![[info]](http://l-stat.livejournal.com/img/userinfo.gif?v=91.6){kind=small}
This is great for the Desktop, but what about people using this on servers?
Setroubleshoot can be run without X windows and without the GUI. setroubleshoot is broken into three different RPMS.
On Fedora 9:
# rpm -qa setroubleshoot\*
setroubleshoot-server-2.0.8-2.fc9.noarch
setroubleshoot-2.0.8-2.fc9.noarch
setroubleshoot-plugins-2.0.4-5.fc9.noarc
On a server only machine you can install just the server and the plugins. You only need setroubleshoot if you are using the graphical interfaces. With the server component installed you will see messages like the following appear in /var/log/messages.
Jul 1 22:03:01 localhost setroubleshoot: SELinux is preventing semodule (staff_t) "read" to ./BackupPC.pp (semanage_store_t). For complete SELinux messages. run sealert -l bca0cd18-5a5b-4cc5-9b08-5f5778439b2c
You can then use sealert to look at any AVC messages you get. sealert also has a neat feature, that you can execute 'sealert -l \*' to look at all the alert messages that you received.
While these messages do not instantly appear on you desktop, you can still use setroubleshoot on a server.
If you want to receive email whenever SELinux reports a problem, you can configure setroubleshoot-server to send email messages. Edit /var/lib/setroubleshoot/email_alert_reci
Partially borrowed from an Email message from John Dennis.
setroubleshoot client / server connection
2010-05-24 04:48 pm (UTC)
I have two selinux boxes and bot are running setroubleshoot server. Can I centralized the logging?
Thanks~
Ning
Re: setroubleshoot client / server connection
2010-05-24 05:43 pm (UTC)
Re: setroubleshoot client / server connection
2010-05-24 05:44 pm (UTC)
Re: setroubleshoot client / server connection
2010-05-25 06:13 pm (UTC)
Thanks for the quick answer. Another question related to setrobuleshoot. My setroubleshoot process is running and so does the auditd. But I did not see any sealert message throw to the /var/log/message when a blocking is happening. I put the setroubleshootd to debug mode and find the following:
2010-05-25 11:52:12,524 [avc.INFO] attempt to open audit socket (/var/run/audit_events) failed, error='No such file or directory'
2010-05-25 11:52:12,525 [avc.WARNING] could not open any audit sockets (/var/run/audispd_events, /var/run/audit_events), retry in 60 seconds
Do you know how I should resolve the problem? I can't find much info online.
Thanks~
Re: setroubleshoot client / server connection
2010-05-25 10:46 pm (UTC)
Thanks for looking into the issue. I figured that there is something to do with the auditd.conf. Once i use the original conf file, I see sealert message in the /var/log/messages file now. However, when i copy and paste the sealert file, I see the following:
[root@vm1 log]# sealert -l 06955f89-5bb1-470c-a6f1-5796e8e0c5c1
failed to connect to server: Connection refused
What could cause the connection refused? I disable the firewall? Leaving setroubleshoot conf and auditd conf as default.
Thanks~
Ning
Re: setroubleshoot client / server connection
2010-05-25 11:44 pm (UTC)
sorry about this. But I figured all out. It is iptables, which I thought i disabled it, but apparently it did not.
Thanks for ur time again :)
Ning