Bug 852784 - Messages not being logged into /var/log/messages (setroubleshootd isn't processing the messages) - SELinux is blocking setroubleshoot
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: setroubleshoot
Version: 6.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Daniel Walsh
QA Contact: BaseOS QE Security Team
 
Reported: 2012-08-29 11:18 EDT by John W
Modified: 2012-09-27 07:02 EDT

Doc Type: Bug Fix
Last Closed: 2012-09-27 07:02:21 EDT
Type: Bug
Attachments: None
Description John W 2012-08-29 11:18:39 EDT
Description of problem:

I have auditd and rsyslogd enabled and SELinux enforcing.
sealert messages are not logged to /var/log/messages (as is normal).


Version-Release number of selected component (if applicable):

RHEL 6.3

How reproducible:
Have not been able to reproduce

Steps to Reproduce:
Actual results:

Aug 29 11:06:30 server setroubleshoot: [program.ERROR] failed to get filesystem list from rpm#012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/util.py", line 238, in get_standard_directories#012    h = ts.dbMatch("name", "filesystem").next()#012error: rpmdb open failed
Aug 29 11:06:30 server setroubleshoot: [program.ERROR] failed to get filesystem list from rpm#012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/util.py", line 238, in get_standard_directories#012    h = ts.dbMatch("name", "filesystem").next()#012error: rpmdb open failed
Aug 29 11:06:32 server sedispatch: AVC Message for setroubleshoot, dropping message
Aug 29 11:06:32 server sedispatch: AVC Message for setroubleshoot, dropping message
[root@server sysconfig]# cat /var/log/messages|grep setrouble


Expected results:
May 6 23:00:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr"
to /var/www/html/testfile (samba_share_t). For complete SELinux messages.
run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654
Additional info:

I wouldn't think that I would have to create an SELinux policy for setroubleshoot to work. Either way, I created the rule per audit2allow's output and it still gives this same error.
Comment 2 John W 2012-08-29 11:53:29 EDT
I have fixed the Python error in /var/log/messages. However, I am following the documentation and I still don't get any sealerts in the messages file. Since this is a fresh RHEL 6.3 machine I would think that would be a bug. So please help me find what's causing no sealerts in the messages file still.
Comment 3 Daniel Walsh 2012-09-07 00:21:08 EDT
Miroslav didn't we fix this problem?
Comment 4 John W 2012-09-07 08:20:41 EDT
Just an FYI, I have case 852784 open with support on this as well; so far no fix though.
Comment 5 Miroslav Grepl 2012-09-11 03:25:46 EDT
(In reply to comment #3)
> Miroslav didn't we fix this problem?

Yes, I believe.

I am testing it and I see

Sep 11 09:24:07 rhel6 setroubleshoot: SELinux is preventing /usr/bin/runcon from using the transition access on a process. For complete SELinux messages. run sealert -l a7b45d79-31e2-4a7c-9d47-843d6cb26099


# rpm -qa setroubleshoot*
setroubleshoot-plugins-3.0.40-1.el6.noarch
setroubleshoot-3.0.47-3.el6_3.x86_64
setroubleshoot-server-3.0.47-3.el6_3.x86_64
Comment 6 John W 2012-09-11 06:58:20 EDT
Please advise how you generated the sealerts, because I have attempted to create alerts using vsftpd and the sealert -l message never shows up in messages, and I have the same RPMs installed. Please reference my case also.
Comment 7 Daniel Walsh 2012-09-11 07:45:52 EDT
Are you still seeing the errors in the log files with the same packages?

Looking at this more closely, is there something wrong with your rpm database?
Comment 8 Miroslav Grepl 2012-09-11 07:47:20 EDT
Maybe you will need to rebuild your rpm database.
Comment 9 John W 2012-09-11 07:55:44 EDT
Support already had me rebuild my rpm database and still the same results.
Comment 10 John W 2012-09-11 07:56:36 EDT
I will post the current error messages when I get back home Thursday.
Comment 11 John W 2012-09-11 08:17:11 EDT
Here are the most recent messages after generating an SELinux denial using vsftpd.

OK, so tail -f /var/log/messages still returned nothing to me; nothing was logged to /var/log/messages.

grep AVC audit.log | sedispatch returned a bunch of these:

Got Reply: AVC

Then I tested with FTP to my home dir and here are the results I got.

In the messages file:

Sep  7 08:27:52 server vsftpd[2620]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=root rhost=client  user=root
Sep  7 08:28:11 server setroubleshoot: [program.ERROR] failed to get filesystem list from rpm#012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/util.py", line 238, in get_standard_directories#012    h = ts.dbMatch("name", "filesystem").next()#012error: rpmdb open failed
Sep  7 08:28:11 server setroubleshoot: [program.ERROR] failed to get filesystem list from rpm#012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/util.py", line 238, in get_standard_directories#012    h = ts.dbMatch("name", "filesystem").next()#012error: rpmdb open failed
Sep  7 08:28:16 server sedispatch: AVC Message for setroubleshoot, dropping message
Sep  7 08:28:16 server sedispatch: AVC Message for setroubleshoot, dropping message

In the audit file:

type=AVC msg=audit(1347020890.603:101): avc:  denied  { search } for  pid=2632 comm="vsftpd" name="home" dev=dm-0 ino=913925 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1347020890.603:101): arch=c000003e syscall=80 success=no exit=-13 a0=7f9739983490 a1=1f4 a2=0 a3=7fffcffd8e60 items=0 ppid=2627 pid=2632 auid=4294967295 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347020892.294:102): avc:  denied  { write } for  pid=2634 comm="setroubleshootd" name="plugins" dev=dm-0 ino=420591 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1347020892.294:102): arch=c000003e syscall=87 success=no exit=-13 a0=7fff8477bf20 a1=7f7309a39fe7 a2=5049e6fa a3=3dcf5b9600 items=0 ppid=1 pid=2634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
Comment 12 Daniel Walsh 2012-09-18 12:00:17 EDT
setroubleshoot is complaining about Python compiles in /usr/share/setroubleshoot/plugins.

Could you just run
python /usr/share/setroubleshoot/plugins/*py

That should fix that problem.
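As an added example (not code from the bug report or from the setroubleshoot project): a small parser for the audit.log records quoted in comment 11 that pairs each AVC with its SYSCALL record by audit serial, renders denials in the style of the sealert line the reporter expected, and separately flags denials whose subject is setroubleshootd itself, which the "sedispatch: AVC Message for setroubleshoot, dropping message" lines show are never forwarded to setroubleshoot and so have to be read from audit.log directly. The sample records are the report's own, with some SYSCALL fields dropped for brevity.

```python
import re

# Sample input: audit.log records quoted in comment 11 (some SYSCALL fields dropped for brevity).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1347020890.603:101): avc:  denied  { search } for  pid=2632 comm="vsftpd" name="home" dev=dm-0 ino=913925 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1347020890.603:101): arch=c000003e syscall=80 success=no exit=-13 pid=2632 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347020892.294:102): avc:  denied  { write } for  pid=2634 comm="setroubleshootd" name="plugins" dev=dm-0 ino=420591 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1347020892.294:102): arch=c000003e syscall=87 success=no exit=-13 pid=2634 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \}")

def parse_audit(text):
    """Group AVC and SYSCALL records by audit serial (the number after the colon in msg=audit(...))."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m["body"])}
        if m["type"] == "AVC":
            a = AVC_RE.search(m["body"])
            fields["result"] = a["result"]
            fields["perms"] = a["perms"].split()
            # third field of a context is the SELinux type, e.g. setroubleshootd_t / usr_t
            fields["stype"] = fields["scontext"].split(":")[2]
            fields["ttype"] = fields["tcontext"].split(":")[2]
        events.setdefault(m["serial"], {})[m["type"]] = fields
    return events

def summarize(events):
    """One line per denial, in the style of the setroubleshoot message quoted in the report."""
    out = []
    for serial in sorted(events, key=int):
        avc = events[serial].get("AVC")
        if not avc or avc["result"] != "denied":
            continue
        exe = events[serial].get("SYSCALL", {}).get("exe", avc["comm"])
        out.append('SELinux is preventing %s (%s) "%s" to %s (%s)'
                   % (exe, avc["stype"], " ".join(avc["perms"]), avc["name"], avc["ttype"]))
    return out

def self_blocking_denials(events):
    """Serials of denials whose subject is setroubleshootd itself; sedispatch drops these, so no sealert appears."""
    return [s for s in sorted(events, key=int)
            if events[s].get("AVC", {}).get("stype") == "setroubleshootd_t"
            and events[s]["AVC"]["result"] == "denied"]
```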
