From ce726f15a40c06c4ade33b767c6a67874a0cc311 Mon Sep 17 00:00:00 2001 From: "Bryn M. Reeves" Date: Tue, 18 Jun 2013 14:59:00 +0100 Subject: [PATCH 1/2] Backport SELinux improvements from master This combines commits d24a27a and d406cc8 from upstream. The old SELinux module has had no maintenance in some time. Add the output of the following commands: - sestatus -b [ SELinux status and booleans ] - selinuxdefcon root - selinuxconlist root - selinuxexeccon /bin/passwd Add '-v' to fixfiles command line to produce more verbose output. Drop all setroubleshoot support - this is an optional package for all supported distributions and should be handled in a separate sos plug-in. The SELinux plug-in can also now optionally collect object lists from the semanage command. Since this command loads the SELinux python run time (~4s/command) it can add considerably to the overall run time of sosreport - for this reason these commands are disabled by default and may be enabled via the selinux.list option: # sosreport -k selinux.list With the option turned on we also collect: semanage fcontext -l semanage login -l semanage port -l semanage user -l Signed-off-by: Bryn M. Reeves Conflicts: sos/plugins/selinux.py
---
 sos/plugins/selinux.py | 41 +++++++++++++++--------------------------
 1 file changed, 15 insertions(+), 26 deletions(-)
diff --git a/sos/plugins/selinux.py b/sos/plugins/selinux.py
index 138c62e..1335562 100644
--- a/sos/plugins/selinux.py
+++ b/sos/plugins/selinux.py
@@ -17,33 +17,22 @@ import sos.plugintools class selinux(sos.plugintools.PluginBase): """selinux related information """ - optionList = [("fixfiles", 'Print incorrect file context labels', 'slow', False)] + optionList = [("fixfiles", 'Print incorrect file context labels', 'slow', False), + ("list", 'List objects and their context', 'slow', False)] + packages = ('libselinux', 'policycoreutils-python') + def setup(self): - # sestatus is always collected in checkenabled() + # sestatus is always collected in check_enabled() self.addCopySpec("/etc/selinux") - self.collectExtOutput("/usr/bin/selinuxconfig") + self.collectExtOutput("sestatus -b") + self.collectExtOutput("semodule -l") + self.collectExtOutput("selinuxdefcon root") + self.collectExtOutput("selinuxconlist root") if self.getOption('fixfiles'): - self.collectExtOutput("/sbin/fixfiles check") - self.addForbiddenPath("/etc/selinux/targeted") - - return - - def checkenabled(self): - # is selinux enabled ? - try: - if self.collectOutputNow("/usr/sbin/sestatus", symlink = "sestatus").split(":")[1].strip() == "disabled": - return False - except: - pass - return True + self.collectExtOutput("fixfiles check") + if self.getOption('list'): + self.collectExtOutput("semanage fcontext -l") + self.collectExtOutput("semanage user -l") + self.collectExtOutput("semanage login -l") + self.collectExtOutput("semanage port -l") - def analyze(self): - # Check for SELinux denials and capture raw output from sealert - if self.policy().runlevelDefault() in self.policy().runlevelByService("setroubleshoot"): - # TODO: fixup regex for more precise matching - sealert=doRegexFindAll(r"^.*setroubleshoot:.*(sealert\s-l\s.*)","/var/log/messages") - if sealert: - for i in sealert: - self.collectExtOutput("%s" % i) - self.addAlert("There are numerous selinux errors present and "+ - "possible fixes stated in the sealert output.") -- 1.7.11.7 commit c41c40193232a11aad7c7c0c077c7f1083a33d75 Author: Bryn M. 
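Review bot: The hunk drops `self.addForbiddenPath("/etc/selinux/targeted")` while keeping `self.addCopySpec("/etc/selinux")`, so the whole targeted policy store (binary policy and module tree) is now copied wholesale into the report; the commit message does not mention this, so either restore the forbidden path next to the copy spec or state in the description that collecting it is intended. The new comment `# sestatus is always collected in check_enabled()` refers to a method this backport never defines — `checkenabled()` is removed and nothing replaces it — and should instead say something like `# sestatus -b below records whether SELinux is enabled; the plugin is gated by the packages tuple, not by sestatus`, assuming the 2.x base class honours `packages` (worth confirming, otherwise the plugin now runs on non-SELinux hosts). The description also promises `fixfiles check -v` and `selinuxexeccon /bin/passwd`, but the hunk collects `fixfiles check` without `-v` and no selinuxexeccon at all, so either the message or the conflict resolution needs fixing.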
Reeves Date: Thu Aug 22 19:19:19 2013 +0100 Add ausearch and semanage output to SELinux plug-in Signed-off-by: Bryn M. Reeves
diff --git a/sos/plugins/selinux.py b/sos/plugins/selinux.py
index 1335562..7f93023 100644
--- a/sos/plugins/selinux.py
+++ b/sos/plugins/selinux.py
@@ -28,6 +28,8 @@ class selinux(sos.plugintools.PluginBase):
 self.collectExtOutput("semodule -l")
 self.collectExtOutput("selinuxdefcon root")
 self.collectExtOutput("selinuxconlist root")
+ self.collectExtOutput("ausearch -m avc,user_avc -ts today")
+ self.collectExtOutput("semanage -o -")
 if self.getOption('fixfiles'):
 self.collectExtOutput("fixfiles check")
 if self.getOption('list'):
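Review bot: The added `self.collectExtOutput("semanage -o -")` runs unconditionally, outside the `if self.getOption('list'):` guard, even though the previous commit in this series deliberately put every semanage call behind `selinux.list` because each one loads the SELinux python run time (~4s); either move the line under that guard or add a comment such as `# semanage -o exports only local customisations; accepted as an always-on cost` explaining why this one is exempt. `ausearch -m avc,user_avc -ts today` returns only records since local midnight, so a report taken early in the day will miss the denials that prompted it; if recent AVCs are the goal a wider window (e.g. `-ts boot`) or a comment documenting the choice would help. `setup()` begins and ends outside this hunk.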