sealert and FC17
Dan,
I read your post at <http://danwalsh.livejournal.com/26053.html>, but what I still don't understand is this: on a user's system (actually, my manager's). What I need, and not just for his system, is a way to do what setroubleshoot *used* to do: give me a sealert in a logfile so I can run it from a command line.

mark, pro-command line

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
sealert and FC17
On 08/03/2012 09:06 AM, m.roth@5-cent.us wrote:
> Dan,
>
> I read your post at <http://danwalsh.livejournal.com/26053.html>, but what I still don't understand is this: on a user's system (actually, my manager's). What I need, and not just for his system, is a way to do what setroubleshoot *used* to do: give me a sealert in a logfile so I can run it from a command line.

Have you installed setroubleshoot and setroubleshoot-server?

Once you do, you can use e.g. sealert to read the alerts from the command line.

TC
sealert and FC17
Thomas Cameron wrote:
> On 08/03/2012 09:06 AM, m.roth@5-cent.us wrote:
>> Dan,
>>
>> I read your post at <http://danwalsh.livejournal.com/26053.html>, but what I still don't understand is this: on a user's system (actually, my manager's). What I need, and not just for his system, is a way to do what setroubleshoot *used* to do: give me a sealert in a logfile so I can run it from a command line.
>
> Have you installed setroubleshoot and setroubleshoot-server?
>
> Once you do, you can use e.g. sealert to read the alerts from the command line.

I must be missing something. Yes, they're both installed. I tried sealert -a /var/log/audit/audit.log, and got nothing - in there, I see a lot of SERVICE START and SERVICE STOP. I tried the same on /var/log/messages, where I see avc's; for example,

<timestamp> <name> kernel: [96575.845662] type=1400 audit(1344007740.130:4055): avc: denied { open } for pid=5804 comm="awk" name="ld.so.cache" dev="dm-0" ino=61036 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file

but get nothing. What am I missing?

mark
sealert and FC17
On 03/08/12 16:35, m.roth@5-cent.us wrote:
> I must be missing something. Yes, they're both installed. I tried sealert -a /var/log/audit/audit.log, and got nothing - in there, I see a lot of SERVICE START and SERVICE STOP. I tried the same on /var/log/messages, where I see avc's; for example,
>
> <timestamp> <name> kernel: [96575.845662] type=1400 audit(1344007740.130:4055): avc: denied { open } for pid=5804 comm="awk" name="ld.so.cache" dev="dm-0" ino=61036 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
>
> but get nothing. What am I missing?
>
> mark

Are you trying to find avc's in the audit.log?

sudo ausearch -m avc

--
Regards,
Frank "Jack of all, fubars"
sealert and FC17
On 03/08/12 16:50, m.roth@5-cent.us wrote:
>> Are you trying to find avc's in the audit.log?
>>
>> sudo ausearch -m avc
>
> Nothing. All my avc's seem to be in messages, and I'm not getting what I used to get, the line with "run sealert ..." to move it to something comprehensible. With the examples, above, I don't know what the ID is, either.
>
> mark

Is the audit service running?

systemctl status auditd.service

If it is disabled try:

systemctl enable auditd.service
systemctl start auditd.service

--
Regards,
Frank "Jack of all, fubars"
sealert and FC17
On 08/03/2012 10:06 AM, m.roth@5-cent.us wrote:
> Dan,
>
> I read your post at <http://danwalsh.livejournal.com/26053.html>, but what I still don't understand is this: on a user's system (actually, my manager's). What I need, and not just for his system, is a way to do what setroubleshoot *used* to do: give me a sealert in a logfile so I can run it from a command line.
>
> mark, pro-command line

It should still be there. If not then this is a bug.
sealert and FC17
On 08/03/2012 11:35 AM, m.roth@5-cent.us wrote:
> Thomas Cameron wrote:
>> On 08/03/2012 09:06 AM, m.roth@5-cent.us wrote:
>>> Dan,
>>>
>>> I read your post at <http://danwalsh.livejournal.com/26053.html>, but what I still don't understand is this: on a user's system (actually, my manager's). What I need, and not just for his system, is a way to do what setroubleshoot *used* to do: give me a sealert in a logfile so I can run it from a command line.
>>
>> Have you installed setroubleshoot and setroubleshoot-server?
>>
>> Once you do, you can use e.g. sealert to read the alerts from the command line.
>
> I must be missing something. Yes, they're both installed. I tried sealert -a /var/log/audit/audit.log, and got nothing - in there, I see a lot of SERVICE START and SERVICE STOP. I tried the same on /var/log/messages, where I see avc's; for example,
>
> <timestamp> <name> kernel: [96575.845662] type=1400 audit(1344007740.130:4055): avc: denied { open } for pid=5804 comm="awk" name="ld.so.cache" dev="dm-0" ino=61036 scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
>
> but get nothing. What am I missing?
>
> mark

Looks like sealert does not recognize this as an AVC. Not sure why. I will look into it.

Anyways file_t means your machine is seriously mislabeled. file_t means the object has no label on it, in this case ld.so.cache, which will cause everything to blow up.
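Added example, not part of the thread and not setroubleshoot or audit code: when sealert gives nothing back, this script pulls the AVC records out of log lines by hand, accepting both the audit.log form (type=AVC msg=audit(...)) and the /var/log/messages form mark quoted (kernel: [uptime] type=1400 audit(...)), and flags a target of file_t or unlabeled_t the way Dan reads it, as a labeling problem rather than a policy problem. The sample input is constructed: the first line is mark's record with a made-up syslog timestamp and hostname in place of his <timestamp> <name>; the audit.log line and the SERVICE_START line are invented to exercise the other format and the non-AVC case. The restorecon hint in the summary is my recommendation, not something the thread states.

```python
#!/usr/bin/env python3
"""Pull SELinux AVC denials out of log lines, whether they come from
/var/log/audit/audit.log (type=AVC msg=audit(...)) or, when auditd is not
running, from /var/log/messages with the kernel ring-buffer prefix
("kernel: [uptime] type=1400 audit(...")."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Both forms carry the same record body after "audit(<secs>.<ms>:<serial>):".
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s+(?P<result>denied|granted)\s+'
    r'\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
# key=value pairs after "for": values are double-quoted (comm="awk") or bare (pid=5804).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# A target of these types has no label at all, so the fix is relabeling, not a policy change.
UNLABELED_TYPES = {"file_t", "unlabeled_t"}

# Constructed sample input (see lead-in): mark's record as it appears in /var/log/messages
# with placeholder timestamp/host, a made-up audit.log AVC, and a made-up non-AVC record.
SAMPLE_LINES = [
    'Aug  3 11:29:00 host kernel: [96575.845662] type=1400 audit(1344007740.130:4055): '
    'avc:  denied  { open } for  pid=5804 comm="awk" name="ld.so.cache" dev="dm-0" ino=61036 '
    'scontext=system_u:system_r:ksmtuned_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file',
    'type=AVC msg=audit(1344007740.130:4056): avc:  denied  { read } for  pid=5804 comm="awk" '
    'name="ld.so.cache" dev="dm-0" ino=61036 scontext=system_u:system_r:ksmtuned_t:s0 '
    'tcontext=system_u:object_r:ld_so_cache_t:s0 tclass=file',
    'type=SERVICE_START msg=audit(1344007741.000:4057): pid=1 uid=0 auid=4294967295 '
    'ses=4294967295 subj=system_u:system_r:init_t:s0 msg=\'unit=auditd comm="systemd" '
    'exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success\'',
]


def context_type(ctx: str) -> str:
    """user:role:type[:level] -> type; empty string if the context is malformed."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ""


@dataclass
class Avc:
    timestamp: float
    serial: int          # event id; usable with `ausearch -a <serial>` when auditd logged it
    result: str          # "denied" or "granted"
    perms: List[str]     # permissions inside the braces, e.g. ["open"]
    fields: dict         # pid, comm, name, dev, ino, scontext, tcontext, tclass, ...

    @property
    def source_type(self) -> str:
        return context_type(self.fields.get("scontext", ""))

    @property
    def target_type(self) -> str:
        return context_type(self.fields.get("tcontext", ""))

    @property
    def mislabeled(self) -> bool:
        return self.target_type in UNLABELED_TYPES


def parse_avc(line: str) -> Optional[Avc]:
    """Return the AVC record in `line`, or None when the line is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return Avc(
        timestamp=float(m.group("ts")),
        serial=int(m.group("serial")),
        result=m.group("result"),
        perms=m.group("perms").split(),
        fields=fields,
    )


def scan(lines: Iterable[str]) -> List[Avc]:
    """All AVC records in `lines`, in order; non-AVC records are dropped."""
    return [a for a in map(parse_avc, lines) if a is not None]


def summarize(avc: Avc) -> str:
    """One readable line per denial, flagging unlabeled targets."""
    f = avc.fields
    text = (f"{avc.serial}: {avc.source_type} ({f.get('comm', '?')}) {avc.result} "
            f"{' '.join(avc.perms)} on {f.get('tclass', '?')} {f.get('name', '?')} "
            f"[{avc.target_type}]")
    if avc.mislabeled:
        # My recommendation, not from the thread: restorecon is the usual fix for an unlabeled file.
        text += "  <- target has no label; relabel (e.g. restorecon -v) before changing policy"
    return text


if __name__ == "__main__":
    import sys
    # Usage: python3 avcscan.py /var/log/messages   (defaults to the constructed sample)
    lines = open(sys.argv[1], errors="replace") if len(sys.argv) > 1 else SAMPLE_LINES
    for avc in scan(lines):
        print(summarize(avc))
```

Run it against /var/log/messages on a box where ausearch -m avc comes back empty; the serial it prints is the audit event id, so once auditd is running the same event can be pulled with ausearch -a. A denial whose target type is file_t is reported as a relabel job, which matches Dan's reading of mark's ld.so.cache line.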