<br><br><div class="gmail_quote">On Wed, Jan 4, 2012 at 6:25 PM, Miroslav Grepl <span dir="ltr"><<a href="mailto:mgrepl@redhat.com">mgrepl@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
On 01/04/2012 12:31 PM, Nabeel Moidu wrote:
<blockquote type="cite">Hi<br>
<br>
I'm trying to create an SELinux policy for an rpm software
installation. I've been getting sealerts in the var/log/messages
but I am unable to view them due to this error, <br>
<br>
<i>[root@nmk-centos-60-1 policy]# sealert -l
6a6e02bc-23a7-4e55-adab-b06d0cdc2832<br>
Error<br>
query_alerts error (1003): id
(6a6e02bc-23a7-4e55-adab-b06d0cdc2832) not found<br>
</i></blockquote></div>
The problem is the alert has been already deleted from
setroubleshoot_database.xml. <br></div></blockquote><div>Is there a timeframe for the xml overwrites ? <br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"><div class="im">
<blockquote type="cite"><br>
I believe this has to do with the setroubleshoot daemon not
running.<br>
</blockquote></div>
setroubleshoot is DBus service in RHEL6.
</div></blockquote><div>OK. That explains it.<br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000"><div>
<div></div><div class="h5"><blockquote type="cite"><i><br>
[root@nmk-centos-60-1 policy]# service setroubleshoot status<br>
setroubleshoot: unrecognized service<br>
[root@nmk-centos-60-1 policy]# service --status-all | grep setro</i><br>
<br>
I have the setroubleshoot softwares installed<br>
<i><br>
[root@nmk-centos-60-1 policy]# rpm -qa | grep setroubles<br>
92:setroubleshoot-server-3.0.38-2.1.el6.x86_64<br>
425:setroubleshoot-plugins-3.0.16-1.el6.noarch<br>
426:setroubleshoot-3.0.38-2.1.el6.x86_64<br>
587:setroubleshoot-doc-3.0.38-2.1.el6.x86_64<br>
[root@nmk-centos-60-1 policy]# <br>
</i><br>
I don't see the setroubleshoot rpms creating any init script file
in init.d or elsewhere. <br>
<i><br>
[root@nmk-centos-60-1 policy]# rpm -qa --list
setroubleshoot-server | grep -v ^/usr<br>
1:/etc/audisp/plugins.d/sedispatch.conf<br>
2:/etc/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf<br>
3:/etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf<br>
4:/etc/logrotate.d/setroubleshoot<br>
5:/etc/setroubleshoot<br>
6:/etc/setroubleshoot/setroubleshoot.conf<br>
172:/var/lib/setroubleshoot<br>
173:/var/lib/setroubleshoot/email_alert_recipients<br>
174:/var/lib/setroubleshoot/setroubleshoot_database.xml<br>
175:/var/log/setroubleshoot<br>
176:/var/run/setroubleshoot<br>
<br>
</i>SELinux is running in permissive mode with mls type on my
system.<i><br>
<br>
[root@nmk-centos-60-1 policy]# sestatus<br>
SELinux status: enabled<br>
SELinuxfs mount: /selinux<br>
Current mode: permissive<br>
Mode from config file: permissive<br>
Policy version: 24<br>
Policy from config file: mls<br>
<br>
</i>I am running Centos 6.0<i><br>
<br>
[root@nmk-centos-60-1 policy]# cat /etc/issue<br>
CentOS Linux release 6.0 (Final)<br>
Kernel \r on an \m<br>
[root@nmk-centos-60-1 policy]# uname -a<br>
Linux nmk-centos-60-1 2.6.32-71.el6.x86_64 #1 SMP Fri May 20
03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux<br>
[root@nmk-centos-60-1 policy]# <br>
</i><br>
1) Did I miss anything with regards to the troubleshooting daemon
installation ?<br>
2) How can I fix the query alert error and view the sealert output
?<br>
</blockquote></div></div>
I see that you use MLS policy. I would suggest you to use ausearch
tool rather than setroubleshoot in MLS policy.<br>
<br></div></blockquote><div>I wanted to formulate the rules for a custom rpm. When using the targeted policy, I could not see any denials. So I switched to MLS to identify the AVC denials. My approach is to log the AVC denials during rpm installation, and apply the audit2allow on those denials and formulate the policy. Is this workable ? <br>
<br>The policies for running the software can be different and I plan to have that as a second stage. I just want to have the installation part getting on fine with a targeted policy.<br><br>Another question, is MLS a namechange for the "strict" type used earlier. Any links that explains the difference ?<br>
<br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div bgcolor="#FFFFFF" text="#000000">
For example:<br>
<br>
$ ausearch -m avc -ts recent<br>
$ ausearch -m avc -ts today<br>
$ ausearch -m avc -su testdomain_t<br>
<br></div></blockquote><div>This works, but I wanted to read the descriptive text about the denials that shows up in sealert. <br><br></div><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
All AVC msgs are located in /var/log/audit/audit.log.<br>
<blockquote type="cite"><br>
Nabeel <br>
<br>
<fieldset></fieldset>
<br>
<pre>--
selinux mailing list
<a href="mailto:selinux@lists.fedoraproject.org" target="_blank">selinux@lists.fedoraproject.org</a>
<a href="https://admin.fedoraproject.org/mailman/listinfo/selinux" target="_blank">https://admin.fedoraproject.org/mailman/listinfo/selinux</a></pre>
</blockquote>
<br>
</div>
</blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr">Thanks and Regards<br>Nabeel Moidu<br></div><br>