Description of problem: SeTroubleshootd dies, no alerts received in Sealert in F16. Version-Release number of selected component (if applicable): [root@talon setroubleshoot]# yum list installed |grep selinux libselinux.i686 2.1.6-5.fc16 @updates libselinux.x86_64 2.1.6-5.fc16 @updates libselinux-devel.x86_64 2.1.6-5.fc16 @updates libselinux-python.x86_64 2.1.6-5.fc16 @updates libselinux-utils.x86_64 2.1.6-5.fc16 @updates selinux-policy.noarch 3.10.0-71.fc16 @updates selinux-policy-targeted.noarch 3.10.0-71.fc16 @updates How reproducible: attempt to start setroubleshootd manually using command line using command: #setroubleshootd & from a root shell in Runlevel 5 Actual results: SeTroubleshootD fails to start. SetroubleshootD fails to continue running when started manually. Expected results: I expect that since setroubleshootd was a service in F15, which was controlled by using chkconfig, that in F16 even if it is now a DBUS service that AuditD spawns, that a process setroubleshootd is visible and running all the time when you run: #ps -ef |grep setroubleshootd Additional info: SeTroubleShootD log and setroubleshoot.conf
Created attachment 555641 [details] SeTroubleShootD.conf I have modified several options in here to enable console and debug logging.
Created attachment 555642 [details] SeTroubleShootD Debug Logging
I see that SetroubleshootD isn't supposed to run like a regular process, and that sedispatch is supposed to send notify's to seapplet. The problem I am having is that I am not getting SeLinux Denial Alerts from Seapplet, and when I launch Sealert I see no avc denials that should be in there based on what I am seeing in audit.log.
setroubleshoot is now DBus service. Is auditd running? Are you creating AVC msg?
AuditD is running, I performed #systemctl enable auditd.service and #systemctl start auditd.service. I am testing by disabling Samba Home Directory sharing using SetSeBool. Once this happens and I try to perform a move or delete operation on a users home directory via another windows client I receive avc denial alerts in audit.log. However setroubleshoot log never sees any avc messages and I do not get alerted in Sealert inside KDE.
Ron, are you up-to-date? There was a bug which was fixed in the latest setroubleshoot. # rpm -q setroubleshoot
#yum list installed setroubleshoot Installed Packages setroubleshoot.x86_64 3.0.45-1.fc16 @updates # rpm -q setroubleshoot setroubleshoot-3.0.45-1.fc16.x86_64
Could you try to execute # grep smbd_t /var/log/audit/audit.log > /tmp/test.log # sealert -a /tmp/test.log
Created attachment 555840 [details] Sealert log output
It looks like it has zero alerts, but then why are these AVC Denials not counted as alerts?! It'd be nice to see when things get denied as alerts that I could cycle through in sealert, like in previous versions?
Could you just try rm -f ~/.setroubleshoot
I have removed the file ".setroubleshoot" from my user directory. It did not exist in /root. However I did find .seaudit in /root. I have attached both.
Created attachment 555879 [details] .setroubleshoot file from user directory.
Created attachment 555880 [details] /root/.seaudit
I retested (by setting samba home boolean to disabled) after removing .setroubleshoot from my home directory. I restarted auditd and smb services. I again attempted to create a new folder in the samba home directory from a Windows client to cause new denials to appear in the audit log. I noticed that the file was recreated, and it's contents match the deleted .setroubleshoot exactly. However I still do not get sealert system tray pop notification. Setroubleshootd.log also does not show any alert activity? I've attached sealert.log from /var/log/setroubleshoot as well as setroubleshootd.log in logs.tar.gz
Created attachment 555885 [details] /var/log/setroubleshoot/sealert.log and setroubleshootd.log
Same here, F16 KDE, I've wondered because I can't remember a selinux alert since the install of F16 I can see them via: [chris@thinkpad ~]$ sudo ausearch -m avc -ts today [chris@thinkpad ~]$ sudo cat /var/log/audit/audit.log [chris@thinkpad ~]$ sudo /usr/bin/sealert -v -V -a /var/log/audit/audit.log And I can generate a new one via: [chris@thinkpad ~]$ sandbox /usr/bin/perl -e '`cat /dev/urandom`' but the typical systray popup is missing and [chris@thinkpad ~]$ sealert -b shows nothing
We are getting the same issue on updated systems. I am investigating it.
