Dan Walsh's Blog

Got SELinux?


setroubleshoot for servers
danwalsh
In Fedora 6 and Red Hat Enterprise Linux 5 we introduced setroubleshoot. This is a tool which listens for AVC audit messages, runs them through a database of plugins looking for a match, and then tries to explain what SELinux has prevented and how to fix the problem or how to react to a potential break-in. It has been fairly successful in explaining what SELinux is doing. Most people that have used setroubleshoot see a bubble window appear in the top toolbar and the "old West Sheriff Star" appear. If you click on the Star, the message appears.

This is great for the Desktop, but what about people using this on servers?

Setroubleshoot can be run without X Windows and without the GUI. setroubleshoot is broken into three different RPMs.

On Fedora 9:

# rpm -qa setroubleshoot\*
setroubleshoot-server-2.0.8-2.fc9.noarch
setroubleshoot-2.0.8-2.fc9.noarch
setroubleshoot-plugins-2.0.4-5.fc9.noarch

On a server-only machine you can install just the server and the plugins. You only need the setroubleshoot package itself if you are using the graphical interface. With the server component installed you will see messages like the following appear in /var/log/messages.

Jul  1 22:03:01 localhost setroubleshoot: SELinux is preventing semodule (staff_t) "read" to ./BackupPC.pp (semanage_store_t). For complete SELinux messages. run sealert -l bca0cd18-5a5b-4cc5-9b08-5f5778439b2c

You can then use sealert to look at any AVC messages you get. sealert also has a neat feature: you can execute 'sealert -l \*' to look at all the alert messages that you have received.
While these messages do not instantly appear on your desktop, you can still use setroubleshoot on a server.
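On a headless box the syslog line above is the only thing you see, so it helps to pull the alert ids and the denied (source type, permission, target type) triples out of /var/log/messages before running sealert on each. The following is an added example, not part of the original post or of setroubleshoot itself; it parses the message format shown above over a constructed log excerpt (the first line is the post's own, the other alert id is a placeholder).

```python
import re
from collections import Counter

# Shape of the syslog line setroubleshoot-server writes; the token after
# "run sealert -l" is the alert id to hand back to sealert.
_ALERT_RE = re.compile(
    r'setroubleshoot: SELinux is preventing (?P<proc>\S+) \((?P<scontext>\w+)\) '
    r'"(?P<action>[^"]+)" to (?P<target>\S+) \((?P<tcontext>\w+)\)\..*'
    r'run sealert -l (?P<alert_id>[0-9a-f-]{36})'
)

def parse_alert(line):
    """Return the fields of one setroubleshoot syslog line, or None for other lines."""
    m = _ALERT_RE.search(line)
    return m.groupdict() if m else None

def summarize(log_text):
    """Unique alert ids (first-seen order) and a count per (source type, action, target type)."""
    ids, counts = [], Counter()
    for line in log_text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        if a["alert_id"] not in ids:
            ids.append(a["alert_id"])
        counts[(a["scontext"], a["action"], a["tcontext"])] += 1
    return ids, counts

def sealert_commands(log_text):
    """The 'sealert -l <id>' command to run for each distinct alert."""
    ids, _ = summarize(log_text)
    return ["sealert -l %s" % i for i in ids]

# Constructed sample log: the line from the post, an unrelated sshd line,
# and a repeated httpd denial whose alert id is a placeholder.
SAMPLE_LOG = """\
Jul  1 22:03:01 localhost setroubleshoot: SELinux is preventing semodule (staff_t) "read" to ./BackupPC.pp (semanage_store_t). For complete SELinux messages. run sealert -l bca0cd18-5a5b-4cc5-9b08-5f5778439b2c
Jul  1 22:03:05 localhost sshd[2310]: Accepted publickey for admin from 192.0.2.10 port 51234 ssh2
Jul  1 22:04:11 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /srv/www/index.html (user_home_t). For complete SELinux messages. run sealert -l 00000000-0000-4000-8000-000000000001
Jul  1 22:04:12 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "getattr" to /srv/www/index.html (user_home_t). For complete SELinux messages. run sealert -l 00000000-0000-4000-8000-000000000001
"""

if __name__ == "__main__":
    ids, counts = summarize(SAMPLE_LOG)
    for cmd in sealert_commands(SAMPLE_LOG):
        print(cmd)
    for (src, act, tgt), n in counts.items():
        print("%d x %s %s %s" % (n, src, act, tgt))
```

Feed it the real file with `summarize(open("/var/log/messages").read())`; repeated denials collapse to one sealert call, and the counts show which domain/type pair is noisiest.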

If you want to receive email whenever SELinux reports a problem, you can configure setroubleshoot-server to send email messages. Edit /var/lib/setroubleshoot/email_alert_recipients and add a line containing your email address. If you only want email the first time an alert fires and not subsequently, add "filter_type=after_first" after the email address.

Partially borrowed from an email message from John Dennis.

setroubleshoot client / server connection

ning_chan

2010-05-24 04:48 pm (UTC)

Hi Dan,
I have two SELinux boxes and both are running setroubleshoot server. Can I centralize the logging?

Thanks~
Ning

Re: setroubleshoot client / server connection

danwalsh

2010-05-24 05:43 pm (UTC)

The best you can do is set up email forwarding. You can read how to do this in /etc/setroubleshoot/setroubleshoot.cfg

Re: setroubleshoot client / server connection

danwalsh

2010-05-24 05:44 pm (UTC)

You can set up auditing to be centralized, but you really want the plugins to run on the host where the AVC was generated.

Re: setroubleshoot client / server connection

ning_chan

2010-05-25 06:13 pm (UTC)

Hi Dan,
Thanks for the quick answer. Another question related to setroubleshoot. My setroubleshoot process is running and so is auditd. But I did not see any sealert message thrown to /var/log/messages when a block was happening. I put setroubleshootd in debug mode and found the following:
2010-05-25 11:52:12,524 [avc.INFO] attempt to open audit socket (/var/run/audit_events) failed, error='No such file or directory'
2010-05-25 11:52:12,525 [avc.WARNING] could not open any audit sockets (/var/run/audispd_events, /var/run/audit_events), retry in 60 seconds
Do you know how I should resolve the problem? I can't find much info online.

Thanks~

Re: setroubleshoot client / server connection

ning_chan

2010-05-25 10:46 pm (UTC)

Hi Dan,
Thanks for looking into the issue. I figured that it has something to do with auditd.conf. Once I used the original conf file, I see sealert messages in the /var/log/messages file now. However, when I copy and paste the sealert file, I see the following:
[root@vm1 log]# sealert -l 06955f89-5bb1-470c-a6f1-5796e8e0c5c1
failed to connect to server: Connection refused

What could cause the connection refused? I disabled the firewall? Leaving the setroubleshoot conf and auditd conf as default.

Thanks~
Ning

Re: setroubleshoot client / server connection

ning_chan

2010-05-25 11:44 pm (UTC)

Hi Dan,
Sorry about this. But I figured it all out. It is iptables, which I thought I had disabled, but apparently it was not.

Thanks for your time again :)
Ning
