commit
b0f56ab3de
@ -0,0 +1 @@
|
|||||||
|
SOURCES/setroubleshoot-3.3.26.tar.gz
|
@ -0,0 +1 @@
|
|||||||
|
dab49dd85f3d8489fef60d2b94c4931cc9c473ea SOURCES/setroubleshoot-3.3.26.tar.gz
|
@ -0,0 +1,45 @@
|
|||||||
|
From 78840f4e0bd41d3ba1b3c90b909e6c2cf7ef4ea7 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
|
Date: Wed, 14 Apr 2021 17:03:39 +0200
|
||||||
|
Subject: [PATCH] Stop SetroubleshootFixit after 10 seconds of inactivity
|
||||||
|
|
||||||
|
---
|
||||||
|
src/SetroubleshootFixit.py | 9 +++++++++
|
||||||
|
1 file changed, 9 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/framework/src/SetroubleshootFixit.py b/framework/src/SetroubleshootFixit.py
|
||||||
|
index 15c6cab..f7cbf95 100644
|
||||||
|
--- a/framework/src/SetroubleshootFixit.py
|
||||||
|
+++ b/framework/src/SetroubleshootFixit.py
|
||||||
|
@@ -7,6 +7,7 @@ from gi.repository import GLib
|
||||||
|
import slip.dbus.service
|
||||||
|
from slip.dbus import polkit
|
||||||
|
import os
|
||||||
|
+import signal
|
||||||
|
|
||||||
|
|
||||||
|
class RunFix(slip.dbus.service.Object):
|
||||||
|
@@ -14,12 +15,20 @@ class RunFix(slip.dbus.service.Object):
|
||||||
|
|
||||||
|
def __init__(self, *p, **k):
|
||||||
|
super(RunFix, self).__init__(*p, **k)
|
||||||
|
+ self.timeout = 10
|
||||||
|
+ self.alarm(self.timeout)
|
||||||
|
+
|
||||||
|
+ def alarm(self, timeout=10):
|
||||||
|
+ signal.alarm(timeout)
|
||||||
|
+
|
||||||
|
|
||||||
|
@dbus.service.method("org.fedoraproject.SetroubleshootFixit", in_signature='ss', out_signature='s')
|
||||||
|
def run_fix(self, local_id, analysis_id):
|
||||||
|
import subprocess
|
||||||
|
+ self.alarm(0)
|
||||||
|
command = ["sealert", "-f", local_id, "-P", analysis_id]
|
||||||
|
return subprocess.check_output(command, universal_newlines=True)
|
||||||
|
+ self.alarm(self.timeout)
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
mainloop = GLib.MainLoop()
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
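Review bot: In run_fix the added `self.alarm(self.timeout)` comes after the `return subprocess.check_output(...)` line, so as far as this rendering shows (indentation is not preserved) it can never run. With this patch alone, the first call cancels the idle timer through `self.alarm(0)` and the service then stays resident. The following patch in this commit moves the return below the re-arm, so the two should always be applied together. Separately, no SIGALRM handler is visible in these hunks, so the timeout would end the process through the signal's default action. Installing one in the `__main__` block, for example `signal.signal(signal.SIGALRM, lambda signum, frame: mainloop.quit())`, would give an orderly exit; that block continues outside the hunk.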
@ -0,0 +1,103 @@
|
|||||||
|
From e9def2b8b0098842d0223d0951f41e2106821a88 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
|
Date: Wed, 14 Apr 2021 17:04:59 +0200
|
||||||
|
Subject: [PATCH] Do not use Python slip package
|
||||||
|
|
||||||
|
It's not maintained anymore and it allows us to drop dependency on
|
||||||
|
Python slip package
|
||||||
|
|
||||||
|
Use DBUS polkit interface instead -
|
||||||
|
https://www.freedesktop.org/software/polkit/docs/latest/eggdbus-interface-org.freedesktop.PolicyKit1.Authority.html
|
||||||
|
---
|
||||||
|
src/SetroubleshootFixit.py | 35 +++++++++++++++++++++++++----------
|
||||||
|
src/setroubleshoot/browser.py | 3 ---
|
||||||
|
2 files changed, 25 insertions(+), 13 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/framework/src/SetroubleshootFixit.py b/framework/src/SetroubleshootFixit.py
|
||||||
|
index f7cbf95..ab0ad2b 100644
|
||||||
|
--- a/framework/src/SetroubleshootFixit.py
|
||||||
|
+++ b/framework/src/SetroubleshootFixit.py
|
||||||
|
@@ -4,13 +4,11 @@ import dbus
|
||||||
|
import dbus.service
|
||||||
|
import dbus.mainloop.glib
|
||||||
|
from gi.repository import GLib
|
||||||
|
-import slip.dbus.service
|
||||||
|
-from slip.dbus import polkit
|
||||||
|
import os
|
||||||
|
import signal
|
||||||
|
+import subprocess
|
||||||
|
|
||||||
|
-
|
||||||
|
-class RunFix(slip.dbus.service.Object):
|
||||||
|
+class RunFix(dbus.service.Object):
|
||||||
|
default_polkit_auth_required = "org.fedoraproject.setroubleshootfixit.write"
|
||||||
|
|
||||||
|
def __init__(self, *p, **k):
|
||||||
|
@@ -21,14 +19,32 @@ class RunFix(slip.dbus.service.Object):
|
||||||
|
def alarm(self, timeout=10):
|
||||||
|
signal.alarm(timeout)
|
||||||
|
|
||||||
|
-
|
||||||
|
- @dbus.service.method("org.fedoraproject.SetroubleshootFixit", in_signature='ss', out_signature='s')
|
||||||
|
- def run_fix(self, local_id, analysis_id):
|
||||||
|
- import subprocess
|
||||||
|
+ def is_authorized(self, sender):
|
||||||
|
+ bus = dbus.SystemBus()
|
||||||
|
+
|
||||||
|
+ proxy = bus.get_object('org.freedesktop.PolicyKit1', '/org/freedesktop/PolicyKit1/Authority')
|
||||||
|
+ authority = dbus.Interface(proxy, dbus_interface='org.freedesktop.PolicyKit1.Authority')
|
||||||
|
+ subject = ('system-bus-name', {'name' : sender})
|
||||||
|
+ action_id = 'org.fedoraproject.setroubleshootfixit.write'
|
||||||
|
+ details = {}
|
||||||
|
+ flags = 1 # AllowUserInteraction flag
|
||||||
|
+ cancellation_id = '' # No cancellation id
|
||||||
|
+ result = authority.CheckAuthorization(subject, action_id, details, flags, cancellation_id)
|
||||||
|
+ return result[0]
|
||||||
|
+
|
||||||
|
+ @dbus.service.method("org.fedoraproject.SetroubleshootFixit", sender_keyword="sender", in_signature='ss', out_signature='s')
|
||||||
|
+ def run_fix(self, local_id, analysis_id, sender):
|
||||||
|
self.alarm(0)
|
||||||
|
command = ["sealert", "-f", local_id, "-P", analysis_id]
|
||||||
|
- return subprocess.check_output(command, universal_newlines=True)
|
||||||
|
+
|
||||||
|
+ if self.is_authorized(sender):
|
||||||
|
+ result = subprocess.check_output(command, universal_newlines=True)
|
||||||
|
+ else:
|
||||||
|
+ result = "Authorization failed"
|
||||||
|
+
|
||||||
|
self.alarm(self.timeout)
|
||||||
|
+ return result
|
||||||
|
+
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
mainloop = GLib.MainLoop()
|
||||||
|
@@ -36,5 +52,4 @@ if __name__ == "__main__":
|
||||||
|
system_bus = dbus.SystemBus()
|
||||||
|
name = dbus.service.BusName("org.fedoraproject.SetroubleshootFixit", system_bus)
|
||||||
|
object = RunFix(system_bus, "/org/fedoraproject/SetroubleshootFixit/object")
|
||||||
|
- slip.dbus.service.set_mainloop(mainloop)
|
||||||
|
mainloop.run()
|
||||||
|
diff --git a/framework/src/setroubleshoot/browser.py b/framework/src/setroubleshoot/browser.py
|
||||||
|
index 2d37bb4..3203f75 100644
|
||||||
|
--- a/framework/src/setroubleshoot/browser.py
|
||||||
|
+++ b/framework/src/setroubleshoot/browser.py
|
||||||
|
@@ -65,8 +65,6 @@ from setroubleshoot.util import *
|
||||||
|
from setroubleshoot.html_util import html_to_text
|
||||||
|
import re
|
||||||
|
import dbus
|
||||||
|
-import slip.dbus.service
|
||||||
|
-from slip.dbus import polkit
|
||||||
|
import report
|
||||||
|
import report.io
|
||||||
|
import report.io.GTKIO
|
||||||
|
@@ -933,7 +931,6 @@ class DBusProxy (object):
|
||||||
|
self.bus = dbus.SystemBus()
|
||||||
|
self.dbus_object = self.bus.get_object("org.fedoraproject.SetroubleshootFixit", "/org/fedoraproject/SetroubleshootFixit/object")
|
||||||
|
|
||||||
|
- @polkit.enable_proxy
|
||||||
|
def run_fix(self, local_id, plugin_name):
|
||||||
|
return self.dbus_object.run_fix(local_id, plugin_name, dbus_interface="org.fedoraproject.SetroubleshootFixit")
|
||||||
|
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
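Review bot: In run_fix the idle timer is cancelled with `self.alarm(0)` and re-armed only on the normal path, so an exception leaves this polkit-guarded service running with no timeout. That happens if `CheckAuthorization` raises or `subprocess.check_output` fails on a non-zero sealert exit; wrapping the body in `try`/`finally` restores the timer on every path. A denied request is also returned as the ordinary string "Authorization failed", which the caller in browser.py cannot distinguish from sealert output. Raising `dbus.exceptions.DBusException` would make the refusal explicit, provided the client is updated to handle it. The `default_polkit_auth_required` attribute kept as context looks unused now that slip is gone, though the class body is only partly visible here.

```python
    def run_fix(self, local_id, analysis_id, sender):
        self.alarm(0)
        try:
            # … unchanged: command list …
            if self.is_authorized(sender):
                result = subprocess.check_output(command, universal_newlines=True)
            else:
                result = "Authorization failed"
            return result
        finally:
            # Re-arm the idle timer on every exit path, including exceptions.
            self.alarm(self.timeout)
```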
@ -0,0 +1,82 @@
|
|||||||
|
From f6a21742b2531f5dfd0fa68400848ca4314f972f Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Date: Mon, 6 Dec 2021 12:14:04 +0100
|
||||||
|
Subject: [PATCH] Fix typos in --help, man pages and developer's guide
|
||||||
|
|
||||||
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
---
|
||||||
|
TODO | 2 +-
|
||||||
|
doc/sealert.8 | 2 +-
|
||||||
|
src/config.py.in | 2 +-
|
||||||
|
src/sealert | 2 +-
|
||||||
|
src/setroubleshoot/server.py | 2 +-
|
||||||
|
5 files changed, 5 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/framework/TODO b/framework/TODO
|
||||||
|
index 6c2f375..25072ea 100644
|
||||||
|
--- a/framework/TODO
|
||||||
|
+++ b/framework/TODO
|
||||||
|
@@ -22,7 +22,7 @@ return plain text (to be used for plaintext email and writing to
|
||||||
|
stdout).
|
||||||
|
|
||||||
|
(John) Add log file scanning support (I'm currently working on this).
|
||||||
|
-We could use a better parser for AVC's in log file or other "stream",
|
||||||
|
+We could use a better parser for AVCs in log file or other "stream",
|
||||||
|
should work by accepting data via a feed() method and invoke a
|
||||||
|
callback when it finds an AVC returning an AVC class and a range
|
||||||
|
(start,end) where it was located (question: should the range be line
|
||||||
|
diff --git a/framework/doc/sealert.8 b/framework/doc/sealert.8
|
||||||
|
index 89f4dff..d3e81e3 100644
|
||||||
|
--- a/framework/doc/sealert.8
|
||||||
|
+++ b/framework/doc/sealert.8
|
||||||
|
@@ -102,7 +102,7 @@ Start sealert without dbus service as stand alone app
|
||||||
|
Lookup alert by id, if id is wildcard * then return all alerts
|
||||||
|
.TP
|
||||||
|
.B \-a \-\-analyze file
|
||||||
|
-Scan a log file, analyze its AVC's
|
||||||
|
+Scan a log file, analyze its AVCs
|
||||||
|
.TP
|
||||||
|
.B \-u \-\-user
|
||||||
|
logon as user
|
||||||
|
diff --git a/framework/src/config.py.in b/framework/src/config.py.in
|
||||||
|
index cbb0542..daf9a68 100644
|
||||||
|
--- a/framework/src/config.py.in
|
||||||
|
+++ b/framework/src/config.py.in
|
||||||
|
@@ -184,7 +184,7 @@ the alert's last seen date will be purged first. Zero implies no limit''',
|
||||||
|
'max_alert_age': {
|
||||||
|
'value': '',
|
||||||
|
'description' : '''
|
||||||
|
-Purge any alerts whose age based on it's last seen date exceeds this threshold.
|
||||||
|
+Purge any alerts whose age based on its last seen date exceeds this threshold.
|
||||||
|
Age may be specified as a sequence of integer unit pairs. Units may be one of
|
||||||
|
year,month,week,day,hour,minute,second and may optionally be plural.
|
||||||
|
Example: '2 weeks 1 day' sets the threshold at 15 days.
|
||||||
|
diff --git a/framework/src/sealert b/framework/src/sealert
|
||||||
|
index bae0c81..2663a21 100755
|
||||||
|
--- a/framework/src/sealert
|
||||||
|
+++ b/framework/src/sealert
|
||||||
|
@@ -598,7 +598,7 @@ if __name__ == '__main__':
|
||||||
|
parser.add_option("-l", "--lookupid", dest="lookupid", default=False,
|
||||||
|
help="Lookup alert by id, id may be wildcard * to lookup all alerts")
|
||||||
|
parser.add_option("-a", "--analyze", dest="analyze", default=False,
|
||||||
|
- help="Scan a log file, analyze it's AVC's", metavar="FILE")
|
||||||
|
+ help="Scan a log file, analyze its AVCs", metavar="FILE")
|
||||||
|
parser.add_option("-u", "--user", dest="user", default=False,
|
||||||
|
help="logon user name")
|
||||||
|
parser.add_option("-p", "--password", dest="password", default=False,
|
||||||
|
diff --git a/framework/src/setroubleshoot/server.py b/framework/src/setroubleshoot/server.py
|
||||||
|
index aef0346..771ea15 100755
|
||||||
|
--- a/framework/src/setroubleshoot/server.py
|
||||||
|
+++ b/framework/src/setroubleshoot/server.py
|
||||||
|
@@ -764,7 +764,7 @@ def RunFaultServer(timeout=10):
|
||||||
|
try:
|
||||||
|
# FIXME: should this be using our logging objects in log.py?
|
||||||
|
# currently syslog is only used for putting an alert into
|
||||||
|
- # the syslog with it's id
|
||||||
|
+ # the syslog with its id
|
||||||
|
|
||||||
|
global pkg_name
|
||||||
|
syslog.openlog(pkg_name)
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
@ -0,0 +1,174 @@
|
|||||||
|
From e0cf9f2e50e8da856ffd511cbbab7ee36a31bb74 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Date: Fri, 10 Dec 2021 15:04:21 +0100
|
||||||
|
Subject: [PATCH] Revert "Replace pydbus with dasbus"
|
||||||
|
|
||||||
|
dasbus is not available in rhel8.
|
||||||
|
|
||||||
|
This reverts commit 5290ca0ee06d69102bf2b756e2decc0f8c5b770f.
|
||||||
|
---
|
||||||
|
configure.ac | 6 +++---
|
||||||
|
src/SetroubleshootPrivileged.py | 32 ++++++++++++++------------------
|
||||||
|
src/seapplet | 21 +++++++++++++--------
|
||||||
|
src/setroubleshoot/util.py | 9 +++------
|
||||||
|
4 files changed, 33 insertions(+), 35 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/framework/configure.ac b/framework/configure.ac
|
||||||
|
index d1d0176..e3b7b5a 100644
|
||||||
|
--- a/framework/configure.ac
|
||||||
|
+++ b/framework/configure.ac
|
||||||
|
@@ -65,13 +65,13 @@ else
|
||||||
|
$python_module_result])
|
||||||
|
fi
|
||||||
|
|
||||||
|
-AC_MSG_CHECKING([for the dasbus python3 module])
|
||||||
|
-python_module_result=`$PYTHON -c "import dasbus" 2>&1`
|
||||||
|
+AC_MSG_CHECKING([for the pydbus python3 module])
|
||||||
|
+python_module_result=`$PYTHON -c "import pydbus" 2>&1`
|
||||||
|
if test -z "$python_module_result"; then
|
||||||
|
AC_MSG_RESULT([yes])
|
||||||
|
else
|
||||||
|
AC_MSG_RESULT([no])
|
||||||
|
- AC_MSG_ERROR([cannot import Python3 module dasbus.
|
||||||
|
+ AC_MSG_ERROR([cannot import Python3 module pydbus.
|
||||||
|
Please check your Python3 installation. The error was:
|
||||||
|
$python_module_result])
|
||||||
|
fi
|
||||||
|
diff --git a/framework/src/SetroubleshootPrivileged.py b/framework/src/SetroubleshootPrivileged.py
|
||||||
|
index d2a9ea4..899e687 100644
|
||||||
|
--- a/framework/src/SetroubleshootPrivileged.py
|
||||||
|
+++ b/framework/src/SetroubleshootPrivileged.py
|
||||||
|
@@ -19,23 +19,23 @@
|
||||||
|
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
|
||||||
|
from gi.repository import GLib
|
||||||
|
-from dasbus.connection import SystemMessageBus
|
||||||
|
+from pydbus import SystemBus
|
||||||
|
import setroubleshoot.util
|
||||||
|
import signal
|
||||||
|
|
||||||
|
loop = GLib.MainLoop()
|
||||||
|
|
||||||
|
class Privileged(object):
|
||||||
|
- __dbus_xml__ = """
|
||||||
|
- <node>
|
||||||
|
- <interface name='org.fedoraproject.SetroubleshootPrivileged'>
|
||||||
|
- <method name='get_rpm_nvr_by_scontext'>
|
||||||
|
- <arg type='s' name='scontext' direction='in'/>
|
||||||
|
- <arg type='s' name='rpmnvr' direction='out'/>
|
||||||
|
- </method>
|
||||||
|
- <method name='finish'/>
|
||||||
|
- </interface>
|
||||||
|
- </node>
|
||||||
|
+ """
|
||||||
|
+ <node>
|
||||||
|
+ <interface name='org.fedoraproject.SetroubleshootPrivileged'>
|
||||||
|
+ <method name='get_rpm_nvr_by_scontext'>
|
||||||
|
+ <arg type='s' name='scontext' direction='in'/>
|
||||||
|
+ <arg type='s' name='rpmnvr' direction='out'/>
|
||||||
|
+ </method>
|
||||||
|
+ <method name='finish'/>
|
||||||
|
+ </interface>
|
||||||
|
+ </node>
|
||||||
|
"""
|
||||||
|
|
||||||
|
def __init__(self, timeout=10):
|
||||||
|
@@ -58,10 +58,6 @@ class Privileged(object):
|
||||||
|
loop.quit()
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
- bus = SystemMessageBus()
|
||||||
|
- try:
|
||||||
|
- bus.publish_object("/org/fedoraproject/SetroubleshootPrivileged", Privileged())
|
||||||
|
- bus.register_service("org.fedoraproject.SetroubleshootPrivileged")
|
||||||
|
- loop.run()
|
||||||
|
- finally:
|
||||||
|
- bus.disconnect()
|
||||||
|
+ bus = SystemBus()
|
||||||
|
+ bus.publish("org.fedoraproject.SetroubleshootPrivileged", Privileged())
|
||||||
|
+ loop.run()
|
||||||
|
diff --git a/framework/src/seapplet b/framework/src/seapplet
|
||||||
|
index b5f65d1..79b5ef2 100644
|
||||||
|
--- a/framework/src/seapplet
|
||||||
|
+++ b/framework/src/seapplet
|
||||||
|
@@ -26,7 +26,7 @@ from gi.repository import Gtk
|
||||||
|
gi.require_version('Notify', '0.7')
|
||||||
|
from gi.repository import Notify
|
||||||
|
|
||||||
|
-from dasbus.connection import SystemMessageBus
|
||||||
|
+from pydbus import SystemBus
|
||||||
|
|
||||||
|
import selinux
|
||||||
|
import sys
|
||||||
|
@@ -52,14 +52,13 @@ class SEApplet(GObject.Object):
|
||||||
|
|
||||||
|
def __init__(self):
|
||||||
|
|
||||||
|
- bus = SystemMessageBus()
|
||||||
|
- Setroubleshootd = bus.get_proxy(
|
||||||
|
- 'org.fedoraproject.Setroubleshootd',
|
||||||
|
- '/org/fedoraproject/Setroubleshootd'
|
||||||
|
+ bus = SystemBus()
|
||||||
|
+ self.bus_signal = bus.subscribe(
|
||||||
|
+ iface='org.fedoraproject.SetroubleshootdIface',
|
||||||
|
+ signal='alert',
|
||||||
|
+ signal_fired=self.send_notification
|
||||||
|
)
|
||||||
|
|
||||||
|
- Setroubleshootd.alert.connect(self.send_notification)
|
||||||
|
-
|
||||||
|
super(SEApplet, self).__init__()
|
||||||
|
Notify.init("seapplet")
|
||||||
|
# lets initialise with the application name
|
||||||
|
@@ -81,6 +80,11 @@ class SEApplet(GObject.Object):
|
||||||
|
except:
|
||||||
|
pass
|
||||||
|
|
||||||
|
+ Setroubleshootd = bus.get(
|
||||||
|
+ 'org.fedoraproject.Setroubleshootd',
|
||||||
|
+ '/org/fedoraproject/Setroubleshootd'
|
||||||
|
+ )
|
||||||
|
+
|
||||||
|
(count, red) = Setroubleshootd.check_for_new(last_id)
|
||||||
|
|
||||||
|
if count > 0:
|
||||||
|
@@ -115,7 +119,8 @@ class SEApplet(GObject.Object):
|
||||||
|
launcher.launch(None, context)
|
||||||
|
self.status_icon.set_visible(False)
|
||||||
|
|
||||||
|
- def send_notification(self, *params):
|
||||||
|
+ def send_notification(self, sender, dobject, iface, signal, params):
|
||||||
|
+
|
||||||
|
status_icon = self.__init_status_icon()
|
||||||
|
status_icon.set_visible(True)
|
||||||
|
|
||||||
|
diff --git a/framework/src/setroubleshoot/util.py b/framework/src/setroubleshoot/util.py
|
||||||
|
index 02c4f75..657c882 100755
|
||||||
|
--- a/framework/src/setroubleshoot/util.py
|
||||||
|
+++ b/framework/src/setroubleshoot/util.py
|
||||||
|
@@ -69,7 +69,7 @@ __all__ = [
|
||||||
|
import bz2
|
||||||
|
import six
|
||||||
|
import datetime
|
||||||
|
-from dasbus.connection import SystemMessageBus
|
||||||
|
+from pydbus import SystemBus
|
||||||
|
import glob
|
||||||
|
from gi.repository import GObject
|
||||||
|
import os
|
||||||
|
@@ -522,11 +522,8 @@ Finds an SELinux module which defines given SELinux context
|
||||||
|
|
||||||
|
"""
|
||||||
|
if use_dbus:
|
||||||
|
- bus = SystemMessageBus()
|
||||||
|
- remote_object = bus.get_proxy(
|
||||||
|
- "org.fedoraproject.SetroubleshootPrivileged",
|
||||||
|
- "/org/fedoraproject/SetroubleshootPrivileged"
|
||||||
|
- )
|
||||||
|
+ bus = SystemBus()
|
||||||
|
+ remote_object = bus.get("org.fedoraproject.SetroubleshootPrivileged")
|
||||||
|
return str(remote_object.get_rpm_nvr_by_scontext(str(scontext)))
|
||||||
|
else:
|
||||||
|
context = selinux.context_new(str(scontext))
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
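Review bot: The restored `bus.subscribe(...)` call in SEApplet.__init__ matches only on `iface` and `signal`, so a signal with that interface and member from any connection on the system bus would trigger `send_notification`. The dasbus code being reverted connected through a proxy bound to the service name. Adding `sender='org.fedoraproject.Setroubleshootd',` to the subscribe arguments would keep that binding, and `object='/org/fedoraproject/Setroubleshootd',` too if the daemon emits from that path; the emitting side is not visible here. Whether the bus policy already restricts who may send this signal cannot be told from these hunks.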
@ -0,0 +1,40 @@
|
|||||||
|
From 73d60acf9d4d7ae740d450f9c9a9566dac1c3111 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Petr Lautrbach <plautrba@redhat.com>
|
||||||
|
Date: Thu, 3 Feb 2022 18:14:05 +0100
|
||||||
|
Subject: [PATCH] Improve after_first email filter behavior
|
||||||
|
|
||||||
|
after_first used to send 2 emails before it started to filter. The
|
||||||
|
problem was in the email users were not saved into database when a new
|
||||||
|
signature was created.
|
||||||
|
|
||||||
|
Also we need to skip email users when we evaluated whether send a
|
||||||
|
desktop notification or not.
|
||||||
|
---
|
||||||
|
src/setroubleshoot/server.py | 4 ++++
|
||||||
|
1 file changed, 4 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/framework/src/setroubleshoot/server.py b/framework/src/setroubleshoot/server.py
|
||||||
|
index 771ea15..10ef215 100755
|
||||||
|
--- a/framework/src/setroubleshoot/server.py
|
||||||
|
+++ b/framework/src/setroubleshoot/server.py
|
||||||
|
@@ -220,6 +220,7 @@ class AlertPluginReportReceiver(PluginReportReceiver):
|
||||||
|
if len(to_addrs):
|
||||||
|
from setroubleshoot.email_alert import email_alert
|
||||||
|
email_alert(siginfo, to_addrs)
|
||||||
|
+ self.database.mark_modified()
|
||||||
|
|
||||||
|
log_debug("sending alert to all clients")
|
||||||
|
|
||||||
|
@@ -234,6 +235,9 @@ class AlertPluginReportReceiver(PluginReportReceiver):
|
||||||
|
systemd.journal.send(siginfo.format_text(), OBJECT_PID=pid, SYSLOG_IDENTIFIER=pkg_name)
|
||||||
|
|
||||||
|
for u in siginfo.users:
|
||||||
|
+ if u.username[0:6] == "email:":
|
||||||
|
+ # skip email users - they were evaluated before
|
||||||
|
+ continue
|
||||||
|
action = siginfo.evaluate_filter_for_user(u.username)
|
||||||
|
if action == "ignore":
|
||||||
|
return siginfo
|
||||||
|
--
|
||||||
|
2.30.2
|
||||||
|
|
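Review bot: The email-user test `u.username[0:6] == "email:"` hard-codes the prefix length next to the prefix itself; `if u.username.startswith("email:"):` expresses the same check without slice bounds to keep in sync. The loop and the enclosing method continue outside the hunk, so whether the same prefix is tested elsewhere in the method cannot be seen here.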
File diff suppressed because it is too large
@ -0,0 +1,70 @@
|
|||||||
|
From a2102cb35cd45852fc508b2f62400be098050d7a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Date: Mon, 4 Jul 2022 16:20:30 +0200
|
||||||
|
Subject: [PATCH] Decrease setroubleshootd priority and limit RAM utilization
|
||||||
|
to 1GB
|
||||||
|
|
||||||
|
This should help with system responsiveness in case of large amount of
|
||||||
|
AVCs. The memory limit ensures the process cannot indefinitely hog
|
||||||
|
memory in case it is running continuously. My testing showed normal
|
||||||
|
memory consumption not to exceed 350MB, so 1GB should not limit normal
|
||||||
|
operation.
|
||||||
|
|
||||||
|
Note: Limiting memory using systemd service file was chosen to make it easier
|
||||||
|
for users to adjust the limits.
|
||||||
|
|
||||||
|
Related:
|
||||||
|
https://bugzilla.redhat.com/show_bug.cgi?id=2064727
|
||||||
|
|
||||||
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
---
|
||||||
|
Makefile.am | 3 +++
|
||||||
|
org.fedoraproject.Setroubleshootd.service | 3 ++-
|
||||||
|
setroubleshootd.service | 10 ++++++++++
|
||||||
|
3 files changed, 15 insertions(+), 1 deletion(-)
|
||||||
|
create mode 100644 setroubleshootd.service
|
||||||
|
|
||||||
|
diff --git a/framework/Makefile.am b/framework/Makefile.am
|
||||||
|
index f330b7c..93c6a06 100644
|
||||||
|
--- a/framework/Makefile.am
|
||||||
|
+++ b/framework/Makefile.am
|
||||||
|
@@ -28,6 +28,9 @@ polkit_systemdir = $(datadir)/polkit-1/actions
|
||||||
|
polkit_system_DATA = \
|
||||||
|
org.fedoraproject.setroubleshootfixit.policy
|
||||||
|
|
||||||
|
+systemd_systemunitdir = $(prefix)/lib/systemd/system/
|
||||||
|
+systemd_systemunit_DATA = setroubleshootd.service
|
||||||
|
+
|
||||||
|
autostartdir = $(sysconfdir)/xdg/autostart
|
||||||
|
autostart_DATA = sealertauto.desktop
|
||||||
|
|
||||||
|
diff --git a/framework/org.fedoraproject.Setroubleshootd.service b/framework/org.fedoraproject.Setroubleshootd.service
|
||||||
|
index 05c2c39..2c52499 100644
|
||||||
|
--- a/framework/org.fedoraproject.Setroubleshootd.service
|
||||||
|
+++ b/framework/org.fedoraproject.Setroubleshootd.service
|
||||||
|
@@ -1,4 +1,5 @@
|
||||||
|
[D-BUS Service]
|
||||||
|
Name=org.fedoraproject.Setroubleshootd
|
||||||
|
-Exec=/usr/sbin/setroubleshootd -f
|
||||||
|
+SystemdService=setroubleshootd.service
|
||||||
|
+Exec=/bin/false
|
||||||
|
User=setroubleshoot
|
||||||
|
diff --git a/framework/setroubleshootd.service b/framework/setroubleshootd.service
|
||||||
|
new file mode 100644
|
||||||
|
index 0000000..81c75b1
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/framework/setroubleshootd.service
|
||||||
|
@@ -0,0 +1,10 @@
|
||||||
|
+[Unit]
|
||||||
|
+Description=SETroubleshoot daemon for processing new SELinux denial logs
|
||||||
|
+
|
||||||
|
+[Service]
|
||||||
|
+Type=dbus
|
||||||
|
+BusName=org.fedoraproject.Setroubleshootd
|
||||||
|
+ExecStart=/usr/sbin/setroubleshootd -f
|
||||||
|
+User=setroubleshoot
|
||||||
|
+LimitAS=1G
|
||||||
|
+Nice=5
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
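Review bot: `LimitAS=1G` in the new setroubleshootd.service caps each process's virtual address space, not the resident memory the commit message describes. Allocations can therefore fail well before 1GB of RAM is in use, and the 350MB figure quoted from testing may not be the number the limit is compared against. A comment above it such as `# LimitAS caps virtual address space per process, not RSS` would make this clear to admins tuning the value. A cgroup memory limit is the closer match to the stated intent, if the target systemd and cgroup setup support one. The unit also adds no sandboxing directives; which ones the daemon can tolerate would need checking against what it reads and writes.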
@ -0,0 +1,45 @@
|
|||||||
|
From eed06d0f11867c1019fee4fb1a80be775a60d74e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Date: Mon, 11 Jul 2022 18:20:47 +0200
|
||||||
|
Subject: [PATCH] doc: Document performance related changes
|
||||||
|
|
||||||
|
- Setroubleshootd is now executed using setroubleshootd.service
|
||||||
|
- ^^ is limited to 1GB of RAM and has a lower than normal priority
|
||||||
|
|
||||||
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
---
|
||||||
|
doc/setroubleshootd.8 | 9 +++++++--
|
||||||
|
1 file changed, 7 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/framework/doc/setroubleshootd.8 b/framework/doc/setroubleshootd.8
|
||||||
|
index bed6713..f1f04d8 100644
|
||||||
|
--- a/framework/doc/setroubleshootd.8
|
||||||
|
+++ b/framework/doc/setroubleshootd.8
|
||||||
|
@@ -23,9 +23,14 @@ components, sealert and setroubleshootd.
|
||||||
|
setroubleshootd is a system daemon which runs under setroubleshoot user and
|
||||||
|
listens for audit events emitted from the kernel related to SELinux. When the
|
||||||
|
setroubleshootd daemon sees an SELinux AVC denial it runs a series of analysis
|
||||||
|
-plugins which examines the audit data related to the AVC. It records the
|
||||||
|
+plugins which examine the audit data related to the AVC. It records the
|
||||||
|
results of the analysis and signals any clients which have attached to the
|
||||||
|
setroubleshootd daemon that a new alert has been seen.
|
||||||
|
+.P
|
||||||
|
+setroubleshootd is not persistent and only runs when there are new AVCs to be
|
||||||
|
+analyzed. It is executed using setroubleshootd.service, which also limits its
|
||||||
|
+priority and maximum RAM utilization to 1GB, in order to help with system
|
||||||
|
+responsiveness in case of large amounts of AVCs.
|
||||||
|
|
||||||
|
.SH "OPTIONS"
|
||||||
|
.TP
|
||||||
|
@@ -33,7 +38,7 @@ setroubleshootd daemon that a new alert has been seen.
|
||||||
|
Do not fork the daemon
|
||||||
|
.TP
|
||||||
|
.B \-d \-\-debug
|
||||||
|
-Do not exit after 10 seconds
|
||||||
|
+Do not exit after 10 seconds of inactivity
|
||||||
|
.TP
|
||||||
|
.B \-h \-\-help
|
||||||
|
Show this message
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
@ -0,0 +1,56 @@
|
|||||||
|
From 2fbc58c26359989894dfb54daaca2ff4b537f4fe Mon Sep 17 00:00:00 2001
|
||||||
|
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
|
||||||
|
Date: Fri, 22 Apr 2022 16:27:30 +0200
|
||||||
|
Subject: [PATCH] setroubleshoot/server: shutdown RunFaultServer nicely
|
||||||
|
|
||||||
|
systemd[1]: dbus-:1.2-org.fedoraproject.Setroubleshootd@2.service: Main process exited, code=killed, status=14/ALRM
|
||||||
|
systemd[1]: dbus-:1.2-org.fedoraproject.Setroubleshootd@2.service: Failed with result 'signal'.
|
||||||
|
audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:systemd_t:s0 msg='unit=dbus-:1.2-org.fedoraproject.Setroubleshootd@2 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'
|
||||||
|
---
|
||||||
|
src/setroubleshoot/server.py | 14 +++++++++++---
|
||||||
|
1 file changed, 11 insertions(+), 3 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/framework/src/setroubleshoot/server.py b/framework/src/setroubleshoot/server.py
|
||||||
|
index 10ef215..8f16993 100755
|
||||||
|
--- a/framework/src/setroubleshoot/server.py
|
||||||
|
+++ b/framework/src/setroubleshoot/server.py
|
||||||
|
@@ -733,9 +733,17 @@ def goodbye(database):
|
||||||
|
audit2why.finish()
|
||||||
|
|
||||||
|
|
||||||
|
+main_loop = GLib.MainLoop()
|
||||||
|
+
|
||||||
|
+
|
||||||
|
+def alarm_handler(signum, frame):
|
||||||
|
+ log_debug("SIGALRM raised in RunFaultServer")
|
||||||
|
+ main_loop.quit()
|
||||||
|
+
|
||||||
|
+
|
||||||
|
def RunFaultServer(timeout=10):
|
||||||
|
signal.alarm(timeout)
|
||||||
|
- sigalrm_handler = signal.signal(signal.SIGALRM, polling_failed_handler)
|
||||||
|
+ signal.signal(signal.SIGALRM, polling_failed_handler)
|
||||||
|
# polling for /sys/fs/selinux/policy file
|
||||||
|
while True:
|
||||||
|
try:
|
||||||
|
@@ -760,7 +768,7 @@ def RunFaultServer(timeout=10):
|
||||||
|
|
||||||
|
global host_database, analysis_queue, email_recipients
|
||||||
|
|
||||||
|
- signal.signal(signal.SIGALRM, sigalrm_handler)
|
||||||
|
+ signal.signal(signal.SIGALRM, alarm_handler)
|
||||||
|
signal.signal(signal.SIGHUP, sighandler)
|
||||||
|
|
||||||
|
#interface_registry.dump_interfaces()
|
||||||
|
@@ -856,7 +864,7 @@ def RunFaultServer(timeout=10):
|
||||||
|
|
||||||
|
dbus.glib.init_threads()
|
||||||
|
setroubleshootd_dbus = SetroubleshootdDBus(analysis_queue, alert_receiver, timeout)
|
||||||
|
- main_loop = GLib.MainLoop()
|
||||||
|
+
|
||||||
|
main_loop.run()
|
||||||
|
|
||||||
|
except KeyboardInterrupt as e:
|
||||||
|
--
|
||||||
|
2.35.3
|
||||||
|
|
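Review bot: A SIGALRM that arrives after `signal.signal(signal.SIGALRM, alarm_handler)` but before `main_loop.run()` is reached appears to be lost, because `main_loop.quit()` has no running loop to stop. The idle shutdown would then depend on the alarm being armed again somewhere outside these hunks. About a hundred lines of initialisation sit between the two calls, and the timer was started at the top of RunFaultServer, so slow start-up could hit this window. A short docstring on `alarm_handler` stating that it only stops a running loop would help, as would re-arming with `signal.alarm(timeout)` just before `main_loop.run()`. Creating `main_loop` at module level also means importing server.py now constructs a GLib main loop as a side effect.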
@ -0,0 +1,48 @@
|
|||||||
|
From 9e2753d241bf0bccaf0b05984e7562a2ac2a70e6 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
Date: Thu, 24 Aug 2023 19:02:24 +0200
|
||||||
|
Subject: [PATCH] Check that SELinux is enabled before running
|
||||||
|
|
||||||
|
Setroubleshootd will fail to run when selinux is disabled. Check that
|
||||||
|
SELinux is enabled in setroubleshootd service file and in sealert (so
|
||||||
|
that it does not wait for setroubleshootd to start).
|
||||||
|
|
||||||
|
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=2178950
|
||||||
|
|
||||||
|
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
|
||||||
|
---
|
||||||
|
setroubleshootd.service | 1 +
|
||||||
|
src/sealert | 6 ++++++
|
||||||
|
2 files changed, 7 insertions(+)
|
||||||
|
|
||||||
|
diff --git a/framework/setroubleshootd.service b/framework/setroubleshootd.service
|
||||||
|
index 81c75b1..7fc2ffb 100644
|
||||||
|
--- a/framework/setroubleshootd.service
|
||||||
|
+++ b/framework/setroubleshootd.service
|
||||||
|
@@ -1,5 +1,6 @@
|
||||||
|
[Unit]
|
||||||
|
Description=SETroubleshoot daemon for processing new SELinux denial logs
|
||||||
|
+ConditionSecurity=selinux
|
||||||
|
|
||||||
|
[Service]
|
||||||
|
Type=dbus
|
||||||
|
diff --git a/framework/src/sealert b/framework/src/sealert
|
||||||
|
index 2663a21..5ce6463 100755
|
||||||
|
--- a/framework/src/sealert
|
||||||
|
+++ b/framework/src/sealert
|
||||||
|
@@ -576,6 +576,12 @@ if __name__ == '__main__':
|
||||||
|
setup_sighandlers()
|
||||||
|
log_debug("main() args=%s" % sys.argv)
|
||||||
|
|
||||||
|
+ # Exit if selinux is disabled - setroubleshootd cannot start
|
||||||
|
+ if not selinux.is_selinux_enabled():
|
||||||
|
+ log_debug("SELinux not enabled, sealert will not run on non SELinux systems")
|
||||||
|
+ print("SELinux not enabled, sealert will not run on non SELinux systems", file=sys.stderr)
|
||||||
|
+ sys.exit(3)
|
||||||
|
+
|
||||||
|
def validate_invocation_style(opt, opts_instance, conflict_opts):
|
||||||
|
global invocation_style
|
||||||
|
conflict_opts.remove(opt)
|
||||||
|
--
|
||||||
|
2.41.0
|
||||||
|
|
@ -0,0 +1 @@
|
|||||||
|
d /run/setroubleshoot 711 setroubleshoot setroubleshoot -
|
File diff suppressed because it is too large