sealert error

Miroslav Grepl mgrepl at redhat.com
Wed Jan 4 12:55:39 UTC 2012


On 01/04/2012 12:31 PM, Nabeel Moidu wrote:
> Hi
>
> I'm trying to create an SELinux policy for an rpm software 
> installation. I've been getting sealerts in the var/log/messages but I 
> am unable to view them due to this error,
>
> [root@nmk-centos-60-1 policy]# sealert -l 6a6e02bc-23a7-4e55-adab-b06d0cdc2832
> Error
> query_alerts error (1003): id (6a6e02bc-23a7-4e55-adab-b06d0cdc2832) not found
>
The problem is that the alert has already been deleted from 
setroubleshoot_database.xml.
>
> I believe this has to do with the setroubleshoot daemon not running.
setroubleshoot is a DBus service in RHEL6.
>
> [root@nmk-centos-60-1 policy]# service setroubleshoot status
> setroubleshoot: unrecognized service
> [root@nmk-centos-60-1 policy]# service --status-all | grep setro
>
> I have the setroubleshoot software installed
>
> [root@nmk-centos-60-1 policy]# rpm -qa | grep setroubles
> 92:setroubleshoot-server-3.0.38-2.1.el6.x86_64
> 425:setroubleshoot-plugins-3.0.16-1.el6.noarch
> 426:setroubleshoot-3.0.38-2.1.el6.x86_64
> 587:setroubleshoot-doc-3.0.38-2.1.el6.x86_64
> [root@nmk-centos-60-1 policy]#
>
> I don't see the setroubleshoot rpms creating any init script file in 
> init.d or elsewhere.
>
> [root@nmk-centos-60-1 policy]# rpm -qa --list setroubleshoot-server | grep -v ^/usr
> 1:/etc/audisp/plugins.d/sedispatch.conf
> 2:/etc/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf
> 3:/etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf
> 4:/etc/logrotate.d/setroubleshoot
> 5:/etc/setroubleshoot
> 6:/etc/setroubleshoot/setroubleshoot.conf
> 172:/var/lib/setroubleshoot
> 173:/var/lib/setroubleshoot/email_alert_recipients
> 174:/var/lib/setroubleshoot/setroubleshoot_database.xml
> 175:/var/log/setroubleshoot
> 176:/var/run/setroubleshoot
>
> SELinux is running in permissive mode with mls type on my system.
>
> [root@nmk-centos-60-1 policy]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        mls
>
> I am running CentOS 6.0
>
> [root@nmk-centos-60-1 policy]# cat /etc/issue
> CentOS Linux release 6.0 (Final)
> Kernel \r on an \m
> [root@nmk-centos-60-1 policy]# uname -a
> Linux nmk-centos-60-1 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux
> [root@nmk-centos-60-1 policy]#
>
> 1) Did I miss anything with regards to the troubleshooting daemon 
> installation?
> 2) How can I fix the query alert error and view the sealert output?
I see that you use MLS policy. I would suggest that you use the ausearch 
tool rather than setroubleshoot with MLS policy.

For example:

$ ausearch -m avc -ts recent
$ ausearch -m avc -ts today
$ ausearch -m avc -su testdomain_t

All AVC msgs are located in /var/log/audit/audit.log.
>
> Nabeel
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
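
The approach suggested in the reply above (reading AVC records directly instead of going through sealert), as an added example that is not part of the original thread: a shell function that groups AVC denials by source type, target type, class and permissions, taking the type from the third context field so that MLS ranges such as `s0-s15:c0.c1023` do not break the parse. The names `avc_summary` and `avc_sample`, the program name `myapp` and all sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: summarise AVC denials per (source type, target type, class, perms).

# Constructed sample records in audit.log format (not taken from the thread).
avc_sample() {
    cat <<'EOF'
type=AVC msg=audit(1325681700.101:51): avc:  denied  { read write } for  pid=2101 comm="myapp" name="state.db" dev=dm-0 ino=1301 scontext=system_u:system_r:testdomain_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
type=SYSCALL msg=audit(1325681700.101:51): arch=c000003e syscall=2 success=yes exit=3 comm="myapp"
type=AVC msg=audit(1325681705.220:52): avc:  denied  { name_connect } for  pid=2101 comm="myapp" dest=80 scontext=system_u:system_r:testdomain_t:s0-s15:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1325681709.874:53): avc:  denied  { read write } for  pid=2101 comm="myapp" name="state.db" dev=dm-0 ino=1301 scontext=system_u:system_r:testdomain_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
EOF
}

# Reads audit records from the named files (or stdin) and prints
# "<count> <source type> <target type> <class> { <perms> }", most frequent first.
avc_summary() {
    awk '
    # A context is user:role:type:level; with MLS the level itself contains
    # colons, so take field 3 rather than the last or second-to-last field.
    function ctx_type(f,   p) { split(substr(f, 10), p, ":"); return p[3] }

    /type=AVC/ && /denied/ {
        perms = $0
        sub(/^.*[{] */, "", perms)      # drop everything up to "{ "
        sub(/ *[}].*$/, "", perms)      # drop " }" and the rest of the line
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/)      src = ctx_type($i)
            else if ($i ~ /^tcontext=/) tgt = ctx_type($i)
            else if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        n[src " " tgt " " cls " { " perms " }"]++
    }
    END { for (k in n) print n[k], k }
    ' "$@" | sort -k1,1nr -k2
}

# Demonstration on the constructed records.
avc_sample | avc_summary
```

On a live system, pipe the output of any of the ausearch commands above into `avc_summary`, or pass it `/var/log/audit/audit.log` as an argument.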
