I have marked some recurring alerts as "ignore" in sealert browser. There have been some recent policy updates and I want to now receive alerts for those alerts to see if they were fixed in the update.
I have read the man pages for sealert and setroubleshootd and cannot find any reference to a command or an edit to be able to stop ignoring an alert.
Is there such a command? Do I have to edit a file? If so, which one?
Thanks, John
On Sat, May 26, 2018 at 09:26:22PM -0000, John Griffiths wrote:
> I have marked some recurring alerts as "ignore" in sealert browser. There have been some recent policy updates and I want to now receive alerts for those alerts to see if they were fixed in the update.
> I have read the man pages for sealert and setroubleshootd and cannot find any reference to a command or an edit to be able to stop ignoring an alert.
> Is there such a command? Do I have to edit a file? If so, which one?
You can run sealert browser (`sealert` from command line, `SELinux Troubleshooter` from desktop ui) and go through the list of problems. When you find the one you want to un-ignore, hit `Notify` button or delete the problem.
Petr
That brings up the browser just fine, but there is not a list of alerts. It says, "No alerts."
If the alert is ignored, it does not show in the browser as far as I know.
What I am looking for is a way to display alerts that have been ignored and no longer display in the browser by default. Is there an option for that? The sealert --help shows none that are obvious.
If the installation of a new policy wipes the ignore data, then that is fine and eventually solves my issue. If it doesn't, then my question remains.
Thanks, John
On 05/28/2018 10:06 AM, Petr Lautrbach wrote:
> On Sat, May 26, 2018 at 09:26:22PM -0000, John Griffiths wrote:
>> I have marked some recurring alerts as "ignore" in sealert browser. There have been some recent policy updates and I want to now receive alerts for those alerts to see if they were fixed in the update.
>> I have read the man pages for sealert and setroubleshootd and cannot find any reference to a command or an edit to be able to stop ignoring an alert.
>> Is there such a command? Do I have to edit a file? If so, which one?
> You can run sealert browser (`sealert` from command line, `SELinux Troubleshooter` from desktop ui) and go through the list of problems. When you find the one you want to un-ignore, hit `Notify` button or delete the problem.
> Petr
Is it Fedora? CentOS? Which version of setroubleshoot?
On Mon, May 28, 2018 at 11:07:39AM -0400, John Griffiths wrote:
> That brings up the browser just fine, but there is not a list of alerts. It says, "No alerts."
> If the alert is ignored, it does not show in the browser as far as I know.
The browser should show the same list of alerts as the following command:
$ sealert -l '*'
It's a list of all stored alerts.
If an alert is ignored, setroubleshootd server doesn't send DBUS signal with the alert and therefore seapplet doesn't show a notification. But when you open sealert browser, the alert should be there.
There's another button `List All Alerts` where you can list all alerts and see their statuses and how many times they occurred.
If you have 'No Alerts' then you might be just lucky.
You can try to generate an alert to check if it works correctly. Something like:
$ sudo runcon system_u:system_r:httpd_t:s0 bash -c 'hostname'
Thanks for the reply. My responses are inline.
John
On 05/28/2018 12:12 PM, Petr Lautrbach wrote:
> Is it Fedora? CentOS? Which version of setroubleshoot?
Fedora 28. setroubleshoot-3.3.17-1.fc28.x86_64
> On Mon, May 28, 2018 at 11:07:39AM -0400, John Griffiths wrote:
>> That brings up the browser just fine, but there is not a list of alerts. It says, "No alerts."
>> If the alert is ignored, it does not show in the browser as far as I know.
> The browser should show the same list of alerts as the following command:
> $ sealert -l '*'
> It's a list of all stored alerts.
> If an alert is ignored, setroubleshootd server doesn't send DBUS signal with the alert and therefore seapplet doesn't show a notification. But when you open sealert browser, the alert should be there.
> There's another button `List All Alerts` where you can list all alerts and see their statuses and how many times they occurred.
I guess somehow the alerts I ignored got cleared from the database, because when I run sealert -l '*' I get nothing.
There is no button 'List All Alerts' shown in the version of sealert I have.
> If you have 'No Alerts' then you might be just lucky.
Guess I am lucky.
> You can try to generate an alert to check if it works correctly. Something like:
> $ sudo runcon system_u:system_r:httpd_t:s0 bash -c 'hostname'
selinux@lists.fedoraproject.org