Compare commits
2 Commits
imports/c8
...
c8
| Author | SHA1 | Date |
|---|---|---|
 eabdullin
|
f183b37a77 | |
CentOS Sources
|
3d49331be3 |
|
|
@ -1 +0,0 @@
|
|||
dab49dd85f3d8489fef60d2b94c4931cc9c473ea SOURCES/setroubleshoot-3.3.26.tar.gz
|
||||
|
|
@ -0,0 +1,70 @@
|
|||
From a2102cb35cd45852fc508b2f62400be098050d7a Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Mon, 4 Jul 2022 16:20:30 +0200
|
||||
Subject: [PATCH] Decrease setroubleshootd priority and limit RAM utilization
|
||||
to 1GB
|
||||
|
||||
This should help with system responsiveness in case of large amount of
|
||||
AVCs. The memory limit ensures the process cannot indefinitely hog
|
||||
memory in case it is running continuously. My testing showed normal
|
||||
memory consumption not to exceed 350MB, so 1GB should not limit normal
|
||||
operation.
|
||||
|
||||
Note: Limiting memory using systemd service file was chosen to make it easier
|
||||
for users to adjust the limits.
|
||||
|
||||
Related:
|
||||
https://bugzilla.redhat.com/show_bug.cgi?id=2064727
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
Makefile.am | 3 +++
|
||||
org.fedoraproject.Setroubleshootd.service | 3 ++-
|
||||
setroubleshootd.service | 10 ++++++++++
|
||||
3 files changed, 15 insertions(+), 1 deletion(-)
|
||||
create mode 100644 setroubleshootd.service
|
||||
|
||||
diff --git a/framework/Makefile.am b/framework/Makefile.am
|
||||
index f330b7c..93c6a06 100644
|
||||
--- a/framework/Makefile.am
|
||||
+++ b/framework/Makefile.am
|
||||
@@ -28,6 +28,9 @@ polkit_systemdir = $(datadir)/polkit-1/actions
|
||||
polkit_system_DATA = \
|
||||
org.fedoraproject.setroubleshootfixit.policy
|
||||
|
||||
+systemd_systemunitdir = $(prefix)/lib/systemd/system/
|
||||
+systemd_systemunit_DATA = setroubleshootd.service
|
||||
+
|
||||
autostartdir = $(sysconfdir)/xdg/autostart
|
||||
autostart_DATA = sealertauto.desktop
|
||||
|
||||
diff --git a/framework/org.fedoraproject.Setroubleshootd.service b/framework/org.fedoraproject.Setroubleshootd.service
|
||||
index 05c2c39..2c52499 100644
|
||||
--- a/framework/org.fedoraproject.Setroubleshootd.service
|
||||
+++ b/framework/org.fedoraproject.Setroubleshootd.service
|
||||
@@ -1,4 +1,5 @@
|
||||
[D-BUS Service]
|
||||
Name=org.fedoraproject.Setroubleshootd
|
||||
-Exec=/usr/sbin/setroubleshootd -f
|
||||
+SystemdService=setroubleshootd.service
|
||||
+Exec=/bin/false
|
||||
User=setroubleshoot
|
||||
diff --git a/framework/setroubleshootd.service b/framework/setroubleshootd.service
|
||||
new file mode 100644
|
||||
index 0000000..81c75b1
|
||||
--- /dev/null
|
||||
+++ b/framework/setroubleshootd.service
|
||||
@@ -0,0 +1,10 @@
|
||||
+[Unit]
|
||||
+Description=SETroubleshoot daemon for processing new SELinux denial logs
|
||||
+
|
||||
+[Service]
|
||||
+Type=dbus
|
||||
+BusName=org.fedoraproject.Setroubleshootd
|
||||
+ExecStart=/usr/sbin/setroubleshootd -f
|
||||
+User=setroubleshoot
|
||||
+LimitAS=1G
|
||||
+Nice=5
|
||||
--
|
||||
2.35.3
|
||||
|
||||
|
|
@ -0,0 +1,45 @@
|
|||
From eed06d0f11867c1019fee4fb1a80be775a60d74e Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Mon, 11 Jul 2022 18:20:47 +0200
|
||||
Subject: [PATCH] doc: Document performance related changes
|
||||
|
||||
- Setroubleshootd is now executed using setroubleshootd.service
|
||||
- ^^ is limited to 1GB of RAM and has a lower than normal priority
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
doc/setroubleshootd.8 | 9 +++++++--
|
||||
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/framework/doc/setroubleshootd.8 b/framework/doc/setroubleshootd.8
|
||||
index bed6713..f1f04d8 100644
|
||||
--- a/framework/doc/setroubleshootd.8
|
||||
+++ b/framework/doc/setroubleshootd.8
|
||||
@@ -23,9 +23,14 @@ components, sealert and setroubleshootd.
