diff --git a/SOURCES/0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch b/SOURCES/0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch new file mode 100644 index 0000000..c9c03a5 --- /dev/null +++ b/SOURCES/0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch 
@@ -0,0 +1,70 @@ +From a2102cb35cd45852fc508b2f62400be098050d7a Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Mon, 4 Jul 2022 16:20:30 +0200 +Subject: [PATCH] Decrease setroubleshootd priority and limit RAM utilization + to 1GB + +This should help with system responsiveness in case of large amount of +AVCs. The memory limit ensures the process cannot indefinitely hog +memory in case it is running continuously. My testing showed normal +memory consumption not to exceed 350MB, so 1GB should not limit normal +operation. + +Note: Limiting memory using systemd service file was chosen to make it easier +for users to adjust the limits. + +Related: +https://bugzilla.redhat.com/show_bug.cgi?id=2064727 + +Signed-off-by: Vit Mojzis +--- + Makefile.am | 3 +++ + org.fedoraproject.Setroubleshootd.service | 3 ++- + setroubleshootd.service | 10 ++++++++++ + 3 files changed, 15 insertions(+), 1 deletion(-) + create mode 100644 setroubleshootd.service + +diff --git a/framework/Makefile.am b/framework/Makefile.am +index f330b7c..93c6a06 100644 +--- a/framework/Makefile.am ++++ b/framework/Makefile.am +@@ -28,6 +28,9 @@ polkit_systemdir = $(datadir)/polkit-1/actions + polkit_system_DATA = \ + org.fedoraproject.setroubleshootfixit.policy + ++systemd_systemunitdir = $(prefix)/lib/systemd/system/ ++systemd_systemunit_DATA = setroubleshootd.service ++ + autostartdir = $(sysconfdir)/xdg/autostart + autostart_DATA = sealertauto.desktop + +diff --git a/framework/org.fedoraproject.Setroubleshootd.service b/framework/org.fedoraproject.Setroubleshootd.service +index 05c2c39..2c52499 100644 +--- a/framework/org.fedoraproject.Setroubleshootd.service ++++ b/framework/org.fedoraproject.Setroubleshootd.service +@@ -1,4 +1,5 @@ + [D-BUS Service] + Name=org.fedoraproject.Setroubleshootd +-Exec=/usr/sbin/setroubleshootd -f ++SystemdService=setroubleshootd.service ++Exec=/bin/false + User=setroubleshoot +diff --git a/framework/setroubleshootd.service b/framework/setroubleshootd.service +new file 
mode 100644 +index 0000000..81c75b1 +--- /dev/null ++++ b/framework/setroubleshootd.service +@@ -0,0 +1,10 @@ ++[Unit] ++Description=SETroubleshoot daemon for processing new SELinux denial logs ++ ++[Service] ++Type=dbus ++BusName=org.fedoraproject.Setroubleshootd ++ExecStart=/usr/sbin/setroubleshootd -f ++User=setroubleshoot ++LimitAS=1G ++Nice=5 +-- +2.35.3 + diff --git a/SOURCES/0008-doc-Document-performance-related-changes.patch b/SOURCES/0008-doc-Document-performance-related-changes.patch new file mode 100644 index 0000000..391e3c7 --- /dev/null +++ b/SOURCES/0008-doc-Document-performance-related-changes.patch 
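Review bot: `LimitAS=1G` in the new setroubleshootd.service caps the process's virtual address space, not its resident memory, so it does not deliver the "limit RAM utilization to 1GB" that the commit message states; a Python/GLib process maps thread stacks and shared libraries that count toward address space while consuming little RAM, so it can start failing allocations well below 1GB of actual use. `MemoryMax=1G` (cgroup memory accounting) is the directive that matches the stated intent, with `LimitAS` kept only if address-space growth was the observed problem. A comment in the unit, `# MemoryMax (not LimitAS) bounds resident memory; ~350MB was the observed normal peak`, would keep the number from being retuned without that context. Separately, Makefile.am hard-codes `systemd_systemunitdir = $(prefix)/lib/systemd/system/` instead of taking it from `pkg-config --variable=systemdsystemunitdir systemd`, so the install path silently diverges on layouts where that variable differs.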
@@ -0,0 +1,45 @@ +From eed06d0f11867c1019fee4fb1a80be775a60d74e Mon Sep 17 00:00:00 2001 +From: Vit Mojzis +Date: Mon, 11 Jul 2022 18:20:47 +0200 +Subject: [PATCH] doc: Document performance related changes + +- Setroubleshootd is now executed using setroubleshootd.service +- ^^ is limited to 1GB of RAM and has a lower than normal priority + +Signed-off-by: Vit Mojzis +--- + doc/setroubleshootd.8 | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/framework/doc/setroubleshootd.8 b/framework/doc/setroubleshootd.8 +index bed6713..f1f04d8 100644 +--- a/framework/doc/setroubleshootd.8 ++++ b/framework/doc/setroubleshootd.8 +@@ -23,9 +23,14 @@ components, sealert and setroubleshootd. + setroubleshootd is a system daemon which runs under setroubleshoot user and + listens for audit events emitted from the kernel related to SELinux. When the + setroubleshootd daemon sees an SELinux AVC denial it runs a series of analysis +-plugins which examines the audit data related to the AVC. It records the ++plugins which examine the audit data related to the AVC. It records the + results of the analysis and signals any clients which have attached to the + setroubleshootd daemon that a new alert has been seen. ++.P ++setroubleshootd is not persistent and only runs when there are new AVCs to be ++analyzed. It is executed using setroubleshootd.service, which also limits its ++priority and maximum RAM utilization to 1GB, in order to help with system ++responsiveness in case of large amounts of AVCs. + + .SH "OPTIONS" + .TP +@@ -33,7 +38,7 @@ setroubleshootd daemon that a new alert has been seen. + Do not fork the daemon + .TP + .B \-d \-\-debug +-Do not exit after 10 seconds ++Do not exit after 10 seconds of inactivity + .TP + .B \-h \-\-help + Show this message +-- +2.35.3 + 
diff --git a/SOURCES/0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch b/SOURCES/0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch new file mode 100644 index 0000000..395467b --- /dev/null +++ b/SOURCES/0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch 
@@ -0,0 +1,56 @@ +From 2fbc58c26359989894dfb54daaca2ff4b537f4fe Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= +Date: Fri, 22 Apr 2022 16:27:30 +0200 +Subject: [PATCH] setroubleshoot/server: shutdown RunFaultServer nicely + + systemd[1]: dbus-:1.2-org.fedoraproject.Setroubleshootd@2.service: Main process exited, code=killed, status=14/ALRM + systemd[1]: dbus-:1.2-org.fedoraproject.Setroubleshootd@2.service: Failed with result 'signal'. + audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=dbus-:1.2-org.fedoraproject.Setroubleshootd@2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed' +--- + src/setroubleshoot/server.py | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/framework/src/setroubleshoot/server.py b/framework/src/setroubleshoot/server.py +index 10ef215..8f16993 100755 +--- a/framework/src/setroubleshoot/server.py ++++ b/framework/src/setroubleshoot/server.py +@@ -733,9 +733,17 @@ def goodbye(database): + audit2why.finish() + + ++main_loop = GLib.MainLoop() ++ ++ ++def alarm_handler(signum, frame): ++ log_debug("SIGALRM raised in RunFaultServer") ++ main_loop.quit() ++ ++ + def RunFaultServer(timeout=10): + signal.alarm(timeout) +- sigalrm_handler = signal.signal(signal.SIGALRM, polling_failed_handler) ++ signal.signal(signal.SIGALRM, polling_failed_handler) + # polling for /sys/fs/selinux/policy file + while True: + try: +@@ -760,7 +768,7 @@ def RunFaultServer(timeout=10): + + global host_database, analysis_queue, email_recipients + +- signal.signal(signal.SIGALRM, sigalrm_handler) ++ signal.signal(signal.SIGALRM, alarm_handler) + signal.signal(signal.SIGHUP, sighandler) + + #interface_registry.dump_interfaces() +@@ -856,7 +864,7 @@ def RunFaultServer(timeout=10): + + dbus.glib.init_threads() + setroubleshootd_dbus = SetroubleshootdDBus(analysis_queue, alert_receiver, timeout) +- main_loop = 
GLib.MainLoop() ++ + main_loop.run() + + except KeyboardInterrupt as e: +-- +2.35.3 + diff --git a/SPECS/setroubleshoot.spec b/SPECS/setroubleshoot.spec index 88ff72c..20bb133 100644 --- a/SPECS/setroubleshoot.spec +++ b/SPECS/setroubleshoot.spec @@ -1,7 +1,7 @@ Summary: Helps troubleshoot SELinux problems Name: setroubleshoot Version: 3.3.26 -Release: 3%{?dist} +Release: 5%{?dist} License: GPLv2+ URL: https://gitlab.com/setroubleshoot/framework Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz @@ -14,6 +14,9 @@ Patch0003: 0003-Fix-typos-in-help-man-pages-and-developer-s-guide.patch Patch0004: 0004-Revert-Replace-pydbus-with-dasbus.patch Patch0005: 0005-Improve-after_first-email-filter-behavior.patch Patch0006: 0006-Update-translations.patch +Patch0007: 0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch +Patch0008: 0008-doc-Document-performance-related-changes.patch +Patch0009: 0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch BuildRequires: gcc BuildRequires: make BuildRequires: libcap-ng-devel @@ -108,6 +111,7 @@ Requires: libselinux-python3 >= 2.1.5-1 Requires: policycoreutils-python-utils BuildRequires: intltool gettext python3 BuildRequires: python3-devel +BuildRequires: systemd Requires: systemd-python3 >= 206-1 Requires: python3-gobject >= 3.11 Requires: dbus 
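Review bot: `signal.alarm(timeout)` on the first line of RunFaultServer is still armed before `signal.signal(signal.SIGALRM, polling_failed_handler)` installs a handler, so a SIGALRM landing in that narrow window takes the default disposition and produces exactly the `status=14/ALRM` exit the message quotes; installing the handler first, then calling `signal.alarm(timeout)`, closes it. The new `alarm_handler` stops the loop from a Python-level handler, which only runs once the interpreter regains control; PyGObject's `MainLoop.run()` override wakes the loop for Python signal handlers on recent versions, but that dependency is worth a comment on the module-level `main_loop = GLib.MainLoop()`, e.g. `# created at import time so alarm_handler can stop it; relies on PyGObject delivering Python signal handlers while run() is blocked`. RunFaultServer's body continues outside the hunk, so whether the alarm is re-armed after each processed alert is not visible here.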
@@ -198,11 +202,19 @@ chown -R setroubleshoot:setroubleshoot %{pkgvardatadir} %{_datadir}/polkit-1/actions/org.fedoraproject.setroubleshootfixit.policy %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf %{_datadir}/dbus-1/system-services/org.fedoraproject.SetroubleshootFixit.service +%{_unitdir}/setroubleshootd.service %attr(0644,root,root) %{_tmpfilesdir}/%{name}.conf %attr(0711,setroubleshoot,setroubleshoot) %dir %{_rundir}/setroubleshoot %doc AUTHORS COPYING ChangeLog DBUS.md NEWS README TODO %changelog +* Mon Aug 22 2022 Vit Mojzis - 3.3.26-5 +- Shutdown RunFaultServer nicely (#2119001) + +* Wed Jul 13 2022 Vit Mojzis - 3.3.26-4 +- Decrease setroubleshootd priority and limit RAM utilization to 1GB (#2064727) +- doc: Document performance related changes + * Fri Feb 25 2022 Vit Mojzis - 3.3.26-3 - Update translations (#2017299)