sealert(8)                                                          sealert(8)




NAME

       sealert - setroubleshoot client tool



SYNOPSIS

       sealert [-b] [-f local_id] [-h] [-H] [-s] [-S] [-l id] [-a file] [-v]
       [-V] [-u] [-p] [-P plugin_name]



DESCRIPTION

       This manual page describes the sealert program.

       sealert is the user interface component (either GUI or command line)
       to the setroubleshoot system. setroubleshoot is used to diagnose
       SELinux denials and attempts to provide user friendly explanations
       for a SELinux denial (e.g. AVC) and recommendations for how one might
       adjust the system to prevent the denial in the future.

       In a standard configuration setroubleshoot is composed of two
       components, setroubleshootd and sealert.

       setroubleshootd is a system daemon which runs with root privileges and
       listens for audit events emitted from the kernel related to SELinux.
       The audit daemon must be running. The audit daemon sends a dbus
       message to the setroubleshootd daemon when the system gets an SELinux
       AVC denial. The setroubleshootd daemon then runs a series of analysis
       plugins which examine the audit data related to the AVC. It records
       the results of the analysis and signals any clients which have
       attached to the setroubleshootd daemon that a new alert has been seen.

       sealert can be run in either a GUI mode or a command line mode. In
       both instances sealert runs as a user process with the privileges
       associated with the user. In GUI mode it attaches to a setroubleshootd
       server instance and listens for notifications of new alerts. When a
       new alert arrives it alerts the desktop user via a notification in the
       status icon area. The user may then click on the alert notification,
       which will open an alert browser. In addition to the current alert,
       sealert communicates with the setroubleshootd daemon to access all
       prior alerts stored in the setroubleshoot database.

       The user may elect to tag any given alert as "ignore" in the browser,
       which prevents any future notification for the given alert. This is
       useful when a user is already aware of a recurring problem.

       sealert may also be run in command line mode. The two most useful
       command line options are -l to "lookup" an alert ID and -a to
       "analyze" a log file. When setroubleshootd generates a new alert it
       assigns it a local ID and writes this as a syslog message. The -l
       lookup option may then be used to retrieve the alert from the
       setroubleshootd alert database and write it to stdout. This is most
       useful when setroubleshootd is being run on a headless system without
       the GUI desktop alert facility. The -a analyze option is equivalent
       to the "Scan Logfile" command in the browser. The log file is scanned
       for audit messages, analysis is performed, alerts generated, and then
       written to stdout. In both cases the -H option can be used to cause
       the alert to be written out in HTML format rather than the default
       plain text.


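       The headless workflow described above, as an added shell example that
       is not code from this man page or from the setroubleshoot project: pull
       the local alert IDs that setroubleshootd writes to syslog and hand each
       one to sealert -l. The log excerpt is constructed for the example (the
       "run: sealert -l <uuid>" wording follows setroubleshootd's syslog
       message, the UUIDs and hosts are made up); the default log path and
       the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the sealert(8) man page or the setroubleshoot
# project. Constructed syslog excerpt: two copies of one alert, one other
# alert, and an unrelated sshd line that must be ignored.
SAMPLE_LOG='Mar  3 10:12:01 host setroubleshoot[1234]: SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 3306. For complete SELinux messages run: sealert -l 8f3d2a1c-4b6e-4c7a-9d21-0e5f6a7b8c9d
Mar  3 10:12:01 host setroubleshoot[1234]: SELinux is preventing /usr/sbin/httpd from name_connect access on the tcp_socket port 3306. For complete SELinux messages run: sealert -l 8f3d2a1c-4b6e-4c7a-9d21-0e5f6a7b8c9d
Mar  3 10:15:44 host setroubleshoot[1234]: SELinux is preventing /usr/bin/passwd from write access on the file shadow. For complete SELinux messages run: sealert -l 1a2b3c4d-5e6f-4a7b-8c9d-0e1f2a3b4c5d
Mar  3 10:16:02 host sshd[2345]: Accepted publickey for alice from 192.0.2.10 port 51234'

# sealert_ids: read log text on stdin, print each distinct alert UUID once,
# in first-seen order. Only lines that carry "sealert -l <uuid>" match.
sealert_ids() {
    sed -n 's/.*sealert -l \([0-9a-fA-F-]\{36\}\).*/\1/p' | awk '!seen[$0]++'
}

# lookup_alerts [LOGFILE]: look up every alert found in LOGFILE (default
# /var/log/messages, an assumption) and write the reports to stdout.
# Add -H to the sealert call for HTML output instead of plain text.
lookup_alerts() {
    log=${1:-/var/log/messages}
    sealert_ids <"$log" | while read -r id; do
        printf '=== alert %s ===\n' "$id"
        sealert -l "$id"
    done
}

# Stand-alone demo on the constructed excerpt: list the IDs only.
printf '%s\n' "$SAMPLE_LOG" | sealert_ids
```

       On a journald system the same filter works on
       'journalctl -t setroubleshoot | sealert_ids'. Note that sealert -l
       reads the alert from the daemon's database, so it still requires a
       running setroubleshootd on the host where the denial was recorded.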

LOG FILE SCANNING

       You may ask sealert to parse a file, accumulating all the audit
       messages it finds in that file. As each audit event is recognized it
       is presented for analysis, which may generate an alert report if the
       analysis was successful. If the same type of event is seen multiple
       times resulting in the same report, the results are coalesced into a
       single report. The report count field will indicate the number of
       times the tool thought it saw the same issue. The report will also
       include a list of every line number on which it found an audit record
       which contributed to the coalesced report. This will allow you to
       coordinate the contents of the file with the analysis results if need
       be.

       Log file scanning may be initiated from the sealert browser via the
       File::ScanLogFile menu or from the command line via 'sealert -a
       filename'. Please note that sealert runs as a user level process with
       the permissions of the user running it. Many system log files are
       readable by root only. To work around this, if you have root access
       you can copy the file as root to a temporary file and change its
       permissions so that the user running sealert can read it. This is a
       good solution when scanning via the GUI as a normal user. Give the
       copy to that user only (not world-readable), since audit records
       carry process names, paths and other details you may not want exposed
       to every local account, and remove it when the analysis is done. Or
       you might consider su'ing to root and running the analysis via the
       command line (e.g. sealert -a filename).

       The audit records in the log file must be valid, syntactically
       correct audit messages or the parser will ignore them.


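       The staging procedure above, as an added shell example that is not
       code from this man page or from the setroubleshoot project: copy a
       root-only log to a private temporary file with owner and mode set as
       part of the copy, run sealert -a on it, and delete the copy afterwards.
       The AVC record is constructed in the syntax auditd writes (a
       syntactically valid record, since malformed lines are ignored); the
       function names and the temporary path are assumptions.

```shell
#!/bin/sh
# Added example, not from the sealert(8) man page or the setroubleshoot
# project. The staging step needs root to read the source (run it with
# sudo); sealert itself runs as the invoking user.
#
# One constructed AVC record in auditd's syntax. Copy logs unmodified:
# sealert skips any line that is not a well-formed audit message.
SAMPLE_AVC='type=AVC msg=audit(1709460721.553:1842): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# stage_log SRC [USER]: print the path of a private copy of SRC, mode 0600,
# owned by USER when given (needs root), otherwise by the caller.
stage_log() {
    src=$1 user=$2
    dst=$(mktemp "${TMPDIR:-/tmp}/audit-scan.XXXXXX") || return 1
    # install(1) applies owner and mode as part of the copy, so the copy is
    # never left at the default umask mode for other users to read.
    if [ -n "$user" ]; then
        install -m 0600 -o "$user" "$src" "$dst" || { rm -f "$dst"; return 1; }
    else
        install -m 0600 "$src" "$dst" || { rm -f "$dst"; return 1; }
    fi
    printf '%s\n' "$dst"
}

# scan_log SRC [USER]: stage SRC, run sealert -a on the copy (add -H for
# HTML), and delete the copy afterwards whatever sealert returns.
scan_log() {
    copy=$(stage_log "$1" "$2") || return 1
    sealert -a "$copy"
    rc=$?
    rm -f "$copy"
    return "$rc"
}

# Stand-alone demo on the constructed record only (no sealert call): show
# that the staged copy is private to the caller, then clean up.
demo_src=$(mktemp) && printf '%s\n' "$SAMPLE_AVC" >"$demo_src"
demo_copy=$(stage_log "$demo_src")
ls -l "$demo_copy"
rm -f "$demo_src" "$demo_copy"
```

       Typical use: as root, 'stage_log /var/log/audit/audit.log "$SUDO_USER"'
       prints the path of the private copy, which that user then opens with
       File::ScanLogFile or 'sealert -a <path>'; a root shell can instead run
       'scan_log /var/log/audit/audit.log' directly, which never leaves a
       copy behind.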

OPTIONS

       -b --browser
              Launch the browser

       -f --fix
              Execute the fix command for the AVC with the given UUID and
              plugin; requires the --plugin option.

       -h --help
              Show this message

       -H --html_output
              Output in HTML; used with the -a or -l option

       -s --service
              Start sealert service, usually used by dbus.

       -S --noservice
              Start sealert without dbus service as a stand alone app

       -l --lookupid id
              Look up an alert by id; if id is the wildcard * then return
              all alerts (quote it, e.g. sealert -l '*', so the shell does
              not expand it to file names)

       -a --analyze file
              Scan a log file and analyze its AVCs

       -v --verbose
              Start in verbose mode

       -V --debug
              Start in debug mode (i.e. very verbose)

       -u --user
              logon as user

       -p --password
              set user password

       -P --plugin
              Set plugin name associated with the --fix option


AUTHOR

       This man page was written by John Dennis <jdennis@redhat.com> and Dan
       Walsh <dwalsh@redhat.com>.



SEE ALSO

       selinux(8),



                                   20061121                         sealert(8)