|
||||
setroubleshootd is a system daemon which runs under setroubleshoot user and
|
||||
listens for audit events emitted from the kernel related to SELinux. When the
|
||||
setroubleshootd daemon sees an SELinux AVC denial it runs a series of analysis
|
||||
-plugins which examines the audit data related to the AVC. It records the
|
||||
+plugins which examine the audit data related to the AVC. It records the
|
||||
results of the analysis and signals any clients which have attached to the
|
||||
setroubleshootd daemon that a new alert has been seen.
|
||||
+.P
|
||||
+setroubleshootd is not persistent and only runs when there are new AVCs to be
|
||||
+analyzed. It is executed using setroubleshootd.service, which also limits its
|
||||
+priority and maximum RAM utilization to 1GB, in order to help with system
|
||||
+responsiveness in case of large amounts of AVCs.
|
||||
|
||||
.SH "OPTIONS"
|
||||
.TP
|
||||
@@ -33,7 +38,7 @@ setroubleshootd daemon that a new alert has been seen.
|
||||
Do not fork the daemon
|
||||
.TP
|
||||
.B \-d \-\-debug
|
||||
-Do not exit after 10 seconds
|
||||
+Do not exit after 10 seconds of inactivity
|
||||
.TP
|
||||
.B \-h \-\-help
|
||||
Show this message
|
||||
--
|
||||
2.35.3
|
||||
|
||||
|
|
@ -0,0 +1,56 @@
|
|||
From 2fbc58c26359989894dfb54daaca2ff4b537f4fe Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||
Date: Fri, 22 Apr 2022 16:27:30 +0200
|
||||
Subject: [PATCH] setroubleshoot/server: shutdown RunFaultServer nicely
|
||||
|
||||
systemd[1]: dbus-:1.2-org.fedoraproject.Setroubleshootd@2.service: Main process exited, code=killed, status=14/ALRM
|
||||
systemd[1]: dbus-:1.2-org.fedoraproject.Setroubleshootd@2.service: Failed with result 'signal'.
|
||||
audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=dbus-:1.2-org.fedoraproject.Setroubleshootd@2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
|
||||
---
|
||||
src/setroubleshoot/server.py | 14 +++++++++++---
|
||||
1 file changed, 11 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/framework/src/setroubleshoot/server.py b/framework/src/setroubleshoot/server.py
|
||||
index 10ef215..8f16993 100755
|
||||
--- a/framework/src/setroubleshoot/server.py
|
||||
+++ b/framework/src/setroubleshoot/server.py
|
||||
@@ -733,9 +733,17 @@ def goodbye(database):
|
||||
audit2why.finish()
|
||||
|
||||
|
||||
+main_loop = GLib.MainLoop()
|
||||
+
|
||||
+
|
||||
+def alarm_handler(signum, frame):
|
||||
+ log_debug("SIGALRM raised in RunFaultServer")
|
||||
+ main_loop.quit()
|
||||
+
|
||||
+
|
||||
def RunFaultServer(timeout=10):
|
||||
signal.alarm(timeout)
|
||||
- sigalrm_handler = signal.signal(signal.SIGALRM, polling_failed_handler)
|
||||
+ signal.signal(signal.SIGALRM, polling_failed_handler)
|
||||
# polling for /sys/fs/selinux/policy file
|
||||
while True:
|
||||
try:
|
||||
@@ -760,7 +768,7 @@ def RunFaultServer(timeout=10):
|
||||
|
||||
global host_database, analysis_queue, email_recipients
|
||||
|
||||
- signal.signal(signal.SIGALRM, sigalrm_handler)
|
||||
+ signal.signal(signal.SIGALRM, alarm_handler)
|
||||
signal.signal(signal.SIGHUP, sighandler)
|
||||
|
||||
#interface_registry.dump_interfaces()
|
||||
@@ -856,7 +864,7 @@ def RunFaultServer(timeout=10):
|
||||
|
||||
dbus.glib.init_threads()
|
||||
setroubleshootd_dbus = SetroubleshootdDBus(analysis_queue, alert_receiver, timeout)
|
||||
- main_loop = GLib.MainLoop()
|
||||
+
|
||||
main_loop.run()
|
||||
|
||||
except KeyboardInterrupt as e:
|
||||
--
|
||||
2.35.3
|
||||
|
||||
|
|
@ -0,0 +1,48 @@
|
|||
From 9e2753d241bf0bccaf0b05984e7562a2ac2a70e6 Mon Sep 17 00:00:00 2001
|
||||
From: Vit Mojzis <vmojzis@redhat.com>
|
||||
Date: Thu, 24 Aug 2023 19:02:24 +0200
|
||||
Subject: [PATCH] Check that SELinux is enabled before running
|
||||
|
||||
Setroubleshootd will fail to run when selinux is disabled. Check that
|
||||
SELinux is enabled in setroubleshootd service file and in sealert (so
|
||||
that it does not wait for setroubleshootd to start).
