RHEL 5.3 and sealert -b

ESGLinux esggrupos at gmail.com
Tue Mar 3 12:28:33 UTC 2009


Hello, again

If I open the file /var/log/audit/audit.log I can see the problems with AVC
with the proposed solution,

I realized that when it doesn't work I have "Audit Listener" in the status bar of the
browser

and when I open the log I have:

file:audit

I haven't changed that at all. Could this be the problem?

ESG


2009/3/3 ESGLinux <esggrupos at gmail.com>

> Hello,
>
> I have updated with RHN using pup
>
> here is the info you have requested:
> # getenforce
> Enforcing
>
> #yum list installed | grep selinux
>
> libselinux.i386                           1.33.4-5.1.el5
> installed
> libselinux-devel.i386                     1.33.4-5.1.el5
> installed
> libselinux-python.i386                    1.33.4-5.1.el5
> installed
> libselinux-utils.i386                     1.33.4-5.1.el5
> installed
> selinux-policy.noarch                     2.4.6-203.el5
> installed
> selinux-policy-devel.noarch               2.4.6-203.el5
> installed
> selinux-policy-targeted.noarch            2.4.6-203.el5
> installed
>
> #service setroubleshoot status
> setroubleshootd (pid 2425) is running...
>
> in /var/log/audit/audit.log there are a lot of logs with AVC
> ...
>
> u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
> type=AVC msg=audit(1236072678.050:68): avc:  denied  { write } for
> pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
> type=AVC msg=audit(1236072738.057:69): avc:  denied  { write } for
> pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
> type=AVC msg=audit(1236085050.837:8): avc:  denied  { write } for  pid=2123
> comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
> type=USER_TTY msg=audit(1236085103.658:21): user pid=2940 uid=0 auid=0
> subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='grep AVC audit.log '
> type=AVC msg=audit(1236085110.848:22): avc:  denied  { write } for
> pid=2123 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329
> scontext=system_u:system_r:setroubleshootd_t:s0
> tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
> type=USE
>
> ...
>
> But in the browser I don't see anything. I also think I used to get logs in
> /var/log/messages with the explanation of the alert, but I don't see anything
>
> Thanks
>
> ESG
>
>
>
>
> 2009/3/3 George Magklaras <georgios at biotek.uio.no>
>
>> Trusting that your getenforce shows Enforcing, I have upgraded a bunch of
>> 5.2 to 5.3 and sealert is active for me, so I do not think the problem is
>> specific to RHEL 5.3, maybe something peculiar with your configuration. What
>> does
>>
>> yum list installed | grep selinux
>>
>> say on your upgraded systems? Is the setroubleshootd process running?
>> Finally, what's the frequency of AVC messages in /var/log/audit/audit.log
>>  (cat /var/log/audit/audit.log | grep AVC) ?
>>
>> --
>> George Magklaras BSc Hons MPhil
>> RHCE:805008309135525
>>
>> Senior Computer Systems Engineer/UNIX-Linux Systems Administrator
>> EMBnet Technical Management Board
>> The Biotechnology Centre of Oslo,
>> University of Oslo
>> http://folk.uio.no/georgios
>>
>>
>>
>>
>> a bv wrote:
>>
>>> what method have you used for upgrading the system version?
>>>
>>> Regards
>>>
>>>
>
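The thread counts AVC records with `grep AVC audit.log`, but as the quoted log shows, that also matches the USER_TTY record that merely logs the grep command itself. The following is an added example, not code from any participant in this thread: it parses AVC records from the audit log properly (type, timestamp, serial, result, permission set and the key=value fields), groups denials by source context, target context, object class and permission, and contrasts that with the naive line count. The sample log is constructed here, modeled on the records quoted above with fabricated serials for the extra entries; the function and field names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample, modeled on the records quoted in the thread. The last
# two records (serials 21 and 23) are fabricated to show the edge cases:
# a non-AVC record that still contains the string "AVC", and a granted AVC.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1236072678.050:68): avc:  denied  { write } for  pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1236072738.057:69): avc:  denied  { write } for  pid=2130 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=USER_TTY msg=audit(1236085103.658:21): user pid=2940 uid=0 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='grep AVC audit.log '
type=AVC msg=audit(1236085110.848:22): avc:  denied  { write } for  pid=2123 comm="setroubleshootd" name="audispd_events" dev=hda8 ino=16329 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_var_run_t:s0 tclass=sock_file
type=AVC msg=audit(1236085120.000:23): avc:  granted  { read } for  pid=2123 comm="setroubleshootd" name="audit.log" dev=hda8 ino=16330 scontext=system_u:system_r:setroubleshootd_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file
"""

# Header of an AVC record: type, audit(timestamp:serial), result, { perms }
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be double-quoted (comm, name) or bare (scontext)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


class AvcRecord(NamedTuple):
    ts: float
    serial: int
    result: str            # "denied" or "granted"
    perms: Tuple[str, ...]  # permissions inside the braces, e.g. ("write",)
    fields: Dict[str, str]  # pid, comm, name, scontext, tcontext, tclass, ...


def parse_avc(line: str) -> Optional[AvcRecord]:
    """Return an AvcRecord for a type=AVC line, or None for any other record."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return AvcRecord(
        ts=float(m.group('ts')),
        serial=int(m.group('serial')),
        result=m.group('result'),
        perms=tuple(m.group('perms').split()),
        fields=fields,
    )


def parse_audit_log(text: str) -> List[AvcRecord]:
    """Parse every AVC record in an audit.log body, skipping other record types."""
    return [r for r in (parse_avc(l) for l in text.splitlines()) if r is not None]


DenialKey = Tuple[str, str, str, Tuple[str, ...]]  # scontext, tcontext, tclass, perms


def summarize_denials(records: List[AvcRecord]) -> Counter:
    """Count denials by (scontext, tcontext, tclass, perms), the tuple a policy
    rule or boolean would have to address; granted records are excluded."""
    keys = (
        (r.fields.get('scontext', '?'), r.fields.get('tcontext', '?'),
         r.fields.get('tclass', '?'), r.perms)
        for r in records if r.result == 'denied'
    )
    return Counter(keys)


def naive_grep_count(text: str) -> int:
    """What `grep AVC audit.log | wc -l` reports: every line containing 'AVC'."""
    return sum(1 for l in text.splitlines() if 'AVC' in l)


def report(text: str) -> str:
    """Human-readable comparison of the naive count and the parsed summary."""
    records = parse_audit_log(text)
    lines = [f"lines matching 'AVC': {naive_grep_count(text)}",
             f"AVC records parsed:   {len(records)}"]
    for (sctx, tctx, tclass, perms), n in summarize_denials(records).most_common():
        lines.append(f"{n:4d}x denied {{ {' '.join(perms)} }} {sctx} -> {tctx} tclass={tclass}")
    return '\n'.join(lines)


if __name__ == '__main__':
    print(report(SAMPLE_AUDIT_LOG))
```

Run against a real `/var/log/audit/audit.log` the summary line is what you would hand to `audit2why`/`audit2allow`: one distinct (source, target, class, permission) tuple per policy decision, rather than one line per occurrence.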