What is your version of # rpm -q python-slip-dbus I have this working now.
[chris@thinkpad ~]$ rpm -q python-slip-dbus python-slip-dbus-0.2.20-1.fc16.noarch up to date with updates-testing enabled
#qrpm info python-slip-dbus Name : python-slip-dbus Version : 0.2.20 Release : 1.fc16 Architecture: noarch Install Date: Wed 04 Jan 2012 03:17:47 AM EST Group : System Environment/Libraries Size : 82204 License : GPLv2+ Signature : RSA/SHA256, Mon 28 Nov 2011 06:38:36 AM EST, Key ID 067f00b6a82ba4b7 Source RPM : python-slip-0.2.20-1.fc16.src.rpm Build Date : Mon 28 Nov 2011 11:07:29 AM EST Build Host : x86-10.phx2.fedoraproject.org Relocations : (not relocatable) Packager : Fedora Project Vendor : Fedora Project URL : http://fedorahosted.org/python-slip Summary : Convenience functions for dbus services
So if you've got it working can you attach the patch?
What does # ausearch -m user_avc
Interesting: [root@talon sbin]# ausearch -m user_avc ---- time->Tue Jan 17 19:32:35 2012 type=USER_AVC msg=audit(1326846755.452:634): user pid=16773 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.systemd1.Activator member=ActivationRequest dest=org.freedesktop.systemd1 spid=16759 tpid=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' ---- time->Tue Jan 17 19:33:00 2012 type=USER_AVC msg=audit(1326846780.643:638): user pid=16783 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=signal interface=org.freedesktop.systemd1.Activator member=ActivationRequest dest=org.freedesktop.systemd1 spid=16759 tpid=1 scontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Created attachment 556506 [details] output of "sudo ausearch -m user_avc -ts this-week" similar here, attached output of "sudo ausearch -m user_avc -ts this-week"
Maybe I've found something interesting: "Exception TypeError: "'NoneType' object is not callable" in <function _removeHandlerRef" cat /var/log/messages Jan 20 12:39:21 thinkpad dbus[1322]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper) Jan 20 12:39:21 thinkpad dbus-daemon[1322]: dbus[1322]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper) Jan 20 12:39:22 thinkpad dbus[1322]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd' Jan 20 12:39:22 thinkpad dbus-daemon[1322]: dbus[1322]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd' Jan 20 12:39:30 thinkpad dbus-daemon[1322]: ** (upowerd:2003): WARNING **: Property get or set does not have an interface string as first arg Jan 20 12:39:30 thinkpad dbus-daemon[1322]: ** (upowerd:2003): WARNING **: Property get or set does not have an interface string as first arg Jan 20 12:39:41 thinkpad dbus-daemon[1322]: Exception TypeError: "'NoneType' object is not callable" in <function _removeHandlerRef at 0x1f920c8> ignored Jan 20 12:40:00 thinkpad dbus-daemon[1322]: ** (upowerd:2003): WARNING **: Property get or set does not have an interface string as first arg Jan 20 12:40:00 thinkpad dbus-daemon[1322]: ** (upowerd:2003): WARNING **: Property get or set does not have an interface string as first arg Jan 20 12:40:02 thinkpad dbus[1322]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper) Jan 20 12:40:02 thinkpad dbus-daemon[1322]: dbus[1322]: [system] Activating service name='org.fedoraproject.Setroubleshootd' (using servicehelper) Jan 20 12:40:02 thinkpad dbus[1322]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd' Jan 20 12:40:02 thinkpad dbus-daemon[1322]: dbus[1322]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd' Jan 20 12:40:13 thinkpad dbus-daemon[1322]: Exception TypeError: "'NoneType' object is not callable" in <function _removeHandlerRef at 0x20a90c8> ignored Jan 20 12:40:19 thinkpad systemd[1]: Startup finished in 3s 388ms 54us (kernel) + 21s 285ms 403us (initrd) + 2min 37s 846ms 765us (userspace) = 3min 2s 520ms 222us. Jan 20 12:40:30 thinkpad dbus-daemon[1322]: ** (upowerd:2003): WARNING **: Property get or set does not have an interface string as first arg Jan 20 12:40:30 thinkpad dbus-daemon[1322]: ** (upowerd:2003): WARNING **: Property get or set does not have an interface string as first arg
Looks like the problem appears here too: https://bugzilla.redhat.com/show_bug.cgi?id=772982 I also get these messages: Jan 16 19:31:08 talon dbus-daemon[1024]: Exception TypeError: "'NoneType' object is not callable" in <function _removeHandlerRef at 0x16b0050> ignored
We have just built a fix for setroubleshoot in Rawhide, If everything looks ok, I will back port to F16.