|
||||
|
||||
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2178950
|
||||
|
||||
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||
---
|
||||
setroubleshootd.service | 1 +
|
||||
src/sealert | 6 ++++++
|
||||
2 files changed, 7 insertions(+)
|
||||
|
||||
diff --git a/framework/setroubleshootd.service b/framework/setroubleshootd.service
|
||||
index 81c75b1..7fc2ffb 100644
|
||||
--- a/framework/setroubleshootd.service
|
||||
+++ b/framework/setroubleshootd.service
|
||||
@@ -1,5 +1,6 @@
|
||||
[Unit]
|
||||
Description=SETroubleshoot daemon for processing new SELinux denial logs
|
||||
+ConditionSecurity=selinux
|
||||
|
||||
[Service]
|
||||
Type=dbus
|
||||
diff --git a/framework/src/sealert b/framework/src/sealert
|
||||
index 2663a21..5ce6463 100755
|
||||
--- a/framework/src/sealert
|
||||
+++ b/framework/src/sealert
|
||||
@@ -576,6 +576,12 @@ if __name__ == '__main__':
|
||||
setup_sighandlers()
|
||||
log_debug("main() args=%s" % sys.argv)
|
||||
|
||||
+ # Exit if selinux is disabled - setroubleshootd cannot start
|
||||
+ if not selinux.is_selinux_enabled():
|
||||
+ log_debug("SELinux not enabled, sealert will not run on non SELinux systems")
|
||||
+ print("SELinux not enabled, sealert will not run on non SELinux systems", file=sys.stderr)
|
||||
+ sys.exit(3)
|
||||
+
|
||||
def validate_invocation_style(opt, opts_instance, conflict_opts):
|
||||
global invocation_style
|
||||
conflict_opts.remove(opt)
|
||||
--
|
||||
2.41.0
|
||||
|
||||
|
|
@ -1,12 +1,12 @@
|
|||
Summary: Helps troubleshoot SELinux problems
|
||||
Name: setroubleshoot
|
||||
Version: 3.3.26
|
||||
Release: 3%{?dist}
|
||||
Release: 6%{?dist}
|
||||
License: GPLv2+
|
||||
URL: https://gitlab.com/setroubleshoot/framework
|
||||
Source0: https://releases.pagure.org/setroubleshoot/%{name}-%{version}.tar.gz
|
||||
Source1: %{name}.tmpfiles
|
||||
# git format-patch --src-prefix=a/framework/ --dst-prefix=b/framework/ -N setroubleshoot-3.3.26 -- . ':!doc/developers_guide.wiki' ':!test/README.testing'
|
||||
# git format-patch --src-prefix=a/framework/ --dst-prefix=b/framework/ -N setroubleshoot-3.3.26 -- . ':!doc/developers_guide.wiki' ':!test/README.testing' ':!.gitlab-ci.yml'
|
||||
# i=1; for j in 00*patch; do printf "Patch%04d: %s\n" $i $j; i=$((i+1));done
|
||||
Patch0001: 0001-Stop-SetroubleshootFixit-after-10-seconds-of-inactiv.patch
|
||||
Patch0002: 0002-Do-not-use-Python-slip-package.patch
|
||||
|
|
@ -14,6 +14,10 @@ Patch0003: 0003-Fix-typos-in-help-man-pages-and-developer-s-guide.patch
|
|||
Patch0004: 0004-Revert-Replace-pydbus-with-dasbus.patch
|
||||
Patch0005: 0005-Improve-after_first-email-filter-behavior.patch
|
||||
Patch0006: 0006-Update-translations.patch
|
||||
Patch0007: 0007-Decrease-setroubleshootd-priority-and-limit-RAM-util.patch
|
