rpms/setroubleshoot
6
0
Fork 0
Code Issues Pull Requests Releases Activity

import setroubleshoot-3.3.26-5.el8

Browse Source
This commit is contained in:
CentOS Sources 2022-09-27 06:12:12 -04:00 committed by Stepan Oksanichenko
parent 7295da18ee
commit 49680f06eb
4 changed files with 184 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

70
SOURCES/0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch Normal file
View File

@ -0,0 +1,70 @@
From a2102cb35cd45852fc508b2f62400be098050d7a Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 4 Jul 2022 16:20:30 +0200
Subject: [PATCH] Decrease setroubleshootd priority and limit RAM utilization
to 1GB
This should help with system responsiveness in case of large amount of
AVCs. The memory limit ensures the process cannot indefinitely hog
memory in case it is running continuously. My testing showed normal
memory consumption not to exceed 350MB, so 1GB should not limit normal
operation.
Note: Limiting memory using systemd service file was chosen to make it easier
for users to adjust the limits.
Related:
https://bugzilla.redhat.com/show_bug.cgi?id=2064727
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
Makefile.am | 3 +++
org.fedoraproject.Setroubleshootd.service | 3 ++-
setroubleshootd.service | 10 ++++++++++
3 files changed, 15 insertions(+), 1 deletion(-)
create mode 100644 setroubleshootd.service
diff --git a/framework/Makefile.am b/framework/Makefile.am
index f330b7c..93c6a06 100644
--- a/framework/Makefile.am
+++ b/framework/Makefile.am
@@ -28,6 +28,9 @@ polkit_systemdir = $(datadir)/polkit-1/actions
polkit_system_DATA = \
org.fedoraproject.setroubleshootfixit.policy
+systemd_systemunitdir = $(prefix)/lib/systemd/system/
+systemd_systemunit_DATA = setroubleshootd.service
+
autostartdir = $(sysconfdir)/xdg/autostart
autostart_DATA = sealertauto.desktop
diff --git a/framework/org.fedoraproject.Setroubleshootd.service b/framework/org.fedoraproject.Setroubleshootd.service
index 05c2c39..2c52499 100644
--- a/framework/org.fedoraproject.Setroubleshootd.service
+++ b/framework/org.fedoraproject.Setroubleshootd.service
@@ -1,4 +1,5 @@
[D-BUS Service]
Name=org.fedoraproject.Setroubleshootd
-Exec=/usr/sbin/setroubleshootd -f
+SystemdService=setroubleshootd.service
+Exec=/bin/false
User=setroubleshoot
diff --git a/framework/setroubleshootd.service b/framework/setroubleshootd.service
new file mode 100644
index 0000000..81c75b1
--- /dev/null
+++ b/framework/setroubleshootd.service
@@ -0,0 +1,10 @@
+[Unit]
+Description=SETroubleshoot daemon for processing new SELinux denial logs
+
+[Service]
+Type=dbus
+BusName=org.fedoraproject.Setroubleshootd
+ExecStart=/usr/sbin/setroubleshootd -f
+User=setroubleshoot
+LimitAS=1G
+Nice=5
--
2.35.3

45
SOURCES/0008-doc-Document-performance-related-changes.patch Normal file
View File

@ -0,0 +1,45 @@
From eed06d0f11867c1019fee4fb1a80be775a60d74e Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Mon, 11 Jul 2022 18:20:47 +0200
Subject: [PATCH] doc: Document performance related changes
- Setroubleshootd is now executed using setroubleshootd.service
- ^^ is limited to 1GB of RAM and has a lower than normal priority
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
---
doc/setroubleshootd.8 | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/framework/doc/setroubleshootd.8 b/framework/doc/setroubleshootd.8
index bed6713..f1f04d8 100644
--- a/framework/doc/setroubleshootd.8
+++ b/framework/doc/setroubleshootd.8
@@ -23,9 +23,14 @@ components, sealert and setroubleshootd.
setroubleshootd is a system daemon which runs under setroubleshoot user and
listens for audit events emitted from the kernel related to SELinux. When the
setroubleshootd daemon sees an SELinux AVC denial it runs a series of analysis
-plugins which examines the audit data related to the AVC. It records the
+plugins which examine the audit data related to the AVC. It records the
results of the analysis and signals any clients which have attached to the
setroubleshootd daemon that a new alert has been seen.
+.P
+setroubleshootd is not persistent and only runs when there are new AVCs to be
+analyzed. It is executed using setroubleshootd.service, which also limits its
+priority and maximum RAM utilization to 1GB, in order to help with system
+responsiveness in case of large amounts of AVCs.
.SH "OPTIONS"
.TP
@@ -33,7 +38,7 @@ setroubleshootd daemon that a new alert has been seen.
Do not fork the daemon
.TP
.B \-d \-\-debug
-Do not exit after 10 seconds
+Do not exit after 10 seconds of inactivity
.TP
.B \-h \-\-help
Show this message
--
2.35.3

56
SOURCES/0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch Normal file
View File

@ -0,0 +1,56 @@
From 2fbc58c26359989894dfb54daaca2ff4b537f4fe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 22 Apr 2022 16:27:30 +0200
Subject: [PATCH] setroubleshoot/server: shutdown RunFaultServer nicely
systemd[1]: dbus-:1.2-org.fedoraproject.Setroubleshootd@2.service: Main process exited, code=killed, status=14/ALRM
systemd[1]: dbus-:1.2-org.fedoraproject.Setroubleshootd@2.service: Failed with result 'signal'.
audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=dbus-:1.2-org.fedoraproject.Setroubleshootd@2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
---
src/setroubleshoot/server.py | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/framework/src/setroubleshoot/server.py b/framework/src/setroubleshoot/server.py
index 10ef215..8f16993 100755
--- a/framework/src/setroubleshoot/server.py
+++ b/framework/src/setroubleshoot/server.py
@@ -733,9 +733,17 @@ def goodbye(database):
audit2why.finish()
+main_loop = GLib.MainLoop()
+
+
+def alarm_handler(signum, frame):
+ log_debug("SIGALRM raised in RunFaultServer")
+ main_loop.quit()
+
+
def RunFaultServer(timeout=10):
signal.alarm(timeout)
- sigalrm_handler = signal.signal(signal.SIGALRM, polling_failed_handler)
+ signal.signal(signal.SIGALRM, polling_failed_handler)
# polling for /sys/fs/selinux/policy file
while True:
try:
@@ -760,7 +768,7 @@ def RunFaultServer(timeout=10):
global host_database, analysis_queue, email_recipients
- signal.signal(signal.SIGALRM, sigalrm_handler)
+ signal.signal(signal.SIGALRM, alarm_handler)
signal.signal(signal.SIGHUP, sighandler)
#interface_registry.dump_interfaces()
@@ -856,7 +864,7 @@ def RunFaultServer(timeout=10):
dbus.glib.init_threads()
setroubleshootd_dbus = SetroubleshootdDBus(analysis_queue, alert_receiver, timeout)
- main_loop = GLib.MainLoop()
+
main_loop.run()
except KeyboardInterrupt as e:
--
2.35.3

14
SPECS/setroubleshoot.spec
View File

@ -1,7 +1,7 @@
Summary: Helps troubleshoot SELinux problems Summary: Helps troubleshoot SELinux problems
Name: setroubleshoot Name: setroubleshoot
Version: 3.3.26 Version: 3.3.26
Release: 3%{?dist} Release: 5%{?dist}
License: GPLv2+ License: GPLv2+
URL: https://gitlab.com/setroubleshoot/framework URL: https://gitlab.com/setroubleshoot/framework
Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz
@ -14,6 +14,9 @@ Patch0003: 0003-Fix-typos-in-help-man-pages-and-developer-s-guide.patch
Patch0004: 0004-Revert-Replace-pydbus-with-dasbus.patch Patch0004: 0004-Revert-Replace-pydbus-with-dasbus.patch
Patch0005: 0005-Improve-after_first-email-filter-behavior.patch Patch0005: 0005-Improve-after_first-email-filter-behavior.patch
Patch0006: 0006-Update-translations.patch Patch0006: 0006-Update-translations.patch
Patch0007: 0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch
Patch0008: 0008-doc-Document-performance-related-changes.patch
Patch0009: 0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch
BuildRequires: gcc BuildRequires: gcc
BuildRequires: make BuildRequires: make
BuildRequires: libcap-ng-devel BuildRequires: libcap-ng-devel
@ -108,6 +111,7 @@ Requires: libselinux-python3 >= 2.1.5-1
Requires: policycoreutils-python-utils Requires: policycoreutils-python-utils
BuildRequires: intltool gettext python3 BuildRequires: intltool gettext python3
BuildRequires: python3-devel BuildRequires: python3-devel
BuildRequires: systemd
Requires: systemd-python3 >= 206-1 Requires: systemd-python3 >= 206-1
Requires: python3-gobject >= 3.11 Requires: python3-gobject >= 3.11
Requires: dbus Requires: dbus
@ -198,11 +202,19 @@ chown -R setroubleshoot:setroubleshoot %{pkgvardatadir}
%{_datadir}/polkit-1/actions/org.fedoraproject.setroubleshootfixit.policy %{_datadir}/polkit-1/actions/org.fedoraproject.setroubleshootfixit.policy
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf
%{_datadir}/dbus-1/system-services/org.fedoraproject.SetroubleshootFixit.service %{_datadir}/dbus-1/system-services/org.fedoraproject.SetroubleshootFixit.service
%{_unitdir}/setroubleshootd.service
%attr(0644,root,root) %{_tmpfilesdir}/%{name}.conf %attr(0644,root,root) %{_tmpfilesdir}/%{name}.conf
%attr(0711,setroubleshoot,setroubleshoot) %dir %{_rundir}/setroubleshoot %attr(0711,setroubleshoot,setroubleshoot) %dir %{_rundir}/setroubleshoot
%doc AUTHORS COPYING ChangeLog DBUS.md NEWS README TODO %doc AUTHORS COPYING ChangeLog DBUS.md NEWS README TODO
%changelog %changelog
* Mon Aug 22 2022 Vit Mojzis <vmojzis@redhat.com> - 3.3.26-5
- Shutdown RunFaultServer nicely (#2119001)
* Wed Jul 13 2022 Vit Mojzis <vmojzis@redhat.com> - 3.3.26-4
- Decrease setroubleshootd priority and limit RAM utilization to 1GB (#2064727)
- doc: Document performance related changes
* Fri Feb 25 2022 Vit Mojzis <vmojzis@redhat.com> - 3.3.26-3 * Fri Feb 25 2022 Vit Mojzis <vmojzis@redhat.com> - 3.3.26-3
- Update translations (#2017299) - Update translations (#2017299)