[systemd-devel] FYI setroubleshoot has better integration with journald in F20

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Fri Aug 2 13:28:22 PDT 2013


On Fri, Aug 02, 2013 at 02:50:02PM -0400, Daniel J Walsh wrote:
> On 08/02/2013 11:49 AM, Zbigniew Jędrzejewski-Szmek wrote:
> > On Fri, Aug 02, 2013 at 04:36:15PM +0200, Tomasz Torcz wrote:
> >> On Fri, Aug 02, 2013 at 10:14:50AM -0400, Daniel J Walsh wrote:
> >>> http://danwalsh.livejournal.com/65777.html
> >>> 
> >>> I think we need a
> >>> 
> >>> systemctl status -verbose httpd
> > --full is not enough? journalctl has recently learned to output properly
> > indented multiline messages...
> > 
> >> SELinux hints look like perfect fit for existing "-x" switch.
> > Not really, because setroubleshoot crafts a specific message for each AVC.
> > It *could* be done, by outputting separate structured messages from each of
> > the setroubleshoot plugins, and adding the message template from each
> > plugin to the catalog, so that then journalctl could fill them in. But that
> > would tie setroubleshoot very closely to journalctl, and I'm not sure what
> > the gain would be.
> > 
> > Zbyszek
> > 
> Well I am looking for the user to see the entire multi-line message when running
> 
> systemctl status UNITFILE
> 
> Since this is where we want them to look first.
> 
> Maybe have a comment at the bottom of systemctl status UNITFILE, that says
> 
> run
> 
> systemctl status --full UNITFILE
> 
> to see full message.
I guess we could do that. We're always trying to conserve space,
but we could return a value saying if there were ellipsized lines and
append a hint at the bottom if there were.

> In the future when we eliminate the setroubleshoot.xml file and fully use the
> journal as our backing store, we can talk about that.  The biggest thing would
> be for setroubleshoot to know if it saw the message before.  Basically have a
> signature that it could look up.
If you mean a specific line in the logs, then probably the journal
cursor should be used.
If you mean a denial for the given object & subject & operation, then
setroubleshoot would probably have to keep some state by itself.

Zbyszek
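To illustrate the two options in the last paragraph (a journal cursor for "this exact entry" versus setroubleshoot keeping its own state keyed by subject, object and operation), here is an added example that is not part of the thread or of setroubleshoot itself. The AVC lines and the "cursor-N" strings are constructed stand-ins (real journal cursors are opaque strings), and the signature fields chosen are an assumption about what such a lookup key would contain.

```python
import re

# Constructed AVC audit records, not real journal output from the thread.
SAMPLE_AVC_LINES = [
    'type=AVC msg=audit(1375470000.123:45): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="sda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1375470001.456:46): avc:  denied  { read } for  pid=1235 comm="httpd" name="other.html" dev="sda1" ino=5679 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1375470002.789:47): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket',
]

# Pull the permission set and the three fields that identify the denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def avc_signature(line):
    """Return (source type, target type, class, perms) for an AVC line, else None.

    Only the type component of each context is used (assumption: user, role
    and MLS level are not what distinguishes one kind of denial from another).
    """
    m = AVC_RE.search(line)
    if not m:
        return None
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    perms = tuple(sorted(m.group('perms').split()))
    return (stype, ttype, m.group('tclass'), perms)


class DenialTracker:
    """Per-signature state: how often it was seen and the cursor of its first entry."""

    def __init__(self):
        self.seen = {}

    def observe(self, cursor, line):
        """Record one journal entry; return (signature, is_first_occurrence)."""
        sig = avc_signature(line)
        if sig is None:
            return None, False
        first = sig not in self.seen
        if first:
            self.seen[sig] = {'first_cursor': cursor, 'count': 0}
        self.seen[sig]['count'] += 1
        return sig, first


def process_denials(lines):
    """Feed lines through a tracker, pairing each with a placeholder cursor."""
    tracker = DenialTracker()
    for i, line in enumerate(lines):
        tracker.observe(f'cursor-{i}', line)  # stand-in for an opaque journal cursor
    return tracker
```

The cursor answers "have I processed this entry?", while the signature answers "have I seen this kind of denial before?", which is the state setroubleshoot would need to keep on its own.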