Re: SEtroubleshootd Crashing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



Could you send me a copy of your audit.log.

You should not be getting hundreds of AVC's a day. 

ausearch -m avc,user_avc -ts today

On 12/02/2014 05:08 AM, John Beranek wrote:
> I'll jump in here to say we'll try your suggestion, but I guess what's not
> been mentioned is that we get the setroubleshoot abrt's only a few times a
> day, but we're getting 10000s of setroubleshoot messages in
> /var/log/messages a day.
>
> e.g.
>
> Dec  2 10:03:55 server audispd: queue is full - dropping event
> Dec  2 10:04:00 server audispd: last message repeated 199 times
> Dec  2 10:04:00 server rsyslogd-2177: imuxsock begins to drop messages from
> pid 5967 due to rate-limiting
> Dec  2 10:04:01 server rsyslogd-2177: imuxsock lost 2 messages from pid
> 5967 due to rate-limiting
> Dec  2 10:04:01 server audispd: queue is full - dropping event
> Dec  2 10:04:02 server audispd: last message repeated 134 times
> Dec  2 10:04:02 server setroubleshoot: SELinux is preventing /bin/ps from
> read access on the file /proc/<pid>/stat. For complete SELinux messages.
> run sealert -l 2274b1c7-fd69-4fa8-8e67-cd7a9da9eff4
> Dec  2 10:04:02 server audispd: queue is full - dropping event
> Dec  2 10:04:03 server audispd: last message repeated 48 times
> Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from
> getattr access on the directory /proc/<pid>. For complete SELinux messages.
> run sealert -l 2d09d555-8834-4c27-976b-6647f8673286
> Dec  2 10:04:03 server audispd: queue is full - dropping event
> Dec  2 10:04:03 server audispd: last message repeated 15 times
> Dec  2 10:04:03 server rsyslogd-2177: imuxsock begins to drop messages from
> pid 5967 due to rate-limiting
> Dec  2 10:04:03 server setroubleshoot: SELinux is preventing /bin/ps from
> search access on the directory /proc/<pid>/stat. For complete SELinux
> messages. run sealert -l 0ef0c7a1-acb2-433a-aaa2-361cc95b6069
> Dec  2 10:04:04 server setroubleshoot: last message repeated 2 times
> Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps from
> getattr access on the directory /proc/<pid>. For complete SELinux messages.
> run sealert -l 58f859b0-7382-428e-81f0-3e85f66d79fc
> Dec  2 10:04:04 server setroubleshoot: SELinux is preventing /bin/ps from
> search access on the directory /proc/<pid>/stat. For complete SELinux
> messages. run sealert -l 2448a46d-5089-4f85-aae8-e9013341471f
> Dec  2 10:04:05 server setroubleshoot: last message repeated 2 times
> Dec  2 10:04:05 server setroubleshoot: SELinux is preventing /bin/ps from
> getattr access on the directory /proc/<pid>. For complete SELinux messages.
> run sealert -l f935416b-54fe-4bbd-b66c-2e1b2e6724be
> Dec  2 10:04:06 server setroubleshoot: SELinux is preventing /bin/ps from
> search access on the directory /proc/<pid>/stat. For complete SELinux
> messages. run sealert -l d8dbf973-7bc2-4fd5-9540-18c4040be03c
> Dec  2 10:04:06 server setroubleshoot: last message repeated 2 times
> Dec  2 10:04:06 server sedispatch: AVC Message for setroubleshoot, dropping
> message
> Dec  2 10:04:06 server sedispatch: last message repeated 3 times
>
> Cheers,
>
> John
>
> On 1 December 2014 at 17:19, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
>
>> On 12/01/2014 10:39 AM, Gary Smithson wrote:
>>> We are currently running libxml2-2.7.6-14.el6_5.2.x86_64
>>>
>>> How far back would you suggest we go? would
>> libxml2-2.7.6-14.el6_5.1.x86_64 be sufficient
>> Ok might not be related.  One other suggestion would be to clear the
>> database out.  And see if there
>> was something in the database that was causing it problems.
>>
>> Make sure there is no setroubleshootd running and
>>
>>> /var/lib/setroubleshoot/setroubleshoot_database.xml
>>> -----Original Message-----
>>> From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On
>> Behalf Of Daniel J Walsh
>>> Sent: 01 December 2014 15:10
>>> To: CentOS mailing list
>>> Subject: Re:  SEtroubleshootd Crashing
>>>
>>> I am not sure.  I was just seeing email on this today.  Could you try to
>> downgrade the latest version of libxml to see if the problem goes away.
>>> On 12/01/2014 10:01 AM, Gary Smithson wrote:
>>>> Thanks
>>>>
>>>> Could you please clarify, which version libxml is broken and has there
>> been a newer version released that will fix it.
>>>> -----Original Message-----
>>>> From: centos-bounces@xxxxxxxxxx [mailto:centos-bounces@xxxxxxxxxx] On
>>>> Behalf Of Daniel J Walsh
>>>> Sent: 01 December 2014 14:58
>>>> To: CentOS mailing list
>>>> Subject: Re:  SEtroubleshootd Crashing
>>>>
>>>> This seems to be a problem with an updated version of libxml.
>>>> On 11/28/2014 09:04 AM, Gary Smithson wrote:
>>>>> When running Node.js through Phusion Passenger on Centos 6.5 ( Linux
>> 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51 UTC 2014 x86_64
>> x86_64 x86_64 GNU/Linux), with SELinux enabled in permissive mode we
>> receive a large number of entries in the audit.log and setroubleshootd
>> randomly crashes with the following error, We have resolved the selinux
