Previously the alarm was reset only in the main DBUS thread and only when a new
AVC appeared. In cases when there were several AVC messages in a short time,
analyses could take more than the default timeout and later analyses were not
saved to the database. Now we cancel pending timeouts before analyze_avc() and
reset the timeout back to default when it's done.
Fixes:
$ journalctl | grep 'sealert -l'
setroubleshoot[314039]: SELinux is preventing bash from search access on the directory .local. For complete SELinux messages run: sealert -l ccf3307a-f4ab-4584-87c6-63884daf841a
$ sealert -l ccf3307a-f4ab-4584-87c6-63884daf841a
Error
query_alerts error (1003): id (ccf3307a-f4ab-4584-87c6-63884daf841a) not found
Policy packages to be used in the test are specified using the
TEST_PACKAGES variable in the Makefile. A corresponding avc_<package_name>
file has to exist for each such package.
avc_<package_name> files contain AVCs with the "scontext" domain defined
in the policy module installed by the <package_name> RPM. The test verifies
that setroubleshoot is able to properly identify the source package.
- browser: Check return value of Gdk.Screen().get_default()
- Improve and unify error messages
- setroubleshoot.util: Catch exceptions from sepolicy import
- Add dpkg support
- Do not refer to hardcoded selinux-policy rpm in signature
- Make date/time format locale specific
- Improve speed of plugin evaluation
short.log exposes a problem with Plugin Exception in the catchall_labels plugin
Covers "'generator' object is not subscriptable" in sealert output:
$ sealert -a ./short.log
100% done'generator' object is not subscriptable
100% done
found 2 alerts in ./short.log
...
- when first grep fails print journal as well
- check for setroubleshoot-server instead of setroubleshoot
- improve grep assert to match "passwd" and "/usr/bin/passwd"
This test should cover cases when setroubleshoot reports "Plugin Exception"
during analyses, see https://bugzilla.redhat.com/show_bug.cgi?id=1784564
Example log with the reported problem:
setroubleshoot[834]: Plugin Exception catchall_labels
setroubleshoot[834]: Plugin Exception file
setroubleshoot[834]: Plugin Exception openvpn
- Update "missing" scripts to automake-1.15
- Add active polling for acquiring policy file
- Fix translation of hex values in AVCs
- require initscripts to ensure that "service" call works properly
- Add man page for seapplet
- setroubleshoot-server: only require gobject-base
When only the server is being installed, there is no need for the
cairo portions of gobject. This change avoids pulling in the X11
stack.
Signed-off-by: Stephen Gallagher <sgallagh@redhat.com>
When setroubleshoot sedispatch is installed or updated, auditd needs to be
reloaded so that it runs the newly installed plugin. Since auditd needs to know
who reloaded it, `systemctl` can't be used. We need to use the `service` script.
This fixes the problem when setroubleshoot is installed, but it doesn't collect
AVC denial messages until the machine is rebooted.
The /com/redhat/setroubleshootd interface has not been used for years,
therefore we can drop it.