Hi,
I am now close to the solution, which is a combination of solving a bug
and a new feature ;)
the feature:
setroubleshootd is no more a real daemon, it is now started on-demand
when an alert is sent by auditd, or when sealert is started.
The 10 seconds timeout is hardcoded, and is "normal".
the bug:
So, "sealert -b" asks dbus to start setroubleshootd. However, there is a
bug somewhere between dbus, xorg (or something else ?) causing dbus not
to detect that the user starting dbus is using a console, and then
denies starting setroubleshootd.
Dbus configuration file org.fedoraproject.Setroubleshootd.conf contains:
<policy at_console="true">
<allow own="org.fedoraproject.Setroubleshootd"/>
<allow send_destination="org.fedoraproject.Setroubleshootd"/>
<allow send_interface="org.fedoraproject.SetroubleshootdIface"/>
</policy>
<policy context="default">
<deny own="org.fedoraproject.Setroubleshootd"/>
<deny send_destination="org.fedoraproject.Setroubleshootd"/>
<deny send_interface="org.fedoraproject.SetroubleshootdIface"/>
</policy>
Hence, since the user is not detected as using a console, starting the
daemon is denied ...
I'm searching why this policy does not work on Debian (it does on
Fedora). There are 2 workarounds in the meantime:
- either install consolekit and restart X
- or modify the policy and replace deny instruction by allow.
Note that I also had to upgrade auditd locally. I asked Philipp to
upgrade the package to 1.7.12 (#522026), and he has packaged it very
quickly, so a new (and working) version of setroubleshootd will be
uploaded very soon, I hope.
Cheers,
Pierre
--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]
