On 04/21/2010 08:02 AM, Daniel J Walsh wrote:
> Send me the output of ausearch -m avc -ts today and I will see what is
> going on.

Last night, the audit log got rotated and "sealert -s" no longer crashes.
Here's what I think occurred:
1. I got a bunch of AVCs (part of the "root procmail" problem).
2. I installed local policy to allow those actions.
3. sealert crashes when it encounters an old AVC that the current
policy allows. Perhaps setroubleshootd is having the same
problem. Now that logrotate has pushed out those pesky AVCs,
no more crash. (Right now, auditd seems to have stopped logging
new messages and has to be restarted, but that's an independent
problem.)
I'll try to research this further, but coming up with a test case that
can be easily reproduced on another system isn't going to be easy.
--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.