Bug 852784 - Messages not being logged into /var/log/messages (setroubleshootd isn't processing the messages) - SELinux is blocking setroubleshoot
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: setroubleshoot
Version: 6.3
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE Security Team
 
Reported: 2012-08-29 15:18 UTC by John W
Modified: 2012-09-27 11:02 UTC (History)

Doc Type: Bug Fix
Last Closed: 2012-09-27 11:02:21 UTC



Description John W 2012-08-29 15:18:39 UTC
Description of problem:

I have auditd and rsyslogd enabled and SELinux enforcing.
sealert messages are not logged to /var/log/messages (as is normal).


Version-Release number of selected component (if applicable):

RHEL 6.3

How reproducible:
Have not been able to reproduce

Steps to Reproduce:
1.
2.
3.
  
Actual results:

Aug 29 11:06:30 server setroubleshoot: [program.ERROR] failed to get filesystem list from rpm#012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/util.py", line 238, in get_standard_directories#012    h = ts.dbMatch("name", "filesystem").next()#012error: rpmdb open failed
Aug 29 11:06:30 server setroubleshoot: [program.ERROR] failed to get filesystem list from rpm#012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/util.py", line 238, in get_standard_directories#012    h = ts.dbMatch("name", "filesystem").next()#012error: rpmdb open failed
Aug 29 11:06:32 server sedispatch: AVC Message for setroubleshoot, dropping message
Aug 29 11:06:32 server sedispatch: AVC Message for setroubleshoot, dropping message
[root@server sysconfig]# cat /var/log/messages|grep setrouble


Expected results:



May 6 23:00:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr"
to /var/www/html/testfile (samba_share_t). For complete SELinux messages.
run sealert -l c05911d3-e680-4e42-8e36-fe2ab9f8e654





Additional info:

I wouldn't think that I would have to create an SELinux policy for setroubleshoot to work. Either way, I created the rule per audit2allow's output and it still gives this same error.

Comment 2 John W 2012-08-29 15:53:29 UTC
I have fixed the Python error in /var/log/messages. However, I am following the documentation and I still don't get any sealerts in the messages file. Since this is a fresh RHEL 6.3 machine I would think that would be a bug. So please help me find what's causing no sealerts in the messages file still.

Comment 3 Daniel Walsh 2012-09-07 04:21:08 UTC
Miroslav, didn't we fix this problem?

Comment 4 John W 2012-09-07 12:20:41 UTC
Just an FYI, I have case 852784 open with support on this as well; so far no fix though.

Comment 5 Miroslav Grepl 2012-09-11 07:25:46 UTC
(In reply to comment #3)
> Miroslav, didn't we fix this problem?

Yes, I believe.

I am testing it and I see

Sep 11 09:24:07 rhel6 setroubleshoot: SELinux is preventing /usr/bin/runcon from using the transition access on a process. For complete SELinux messages. run sealert -l a7b45d79-31e2-4a7c-9d47-843d6cb26099


# rpm -qa setroubleshoot*
setroubleshoot-plugins-3.0.40-1.el6.noarch
setroubleshoot-3.0.47-3.el6_3.x86_64
setroubleshoot-server-3.0.47-3.el6_3.x86_64

Comment 6 John W 2012-09-11 10:58:20 UTC
Please advise how you generated the sealerts, because I have attempted to create alerts using vsftpd and the sealert -l message never shows up in messages, and I have the same RPMs installed. Please reference my case also.

Comment 7 Daniel Walsh 2012-09-11 11:45:52 UTC
Are you still seeing the errors in the log files with the same packages?

Looking at this more closely, is there something wrong with your rpm database?

Comment 8 Miroslav Grepl 2012-09-11 11:47:20 UTC
Maybe you will need to rebuild your rpm database.

Comment 9 John W 2012-09-11 11:55:44 UTC
Support already had me rebuild my rpm database and still same results

Comment 10 John W 2012-09-11 11:56:36 UTC
I will post the current error messages when I get back home Thursday.

Comment 11 John W 2012-09-11 12:17:11 UTC
Here are the most recent messages after generating an SELinux denial using vsftpd:


OK, so the tail -f /var/log/messages still returned nothing to me; nothing was logged to /var/log/messages.

The grep AVC audit.log|sedispatch returned a bunch of these:

Got Reply: AVC

Then I tested with ftp to my home dir and here are the results I got:


In messages file:

Sep  7 08:27:52 server vsftpd[2620]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=root rhost=client  user=root
Sep  7 08:28:11 server setroubleshoot: [program.ERROR] failed to get filesystem list from rpm#012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/util.py", line 238, in get_standard_directories#012    h = ts.dbMatch("name", "filesystem").next()#012error: rpmdb open failed
Sep  7 08:28:11 server setroubleshoot: [program.ERROR] failed to get filesystem list from rpm#012Traceback (most recent call last):#012  File "/usr/lib64/python2.6/site-packages/setroubleshoot/util.py", line 238, in get_standard_directories#012    h = ts.dbMatch("name", "filesystem").next()#012error: rpmdb open failed
Sep  7 08:28:16 server sedispatch: AVC Message for setroubleshoot, dropping message
Sep  7 08:28:16 server sedispatch: AVC Message for setroubleshoot, dropping message



In audit file:

type=AVC msg=audit(1347020890.603:101): avc:  denied  { search } for  pid=2632 comm="vsftpd" name="home" dev=dm-0 ino=913925 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir
type=SYSCALL msg=audit(1347020890.603:101): arch=c000003e syscall=80 success=no exit=-13 a0=7f9739983490 a1=1f4 a2=0 a3=7fffcffd8e60 items=0 ppid=2627 pid=2632 auid=4294967295 uid=0 gid=0 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=4294967295 comm="vsftpd" exe="/usr/sbin/vsftpd" subj=system_u:system_r:ftpd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1347020892.294:102): avc:  denied  { write } for  pid=2634 comm="setroubleshootd" name="plugins" dev=dm-0 ino=420591 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir
type=SYSCALL msg=audit(1347020892.294:102): arch=c000003e syscall=87 success=no exit=-13 a0=7fff8477bf20 a1=7f7309a39fe7 a2=5049e6fa a3=3dcf5b9600 items=0 ppid=1 pid=2634 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="setroubleshootd" exe="/usr/bin/python" subj=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 key=(null)

Comment 12 Daniel Walsh 2012-09-18 16:00:17 UTC
setroubleshoot is complaining about Python compiles in /usr/share/setroubleshoot/plugins.

You just run
python /usr/share/setroubleshoot/plugins/*py

That should fix that problem.
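
The two AVC records in comment 11 describe different problems: one is the vsftpd denial the reporter provoked, the other is a denial against setroubleshootd itself, the kind of record the sedispatch "AVC Message for setroubleshoot, dropping message" lines refer to. The Python below is an added example, not part of the bug thread or of setroubleshoot; `parse_avc` and `triage` are hypothetical names, and the sample records are copied from comment 11.

```python
import re

# The two AVC records from comment 11 (their SYSCALL records are omitted).
AUDIT_LINES = [
    'type=AVC msg=audit(1347020890.603:101): avc:  denied  { search } for  pid=2632 comm="vsftpd" name="home" dev=dm-0 ino=913925 scontext=system_u:system_r:ftpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir',
    'type=AVC msg=audit(1347020892.294:102): avc:  denied  { write } for  pid=2634 comm="setroubleshootd" name="plugins" dev=dm-0 ino=420591 scontext=system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+) \} for\s+(?P<fields>.*)$')


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = {"serial": int(m.group("serial")), "perms": m.group("perms").split()}
    # The rest of the record is key=value pairs; string values are quoted.
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields")):
        rec[key] = value.strip('"')
    # An SELinux context is user:role:type:level; the type is the third field.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec


def triage(lines, analyzer_type="setroubleshootd_t"):
    """Separate denials against ordinary services from denials against the
    analysis daemon itself, which never show up as sealert messages."""
    service, analyzer = [], []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            bucket = analyzer if rec["source_type"] == analyzer_type else service
            bucket.append(rec)
    return service, analyzer


if __name__ == "__main__":
    service, analyzer = triage(AUDIT_LINES)
    for label, recs in (("service", service), ("setroubleshootd", analyzer)):
        for r in recs:
            print("%s: %s denied %s on %s '%s' (%s -> %s)" % (
                label, r["comm"], ",".join(r["perms"]), r["tclass"],
                r["name"], r["source_type"], r["target_type"]))
```

On the records from this bug, the second bucket holds the `write` denial on the `plugins` directory labelled `usr_t`, which is the record comment 12 is addressing.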