||||
Patch0008: 0008-doc-Document-performance-related-changes.patch
|
||||
Patch0009: 0009-setroubleshoot-server-shutdown-RunFaultServer-nicely.patch
|
||||
Patch0010: 0010-Check-that-SELinux-is-enabled-before-running.patch
|
||||
BuildRequires: gcc
|
||||
BuildRequires: make
|
||||
BuildRequires: libcap-ng-devel
|
||||
|
|
@ -88,11 +92,13 @@ install -m644 -D %{SOURCE1} $RPM_BUILD_ROOT%{_tmpfilesdir}/%{name}.conf
|
|||
pathfix.py -i "%{__python3} -Es" -p \
|
||||
%{buildroot}%{_sbindir}/setroubleshootd \
|
||||
%{buildroot}%{_bindir}/{sealert,seapplet} \
|
||||
%{buildroot}/usr/share/setroubleshoot/SetroubleshootFixit.py
|
||||
%{buildroot}/usr/share/setroubleshoot/SetroubleshootFixit.py \
|
||||
%{buildroot}/usr/share/setroubleshoot/SetroubleshootPrivileged.py
|
||||
rm \
|
||||
%{buildroot}%{_sbindir}/setroubleshootd~ \
|
||||
%{buildroot}%{_bindir}/{sealert,seapplet}~ \
|
||||
%{buildroot}/usr/share/setroubleshoot/SetroubleshootFixit.py~
|
||||
%{buildroot}/usr/share/setroubleshoot/SetroubleshootFixit.py~ \
|
||||
%{buildroot}/usr/share/setroubleshoot/SetroubleshootPrivileged.py~
|
||||
|
||||
%find_lang %{name}
|
||||
|
||||
|
|
@ -108,6 +114,7 @@ Requires: libselinux-python3 >= 2.1.5-1
|
|||
Requires: policycoreutils-python-utils
|
||||
BuildRequires: intltool gettext python3
|
||||
BuildRequires: python3-devel
|
||||
BuildRequires: systemd
|
||||
Requires: systemd-python3 >= 206-1
|
||||
Requires: python3-gobject >= 3.11
|
||||
Requires: dbus
|
||||
|
|
@ -198,11 +205,23 @@ chown -R setroubleshoot:setroubleshoot %{pkgvardatadir}
|
|||
%{_datadir}/polkit-1/actions/org.fedoraproject.setroubleshootfixit.policy
|
||||
%config(noreplace) %{_sysconfdir}/dbus-1/system.d/org.fedoraproject.SetroubleshootFixit.conf
|
||||
%{_datadir}/dbus-1/system-services/org.fedoraproject.SetroubleshootFixit.service
|
||||
%{_unitdir}/setroubleshootd.service
|
||||
%attr(0644,root,root) %{_tmpfilesdir}/%{name}.conf
|
||||
%attr(0711,setroubleshoot,setroubleshoot) %dir %{_rundir}/setroubleshoot
|
||||
%doc AUTHORS COPYING ChangeLog DBUS.md NEWS README TODO
|
||||
|
||||
%changelog
|
||||
* Thu Aug 24 2023 Vit Mojzis <vmojzis@redhat.com> - 3.3.26-6
|
||||
- Fix shebang of SetroubleshootPrivileged.py (#2231023)
|
||||
- Check that SELinux is enabled before running (#2178950)
|
||||
|
||||
* Mon Aug 22 2022 Vit Mojzis <vmojzis@redhat.com> - 3.3.26-5
|
||||
- Shutdown RunFaultServer nicely (#2119001)
|
||||
|
||||
* Wed Jul 13 2022 Vit Mojzis <vmojzis@redhat.com> - 3.3.26-4
|
||||
- Decrease setroubleshootd priority and limit RAM utilization to 1GB (#2064727)
|
||||
- doc: Document performance related changes
|
||||
|
||||
* Fri Feb 25 2022 Vit Mojzis <vmojzis@redhat.com> - 3.3.26-3
|
||||
- Update translations (#2017299)
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue