sealert(8)                                                          sealert(8)

NAME
       sealert - setroubleshoot client tool

SYNOPSIS
       sealert [-b] [-f local_id] [-h] [-H] [-s] [-S] [-l id] [-a file] [-v]
       [-V] [-u] [-p] [-P plugin_name]

DESCRIPTION
       This manual page describes the sealert program.

       sealert is the user interface component (either GUI or command line) to
       the setroubleshoot system. setroubleshoot is used to diagnose SELinux
       denials and attempts to provide user-friendly explanations for an
       SELinux denial (e.g. an AVC) and recommendations for how one might
       adjust the system to prevent the denial in the future.

       In a standard configuration setroubleshoot is composed of two
       components, setroubleshootd and sealert.

       setroubleshootd is a system daemon which runs with root privileges and
       listens for audit events emitted from the kernel related to SELinux.
       The audit daemon must be running. The audit daemon sends a dbus message
       to the setroubleshootd daemon when the system gets an SELinux AVC
       denial. The setroubleshootd daemon then runs a series of analysis
       plugins which examine the audit data related to the AVC. It records the
       results of the analysis and signals any clients which have attached to
       the setroubleshootd daemon that a new alert has been seen.

       sealert can be run in either a GUI mode or a command line mode. In both
       instances sealert runs as a user process with the privileges associated
       with the user. In GUI mode it attaches to a setroubleshootd server
       instance and listens for notifications of new alerts. When a new alert
       arrives it alerts the desktop user via a notification in the status
       icon area. The user may then click on the alert notification, which
       will open an alert browser. In addition to the current alert, sealert
       communicates with the setroubleshootd daemon to access all prior alerts
       stored in the setroubleshoot database.

       The user may elect to tag any given alert as "ignore" in the browser,
       which prevents any future notification for the given alert. This is
       useful when a user is already aware of a recurring problem.

       sealert may also be run in command line mode. The two most useful
       command line options are -l to "lookup" an alert ID and -a to "analyze"
       a log file. When setroubleshootd generates a new alert it assigns it a
       local ID and writes this as a syslog message. The -l lookup option may
       then be used to retrieve the alert from the setroubleshootd alert
       database and write it to stdout. This is most useful when
       setroubleshootd is being run on a headless system without the GUI
       desktop alert facility. The -a analyze option is equivalent to the
       "Scan Logfile" command in the browser. The log file is scanned for
       audit messages, analysis is performed, alerts are generated, and the
       results are then written to stdout. In both cases the -H option can be
       used to cause the alert to be written out in HTML format rather than
       the default plain text.

       You may ask sealert to parse a file, accumulating all the audit messages
       it finds in that file. As each audit event is recognized it is
       presented for analysis, which may generate an alert report if the
       analysis was successful. If the same type of event is seen multiple
       times resulting in the same report, the results are coalesced into a
       single report. The report count field will indicate the number of times
       the tool thought it saw the same issue. The report will also include a
       list of every line number on which it found an audit record which
       contributed to the coalesced report. This will allow you to correlate
       the contents of the file with the analysis results if need be.

       Log file scanning may be initiated from the sealert browser via the
       File::ScanLogFile menu or from the command line via 'sealert -a
       filename'. Please note that sealert runs as a user level process with
       the permissions of the user running it. Many system log files are
       readable by root only. To work around this, if you have root access,
       one can copy the file as root to a temporary file and change its
       permissions. This is a good solution when scanning via the GUI as a
       normal user. Or you might consider su'ing to root and running the
       analysis via the command line (e.g. sealert -a filename).

       The audit records in the log file must be valid, syntactically correct
       audit messages or the parser will ignore them.
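       The -l lookup and -a log scanning workflow described above, as an added
       shell example that is not part of this man page or the setroubleshoot
       project: it pulls the local alert IDs out of syslog text, prepares the
       matching sealert -l lookups, and stages a copy of a root-only log with
       restrictive permissions so an unprivileged user can run sealert -a on
       it. It assumes setroubleshootd's syslog lines contain the text
       "sealert -l <id>"; the sample log lines and IDs are constructed.

```shell
#!/bin/sh
# Added example (not from the sealert man page or the setroubleshoot project).
# ASSUMPTION: setroubleshootd's syslog message ends with "sealert -l <id>";
# the sample lines and IDs below are constructed placeholders.

# Print the unique alert IDs found in syslog text read from stdin.
extract_alert_ids() {
    sed -n 's/.*sealert -l \([0-9a-f-]*\).*/\1/p' | sort -u
}

# Turn IDs from stdin into lookup commands; "html" selects -H output.
# Commands are only printed, so they can be reviewed before being run.
lookup_commands() {
    fmt=${1:-text}
    while IFS= read -r id; do
        if [ "$fmt" = html ]; then
            printf 'sealert -H -l %s\n' "$id"
        else
            printf 'sealert -l %s\n' "$id"
        fi
    done
}

# Root-only log workaround: copy $1 to a temp file owned by user $2 so that
# user can run "sealert -a <copy>". Mode 0600 keeps the audit data private.
# Must be run with root access; prints the path of the copy.
stage_log_for_scan() {
    src=$1; user=$2
    tmp=$(mktemp /tmp/sealert-scan.XXXXXX) || return 1
    cp -- "$src" "$tmp" && chmod 0600 "$tmp" && chown "$user" "$tmp" || return 1
    printf '%s\n' "$tmp"
}

# Constructed sample syslog text: two notices for one alert, one for another.
SAMPLE_SYSLOG='Nov 21 10:01:02 host setroubleshoot: SELinux is preventing httpd from read access on the file index.html. For complete SELinux messages run: sealert -l 11111111-2222-3333-4444-555555555555
Nov 21 10:01:03 host setroubleshoot: SELinux is preventing httpd from read access on the file index.html. For complete SELinux messages run: sealert -l 11111111-2222-3333-4444-555555555555
Nov 21 10:05:10 host setroubleshoot: SELinux is preventing sshd from name_bind access on the tcp_socket port 2222. For complete SELinux messages run: sealert -l aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee'

# Usage: sh this_script.sh run   -> prints the HTML lookup commands
if [ "${1:-}" = run ]; then
    printf '%s\n' "$SAMPLE_SYSLOG" | extract_alert_ids | lookup_commands html
fi
```

       Pipe the output of lookup_commands into sh only after reviewing it; on
       a real host replace SAMPLE_SYSLOG with the relevant syslog excerpt.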

OPTIONS
       -b --browser
              Launch the browser

       -f --fix
              Execute the fix command for the AVC with the given uuid and
              plugin; requires the --plugin option.

       -h --help
              Show this message

       -H --html_output
              Output in HTML; used with the -a or -l option

       -s --service
              Start the sealert service; usually used by dbus.

       -S --noservice
              Start sealert without the dbus service as a stand-alone app

       -l --lookupid id
              Look up alert by id; if id is the wildcard * then return all
              alerts

       -a --analyze file
              Scan a log file and analyze its AVCs

       -v --verbose
              Start in verbose mode

       -V --debug
              Start in debug mode (i.e. very verbose)

       -u --user
              Log on as user

       -p --password
              Set user password

       -P --plugin
              Set plugin name associated with the --fix option

AUTHOR
       This man page was written by John Dennis <jdennis@redhat.com> and Dan
       Walsh <dwalsh@redhat.com>.

SEE ALSO
       selinux(8)

                                  20061121                          sealert(8)