Re: setroubleshootd not running

On 04/21/2010 10:04 AM, Robert Nichols wrote:
> Last night, the audit log got rotated and "sealert -s" no longer crashes.
> Here's what I think occurred:
>
>     1. I got a bunch of AVCs (part of the "root procmail" problem).
>
>     2. I installed local policy to allow those actions.
>
>     3. sealert crashes when it encounters an old AVC that the current
>        policy allows.  Perhaps setroubleshootd is having the same
>        problem.  Now that logrotate has pushed out those pesky AVCs,
>        no more crash.  (Right now, auditd seems to have stopped logging
>        new messages and has to be restarted, but that's an independent
>        problem.)
>
> I'll try to research this further, but coming up with a test case that
> can be easily reproduced on another system isn't going to be easy.

No, that's not what's doing it.  I tracked it down to 1 line in the old
audit.log file.  Here's the killer:

type=AVC msg=audit(1265646923.059:12565): avc:  denied  { search } for  pid=1557 comm="polkitd" name=".config" dev=sda2 ino=32945 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnome_home_t:s0 tclass=dir

When "sealert -a" reads a file containing just that one line, the result
is:

100% doneTraceback (most recent call last):
   File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 621, in task
     self.close()
   File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 608, in close
     self.avc_event_handler(audit_event)
   File "/usr/lib64/python2.6/site-packages/setroubleshoot/analyze.py", line 647, in avc_event_handler
     avc = AVC(audit_event)
   File "/usr/lib64/python2.6/site-packages/setroubleshoot/audit_data.py", line 586, in __init__
     self.derive_avc_info_from_audit_event()
   File "/usr/lib64/python2.6/site-packages/setroubleshoot/audit_data.py", line 884, in derive_avc_info_from_audit_event
     raise ValueError("Invalid AVC %s, it is allowed in current policy" %  avc)
NameError: global name 'avc' is not defined


-- 
Bob Nichols     "NOSPAM" is really part of my email address.
                 Do NOT delete it.

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
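
Added example (not part of the original message and not setroubleshoot code): one way to narrow an audit log down to the event that makes "sealert -a" fail, by grouping records on their audit(timestamp:serial) id and bisecting. The names group_events, isolate and sealert_crashes are hypothetical, recognising a failure by "Traceback" in sealert's output is an assumption, and every sample record except the polkitd AVC quoted above is constructed.

```python
import os
import re
import subprocess
import tempfile

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")

# The polkitd AVC is the record quoted in the message; the other records are constructed.
SAMPLE = [
    'type=AVC msg=audit(1265646000.001:12001): avc:  denied  { read } for  pid=1200 comm="constructed-a" tclass=file\n',
    'type=AVC msg=audit(1265646923.059:12565): avc:  denied  { search } for  pid=1557 comm="polkitd" name=".config" dev=sda2 ino=32945 scontext=system_u:system_r:policykit_t:s0-s0:c0.c1023 tcontext=system_u:object_r:gnome_home_t:s0 tclass=dir\n',
    'type=SYSCALL msg=audit(1265646923.059:12565): arch=c000003e syscall=2 success=no comm="polkitd"\n',
    'type=AVC msg=audit(1265647000.002:12600): avc:  denied  { write } for  pid=1300 comm="constructed-b" tclass=file\n',
]

def group_events(lines):
    """Group records that share an audit(timestamp:serial) id, keeping file order."""
    events = {}
    for line in lines:
        m = EVENT_ID.search(line)
        # A line without an id is treated as an event of its own.
        events.setdefault(m.group(1) if m else line, []).append(line)
    return list(events.values())

def isolate(events, crashes):
    """Bisect to a run of events for which crashes(lines) is still true."""
    flat = lambda evs: [line for ev in evs for line in ev]
    if not crashes(flat(events)):
        return None
    while len(events) > 1:
        mid = len(events) // 2
        for half in (events[:mid], events[mid:]):
            if crashes(flat(half)):
                events = half
                break
        else:
            break  # only the combination fails; stop narrowing
    return flat(events)

def sealert_crashes(lines):
    """Assumption: a failure shows up as 'Traceback' in the output of sealert -a."""
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as tmp:
        tmp.writelines(lines)
    try:
        proc = subprocess.run(["sealert", "-a", tmp.name], capture_output=True, text=True)
        return "Traceback" in proc.stdout + proc.stderr
    finally:
        os.unlink(tmp.name)

if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as log:  # e.g. a copy of the rotated audit.log
        print("".join(isolate(group_events(log.readlines()), sealert_crashes) or []))
```

Bisecting over whole events rather than raw lines keeps multi-record events intact, so the reduced file is still a valid input for the analyzer.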
