On 01/04/2012 12:31 PM, Nabeel Moidu wrote:
Hi

I'm trying to create an SELinux policy for an rpm software installation. I've been getting sealerts in /var/log/messages, but I am unable to view them due to this error:

[root@nmk-centos-60-1 policy]# sealert -l 6a6e02bc-23a7-4e55-adab-b06d0cdc2832
Error
query_alerts error (1003): id (6a6e02bc-23a7-4e55-adab-b06d0cdc2832) not found
The problem is the alert has been already deleted from setroubleshoot_database.xml.

I believe this has to do with the setroubleshoot daemon not running.
setroubleshoot is a DBus service in RHEL6.

[root@nmk-centos-60-1 policy]# service setroubleshoot status
setroubleshoot: unrecognized service
[root@nmk-centos-60-1 policy]# service --status-all | grep setro


I have the setroubleshoot software installed:

[root@nmk-centos-60-1 policy]# rpm -qa | grep setroubles
setroubleshoot-server-3.0.38-2.1.el6.x86_64
setroubleshoot-plugins-3.0.16-1.el6.noarch
setroubleshoot-3.0.38-2.1.el6.x86_64
setroubleshoot-doc-3.0.38-2.1.el6.x86_64
[root@nmk-centos-60-1 policy]#

I don't see the setroubleshoot rpms creating any init script file in init.d or elsewhere:

[root@nmk-centos-60-1 policy]# rpm -qa --list setroubleshoot-server  | grep -v ^/usr
/etc/audisp/plugins.d/sedispatch.conf
/etc/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf
/etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf
/etc/logrotate.d/setroubleshoot
/etc/setroubleshoot
/etc/setroubleshoot/setroubleshoot.conf
/var/lib/setroubleshoot
/var/lib/setroubleshoot/email_alert_recipients
/var/lib/setroubleshoot/setroubleshoot_database.xml
/var/log/setroubleshoot
/var/run/setroubleshoot

SELinux is running in permissive mode with the mls type on my system:

[root@nmk-centos-60-1 policy]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        mls

I am running CentOS 6.0:

[root@nmk-centos-60-1 policy]# cat /etc/issue
CentOS Linux release 6.0 (Final)
Kernel \r on an \m
[root@nmk-centos-60-1 policy]# uname -a
Linux nmk-centos-60-1 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux
[root@nmk-centos-60-1 policy]#

1) Did I miss anything with regards to the troubleshooting daemon installation?
2) How can I fix the query alert error and view the sealert output?

I see that you use the MLS policy. I would suggest using the ausearch tool rather than setroubleshoot with the MLS policy.

For example:

$ ausearch -m avc -ts recent
$ ausearch -m avc -ts today
$ ausearch -m avc -su testdomain_t

All AVC messages are located in /var/log/audit/audit.log.

Nabeel
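As an added illustration (not code from the thread and not part of ausearch): a small Python parser that reads AVC records in the audit.log format and filters them the way the ausearch commands above do, by subject type (approximating -su, matched on the type field of the subject context) and by start time (approximating -ts). The log lines, the comm names and the testdomain_t contexts are constructed samples.

```python
import re

# Constructed sample of /var/log/audit/audit.log records (not taken from the thread);
# the second AVC carries an MLS range in scontext, as an MLS-policy box would log it.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1325680303.123:421): avc:  denied  { read } for  pid=2471 comm="myapp" name="app.conf" dev=dm-0 ino=131213 scontext=system_u:system_r:testdomain_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1325680303.123:421): arch=c000003e syscall=2 success=yes exit=3 comm="myapp"
type=AVC msg=audit(1325680310.456:422): avc:  denied  { write open } for  pid=2471 comm="myapp" name="app.log" dev=dm-0 ino=131214 scontext=system_u:system_r:testdomain_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1325680320.789:423): avc:  denied  { name_connect } for  pid=1337 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
"""

# Header of an AVC record: timestamp, serial, result and the permission set in braces.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+)\} for\s+(?P<fields>.*)"
)
# key=value pairs that follow "for"; values may be quoted (comm="...") or bare.
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("fields"))}
    # A context is user:role:type[:range]; the type is the third colon-separated field,
    # so an MLS range such as s0-s15:c0.c1023 after it does not disturb the lookup.
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm"),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields.get("tclass"),
    }

def search_avc(log_text, subject_type=None, since=None):
    """Filter AVC records like 'ausearch -m avc [-su TYPE] [-ts EPOCH]' would."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue                      # SYSCALL, PATH, ... records are skipped
        if subject_type is not None and rec["stype"] != subject_type:
            continue
        if since is not None and rec["ts"] < since:
            continue
        hits.append(rec)
    return hits
```

Each hit lists the denied permissions together with the source and target types, which is exactly the information needed when turning an AVC into a policy rule for a new domain.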


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux