On 04/21/2010 10:04 AM, Robert Nichols wrote:
> Last night, the audit log got rotated and "sealert -s" no
> longer crashes.
>
> Here's what I think occurred:
>
> 1. I got a bunch of AVCs (part of the "root procmail" problem).
> 2. I installed local policy to allow those actions.
> 3. sealert crashes when it encounters an old AVC that the current
>    policy allows. Perhaps setroubleshootd is having the same
>    problem. Now that logrotate has pushed out those pesky AVCs,
>    no more crash. (Right now, auditd seems to have stopped logging
>    new messages and has to be restarted, but that's an independent
>    problem.)
>
> I'll try to research this further, but coming up with a test case that
> can be easily reproduced on another system isn't going to be easy.

No, that's not what's doing it. I tracked it down to 1 line in the old
audit.log file. Here's the killer:

type=AVC msg=audit(1265646923.059:12565): avc: denied { search } for pid=1557 comm="polkitd" name=".config" dev=sda2 ino=32945 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnome_home_t:s0 tclass=dir

When "sealert -a" reads a file containing just that one line, the result
is:

100% doneTraceback (most recent call last):
  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 621, in task
    self.close()
  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 608, in close
    self.avc_event_handler(audit_event)
  File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 647, in avc_event_handler
    avc = AVC(audit_event)
  File "/usr/lib64/python2.6/site-packages/setroubleshoot/audit_data.py", line 586, in __init__
    self.derive_avc_info_from_audit_event()
  File "/usr/lib64/python2.6/site-packages/setroubleshoot/audit_data.py", line 884, in derive_avc_info_from_audit_event
    raise ValueError("Invalid AVC %s, it is allowed in current policy" % avc)
NameError: global name 'avc' is not defined

--
Bob Nichols "NOSPAM" is really part of my email address.
Do NOT delete it.
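
Added example, not part of the original message and not setroubleshoot code: a Python 3 sketch of isolating the one audit record that makes an analyzer raise, by parsing each AVC line and running the handler on it separately. The handlers, the ALLOWED set and the second log record are constructed for illustration; buggy_handler only mimics the shape of the raise statement shown in the traceback.

```python
import re
# Constructed input: the record quoted in the post plus one made-up neighbour.
SAMPLE_LOG = (
    'type=AVC msg=audit(1265646923.059:12565): avc: denied { search } for pid=1557 '
    'comm="polkitd" name=".config" dev=sda2 ino=32945 scontext=system_u:system_r:'
    'policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnome_home_t:s0 tclass=dir\n'
    'type=AVC msg=audit(1265646930.100:12570): avc: denied { read } for pid=1600 '
    'comm="procmail" name="mbox" dev=sda2 ino=40000 scontext=system_u:system_r:'
    'procmail_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file\n'
)
AVC_RE = re.compile(r'type=AVC msg=audit\([\d.]+:(\d+)\): avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Hypothetical stand-in for a policy lookup: (source type, target type, class, perm).
ALLOWED = {("policykit_t", "gnome_home_t", "dir", "search")}

def parse_avc(line):
    """Split one AVC record into a dict, or return None for other record types."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(3))}
    rec["serial"], rec["perms"] = int(m.group(1)), m.group(2).split()
    return rec

def is_allowed(rec):
    # SELinux contexts are user:role:type:level; the type is the third field.
    src, tgt = rec["scontext"].split(":")[2], rec["tcontext"].split(":")[2]
    return any((src, tgt, rec["tclass"], p) in ALLOWED for p in rec["perms"])

def buggy_handler(rec):
    if is_allowed(rec):
        # Same shape as the raise in the traceback: 'avc' is not bound here.
        raise ValueError("Invalid AVC %s, it is allowed in current policy" % avc)

def fixed_handler(rec):
    if is_allowed(rec):
        raise ValueError("Invalid AVC %s, it is allowed in current policy" % rec["serial"])

def isolate(log_text, handler):
    """Run handler on each record separately; return (line no, serial, exception name)."""
    failures = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_avc(line)
        try:
            if rec is not None:
                handler(rec)
        except Exception as exc:
            failures.append((lineno, rec["serial"], type(exc).__name__))
    return failures
```

With buggy_handler the unbound name surfaces as NameError and hides the intended ValueError; catching per record keeps one bad line from aborting the whole pass and reports which line it was.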