Re: Splunk Policy

On 28 August 2013 19:04, Schincke, Keith D. (JSC-IT)[DB Consulting Group, Inc.] <keith.d.schincke@xxxxxxxx> wrote:

Did you have any errors recorded in your splunkd.log file?

 

Keith Schincke CAP, LPIC-1, RHCA, RHCSS

Team Lead IT Security System Administration, ITAMS

Building 46, Room 110A

email to: keith.d.schincke@xxxxxxxx

281-244-0183 Office           832-205-1534 Mobile

281-244-5708 Fax             

 

ITAMS - Information Technology And Multimedia Services Contract

"One Team, One Vision >> Partnered For Innovative Solutions"

 

From: selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx [mailto:selinux-bounces@xxxxxxxxxxxxxxxxxxxxxxx] On Behalf Of Robert Gabriel
Sent: Wednesday, August 28, 2013 11:53 AM
To: selinux@xxxxxxxxxxxxxxxxxxxxxxx
Subject: Splunk Policy

 

Greetz,

So I have cobbled together a basic policy for Splunk residing in /opt/splunkdashboards/.

I followed Dan's blog to do the basics.

So I've added all the AVC messages to the splunkdashboards.te and restarted Splunk with run_init...

Now, no more AVC messages but after a few seconds Splunk crashes.

Nothing in the debug log.

There is a crash log, seems to be a different thread each time crashing.

If I use the browser UI to work with Splunk, it does a few tasks then something about "Helper process is in an unknown state due to previous failure" and then bang!

Seems to be thread permissions?

I'm lost, nothing in the log and no more AVC messages, where to from here?

I have tried so hard so far, I don't want to be a coward now and hit "setenforce 0".

I must learn how to do this.

 

I'm unsure as to mailing list etiquette, do I post all the policy files, Splunk log etc.?

Please advise.

 

Any help appreciated, thank you.



I did look, no ERROR or WARN.

I'm quite familiar with Splunk, been working with it for the past 2.5 years, so I kind of have a feel for its behaviour.

I've checked something now:

[root@pluto splunkdashboards]# aureport --start today --anomaly

Anomaly Report
=========================================
# date time type exe term host auid event
=========================================
1. 08/28/2013 18:02:01 ANOM_ABEND splunkd ? ? 500 822


/var/log/audit/audit.log:
type=ANOM_ABEND msg=audit(1377705721.554:822): auid=500 uid=501 gid=501 ses=1 subj=system_u:system_r:splunkdashboards_t:s0 pid=14464 comm="splunkd" sig=6


/opt/splunkdashboards/var/log/splunk/crash-2013-08-28-16\:27\:15.log: 
[build 149561] 2013-08-28 16:27:15
Received fatal signal 6 (Aborted).
 Cause:
   Signal sent by PID 9075 running under UID 501.
 Crashing thread: DispatchReaper
 Registers:
    RIP:  [0x00002AD7447898A5] gsignal + 53 (/lib64/libc.so.6)
    RDI:  [0x0000000000002373]
    RSI:  [0x0000000000002380]
    RBP:  [0x00002AD749462278]
    RSP:  [0x00002AD7491FF188]
    RAX:  [0x0000000000000000]
    RBX:  [0x000000000196FC38]
    RCX:  [0xFFFFFFFFFFFFFFFF]
    RDX:  [0x0000000000000006]
    R8:  [0x0000000000000001]
    R9:  [0x206E61206E692073]
    R10:  [0x0000000000000008]
    R11:  [0x0000000000000202]
    R12:  [0x00002AD74581E0C0]
    R13:  [0x00002AD7491FF3A0]
    R14:  [0x00002AD7491FF3E0]
    R15:  [0x00002AD74F8311E8]
    EFL:  [0x0000000000000202]
    TRAPNO:  [0x0000000000000000]
    ERR:  [0x0000000000000000]
    CSGSFS:  [0x0000000000000033]
    OLDMASK:  [0x0000000000000000]

 OS: Linux
 Arch: x86-64

 Backtrace:
  [0x00002AD7447898A5] gsignal + 53 (/lib64/libc.so.6)
  [0x00002AD74478B085] abort + 373 (/lib64/libc.so.6)
  [0x00000000012EB4B8] _ZN9__gnu_cxx27__verbose_terminate_handlerEv + 200 (splunkd)
  [0x00000000012EB186] _ZN10__cxxabiv111__terminateEPFvvE + 6 (splunkd)
  [0x00000000012EB1B3] ? (splunkd)
  [0x00000000012EB2B3] ? (splunkd)
  [0x0000000000D7294F] _ZN20ScopedHelperProcLockC1Ev + 271 (splunkd)
  [0x0000000000D763C8] _ZN20ExternalProcessGroup12terminateAllERK20ConditionWaitTimeout + 56 (splunkd)
  [0x0000000000E9BF1C] _ZN15DispatchProcess9terminateEv + 156 (splunkd)
  [0x0000000000EB6359] _ZN15DispatchProcessD0Ev + 57 (splunkd)
  [0x0000000000EB79E6] _ZN15DispatchManager24reapAllInactiveProcessesEv + 374 (splunkd)
  [0x0000000000EEB2C5] _ZN20BulletinBoardUpdater4tickEv + 261 (splunkd)
  [0x0000000000DA5553] _ZN11TimeoutHeap18runExpiredTimeoutsER7Timeval + 227 (splunkd)
  [0x0000000000D3A318] _ZN9EventLoop3runEv + 216 (splunkd)
  [0x0000000000EE97B4] _ZN14DispatchReaper4mainEv + 2852 (splunkd)
  [0x0000000000DA2F32] _ZN6Thread8callMainEPv + 66 (splunkd)
  [0x00002AD742F72851] ? (/lib64/libpthread.so.0)
  [0x00002AD74483F90D] clone + 109 (/lib64/libc.so.6)
 Linux / pluto.gdf.gsoc.co.za / 2.6.32-358.11.1.el6.centos.plus.x86_64 / #1 SMP Wed Jun 12 19:12:17 UTC 2013 / x86_64
 Last few lines of stderr (may contain info on assertion failure, but also could be old):
    2013-08-28 15:47:13.867 +0200 splunkd started (build 149561)
    terminate called after throwing an instance of 'ProcessRunnerException'
      what():  Helper process is in an unknown state due to previous failure
    2013-08-28 15:49:26.583 +0200 splunkd started (build 149561)
    2013-08-28 15:50:39.141 +0200 Interrupt signal received
    2013-08-28 15:50:50.566 +0200 splunkd started (build 149561)
    terminate called after throwing an instance of 'ProcessRunnerException'
      what():  Helper process is in an unknown state due to previous failure
    2013-08-28 15:51:43.309 +0200 splunkd started (build 149561)
    terminate called after throwing an instance of 'ProcessRunnerException'
      what():  Helper process is in an unknown state due to previous failure

 /etc/redhat-release: CentOS release 6.4 (Final)
 glibc version: 2.12
 glibc release: stable
Threads running: 42
argv: [splunkd -h 192.168.122.2 -p 8089 restart]
terminating...

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
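As an added example (not part of the thread, and not the poster's or Splunk's code): a small Python parser that correlates ANOM_ABEND records like the one quoted above with any AVC denials recorded for the same pid shortly before the abort. The first ANOM_ABEND line is the one from the message; the AVC record and the second abort record are constructed so that both outcomes (a denial found, none found) appear. When a confined process aborts and no denial is on record, the usual next check is whether a dontaudit rule is hiding the denial (`semodule -DB` rebuilds the policy with dontaudit rules disabled so they show up in audit.log; `semodule -B` restores them), so the report attaches that hint whenever the correlation comes up empty.

```python
"""Correlate process aborts (ANOM_ABEND) with AVC denials in a Linux audit log.

Added example for the thread above; not code from the poster or from Splunk.
Assumes the record format written by auditd:
    type=<TYPE> msg=audit(<secs>.<ms>:<serial>): key=value key="value" ...
"""
import re

# The first ANOM_ABEND line is the one quoted in the thread. The AVC record and the
# second ANOM_ABEND record are constructed for this example, not taken from the poster's system.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1377705719.120:815): avc:  denied  { execute } for  pid=14464 comm="splunkd" name="python" dev=dm-0 ino=12345 scontext=system_u:system_r:splunkdashboards_t:s0 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=ANOM_ABEND msg=audit(1377705721.554:822): auid=500 uid=501 gid=501 ses=1 subj=system_u:system_r:splunkdashboards_t:s0 pid=14464 comm="splunkd" sig=6
type=ANOM_ABEND msg=audit(1377705800.001:830): auid=500 uid=501 gid=501 ses=1 subj=system_u:system_r:splunkdashboards_t:s0 pid=14500 comm="splunkd" sig=6
"""

_HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
_PERMS_RE = re.compile(r"\{\s*([^}]*?)\s*\}")    # the { perm perm ... } set in an AVC record

NO_DENIAL_HINT = ("no AVC denial recorded for this pid; either a dontaudit rule hides it "
                  "(reveal with 'semodule -DB') or the abort is not caused by an SELinux denial")


def parse_record(line):
    """Parse one audit record into a dict; return None for lines that do not match the format."""
    m = _HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, secs, ms, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(body)}
    rec = {"type": rtype, "time": float(f"{secs}.{ms}"), "serial": int(serial), "fields": fields}
    if rtype == "AVC":
        pm = _PERMS_RE.search(body)
        rec["perms"] = pm.group(1).split() if pm else []
        rec["denied"] = re.search(r"\bdenied\b", body) is not None
    return rec


def domain_type(context):
    """Return the type component (e.g. splunkdashboards_t) of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def correlate_aborts(log_text, window=60.0):
    """For each ANOM_ABEND, list AVC denials for the same pid within `window` seconds before it."""
    records = [r for r in (parse_record(line) for line in log_text.splitlines()) if r]
    denials = [r for r in records if r["type"] == "AVC" and r.get("denied")]
    report = []
    for rec in records:
        if rec["type"] != "ANOM_ABEND":
            continue
        f = rec["fields"]
        pid = f.get("pid")
        matching = [
            {
                "serial": d["serial"],
                "perms": d["perms"],
                "target_type": domain_type(d["fields"].get("tcontext", "")),
                "tclass": d["fields"].get("tclass"),
            }
            for d in denials
            if d["fields"].get("pid") == pid and 0 <= rec["time"] - d["time"] <= window
        ]
        report.append({
            "serial": rec["serial"],
            "pid": int(pid) if pid else None,
            "comm": f.get("comm"),
            "domain": domain_type(f.get("subj", "")),
            "signal": int(f.get("sig", 0)),
            "denials": matching,
            "hint": None if matching else NO_DENIAL_HINT,
        })
    return report


if __name__ == "__main__":
    for entry in correlate_aborts(SAMPLE_AUDIT_LOG):
        print(entry)
```

Feed it the real file with `correlate_aborts(open("/var/log/audit/audit.log").read())`; the window is deliberately short because a denial hours earlier is rarely the cause of a later abort. The pid match is exact, so denials logged against a helper child process (a different pid) will not be attributed to the parent that aborted; widen the match to the same `comm` or the same domain if the service forks helpers, as Splunk does here.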