Old 01-04-2012, 10:31 AM
Nabeel Moidu
 
Default sealert error

Hi

I'm trying to create an SELinux policy for an rpm software installation. I've been getting sealerts in the var/log/messages but I am unable to view them due to this error,

[root@nmk-centos-60-1 policy]# sealert -l 6a6e02bc-23a7-4e55-adab-b06d0cdc2832

Error
query_alerts error (1003): id (6a6e02bc-23a7-4e55-adab-b06d0cdc2832) not found

I believe this has to do with the setroubleshoot daemon not running.

[root@nmk-centos-60-1 policy]# service setroubleshoot status

setroubleshoot: unrecognized service
[root@nmk-centos-60-1 policy]# service --status-all | grep setro

I have the setroubleshoot software installed

[root@nmk-centos-60-1 policy]# rpm -qa | grep setroubles

92:setroubleshoot-server-3.0.38-2.1.el6.x86_64
425:setroubleshoot-plugins-3.0.16-1.el6.noarch
426:setroubleshoot-3.0.38-2.1.el6.x86_64
587:setroubleshoot-doc-3.0.38-2.1.el6.x86_64
[root@nmk-centos-60-1 policy]#



I don't see the setroubleshoot rpms creating any init script file in init.d or elsewhere.


[root@nmk-centos-60-1 policy]# rpm -qa --list setroubleshoot-server* | grep -v ^/usr

1:/etc/audisp/plugins.d/sedispatch.conf

2:/etc/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf

3:/etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf

4:/etc/logrotate.d/setroubleshoot

5:/etc/setroubleshoot

6:/etc/setroubleshoot/setroubleshoot.conf

172:/var/lib/setroubleshoot

173:/var/lib/setroubleshoot/email_alert_recipients

174:/var/lib/setroubleshoot/setroubleshoot_database.xml

175:/var/log/setroubleshoot

176:/var/run/setroubleshoot

SELinux is running in permissive mode with mls type on my system.

[root@nmk-centos-60-1 policy]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        mls

I am running Centos 6.0

[root@nmk-centos-60-1 policy]# cat /etc/issue
CentOS Linux release 6.0 (Final)
Kernel \r on an \m

[root@nmk-centos-60-1 policy]# uname -a
Linux nmk-centos-60-1 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux
[root@nmk-centos-60-1 policy]#


1) Did I miss anything with regards to the troubleshooting daemon installation?
2) How can I fix the query alert error and view the sealert output?

Nabeel

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 01-04-2012, 11:55 AM
Miroslav Grepl
 
Default sealert error

On 01/04/2012 12:31 PM, Nabeel Moidu wrote:
> Hi
>
> I'm trying to create an SELinux policy for an rpm software
> installation. I've been getting sealerts in the var/log/messages
> but I am unable to view them due to this error,
>
> [root@nmk-centos-60-1 policy]# sealert -l 6a6e02bc-23a7-4e55-adab-b06d0cdc2832
>
> Error
> query_alerts error (1003): id (6a6e02bc-23a7-4e55-adab-b06d0cdc2832) not found

The problem is the alert has already been deleted from
setroubleshoot_database.xml.

> I believe this has to do with the setroubleshoot daemon not
> running.

setroubleshoot is a DBus service in RHEL6.

> [root@nmk-centos-60-1 policy]# service setroubleshoot status
> setroubleshoot: unrecognized service
> [root@nmk-centos-60-1 policy]# service --status-all | grep setro
>
> I have the setroubleshoot software installed
>
> [root@nmk-centos-60-1 policy]# rpm -qa | grep setroubles
> 92:setroubleshoot-server-3.0.38-2.1.el6.x86_64
> 425:setroubleshoot-plugins-3.0.16-1.el6.noarch
> 426:setroubleshoot-3.0.38-2.1.el6.x86_64
> 587:setroubleshoot-doc-3.0.38-2.1.el6.x86_64
> [root@nmk-centos-60-1 policy]#
>
> I don't see the setroubleshoot rpms creating any init script file
> in init.d or elsewhere.
>
> [root@nmk-centos-60-1 policy]# rpm -qa --list setroubleshoot-server* | grep -v ^/usr
> 1:/etc/audisp/plugins.d/sedispatch.conf
> 2:/etc/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf
> 3:/etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf
> 4:/etc/logrotate.d/setroubleshoot
> 5:/etc/setroubleshoot
> 6:/etc/setroubleshoot/setroubleshoot.conf
> 172:/var/lib/setroubleshoot
> 173:/var/lib/setroubleshoot/email_alert_recipients
> 174:/var/lib/setroubleshoot/setroubleshoot_database.xml
> 175:/var/log/setroubleshoot
> 176:/var/run/setroubleshoot
>
> SELinux is running in permissive mode with mls type on my
> system.
>
> [root@nmk-centos-60-1 policy]# sestatus
> SELinux status:                 enabled
> SELinuxfs mount:                /selinux
> Current mode:                   permissive
> Mode from config file:          permissive
> Policy version:                 24
> Policy from config file:        mls
>
> I am running Centos 6.0
>
> [root@nmk-centos-60-1 policy]# cat /etc/issue
> CentOS Linux release 6.0 (Final)
> Kernel \r on an \m
>
> [root@nmk-centos-60-1 policy]# uname -a
> Linux nmk-centos-60-1 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux
> [root@nmk-centos-60-1 policy]#
>
> 1) Did I miss anything with regards to the troubleshooting daemon
> installation?
> 2) How can I fix the query alert error and view the sealert output?

I see that you use MLS policy. I would suggest you use the ausearch
tool rather than setroubleshoot in MLS policy.

For example:

$ ausearch -m avc -ts recent
$ ausearch -m avc -ts today
$ ausearch -m avc -su testdomain_t

All AVC msgs are located in /var/log/audit/audit.log.

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
Old 01-05-2012, 05:25 AM
Nabeel Moidu
 
Default sealert error

On Wed, Jan 4, 2012 at 6:25 PM, Miroslav Grepl <mgrepl@redhat.com> wrote:
> On 01/04/2012 12:31 PM, Nabeel Moidu wrote:
>> Hi
>>
>> I'm trying to create an SELinux policy for an rpm software
>> installation. I've been getting sealerts in the var/log/messages
>> but I am unable to view them due to this error,
>>
>> [root@nmk-centos-60-1 policy]# sealert -l 6a6e02bc-23a7-4e55-adab-b06d0cdc2832
>>
>> Error
>> query_alerts error (1003): id (6a6e02bc-23a7-4e55-adab-b06d0cdc2832) not found
>
> The problem is the alert has already been deleted from
> setroubleshoot_database.xml.

Is there a timeframe for the xml overwrites?

>> I believe this has to do with the setroubleshoot daemon not
>> running.
>
> setroubleshoot is a DBus service in RHEL6.

OK. That explains it.

>> [root@nmk-centos-60-1 policy]# service setroubleshoot status
>> setroubleshoot: unrecognized service
>> [root@nmk-centos-60-1 policy]# service --status-all | grep setro
>>
>> I have the setroubleshoot software installed
>>
>> [root@nmk-centos-60-1 policy]# rpm -qa | grep setroubles
>> 92:setroubleshoot-server-3.0.38-2.1.el6.x86_64
>> 425:setroubleshoot-plugins-3.0.16-1.el6.noarch
>> 426:setroubleshoot-3.0.38-2.1.el6.x86_64
>> 587:setroubleshoot-doc-3.0.38-2.1.el6.x86_64
>> [root@nmk-centos-60-1 policy]#
>>
>> I don't see the setroubleshoot rpms creating any init script file
>> in init.d or elsewhere.
>>
>> [root@nmk-centos-60-1 policy]# rpm -qa --list setroubleshoot-server* | grep -v ^/usr
>> 1:/etc/audisp/plugins.d/sedispatch.conf
>> 2:/etc/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf
>> 3:/etc/dbus-1/system.d/org.fedoraproject.Setroubleshootd.conf
>> 4:/etc/logrotate.d/setroubleshoot
>> 5:/etc/setroubleshoot
>> 6:/etc/setroubleshoot/setroubleshoot.conf
>> 172:/var/lib/setroubleshoot
>> 173:/var/lib/setroubleshoot/email_alert_recipients
>> 174:/var/lib/setroubleshoot/setroubleshoot_database.xml
>> 175:/var/log/setroubleshoot
>> 176:/var/run/setroubleshoot
>>
>> SELinux is running in permissive mode with mls type on my
>> system.
>>
>> [root@nmk-centos-60-1 policy]# sestatus
>> SELinux status:                 enabled
>> SELinuxfs mount:                /selinux
>> Current mode:                   permissive
>> Mode from config file:          permissive
>> Policy version:                 24
>> Policy from config file:        mls
>>
>> I am running Centos 6.0
>>
>> [root@nmk-centos-60-1 policy]# cat /etc/issue
>> CentOS Linux release 6.0 (Final)
>> Kernel \r on an \m
>>
>> [root@nmk-centos-60-1 policy]# uname -a
>> Linux nmk-centos-60-1 2.6.32-71.el6.x86_64 #1 SMP Fri May 20 03:51:51 BST 2011 x86_64 x86_64 x86_64 GNU/Linux
>> [root@nmk-centos-60-1 policy]#
>>
>> 1) Did I miss anything with regards to the troubleshooting daemon
>> installation?
>> 2) How can I fix the query alert error and view the sealert output?
>
> I see that you use MLS policy. I would suggest you use the ausearch
> tool rather than setroubleshoot in MLS policy.

I wanted to formulate the rules for a custom rpm. When using the targeted policy, I could not see any denials. So I switched to MLS to identify the AVC denials. My approach is to log the AVC denials during rpm installation, apply audit2allow to those denials and formulate the policy. Is this workable?

The policies for running the software can be different and I plan to have that as a second stage. I just want to have the installation part getting on fine with a targeted policy.

Another question: is MLS a name change for the "strict" type used earlier? Any links that explain the difference?

> For example:
>
> $ ausearch -m avc -ts recent
> $ ausearch -m avc -ts today
> $ ausearch -m avc -su testdomain_t

This works, but I wanted to read the descriptive text about the denials that shows up in sealert.

> All AVC msgs are located in /var/log/audit/audit.log.

--
Thanks and Regards
Nabeel Moidu


--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
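Miroslav's advice to read denials straight from /var/log/audit/audit.log (optionally filtered by source type, as `ausearch -su testdomain_t` does) and Nabeel's plan to run audit2allow over the denials logged during the rpm install can be shown end to end in one small script. This is an added example, not code from the thread, from ausearch or from audit2allow; the AVC record layout is the kernel's, but the log lines, PIDs, file names and the rpm_t/testdomain_t/var_lib_t/etc_t pairings in them are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not from the thread): two denials hit by
# rpm during installation, one by the installed daemon, and a SYSCALL record that
# must be skipped because it is not an AVC message.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1325673000.123:45): avc:  denied  { write } for  pid=2345 comm="rpm" name="myapp.conf" dev=dm-0 ino=1234 scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1325673000.456:46): avc:  denied  { create } for  pid=2345 comm="rpm" name="myapp" scontext=system_u:system_r:rpm_t:s0-s15:c0.c1023 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1325673001.789:47): avc:  denied  { read open } for  pid=2350 comm="myappd" path="/etc/myapp.conf" scontext=system_u:system_r:testdomain_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1325673001.789:47): arch=c000003e syscall=2 success=no exit=-13 comm="myappd"
"""

AVC_RE = re.compile(
    r"^type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the denied permissions and source/target types of one AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:level]; only the type goes into a TE rule,
    # so the MLS range on the rpm_t source (s0-s15:c0.c1023) is dropped here.
    return {
        "perms": set(m.group("perms").split()),
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def collect_denials(log_text, source_type=None):
    """Pick AVC denials out of audit.log text; source_type mimics `ausearch -su`."""
    denials = [d for d in map(parse_avc, log_text.splitlines()) if d]
    if source_type is not None:
        denials = [d for d in denials if d["stype"] == source_type]
    return denials


def allow_rules(denials):
    """Merge denials into one allow rule per (source, target, class), the shape
    audit2allow produces; every rule grants exactly what was denied, so each one
    still needs review before it goes into a module, because a logged denial is
    not proof that the access is legitimate."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
```

Run `allow_rules(collect_denials(SAMPLE_AUDIT_LOG, "rpm_t"))` to get only the rules the installation step itself needs, which matches Nabeel's plan of handling install-time and run-time policy as two separate stages.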
 
