Old 01-04-2008, 05:13 PM
John Dennis
 
Default Another selinux rant

John Dennis wrote:

> You have two options for receiving the alerts from the headless server.


Oh, forgot to mention, those will get you realtime alerts sent to you.
But you can use sealert in command line mode too.


The alert will be logged to syslog with an ID, then you can:

% sealert -l ID

-or-

You can scan the audit log file (or any other log file) with:

% sealert -a logfile

--
John Dennis <jdennis@redhat.com>

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
 
Old 01-04-2008, 05:17 PM
John Dennis
 
Default Another selinux rant

Arthur Pemberton wrote:

> Yah. I'm not fond of how it is packaged myself... but since I can't do
> better, I don't complain about it... it really does drag in too much
> stuff however.


That's why setroubleshoot-server is a separate package, so it doesn't
drag in all the other cruft the GUI needs.

--
John Dennis <jdennis@redhat.com>

 
Old 01-04-2008, 05:32 PM
"Arthur Pemberton"
 
Default Another selinux rant

On Jan 4, 2008 12:03 PM, Rahul Sundaram <sundaram@fedoraproject.org> wrote:
> Arthur Pemberton wrote:
> >
> > Yah. I'm not fond of how it is packaged myself... but since I can't do
> > better, I don't complain about it... it really does drag in too much
> > stuff however.
>
> Complaining in bugzilla would be a useful contribution.

Not a big enough deal. I'm not pulling my weight enough to be
nitpicking about a few more files.

--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

 
Old 01-04-2008, 05:32 PM
"Arthur Pemberton"
 
Default Another selinux rant

On Jan 4, 2008 12:17 PM, John Dennis <jdennis@redhat.com> wrote:
> Arthur Pemberton wrote:
> > Yah. I'm not fond of how it is packaged myself... but since I can't do
> > better, I don't complain about it... it really does drag in too much
> > stuff however.
>
> That's why setroubleshoot-server is a separate package, so it doesn't
> drag in all the other cruft the GUI needs.


That's the point I was trying to make.


--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

 
Old 01-04-2008, 06:24 PM
Ray Van Dolson
 
Default Another selinux rant

> I think improving error messages and warnings and default behavior
> (see my earlier comments on tar and ls) is more worthwhile than
> writing documentation, as the latter tends not to get read.

+1 for the error messages. Most of us are used to things not always
quite working in the world of Unix. We're used to just taking a look
at /var/log/messages and getting a pretty good idea as to what the
problem is.

I guess the SELinux troubleshooter goes a long way to addressing this,
so maybe there's no point to making the syslog messages a bit better
for human consumption.

Ray

 
Old 01-04-2008, 06:33 PM
Les Mikesell
 
Default Another selinux rant

Ed Swierk wrote:

> On 1/4/08, John Dennis <jdennis@redhat.com> wrote:
>
> > Re SELinux usability issues:
> >
> > We wrote the setroubleshoot package precisely to help SELinux novice
> > users so they wouldn't suffer with hidden obscure failures of the type
> > which have frustrated you. If it had been installed you would have
> > received notifications in real time on your desktop describing the
> > failure and suggestions on how to fix it.
>
> The machine in question is a server with no graphical applications; is
> there a command-line version of setroubleshoot?


As long as you have the X client libs installed you should be able to
run GUI programs with remote display if you 'ssh -Y' to the machine from
a terminal window on your desktop.


--
Les Mikesell
lesmikesell@gmail.com

 
Old 01-04-2008, 06:44 PM
"Ed Swierk"
 
Default Another selinux rant

On 1/4/08, John Dennis <jdennis@redhat.com> wrote:
> You have two options for receiving the alerts from the headless server.
> You can either run the gui on a machine with a head and point it at the
> headless server (requires modifying the config file to use TCP rather
> than the default Unix domain sockets).
>
> [truncated]

I appreciate your taking the time to explain setroubleshoot but
anything that involves configuring daemons and email addresses is a
usability hurdle in itself.

If the mysterious audit log messages can't be made clearer, then can't
we have a simple command-line tool to translate a message into a
friendlier form?

--Ed

 
Old 01-04-2008, 06:54 PM
"Konstantin Ryabitsev"
 
Default Another selinux rant

On Jan 4, 2008 2:44 PM, Ed Swierk <eswierk@arastra.com> wrote:
> If the mysterious audit log messages can't be made clearer, then can't
> we have a simple command-line tool to translate a message into a
> friendlier form?

Generally, audit2why and audit2allow are your best friends when making
first inroads with SELinux.

Regards,
--
Konstantin Ryabitsev
Montréal, Québec

 
Old 01-04-2008, 07:19 PM
John Dennis
 
Default Another selinux rant

Ed Swierk wrote:

> If the mysterious audit log messages can't be made clearer, then can't
> we have a simple command-line tool to translate a message into a
> friendlier form?


% sudo sealert -a /var/log/audit/audit.log

--
John Dennis <jdennis@redhat.com>
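
As an added illustration (not part of the thread, and not how sealert, audit2why or audit2allow are implemented), the sketch below shows the kind of translation Ed asks for: it reads raw AVC denial records and returns one plain-language line per distinct denial. The sample log lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample audit.log content (not taken from the thread).
SAMPLE_LOG = """\
type=AVC msg=audit(1199467980.123:456): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1199467980.123:456): arch=40000003 syscall=5 success=no exit=-13 comm="httpd"
type=AVC msg=audit(1199467991.004:460): avc:  denied  { read } for  pid=2213 comm="httpd" name="about.html" dev=sda1 ino=12346 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1199468002.551:471): avc:  denied  { name_bind } for  pid=2300 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key facts of one AVC denial record, or None for other lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        # A context is user:role:type[:level]; the type is what policy rules use.
        source = fields["scontext"].split(":")[2]
        target = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # truncated or malformed record
    perms = " ".join(m.group("perms").split())
    return (fields.get("comm", "?"), source, perms, tclass, target)


def summarize(log_text):
    """Collapse repeated denials into one sentence each, most frequent first."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is not None:
            counts[rec] += 1
    return [
        f"{comm} (domain {source}) was denied '{perms}' on a {tclass} labeled {target} ({n}x)"
        for (comm, source, perms, tclass, target), n in counts.most_common()
    ]


if __name__ == "__main__":
    for sentence in summarize(SAMPLE_LOG):
        print(sentence)
```

Grouping by source type, permission, class and target type keeps a flood of identical denials from hiding a second, unrelated one in the same log.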

 
Old 01-04-2008, 07:30 PM
"Arthur Pemberton"
 
Default Another selinux rant

On Jan 4, 2008 1:44 PM, Ed Swierk <eswierk@arastra.com> wrote:
> On 1/4/08, John Dennis <jdennis@redhat.com> wrote:
> > You have two options for receiving the alerts from the headless server.
> > You can either run the gui on a machine with a head and point it at the
> > headless server (requires modifying the config file to use TCP rather
> > than the default Unix domain sockets).
> >
> > [truncated]
>
> I appreciate your taking the time to explain setroubleshoot but
> anything that involves configuring daemons and email addresses is a
> usability hurdle in itself.
>
> If the mysterious audit log messages can't be made clearer, then can't
> we have a simple command-line tool to translate a message into a
> friendlier form?
>
> --Ed


Please try setroubleshoot.


--
Fedora 7 : sipping some of that moonshine
( www.pembo13.com )

 

All times are GMT.