Two issues: first, I've noticed a number of times that selinux is there, which we usually have in permissive, but setroubleshoot is *not* installed. Is there some kind of dependency or group that it should be part of that's missing? I don't see why I need to manually install it....
Second - and I thought I knew the answer to this, but guess I don't - I see AVCs in the log file, but no sealerts - how do I start it up to give me them in messages? I see auditd is running....
mark
On 06/06/2013 02:10 PM, m.roth@5-cent.us wrote:
> Two issues: first, I've noticed a number of times that selinux is there, which we usually have in permissive, but setroubleshoot is *not* installed. Is there some kind of dependency or group that it should be part of that's missing? I don't see why I need to manually install it....
Not sure why it is not installed, which OS?
> Second - and I thought I knew the answer to this, but guess I don't - I see AVCs in the log file, but no sealerts - how do I start it up to give me them in messages? I see auditd is running....
setroubleshoot should run if installed and auditd is running.
> mark
> -- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
m.roth@5-cent.us wrote:
> Two issues: first, I've noticed a number of times that selinux is there, which we usually have in permissive, but setroubleshoot is *not* installed. Is there some kind of dependency or group that it should be part of that's missing? I don't see why I need to manually install it....
> Second - and I thought I knew the answer to this, but guess I don't - I see AVCs in the log file, but no sealerts - how do I start it up to give me them in messages? I see auditd is running....
Point of information: CentOS 6.4, up to date.
Dan, you say that setroubleshoot should run; I did install setroubleshoot-server and setroubleshoot-plugins, and then restarted auditd, yet I've seen some AVCs since then, I think (wish audit.log had timestamps).
mark
On 06/07/2013 11:28 AM, m.roth@5-cent.us wrote:
> m.roth@5-cent.us wrote:
>> Two issues: first, I've noticed a number of times that selinux is there, which we usually have in permissive, but setroubleshoot is *not* installed. Is there some kind of dependency or group that it should be part of that's missing? I don't see why I need to manually install it....
>> Second - and I thought I knew the answer to this, but guess I don't - I see AVCs in the log file, but no sealerts - how do I start it up to give me them in messages? I see auditd is running....
> Point of information: CentOS 6.4, up to date.
> Dan, you say that setroubleshoot should run; I did install setroubleshoot-server and setroubleshoot-plugins, and then restarted auditd, yet I've seen some AVCs since then, I think (wish audit.log had timestamps).
> mark
audit log does have time stamps, but you need to translate using ausearch
ausearch -m avc -i
Should translate everything.
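As an added illustration (not code from the thread or from the audit tooling), a small Python parser that does the same timestamp translation Dan describes: the raw audit.log stores the time as an epoch in the msg=audit(EPOCH.MS:SERIAL) field, which is what ausearch -i renders in human-readable form. The sample lines are constructed, not taken from the poster's system.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in raw audit.log format (not from the thread).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1370610000.123:4567): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev=dm-0 ino=98765 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1370610000.123:4567): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1370697000.456:4600): avc:  denied  { write } for  pid=2345 comm="sshd" path="/var/run/foo" scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file
"""

# The audit() header carries seconds.milliseconds:serial; the rest is key=value pairs.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<epoch>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\): '
    r'avc:\s+(?P<verdict>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc_lines(text):
    """Return one dict per AVC record, with the audit() epoch converted to UTC ISO time.
    Other record types (SYSCALL, PATH, ...) are skipped, as 'ausearch -m avc' would."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        # Epoch seconds -> timezone-aware datetime; UTC keeps the result host-independent.
        ts = datetime.fromtimestamp(int(m['epoch']), tz=timezone.utc)
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m['rest'])}
        records.append({
            'time': ts.isoformat(),
            'serial': int(m['serial']),
            'verdict': m['verdict'],
            'perms': m['perms'].split(),
            'comm': fields.get('comm'),
            'scontext': fields.get('scontext'),
            'tcontext': fields.get('tcontext'),
            'tclass': fields.get('tclass'),
        })
    return records

def latest_avc_time(text):
    """The question asked in the thread: when was the most recent AVC? None if there are none."""
    recs = parse_avc_lines(text)
    return max(r['time'] for r in recs) if recs else None

if __name__ == '__main__':
    for rec in parse_avc_lines(SAMPLE_AUDIT_LOG):
        print(rec['time'], rec['verdict'], rec['perms'], rec['comm'], rec['tclass'])
```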
Daniel J Walsh wrote:
> On 06/07/2013 11:28 AM, m.roth@5-cent.us wrote:
>> m.roth@5-cent.us wrote:
>>> <snip>
>>> Second - and I thought I knew the answer to this, but guess I don't - I see AVCs in the log file, but no sealerts - how do I start it up to give me them in messages? I see auditd is running....
>> Point of information: CentOS 6.4, up to date.
>> Dan, you say that setroubleshoot should run; I did install setroubleshoot-server and setroubleshoot-plugins, and then restarted auditd, yet I've seen some AVCs since then, I think (wish audit.log had timestamps).
> audit log does have time stamps, but you need to translate using ausearch
> ausearch -m avc -i
> Should translate everything.
It does, and thanks - I had no clue about that.
Now it gets more interesting: using that, the last avc in the audit log is from yesterday (Thurs) around 09:20 or so. I restarted auditd after that. Another admin ran fixfiles.... and then, in the logs this morning, our manager noted: Jun 7 08:09:12 <servername> sshd[6133]: pam_selinux(sshd:session): Unable to get valid context for root
in messages, and he rebooted and relabelled, and nothing since. What surprises me is that there was no AVC for that message - in fact, no AVCs since yesterday morning. Should there have been one?
mark