Bug 1352611 - No alerts are found anymore
Summary: No alerts are found anymore
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: setroubleshoot
Version: 24
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 1353911
Blocks:
Reported: 2016-07-04 12:23 UTC by Marius Vollmer
Modified: 2016-07-27 20:53 UTC

Fixed In Version: setroubleshoot-3.3.10-1.fc24 setroubleshoot-3.3.10-1.fc23
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-07-20 00:19:44 UTC
Type: Bug
Embargoed:


Attachments
Transcript (22.99 KB, text/plain), 2016-07-04 12:55 UTC, Marius Vollmer

Description Marius Vollmer 2016-07-04 12:23:05 UTC
Description of problem:

setroubleshootd doesn't seem to find any alerts anymore.

Version-Release number of selected component (if applicable):
setroubleshoot-server-3.3.9.1-1.fc24.x86_64

How reproducible:
Always

Steps to Reproduce:
# mkdir -p ~/selinux_temp
# cd ~/selinux_temp
# cp /bin/ls ls
# chcon -t httpd_exec_t ls
# runcon -u system_u -r system_r -t httpd_t -- ./ls  /home/*
# gdbus call -y -d org.fedoraproject.Setroubleshootd -o /org/fedoraproject/Setroubleshootd -m org.fedoraproject.SetroubleshootdIface.get_all_alerts

Actual results:
(@a(ssi) [],)

Expected results:
([('e55504a0-9476-4d99-845b-484de4eec20c', 'SELinux is preventing ls from read access on the directory builder.', 2)],)

This is what I get with setroubleshoot-server-3.3.7-1.fc24.x86_64

Comment 1 Marius Vollmer 2016-07-04 12:31:46 UTC
Sorry, it's not just the version of setroubleshoot-server, something else is causing this bug.  It might well be something in our test setup.

Comment 2 Marius Vollmer 2016-07-04 12:55:33 UTC
Created attachment 1176064
Transcript

Comment 3 Marius Vollmer 2016-07-04 12:59:55 UTC
Hmm, maybe it is setroubleshoot, after all.  I have attached a transcript that I think shows the following:

- Each time I run "runcon -u system_u -r system_r -t httpd_t -- ./ls  /home/*" I get two more alerts.

- Upgrading setroubleshoot-server breaks that and the number of alerts is stuck at 8.

- Rebooting doesn't help.

- Downgrading setroubleshoot-server doesn't help.

Comment 4 Dominik Perpeet 2016-07-05 09:54:17 UTC
According to https://bugzilla.redhat.com/show_bug.cgi?id=1350425#c1 (bug for RHEL 7), there is a bug in the audit dispatcher.

Comment 5 Steve Grubb 2016-07-05 15:21:49 UTC
audit-2.6.3 should solve all the problems that it caused.
https://bodhi.fedoraproject.org/updates/FEDORA-2016-f6b4eb55d4

Comment 6 Marius Vollmer 2016-07-06 13:41:28 UTC
> audit-2.6.3 should solve all the problems that it caused.

The version of audit during the whole transcript was audit-2.5.2-1.fc24.x86_64, both when setroubleshootd was picking up the alerts and when it wasn't anymore.

Indeed, updating to audit-2.6.3 didn't make our tests pass (unless I messed that up somehow).

Now that I understand better where the alerts are coming from, I'll dig a little deeper.

Comment 7 Marius Vollmer 2016-07-06 14:10:53 UTC
Ok, I think I got it.  The "locate" binary is missing in our images, which makes setroubleshootd throw an uncaught exception from within the "avc" method.

# gdbus call -y \
  -d org.fedoraproject.Setroubleshootd \
  -o /org/fedoraproject/Setroubleshootd \
  -m org.fedoraproject.SetroubleshootdIface.avc \
  "node=localhost.localdomain type=AVC msg=audit(1467813201.877:351): avc:  denied  { read } for  pid=1735 comm=\"ls\" name=\"admin\" dev=\"dm-0\" ino=8848947 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0\n"

Error: GDBus.Error:org.freedesktop.DBus.Python.FileNotFoundError: Traceback (most recent call last):
  File "/usr/lib64/python3.5/site-packages/dbus/service.py", line 707, in _message_cb
    retval = candidate_method(self, *args, **keywords)
  File "/usr/lib/python3.5/site-packages/setroubleshoot/server.py", line 661, in avc
    self.add(AVC(audit_event))
  File "/usr/lib/python3.5/site-packages/setroubleshoot/audit_data.py", line 636, in __init__
    self.derive_avc_info_from_audit_event()
  File "/usr/lib/python3.5/site-packages/setroubleshoot/audit_data.py", line 934, in derive_avc_info_from_audit_event
    self._set_tpath()
  File "/usr/lib/python3.5/site-packages/setroubleshoot/audit_data.py", line 872, in _set_tpath
    universal_newlines=True)
  File "/usr/lib64/python3.5/subprocess.py", line 629, in check_output
    **kwargs).stdout
  File "/usr/lib64/python3.5/subprocess.py", line 696, in run
    with Popen(*popenargs, **kwargs) as process:
  File "/usr/lib64/python3.5/subprocess.py", line 950, in __init__
    restore_signals, start_new_session)
  File "/usr/lib64/python3.5/subprocess.py", line 1544, in _execute_child
    raise child_exception_type(errno_num, err_msg)
FileNotFoundError: [Errno 2] No such file or directory: 'locate'


Setroubleshoot catches and silently ignores subprocess.CalledProcessError for that invocation, so it should probably do the same for FileNotFoundError.

Maybe it also should have a dependency on "mlocate".
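The failure mode described in comment 7, as an added example that is not setroubleshoot's own code: an optional path lookup through an external helper must not stop the alert from being recorded when the helper is missing. The names `resolve_tpath` and `record_alert`, and the stand-in helper commands, are hypothetical and constructed for this sketch.

```python
import subprocess
import sys


def resolve_tpath(name, locate_cmd=("locate",)):
    """Best-effort path lookup; returns None when the helper is unusable."""
    try:
        out = subprocess.check_output(
            list(locate_cmd) + [name],
            stderr=subprocess.DEVNULL,
            universal_newlines=True,
        )
    except subprocess.CalledProcessError:
        return None  # helper ran but exited non-zero (for example, no match)
    except OSError:
        return None  # helper missing or not executable; FileNotFoundError is a subclass
    paths = [p for p in out.splitlines() if p]
    # Only trust an unambiguous answer.
    return paths[0] if len(paths) == 1 else None


def record_alert(alerts, name, locate_cmd=("locate",)):
    """Append an alert; path enrichment is optional and never blocks recording."""
    tpath = resolve_tpath(name, locate_cmd) or name
    alerts.append({"name": name, "tpath": tpath})
    return alerts[-1]


# Constructed stand-ins for the three behaviours of the helper binary.
MISSING = ("locate-binary-that-does-not-exist",)
FAILING = (sys.executable, "-c", "import sys; sys.exit(1)")
WORKING = (sys.executable, "-c", "import sys; print('/home/' + sys.argv[1])")

if __name__ == "__main__":
    alerts = []
    for cmd in (MISSING, FAILING, WORKING):
        print(record_alert(alerts, "admin", cmd))
```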

Comment 8 Marius Vollmer 2016-07-08 11:10:32 UTC
I think audispd 2.6.2 and later produce output that auparse rejects:

# strace -e write -s1000 -p $(pgrep audisp)
strace: Process 938 attached
write(6, "node=demon.mvo.lan type=AVC msg=type=AVC msg=audit(1467976086.574:336): avc:  denied  { read } for  pid=2010 comm=\"ls\" name=\"mvo\" dev=\"0:43\" ino=5242881 scontext=system_u:system_r:httpd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=dir permissive=0\n", 263) = 263

Note the "msg=type=AVC" bit, that looks wrong and causes auparse to skip over that line completely.  sedispatch never gets that event passed back to its callback.

I file a separate bug.
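A check for the record shape described in comment 8, as an added example that is not part of the audit or setroubleshoot code: it classifies dispatcher lines so that records a consumer would silently skip become visible as a count. The regular expression is a simplified assumption about the record header, not auparse's grammar; the two sample lines are taken from comments 7 and 8 with the record body shortened, and the third is constructed.

```python
import re

# Simplified header shape (assumption): optional node=, then type=,
# then msg=audit(seconds.millis:serial):
RECORD_RE = re.compile(
    r"^(?:node=(?P<node>\S+) )?type=(?P<type>[A-Z_0-9]+) "
    r"msg=audit\((?P<sec>\d+)\.(?P<ms>\d+):(?P<serial>\d+)\): ?(?P<body>.*)$"
)
# The defect shown in comment 8: the type field repeated inside msg=.
DUP_PREFIX_RE = re.compile(r"msg=type=[A-Z_0-9]+ msg=audit\(")


def check_record(line):
    """Return (status, record_type, serial) for one dispatcher line."""
    line = line.rstrip("\n")
    m = RECORD_RE.match(line)
    if m:
        return ("ok", m.group("type"), int(m.group("serial")))
    if DUP_PREFIX_RE.search(line):
        return ("duplicated-prefix", None, None)
    return ("malformed", None, None)


def summarize(lines):
    """Count lines per status so dropped records show up as a number."""
    counts = {}
    for line in lines:
        status = check_record(line)[0]
        counts[status] = counts.get(status, 0) + 1
    return counts


GOOD = ('node=localhost.localdomain type=AVC msg=audit(1467813201.877:351): '
        'avc:  denied  { read } for  pid=1735 comm="ls" name="admin"\n')
BAD = ('node=demon.mvo.lan type=AVC msg=type=AVC msg=audit(1467976086.574:336): '
       'avc:  denied  { read } for  pid=2010 comm="ls" name="mvo"\n')
TRUNCATED = "type=AVC msg=audit(\n"  # constructed sample

if __name__ == "__main__":
    for sample in (GOOD, BAD, TRUNCATED):
        print(check_record(sample))
    print(summarize([GOOD, BAD, TRUNCATED]))
```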

Comment 9 Marius Vollmer 2016-07-08 12:07:18 UTC
(In reply to Dominik Perpeet from comment #4)
> According to https://bugzilla.redhat.com/show_bug.cgi?id=1350425#c1 (bug for
> RHEL 7), there is a bug in the audit dispatcher.

Let's use 1353911 to track that.  Bug 1350425 is quite nebulous, imo.

Comment 10 Stef Walter 2016-07-08 19:15:33 UTC
This issue was caught by Cockpit integration tests. One can see it occurs here: https://github.com/cockpit-project/cockpit/issues/4678

Comment 11 Marius Vollmer 2016-07-13 10:07:46 UTC
To summarize:

* audisp writes bogus lines that auparse in sedispatch then ignores.
* setroubleshootd crashes when the "locate" binary is not present on the system, and doesn't record any alerts because of that.

Both bugs need to be fixed.

Comment 12 Petr Lautrbach 2016-07-13 10:13:22 UTC
(In reply to Marius Vollmer from comment #11)
> To summarize:
> 
> * audisp writes bogus lines that auparse in sedispatch then ignores.

https://bugzilla.redhat.com/show_bug.cgi?id=1353911#c15

As I understand, there will be another audit release with a fix soon.

> * setroubleshootd crashes when the "locate" binary is not present on the
> system, and doesn't record any alerts because of that.
> 

It's already fixed upstream. I'll prepare updates.

https://github.com/fedora-selinux/setroubleshoot/commit/fa2365f94ec1d33e3be14416b801b5f6e0ac840b

Comment 13 Marius Vollmer 2016-07-15 07:11:01 UTC
Comment on attachment 1176064
Transcript

I forgot to start auditd after reboot in the transcript, which makes it meaningless.  Please disregard.

Comment 14 Fedora Update System 2016-07-16 14:20:16 UTC
setroubleshoot-3.3.10-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-19370efde6

Comment 15 Fedora Update System 2016-07-16 14:28:01 UTC
setroubleshoot-3.3.10-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-dc324f21e6

Comment 16 Fedora Update System 2016-07-16 22:56:47 UTC
setroubleshoot-3.3.10-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-19370efde6

Comment 17 Fedora Update System 2016-07-17 16:23:04 UTC
setroubleshoot-3.3.10-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-dc324f21e6

Comment 18 Fedora Update System 2016-07-20 00:19:40 UTC
setroubleshoot-3.3.10-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2016-07-27 20:53:09 UTC
setroubleshoot-3.3.10-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

