sealert error

Nabeel Moidu nabeelmoidu at gmail.com
Thu Jan 5 06:25:42 UTC 2012


On Wed, Jan 4, 2012 at 6:25 PM, Miroslav Grepl <mgrepl at redhat.com> wrote:

>  On 01/04/2012 12:31 PM, Nabeel Moidu wrote:
>
> Hi
>
> I'm trying to create an SELinux policy for an rpm software installation.
> I've been getting sealerts in /var/log/messages but I am unable to view
> them due to this error:
>
> [root@nmk-centos-60-1 policy]# sealert -l 6a6e02bc-23a7-4e55-adab-b06d0cdc2832
> Error
> query_alerts error (1003): id (6a6e02bc-23a7-4e55-adab-b06d0cdc2832) not found
>
> The problem is the alert has been already deleted from
> setroubleshoot_database.xml.
>
Is there a timeframe for the XML overwrites?

>
> I believe this has to do with the setroubleshoot daemon not running.
>
> setroubleshoot is a DBus service in RHEL6.
>
OK. That explains it.

> [root@nmk-centos-60-1 policy]# service setroubleshoot status
> setroubleshoot: unrecognized service
> [root@nmk-centos-60-1 policy]# service --status-all | grep setro*
>
> I have the setroubleshoot software installed:
>
> [root@nmk-centos-60-1 policy]# rpm -qa | grep setroubles
> 92:setroubleshoot-server-3.0.38-2.1.el6.x86_64
> 425:setroubleshoot-plugins-3.0.16-1.el6.noarch
> 426:setroubleshoot-3.0.38-2.1.el6.x86_64
> 587:setroubleshoot-doc-3.0.38-2.1.el6.x86_64
> [root@nmk-centos-60-1 policy]#
> I don't see the setroubleshoot rpms creating any init script file in
> init.d or elsewhere.
>
> [root@nmk-centos-60-1 policy]# rpm -qa --list setroubleshoot-server | grep -v ^/usr
> 1:/etc/audisp/plugins.d/sedispatch.conf
> 2:/etc/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf
> 3:/etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf
> 4:/etc/logrotate.d/setroubleshoot
> 5:/etc/setroubleshoot
> 6:/etc/setroubleshoot/setroubleshoot.conf
> 172:/var/lib/setroubleshoot
> 173:/var/lib/setroubleshoot/email_alert_recipients
> 174:/var/lib/setroubleshoot/setroubleshoot_database.xml
> 175:/var/log/setroubleshoot
> 176:/var/run/setroubleshoot
>
> SELinux is running in permissive mode with mls type on my system.
>
> [root@nmk-centos-60-1 policy]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        mls
>
> I am running CentOS 6.0.
>
> [root@nmk-centos-60-1 policy]# cat /etc/issue
> CentOS Linux release 6.0 (Final)
> Kernel \r on an \m
> [root@nmk-centos-60-1 policy]# uname -a
> Linux nmk-centos-60-1 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux
> [root@nmk-centos-60-1 policy]#
> 1) Did I miss anything with regards to the troubleshooting daemon
> installation ?
> 2) How can I fix the query alert error and view the sealert output ?
>
> I see that you use the MLS policy. I would suggest you use the ausearch tool
> rather than setroubleshoot with the MLS policy.
>
I wanted to formulate the rules for a custom rpm. When using the targeted
policy, I could not see any denials, so I switched to MLS to identify the
AVC denials. My approach is to log the AVC denials during rpm installation,
then apply audit2allow to those denials and formulate the policy. Is
this workable?

The policies for running the software can be different and I plan to have
that as a second stage. I just want to have the installation part getting
on fine with a targeted policy.

Another question: is MLS a name change for the "strict" type used earlier?
Any links that explain the difference?

> For example:
>
> $ ausearch -m avc -ts recent
> $ ausearch -m avc -ts today
> $ ausearch -m avc -su testdomain_t
>
This works, but I wanted to read the descriptive text about the denials
that shows up in sealert.

> All AVC messages are located in /var/log/audit/audit.log.
>
>
> Nabeel
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
>
>


-- 
Thanks and Regards
Nabeel Moidu
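The approach discussed in the thread (collect the AVC denials that audit.log records while the rpm installs, then turn them into allow rules the way audit2allow does) as a small Python script. This is an added example, not code from the thread or from the audit2allow project; the audit.log lines are constructed, and the types in them (rpm_script_t, etc_t, var_run_t) are sample values only.

```python
import re
from collections import defaultdict

# Constructed sample lines (not from the thread) in the format that
# `ausearch -m avc` prints from /var/log/audit/audit.log. The contexts carry
# an MLS range (s0-s15:c0.c1023), as they would under the mls policy.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1325744742.123:4711): avc:  denied  { read } for  pid=2045 comm="myinstall" name="conf.d" dev=dm-0 ino=1234 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1325744742.123:4712): avc:  denied  { write } for  pid=2045 comm="myinstall" name="conf.d" dev=dm-0 ino=1234 scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1325744743.500:4713): avc:  denied  { create } for  pid=2046 comm="myinstall" name="app.pid" scontext=system_u:system_r:rpm_script_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=file
type=SYSCALL msg=audit(1325744743.500:4713): arch=c000003e syscall=2 success=yes exit=3
"""

# Only AVC records matter here; the SYSCALL record sharing the event id is skipped.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def domain_type(context):
    """Return the type (third colon-separated field) of an SELinux context.
    The MLS range that follows it, e.g. s0-s15:c0.c1023, is not part of a TE rule."""
    return context.split(":")[2]

def parse_avc_denials(text):
    """Yield (source_type, target_type, class, {permissions}) per AVC denial."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            yield (domain_type(m["scontext"]), domain_type(m["tcontext"]),
                   m["tclass"], set(m["perms"].split()))

def allow_rules(text):
    """Merge denials with the same (source, target, class), as audit2allow does,
    and emit one TE allow rule per group, sorted for stable output."""
    grouped = defaultdict(set)
    for stype, ttype, tclass, perms in parse_avc_denials(text):
        grouped[(stype, ttype, tclass)] |= perms
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(grouped.items())]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT_LOG):
        print(rule)
```

On the real system the same grouping is what `ausearch -m avc -ts recent | audit2allow -M mymodule` produces. Review each generated rule before loading it: a denial captured in permissive mode may point to a mislabelled file rather than an access the package genuinely needs.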