Cancel pending alarm during AVC analyses

Previously the alarm was reset only in main DBUS thread and only when a new AVC appeared. In cases when there were several AVC messages in short time, analyses could take more than a default timeout and later analyses were not saved to the database. Now we cancel pending timeouts before analyze_avc() and reset the timeout back to default when it's done. Fixes: $ journalctl | grep 'sealert -l' setroubleshoot[314039]: SELinux is preventing bash from search access on the directory .local. For complete SELinux messages run: sealert -l ccf3307a-f4ab-4584-87c6-63884daf841a $ sealert -l ccf3307a-f4ab-4584-87c6-63884daf841a Error query_alerts error (1003): id (ccf3307a-f4ab-4584-87c6-63884daf841a) not found
2020-05-27 13:59:07 +02:00 · 2020-05-27 13:59:07 +02:00 · ce0b7236a0
commit ce0b7236a0
parent 6882e142b6
2 changed files with 83 additions and 2 deletions
--- a/0001-framework-Cancel-pending-alarm-during-AVC-analyses.patch
+++ b/0001-framework-Cancel-pending-alarm-during-AVC-analyses.patch
@ -0,0 +1,80 @@
+From dbf63d5f6f9d9152fa2b9e7eafb4d31a2d482d21 Mon Sep 17 00:00:00 2001
+From: Petr Lautrbach <plautrba@redhat.com>
+Date: Wed, 27 May 2020 11:15:38 +0200
+Subject: [PATCH] framework: Cancel pending alarm during AVC analyses
+
+Previously the alarm was reset only in main DBUS thread and only when a new AVC
+appeared. In cases when there were several AVC messages in short time, analyses
+could take more than a default timeout and later analyses were not saved to
+the database. Now we cancel pending timeouts before analyze_avc() and reset the
+timeout back to default when it's done.
+
+Fixes:
+    $ journalctl | grep 'sealert -l'
+    setroubleshoot[314039]: SELinux is preventing bash from search access on the directory .local. For complete SELinux messages run: sealert -l ccf3307a-f4ab-4584-87c6-63884daf841a
+
+    $ sealert -l ccf3307a-f4ab-4584-87c6-63884daf841a
+    Error
+    query_alerts error (1003): id (ccf3307a-f4ab-4584-87c6-63884daf841a) not found
+---
+ framework/src/setroubleshoot/analyze.py | 8 +++++++-
+ framework/src/setroubleshoot/server.py  | 2 +-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/framework/src/setroubleshoot/analyze.py b/framework/src/setroubleshoot/analyze.py
+index 43b2484be353..9ff12886fd32 100644
+--- a/framework/src/setroubleshoot/analyze.py
+++ b/framework/src/setroubleshoot/analyze.py
+@@ -31,6 +31,7 @@ __all__ = ['AnalyzeThread',
+ import syslog
+ from gi.repository import GObject, GLib
+ import os
+import signal
+ import time
+ import threading
+ import traceback
+@@ -225,22 +226,27 @@ class Analyze(object):
+ 
+ class AnalyzeThread(Analyze, threading.Thread):
+ 
+-    def __init__(self, queue):
+    def __init__(self, queue, timeout=10):
+         # parent class constructors
+         threading.Thread.__init__(self)
+         Analyze.__init__(self)
+ 
+         self.queue = queue
+        self.timeout = timeout
+ 
+     def run(self):
+         while True:
+             try:
+                 avc, report_receiver = self.queue.get()
+                syslog.syslog(syslog.LOG_DEBUG, "AnalyzeThread.run(): Cancel pending alarm")
+                signal.alarm(0)
+                 self.analyze_avc(avc, report_receiver)
+             except Exception as e:
+                 syslog.syslog(syslog.LOG_ERR, "Exception during AVC analysis: %s" % e)
+             except ValueError as e:
+                 syslog.syslog(syslog.LOG_ERR, "Exception during AVC analysis: %s" % e)
+            syslog.syslog(syslog.LOG_DEBUG, "AnalyzeThread.run(): Set alarm timeout to {}".format(self.timeout))
+            signal.alarm(self.timeout)
+ 
+ #------------------------------------------------------------------------------
+ 
+diff --git a/framework/src/setroubleshoot/server.py b/framework/src/setroubleshoot/server.py
+index 9f25a480fc01..167e58634db5 100755
+--- a/framework/src/setroubleshoot/server.py
+++ b/framework/src/setroubleshoot/server.py
+@@ -810,7 +810,7 @@ def RunFaultServer(timeout=10):
+         # results of the analysis are to go) are included in the queued
+         # object along with the data to analyze.
+ 
+-        analyze_thread = AnalyzeThread(analysis_queue)
+        analyze_thread = AnalyzeThread(analysis_queue, timeout)
+         analyze_thread.setDaemon(True)
+         analyze_thread.start()
+ 
+-- 
+2.26.2
+
--- a/setroubleshoot.spec
+++ b/setroubleshoot.spec
@ -9,14 +9,15 @@ License: GPLv2+
 URL: https://pagure.io/setroubleshoot
 Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz
 Source1: %{name}.tmpfiles
-# git format-patch -N setroubleshoot-3.3.22 -- framework
+# git format-patch -N setroubleshoot-3.3.23 -- framework
 # i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
+Patch0001: 0001-framework-Cancel-pending-alarm-during-AVC-analyses.patch
 BuildRequires: gcc
 BuildRequires: libcap-ng-devel
 BuildRequires: intltool gettext python3 python3-devel
 BuildRequires: desktop-file-utils dbus-glib-devel gtk2-devel libnotify-devel audit-libs-devel libselinux-devel polkit-devel
 BuildRequires: python3-libselinux python3-pydbus python3-gobject gtk3-devel
-Requires: %{name}-server = %{version}-%{release} 
+Requires: %{name}-server = %{version}-%{release}
 Requires: gtk3, libnotify
 Requires: libreport-gtk >= 2.2.1-2, python3-libreport
 Requires: python3-gobject, python3-pydbus