setroubleshoot-3.3.27

Resolves: rhbz#2028441, rhbz#2034581
Petr Lautrbach 2022-01-13 15:09:38 +01:00
parent 4d93f7c067
commit 00f0755ee2
8 changed files with 17 additions and 432 deletions

1
.gitignore vendored

@ -211,3 +211,4 @@ setroubleshoot-2.2.93.tar.gz
/setroubleshoot-3.3.24.tar.gz
/setroubleshoot-3.3.25.tar.gz
/setroubleshoot-3.3.26.tar.gz
/framework-3.3.27.tar.gz


@ -1,45 +0,0 @@
From 56cf1525b5ebeb3591d4a3ded5299fe82d0f9208 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 14 Apr 2021 17:03:39 +0200
Subject: [PATCH] Stop SetroubleshootFixit after 10 seconds of inactivity
---
framework/src/SetroubleshootFixit.py | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/framework/src/SetroubleshootFixit.py b/framework/src/SetroubleshootFixit.py
index 15c6cab1cda4..f7cbf95f182f 100644
--- a/framework/src/SetroubleshootFixit.py
+++ b/framework/src/SetroubleshootFixit.py
@@ -7,6 +7,7 @@ from gi.repository import GLib
import slip.dbus.service
from slip.dbus import polkit
import os
+import signal
class RunFix(slip.dbus.service.Object):
@@ -14,12 +15,20 @@ class RunFix(slip.dbus.service.Object):
def __init__(self, *p, **k):
super(RunFix, self).__init__(*p, **k)
+ self.timeout = 10
+ self.alarm(self.timeout)
+
+ def alarm(self, timeout=10):
+ signal.alarm(timeout)
+
@dbus.service.method("org.fedoraproject.SetroubleshootFixit", in_signature='ss', out_signature='s')
def run_fix(self, local_id, analysis_id):
import subprocess
+ self.alarm(0)
command = ["sealert", "-f", local_id, "-P", analysis_id]
return subprocess.check_output(command, universal_newlines=True)
+ self.alarm(self.timeout)
if __name__ == "__main__":
mainloop = GLib.MainLoop()
--
2.31.1


@ -1,103 +0,0 @@
From 65145c512908badc45fbab8f3b329e9923b42fb1 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Wed, 14 Apr 2021 17:04:59 +0200
Subject: [PATCH] Do not use Python slip package
It's not maintained anymore and it allows us to drop dependency on
Python slip package
Use DBUS polkit interface instead -
https://www.freedesktop.org/software/polkit/docs/latest/eggdbus-interface-org.freedesktop.PolicyKit1.Authority.html
---
framework/src/SetroubleshootFixit.py | 35 ++++++++++++++++++-------
framework/src/setroubleshoot/browser.py | 3 ---
2 files changed, 25 insertions(+), 13 deletions(-)
diff --git a/framework/src/SetroubleshootFixit.py b/framework/src/SetroubleshootFixit.py
index f7cbf95f182f..ab0ad2bf632c 100644
--- a/framework/src/SetroubleshootFixit.py
+++ b/framework/src/SetroubleshootFixit.py
@@ -4,13 +4,11 @@ import dbus
import dbus.service
import dbus.mainloop.glib
from gi.repository import GLib
-import slip.dbus.service
-from slip.dbus import polkit
import os
import signal
+import subprocess
-
-class RunFix(slip.dbus.service.Object):
+class RunFix(dbus.service.Object):
default_polkit_auth_required = "org.fedoraproject.setroubleshootfixit.write"
def __init__(self, *p, **k):
@@ -21,14 +19,32 @@ class RunFix(slip.dbus.service.Object):
def alarm(self, timeout=10):
signal.alarm(timeout)
-
- @dbus.service.method("org.fedoraproject.SetroubleshootFixit", in_signature='ss', out_signature='s')
- def run_fix(self, local_id, analysis_id):
- import subprocess
+ def is_authorized(self, sender):
+ bus = dbus.SystemBus()
+
+ proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
+ authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
+ subject = ('system-bus-name', {'name' : sender})
+ action_id = 'org.fedoraproject.setroubleshootfixit.write'
+ details = {}
+ flags = 1 # AllowUserInteraction flag
+ cancellation_id = '' # No cancellation id
+ result = authority.CheckAuthorization(subject, action_id, details, flags, cancellation_id)
+ return result[0]
+
+ @dbus.service.method("org.fedoraproject.SetroubleshootFixit", sender_keyword="sender", in_signature='ss', out_signature='s')
+ def run_fix(self, local_id, analysis_id, sender):
self.alarm(0)
command = ["sealert", "-f", local_id, "-P", analysis_id]
- return subprocess.check_output(command, universal_newlines=True)
+
+ if self.is_authorized(sender):
+ result = subprocess.check_output(command, universal_newlines=True)
+ else:
+ result = "Authorization failed"
+
self.alarm(self.timeout)
+ return result
+
if __name__ == "__main__":
mainloop = GLib.MainLoop()
@@ -36,5 +52,4 @@ if __name__ == "__main__":
system_bus = dbus.SystemBus()
name = dbus.service.BusName("org.fedoraproject.SetroubleshootFixit", system_bus)
object = RunFix(system_bus, "/org/fedoraproject/SetroubleshootFixit/object")
- slip.dbus.service.set_mainloop(mainloop)
mainloop.run()
diff --git a/framework/src/setroubleshoot/browser.py b/framework/src/setroubleshoot/browser.py
index 2d37bb43df02..3203f75e0c17 100644
--- a/framework/src/setroubleshoot/browser.py
+++ b/framework/src/setroubleshoot/browser.py
@@ -65,8 +65,6 @@ from setroubleshoot.util import *
from setroubleshoot.html_util import html_to_text
import re
import dbus
-import slip.dbus.service
-from slip.dbus import polkit
import report
import report.io
import report.io.GTKIO
@@ -933,7 +931,6 @@ class DBusProxy (object):
self.bus = dbus.SystemBus()
self.dbus_object = self.bus.get_object("org.fedoraproject.SetroubleshootFixit", "/org/fedoraproject/SetroubleshootFixit/object")
- @polkit.enable_proxy
def run_fix(self, local_id, plugin_name):
return self.dbus_object.run_fix(local_id, plugin_name, dbus_interface="org.fedoraproject.SetroubleshootFixit")
--
2.31.1


@ -1,163 +0,0 @@
From 46369d08223e06fb7884a4e65ff47a3b0b828f25 Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Thu, 15 Jul 2021 13:22:59 +0200
Subject: [PATCH] sedispatch: improve performance
sedispatch is pretty much the slowest audit relatedplugin. It was mixing
descriptors (select) and FILE functions (fgets) which is not a good recipe.
It's reworked to only use descriptors. Also the flow is updated to
follow the latest plugin recommendations. This makes it run almost twice
as fast. The call to auparse_set_eoe_timeout() requires audit 3.0.1.
---
src/sedispatch.c | 72 +++++++++++++++++++++++++-----------------------
1 file changed, 38 insertions(+), 34 deletions(-)
diff --git a/framework/src/sedispatch.c b/framework/src/sedispatch.c
index 2fa94fd85cc3..49c2fce2a333 100644
--- a/framework/src/sedispatch.c
+++ b/framework/src/sedispatch.c
@@ -1,5 +1,5 @@
/* sedispatch.c --
- * Copyright 2009 Red Hat Inc., Durham, North Carolina.
+ * Copyright 2009,2021 Red Hat Inc.
* All Rights Reserved.
*
* This program is free software; you can redistribute it and/or modify
@@ -30,14 +30,14 @@
*
*/
-#define _GNU_SOURCE
-#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <string.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
#include "libaudit.h"
#include "auparse.h"
#include "sedbus.h"
@@ -101,8 +101,6 @@ int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
{
char tmp[MAX_AUDIT_MESSAGE_LENGTH+1];
struct sigaction sa;
- fd_set rfds;
- struct timeval tv;
/* Register sighandlers */
sa.sa_flags = 0;
@@ -113,6 +111,9 @@ int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
sa.sa_handler = hup_handler;
sigaction(SIGHUP, &sa, NULL);
+ /* Set STDIN non-blocking */
+ fcntl(0, F_SETFL, O_NONBLOCK);
+
/* Initialize the auparse library */
au = auparse_init(AUSOURCE_FEED, 0);
if (au == NULL) {
@@ -120,37 +121,49 @@ int main(int argc __attribute__((unused)), char *argv[] __attribute__((unused)))
return -1;
}
+ auparse_set_eoe_timeout(2);
auparse_add_callback(au, handle_event, NULL, NULL);
+
#ifdef HAVE_LIBCAP_NG
capng_clear(CAPNG_SELECT_BOTH);
capng_apply(CAPNG_SELECT_BOTH);
#endif
+
do {
+ fd_set rfds;
+ int retval;
+ int read_size = 1; /* Set to 1 so it's not EOF */
+
/* Load configuration */
if (hup) {
reload_config();
}
- /* Now the event loop */
- while (fgets_unlocked(tmp, MAX_AUDIT_MESSAGE_LENGTH, stdin) &&
- hup==0 && stop==0) {
- auparse_feed(au, tmp, strnlen(tmp,
- MAX_AUDIT_MESSAGE_LENGTH));
-
- /* Wait for 3 seconds and if nothing has happen expect that the event
- * is complete and flush parser's feed
- * FIXME: in future, libaudit will provide a better mechanism for aging
- * events
- */
+ do {
FD_ZERO(&rfds);
FD_SET(0, &rfds);
- tv.tv_sec = 3;
- tv.tv_usec = 0;
- if (select(1, &rfds, NULL, NULL, &tv) == 0)
- /* The timeout occurred, the event is probably complete */
- auparse_flush_feed(au);
+
+ if (auparse_feed_has_data(au)) {
+ // We'll do a 1 second timeout to try to
+ // age events as quick as possible
+ struct timeval tv;
+ tv.tv_sec = 1;
+ tv.tv_usec = 0;
+ retval = select(1, &rfds, NULL, NULL, &tv);
+ } else
+ retval = select(1, &rfds, NULL, NULL, NULL);
+
+ /* If we timed out & have events, shake them loose */
+ if (retval == 0 && auparse_feed_has_data(au))
+ auparse_feed_age_events(au);
+ } while (retval == -1 && errno == EINTR && !hup && !stop);
+
+ /* Handle the event */
+ if (!hup && !stop && retval > 0) {
+ read_size = read(0, tmp, MAX_AUDIT_MESSAGE_LENGTH);
+ auparse_feed(au, tmp, read_size);
}
- if (feof(stdin))
+ if (read_size == 0) /* EOF */
break;
} while (stop == 0);
@@ -178,7 +191,6 @@ static void dump_whole_record(auparse_state_t *au, void *conn)
{
size_t size = 1;
char *tmp = NULL, *end=NULL;
- int i = 0;
const char * rec = NULL;
const char *scon = auparse_find_field(au, "scontext");
const char *tcon = auparse_find_field(au, "tcontext");
@@ -234,19 +246,11 @@ static void handle_event(auparse_state_t *au,
move the cursor accidentally skipping a record. */
while (auparse_goto_record_num(au, num) > 0) {
type = auparse_get_type(au);
- /* Now we can branch based on what record type we find.
- This is just a few suggestions, but it could be anything. */
+ /* Only handle AVCs. */
switch (type) {
case AUDIT_AVC:
- dump_whole_record(au, conn);
- break;
- case AUDIT_SYSCALL:
- break;
- case AUDIT_USER_LOGIN:
- break;
- case AUDIT_ANOM_ABEND:
- break;
- case AUDIT_MAC_STATUS:
+ dump_whole_record(au, conn);
+ return;
break;
default:
break;
--
2.32.0


@ -1,83 +0,0 @@
From ed6c940c8b05baaf8a4318beccde896893cc32dd Mon Sep 17 00:00:00 2001
From: Steve Grubb <sgrubb@redhat.com>
Date: Thu, 15 Jul 2021 13:29:32 +0200
Subject: [PATCH] sedispatch: improve performance using cache friendly api
It turns out that using auparse_goto_record_num() is not cache friendly.
Since it is only processing AVC events, there is no chance of seeking
around and missing the AVC record. So, that part of the program is
switched out to use auparse_next_record() which only moves through the
event once.
Also unused variables were remove and the loop simplified.
This change gets about 9% more speed. For reference, this
is how I checked the speed:
time ./sedispatch < /var/log/audit/audit.log >/dev/null
---
src/sedispatch.c | 36 +++++++++++-------------------------
1 file changed, 11 insertions(+), 25 deletions(-)
diff --git a/framework/src/sedispatch.c b/framework/src/sedispatch.c
index 49c2fce2a333..f2e9fbaf0743 100644
--- a/framework/src/sedispatch.c
+++ b/framework/src/sedispatch.c
@@ -187,7 +187,7 @@ static int is_setroubleshoot(const char *context) {
}
/* This function shows how to dump a whole record's text */
-static void dump_whole_record(auparse_state_t *au, void *conn)
+static void dump_whole_record(auparse_state_t *au)
{
size_t size = 1;
char *tmp = NULL, *end=NULL;
@@ -228,35 +228,21 @@ static void dump_whole_record(auparse_state_t *au, void *conn)
}
-/* This function receives a single complete event at a time from the auparse
- * library. This is where the main analysis code would be added. */
+/* This function receives a single complete event from auparse. Internal
+ * cursors are on the first record. This is where the analysis occurs. */
static void handle_event(auparse_state_t *au,
auparse_cb_event_t cb_event_type, void *user_data)
{
- int type, num=0;
-
- DBusConnection* conn =
- (DBusConnection*) user_data;
-
- if (cb_event_type != AUPARSE_CB_EVENT_READY)
- return;
-
- /* Loop through the records in the event looking for one to process.
- We use physical record number because we may search around and
- move the cursor accidentally skipping a record. */
- while (auparse_goto_record_num(au, num) > 0) {
- type = auparse_get_type(au);
+ /* Loop through the records looking for an AVC. If we ever process
+ * other record types without directly returning, we may need to use
+ * auparse_goto_record_num() to ensure seeing each record. */
+ do {
/* Only handle AVCs. */
- switch (type) {
- case AUDIT_AVC:
- dump_whole_record(au, conn);
- return;
- break;
- default:
- break;
+ if (auparse_get_type(au) == AUDIT_AVC) {
+ dump_whole_record(au);
+ return;
}
- num++;
- }
+ } while (auparse_next_record(au) > 0);
}
#ifdef NOTUSED
--
2.32.0


@ -1,25 +0,0 @@
From 4041744bc94ee94a5d6ba59dd398e2eaae790b97 Mon Sep 17 00:00:00 2001
From: Petr Lautrbach <plautrba@redhat.com>
Date: Fri, 16 Jul 2021 11:03:47 +0200
Subject: [PATCH] auparse_set_eoe_timeout() requires audit / libauparse 3.0.1
---
configure.ac | 2 ++
1 file changed, 2 insertions(+)
diff --git a/framework/configure.ac b/framework/configure.ac
index d1d01766e4a0..0fba58dca9d2 100644
--- a/framework/configure.ac
+++ b/framework/configure.ac
@@ -13,6 +13,8 @@ PKG_CHECK_MODULES([NOTIFY], [libnotify])
PKG_CHECK_MODULES([SEAPPLETLEGACY], [gtk+-2.0 gio-unix-2.0 libnotify dbus-glib-1],
[seappletlegacy=yes], [seappletlegacy=no])
PKG_CHECK_MODULES([SEAPPLET], [gtk+-3.0])
+# auparse_set_eoe_timeout() requires libauparse 3.0.1
+PKG_CHECK_MODULES([SEDISPATCH], [auparse >= 3.0.1])
# make sure we keep ACLOCAL_FLAGS around for maintainer builds to work
AC_SUBST(ACLOCAL_AMFLAGS, "\${ACLOCAL_FLAGS}")
--
2.32.0


@ -3,19 +3,14 @@
Summary: Helps troubleshoot SELinux problems
Name: setroubleshoot
Version: 3.3.26
Release: 5%{?dist}
Version: 3.3.27
Release: 1%{?dist}
License: GPLv2+
URL: https://pagure.io/setroubleshoot
Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz
URL: https://gitlab.com/setroubleshoot/framework
Source0: https://gitlab.com/setroubleshoot/framework/-/archive/%{version}/framework-%{version}.tar.gz
Source1: %{name}.tmpfiles
# git format-patch -N setroubleshoot-3.3.26 -- framework
# git format-patch -N 3.3.27
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
Patch0001: 0001-Stop-SetroubleshootFixit-after-10-seconds-of-inactiv.patch
Patch0002: 0002-Do-not-use-Python-slip-package.patch
Patch0003: 0003-sedispatch-improve-performance.patch
Patch0004: 0004-sedispatch-improve-performance-using-cache-friendly-.patch
Patch0005: 0005-auparse_set_eoe_timeout-requires-audit-libauparse-3..patch
BuildRequires: gcc
BuildRequires: make
BuildRequires: libcap-ng-devel
@ -68,10 +63,10 @@ to user preference. The same tools can be run on existing log files.
%prep
%autosetup -p 2
%autosetup -p 2 -n framework-%{version}
%build
autoreconf -f
./autogen.sh
%configure PYTHON=%{__python3} --enable-seappletlegacy=no --with-auditpluginsdir=/etc/audit/plugins.d
make
@ -194,6 +189,14 @@ chown -R setroubleshoot:setroubleshoot %{pkgvardatadir}
%doc AUTHORS COPYING ChangeLog DBUS.md NEWS README TODO
%changelog
* Thu Jan 13 2022 Petr Lautrbach <plautrba@redhat.com> - 3.3.27-1
- sedispatch: check read_size
- SafeConfigParser is deprecated and will be dropped
- Fix typos in --help, man pages and developer's guide
- Improve Python 3.10 compatibility
https://pagure.io/setroubleshoot/issue/58
- Update translations
* Tue Aug 10 2021 Mohan Boddu <mboddu@redhat.com> - 3.3.26-5
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
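Review bot: The `%prep` line `%autosetup -p 2 -n framework-%{version}` keeps the patch-strip level although every `Patch000N:` line was removed, and the retained `# git format-patch -N 3.3.27` / `# i=1; for j in 00*patch …` comments now describe a step the spec no longer performs; either drop `-p 2` or replace those comments with one line such as `# no downstream patches carried at the moment`, so a later packager does not read the empty list as an accidental loss. Source0 also moves from a published release tarball on releases.pagure.org to a forge archive URL (`/-/archive/%{version}/framework-%{version}.tar.gz`); as far as can be told from this page such archives are generated on request rather than uploaded once, so the SHA512 entry in `sources` is the only thing pinning the download, and a future checksum mismatch should prompt re-verification against the upstream tag rather than a simple re-hash. A comment above Source0, e.g. `# forge-generated archive: verify against the upstream tag before refreshing sources`, would record that expectation. The `%changelog` entry does not mention the source-location move or the `autoreconf -f` → `./autogen.sh` change in `%build`, both of which affect how the build is reproduced.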


@ -1 +1 @@
SHA512 (setroubleshoot-3.3.26.tar.gz) = e081a07303635e555923956541b6099fdf07c35d352f8f16ce9c131aa7155aaa5cb295919959af2088823400b074d4098a8a59741b09d25ef9ba0c86e45c62be
SHA512 (framework-3.3.27.tar.gz) = b9b5ed9771433bc40e96545a4bd2f21e108b10e932d9260407ea704dbb06c2633dff628272fb2a1b306153eab8bebda16325fb0e1312c4866dd07ef5bcb6a93a