1.2-1.fc16

Comment 10 Fedora Update System 2012-01-24 01:45:14 UTC
Package setroubleshoot-3.1.2-1.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing setroubleshoot-3.1.2-1.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-0879/setroubleshoot-3.1.2-1.fc16
then log in and leave karma (feedback).

Comment 11 Fedora Update System 2012-01-28 03:26:38 UTC
setroubleshoot-3.1.2-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.

