ce0b7236a0
Previously the alarm was reset only in main DBUS thread and only when a new AVC
appeared. In cases when there were several AVC messages in short time, analyses
could take more than a default timeout and later analyses were not saved to
the database. Now we cancel pending timeouts before analyze_avc() and reset the
timeout back to default when it's done.
Fixes:
$ journalctl | grep 'sealert -l'
setroubleshoot[314039]: SELinux is preventing bash from search access on the directory .local. For complete SELinux messages run: sealert -l ccf3307a-f4ab-4584-87c6-63884daf841a
$ sealert -l ccf3307a-f4ab-4584-87c6-63884daf841a
Error
query_alerts error (1003): id (ccf3307a-f4ab-4584-87c6-63884daf841a) not found
81 lines
3.2 KiB
Diff
81 lines
3.2 KiB
Diff
From dbf63d5f6f9d9152fa2b9e7eafb4d31a2d482d21 Mon Sep 17 00:00:00 2001
|
|
From: Petr Lautrbach <plautrba@redhat.com>
|
|
Date: Wed, 27 May 2020 11:15:38 +0200
|
|
Subject: [PATCH] framework: Cancel pending alarm during AVC analyses
|
|
|
|
Previously the alarm was reset only in main DBUS thread and only when a new AVC
|
|
appeared. In cases when there were several AVC messages in short time, analyses
|
|
could take more than a default timeout and later analyses were not saved to
|
|
the database. Now we cancel pending timeouts before analyze_avc() and reset the
|
|
timeout back to default when it's done.
|
|
|
|
Fixes:
|
|
$ journalctl | grep 'sealert -l'
|
|
setroubleshoot[314039]: SELinux is preventing bash from search access on the directory .local. For complete SELinux messages run: sealert -l ccf3307a-f4ab-4584-87c6-63884daf841a
|
|
|
|
$ sealert -l ccf3307a-f4ab-4584-87c6-63884daf841a
|
|
Error
|
|
query_alerts error (1003): id (ccf3307a-f4ab-4584-87c6-63884daf841a) not found
|
|
---
|
|
framework/src/setroubleshoot/analyze.py | 8 +++++++-
|
|
framework/src/setroubleshoot/server.py | 2 +-
|
|
2 files changed, 8 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/framework/src/setroubleshoot/analyze.py b/framework/src/setroubleshoot/analyze.py
|
|
index 43b2484be353..9ff12886fd32 100644
|
|
--- a/framework/src/setroubleshoot/analyze.py
|
|
+++ b/framework/src/setroubleshoot/analyze.py
|
|
@@ -31,6 +31,7 @@ __all__ = ['AnalyzeThread',
|
|
import syslog
|
|
from gi.repository import GObject, GLib
|
|
import os
|
|
+import signal
|
|
import time
|
|
import threading
|
|
import traceback
|
|
@@ -225,22 +226,27 @@ class Analyze(object):
|
|
|
|
class AnalyzeThread(Analyze, threading.Thread):
|
|
|
|
- def __init__(self, queue):
|
|
+ def __init__(self, queue, timeout=10):
|
|
# parent class constructors
|
|
threading.Thread.__init__(self)
|
|
Analyze.__init__(self)
|
|
|
|
self.queue = queue
|
|
+ self.timeout = timeout
|
|
|
|
def run(self):
|
|
while True:
|
|
try:
|
|
avc, report_receiver = self.queue.get()
|
|
+ syslog.syslog(syslog.LOG_DEBUG, "AnalyzeThread.run(): Cancel pending alarm")
|
|
+ signal.alarm(0)
|
|
self.analyze_avc(avc, report_receiver)
|
|
except Exception as e:
|
|
syslog.syslog(syslog.LOG_ERR, "Exception during AVC analysis: %s" % e)
|
|
except ValueError as e:
|
|
syslog.syslog(syslog.LOG_ERR, "Exception during AVC analysis: %s" % e)
|
|
+ syslog.syslog(syslog.LOG_DEBUG, "AnalyzeThread.run(): Set alarm timeout to {}".format(self.timeout))
|
|
+ signal.alarm(self.timeout)
|
|
|
|
#------------------------------------------------------------------------------
|
|
|
|
diff --git a/framework/src/setroubleshoot/server.py b/framework/src/setroubleshoot/server.py
|
|
index 9f25a480fc01..167e58634db5 100755
|
|
--- a/framework/src/setroubleshoot/server.py
|
|
+++ b/framework/src/setroubleshoot/server.py
|
|
@@ -810,7 +810,7 @@ def RunFaultServer(timeout=10):
|
|
# results of the analysis are to go) are included in the queued
|
|
# object along with the data to analyze.
|
|
|
|
- analyze_thread = AnalyzeThread(analysis_queue)
|
|
+ analyze_thread = AnalyzeThread(analysis_queue, timeout)
|
|
analyze_thread.setDaemon(True)
|
|
analyze_thread.start()
|
|
|
|
--
|
|
2.26.2
|
|
|