What is setroubleshootd
SELinux (Security Enhanced Linux) provides mandatory access control to the Linux operating system. SELinux is quite pervasive, even if only in PERMISSIVE mode. This can expose latent bugs in non-SELinux components that are not visible unless SELinux is running. Frustrated users have developed the perception that SELinux is difficult to use.
The setroubleshoot service is intended to make SELinux more friendly. It collects SELinux audit events from the kernel and runs a series of analysis plug-ins to examine an access violation detected by SELinux. It then records the results of the analysis and signals any clients which have requested notifications of these events. Once tool which makes use of this is the sealert tool, which presents desktop notifications similar to email biff alerts.
SELinux must be enabled to run this service.
Service Control
On CentOS/RHEL 6 and above, the setroubleshootd doesn’t require a init script to start/stop, whereas it uses dbus to start it, but still it is used to analyze the AVC message. Two new programs act as a method to start setroubleshoot when needed i.e sedispatch and seapplet. “sedispatch” gets all the messages from audit system and use the audit library to search for the AVC messages and when it finds an AVC denial occurs message, it will go to setroubleshootd if it is already running or it will start setroubleshootd if it is not running. The seapplet utility runs in the system toolbar, waiting for dbus messages in setroubleshootd. It launches the notification bubble, allowing the user to review AVC messages.
Installation
1. Install the setroubleshoot package.
# yum install setroubleshoot
2. Verify the selinux status and make sure that it is set to Enforcing
# sestatus
3. The setroubleshoot service is controlled by the /etc/setroubleshoot/setroubleshoot.cfg configuration file.
Testing the functionality
Bind the sshd daemon to non-standard port. i.e Define additional port on /etc/sshd/sshd_config file:
Port 22 Port 222
Restart the sshd, it will bind to port 22 with success, but it won’t be allowed to bind to port 222. Since that’s blocked by SELinux as a non-standard port for the ssh_port_t port type. While restarting the sshd service, verify “ps aux | grep setroubleshoot” command output and the dbus service would have triggerred the setroubleshoot process.
# service sshd restart;ps aux|grep setroubleshoot Stopping sshd: [ OK ] Starting sshd: [ OK ] root 31779 41.4 8.5 420396 175700 ? Rl 12:44 0:03 /usr/bin/python -Es /usr/sbin/setroubleshootd -f
While restarting the SSHD service it will try to bind to Port 222 but setroubleshoot will block it and the log details would be captured in the /var/log/audit/audit.log file for the denial of access to the non-statndard port 222.
# cat /var/log/audit/audit.log
type=AVC msg=audit(1427956913.700:7926): avc: denied { name_bind } for pid=30949 comm="sshd" src=222 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1427956913.700:7926): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=7fc9e4d25410 a2=10 a3=7ffff48bd62c items=0 ppid=1 pid=30949 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 ses=1296 tty=(none) comm="sshd" exe="/usr/sbin/sshd" subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1427956913.703:7927): avc: denied { name_bind } for pid=30949 comm="sshd" src=222 scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket
audit.log file can be read using the sealert tool.
# sealert -a /var/log/audit/audit.log 100% donefound 1 alerts in /var/log/audit/audit.log -------------------------------------------------------------------------------- SELinux is preventing /usr/sbin/sshd from name_bind access on the tcp_socket . ***** Plugin bind_ports (99.5 confidence) suggests ************************* If you want to allow /usr/sbin/sshd to bind to network port 222 Then you need to modify the port type. Do # semanage port -a -t PORT_TYPE -p tcp 222 where PORT_TYPE is one of the following: pki_tks_port_t, condor_port_t, ptal_port_t, ups_port_t, sieve_port_t, milter_port_t, pki_tps_port_t, zented_port_t, postgresql_port_t, winshadow_port_t, ntop_port_t, tor_port_t, squid_port_t, luci_port_t, speech_port_t, hddtemp_port_t, http_cache_port_t, ircd_port_t, prelude_port_t, quantum_port_t, certmaster_port_t, mssql_port_t, ionixnetmon_port_t, cvs_port_t, nessus_port_t, postgrey_port_t, movaz_ssc_port_t, zabbix_port_t, ocsp_port_t, pki_ocsp_port_t, iscsi_port_t, ssh_port_t, dccm_port_t, distccd_port_t, clockspeed_port_t, svn_port_t, postfix_policyd_port_t, traceroute_port_t, zabbix_agent_port_t, cyphesis_port_t, varnishd_port_t, afs_bos_port_t, pktcable_port_t, isns_port_t, msnp_port_t, lrrd_port_t, radacct_port_t, wccp_port_t, zebra_port_t, cma_port_t, ricci_port_t, websm_port_t, sap_port_t, matahari_port_t, sixxsconfig_port_t, glance_registry_port_t, dspam_port_t, l2tp_port_t, radsec_port_t, socks_port_t, afs_client_port_t, memcache_port_t, sip_port_t, pulseaudio_port_t, oracle_port_t, tor_socks_port_t, jabber_router_port_t, apcupsd_port_t, gpsd_port_t, puppet_port_t, saphostctrl_port_t, mysqlmanagerd_port_t, imaze_port_t, openhpid_port_t, jabber_client_port_t, aol_port_t, mysqld_port_t, clamd_port_t, utcpserver_port_t, pxe_port_t, mail_port_t, pki_ra_port_t, netport_port_t, monopd_port_t, zope_port_t, afs_pt_port_t, afs_vl_port_t, jacorb_port_t, florence_port_t, glance_port_t, presence_port_t, ipsecnat_port_t, howl_port_t, stunnel_port_t, amavisd_send_port_t, jabber_interserver_port_t, afs_fs_port_t, pingd_port_t, amanda_port_t, amavisd_recv_port_t, soundd_port_t, afs_ka_port_t, piranha_port_t, munin_port_t, mpd_port_t, jboss_debug_port_t, jboss_messaging_port_t, cobbler_port_t, commplex_port_t, hplip_port_t, amqp_port_t, ricci_modcluster_port_t, jboss_management_port_t, pyzor_port_t, razor_port_t, mmcc_port_t, kismet_port_t, pki_kra_port_t, lirc_port_t, asterisk_port_t, nodejs_debug_port_t, virt_port_t, sype_port_t, radius_port_t, netsupport_port_t, dbskkd_port_t, dict_port_t, repository_port_t, transproxy_port_t, virt_migration_port_t, xfs_port_t, xen_port_t, kerberos_master_port_t, festival_port_t, streaming_port_t, boinc_port_t, port_t, pgpkeyserver_port_t, gatekeeper_port_t, pegasus_http_port_t, xserver_port_t, git_port_t, vnc_port_t, mongod_port_t, openvpn_port_t, dcc_port_t, giftd_port_t, dogtag_port_t, pegasus_https_port_t, i18n_input_port_t, cluster_port_t, ctdb_port_t. ***** Plugin catchall (1.49 confidence) suggests *************************** If you believe that sshd should be allowed name_bind access on the tcp_socket by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep sshd /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp