The Geek Diary
How to install and configure “setroubleshootd” on CentOS/RHEL

by admin

What is setroubleshootd

SELinux (Security Enhanced Linux) provides mandatory access control for the Linux operating system. Its checks are pervasive even in permissive mode, and they can expose latent bugs in non-SELinux components that go unnoticed when SELinux is not running. As a result, many frustrated users have come to see SELinux as difficult to use.

The setroubleshoot service is intended to make SELinux more user-friendly. It collects SELinux AVC (access vector cache) denial events from the kernel's audit subsystem and runs each one through a series of analysis plug-ins to work out why the access was refused. It then records the result of the analysis and signals any clients that have asked to be notified of such events. One client is the sealert tool, which can analyze an audit log from the command line or present desktop notifications, much like an email biff alert.

SELinux must be enabled to run this service. In permissive mode denials are still logged and analyzed, but the access itself is not blocked.

Service Control

On CentOS/RHEL 6 and later, setroubleshootd has no init script of its own: it is activated on demand over D-Bus, but its job is still to analyze AVC messages. Two helper programs start it when needed, sedispatch and seapplet. sedispatch runs as an audit dispatcher (audispd) plug-in: it receives every event from the audit system, uses the audit library to pick out the AVC denial messages, and forwards each one to setroubleshootd over D-Bus, starting the daemon if it is not already running. seapplet runs in the desktop system tray, waits for D-Bus signals from setroubleshootd, and pops up a notification bubble so the user can review the denial.

Installation

1. Install the setroubleshoot package.

# yum install setroubleshoot

2. Verify the SELinux status. The service only requires SELinux to be enabled, but for the test below it should be Enforcing so that the bind is actually denied:

# sestatus

3. The setroubleshoot service is configured through the /etc/setroubleshoot/setroubleshoot.cfg file.

Note: the default configuration is fine in most cases, but it is worth reviewing the file for optional features such as sending an email message for each access denial.

Testing the functionality

Bind the sshd daemon to a non-standard port, i.e. define an additional port in the /etc/ssh/sshd_config file:

Port 22
Port 222

Restart sshd. It binds to port 22 successfully, but SELinux denies the bind to port 222: the sshd_t domain may only bind to ports labeled ssh_port_t, and port 222, like any port below 1024 that has no other label, carries the reserved_port_t type. While the service is restarting, check the output of "ps aux | grep setroubleshoot"; D-Bus activation should have started the setroubleshootd process.

# service sshd restart;ps aux|grep setroubleshoot
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
root 31779 41.4 8.5 420396 175700 ? Rl 12:44 0:03 /usr/bin/python -Es /usr/sbin/setroubleshootd -f

During the restart sshd attempts to bind to port 222. SELinux blocks the call (setroubleshoot only analyzes denials, it never blocks anything itself), and the denial is recorded in /var/log/audit/audit.log as an AVC message for the non-standard port 222. The SYSCALL record that follows the AVC record shows the bind(2) call (syscall=49 on x86_64) failing with exit=-13, i.e. EACCES.

# cat /var/log/audit/audit.log
type=AVC msg=audit(1427956913.700:7926): avc: denied { name_bind } for pid=30949 comm="sshd" src=222 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1427956913.700:7926): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fc9e4d25410 a2=10 a3=7ffff48bd62c items=0 ppid=1 pid=30949 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1296 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1427956913.703:7927): avc: denied { name_bind } for pid=30949 comm="sshd" src=222 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket

The audit.log file can be analyzed with the sealert tool:

# sealert -a /var/log/audit/audit.log
100% done
found 1 alerts in /var/log/audit/audit.log
--------------------------------------------------------------------------------

SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket .

***** Plugin bind_ports (99.5 confidence) suggests *************************

If you want to allow /usr/sbin/sshd to bind to network port 222
Then you need to modify the port type.
Do
# semanage port -a -t PORT_TYPE -p tcp 222
where PORT_TYPE is one of the following: pki_tks_port_t, condor_port_t, ptal_port_t, ups_port_t, sieve_port_t, milter_port_t, pki_tps_port_t, zented_port_t, postgresql_port_t, winshadow_port_t, ntop_port_t, tor_port_t, squid_port_t, luci_port_t, speech_port_t, hddtemp_port_t, http_cache_port_t, ircd_port_t, prelude_port_t, quantum_port_t, certmaster_port_t, mssql_port_t, ionixnetmon_port_t, cvs_port_t, nessus_port_t, postgrey_port_t, movaz_ssc_port_t, zabbix_port_t, ocsp_port_t, pki_ocsp_port_t, iscsi_port_t, ssh_port_t, dccm_port_t, distccd_port_t, clockspeed_port_t, svn_port_t, postfix_policyd_port_t, traceroute_port_t, zabbix_agent_port_t, cyphesis_port_t, varnishd_port_t, afs_bos_port_t, pktcable_port_t, isns_port_t, msnp_port_t, lrrd_port_t, radacct_port_t, wccp_port_t, zebra_port_t, cma_port_t, ricci_port_t, websm_port_t, sap_port_t, matahari_port_t, sixxsconfig_port_t, glance_registry_port_t, dspam_port_t, l2tp_port_t, radsec_port_t, socks_port_t, afs_client_port_t, memcache_port_t, sip_port_t, pulseaudio_port_t, oracle_port_t, tor_socks_port_t, jabber_router_port_t, apcupsd_port_t, gpsd_port_t, puppet_port_t, saphostctrl_port_t, mysqlmanagerd_port_t, imaze_port_t, openhpid_port_t, jabber_client_port_t, aol_port_t, mysqld_port_t, clamd_port_t, utcpserver_port_t, pxe_port_t, mail_port_t, pki_ra_port_t, netport_port_t, monopd_port_t, zope_port_t, afs_pt_port_t, afs_vl_port_t, jacorb_port_t, florence_port_t, glance_port_t, presence_port_t, ipsecnat_port_t, howl_port_t, stunnel_port_t, amavisd_send_port_t, jabber_interserver_port_t, afs_fs_port_t, pingd_port_t, amanda_port_t, amavisd_recv_port_t, soundd_port_t, afs_ka_port_t, piranha_port_t, munin_port_t, mpd_port_t, jboss_debug_port_t, jboss_messaging_port_t, cobbler_port_t, commplex_port_t, hplip_port_t, amqp_port_t, ricci_modcluster_port_t, jboss_management_port_t, pyzor_port_t, razor_port_t, mmcc_port_t, kismet_port_t, pki_kra_port_t, lirc_port_t, asterisk_port_t, nodejs_debug_port_t, virt_port_t, 
sype_port_t, radius_port_t, netsupport_port_t, dbskkd_port_t, dict_port_t, repository_port_t, transproxy_port_t, virt_migration_port_t, xfs_port_t, xen_port_t, kerberos_master_port_t, festival_port_t, streaming_port_t, boinc_port_t, port_t, pgpkeyserver_port_t, gatekeeper_port_t, pegasus_http_port_t, xserver_port_t, git_port_t, vnc_port_t, mongod_port_t, openvpn_port_t, dcc_port_t, giftd_port_t, dogtag_port_t, pegasus_https_port_t, i18n_input_port_t, cluster_port_t, ctdb_port_t.

***** Plugin catchall (1.49 confidence) suggests ***************************

If you believe that sshd should be allowed name_bind access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
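Of the two suggestions above, the bind_ports one is the right fix: "semanage port -a -t ssh_port_t -p tcp 222" labels the port so that sshd_t may bind it, whereas the audit2allow module from the catchall plugin would grant sshd_t name_bind on every reserved_port_t port. The script below is an added example, not part of the original article or of the setroubleshoot project. It parses type=AVC records in the format shown in the audit.log excerpt above, prints one line per distinct denial, and, for name_bind denials, prints the semanage port command. The sample audit lines are constructed (copied from the excerpt, with the SYSCALL record shortened), and the small domain-to-port-type map inside avc_port_fix is a hypothetical lookup for this example; on a real system consult "semanage port -l".

```shell
#!/bin/bash
# Added example: summarise SELinux AVC denials from an audit.log-style file
# and derive the port-labelling fix for name_bind denials.

# Constructed sample input, modelled on the article's audit.log excerpt.
SAMPLE_AUDIT=$(mktemp)
trap 'rm -f "$SAMPLE_AUDIT"' EXIT
cat >"$SAMPLE_AUDIT" <<'EOF'
type=AVC msg=audit(1427956913.700:7926): avc: denied { name_bind } for pid=30949 comm="sshd" src=222 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1427956913.700:7926): arch=c000003e syscall=49 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd"
type=AVC msg=audit(1427956913.703:7927): avc: denied { name_bind } for pid=30949 comm="sshd" src=222 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
EOF

# avc_summary FILE
# Prints one line per distinct denial:
#   comm perms source_type target_type tclass port
# perms is comma-joined (a denial may list several, e.g. read,write);
# port is the src= field and is empty for non-socket denials.
avc_summary() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perm = ""; comm = ""; src = "-"; stype = ""; ttype = ""; tclass = ""
        # "denied { name_bind }" -> "name_bind"
        if (match($0, /denied [{] [^}]* [}]/)) {
            perm = substr($0, RSTART + 9, RLENGTH - 11)
            gsub(/ /, ",", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")     { comm = kv[2]; gsub(/"/, "", comm) }
            if (kv[1] == "src")      src = kv[2]
            if (kv[1] == "tclass")   tclass = kv[2]
            # context is user:role:type:level; the type is the third field
            if (kv[1] == "scontext") { split(kv[2], c, ":"); stype = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); ttype = c[3] }
        }
        key = comm " " perm " " stype " " ttype " " tclass " " src
        if (!(key in seen)) { seen[key] = 1; print key }   # de-duplicate repeats
    }' "$1"
}

# avc_port_fix FILE
# For each name_bind denial on a TCP/UDP socket, print the semanage command
# that labels the port for the denied domain. The domain -> port-type map
# below is a hypothetical lookup for this example only; on a real system
# consult "semanage port -l" for the type the domain is allowed to bind.
avc_port_fix() {
    avc_summary "$1" | while read -r comm perm stype ttype tclass port; do
        [ "$perm" = "name_bind" ] || continue
        case "$tclass" in
            tcp_socket) proto=tcp ;;
            udp_socket) proto=udp ;;
            *)          continue ;;
        esac
        case "$stype" in
            sshd_t)  ptype=ssh_port_t ;;
            httpd_t) ptype=http_port_t ;;
            *)       ptype=PORT_TYPE ;;   # unknown domain: leave the placeholder
        esac
        echo "semanage port -a -t $ptype -p $proto $port"
    done
}

echo "== denials =="
avc_summary "$SAMPLE_AUDIT"
echo "== suggested port labelling =="
avc_port_fix "$SAMPLE_AUDIT"
```

Run it against the real file with "avc_summary /var/log/audit/audit.log". The summary collapses the two identical AVC records from the sshd restart into one line, and the port fix prints the same semanage command the bind_ports plugin recommends; a target type of reserved_port_t in the summary is the tell-tale that the port needs labelling rather than a new policy module.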

Filed Under: CentOS/RHEL 6, CentOS/RHEL 7, Linux

© 2023 · The Geek Diary