Just tried to compile the F17 package on F16 and sealert works again, only some python exceptions when trying to delete some alerts or when pressing the "Previous"/"Next" buttons. "signature.py:327:evaluate_filter_for_user:TypeError: not enough arguments for format string" cd ~ rpmdev-setuptree wget http://kojipkgs.fedoraproject.org/packages/setroubleshoot/3.1.1/1.fc17/src/setroubleshoot-3.1.1-1.fc17.src.rpm sudo yum-builddep *.rpm rpmbuild --rebuild *.rpm cd rpmbuild/RPMS/x86_64/ ls setroubleshoot-3.1.1-1.fc16.x86_64.rpm setroubleshoot-doc-3.1.1-1.fc16.x86_64.rpm setroubleshoot-server-3.1.1-1.fc16.x86_64.rpm sudo yum install *.rpm sudo reboot
Yes, you can apply a patch from https://bugzilla.redhat.com/show_bug.cgi?id=783652#c1 for now.
*** Bug 783858 has been marked as a duplicate of this bug. ***
setroubleshoot-3.1.2-1.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/setroubleshoot-3.1.2-1.fc16
the update works fine (the patch from #783652 has worked too)
Package setroubleshoot-3.1.2-1.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing setroubleshoot-3.1.2-1.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2012-0879/setroubleshoot-3.1.2-1.fc16 then log in and leave karma (feedback).
Could you update karma, please. Thank you.
(In reply to comment #35) > Could you update karma, please. Thank you. I am not sure what karma is but I did select that the update is working for me in the comment dialog. Please provide a link with instructions if you need me to do something else.
setroubleshoot-3.1.2-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.
setroubleshoot-3.1.2-1.fc16 showed up tonight in my yum update I am running f16 with Xfce. What I am seeing is that I am getting an icon in the upper "whatever" (its late and I am tired) which shows that a selinux warning has been generated. Sure wish it was a loud pop-up like I got in F14/Gnome, but I don't know if under Xfce I have to install something to get that. The number of warnings I am getting is less than before (both F14 and F16 prior to this release). If there is a way to have F16/Xfce bark louder, please let me know how to do it. If you were expecting that loud bark, then I need to let you know it ain't there. Please let me know if you think my comments warrant another look at this issue or if you think it is resolved per your expectations of the code. If I can give any additional info, please let me know. Thanks, Paul
While testing 754789 and 784122, I noticed an oddity. If I power up or reboot my F16 Xfce machine and log in when I get the ability to, I get the small icon up in the upper toolbar. If I power up or reboot but don't long in until after the rc.local has executed the clam command, the little icon isn't there. Meaning I seem to only get a notice if I happen to be logged in when it happens. I ran a test on my F14 Gnome machine in which I didn't log in until after it had do the rc.local clam and the same occurs ... so at least it is not a regression. On both machines, when I click to see the alerts, the small icon goes away ... but that is okay since I've acknowledged receipt by looking at the alerts. I would think that the icon for "an alert happened" should be visible if one has happened even if I wasn't logged in at the time and should only vanish once I have viewed the alerts or dismissed it. Thanks, Paul