What Happened to setroubleshoot?
Setroubleshoot is alive and well. I have seen blogs mentioning that we have disabled it in order to speed up booting. This is bogus.
If you read my blog regularly you might have read:
We have had complaints about the supposedly huge amount of data used by setroubleshoot and sealert because they are Python apps. James Antill debunks a lot of this in his blog http://illiterat.livejournal.com/4615.html.
As of Fedora 11, Setroubleshoot no longer runs as a service.
But it was still thought that we could do better. There is also an effort to get rid of as many init daemons as possible to improve the speed of boot.
So the question is: why run setroubleshoot when there are NO AVCs to analyze? The answer is that we should not.
So I went in and wrote two little C programs, sedispatch and seapplet.
sedispatch runs from the audit subsystem; when it sees an AVC it packages it up into a D-Bus system message. The D-Bus system sends the message to setroubleshoot if it is running, and starts setroubleshoot if it is not.
setroubleshoot processes the message and sends a D-Bus signal to any user-space app listening for a setroubleshoot message. If setroubleshoot does not receive any AVC messages and is not connected to a user client app (sealert), it will exit.
seapplet is a simple applet tool that runs in the user's toolbar waiting for setroubleshoot to send a D-Bus message, and then puts up the yellow star and a notification bubble. If the user clicks on the star, seapplet launches sealert to communicate with setroubleshoot and display the AVC analysis data.
If the user starts sealert from the menu bar, it sends a D-Bus message to setroubleshoot to begin communications; D-Bus will start the server in this case. When the user exits the sealert browser, sealert and setroubleshoot will stop running (setroubleshoot exits again after 10 seconds without an AVC).
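As an added illustration (not code from setroubleshoot, sedispatch or seapplet), here is a small Python model of the flow above: it parses the AVC records that sedispatch receives from the audit subsystem into the fields that would be packaged into the D-Bus message, and models setroubleshoot's exit rule (no AVCs for 10 seconds and no attached sealert client). The audit lines, the regular expressions and the class and function names are constructed for this example.

```python
import re
from typing import Optional

# Constructed sample audit records in the shape sedispatch would see (not real denials).
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1250000000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=99 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1250000000.123:45): arch=c000003e syscall=2 success=no exit=-13',
    'type=AVC msg=audit(1250000007.500:46): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
]

AVC_RE = re.compile(r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line: str) -> Optional[dict]:
    """Return the fields a dispatcher would package for setroubleshoot, or None for non-AVC records."""
    m = AVC_RE.match(line)
    if not m:
        return None
    msg = {"timestamp": float(m["ts"]), "serial": int(m["serial"]), "result": m["result"], "perms": m["perms"].split()}
    for k, v in KV_RE.findall(m["rest"]):
        msg[k] = v.strip('"')  # comm="httpd" -> httpd; scontext stays a bare context string
    return msg

class IdleExitServer:
    """Models setroubleshoot's lifetime: it stays up while AVCs arrive or a client (sealert)
    is attached, and exits after IDLE_SECONDS with neither (10 s per the post)."""
    IDLE_SECONDS = 10.0

    def __init__(self, now: float):
        self.last_activity = now
        self.client_attached = False
        self.handled = []  # messages that would be analyzed and signalled to seapplet/sealert

    def on_avc(self, msg: dict, now: float) -> None:
        self.handled.append(msg)
        self.last_activity = now

    def should_exit(self, now: float) -> bool:
        return not self.client_attached and (now - self.last_activity) >= self.IDLE_SECONDS

def run_dispatch(lines, start: float) -> IdleExitServer:
    """Feed audit records through the dispatcher; only AVC records reach the server."""
    server = IdleExitServer(start)
    for line in lines:
        msg = parse_avc(line)
        if msg is None:
            continue  # SYSCALL and other record types are not forwarded
        server.on_avc(msg, msg["timestamp"])
    return server
```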
Stay tuned: in Fedora 12 we will be releasing a major redesign of the sealert GUI, adding key features like filing Bugzilla reports with a single button press, a Fix It button for certain troubleshoot plug-ins, a cleaned-up browser view (hiding lots of data that makes setroubleshoot hard to read), and diagnosing definite cracker break-ins via the browser.
A lot of this is available in Rawhide now.