|
|
|
@ -1,37 +1,45 @@
|
|
|
|
|
Summary: Helps troubleshoot SELinux problems
|
|
|
|
|
Name: setroubleshoot
|
|
|
|
|
Version: 1.9.4
|
|
|
|
|
Release: 2%{?dist}
|
|
|
|
|
License: GPL
|
|
|
|
|
Version: 1.10.6
|
|
|
|
|
Release: 1%{?dist}
|
|
|
|
|
License: GPLv2+
|
|
|
|
|
Group: Applications/System
|
|
|
|
|
URL: http://www.redhat.com/
|
|
|
|
|
URL: https://hosted.fedoraproject.org/projects/setroubleshoot
|
|
|
|
|
Source0: %{name}-%{version}.tar.gz
|
|
|
|
|
Source1: setroubleshoot.init
|
|
|
|
|
Source2: setroubleshoot.logrotate
|
|
|
|
|
Patch0: setroubleshoot-autogen.patch
|
|
|
|
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
|
|
|
|
BuildArch: noarch
|
|
|
|
|
BuildRequires: perl-XML-Parser
|
|
|
|
|
Requires: %{name}-server = %{version}-%{release}
|
|
|
|
|
Requires: %{name}-plugins
|
|
|
|
|
Requires: pygtk2 >= 2.9.2
|
|
|
|
|
Requires: gnome-python2, gnome-python2-canvas
|
|
|
|
|
Requires: usermode, rhpl
|
|
|
|
|
BuildRequires: desktop-file-utils
|
|
|
|
|
Requires: gnome-python2-gtkhtml2
|
|
|
|
|
Requires: dbus
|
|
|
|
|
Requires: dbus-python
|
|
|
|
|
Requires: libxml2-python
|
|
|
|
|
Requires(post): /usr/bin/update-desktop-database
|
|
|
|
|
Requires(post): dbus
|
|
|
|
|
Requires(postun): /usr/bin/update-desktop-database
|
|
|
|
|
Requires(postun): dbus
|
|
|
|
|
Requires: notify-python
|
|
|
|
|
%{?fc7:Requires: selinux-policy-base >= 2.6.4-45 }
|
|
|
|
|
%{?fc8:Requires: selinux-policy-base >= 3.0.7-10 }
|
|
|
|
|
|
|
|
|
|
%{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
|
|
|
|
|
|
|
|
|
|
%define pkgpythondir %{python_sitelib}/%{name}
|
|
|
|
|
%define pkgdocdir %{_datadir}/doc/%{name}-%{version}
|
|
|
|
|
%define pkgguidir %{_datadir}/%{name}/gui
|
|
|
|
|
%define pkgdatadir %{_datadir}/%{name}
|
|
|
|
|
%define pkglibexecdir %{_prefix}/libexec/%{name}
|
|
|
|
|
%define pkgvardatadir %{_localstatedir}/lib/%{name}
|
|
|
|
|
%define pkgrundir %{_localstatedir}/run/%{name}
|
|
|
|
|
%define pkgconfigdir %{_sysconfdir}/%{name}
|
|
|
|
|
%define pkglogdir %{_localstatedir}/log/%{name}
|
|
|
|
|
%define pkgdatabase %{pkgvardatadir}/audit_listener_database.xml
|
|
|
|
|
|
|
|
|
|
%description
|
|
|
|
|
setroubleshoot gui. Application that allows you to view setroubleshoot-server
|
|
|
|
@ -42,18 +50,21 @@ about the problem and help track its resolution. Alerts can be configured
|
|
|
|
|
to user preference. The same tools can be run on existing log files.
|
|
|
|
|
|
|
|
|
|
%files
|
|
|
|
|
%{pkgguidir}
|
|
|
|
|
%{_sysconfdir}/xdg/autostart/*
|
|
|
|
|
%{_datadir}/applications/*.desktop
|
|
|
|
|
%{_datadir}/dbus-1/services/sealert.service
|
|
|
|
|
%{_datadir}/icons/hicolor
|
|
|
|
|
%dir %attr(0755,root,root) %{pkgpythondir}
|
|
|
|
|
%{pkgpythondir}/browser.py*
|
|
|
|
|
%{pkgpythondir}/gui_utils.py*
|
|
|
|
|
%{pkgpythondir}/email_dialog.py*
|
|
|
|
|
%{pkgpythondir}/gui_utils.py*
|
|
|
|
|
|
|
|
|
|
%post
|
|
|
|
|
/usr/bin/update-desktop-database %{_datadir}/applications
|
|
|
|
|
touch --no-create %{_datadir}/icons/hicolor || :
|
|
|
|
|
%{_bindir}/gtk-update-icon-cache --quiet %{_datadir}/icons/hicolor || :
|
|
|
|
|
dbus-send --system /com/redhat/setroubleshootd com.redhat.SEtroubleshootdIface.restart string:'rpm install' >/dev/null 2>&1 || :
|
|
|
|
|
|
|
|
|
|
%postun
|
|
|
|
|
/usr/bin/update-desktop-database %{_datadir}/applications
|
|
|
|
@ -62,7 +73,6 @@ touch --no-create %{_datadir}/icons/hicolor || :
|
|
|
|
|
|
|
|
|
|
%prep
|
|
|
|
|
%setup -q
|
|
|
|
|
%patch0 -p1 -b .autogen
|
|
|
|
|
|
|
|
|
|
%build
|
|
|
|
|
%configure
|
|
|
|
@ -73,7 +83,8 @@ rm -rf %{buildroot}
|
|
|
|
|
make DESTDIR=%{buildroot} install
|
|
|
|
|
%{__install} -D -m755 %{SOURCE1} %{buildroot}/etc/rc.d/init.d/%{name}
|
|
|
|
|
%{__install} -D -m644 %{SOURCE2} %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
|
|
|
|
|
touch %{buildroot}%{pkgvardatadir}/audit_listener_database.xml
|
|
|
|
|
desktop-file-install --vendor="" --dir=%{buildroot}%{_datadir}/applications %{buildroot}/%{_datadir}/applications/%{name}.desktop
|
|
|
|
|
touch %{buildroot}%{pkgdatabase}
|
|
|
|
|
touch %{buildroot}%{pkgvardatadir}/email_alert_recipients
|
|
|
|
|
%find_lang %{name}
|
|
|
|
|
|
|
|
|
@ -81,9 +92,16 @@ touch %{buildroot}%{pkgvardatadir}/email_alert_recipients
|
|
|
|
|
Summary: SELinux troubleshoot server
|
|
|
|
|
Group: Applications/System
|
|
|
|
|
|
|
|
|
|
Requires: %{name}-plugins
|
|
|
|
|
Requires: audit >= 1.2.6-3
|
|
|
|
|
Requires: audit-libs-python >= 1.2.6-3
|
|
|
|
|
Requires: libselinux >= 1.30.15-1
|
|
|
|
|
Requires: pygobject2
|
|
|
|
|
Requires: dbus-python
|
|
|
|
|
Requires: libxml2-python
|
|
|
|
|
Requires: libselinux-python
|
|
|
|
|
Requires: audit-libs-python
|
|
|
|
|
Requires: libuser
|
|
|
|
|
|
|
|
|
|
BuildRequires: intltool gettext python
|
|
|
|
|
|
|
|
|
@ -100,7 +118,10 @@ about the problem and help track its resolution. Alerts can be configured
|
|
|
|
|
to user preference. The same tools can be run on existing log files.
|
|
|
|
|
|
|
|
|
|
%post server
|
|
|
|
|
[ -f %{pkgvardatadir}/database.xml ] && chmod 644 %{pkgvardatadir}/database.xml
|
|
|
|
|
if [ -f %{pkgdatabase} ]; then
|
|
|
|
|
chown root:root %{pkgdatabase} >/dev/null 2>&1 || :
|
|
|
|
|
chmod 600 %{pkgdatabase} >/dev/null 2>&1 || :
|
|
|
|
|
fi
|
|
|
|
|
/sbin/chkconfig --add %{name}
|
|
|
|
|
/sbin/service %{name} condrestart >/dev/null 2>&1 || :
|
|
|
|
|
|
|
|
|
@ -122,10 +143,12 @@ rm -rf %{buildroot}
|
|
|
|
|
%{_bindir}/*
|
|
|
|
|
%{_sbindir}/*
|
|
|
|
|
%dir %attr(0755,root,root) %{pkgconfigdir}
|
|
|
|
|
%dir %attr(0755,root,root) %{pkgpythondir}
|
|
|
|
|
%{pkgpythondir}/Plugin.py*
|
|
|
|
|
%{pkgpythondir}/__init__.py*
|
|
|
|
|
%{pkgpythondir}/access_control.py*
|
|
|
|
|
%{pkgpythondir}/analyze.py*
|
|
|
|
|
%{pkgpythondir}/audit_data.py*
|
|
|
|
|
%{pkgpythondir}/avc_audit.py*
|
|
|
|
|
%{pkgpythondir}/config.py*
|
|
|
|
|
%{pkgpythondir}/email_alert.py*
|
|
|
|
@ -141,17 +164,182 @@ rm -rf %{buildroot}
|
|
|
|
|
%config %{pkgconfigdir}/%{name}.cfg
|
|
|
|
|
%dir %{pkglogdir}
|
|
|
|
|
%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
|
|
|
|
|
%config %{_sysconfdir}/dbus-1/system.d/setroubleshootd.conf
|
|
|
|
|
%dir %{pkgrundir}
|
|
|
|
|
%dir %{pkgvardatadir}
|
|
|
|
|
%ghost %attr(0644,root,root) %{pkgvardatadir}/audit_listener_database.xml
|
|
|
|
|
%ghost %attr(0600,root,root) %{pkgdatabase}
|
|
|
|
|
%ghost %attr(0644,root,root) %{pkgvardatadir}/email_alert_recipients
|
|
|
|
|
%{_mandir}/man8/sealert.8.gz
|
|
|
|
|
|
|
|
|
|
/etc/rc.d/init.d/%{name}
|
|
|
|
|
%attr(0755,root,root) /etc/rc.d/init.d/%{name}
|
|
|
|
|
|
|
|
|
|
%changelog
|
|
|
|
|
* Mon May 7 2007 John Dennis <jdennis@redhat.com> - 1.9.4-2
|
|
|
|
|
- Resolves bug# 233760, fix autogen problem resulting in /usr/local prefix
|
|
|
|
|
* Wed Sep 26 2007 John Dennis <jdennis@redhat.com> - 1.10.6-1
|
|
|
|
|
- make selinx-policy requires in spec file specific to dist tag
|
|
|
|
|
|
|
|
|
|
* Mon Sep 24 2007 John Dennis <jdennis@redhat.com> - 1.10.5-1
|
|
|
|
|
- update code for command line log file scanning to work with
|
|
|
|
|
new log file scanning code introduced for the browser.
|
|
|
|
|
|
|
|
|
|
- update Bulgarian translation (Doncho N. Gunchev (gunchev@gmail.com))
|
|
|
|
|
|
|
|
|
|
- update Polish translation (Piotr Drąg (raven@pmail.pl))
|
|
|
|
|
|
|
|
|
|
- Resolves bug #239893: sealert wakes up very often
|
|
|
|
|
This was caused by the use of threads and pygtk's thread signal
|
|
|
|
|
handling. The only use of threads in sealert was for log file
|
|
|
|
|
scanning so that the UI would remain responsive during a
|
|
|
|
|
scan. Threads in sealert have now been completely
|
|
|
|
|
removed. Instead the scanning work is performed in a gobject idle
|
|
|
|
|
function called from the main loop. The idle function is written
|
|
|
|
|
as a python generator function which allows for the function to
|
|
|
|
|
perform a small amount of work, save it's execution state and
|
|
|
|
|
return. The next time the idle function is called from the main
|
|
|
|
|
loop it resumes execution from it's last state until it decides
|
|
|
|
|
to yield control again. This way the long running scan/analysis
|
|
|
|
|
can be performed in small successive units of work during the
|
|
|
|
|
time the application is otherwise idle and it does not interfere
|
|
|
|
|
with the rest of the GUI event processing. Everything now occurs
|
|
|
|
|
in an event loop, think of it as the applications process/thread
|
|
|
|
|
scheduler whose event handlers execute time slices.
|
|
|
|
|
|
|
|
|
|
- rewrote parts of the audit input pipeline to use generators
|
|
|
|
|
instead of callbacks, thus permitting the logfile scanning code
|
|
|
|
|
to yield control with more granularity. Also updated
|
|
|
|
|
test_setroubleshootd and audisp_listen to use the new
|
|
|
|
|
generator/yield logic.
|
|
|
|
|
|
|
|
|
|
- rewrote the dialog used for scanning log files, progress bar
|
|
|
|
|
updates are now in the dialog, the scan can be terminated part
|
|
|
|
|
way through, errors from the scan are reported in pop-up dialog,
|
|
|
|
|
one can only dismiss the dialog with success if the scan had
|
|
|
|
|
been successfully run to completion, otherwise the user is only
|
|
|
|
|
left with the option to cancel.
|
|
|
|
|
|
|
|
|
|
- Relates bug #252035 bug #247469, setroubleshootd and sealert should
|
|
|
|
|
exit if SELinux is disabled.
|
|
|
|
|
|
|
|
|
|
- add utility functions escape_html() and unescape_html()
|
|
|
|
|
|
|
|
|
|
- fix initial sort order in browser, track sort order in browser
|
|
|
|
|
|
|
|
|
|
- modify AVC.get_path() to only return a value if the 'path' field is
|
|
|
|
|
set, formerly it also considered the fields 'name' & 'file' which were
|
|
|
|
|
incorrect. get_path() now also looks to see if the string begins with a
|
|
|
|
|
slash for a fully qualified path, if not it looks to see if its a
|
|
|
|
|
pseudo path such as 'pipe[12345]' or 'socket[12345]' and if so strips out
|
|
|
|
|
the instance information inside the brackets and returns just the type of
|
|
|
|
|
the pseudo path. This is done because we do not want path information
|
|
|
|
|
in the signature to be unique for each instance of the denial.
|
|
|
|
|
|
|
|
|
|
- modify the TimeStamp class to hide it's internal datetime member,
|
|
|
|
|
remove the cmp() method, the internal __cmp__ will be automatically invoked.
|
|
|
|
|
|
|
|
|
|
- require selinux policy version in spec file to allow system dbus use
|
|
|
|
|
|
|
|
|
|
- Resolves bug #256601: audit2allow generates incorrect syntax when comma "," in
|
|
|
|
|
denied list
|
|
|
|
|
|
|
|
|
|
- update po i18n files
|
|
|
|
|
|
|
|
|
|
- Add support for pruning database by age and size
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
* Sat Sep 8 2007 John Dennis <jdennis@redhat.com> - 1.10.4-1
|
|
|
|
|
- fix init script
|
|
|
|
|
|
|
|
|
|
* Sat Sep 8 2007 John Dennis <jdennis@redhat.com> - 1.10.3-1
|
|
|
|
|
- modify avc_audit.py to use new audit_data.py implementation
|
|
|
|
|
|
|
|
|
|
- can listen for audit events on either /var/run/audit_events
|
|
|
|
|
in bindary protocol mode or /var/run/audisp_events in
|
|
|
|
|
text protocol mode
|
|
|
|
|
|
|
|
|
|
* Thu Sep 6 2007 John Dennis <jdennis@redhat.com> - 1.10.2-1
|
|
|
|
|
- remove all copied code from test_setroubleshootd, now we import
|
|
|
|
|
from setroubleshoot
|
|
|
|
|
|
|
|
|
|
- export ClientConnectionHandler from rpc.py as a base class.
|
|
|
|
|
Derive SetroubleshootdClientConnectionHandler and
|
|
|
|
|
AuditClientConnectionHandler from ClientConnectionHandler.
|
|
|
|
|
|
|
|
|
|
- add audisp_listen as test program
|
|
|
|
|
|
|
|
|
|
- create setroubleshoot sym link in top devel directory pointing
|
|
|
|
|
to src so import setroubleshoot.foo if PYTHONPATH=topdir
|
|
|
|
|
|
|
|
|
|
- add get_option, convert_cfg_type to config.py.in so that one
|
|
|
|
|
can pass optional dict to override config file settings
|
|
|
|
|
|
|
|
|
|
- rewrite log_init() so it's easier for other programs to use it,
|
|
|
|
|
fix the import logic concering log & config
|
|
|
|
|
|
|
|
|
|
- remove log code from test_setroubleshoot, now just does import
|
|
|
|
|
from setroubleshoot.
|
|
|
|
|
|
|
|
|
|
- test_setroubleshootd can now handle audit records in both text
|
|
|
|
|
and binary formats, can be selected by command line arg. It can now
|
|
|
|
|
either output to clients connecting on a socket or to stdout. Can
|
|
|
|
|
now optionally exit after N socket client connections.
|
|
|
|
|
|
|
|
|
|
- remove non audit record lines from test data
|
|
|
|
|
|
|
|
|
|
- remove config_init() and log_init() from package __init__.py
|
|
|
|
|
It was the wrong place to call them, now call them when the
|
|
|
|
|
process initializes before the first setroubleshoot imports
|
|
|
|
|
|
|
|
|
|
- add parse_config_setting() and set_config() to config module
|
|
|
|
|
- setroubleshootd now accepts -c --config command line arg
|
|
|
|
|
- test_sectroubleshoot: add err defines & program_error exception
|
|
|
|
|
add is_valid() tests to assure we read a valid audit record
|
|
|
|
|
log the unrecognized line if not valid, clean up socket close()
|
|
|
|
|
|
|
|
|
|
- Relates Bug #247056, update initscript to LSB standards
|
|
|
|
|
Note: LSB initscripts in Fedora is not yet a resolved issue,
|
|
|
|
|
the changes implemented were to add an LSB block and support
|
|
|
|
|
the new LSB try-restart and force-reload commands. However
|
|
|
|
|
the new /lib/lsb/init-functions are NOT currently used as this
|
|
|
|
|
is the unstable part.
|
|
|
|
|
|
|
|
|
|
* Thu Aug 23 2007 John Dennis <jdennis@redhat.com> - 1.10.1-1
|
|
|
|
|
- add BuildRequires perl-XML-Parser
|
|
|
|
|
|
|
|
|
|
* Thu Aug 23 2007 John Dennis <jdennis@redhat.com> - 1.10.0-1
|
|
|
|
|
|
|
|
|
|
- move all plugins and their translations to independent package
|
|
|
|
|
- wrap XML generation inside try/except
|
|
|
|
|
- correct how access list is obtained in avc_auparse.py
|
|
|
|
|
- add try/except around top level of AnalyzeThread.run so exceptions
|
|
|
|
|
in the thread get reported and the analysis thread does not just die.
|
|
|
|
|
- also add try/except around LogfileThread.process_logfile
|
|
|
|
|
- add new function assure_file_ownership_permissions()
|
|
|
|
|
- server now forces it's database file permissions/ownership to be 0600 root:root
|
|
|
|
|
- rpm now forces the server's database file permissions/ownership to be 0600 root:root
|
|
|
|
|
- Resolves Bug #251545: Review Request: setroubleshoot-plugins - analysis plugins for setroubleshoot
|
|
|
|
|
- clean up some other rpmlint warnings in setroubleshoot.spec
|
|
|
|
|
- fix missing install of setroubleshoot icon and sym link to it
|
|
|
|
|
- Resolves Bug #251551, setroubleshoot shows up in in wrong desktop menu
|
|
|
|
|
also run desktop-file-install in rpm install
|
|
|
|
|
- add /etc/dbus-1/system.d/setroubleshootd.conf dbus configuration file
|
|
|
|
|
- Resolves Bug #250979, Bug #250932 Missing dependencies
|
|
|
|
|
- Restore plugins/Makefile.am which got nuked somehow
|
|
|
|
|
- remove dus.dbus_bindings.bus_name_has_owner(), deprecated as of F7
|
|
|
|
|
- wrap rpm transactions in try/except
|
|
|
|
|
|
|
|
|
|
* Tue Jun 12 2007 John Dennis <jdennis@redhat.com> - 1.9.7-1
|
|
|
|
|
- Resolves Bug# 241739, this bug is the lead bug for several bug reports,
|
|
|
|
|
all consequences of the same problem, setroubleshootd/sealert when run
|
|
|
|
|
in a non latin language environment because of incompatibilities in
|
|
|
|
|
i18n encoding between components.
|
|
|
|
|
|
|
|
|
|
* Wed May 30 2007 John Dennis <jdennis@redhat.com> - 1.9.6-1
|
|
|
|
|
- add avc_auparse.py, now has option to use audit parsing library instead of
|
|
|
|
|
built-in audit parsing.
|
|
|
|
|
- fix bug in log file scanning and detail display update
|
|
|
|
|
- Resolves Bug# 238516, python pkg directory not owned
|
|
|
|
|
|
|
|
|
|
* Wed Apr 25 2007 Dan Walsh <dwalsh@redhat.com> - 1.9.5-1
|
|
|
|
|
- Update translations
|
|
|
|
|
- Fix mislabeled file
|
|
|
|
|
|
|
|
|
|
* Mon Mar 19 2007 Dan Walsh <dwalsh@redhat.com> - 1.9.4-1
|
|
|
|
|
- Remove disable_trans boolean
|
|
|
|
@ -695,7 +883,7 @@ it has already been seen
|
|
|
|
|
- fix allow_execmod plugin to report better data.
|
|
|
|
|
|
|
|
|
|
* Mon Jun 26 2006 John Dennis <jdennis@redhat.com> - 0.3-1
|
|
|
|
|
- add missing /var/log directory %files section in spec file,
|
|
|
|
|
- add missing /var/log directory files section in spec file,
|
|
|
|
|
and add logrotate script
|
|
|
|
|
|
|
|
|
|
* Mon Jun 26 2006 John Dennis <jdennis@redhat.com> - 0.2-1
|
|
|
|
|
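Review bot: In the `%post server` scriptlet the new block tightens only `%{pkgdatabase}` (`audit_listener_database.xml`) to 0600 root:root, whereas the line it appears to replace acted on `%{pkgvardatadir}/database.xml`, so a database left under that older name by an earlier install would keep mode 0644 after the upgrade. If such a file can still exist, it presumably holds the same kind of alert data and should be tightened as well, e.g. `[ -f %{pkgvardatadir}/database.xml ] && chmod 600 %{pkgvardatadir}/database.xml >/dev/null 2>&1 || :`. Both `chown` and `chmod` discard their output and exit status, which keeps the transaction from failing but lets a still-readable database go unnoticed. A comment such as `# best effort: setroubleshootd re-applies 0600 root:root to its database` would record why that is acceptable, assuming the 1.10.0-1 changelog entry about the server forcing these permissions still holds. In the server file list, `%dir %{pkgvardatadir}`, `%dir %{pkglogdir}` and `%dir %{pkgrundir}` carry no `%attr`, so their modes come from the build rather than the spec; the `%files` header for that list is outside the visible hunks, and the page does not mark which lines are added, so both observations are inferred from the hunk contents.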