Re: setroubleshoot client / server connection

The best you can do is set up email forwarding. You can read how to do this in /etc/setroubleshoot/setroubleshoot.cfg

Re: setroubleshoot client / server connection

You can set up auditing to be centralized, but you really want the plugins to run on the host where the AVC was generated.

Re: setroubleshoot client / server connection

Hi Dan,
Thanks for the quick answer. Another question related to setroubleshoot. My setroubleshoot process is running and so is auditd. But I did not see any sealert message thrown to /var/log/messages when a blocking is happening. I put setroubleshootd in debug mode and found the following:
2010-05-25 11:52:12,524 [avc.INFO] attempt to open audit socket (/var/run/audit_events) failed, error='No such file or directory'
2010-05-25 11:52:12,525 [avc.WARNING] could not open any audit sockets (/var/run/audispd_events, /var/run/audit_events), retry in 60 seconds
Do you know how I should resolve the problem? I can't find much info online.

Thanks~

Re: setroubleshoot client / server connection

Hi Dan,
Thanks for looking into the issue. I figured that it has something to do with the auditd.conf. Once I use the original conf file, I see the sealert message in the /var/log/messages file now. However, when I copy and paste the sealert file, I see the following:
[root@vm1 log]# sealert -l 06955f89-5bb1-470c-a6f1-5796e8e0c5c1
failed to connect to server: Connection refused

What could cause the connection refused? I disable the firewall? Leaving setroubleshoot conf and auditd conf as default.

Thanks~
Ning

Re: setroubleshoot client / server connection

Hi Dan,
Sorry about this. But I figured it all out. It is iptables, which I thought I disabled, but apparently it was not.

Thanks for your time again :)
Ning