>> alerts by following the troubleshooting steps recommend by running
>> sealert,However we are concerned by setroubleshootd crashing and are
>> concered that we may have masked the issue by fixing the entries in the
>> audit.log.
>>>>>
>>>>>
>>>>> abrt_version:   2.0.8
>>>>>
>>>>> cmdline:        /usr/bin/python -Es /usr/sbin/setroubleshootd -f ''
>>>>>
>>>>> executable:     /usr/sbin/setroubleshootd
>>>>>
>>>>> kernel:         2.6.32-431.23.3.el6.x86_64
>>>>>
>>>>> last_occurrence: 1417101625
>>>>>
>>>>> time:           Thu 27 Nov 2014 03:20:25 PM UTC
>>>>>
>>>>> uid:            0
>>>>>
>>>>> username:       root
>>>>>
>>>>>
>>>>>
>>>>> sosreport.tar.xz: Binary file, 3642240 bytes
>>>>>
>>>>>
>>>>>
>>>>> backtrace:
>>>>>
>>>>> :analyze.py:426:lookup_signature:ProgramError: [Errno 1001] signature
>>>>> not found
>>>>>
>>>>> :
>>>>>
>>>>> :Traceback (most recent call last):
>>>>>
>>>>> :  File
>>>>> "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line
>>>>> 401, in auto_save_callback
>>>>>
>>>>> :    self.save()
>>>>>
>>>>> :  File
>>>>> "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line
>>>>> 377, in save
>>>>>
>>>>> :    self.prune()
>>>>>
>>>>> :  File
>>>>> "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line
>>>>> 340, in prune
>>>>>
>>>>> :    self.delete_signature(sig, prune=True)
>>>>>
>>>>> :  File
>>>>> "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line
>>>>> 471, in delete_signature
>>>>>
>>>>> :    siginfo = self.lookup_signature(sig)
>>>>>
>>>>> :  File
>>>>> "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line
>>>>> 426, in lookup_signature
>>>>>
>>>>> :    raise ProgramError(ERR_NO_SIGNATURE_MATCH)
>>>>>
>>>>> :ProgramError: [Errno 1001] signature not found
>>>>>
>>>>> :
>>>>>
>>>>> :Local variables in innermost frame:
>>>>>
>>>>> :matches: []
>>>>>
>>>>> :siginfo: None
>>>>>
>>>>> :self: <setroubleshoot.analyze.SETroubleshootDatabase object at
>>>>> 0x151d590>
>>>>>
>>>>> :sig: <setroubleshoot.signature.SEFaultSignature object at 0x645a050>
>>>>>
>>>>>
>>>>>
>>>>> We are running the following versions Passenger/htttpd/node
>>>>>
>>>>>
>>>>> passenger --version
>>>>>
>>>>> Phusion Passenger version 4.0.53
>>>>>
>>>>>
>>>>> httpd -v
>>>>> Server version: Apache/2.2.15 (Unix)
>>>>> Server built:   Jul 23 2014 14:17:29
>>>>>
>>>>>
>>>>> node -v
>>>>> v0.10.32
>>>>>
>>>>> This email is from the Press Association. For more information, see
>> www.pressassociation.com. This email may contain confidential
>> information. Only the addressee is permitted to read, copy, distribute or
>> otherwise use this email or any attachments. If you have received it in
>> error, please contact the sender immediately. Any opinion expressed in this
>> email is personal to the sender and may not reflect the opinion of the
>> Press Association. Any email reply to this address may be subject to
>> interception or monitoring for operational reasons or for lawful business
>> practices.
>>>>> _______________________________________________
>>>>> CentOS mailing list
>>>>> CentOS@xxxxxxxxxx
>>>>> http://lists.centos.org/mailman/listinfo/centos
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS@xxxxxxxxxx
>>>> http://lists.centos.org/mailman/listinfo/centos
>>>>
>>>> This email is from the Press Association. For more information, see
>> www.pressassociation.com. This email may contain confidential
>> information. Only the addressee is permitted to read, copy, distribute or
>> otherwise use this email or any attachments. If you have received it in
>> error, please contact the sender immediately. Any opinion expressed in this
>> email is personal to the sender and may not reflect the opinion of the
>> Press Association. Any email reply to this address may be subject to
>> interception or monitoring for operational reasons or for lawful business
>> practices.
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS@xxxxxxxxxx
>>>> http://lists.centos.org/mailman/listinfo/centos
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS@xxxxxxxxxx
>>> http://lists.centos.org/mailman/listinfo/centos
>>>
>>> This email is from the Press Association. For more information, see
>> www.pressassociation.com. This email may contain confidential
>> information. Only the addressee is permitted to read, copy, distribute or
>> otherwise use this email or any attachments. If you have received it in
>> error, please contact the sender immediately. Any opinion expressed in this
>> email is personal to the sender and may not reflect the opinion of the
>> Press Association. Any email reply to this address may be subject to
>> interception or monitoring for operational reasons or for lawful business
>> practices.
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS@xxxxxxxxxx
>>> http://lists.centos.org/mailman/listinfo/centos
>> _______________________________________________
>> CentOS mailing list
>> CentOS@xxxxxxxxxx
>> http://lists.centos.org/mailman/listinfo/centos
>>
>
>

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux