import setroubleshoot-3.3.26-5.el8

2022-09-27 06:12:12 -04:00 · 2022-09-27 06:12:12 -04:00 · 49680f06eb
commit 49680f06eb
parent 7295da18ee
4 changed files with 184 additions and 1 deletions
--- a/SOURCES/0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch
+++ b/SOURCES/0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch
@ -0,0 +1,70 @@
+From a2102cb35cd45852fc508b2f62400be098050d7a Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 4 Jul 2022 16:20:30 +0200
+Subject: [PATCH] Decrease setroubleshootd priority and limit RAM utilization
+ to 1GB
+
+This should help with system responsiveness in case of large amount of
+AVCs. The memory limit ensures the process cannot indefinitely hog
+memory in case it is running continuously. My testing showed normal
+memory consumption not to exceed 350MB, so 1GB should not limit normal
+operation.
+
+Note: Limiting memory using systemd service file was chosen to make it easier
+for users to adjust the limits.
+
+Related:
+https://bugzilla.redhat.com/show_bug.cgi?id=2064727
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ Makefile.am                               |  3 +++
+ org.fedoraproject.Setroubleshootd.service |  3 ++-
+ setroubleshootd.service                   | 10 ++++++++++
+ 3 files changed, 15 insertions(+), 1 deletion(-)
+ create mode 100644 setroubleshootd.service
+
+diff --git a/framework/Makefile.am b/framework/Makefile.am
+index f330b7c..93c6a06 100644
+--- a/framework/Makefile.am
+++ b/framework/Makefile.am
+@@ -28,6 +28,9 @@ polkit_systemdir = $(datadir)/polkit-1/actions
+ polkit_system_DATA = \
+ 			org.fedoraproject.setroubleshootfixit.policy
+ 
+systemd_systemunitdir = $(prefix)/lib/systemd/system/
+systemd_systemunit_DATA = setroubleshootd.service
+
+ autostartdir = $(sysconfdir)/xdg/autostart
+ autostart_DATA = sealertauto.desktop
+ 
+diff --git a/framework/org.fedoraproject.Setroubleshootd.service b/framework/org.fedoraproject.Setroubleshootd.service
+index 05c2c39..2c52499 100644
+--- a/framework/org.fedoraproject.Setroubleshootd.service
+++ b/framework/org.fedoraproject.Setroubleshootd.service
+@@ -1,4 +1,5 @@
+ [D-BUS Service]
+ Name=org.fedoraproject.Setroubleshootd
+-Exec=/usr/sbin/setroubleshootd -f 
+SystemdService=setroubleshootd.service
+Exec=/bin/false
+ User=setroubleshoot
+diff --git a/framework/setroubleshootd.service b/framework/setroubleshootd.service
+new file mode 100644
+index 0000000..81c75b1
+--- /dev/null
+++ b/framework/setroubleshootd.service
+@@ -0,0 +1,10 @@
+[Unit]
+Description=SETroubleshoot daemon for processing new SELinux denial logs
+
+[Service]
+Type=dbus
+BusName=org.fedoraproject.Setroubleshootd
+ExecStart=/usr/sbin/setroubleshootd -f
+User=setroubleshoot
+LimitAS=1G
+Nice=5
+-- 
+2.35.3
+
--- a/SOURCES/0008-doc-Document-performance-related-changes.patch
+++ b/SOURCES/0008-doc-Document-performance-related-changes.patch
@ -0,0 +1,45 @@
+From eed06d0f11867c1019fee4fb1a80be775a60d74e Mon Sep 17 00:00:00 2001
+From: Vit Mojzis <vmojzis@redhat.com>
+Date: Mon, 11 Jul 2022 18:20:47 +0200
+Subject: [PATCH] doc: Document performance related changes
+
+- Setroubleshootd is now executed using setroubleshootd.service
+- ^^ is limited to 1GB of RAM and has a lower than normal priority
+
+Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
+---
+ doc/setroubleshootd.8 | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/framework/doc/setroubleshootd.8 b/framework/doc/setroubleshootd.8
+index bed6713..f1f04d8 100644
+--- a/framework/doc/setroubleshootd.8
+++ b/framework/doc/setroubleshootd.8
+@@ -23,9 +23,14 @@ components, sealert and setroubleshootd.
+ setroubleshootd is a system daemon which runs under setroubleshoot user and
+ listens for audit events emitted from the kernel related to SELinux. When the
+ setroubleshootd daemon sees an SELinux AVC denial it runs a series of analysis
+-plugins which examines the audit data related to the AVC. It records the
+plugins which examine the audit data related to the AVC. It records the
+ results of the analysis and signals any clients which have attached to the
+ setroubleshootd daemon that a new alert has been seen.
+.P
+setroubleshootd is not persistent and only runs when there are new AVCs to be
+analyzed. It is executed using setroubleshootd.service, which also limits its
+priority and maximum RAM utilization to 1GB, in order to help with system
+responsiveness in case of large amounts of AVCs.
+ 
+ .SH "OPTIONS"
+ .TP 
+@@ -33,7 +38,7 @@ setroubleshootd daemon that a new alert has been seen.
+ Do not fork the daemon
+ .TP 
+ .B \-d \-\-debug
+-Do not exit after 10 seconds
+Do not exit after 10 seconds of inactivity
+ .TP 
+ .B \-h \-\-help           
+ Show this message
+-- 
+2.35.3
+
--- a/SOURCES/0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch
+++ b/SOURCES/0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch
@ -0,0 +1,56 @@
+From 2fbc58c26359989894dfb54daaca2ff4b537f4fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
+Date: Fri, 22 Apr 2022 16:27:30 +0200
+Subject: [PATCH] setroubleshoot/server: shutdown RunFaultServer nicely
+
+    systemd[1]: dbus-:1.2-org.fedoraproject.Setroubleshootd@2.service: Main process exited, code=killed, status=14/ALRM
+    systemd[1]: dbus-:1.2-org.fedoraproject.Setroubleshootd@2.service: Failed with result 'signal'.
+    audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=dbus-:1.2-org.fedoraproject.Setroubleshootd@2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
+---
+ src/setroubleshoot/server.py | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/framework/src/setroubleshoot/server.py b/framework/src/setroubleshoot/server.py
+index 10ef215..8f16993 100755
+--- a/framework/src/setroubleshoot/server.py
+++ b/framework/src/setroubleshoot/server.py
+@@ -733,9 +733,17 @@ def goodbye(database):
+     audit2why.finish()
+ 
+ 
+main_loop = GLib.MainLoop()
+
+
+def alarm_handler(signum, frame):
+    log_debug("SIGALRM raised in RunFaultServer")
+    main_loop.quit()
+
+
+ def RunFaultServer(timeout=10):
+     signal.alarm(timeout)
+-    sigalrm_handler = signal.signal(signal.SIGALRM, polling_failed_handler)
+    signal.signal(signal.SIGALRM, polling_failed_handler)
+     # polling for /sys/fs/selinux/policy file
+     while True:
+         try:
+@@ -760,7 +768,7 @@ def RunFaultServer(timeout=10):
+ 
+     global host_database, analysis_queue, email_recipients
+ 
+-    signal.signal(signal.SIGALRM, sigalrm_handler)
+    signal.signal(signal.SIGALRM, alarm_handler)
+     signal.signal(signal.SIGHUP, sighandler)
+ 
+     #interface_registry.dump_interfaces()
+@@ -856,7 +864,7 @@ def RunFaultServer(timeout=10):
+ 
+         dbus.glib.init_threads()
+         setroubleshootd_dbus = SetroubleshootdDBus(analysis_queue, alert_receiver, timeout)
+-        main_loop = GLib.MainLoop()
+
+         main_loop.run()
+ 
+     except KeyboardInterrupt as e:
+-- 
+2.35.3
+
--- a/SPECS/setroubleshoot.spec
+++ b/SPECS/setroubleshoot.spec
@ -1,7 +1,7 @@
 Summary: Helps troubleshoot SELinux problems
 Name: setroubleshoot
 Version: 3.3.26
-Release: 3%{?dist}
+Release: 5%{?dist}
 License: GPLv2+
 URL: https://gitlab.com/setroubleshoot/framework
 Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz
@ -14,6 +14,9 @@ Patch0003: 0003-Fix-typos-in-help-man-pages-and-developer-s-guide.patch
 Patch0004: 0004-Revert-Replace-pydbus-with-dasbus.patch
 Patch0005: 0005-Improve-after_first-email-filter-behavior.patch
 Patch0006: 0006-Update-translations.patch
+Patch0007: 0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch
+Patch0008: 0008-doc-Document-performance-related-changes.patch
+Patch0009: 0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch
 BuildRequires: gcc
 BuildRequires: make
 BuildRequires: libcap-ng-devel
@ -108,6 +111,7 @@ Requires: libselinux-python3  >= 2.1.5-1
 Requires: policycoreutils-python-utils
 BuildRequires: intltool gettext python3
 BuildRequires: python3-devel
+BuildRequires: systemd
 Requires: systemd-python3 >= 206-1
 Requires: python3-gobject >= 3.11
 Requires: dbus
@ -198,11 +202,19 @@ chown -R setroubleshoot:setroubleshoot %{pkgvardatadir}
 %{_datadir}/polkit-1/actions/org.fedoraproject.setroubleshootfixit.policy
 %config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf
 %{_datadir}/dbus-1/system-services/org.fedoraproject.SetroubleshootFixit.service
+%{_unitdir}/setroubleshootd.service
 %attr(0644,root,root) %{_tmpfilesdir}/%{name}.conf
 %attr(0711,setroubleshoot,setroubleshoot) %dir %{_rundir}/setroubleshoot
 %doc AUTHORS COPYING ChangeLog DBUS.md NEWS README TODO

 %changelog
+* Mon Aug 22 2022 Vit Mojzis <vmojzis@redhat.com> - 3.3.26-5
+- Shutdown RunFaultServer nicely (#2119001)
+
+* Wed Jul 13 2022 Vit Mojzis <vmojzis@redhat.com> - 3.3.26-4
+- Decrease setroubleshootd priority and limit RAM utilization to 1GB (#2064727)
+- doc: Document performance related changes
+
 * Fri Feb 25 2022 Vit Mojzis <vmojzis@redhat.com> - 3.3.26-3
 - Update translations (#2017299)