[systemd-devel] setroubleshoot integration.

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Wed Jan 9 08:44:02 PST 2013


On Wed, Jan 09, 2013 at 11:00:36AM -0500, Daniel J Walsh wrote:
> One of my goals with setroubleshoot analysis is to get it integrated into the
> journald system.
> 
> In Fedora I am adding
> 
> systemd.journal.send(siginfo.format_text())
> 
> Which will put the setroubleshoot info into the journal, but what I really
> need is to add a key for the process id that created the journal entry.
> 
> We had talked about this a while ago with the goal of allowing something like
> 
> systemctl httpd status
> ....
> SELinux is blocking httpd read access on /var/www/index.html
> setroubleshoot
> ...
> run restorecon /var/www/index.html
> 
> The only way for systemd to know the setroubleshoot analysis is for httpd is
> to include the pid when setroubleshoot writes the journal.

Hi,

the way that finding messages pertaining to a certain service works currently
is encoded in src/share/logs-show.c, function show_journal_by_unit:
- journald adds _SYSTEMD_UNIT=... when it can to messages generated
  by the services themselves
- systemd (PID 1) writes messages about services with UNIT=...
  and journald tags them with _PID=1
- COREDUMP writes messages with COREDUMP_UNIT=...

I think it would be relatively to extend show_journal_by_unit() to check
for messages with _SYSTEMD_UNIT=setroubleshootd.service (or whatever)
and UNIT=... Would this work for you? This would require setroubleshootd
to find out the unit name on its own. Actually, this might be for the better,
since by the time that journald gets the message, the PID might be long
gone, and setroubleshootd has more knowledge.

Zbyszek
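
The matching rules listed above, with the proposed setroubleshootd rule added, as an added example that is not code from systemd or setroubleshoot. It assumes the daemon derives the unit from the contents of /proc/<pid>/cgroup; the function names, the sample entries and the setroubleshootd.service unit name are illustrative.

```python
import re

# Assumed unit name for the analysis daemon, as in the message ("or whatever").
TROUBLESHOOTER_UNIT = "setroubleshootd.service"

def unit_from_cgroup(cgroup_text):
    """Unit name from the contents of /proc/<pid>/cgroup, or None."""
    for line in cgroup_text.splitlines():
        parts = line.split(":", 2)
        # systemd's own hierarchy: "name=systemd" (legacy) or "" (unified)
        if len(parts) == 3 and parts[1] in ("", "name=systemd"):
            m = re.search(r"([^/]+\.(?:service|scope))$", parts[2])
            if m:
                return m.group(1)
    return None

def report_fields(text, cgroup_text):
    """Fields the daemon would send to the journal for one analysis."""
    fields = {"MESSAGE": text}
    unit = unit_from_cgroup(cgroup_text)
    if unit:
        fields["UNIT"] = unit
    return fields

def matches_unit(entry, unit):
    """The three existing rules plus the proposed fourth one."""
    if entry.get("_SYSTEMD_UNIT") == unit:   # logged by the service itself
        return True
    if entry.get("COREDUMP_UNIT") == unit:   # coredump record
        return True
    if entry.get("UNIT") != unit:
        return False
    # UNIT= is set by the sender, so it only counts together with a field
    # that journald itself attaches: _PID=1 or the daemon's _SYSTEMD_UNIT.
    return (entry.get("_PID") == "1"
            or entry.get("_SYSTEMD_UNIT") == TROUBLESHOOTER_UNIT)

# Constructed entries; journald would add the underscore-prefixed fields.
report = report_fields("SELinux is blocking httpd read access on /var/www/index.html",
                       "1:name=systemd:/system/httpd.service\n")
JOURNAL = [
    {"MESSAGE": "httpd started", "_SYSTEMD_UNIT": "httpd.service", "_PID": "812"},
    {"MESSAGE": "Started httpd.", "UNIT": "httpd.service", "_PID": "1"},
    dict(report, _SYSTEMD_UNIT=TROUBLESHOOTER_UNIT, _PID="950"),
    {"MESSAGE": "forged", "UNIT": "httpd.service",
     "_SYSTEMD_UNIT": "cron.service", "_PID": "4242"},
]

def show_by_unit(unit):
    return [e["MESSAGE"] for e in JOURNAL if matches_unit(e, unit)]
```

The last constructed entry carries UNIT=httpd.service but comes from another unit, so it is not shown for httpd.service.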